Metnew / Uxss Db
Licence: mit
🔪Browser logic vulnerabilities ☠️
Stars: ✭ 565
Programming Languages
javascript
184084 projects - #8 most used programming language
Projects that are alternatives of or similar to Uxss Db
cve-2016-1764
Extraction of iMessage Data via XSS
Stars: ✭ 52 (-90.8%)
Mutual labels: xss, vulnerability, cve
Eagle
Multithreaded Plugin based vulnerability scanner for mass detection of web-based applications vulnerabilities
Stars: ✭ 85 (-84.96%)
Mutual labels: xss, cve
PastebinMarkdownXSS
XSS in pastebin.com and reddit.com via unsanitized markdown output
Stars: ✭ 84 (-85.13%)
Mutual labels: xss, vulnerability
XSS-Cheatsheet
XSS Cheatsheet - A collection of XSS attack vectors https://xss.devwerks.net/
Stars: ✭ 26 (-95.4%)
Mutual labels: xss, vulnerability
vulnerablecode
A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities. Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase/ for https://www.aboutcode.org/ Chat at https://gitter.im/aboutcode-org/vulnerablecode Docs at https://vulnerablecode.readthedocs.org/
Stars: ✭ 269 (-52.39%)
Mutual labels: vulnerability, cve
log4jscanwin
Log4j Vulnerability Scanner for Windows
Stars: ✭ 142 (-74.87%)
Mutual labels: vulnerability, cve
Application Security Engineer Interview Questions
Some of the questions which i was asked when i was giving interviews for Application/Product Security roles. I am sure this is not an exhaustive list but i felt these questions were important to be asked and some were challenging to answer
Stars: ✭ 267 (-52.74%)
Mutual labels: vulnerability, xss
Penetration testing poc
渗透测试有关的POC、EXP、脚本、提权、小工具等---About penetration-testing python-script poc getshell csrf xss cms php-getshell domainmod-xss penetration-testing-poc csrf-webshell cobub-razor cve rce sql sql-poc poc-exp bypass oa-getshell cve-cms
Stars: ✭ 3,858 (+582.83%)
Mutual labels: xss, cve
Faraday
Faraday introduces a new concept - IPE (Integrated Penetration-Test Environment) a multiuser Penetration test IDE. Designed for distributing, indexing, and analyzing the data generated during a security audit.
Stars: ✭ 3,198 (+466.02%)
Mutual labels: vulnerability, cve
vulristics
Extensible framework for analyzing publicly available information about vulnerabilities
Stars: ✭ 46 (-91.86%)
Mutual labels: vulnerability, cve
advisories
A collection of my public security advisories.
Stars: ✭ 16 (-97.17%)
Mutual labels: vulnerability, cve
APSoft-Web-Scanner-v2
Powerful dork searcher and vulnerability scanner for windows platform
Stars: ✭ 96 (-83.01%)
Mutual labels: xss, vulnerability
massh-enum
OpenSSH 2.3 up to 7.4 Mass Username Enumeration (CVE-2018-15473).
Stars: ✭ 136 (-75.93%)
Mutual labels: vulnerability, cve
Detect-CVE-2017-15361-TPM
Detects Windows and Linux systems with enabled Trusted Platform Modules (TPM) vulnerable to CVE-2017-15361. #nsacyber
Stars: ✭ 34 (-93.98%)
Mutual labels: vulnerability, cve
Hardware And Firmware Security Guidance
Guidance for the Spectre, Meltdown, Speculative Store Bypass, Rogue System Register Read, Lazy FP State Restore, Bounds Check Bypass Store, TLBleed, and L1TF/Foreshadow vulnerabilities as well as general hardware and firmware security guidance. #nsacyber
Stars: ✭ 408 (-27.79%)
Mutual labels: vulnerability, cve
CVE-2019-8449
CVE-2019-8449 Exploit for Jira v2.1 - v8.3.4
Stars: ✭ 66 (-88.32%)
Mutual labels: vulnerability, cve
uxss-db 🔪
Star the repo, if it was useful for you ⭐️.
Any help is highly appreciated, 🙏 check TODO!
Inspired by js-vuln-db
For memory bugs, exploits and other: check awesome-browser-exploit
You can extract
js-vuln-dbCVEs to.html/.jsfiles using Scripts
Intro
Some CVE ids were not found:
- 0-$$$$ - the issue with id $$$$ in google project zero tracker
- cr-$$$$ - the issue with id $$$$ in Chromium tracker
- some-bug - the vulnerability doesn't have CVE or CVE is unknown
Version field has "?" symbol, if a version wasn't attached to the report
NOTE: Many CVEs aren't listed in the tables below!
Check /other folder = unsorted/unknown/duplicated CVEs and vulnerabilities for less popular browsers
Webkit
| CVE/id | title | version | date |
|---|---|---|---|
| CVE-2017-7089 | UXSS via parent-tab://
|
10? | Sep 20, 2017 |
| CVE-2017-7037 | UXSS via JSObject::putInlineSlow and JSValue::putToPrimitive
|
10? | Mar 10 2017 |
| 0-1197 | WebKit: UXSS via CachedFrameBase::restore
|
10? | Mar 17 2017 |
| CVE-2017-2528 | UXSS: CachedFrame doesn't detach openers |
10? | Mar 10 2017 |
| 0-1163 | UXSS via Document::prepareForDestruction and CachedFrame |
10? | Mar 3 2017 |
| CVE-2017-2510 | UXSS: enqueuePageshowEvent and enqueuePopstateEvent don't enqueue, but dispatch |
10? | Feb 27 2017 |
| CVE-2017-2508 | UXSS via ContainerNode::parserInsertBefore
|
10? | Feb 24 2017 |
| 0-1134 | UXSS via ContainerNode::parserRemoveChild (2) |
10? | Feb 17 2017 |
| 0-1132 | UXSS: the patch of #1110 made another bug | 10 | Feb 16 2017 |
| CVE-2017-2504 | UXSS via Editor::Command::execute
|
10.0.3 | Feb 16 2017 |
| CVE-2017-2493 | UXSS through HTMLObjectElement::updateWidget
|
10.0.3 | Feb 9 2017 |
| CVE-2017-2480 | UXSS via a synchronous page load | 10.0.3 | Feb 9 2017 |
| CVE-2017-2479 | UXSS via a focus event and a link element | 10.0.3 | Feb 9 2017 |
| CVE-2017-2475 | UXSS via ContainerNode::parserRemoveChild
|
10.0.3 | Feb 2 2017 |
| CVE-2017-2468 | Use-After-Free via Document::adoptNode
|
10.0.3 | Jan 23 2017 |
| 0-1094 | UXSS via operationSpreadGeneric
|
10.0.2 | Jan 20 2017 |
| 0-1084 | UXSS via PrototypeMap::createEmptyStructure
|
10.0.2 | Jan 17 2017 |
| CVE-2017-2445 | UXSS via disconnectSubframes
|
10.0.2 | Jan 9 2017 |
| CVE-2017-2442 | UXSS with JSCallbackData
|
10.0.2 | Jan 3 2017 |
| CVE-2017-2367 | UXSS by accessing a named property from an unloaded window | 10.0.2 | Dec 23 2016 |
| CVE-2017-2365 | UXSS via Frame::setDocument
|
10.0.2 | Dec 20 2016 |
| CVE-2017-2364 | UXSS via Frame::setDocument (1). |
10.0.2 | Dec 20 2016 |
| CVE-2017-2363 | UXSS via FrameLoader::clear
|
10.0.2 | Dec 19 2016 |
Chromium
| CVE/id | title | version | date |
|---|---|---|---|
| CVE-2018-6128 | UXSS via URL parsing bug | 66 | May 9 2018 |
| CVE-2017-5124 | UXSS with MHTML | 61 | Oct 20 2017 |
| cr-687844 |
window.external leaks global object + cross origin script access |
57 | Feb 2 2017 |
| CVE-2017-5007 | UXSS through bypassing ScopedPageSuspender with closing windows |
55 | Dec 5 2016 |
| cr-656274 | Cross-origin object leak via fetch
|
56 (canary) | Oct 15 2016 |
| cr-594383 | UXSS via window.open() via file:// pages |
54 | Oct 15 2016 |
| CVE-2016-5207 | UXSS via fullscreen element updates | 54 | Oct 14 2016 |
| CVE-2016-5204 | UXSS by intercepting a UA shadow tree | 52 | Jul 24 2016 |
| CVE-2016-1676 | Persistent UXSS via SchemaRegistry
|
50 | Apr 19 2016 |
| CVE-2016-1667 | UXSS through adopting image elements | 50 | Apr 21 2016 |
| CVE-2016-1674 | UXSS via the interception of Binding with Object.prototype.create
|
49 | Mar 26 2016 |
| CVE-2016-1673 | UXSS using a FrameNavigationDisabler bypass |
49 | Mar 24 2016 |
| cr-583445 | UXSS in DocumentLoader::createWriterFor
|
48 | Feb 2 2016 |
| CVE-2016-1631 | UXSS using Flash message loop | 47 | Dec 14 2015 |
| CVE-2015-6770 | UXSS using document.adoptNode
|
45 | Oct 8 2015 |
| CVE-2015-6769 | UXSS via the unload_event module |
45 | Sep 22 2015 |
| CVE-2015-6765 | UXSS via ContainerNode::parserInsertBefore
|
44 | Aug 11 2015 |
| CVE-2015-1268 | UXSS using IDBKeyRange static methods | 43 | May 31 2015 |
| CVE-2014-1747 | UXSS via local MHTML files | 35 | Dec 25 2013 |
| CVE-2014-1701 | UXSS via dispatchEvent on iframes |
32 | Feb 11 2014 |
| CVE-2011-2856 | Arbitrary cross-origin bypass using __defineGetter__ prototype override |
15 | Aug 18 2011 |
| CVE-2011-3243 | Universal XSS using contentWindow.eval
|
12 | May 24 2011 |
| CVE-2011-1438 | bypass SOP with blob:
|
11 | Mar 2 2011 |
| cr-74372 |
chrome://blob-internals/ XSS |
11 | Feb 28 2011 |
| cr-37383 |
javascript: url with a leading NULL byte can bypass cross origin protection. |
? | Mar 4 2010 |
IE/Edge
| CVE/id | version/date | reporter |
|---|---|---|
| CVE-2015-0072, alternative PoC |
Articles
- (RU) Комикс о UXSS в Safari и Chrome - CVE-2017-5124 + CVE-2017-7089
- Analysis on Internet Explorer's UXSS - CVE-2015-0072
- Universal XSS via Evernote WebClipper
- Mobile Browsers Security: iOS
- SOP bypass / UXSS – Stealing Credentials Pretty Fast (Edge) - May 10, 2017
- Grabbing data from Inputs and Textareas (Edge/IE) - Aug 28, 2016
- Exploring and Exploiting iOS Web Browsers - Łukasz Pilorz, Marek Zmysłowski, Hack In The Box, Amsterdam 2014
- https://leucosite.com blog by @Qab
-
BrokenBrowser blog:
- https://www.brokenbrowser.com/revealing-the-content-of-the-address-bar-ie/
- https://www.brokenbrowser.com/sop-bypass-uxss-tweeting-like-charles-darwin/
- https://www.brokenbrowser.com/sop-bypass-abusing-read-protocol/
- https://www.brokenbrowser.com/microsoft-edge-detecting-installed-extensions/
- https://www.brokenbrowser.com/free-ticket-to-the-intranet-zone/
- https://www.brokenbrowser.com/uxss-ie-domainless-world/
- https://www.brokenbrowser.com/bypass-the-patch-to-keep-spoofing-the-address-bar-with-the-malware-warning/
- https://www.brokenbrowser.com/zombie-alert/
- https://www.brokenbrowser.com/uxss-ie-htmlfile/
- https://www.brokenbrowser.com/uxss-edge-domainless-world/
- https://www.brokenbrowser.com/abusing-of-protocols/
- https://www.brokenbrowser.com/loading-insecure-content-in-secure-pages/
- https://www.brokenbrowser.com/detecting-local-files-to-evade-analysts/
- https://www.brokenbrowser.com/workers-sop-bypass-importscripts-and-basehref/
- https://www.brokenbrowser.com/detecting-apps-mimetype-malware/
- https://www.brokenbrowser.com/referer-spoofing-defeating-xss-filter/
- https://www.brokenbrowser.com/css-history-leak/
- https://www.brokenbrowser.com/grabdatafrominput/
Whitepapers
- X41: Browser Security White Paper + website + repo
- The Definitive Guide to Same-origin Policy
- On the Security of the SOP-DOM Using HTML and JavaScript Code
- Same-Origin Policy: Evaluation in Modern Browsers + slides + talk + your-sop.com
- Google Browser Security Handbook
- A Security Study of Chrome’s Process-based Sandboxing
- A Systematic Approach to Uncover Security Flaws in GUI Logic
- JSON hijacking
- Bypassing the Same Origin Policy - The Browser Hacker’s Handbook (2014)
Browser hacking guides and design docs
Firefox
Tor
Brave
- Brave browser repo
- Component Structure
- Directory Structure
- State - similar to Redux state concept, but just an ImmutableJS object
- How to work with crashes
Chromium
- How Chromium Displays Web Pages
- Chromium: Multi-process Architecture
- Site Isolation Design Document
- Threading and Tasks in Chrome
- Important Abstractions and Data Structures
Webkit
Electron
Specs
Bounties
Misc
- NodeFuzz - web browser fuzzer
- brave/Muon - Build browsers and browser like applications with HTML, CSS, and JavaScript (part of the Brave's bug bounty)
- https://ios.browsr-tests.com - list of SOP bypasses in iOS
- https://github.com/rafaybaloch/SOP-Bypass-Mini-Test-Suite - list of SOP bypasses
- ref_fuzz fuzzer - source code
- javascript - Ways to circumvent the same-origin policy - Stack Overflow - document.domain, window.postMessage, CORS, reverse proxy( + jsonp)
- Slides about cookie security - Cookie same origin policy
- PortSwigger/hackability - "Devtools" for browser security. (useful for less known browsers)
Scripts
# Export `js-vuln-db` repo CVEs to html
bash ./scripts/js-vuln-db-to-format.sh html
# Export `js-vuln-db` repo CVEs to js
bash ./scripts/js-vuln-db-to-format.sh js
Author
Vladimir Metnew mailto:[email protected]
LICENSE
MIT
TODO
- Add these bugs:
- Pwn2Own: content: scheme allows cross-origin info leaks
- Use-after free in leveldb
- Security: UaF in MidiHost round 2 (JS -> Browser code execution)
- https://bugs.chromium.org/p/chromium/issues/detail?id=419383
- https://github.com/mpgn/ByP-SOP
- http://unsafe.cracking.com.ar/demos/edgedatametadata/bing.html
- https://bugs.chromium.org/p/chromium/issues/detail?id=666246
- http://www.cracking.com.ar/demos/workerleak/
- http://www.cracking.com.ar/demos/xmldom/
- http://unsafe.cracking.com.ar/demos/sandboxedge/
- https://www.cracking.com.ar/demos/sop-ax-htmlfile/injectiframexdom.html
- 438085 - Security: SOP bypass via DNS-Rebind (including PoC) - chromium - Monorail
- demonic_browsers.pdf
- JSON hijacking for the modern web | Blog
- Pwnfest 2016 meta bug
- https://bugs.chromium.org/p/chromium/issues/detail?id=682020
- https://blog.jeremiahgrossman.com/2006/08/i-know-where-youve-been.html - that web 1.0 thing
Note that the project description data, including the texts, logos, images, and/or trademarks,
for each open source project belongs to its rightful owner.
If you wish to add or remove any projects, please contact us at [email protected].