gitea-mirror/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2025-12-12 15:49:38 -08:00
Code Issues Packages Projects Releases Wiki Activity

Normalize page header for Web Socket, XSLT, XSS, XXE

Browse Source
This commit is contained in:
Swissky
2024-11-10 21:15:44 +01:00
parent 48a4e5c95b
commit 0a5ecc407c
9 changed files with 94 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
XSS Injection/3 - XSS Common WAF Bypass.md
View File

@@ -1,5 +1,8 @@
# Common WAF Bypass
> WAFs are designed to filter out malicious content by inspecting incoming and outgoing traffic for patterns indicative of attacks. Despite their sophistication, WAFs often struggle to keep up with the diverse methods attackers use to obfuscate and modify their payloads to circumvent detection.
## Summary
* [Cloudflare](#cloudflare)
@@ -9,6 +12,7 @@
* [WordFence WAF](#wordfence-waf)
* [Fortiweb WAF](#fortiweb-waf)
## Cloudflare
* 25st January 2021 - [@Bohdan Korzhynskyi](https://twitter.com/bohdansec)

10
XSS Injection/4 - CSP Bypass.md
View File

@@ -14,6 +14,7 @@
- [Bypass CSP script-src data](#bypass-csp-script-src-data)
- [Bypass CSP nonce](#bypass-csp-nonce)
- [Bypass CSP header sent by PHP](#bypass-csp-header-sent-by-php)
- [Labs](#labs)
- [References](#references)
@@ -173,6 +174,15 @@ GET /?xss=<script>alert(1)</script>&a&a&a&a&a&a&a&a...[REPEATED &a 1000 times]&a
Source: [@pilvar222](https://twitter.com/pilvar222/status/1784618120902005070)
## Labs
* [Root Me - CSP Bypass - Inline Code](https://www.root-me.org/en/Challenges/Web-Client/CSP-Bypass-Inline-code)
* [Root Me - CSP Bypass - Nonce](https://www.root-me.org/en/Challenges/Web-Client/CSP-Bypass-Nonce)
* [Root Me - CSP Bypass - Nonce 2](https://www.root-me.org/en/Challenges/Web-Client/CSP-Bypass-Nonce-2)
* [Root Me - CSP Bypass - Dangling Markup](https://www.root-me.org/en/Challenges/Web-Client/CSP-Bypass-Dangling-markup)
* [Root Me - CSP Bypass - Dangling Markup 2](https://www.root-me.org/en/Challenges/Web-Client/CSP-Bypass-Dangling-markup-2)
* [Root Me - CSP Bypass - JSONP](https://www.root-me.org/en/Challenges/Web-Client/CSP-Bypass-JSONP)
## References

18
XSS Injection/README.md
View File

@@ -2,9 +2,10 @@
> Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users.
## Summary
- [Vulnerability Details](#vulnerability-details)
- [Methodology](#methodology)
- [Proof of Concept](#proof-of-concept)
- [Data Grabber](#data-grabber)
- [CORS](#cors)
@@ -38,10 +39,11 @@
- [Blind XSS endpoint](#blind-xss-endpoint)
- [Tips](#tips)
- [Mutated XSS](#mutated-xss)
- [Labs](#labs)
- [References](#references)
## Vulnerability Details
## Methodology
Cross-Site Scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS allows attackers to inject malicious code into a website, which is then executed in the browser of anyone who visits the site. This can allow attackers to steal sensitive information, such as user login credentials, or to perform other malicious actions.
@@ -556,6 +558,18 @@ Mutated XSS from Masato Kinugawa, used against DOMPurify component on Google Sea
## Labs
* [PortSwigger Labs for XSS](https://portswigger.net/web-security/all-labs#cross-site-scripting)
* [Root Me - XSS - Reflected](https://www.root-me.org/en/Challenges/Web-Client/XSS-Reflected)
* [Root Me - XSS - Server Side](https://www.root-me.org/en/Challenges/Web-Server/XSS-Server-Side)
* [Root Me - XSS - Stored 1](https://www.root-me.org/en/Challenges/Web-Client/XSS-Stored-1)
* [Root Me - XSS - Stored 2](https://www.root-me.org/en/Challenges/Web-Client/XSS-Stored-2)
* [Root Me - XSS - Stored - Filter Bypass](https://www.root-me.org/en/Challenges/Web-Client/XSS-Stored-filter-bypass)
* [Root Me - XSS DOM Based - Introduction](https://www.root-me.org/en/Challenges/Web-Client/XSS-DOM-Based-Introduction)
* [Root Me - XSS DOM Based - AngularJS](https://www.root-me.org/en/Challenges/Web-Client/XSS-DOM-Based-AngularJS)
* [Root Me - XSS DOM Based - Eval](https://www.root-me.org/en/Challenges/Web-Client/XSS-DOM-Based-Eval)
* [Root Me - XSS DOM Based - Filters Bypass](https://www.root-me.org/en/Challenges/Web-Client/XSS-DOM-Based-Filters-Bypass)
* [Root Me - XSS - DOM Based](https://www.root-me.org/en/Challenges/Web-Client/XSS-DOM-Based)
* [Root Me - Self XSS - DOM Secrets](https://www.root-me.org/en/Challenges/Web-Client/Self-XSS-DOM-Secrets)
* [Root Me - Self XSS - Race Condition](https://www.root-me.org/en/Challenges/Web-Client/Self-XSS-Race-Condition)
## References