XSS

Practice sites and reading:
http://www.xssgame.com/ (current level: http://www.xssgame.com/wmOM2q5NJnZS)
https://xss.pwnfunction.com/
https://www.acunetix.com/blog/web-security-zone/test-xss-skills-vulnerable-sites/
https://theswissbay.ch/pdf/Gentoomen%20Library/Security/Cross%20Site%20Scripting%20Attacks%20Xss%20Exploits%20and%20Defense.pdf

Check how the server sanitizes the values you submit. Enumerate how many different ways you can make it raise an error.

http://www.xssgame.com/f/__58a1wgqGgI/confirm?next=javascript:a

Check which front-end framework the UI uses and build payloads for that framework; for example, in Angular templates an alert is triggered through interpolation.

XSS filter bypass: ><script>alert(1);</script>

Some ideas:

  1. Check whether the encoding is applied recursively: if you supply several '<' characters, are all of them encoded?

  2. Try different kinds of encoding (e.g. URL encoding, double URL encoding) and observe how the application treats each one.

  3. Some applications normalize Unicode characters before using the value (see Unicode Normalization Bypass).

Markdown XSS payload

https://github.com/JakobTheDev/information-security/blob/master/Payloads/md/XSS.md

Input that produces an error:

"/</script>

Alert(1) to win: https://github.com/1bitrs/alert-1-to-win Payloads:

Tips

Code-split tokens (ways to separate or break up statements): |  ,  ;  newline followed by code  +  -  /  %  ^  &  *  <  >

Break out of the quoted string that the code sits inside.

If JavaScript code sanitizes the < and > characters, it is trying to prevent HTML injection and therefore XSS. Removing or encoding only those two characters is not a complete defence, however: attackers still attempt XSS through alternative encodings or gaps in the sanitizer logic. A few techniques they try:

  1. Hex encoding: instead of literal < and >, the URL-encoded (hexadecimal) forms %3C and %3E are submitted. A sanitizer that inspects the value before it is URL-decoded misses them.

  2. Unicode encoding: < and > are written as the escapes \u003C and \u003E. These only turn back into real angle brackets where the value is interpreted as a JavaScript string literal, so this matters when input lands inside inline script.

  3. Alternative tags: instead of <script> tags, tags the sanitizer does not treat as executable are used, for example <img> with JavaScript in the src attribute, or uncommon HTML tags.

  4. Event handlers: attributes such as onmouseover or onerror execute JavaScript without any <script> tag being injected.

  5. CSS injection: less common, but injected CSS can include JavaScript execution, such as the expression() function in old versions of Internet Explorer.
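The following is an added example for these notes, not code from the original page or from any of the projects it links to. It puts the "Some ideas" checklist above (recursive encoding, double URL encoding, Unicode normalization) and the strip-only sanitizer discussed in this section side by side: a filter that deletes raw < and > once, versus canonicalizing the input and then entity-encoding it for an HTML context. All function names (naiveStrip, canonicalize, encodeForHtml, runChecks) and the probe inputs are constructed for this example; the harmless <b> tag stands in for any input, and the "survives" check models the scenario in the notes where the value is decoded or normalized after the filter has run.

```javascript
// Added example for this page, not code from the original notes or from any
// project they link to. Contrasts a strip-only filter with canonicalize-then-
// encode, and runs the checks from the "Some ideas" list (double URL encoding,
// Unicode normalization, many brackets at once). Names and inputs are constructed.

// The weak setting: a filter that deletes raw angle brackets and nothing else.
function naiveStrip(value) {
  return value.replace(/[<>]/g, "");
}

// Canonicalize before deciding anything: percent-decode until the value stops
// changing (bounded, and stopping on a malformed sequence), then NFKC-normalize
// so compatibility characters such as U+FF1C FULLWIDTH LESS-THAN SIGN fold to
// their ASCII form. A filter that skips this step is what the checklist probes.
function canonicalize(value, maxRounds = 5) {
  let current = value;
  for (let i = 0; i < maxRounds; i += 1) {
    let decoded;
    try {
      decoded = decodeURIComponent(current);
    } catch (err) {
      break; // malformed %-escape: keep the value as it is
    }
    if (decoded === current) break;
    current = decoded;
  }
  return current.normalize("NFKC");
}

// The corrected setting: canonicalize, then entity-encode every character that
// can change HTML parser state. Nothing is removed, so there is nothing for an
// attacker to reassemble, and no tag, attribute or event handler can be introduced.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function encodeForHtml(value) {
  return canonicalize(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Probe inputs (constructed): the same harmless <b> tag in the representations
// the notes mention, plus a run of repeated brackets to test recursive handling.
const PROBES = {
  plain: "<b>",
  url: "%3Cb%3E",
  double_url: "%253Cb%253E",
  fullwidth: "\uFF1Cb\uFF1E",
  many: "<<<<b>>>>",
};

// Models the scenario in the notes: the filter runs on the raw parameter and the
// value is decoded/normalized later by the application or the browser. Returns
// true when a raw angle bracket reaches the output, i.e. the filter failed.
function bracketSurvives(sanitizer, input) {
  return /[<>]/.test(canonicalize(sanitizer(input)));
}

// Runs every probe through a sanitizer and reports which ones defeat it.
function runChecks(sanitizer) {
  const report = {};
  for (const [name, input] of Object.entries(PROBES)) {
    report[name] = bracketSurvives(sanitizer, input);
  }
  return report;
}

// Stand-alone run: prints a side-by-side report for the two sanitizers.
if (typeof require !== "undefined" && require.main === module) {
  console.table({ naiveStrip: runChecks(naiveStrip), encodeForHtml: runChecks(encodeForHtml) });
}
```

Running it shows naiveStrip failing the url, double_url and fullwidth probes while encodeForHtml passes all five; the point is that the decision to encode is made on the canonical form, and that encoding rather than deletion leaves nothing for a second decoding pass to resurrect.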
