xss cheat sheet

Introduction This cheat sheet is meant to be used by bug hunters, penetration testers, security analysts, web application security students and enthusiasts. It’s about Cross-Site Scripting (XSS), the most widespread and common flaw found in the World Wide Web.
There’s lot of work done in this field and it’s not the purpose of this book to cover them all. What you will see here is XSS content created or curated by me. I’ve tried to select what I think it’s the most useful info about that universe, most of the time using material from my own blog which is dedicated to that very security flaw.
Keep in mind that you might need to adapt some of the info presented here to your own scenario (like single to double quotes and vice-versa). Although I try to give you directions about it, any non-imagined specific behavior from you target application might influence the outcome. A last tip: follow instructions strictly. If something is presented in an HTML fashion, it’s because it’s meant to be used that way. If not, it’s probably javascript code that can be used (respecting syntax) both in HTML and straight to existing js code. Unless told otherwise. I sincerely hope it becomes an easy-to-follow consulting material for most of your XSS related needs. Enjoy!
Basics
HTML Context — Simple Tag Injection
Use when input lands inside an attribute’s value of an HTML tag or outside tag except the ones described in next case.
HTML Context — In Block Tag Injection
Use when input lands inside or between opening/closing of the following tags:
HTML Context — Source Injection
Use when input lands as a value of the following HTML tag attributes: href, src, data
or action (also formaction). For src in script tag use an external script call (URL) or
“data:,alert(1)”. 2nd payload below alerts out of target’s context for Webkit browsers.
javascript:alert(1)
data:text/html,
Javascript Context — Code Injection in Logical Block
Use 1st or 2nd payloads when input lands in a script block, inside a string delimited value and inside a single logical block like function or conditional (if, else, etc). If quote is escaped with a backslash, use 3rd payload. ‘}alert(1);{‘ ‘}alert(1)%0A{‘ \’}alert(1);{//
Javascript Context — Tag Injection
Use when input lands anywhere in a script block.
Advanced
Multi Reflection — Double Reflection (Single Input)
Use to take advantage of multiple reflections on same page.
‘onload=alert(1)>
Multi Reflection — Triple Reflection (Single Input)
Use to take advantage of multiple reflections on same page.
*/alert(1)”>’onload=”/*
Multi Input Reflections (Double & Triple)
Use to take advantage of multiple input reflections on same page.
p=
File Upload Injection — Metadata
Use when metadata of uploaded file is reflected somewhere in target page. It uses
command-line exiftool and any metadata field can be set.
brute@logic:~$ exiftool -Artist=’”>
File Upload Injection — SVG File
Use to create a stored XSS on target when uploading image files. Save content below
as “xss.svg”.
DOM Insert Injection
Use to test for XSS when injection gets inserted into DOM as valid markup instead of
being reflected in source code. It works for cases where script tag and other vectors
won’t work.
DOM Insert Injection — Resource Request
Use when javascript code of the page inserts into page the results of a request to an
URL controlled by attacker (injection).
data:text/html,
data:text/html,
Script Injection — No Closing
Use when there’s a closing script tag () somewhere in the code after reflection.
Javascript postMessage() DOM Injection (with Iframe)
Use when there’s a “message” event listener like in “window.addEventListener(‘message’, …)” in javascript code without a check for origin. Target must be able to be framed (X-Frame Options header according to context). Save as HTML file (or using data:text/html) providing TARGET_URL and INJECTION (a XSS vector or payload).
Filter Bypass
Mixed Case XSS
Use to bypass case-sensitive filters.
Unclosed Tags
Use in HTML injections to avoid filtering based in the presence of both lower than (<) and greater than (>) signs. It requires a native greater than sign in source code after input reflection.
Uppercase XSS
Use when application reflects input in uppercase.
Double Encoded XSS
Use when application performs double decoding of input. %253Csvg%2520o%256Enoad%253Dalert%25281%2529%253E %2522%253E%253Csvg%2520o%256Enoad%253Dalert%25281%2529%253E
Alert without Parentheses (Strings Only)
Use in an HTML vector or javascript injection when parentheses are not allowed and a simple alert box is enough. alert`1`
Alert without Alphabetic Chars
Use when alphabetic characters are not allowed. Following is alert(1). [][‘\146\151\154\164\145\162’][‘\143\157\156\163\164\162\165\143\164\157\162’] (‘\141\154\145\162\164\50\61\51’)()
Alert Obfuscation
Use to trick several regular expression (regex) filters. It might be combined with previous alternatives (above). The shortest option “top” can also be replaced by “window”, “parent”, “self” or “this” depending on context. (alert)(1) a=alert,a(1) [1].find(alert) top[“al”+”ert”](1) top[/al/.source+/ert/.source](1) al\u0065rt(1) top[‘al\145rt’](1) top[8680439..toString(30)](1)
— brutelogic






