Effective Payload Generation Method

XSS Components:

ID
Components

1

Tags

2

Special attributes

3

Pseudoprotocols

4

Malicious code

5

Closed characters

6

Events

-------------------------------------------------------------

-------------------------------------------------------------

Component: tags:

ID
Tags

1

<a>

2

<p>

3

<img>

4

<body>

5

<script>

6

<var>

7

<div>

8

<object>

9

<input>

10

<select>

11

<iframe>

12

<frameset>

13

<embed>

14

<svg>

15

<video>

16

<audio>

-------------------------------------------------------------

Special attributes:

ID
special attributes

1

src

2

dynsrc

3

lowsrc

4

href

5

action

6

data

7

background

8

formaction

9

poster

10

code

11

location

12

name

-------------------------------------------------------------

Pseudoprotocols:

ID
Pseudoprotocols

1

Javascript

2

data

-------------------------------------------------------------

Malicious code:

ID
Malicious code

1

alert()

2

confirm()

3

prompt()

4

self.location

5

top.location

6

location.href

-------------------------------------------------------------

Events:

  • - onabort: This event is triggered when an image fails to load.
- onerror: This event is triggered when an error occurs or an image fails to load.
- onload: This event is triggered when an object has loaded.
- onchange: This event is triggered when the content of a form element, the selection, or the checked state has changed (for <input>, <select>, <textarea>).
- onsubmit: This event is triggered when a form is submitted.
- onreset: This event is triggered when a form is reset.
- onselect: This event is triggered after some text has been selected in an element.
- onblur: This event is triggered when an element loses focus.
- onfocus: This event is triggered when an element receives focus.Pyload= "onfocus=alert(1337) autofocus="
- onkeydown: This event is triggered when a key is pressed.
- onkeypress: This event is triggered when a key is pressed and released.
- onkeyup: This event is triggered when a key is released.
- onclick: This event is triggered when an element is clicked.
- ondblclick: This event is triggered when an element is double-clicked.
- onmousedown: This event is triggered when a mouse button is pressed.
- onmousemove: This event is triggered when the mouse is moved.
- onmouseout: This event is triggered when the mouse is moved off an element.
- onmouseover: This event is triggered when the mouse is moved over an element.
- onmouseup: This event is triggered when a mouse button is released.

-------------------------------------------------------------

XSS Payload bypass method:

Mutation forms
Specific description

Coding confusion

1.HTML encode

2. Unicode encode

3. URL encode

4.Base64

Sensitive words replacement

5. Events-sensitive words replacement

6. Sensitive functions replacement

7. Blank character replacement

8. Bracket replacement

Position or form change

9. Attributes and events swap positions

10. Case change

11. Shape transformation of pop-up window function

Add special characters

  1. Add a blank character (between the event and the trigger code)

13. Insert the tag into the tag

14. Add notes (between the function and the parentheses)

15. Add some characters before or after the vector

PreviousUnderstanding XSS filtersNextXSS WAF Bypass Trick

Last updated