diff --git a/README.md b/README.md index bba5c51..cb72836 100644 --- a/README.md +++ b/README.md @@ -12,10 +12,11 @@ Put this repo on watch. I will be updating it regularly. ### Awesome People - [Rodolfo Assis](https://twitter.com/brutelogic) - [Ashar Javed](https://twitter.com/soaj1664ashar) -- [Somdev Sangwan](https://twitter.com/s0md3v) I own this repo, I can write whatever the fuck I want :v +- [Somdev Sangwan](https://twitter.com/s0md3v) because I made this repo :3 ### Awesome Reads - [XSS in Sarahah](http://www.shawarkhan.com/2017/08/sarahah-xss-exploitation-tool.html) +- [XSS in Facebook via PNG Content Type](https://whitton.io/articles/xss-on-facebook-via-png-content-types/) ### Awesome Presentations - [How I met your girlfriend](https://www.youtube.com/watch?v=fWk_rMQiDGc) @@ -23,6 +24,10 @@ Put this repo on watch. I will be updating it regularly. - [Blind XSS](https://www.youtube.com/watch?v=OT0fJEtz7aE) - [Copy Pest](https://www.slideshare.net/x00mario/copypest) +### Awesome Tools +- [XSStrike](http://xsstrike.tk/) +- [KNOXSS](http://knoxss.me/) + ### Awesome Context Breaking #### Simple Context @@ -54,14 +59,59 @@ Come back later Come back later ### Awesome Tags & Event Handlers -Come back later +- [List of all Event Handlers](https://github.com/UltimateHackers/AwesomeXSS/blob/master/Database/event-handlers.md) -### Awesome Methodology -Come back later +#### HTML Tags that you will be using +``` +img +svg +body +html +embed +script +object +details +isindex +iframe +audio +video +``` -### Awesome Tools -- [XSStrike](http://xsstrike.tk/) -- [KNOXSS](http://knoxss.me/) +### Awesome Probing +If nothing of this works, take a look at **Awesome Bypassing** section + +First of all, enter a non-malicious string like **d3v** and look at the source code to get an idea about number and contexts of refelections. +
Now for attribute context, check if double quotes (") are being filtered by entering **x"d3v**. If it gets altered to **x"d3v**, chances are that proper security measures are in place. If this happens, try doing the same for single quotes (') by entering **x'd3v**, if it gets altered to **x'**, you are doomed. The only thing you can try is encoding.
+If the quotes are not being filtered, you can simply try payloads from **Awesome Context Breaking** section. +
For javascript context, check which quotes are being used for example if they are doing +``` +variable = 'value' or variable = "value" +``` +Now lets say single quotes (') are in use, in that case enter **x'd3v**. If it gets altered to **x\'d3v**, try escaping the backslash (\) by adding a backslash to your probe i.e. **x\'d3v**. If it works use the following payload: +``` +\'-alert()-\' +``` +But if it gets altered to **x\\'d3v**, the only thing you can try is closing the script tag itself by using +``` + +``` +For simple HTML context, the probe is **x>d3v**. If it gets altered to **x>d3v**, proper sanitization is in place. If it gets reflected as it as, you can enter a dummy tag to check for potenial filters. The dummy tag I like to use is **x<xxx>**. If it gets stripped or altered in any way, it means the filter is looking for a pair of **<** and **>**. It can simply bypassed using +``` + + +
+``` + +### Awesome Bypassing +Come back later ### Awesome Tips & Tricks - http:// can be shortened to // @@ -72,5 +122,6 @@ Come back later - The shortest independent payload is **<embed src=//14.rs>** (19 chars) ## Credits and all that +Help me buy a new laptop: All the payloads are crafted by me unless specified. Thanks to my big brother [Rodolfo Assis](https://twitter.com/brutelogic) whose writings inspired me to become an XSSLord.
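Review bot: in the @@ -12,10 +12,11 @@ hunk, the rewritten Somdev Sangwan entry ("because I made this repo :3") is still self-attribution inside a list that otherwise credits other researchers; the Credits section at the end of the file already states "All the payloads are crafted by me unless specified", so either drop the entry from Awesome People or word it as a plain maintainer line. The added "XSS in Facebook via PNG Content Type" read is fine; as the list grows, keep it in one consistent order (by date or alphabetically) so readers can tell what is new.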
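Review bot: in the @@ -23,6 +24,10 @@ hunk, both tool links use plain http:// (http://xsstrike.tk/ and http://knoxss.me/); use https:// where the sites serve it, since the README is sending readers off to fetch and run security tooling. These are the same two list items that the @@ -54,14 +59,59 @@ hunk removes further down, so this is a move of the Awesome Tools section rather than new tooling; it is worth stating that in the change description so the history is not read as adding the tools twice.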
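Review bot: in the @@ -54,14 +59,59 @@ hunk, the JavaScript-context probes lose their backslashes when rendered, because `\'` in Markdown is a backslash escape for the quote: `**x\'d3v**` displays as x'd3v, so the probe, its altered form and the follow-up probe all read the same to the reader. Put each probe and each expected response in an inline code span (backticks) so the backslash count is visible, and re-check the counts once they render: the text says to send x\'d3v and then, for the hardened case, "if it gets altered to **x\\'d3v**", but x\\'d3v is exactly what a server that only prefixes one backslash produces from that probe (the case where `\'-alert()-\'` is said to work), so the success and failure branches are currently indistinguishable. The attribute-context paragraph has the mirror problem: "If it gets altered to **x"d3v**" and "if it gets altered to **x'**" show an altered form identical to (or shorter than) the probe, presumably because an HTML entity was rendered away; write the encoded form out in a code span with the ampersand escaped so the reader knows what to look for. As rendered here the fenced blocks after "closing the script tag itself by using" and after "It can simply bypassed using" are empty; confirm the payload text is actually present in the committed file. The section also opens by pointing readers to **Awesome Bypassing**, which this same hunk leaves as "Come back later", so the cross-reference leads nowhere. Typos to fix while there: "refelections", "potenial", "reflected as it as" (as it is), "It can simply bypassed" (be bypassed), "Now lets" (let's).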
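Review bot: in the @@ -72,5 +122,6 @@ hunk, the new line "Help me buy a new laptop:" ends at the colon with no link or address after it, so it gives the reader nothing to act on; add the intended link or drop the line. It also lands inside "Credits and all that", between the heading and the attribution sentence, which makes the credits harder to read; a separate line or its own short section for support requests would keep the two apart.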