mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-13 23:02:46 +00:00
fix: Fix more spelling
This commit is contained in:
parent
fc1f3b25a7
commit
31b213227e
1 changed files with 96 additions and 61 deletions
|
@ -4,65 +4,100 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall
|
|||
|
||||
## Summary
|
||||
|
||||
- [Exploit code or POC](#exploit-code-or-poc)
|
||||
- [Data grabber for XSS](#data-grabber-for-xss)
|
||||
- [UI redressing](#ui-redressing)
|
||||
- [Javascript keylogger](#javascript-keylogger)
|
||||
- [Other ways](#other-ways)
|
||||
- [Identify an XSS endpoint](#identify-an-xss-endpoint)
|
||||
- [XSS in HTML/Applications](#xss-in-htmlapplications)
|
||||
- [Common Payloads](#common-payloads)
|
||||
- [XSS using HTML5 tags](#xss-using-html5-tags)
|
||||
- [XSS using a remote JS](#xss-using-a-remote-js)
|
||||
- [XSS in hidden input](#xss-in-hidden-input)
|
||||
- [DOM based XSS](#dom-based-xss)
|
||||
- [XSS in JS Context](#xss-in-js-context)
|
||||
- [XSS in wrappers javascript and data URI](#xss-in-wrappers-javascript-and-data-uri)
|
||||
- [XSS in files (XML/SVG/CSS/Flash/Markdown)](#xss-in-files)
|
||||
- [XSS in PostMessage](#xss-in-postmessage)
|
||||
- [Blind XSS](#blind-xss)
|
||||
- [XSS Hunter](#xss-hunter)
|
||||
- [Other Blind XSS tools](#other-blind-xss-tools)
|
||||
- [Blind XSS endpoint](#blind-xss-endpoint)
|
||||
- [Mutated XSS](#mutated-xss)
|
||||
- [Polyglot XSS](#polyglot-xss)
|
||||
- [Filter Bypass and Exotic payloads](#filter-bypass-and-exotic-payloads)
|
||||
- [Bypass case sensitive](#bypass-case-sensitive)
|
||||
- [Bypass tag blacklist](#bypass-tag-blacklist)
|
||||
- [Bypass word blacklist with code evaluation](#bypass-word-blacklist-with-code-evaluation)
|
||||
- [Bypass with incomplete html tag](#bypass-with-incomplete-html-tag)
|
||||
- [Bypass quotes for string](#bypass-quotes-for-string)
|
||||
- [Bypass quotes in script tag](#bypass-quotes-in-script-tag)
|
||||
- [Bypass quotes in mousedown event](#bypass-quotes-in-mousedown-event)
|
||||
- [Bypass dot filter](#bypass-dot-filter)
|
||||
- [Bypass parenthesis for string](#bypass-parenthesis-for-string)
|
||||
- [Bypass parenthesis and semi colon](#bypass-parenthesis-and-semi-colon)
|
||||
- [Bypass onxxxx= blacklist](#bypass-onxxxx-blacklist)
|
||||
- [Bypass space filter](#bypass-space-filter)
|
||||
- [Bypass email filter](#bypass-email-filter)
|
||||
- [Bypass document blacklist](#bypass-document-blacklist)
|
||||
- [Bypass using javascript inside a string](#bypass-using-javascript-inside-a-string)
|
||||
- [Bypass using an alternate way to redirect](#bypass-using-an-alternate-way-to-redirect)
|
||||
- [Bypass using an alternate way to execute an alert](#bypass-using-an-alternate-way-to-execute-an-alert)
|
||||
- [Bypass ">" using nothing](#bypass--using-nothing)
|
||||
- [Bypass "<" and ">" using < and >](#bypass--and--using--and-)
|
||||
- [Bypass ";" using another character](#bypass--using-another-character)
|
||||
- [Bypass using HTML encoding](#bypass-using-html-encoding)
|
||||
- [Bypass using Katana](#bypass-using-katana)
|
||||
- [Bypass using Cuneiform](#bypass-using-cuneiform)
|
||||
- [Bypass using Lontara](#bypass-using-lontara)
|
||||
- [Bypass using ECMAScript6](#bypass-using-ecmascript6)
|
||||
- [Bypass using Octal encoding](#bypass-using-octal-encoding)
|
||||
- [Bypass using Unicode](#bypass-using-unicode)
|
||||
- [Bypass using UTF-7](#bypass-using-utf-7)
|
||||
- [Bypass using UTF-8](#bypass-using-utf-8)
|
||||
- [Bypass using UTF-16be](#bypass-using-utf-16be)
|
||||
- [Bypass using UTF-32](#bypass-using-utf-32)
|
||||
- [Bypass using BOM](#bypass-using-bom)
|
||||
- [Bypass using weird encoding or native interpretation](#bypass-using-weird-encoding-or-native-interpretation)
|
||||
- [Bypass using jsfuck](#bypass-using-jsfuck)
|
||||
- [CSP Bypass](#csp-bypass)
|
||||
- [Common WAF Bypass](#common-waf-bypass)
|
||||
- [Cross Site Scripting](#cross-site-scripting)
|
||||
- [Summary](#summary)
|
||||
- [Exploit code or POC](#exploit-code-or-poc)
|
||||
- [Data grabber for XSS](#data-grabber-for-xss)
|
||||
- [CORS](#cors)
|
||||
- [UI redressing](#ui-redressing)
|
||||
- [Javascript keylogger](#javascript-keylogger)
|
||||
- [Other ways](#other-ways)
|
||||
- [Identify an XSS endpoint](#identify-an-xss-endpoint)
|
||||
- [Tools](#tools)
|
||||
- [XSS in HTML/Applications](#xss-in-htmlapplications)
|
||||
- [Common Payloads](#common-payloads)
|
||||
- [XSS using HTML5 tags](#xss-using-html5-tags)
|
||||
- [XSS using a remote JS](#xss-using-a-remote-js)
|
||||
- [XSS in hidden input](#xss-in-hidden-input)
|
||||
- [XSS when payload is reflected capitalized](#xss-when-payload-is-reflected-capitalized)
|
||||
- [DOM based XSS](#dom-based-xss)
|
||||
- [XSS in JS Context](#xss-in-js-context)
|
||||
- [XSS in wrappers javascript and data URI](#xss-in-wrappers-javascript-and-data-uri)
|
||||
- [XSS in files](#xss-in-files)
|
||||
- [XSS in XML](#xss-in-xml)
|
||||
- [XSS in SVG](#xss-in-svg)
|
||||
- [XSS in SVG (short)](#xss-in-svg-short)
|
||||
- [XSS in Markdown](#xss-in-markdown)
|
||||
- [XSS in SWF flash application](#xss-in-swf-flash-application)
|
||||
- [XSS in SWF flash application](#xss-in-swf-flash-application-1)
|
||||
- [XSS in CSS](#xss-in-css)
|
||||
- [XSS in PostMessage](#xss-in-postmessage)
|
||||
- [Blind XSS](#blind-xss)
|
||||
- [XSS Hunter](#xss-hunter)
|
||||
- [Other Blind XSS tools](#other-blind-xss-tools)
|
||||
- [Blind XSS endpoint](#blind-xss-endpoint)
|
||||
- [Tips](#tips)
|
||||
- [Mutated XSS](#mutated-xss)
|
||||
- [Polyglot XSS](#polyglot-xss)
|
||||
- [Filter Bypass and exotic payloads](#filter-bypass-and-exotic-payloads)
|
||||
- [Bypass case sensitive](#bypass-case-sensitive)
|
||||
- [Bypass tag blacklist](#bypass-tag-blacklist)
|
||||
- [Bypass word blacklist with code evaluation](#bypass-word-blacklist-with-code-evaluation)
|
||||
- [Bypass with incomplete html tag](#bypass-with-incomplete-html-tag)
|
||||
- [Bypass quotes for string](#bypass-quotes-for-string)
|
||||
- [Bypass quotes in script tag](#bypass-quotes-in-script-tag)
|
||||
- [Bypass quotes in mousedown event](#bypass-quotes-in-mousedown-event)
|
||||
- [Bypass dot filter](#bypass-dot-filter)
|
||||
- [Bypass parenthesis for string](#bypass-parenthesis-for-string)
|
||||
- [Bypass parenthesis and semi colon](#bypass-parenthesis-and-semi-colon)
|
||||
- [Bypass onxxxx= blacklist](#bypass-onxxxx-blacklist)
|
||||
- [Bypass space filter](#bypass-space-filter)
|
||||
- [Bypass email filter](#bypass-email-filter)
|
||||
- [Bypass document blacklist](#bypass-document-blacklist)
|
||||
- [Bypass using javascript inside a string](#bypass-using-javascript-inside-a-string)
|
||||
- [Bypass using an alternate way to redirect](#bypass-using-an-alternate-way-to-redirect)
|
||||
- [Bypass using an alternate way to execute an alert](#bypass-using-an-alternate-way-to-execute-an-alert)
|
||||
- [Bypass ">" using nothing](#bypass--using-nothing)
|
||||
- [Bypass "<" and ">" using < and >](#bypass--and--using--and-)
|
||||
- [Bypass ";" using another character](#bypass--using-another-character)
|
||||
- [Bypass using HTML encoding](#bypass-using-html-encoding)
|
||||
- [Bypass using Katana](#bypass-using-katana)
|
||||
- [Bypass using Cuneiform](#bypass-using-cuneiform)
|
||||
- [Bypass using Lontara](#bypass-using-lontara)
|
||||
- [Bypass using ECMAScript6](#bypass-using-ecmascript6)
|
||||
- [Bypass using Octal encoding](#bypass-using-octal-encoding)
|
||||
- [Bypass using Unicode](#bypass-using-unicode)
|
||||
- [Bypass using UTF-7](#bypass-using-utf-7)
|
||||
- [Bypass using UTF-8](#bypass-using-utf-8)
|
||||
- [Bypass using UTF-16be](#bypass-using-utf-16be)
|
||||
- [Bypass using UTF-32](#bypass-using-utf-32)
|
||||
- [Bypass using BOM](#bypass-using-bom)
|
||||
- [Bypass using weird encoding or native interpretation](#bypass-using-weird-encoding-or-native-interpretation)
|
||||
- [Bypass using jsfuck](#bypass-using-jsfuck)
|
||||
- [CSP Bypass](#csp-bypass)
|
||||
- [Bypass CSP using JSONP from Google (Trick by @apfeifer27)](#bypass-csp-using-jsonp-from-google-trick-by-apfeifer27)
|
||||
- [Bypass CSP by lab.wallarm.com](#bypass-csp-by-labwallarmcom)
|
||||
- [Bypass CSP by Rhynorater](#bypass-csp-by-rhynorater)
|
||||
- [Bypass CSP by @akita_zen](#bypass-csp-by-akita_zen)
|
||||
- [Bypass CSP by @404death](#bypass-csp-by-404death)
|
||||
- [Common WAF Bypass](#common-waf-bypass)
|
||||
- [Cloudflare XSS Bypasses by @Bohdan Korzhynskyi](#cloudflare-xss-bypasses-by-bohdan-korzhynskyi)
|
||||
- [25st January 2021](#25st-january-2021)
|
||||
- [21st April 2020](#21st-april-2020)
|
||||
- [22nd August 2019](#22nd-august-2019)
|
||||
- [5th June 2019](#5th-june-2019)
|
||||
- [3rd June 2019](#3rd-june-2019)
|
||||
- [Cloudflare XSS Bypass - 22nd March 2019 (by @RakeshMane10)](#cloudflare-xss-bypass---22nd-march-2019-by-rakeshmane10)
|
||||
- [Cloudflare XSS Bypass - 27th February 2018](#cloudflare-xss-bypass---27th-february-2018)
|
||||
- [Chrome Auditor - 9th August 2018](#chrome-auditor---9th-august-2018)
|
||||
- [Incapsula WAF Bypass by @Alra3ees- 8th March 2018](#incapsula-waf-bypass-by-alra3ees--8th-march-2018)
|
||||
- [Incapsula WAF Bypass by @c0d3G33k - 11th September 2018](#incapsula-waf-bypass-by-c0d3g33k---11th-september-2018)
|
||||
- [Incapsula WAF Bypass by @daveysec - 11th May 2019](#incapsula-waf-bypass-by-daveysec---11th-may-2019)
|
||||
- [Akamai WAF Bypass by @zseano - 18th June 2018](#akamai-waf-bypass-by-zseano---18th-june-2018)
|
||||
- [Akamai WAF Bypass by @s0md3v - 28th October 2018](#akamai-waf-bypass-by-s0md3v---28th-october-2018)
|
||||
- [WordFence WAF Bypass by @brutelogic - 12th September 2018](#wordfence-waf-bypass-by-brutelogic---12th-september-2018)
|
||||
- [Fortiweb WAF Bypass by @rezaduty - 9th July 2019](#fortiweb-waf-bypass-by-rezaduty---9th-july-2019)
|
||||
- [References](#references)
|
||||
|
||||
|
||||
|
||||
|
@ -134,7 +169,7 @@ More exploits at [http://www.xss-payloads.com/payloads-list.html?a#category=all]
|
|||
|
||||
## Identify an XSS endpoint
|
||||
|
||||
This payload opens the debugger in the developper console rather than triggering a popup alert box.
|
||||
This payload opens the debugger in the developer console rather than triggering a popup alert box.
|
||||
|
||||
```javascript
|
||||
<script>debugger;</script>
|
||||
|
@ -154,7 +189,7 @@ Better payload replacing `<script>alert(1)</script>`:
|
|||
<script>alert(document.domain.concat("\n").concat(window.origin))</script>
|
||||
```
|
||||
|
||||
While `alert()` is nice for reflected XSS it can quickly become a burden for stored XSS because it requires to close the popup for each execution, so `console.log()` can be used instead to display a message in the console of the developper console (doesn't require any interaction).
|
||||
While `alert()` is nice for reflected XSS it can quickly become a burden for stored XSS because it requires to close the popup for each execution, so `console.log()` can be used instead to display a message in the console of the developer console (doesn't require any interaction).
|
||||
|
||||
Example:
|
||||
|
||||
|
|
Loading…
Reference in a new issue