IIS MachineKeys + CI/CD + CSPT + ORM leak

Swissky
2024-08-26 11:27:47 +02:00
parent 314e4da963
commit 1dae291696
19 changed files with 815 additions and 249 deletions

View File

@@ -61,6 +61,7 @@
- [Bypass ">" using nothing](#bypass--using-nothing)
- [Bypass "<" and ">" using and ](#bypass--and--using--and-)
- [Bypass ";" using another character](#bypass--using-another-character)
- [Bypass using missing charset header](#bypass-using-missing-charset-header)
- [Bypass using HTML encoding](#bypass-using-html-encoding)
- [Bypass using Katakana](#bypass-using-katakana)
- [Bypass using Cuneiform](#bypass-using-cuneiform)
@@ -962,6 +963,40 @@ Unicode Character U+FF1C and U+FF1E
'te' instanceof alert('instanceof') instanceof 'xt';
```
### Bypass using missing charset header
**Requirements**:
* Server header missing `charset`: `Content-Type: text/html`
#### ISO-2022-JP
ISO-2022-JP uses escape characters to switch between several character sets.
| Escape | Encoding |
|-----------|-----------------|
| `\x1B (B` | ASCII |
| `\x1B (J` | JIS X 0201 1976 |
| `\x1B $@` | JIS X 0208 1978 |
| `\x1B $B` | JIS X 0208 1983 |
Using the [code table](https://en.wikipedia.org/wiki/JIS_X_0201#Codepage_layout), we can find multiple characters that will be transformed when switching from **ASCII** to **JIS X 0201 1976**.
| Hex | ASCII | JIS X 0201 1976 |
| ---- | --- | --- |
| 0x5c | `\` | `¥` |
| 0x7e | `~` | `‾` |
**Example**
Use `%1b(J` to force convert a `\'` (ascii) in to `¥'` (JIS X 0201 1976), unescaping the quote.
Payload: `search=%1b(J&lang=en";alert(1)//`
### Bypass using HTML encoding
```javascript
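Review bot: the worked example and the payload disagree on the quote being unescaped: the prose says `%1b(J` turns `\'` into `¥'`, but the payload `search=%1b(J&lang=en";alert(1)//` breaks out of a double-quoted string, so either the prose should read `\"` to `¥"` or the payload should use `'` (also "in to" should be "into"). Two conditions the section relies on are not written down and should be: the escape sequence sent in `search` only switches the character set for the bytes that follow it, so it has to be reflected before the injection point in the response, and the browser only falls back to sniffing ISO-2022-JP when no charset is declared anywhere, neither in the `Content-Type` header nor in a `<meta charset>` tag. Stating that makes the mitigation obvious and worth adding beside the requirements: always send an explicit `Content-Type: text/html; charset=utf-8`.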
@@ -1307,3 +1342,4 @@ Source: [@pilvar222](https://twitter.com/pilvar222/status/1784618120902005070)
- [Bypass < with ](https://hackerone.com/reports/639684)
- [Bypassing Signature-Based XSS Filters: Modifying Script Code](https://portswigger.net/support/bypassing-signature-based-xss-filters-modifying-script-code)
- [Secret Web Hacking Knowledge: CTF Authors Hate These Simple Tricks - Philippe Dourassov - 13 may 2024](https://youtu.be/Sm4G6cAHjWM)
- [Encoding Differentials: Why Charset Matters - Stefan Schiller - July 15, 2024](https://www.sonarsource.com/blog/encoding-differentials-why-charset-matters/)
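Review bot: the date format in the new reference ("July 15, 2024") does not match the entry directly above it ("13 may 2024", also with a lowercase month) or the ISO-style dates used in the Angular file in this same commit ("2024-07-11"); pick one format, ISO `YYYY-MM-DD` being the one already used elsewhere, and apply it to both entries.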

View File

@@ -332,3 +332,4 @@ When doing a code review, you want to make sure that no user input is being trus
- [Blind XSS AngularJS Payloads](https://ardern.io/2018/12/07/angularjs-bxss)
- [Angular Security](https://angular.io/guide/security)
- [Bypass DomSanitizer](https://medium.com/@swarnakishore/angular-safe-pipe-implementation-to-bypass-domsanitizer-stripping-out-content-c1bf0f1cc36b)
- [Bidding Like a Billionaire - Stealing NFTs With 4-Char CSTIs - Matan Berson - 2024-07-11](https://matanber.com/blog/4-char-csti)