Since we launched the ever popular XSS cheat sheet, we’ve had some fantastic contributions from the XSS community. In this post, we thought we’d take the opportunity to highlight the seven best community submissions that we think stand out from the rest.
Number 7: Missing events
At number seven is a whole range of missing events, submitted by @hahwul:
Number 6: Shorter Vue injection
In the sixth position is a Vue based vector entry, from @p4fg – this one uses the v-if attribute to save a few bytes:
Number 5: Tiny AngularJS vector
In at number five, this entry is a nice short vector from @NotSoSecure that may help when you are working under a character limit with an AngularJS injection:
Number 4: DOM based AngularJS vector
The entry at number four is a vector from @kachakil – they add a vector missing from our AngularJS research, and fix it so that it works in other contexts:
Number 3: Unexpected Vue template injection
An unexpected entry at number three! We like this submission from @davwwwx because it injects into an HTML attribute that doesn’t support Vue template expressions – it’s very reminiscent of our AngularJS sandbox bypass.
Number 2: Brand new onbeforeinput event
The penultimate entry is from @laytonctf, who spotted a new and relatively unknown event, onbeforeinput. It is guaranteed to bypass a denylist – or “blacklist” – of known bad events; many WAFs block on* wholesale, but for those that don’t:
Claiming the top spot, and for good reason, is the entry we consider the best of the lot. It’s from @ladecruze, and uses the location object, base64 decoding, and tagged template strings to execute the payload. It’s a nice way to conceal a payload, and should bypass a WAF that doesn’t detect backticks:
If backticks are detected, then you could probably bypass a dumb WAF using the grave entity:
We couldn’t resist finding variants on @ladecruze’s submission, using unescape/decodeURI/decodeURIComponent/String.fromCharCode/String.fromCodePoint. Can you find any more? Share them with us on @PortSwiggerRes if you do…
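As an added example that is not part of this post, the following JavaScript compares simple WAF-style rules over constructed inputs to illustrate the two points above: a fixed denylist of handler names misses an event such as onbeforeinput where a generic on* rule does not, and a backtick check must entity-decode its input before matching or the grave entity slips past it. The denylist, the decoder subset and the sample markup are all constructed for the demonstration.

```javascript
// Added example (not from the post): WAF-style rules over constructed inputs,
// showing the denylist gap for onbeforeinput and the grave-entity gap for backticks.
// Constructed denylist of "known bad" handlers, the approach the post says fails.
const KNOWN_EVENTS = new Set(["onclick", "onload", "onerror", "onmouseover", "onfocus"]);

// Rule A: flag only attribute names that appear on the fixed denylist.
function denylistHit(html) {
  const names = [...html.matchAll(/[\s"']([a-zA-Z-]+)\s*=/g)].map((m) => m[1].toLowerCase());
  return names.some((n) => KNOWN_EVENTS.has(n));
}

// Rule B: flag any attribute whose name starts with "on", whatever the event.
function anyOnAttributeHit(html) {
  return /[\s"']on[a-zA-Z]+\s*=/i.test(html);
}

// Minimal entity decoder (constructed subset): decimal and hex numeric references plus &grave;.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&grave;/g, "`");
}

// Rule C: look for a backtick, either on the raw input or after decoding entities.
function backtickHit(html, decodeFirst) {
  return (decodeFirst ? decodeEntities(html) : html).includes("`");
}

// Run every rule on one input and report which ones fire.
function evaluate(html) {
  return {
    denylist: denylistHit(html),
    anyOn: anyOnAttributeHit(html),
    backtickRaw: backtickHit(html, false),
    backtickDecoded: backtickHit(html, true),
  };
}

// Constructed samples with inert handler bodies, used only to exercise the rules.
const SAMPLES = {
  knownEvent: '<img src=x onerror="1">',
  newEvent: '<div contenteditable onbeforeinput="1">x</div>',
  rawBacktick: '<a onclick="f`x`">y</a>',
  entityBacktick: '<a onclick="f&#x60;x&grave;">y</a>',
};

console.log(Object.fromEntries(Object.entries(SAMPLES).map(([k, v]) => [k, evaluate(v)])));
```

The newEvent sample fires only the on* rule, and the entityBacktick sample fires the backtick rule only after decoding, which is the normalisation step a denylist or literal-match rule needs before inspecting input.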
Got a contribution of your own?
We hope you liked the submissions from the XSS community. If you think you’ve got a vector worthy of adding to the XSS cheat sheet, you can submit a pull request and if it’s good enough, we’ll add it with credit.