GMSGadget 🚀

This project is inspired by the work of slekies, kkotowicz, and sirdarckcat in their Black Hat USA 2017 talk, “Breaking XSS Mitigations via Script Gadgets” (paper, slides, video, github).

GMSGadget (Give Me a Script Gadget) is a collection of JavaScript gadgets that can be used to bypass XSS mitigations such as Content Security Policy (CSP) and HTML sanitizers like DOMPurify.

It’s important to note that this is not a list of exploits. The gadgets listed here are either patched vulnerabilities or intended JavaScript behaviors that can be leveraged to bypass HTML restrictions.

Your contributions are welcome! Whether it’s submitting new gadgets, improving documentation, or reporting issues, feel free to get involved. Check out the contribution guidelines to get started.


This project uses the GTFOBins website template as a base. Big thanks to its creators for the clean and effective design!

Showing 58 of 58 libraries.
Library | Tags | Attributes | CSP | Timing
addtoany | img | name src | strict-dynamic | before-load
ajaxify | any | id class | strict-dynamic | before-load
angular.js | any | custom | wh-host nonce unsafe-eval | before-load
astro | doc-tags | name | strict-dynamic | before-load
axios | form | name value | | before-call
bootstrap | any | data-* title href id | strict-dynamic | before-call before-load
ckplayer | img | name src | strict-dynamic | before-call
clipboard.js | any | class data-* href | | any
closure | img | name src | strict-dynamic | before-load
curl | doc-tags | data-* name | strict-dynamic | before-load
cusdis | doc-tags | name data-* | | before-load
dojo-toolkit | script | data-* | unsafe-eval | before-load
dompurify | script | src | | before-load func-parameter
doomcaptcha | img | name label | | before-load
fresh | any | id | | before-load
google-client-api | iframe | name src | unsafe-eval | before-call
handlebars | any a | href any | unsafe-eval | func-parameter
htmx | any | data-* custom | unsafe-eval | before-load before-call func-parameter
inspire.js | img | src name | strict-dynamic | before-load
jquery-mobile | any | data-* | unsafe-eval strict-dynamic | before-load
jquery-ui | ul li a | id href | | before-call
jquery-ujs | a | data-* href | | any
jquery | script text-tags | any | strict-dynamic | before-call func-parameter
knockout | any | data-* | unsafe-eval | before-call
layui | img | name src | strict-dynamic | before-load
materialize | any select optgroup | class data-* label | | before-call
mathjax | img any a | name src any id href | strict-dynamic | before-load
mavo | img | src | strict-dynamic | before-call
mustache | any a | href any | | func-parameter
next.js | any | id | strict-dynamic | before-load
pagefind | img | src name | strict-dynamic | before-load
plausible-analytics | img | data-* | | before-load
plotly.js | img | src name | | before-load
polyfills | img link | src name rel href | strict-dynamic | before-load
prism | img | name data-* | strict-dynamic | before-load
ractive | script | id | nonce unsafe-eval | func-parameter
rails-ujs | a | data-* href | nonce | any
react-router | iframe | srcdoc | wh-host | any
recaptcha | any | class data-* custom | wh-host unsafe-eval | before-load
require.js | script | data-* | strict-dynamic | before-load
rollup | img | name src | strict-dynamic | before-load
rspack | img | name src | strict-dynamic | before-load
sea.js | img | src name | strict-dynamic | before-call
stage.js | img | src | strict-dynamic | before-call
steal.js | img | src | | before-call
tarteaucitron | img | name src | | before-call
tinymce | any noscript comment | any | | func-parameter
tsup | img | name src | strict-dynamic | before-load
turbo-frame | a | href data-* | | any
uikit | any a | data-* | | any
umeditor | a | id | strict-dynamic | before-load
underscore | text-tags | any | unsafe-eval | func-parameter
unpoly | any | custom | unsafe-eval | before-load
vite | img | name src | strict-dynamic | before-load
vue.js | any | custom any | unsafe-eval | func-parameter
webpack | img script | name src | strict-dynamic unsafe-eval | before-load
webwhiz | any | id data-* custom | | before-load
wordpress | script | src | wh-host | any