# Cross Site Scripting
> Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users.
## Summary
- [Cross Site Scripting](#cross-site-scripting)
- [Vulnerability Details](#vulnerability-details)
- [Exploit code or POC](#exploit-code-or-poc)
- [Data grabber for XSS](#data-grabber-for-xss)
- [CORS](#cors)
- [UI redressing](#ui-redressing)
- [Javascript keylogger](#javascript-keylogger)
- [Other ways](#other-ways)
- [Identify an XSS endpoint](#identify-an-xss-endpoint)
- [Tools](#tools)
- [XSS in HTML/Applications](#xss-in-htmlapplications)
- [Common Payloads](#common-payloads)
- [XSS using HTML5 tags](#xss-using-html5-tags)
- [XSS using a remote JS](#xss-using-a-remote-js)
- [XSS in hidden input](#xss-in-hidden-input)
- [XSS when payload is reflected capitalized](#xss-when-payload-is-reflected-capitalized)
- [DOM based XSS](#dom-based-xss)
- [XSS in JS Context](#xss-in-js-context)
- [XSS in wrappers javascript and data URI](#xss-in-wrappers-javascript-and-data-uri)
- [XSS in files](#xss-in-files)
- [XSS in XML](#xss-in-xml)
- [XSS in SVG](#xss-in-svg)
- [XSS in SVG (short)](#xss-in-svg-short)
- [XSS in Markdown](#xss-in-markdown)
- [XSS in SWF flash application](#xss-in-swf-flash-application)
- [XSS in SWF flash application](#xss-in-swf-flash-application-1)
- [XSS in CSS](#xss-in-css)
- [XSS in PostMessage](#xss-in-postmessage)
- [Blind XSS](#blind-xss)
- [XSS Hunter](#xss-hunter)
- [Other Blind XSS tools](#other-blind-xss-tools)
- [Blind XSS endpoint](#blind-xss-endpoint)
- [Tips](#tips)
- [Mutated XSS](#mutated-xss)
- [Polyglot XSS](#polyglot-xss)
- [Filter Bypass and exotic payloads](#filter-bypass-and-exotic-payloads)
- [Bypass case sensitive](#bypass-case-sensitive)
- [Bypass tag blacklist](#bypass-tag-blacklist)
- [Bypass word blacklist with code evaluation](#bypass-word-blacklist-with-code-evaluation)
- [Bypass with incomplete html tag](#bypass-with-incomplete-html-tag)
- [Bypass quotes for string](#bypass-quotes-for-string)
- [Bypass quotes in script tag](#bypass-quotes-in-script-tag)
- [Bypass quotes in mousedown event](#bypass-quotes-in-mousedown-event)
- [Bypass dot filter](#bypass-dot-filter)
- [Bypass parenthesis for string](#bypass-parenthesis-for-string)
- [Bypass parenthesis and semi colon](#bypass-parenthesis-and-semi-colon)
- [Bypass onxxxx= blacklist](#bypass-onxxxx-blacklist)
- [Bypass space filter](#bypass-space-filter)
- [Bypass email filter](#bypass-email-filter)
- [Bypass document blacklist](#bypass-document-blacklist)
- [Bypass document.cookie blacklist](#bypass-document-cookie-blacklist)
- [Bypass using javascript inside a string](#bypass-using-javascript-inside-a-string)
- [Bypass using an alternate way to redirect](#bypass-using-an-alternate-way-to-redirect)
- [Bypass using an alternate way to execute an alert](#bypass-using-an-alternate-way-to-execute-an-alert)
- [Bypass ">" using nothing](#bypass--using-nothing)
- [Bypass "<" and ">" using < and >](#bypass--and--using--and-)
- [Bypass ";" using another character](#bypass--using-another-character)
- [Bypass using HTML encoding](#bypass-using-html-encoding)
- [Bypass using Katakana](#bypass-using-katakana)
- [Bypass using Cuneiform](#bypass-using-cuneiform)
- [Bypass using Lontara](#bypass-using-lontara)
- [Bypass using ECMAScript6](#bypass-using-ecmascript6)
- [Bypass using Octal encoding](#bypass-using-octal-encoding)
- [Bypass using Unicode](#bypass-using-unicode)
- [Bypass using UTF-7](#bypass-using-utf-7)
- [Bypass using UTF-8](#bypass-using-utf-8)
- [Bypass using UTF-16be](#bypass-using-utf-16be)
- [Bypass using UTF-32](#bypass-using-utf-32)
- [Bypass using BOM](#bypass-using-bom)
- [Bypass using weird encoding or native interpretation](#bypass-using-weird-encoding-or-native-interpretation)
- [Bypass using jsfuck](#bypass-using-jsfuck)
- [CSP Bypass](#csp-bypass)
- [Bypass CSP using JSONP from Google (Trick by @apfeifer27)](#bypass-csp-using-jsonp-from-google-trick-by-apfeifer27)
- [Bypass CSP by lab.wallarm.com](#bypass-csp-by-labwallarmcom)
- [Bypass CSP by Rhynorater](#bypass-csp-by-rhynorater)
- [Bypass CSP by @akita_zen](#bypass-csp-by-akita_zen)
- [Bypass CSP by @404death](#bypass-csp-by-404death)
- [Common WAF Bypass](#common-waf-bypass)
- [Cloudflare XSS Bypasses by @Bohdan Korzhynskyi](#cloudflare-xss-bypasses-by-bohdan-korzhynskyi)
- [25st January 2021](#25st-january-2021)
- [21st April 2020](#21st-april-2020)
- [22nd August 2019](#22nd-august-2019)
- [5th June 2019](#5th-june-2019)
- [3rd June 2019](#3rd-june-2019)
- [Cloudflare XSS Bypass - 22nd March 2019 (by @RakeshMane10)](#cloudflare-xss-bypass---22nd-march-2019-by-rakeshmane10)
- [Cloudflare XSS Bypass - 27th February 2018](#cloudflare-xss-bypass---27th-february-2018)
- [Chrome Auditor - 9th August 2018](#chrome-auditor---9th-august-2018)
- [Incapsula WAF Bypass by @Alra3ees- 8th March 2018](#incapsula-waf-bypass-by-alra3ees--8th-march-2018)
- [Incapsula WAF Bypass by @c0d3G33k - 11th September 2018](#incapsula-waf-bypass-by-c0d3g33k---11th-september-2018)
- [Incapsula WAF Bypass by @daveysec - 11th May 2019](#incapsula-waf-bypass-by-daveysec---11th-may-2019)
- [Akamai WAF Bypass by @zseano - 18th June 2018](#akamai-waf-bypass-by-zseano---18th-june-2018)
- [Akamai WAF Bypass by @s0md3v - 28th October 2018](#akamai-waf-bypass-by-s0md3v---28th-october-2018)
- [WordFence WAF Bypass by @brutelogic - 12th September 2018](#wordfence-waf-bypass-by-brutelogic---12th-september-2018)
- [Fortiweb WAF Bypass by @rezaduty - 9th July 2019](#fortiweb-waf-bypass-by-rezaduty---9th-july-2019)
- [References](#references)
## Vulnerability Details
Cross-Site Scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS allows attackers to inject malicious code into a website, which is then executed in the browser of anyone who visits the site. This can allow attackers to steal sensitive information, such as user login credentials, or to perform other malicious actions.
There are 3 main types of XSS attacks:
* **Reflected XSS**: In a reflected XSS attack, the malicious code is embedded in a link that is sent to the victim. When the victim clicks on the link, the code is executed in their browser. For example, an attacker could create a link that contains malicious JavaScript, and send it to the victim in an email. When the victim clicks on the link, the JavaScript code is executed in their browser, allowing the attacker to perform various actions, such as stealing their login credentials.
* **Stored XSS**: In a stored XSS attack, the malicious code is stored on the server, and is executed every time the vulnerable page is accessed. For example, an attacker could inject malicious code into a comment on a blog post. When other users view the blog post, the malicious code is executed in their browsers, allowing the attacker to perform various actions.
* **DOM-based XSS**: is a type of XSS attack that occurs when a vulnerable web application modifies the DOM (Document Object Model) in the user's browser. This can happen, for example, when a user input is used to update the page's HTML or JavaScript code in some way. In a DOM-based XSS attack, the malicious code is not sent to the server, but is instead executed directly in the user's browser. This can make it difficult to detect and prevent these types of attacks, because the server does not have any record of the malicious code.
To prevent XSS attacks, it is important to properly validate and sanitize user input. This means ensuring that all input meets the necessary criteria, and removing any potentially dangerous characters or code. It is also important to escape special characters in user input before rendering it in the browser, to prevent the browser from interpreting it as code.
## Exploit code or POC
### Data grabber for XSS
Obtains the administrator cookie or sensitive access token, the following payload will send it to a controlled page.
```html
```
Write the collected data into a file.
```php
```
### CORS
```html
```
### UI redressing
Leverage the XSS to modify the HTML content of the page in order to display a fake login form.
```html
```
### Javascript keylogger
Another way to collect sensitive data is to set a javascript keylogger.
```javascript
```
### Other ways
More exploits at [http://www.xss-payloads.com/payloads-list.html?a#category=all](http://www.xss-payloads.com/payloads-list.html?a#category=all):
- [Taking screenshots using XSS and the HTML5 Canvas](https://www.idontplaydarts.com/2012/04/taking-screenshots-using-xss-and-the-html5-canvas/)
- [JavaScript Port Scanner](http://www.gnucitizen.org/blog/javascript-port-scanner/)
- [Network Scanner](http://www.xss-payloads.com/payloads/scripts/websocketsnetworkscan.js.html)
- [.NET Shell execution](http://www.xss-payloads.com/payloads/scripts/dotnetexec.js.html)
- [Redirect Form](http://www.xss-payloads.com/payloads/scripts/redirectform.js.html)
- [Play Music](http://www.xss-payloads.com/payloads/scripts/playmusic.js.html)
## Identify an XSS endpoint
This payload opens the debugger in the developer console rather than triggering a popup alert box.
```javascript
```
Modern applications with content hosting can use [sandbox domains][sandbox-domains]
> to safely host various types of user-generated content. Many of these sandboxes are specifically meant to isolate user-uploaded HTML, JavaScript, or Flash applets and make sure that they can't access any user data.
[sandbox-domains]:https://security.googleblog.com/2012/08/content-hosting-for-modern-web.html
For this reason, it's better to use `alert(document.domain)` or `alert(window.origin)` rather than `alert(1)` as default XSS payload in order to know in which scope the XSS is actually executing.
Better payload replacing ``:
```html
```
While `alert()` is nice for reflected XSS it can quickly become a burden for stored XSS because it requires to close the popup for each execution, so `console.log()` can be used instead to display a message in the console of the developer console (doesn't require any interaction).
Example:
```html
```
References:
- [Google Bughunter University - XSS in sandbox domains](https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain)
- [LiveOverflow Video - DO NOT USE alert(1) for XSS](https://www.youtube.com/watch?v=KHwVjzWei1c)
- [LiveOverflow blog post - DO NOT USE alert(1) for XSS](https://liveoverflow.com/do-not-use-alert-1-in-xss/)
### Tools
Most tools are also suitable for blind XSS attacks:
* [XSSStrike](https://github.com/s0md3v/XSStrike): Very popular but unfortunately not very well maintained
* [xsser](https://github.com/epsylon/xsser): Utilizes a headless browser to detect XSS vulnerabilities
* [Dalfox](https://github.com/hahwul/dalfox): Extensive functionality and extremely fast thanks to the implementation in Go
* [XSpear](https://github.com/hahwul/XSpear): Similar to Dalfox but based on Ruby
* [domdig](https://github.com/fcavallarin/domdig): Headless Chrome XSS Tester
## XSS in HTML/Applications
### Common Payloads
```javascript
// Basic payload
ipt>alert('XSS')ipt>
">
">
//parseInt("confirm",30) == 8680439 && 8680439..toString(30) == "confirm"