search

🧨XSS Context Besed

hashtag
Path-based xss with different types of methods

hashtag
Inecject payload in every path and check xss

hashtag
append fake parameters in every path and check the xss vulnerability

hashtag
PATH Based - XSS Injection

Example:
https://premierbuild.com/asad"><img src=a onerror=alert(document.domain)>/..CFIDE/administrator/index.cfm
https://www.premierbuild.com/asad%22%3E%3Cimg%20src=a%20onerror=alert(document.domain)%3E/..CFIDE/administrator/index.cfm
https://mobile.premierbuild.com/asad%22%3E%3Cimg%20src=a%20onerror=alert(document.domain)%3E/..CFIDE/administrator/index.cfm
https://m.atlas.kfc.co.uk:8443/MicroStrategyLibrary/style/vge01'-alert(document.domain)-'vephk/favicon.ico
https://app-webtech-web.plutopreprod.tv/stream-br/category/5"><svg onload=alert(document.cookie)>"f862733747338000786e085/view-all
https://www.allianz.es/xx<a href="javascript:prompt(document%2edomain)">aaaa.childrenlist.html
https://www.allianz.es/seguros/especialidades/"><img src=a onerror=alert(document.domain)>.childrenlist.html

  • first Realize what Path value is Reflected in the Source Code:

  • Copy Path value and Search in Source Code then escape it....

<form action="/gym.php" method="POST">

  • Then, type Simple input like asad after Path-Valueand realize that input was reflected on the page or source code or inspect Dom

  • if reflected then put Path-Value">asad and check if it escapes the area where it is reflected

  • Then try After Path: Path-Value'"><script>alert(1)</script>

  • And try/ After Path: Path-Value/'"><script>alert(1)</script>

  • And try; After Path: Path-Value/;'"><script>alert(1)</script>

  • And Then try ? After Path: Path-Value/?'"><script>alert(1)</script>

  • And Then try ? After Path: Path-Value/?&xx&xx'"><script>alert(1)</script>

  • And Then try > After Path: Path-Value>'"><script>alert(1)</script>

  • Try & After Path: Parameter-Value&'"><script>alert(1)</script>

hashtag
---------------------------------------------------------------

hashtag
My-XSS-Probe:

hashtag
If Payload Encode then Search .replace in Source-Code

LogoUrl encode - W3cubToolstools.w3cub.comchevron-right
LogoHtml Escape/Unescape - W3cubToolstools.w3cub.comchevron-right
LogoDeobfuscate Code - W3cubToolstools.w3cub.comchevron-right

hashtag
Double URL Escape encoding:

hashtag
Unicode Escape encoding:

hashtag
HTML entity Escape encoding:

hashtag
---------------------------------------------------------------

hashtag
HTML Context:

hashtag
Sunerio:

hashtag
---------------------------------------------------------------

hashtag
Attribute Context:

hashtag
Sunerio:

hashtag
---------------------------------------------------------------

hashtag
URL Context:

hashtag
Script Tag:

hashtag
Sunerio:

hashtag
Anchor Tag:

hashtag
Sunerio:

hashtag
Iframe Tag:

hashtag
Sunerio:

hashtag
Form Tag:

hashtag
Sunerio:

hashtag
Frameset Tag:

hashtag
Sunerio:

hashtag
---------------------------------------------------------------

hashtag
javascript Context:

hashtag
Single Qoute:

hashtag
Sunerio:

hashtag
Double Qoute:

hashtag
Sunerio:

hashtag
Without Qoute:

hashtag
Sunerio:

hashtag
---------------------------------------------------------------

hashtag
---------------------------------------------------------------

hashtag
Parameters

hashtag
looking in your Burp proxy History for ?parameter=

You can also browse endpoint.js files (look for innerHTML, var = getParameter() parameter pathname document.write(, document.cookie, location.href, location.search redirectUrl, window.hash)or you can simply brute force commonly known parameter names, such as returnUrl.

large companies re-use code & parameter names across lots of endpoints.

hashtag
Note: Do not waste time browsing things such as jquery.js.

hashtag
Typically these files do not contain anything that will be of use to you.

hashtag
Go for the custom-made specific endpoint.js files.

hashtag
---------------------------------------------------------------

hashtag
HTML Injections ……

hashtag
You can customize the payloads to find what it reflects and manually make a bypass payload.

hashtag
Simple HTML Injection

hashtag
Use when input lands inside an attribute’s value outside the tag except the ones described in the next case.

hashtag
The most straightforward one is that input is reflected just right in the code between existing tags, after or before them. Without the need to escape or break anything,

hashtag
---------------------------------------------------------------

hashtag
HTML entity and URL encoding:

hashtag
if Block onerror,onload,onclick Event-handler – Use this

hashtag
Use when input lands inside an attribute’s value of an HTML tag or outside tag. But if Block onerror, onload, onclick Event-handler “Then Use “onpointerrawupdate” event-handler case below.

hashtag
Always look to the attribute value (Double Quotes) or (Single Quotes) then add the payload

hashtag
---------------------------------------------------------------

hashtag
---------------------------------------------------------------

hashtag
Simple HTML Injection – Attribute Breakout

hashtag
Use when input lands inside an attribute’s value of an HTML tag or outside tag except the ones described in the “Tag Block Breakout” case below.

hashtag
Always look to the attribute value (Double Quotes) or (Single Quotes) then add the payload

hashtag
---------------------------------------------------------------

hashtag
Simple HTML Injection – Comments Breakout

hashtag
Use when input lands inside the comments section (between <!--and --> ) of the HTML document.

hashtag
---------------------------------------------------------------

hashtag
inside Comments Bypass

hashtag
Vector to use if only anything inside HTML comments is allowed.

hashtag
Regex example: /<!--.*-->/

hashtag
---------------------------------------------------------------

hashtag
HTML Injection in JS (Javascript) Block – Script Breakout

hashtag
Input sometimes lands into a javascript block (script tags), but the website blocks single or Double Quotes, usually in the value of some variable of the code. However because the HTML tags have priority in the browser’s parsing, we can simply terminate the block and insert a new tag.

hashtag
Always look to the attribute value (Double Quotes) or (Single Quotes) then add the payload

hashtag
---------------------------------------------------------------

hashtag
Simple HTML Injection – Tag Block Breakout

hashtag
Use when input lands inside or between opening/closing of some tags like title, style, script, iframe, noscript, xmp, pre, and textarea, respectively.

hashtag
Always look to the attribute value (Double Quotes) or (Single Quotes) then add the payload

hashtag
---------------------------------------------------------------

hashtag
HTML Injection - Inline

hashtag
Almost simple but with a little “> prepended to break out of the current tag.

hashtag
Always look to the attribute value (Double Quotes) or (Single Quotes) then add the payload

hashtag
--------------------------------------------------------------

hashtag
HTML Injection - Inline: No Tag Breaking

hashtag
Use when input lands inside an attribute’s value of an HTML tag but that tag can’t be terminated by greater than sign (>).

hashtag
When input lands in an HTML attribute and there’s filtering of greater than character (>), it’s not possible to break out of the current tag like in the previous case.

(>), it’s not possible to break out of current tag

So we use an event handler appropriate to the very tag we are injecting into, like:

Which closes the value and gives room to the insertion of the onmouseover event handler. Pointing to alert(1) followed by double slashes to comment out the hanging quote, which triggers the js popup when the victim points his/her mouse over the affected input field.

hashtag
Always look to the attribute value (Double Quotes) or (Single Quotes) then add the payload

hashtag
---------------------------------------------------------------

hashtag
HTML Injection - Source

hashtag
Use when input lands as a value of the following HTML tag attributes: href, src, data, or action (also formaction). The second one is exclusive to script tags.

hashtag
---------------------------------------------------------------

hashtag
HTML Injection – Script Breakout

hashtag
Use when input lands anywhere within a script block. The vectors make use of the native (since input lands in the middle of a script block) to close the injected script.

hashtag
---------------------------------------------------------------

hashtag
Multi Reflection HTML Injection - Double Reflection (Single Input)

hashtag
Use to take advantage of multiple reflections on the same page. They also have attribute-breaking capabilities with a double quote for most common scenarios.

hashtag
---------------------------------------------------------------

hashtag
Multi Reflection i HTML Injection - Triple Reflection (Single Input)

hashtag
Use to take advantage of multiple reflections on the same page.

hashtag
---------------------------------------------------------------

hashtag
Multi-Input Reflections HTML Injection - Double & Triple

hashtag
Use to take advantage of multiple input reflections on the same page. Also useful in HPP (HTTP Parameter Pollution) scenarios, where there are reflections for repeated parameters. 4th payload makes use of comma-separated reflections of the same parameter.

hashtag
---------------------------------------------------------------

hashtag
Multi-Input Reflections HTML Injections - JSON Encode Bypass

hashtag
Use to take advantage of multiple input reflections on the same page. Useful when the 1st reflection has no execution potential and the 2nd reflection is on JSON encoded Javascript block. Vectors for parameters “p” and “q” and for “pq” which means just one parameter reflecting in those 2 different places of the code.

hashtag
---------------------------------------------------------------

hashtag
Multi Reflection HTML Injection - Alert Reuse

hashtag
A vector that reflects at least twice in which the payload alert(1) is also the HTML tag or element. 2nd payload fires without user interaction.

hashtag
---------------------------------------------------------------

hashtag
HTML InjectionEscaped Quote Filter Bypass

hashtag
Use when quotes are escaped with a backslash (" or ') in HTML context. Escaping quotes in an HTML Context is useless to prevent the breakout but changes the vector in a way that can fool filters and WAFs.

hashtag
---------------------------------------------------------------

hashtag
Markdown Vector

hashtag
Use in text boxes, comment sections, etc that allows some markup input. Click to fire.

hashtag
---------------------------------------------------------------

hashtag
CommonMark Vectors

hashtag
Use in text boxes, comment sections, etc that allows some markup (CommonMark-like) input. Click to fire.

hashtag
---------------------------------------------------------------

hashtag
Onscroll Universal Vector

hashtag
That vector fires without user interaction using the onscroll event handler. It works with address, blockquote, body, center, dir, div, dl, dt, form, li, menu, ol, p, pre, ul, and h1 to h6 HTML tags.

hashtag
---------------------------------------------------------------

hashtag
Type Juggling

hashtag
Use to pass an “if” condition matching a number in loose comparisons.

hashtag
---------------------------------------------------------------

hashtag
SQLi Error-Based Vector

hashtag
Use in endpoints where a SQL error message can be triggered (with a quote or backslash).

hashtag
---------------------------------------------------------------

hashtag
PATH Based - XSS Injection

  • first Realize what URL or Path value is Reflected in the Source Code

  • Then, type Simple input like asad after Path-Valueand realize that input was reflected on the page or source code or inspect Dom

  • if reflected then put Path-Value">asad and check if it escapes the area where it is reflected

hashtag
---------------------------------------------------------------

hashtag
PHP_SELF HTML Injection

hashtag
Use when the current URL is used by PHP code as an “action” attribute of an HTML form. Inject between php filename and the start of URL query (?) using a leading slash (/)

hashtag
---------------------------------------------------------------

hashtag
URL Reflection HTML Injection in PHP

hashtag
When the URL is reflected somehow in the source code, we can add our own XSS vector/payload to it. For PHP pages it’s possible to add anything in the URL after the page name (without changing it) with the use of a slash character (/).

hashtag
try Endpoint: .php/"><svg onload=alert(1)>

hashtag
try Endpoint: .htm/"><svg onload=alert(1)>

The leading tag breaking (“>) is needed to break out of the current tag and make possible the insertion of a new one.

hashtag
---------------------------------------------------------------

hashtag
HTML Injection in JSP Path

hashtag
try Endpoint: .jsp/"><svg onload=alert(1)>

hashtag
try Endpoint: .do/"><svg onload=alert(1)>

hashtag
try Endpoint: .htm/"><svg onload=alert(1)>

hashtag
Use in JSP-based applications in the path of URL.

hashtag
---------------------------------------------------------------

hashtag
Vectors Exclusive for ASP Pages

hashtag
try Endpoint: .asp/"><svg onload=alert(1)>

hashtag
try Endpoint: .htm/"><svg onload=alert(1)>

hashtag
Use to bypass <[alpha] filtering in .asp pages.

hashtag
XSS in ASP pages reflected inside span and < blocked

hashtag
---------------------------------------------------------------

hashtag
Vectors Exclusive for ASP Page - Percentage Padding

hashtag
Use to bypass <[alpha] and keyword filtering in .asp pages.

hashtag
---------------------------------------------------------------

hashtag
Body Vectors

hashtag
A collection of body vectors.

hashtag
---------------------------------------------------------------

hashtag
Weird XSS vectors

hashtag
Just some odd/weird vectors that I don’t see mentioned often.

hashtag
---------------------------------------------------------------

hashtag
Less Known XSS Vectors

hashtag
A collection of less-known XSS vectors.

hashtag
---------------------------------------------------------------

hashtag
Mixed Case Bypass

hashtag
Use to bypass case-sensitive filters.

hashtag
---------------------------------------------------------------

hashtag
Unclosed Tags

hashtag
Use to avoid filtering based on the presence of both lower than (<) and greater than (>) signs. It requires a native greater than sign in source code after input reflection.

hashtag
---------------------------------------------------------------

hashtag
Uppercase Vector

hashtag
Use when the application reflects input in uppercase. Replace “&” with “%26” and “#” with “%23” in URLs.

hashtag
---------------------------------------------------------------

hashtag
Extra Content for Script Tags

hashtag
Use when the filter looks for “<script>” or “<script src=...” with some variations but without checking for other non-required attributes.

hashtag
---------------------------------------------------------------

hashtag
Fake Tags

hashtag
Just some HTML vectors to try to fool filters.

hashtag
---------------------------------------------------------------

hashtag
Fake Twin Tags

hashtag
Some HTML vectors try to fool filters using the same attribute for the real and the fake tag.

hashtag
---------------------------------------------------------------

hashtag
Alert without ParenthesesHTML Entities

hashtag
Use only in HTML injections when parentheses are not allowed. Replace “&” with “%26” and “#” with “%23” in URLs.

hashtag
---------------------------------------------------------------

hashtag
PHP Email Validation Bypass

hashtag
Use to bypass the FILTER_VALIDATE_EMAIL flag of PHP’s filter_var() function.

hashtag
---------------------------------------------------------------

hashtag
Second-order HTML Injection

hashtag
Use when your input will be used twice like stored normalized in a database and then retrieved for later use or inserted into DOM.

hashtag
---------------------------------------------------------------

hashtag
Other SVG Vectors with Event Handlers

hashtag
Use against blacklists.

hashtag
---------------------------------------------------------------

hashtag
Vectors without Event Handlers

hashtag
Use as an alternative to event handlers, if they are not allowed. Some require user interaction as stated in the vector itself (also part of them).

hashtag
---------------------------------------------------------------

hashtag
Vectors with Agnostic Event Handlers > Bypass Filter HTML Tag

hashtag
Use the following vectors when all known HTML tag names are not allowed. Any alphabetic char or string can be used as a tag name in place of “k”. They require user interaction as stated by their very text content (which makes part of the vectors too) except the last ones.

hashtag
---------------------------------------------------------------

hashtag
Vector Without Alert - Eval + URL

hashtag
Use as an alternative to call alert, prompt, and confirm. The first payload is the primitive form while the second replaces eval with the value of the id attribute of the vector used. URL must be in one of the following ways, in the URL path after the PHP extension or in a fragment of the URL, except in the last vector (it already has its payload). Plus sign (+) must be encoded in URLs.

hashtag
---------------------------------------------------------------

hashtag
Vector without Parentheses, Backticks or Entities

hashtag
Use as alternative to alert(1), alert1 or HTML Entities versions of those.

hashtag
---------------------------------------------------------------

hashtag
SVG Vectors without Event Handlers

hashtag
Use to avoid filters looking for event handlers or src, data, etc. The last one is Firefox only, already URL encoded.

hashtag
---------------------------------------------------------------

hashtag
Using Attributes to Store Strings

hashtag
The following vectors make use of the mandatory attribute to store the address of the import() function. Since it returns a valid image, “onload” is used instead of “onerror” in the 2nd vector below.

hashtag
---------------------------------------------------------------

hashtag
Agnostic Event Handlers Vectors – CSS3 Based

hashtag
Vectors with event handlers that can be used with arbitrary tag names useful to bypass blacklists.

hashtag
---------------------------------------------------------------

hashtag
Vectors for Fixed Input Length

hashtag
Use when input must have a fixed length like in most common following hashes.

hashtag
---------------------------------------------------------------

hashtag
Inner & Outer HTML Properties Alternative

hashtag
These last vectors make use of innerHTML and outerHTML properties of elements to get the same result as the location ones. But they require to creation of a complete HTML vector instead of a “javascript:alert(1)” string. The following collections of elements can be used here with index 0 to make it easier to follow: all[0], anchors[0], embeds[0], forms[0], images[0], links[0], and scripts[0]. They all can replace the head or body elements used below.

PreviousBash ScriptNextXSS Cheat Sheet

Last updated