aszx87410 opened 3 years ago
https://brutelogic.com.br/blog/file-upload-xss/
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
HackMD Stored XSS & Bypass CSP with Google Tag Manager https://github.com/k1tten/writeups/blob/master/bugbounty_writeup/HackMD_XSS_%26_Bypass_CSP.md
XSS countermeasures in Content Security Policy Level 3 (Japanese: Content Security Policy Level 3におけるXSS対策) https://inside.pixiv.blog/kobo/5137
A journey from subdomain #SELFXSS to site-wide #CSRF @Twitter. A private talk I delivered in 2016. https://speakerdeck.com/filedescriptor/killing-with
Facebook DOM Based XSS using postMessage https://ysamm.com/?p=493
It turns out a form's action can also take something like javascript:alert(1)
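An added example, not from the linked write-up or any sanitizer library: a URL-attribute check that treats `action` (and `formaction`) as the same kind of sink as `href` and `src`, so a `javascript:` scheme is rejected there too. The attribute list, scheme allowlist and the sample form attributes are constructed for the illustration; the whitespace handling mirrors how browsers pre-process a URL before the scheme is read.

```javascript
// Added example, not from the linked page: a URL-attribute check that treats
// <form action> (and formaction) as the same kind of sink as href/src.

// Attributes that navigate or load a URL, so a javascript: scheme is live code.
const URL_ATTRIBUTES = new Set(["href", "src", "action", "formaction", "xlink:href"]);
// Allowlist of schemes; anything else (javascript:, data:, vbscript:) is rejected.
const SAFE_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Mirror the URL parser's pre-processing so the check cannot be bypassed with
// whitespace: strip leading/trailing C0 controls and spaces, then drop every
// tab, LF and CR, which browsers ignore anywhere in the URL ("java\tscript:").
function normaliseUrl(value) {
  return String(value)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Returns the lowercase scheme with its colon, or null for a relative URL.
function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() + ":" : null;
}

function isSafeUrlAttribute(name, value) {
  if (!URL_ATTRIBUTES.has(name.toLowerCase())) return true; // not a URL sink
  const scheme = schemeOf(normaliseUrl(value));
  return scheme === null || SAFE_SCHEMES.has(scheme);
}

// Drops unsafe URL attributes from a {name: value} map and reports what went.
function sanitiseAttributes(attrs) {
  const kept = {};
  const dropped = [];
  for (const [name, value] of Object.entries(attrs)) {
    if (isSafeUrlAttribute(name, value)) kept[name] = value;
    else dropped.push(name);
  }
  return { kept, dropped };
}

// Constructed sample: attributes of a <form> as an attacker might submit them.
const SAMPLE_FORM_ATTRIBUTES = {
  method: "post",
  action: " JaVa\tScRiPt:alert(1)", // mixed case plus tab, still javascript:
  class: "javascript:alert(1)",     // not a URL sink, so left alone
};

console.log(sanitiseAttributes(SAMPLE_FORM_ATTRIBUTES));
```

The point of the normalisation step is that a filter which compares the raw attribute value against `javascript:` misses the tab-split and mixed-case forms, while the browser strips and lowercases before it decides what scheme it is looking at; the check has to do the same before matching.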
LEXSS: Bypassing Lexical Parsing Security Controls https://labs.bishopfox.com/tech-blog/lexss-bypassing-lexical-parsing-security-controls
This article covers what I have always wanted to know; I should find time to read it in detail.
https://portswigger.net/research/javascript-without-parentheses-using-dommatrix
Uses DOMMatrix to get a function call without writing parentheses. The principle: `new DOMMatrix+''` serialises to `matrix(1, 0, 0, 1, 0, 0)`, so after `matrix=alert` that string is a call to alert; setting `x.a` changes the first argument, and assigning the whole string to `location` as a `javascript:` URL executes it:
```javascript
x=new DOMMatrix;
matrix=alert;
x.a=1337;
location='javascript'+':'+x
```
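An added example, not code from the PortSwigger post: it replays the string coercion the trick depends on outside a browser, so the pieces can be inspected one at a time. Node has no DOMMatrix, so a stand-in class (an assumption) reproduces only the behaviour the payload needs, namely that a 2-D matrix stringifies as the CSS function `matrix(a, b, c, d, e, f)`; the "navigate to a javascript: URL" step is simulated by evaluating the URL body with the needed global passed in explicitly.

```javascript
// Added example, not from the linked post. Node has no DOMMatrix, so this
// stand-in (assumption) mimics only the serialisation the payload relies on:
// a 2-D DOMMatrix stringifies as the CSS function "matrix(a, b, c, d, e, f)".
class StandInDOMMatrix {
  constructor() { this.a = 1; this.b = 0; this.c = 0; this.d = 1; this.e = 0; this.f = 0; }
  toString() {
    return `matrix(${this.a}, ${this.b}, ${this.c}, ${this.d}, ${this.e}, ${this.f})`;
  }
}

// The payload as source text: note that it contains no parentheses at all.
const PAYLOAD_SOURCE = "x=new DOMMatrix;matrix=alert;x.a=1337;location='javascript'+':'+x";

// A filter of the kind the trick defeats: reject anything containing ( or ).
function blocksParentheses(source) {
  return /[()]/.test(source);
}

// Builds the string that ends up in `location`; the "+ x" is where the
// object is coerced and the parentheses appear.
function buildJavascriptUrl(DOMMatrixCtor = StandInDOMMatrix) {
  const x = new DOMMatrixCtor();
  x.a = 1337; // becomes the first argument of matrix(...)
  return "javascript" + ":" + x;
}

// Simulates navigating to a javascript: URL: the URL body runs as script in
// the global scope. In the page, `matrix=alert` made `matrix` a global; here
// the globals are passed in explicitly so the example is self-contained.
function runJavascriptUrl(url, globals) {
  if (!url.startsWith("javascript:")) throw new Error("not a javascript: URL");
  const body = url.slice("javascript:".length);
  const names = Object.keys(globals);
  return new Function(...names, `return (${body});`)(...names.map((n) => globals[n]));
}

function demo() {
  const calls = [];
  const fakeAlert = (v) => { calls.push(v); }; // stand-in for window.alert
  const url = buildJavascriptUrl();
  runJavascriptUrl(url, { matrix: fakeAlert });
  return { filtered: blocksParentheses(PAYLOAD_SOURCE), url, calls };
}

console.log(demo());
```

The practical lesson for the defensive side: a filter that inspects the payload source for `(` sees nothing, while the string the browser actually evaluates, `javascript:matrix(1337, 0, 0, 1, 0, 0)`, is a perfectly ordinary call. Blocking characters in the source is not the same as controlling what gets executed.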
Cheatsheet: XSS that works in 2021
A chat about the XSS facts everyone already knows (Chinese: 谭谈 XSS 那些世人皆知的事) https://xz.aliyun.com/t/9606
https://github.com/s0md3v/AwesomeXSS#awesome-challenges