Our favourite community contributions to the XSS cheat sheet

by Prapattimynk, Wednesday, 23 August 2023 (6 months ago)


Image: some sticky notes showing contributions to the XSS cheat sheet

Since we launched the ever popular XSS cheat sheet, we’ve had some fantastic contributions from the XSS community. In this post, we thought we’d take the opportunity to highlight the seven best community submissions that we think stand out from the rest.

Number 7: Missing events

At number seven is a whole range of missing events, submitted by @hahwul:

hahwul(45)

View this entry on the XSS cheat sheet

Number 6: Shorter Vue injection

In the sixth position is a Vue based vector entry, from @p4fg – this one uses the v-if attribute to save a few bytes:

View this entry on the XSS cheat sheet

Number 5: Tiny AngularJS vector

In at number five, this entry is a nice short vector from @NotSoSecure that may help when you have a character restriction limit with an AngularJS injection:

View this entry on the XSS cheat sheet

Number 4: DOM based AngularJS vector

The entry at number four is a vector from @kachakil – they add a missing vector from our AngularJS research, and fix it so that it works in other contexts:

{y:''.constructor.prototype}.y.charAt=[].join;[1]|orderBy:'x=alert(1)'

View this entry on the XSS cheat sheet

Number 3: Unexpected Vue template injection

An unexpected entry at number three! We like this submission from @davwwwx because it injects into an HTML attribute that doesn’t support Vue template expressions – it’s very reminiscent of our AngularJS sandbox bypass.

View this entry on the XSS cheat sheet

Number 2: Brand new onbeforeinput event

The penultimate entry is from @laytonctf, who spotted a relatively new and little-known event, onbeforeinput. It is guaranteed to bypass a denylist (or “blacklist”) of known bad events; many WAFs block on* wholesale, but for those that don’t:

View this entry on the XSS cheat sheet
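To make the denylist point concrete, here is an added example (our own illustration, not code from the original post or from the cheat sheet) that contrasts a substring denylist of “known bad” event names with a check that parses the markup and treats every attribute whose name starts with on as an inline handler. The sample markup and the event list are constructed for the demonstration; the only event-specific fact it relies on is the one in the entry above, namely that onbeforeinput is an event that older denylists do not know about.

```python
"""Denylist versus structural check for inline event handlers.

Added example, not code from the original post. The denylist below is
deliberately incomplete, standing in for a filter that predates
onbeforeinput; the structural check needs no list of event names at all.
"""
from html.parser import HTMLParser

# Constructed denylist of "known bad" events (assumption: a filter written
# before onbeforeinput existed would look something like this).
KNOWN_BAD_EVENTS = {"onclick", "onload", "onerror", "onmouseover", "onfocus"}


def denylist_check(html: str) -> list:
    """Naive filter: substring-match known event names in the raw text.

    Returns the sorted list of denylisted names it found (empty means "clean").
    """
    lowered = html.lower()
    return sorted(name for name in KNOWN_BAD_EVENTS if name in lowered)


class HandlerFinder(HTMLParser):
    """Collects (tag, attribute) pairs for every on* attribute the parser sees."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, _value in attrs:
            # html.parser lower-cases attribute names, so the comparison is
            # made on the parsed name rather than on the raw input text.
            if name.startswith("on"):
                self.found.append((tag, name))


def structural_check(html: str) -> list:
    """Allowlist mindset: any on* attribute is an inline handler, whatever its name.

    Returns the list of (tag, attribute) pairs found (empty means "clean").
    """
    finder = HandlerFinder()
    finder.feed(html)
    finder.close()
    return finder.found


# Constructed samples (not taken from the post); the handler bodies are
# placeholders, since the point is the attribute name, not its value.
SAMPLES = {
    "known_event": '<img src=x onerror="x">',
    "new_event": '<div contenteditable onbeforeinput="x">edit me</div>',
}

if __name__ == "__main__":
    for label, markup in SAMPLES.items():
        print(f"{label}: denylist={denylist_check(markup)} "
              f"structural={structural_check(markup)}")
```

Run as a script, the denylist flags the first sample and waves the second through, while the structural check reports the on* attribute in both. The practical lesson for a filter or sanitizer is the same one the entry above makes: decide what attributes are allowed on which elements and drop everything else, rather than trying to enumerate every event the browser might add next.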

Number 1: Base64 encoded javascript redirection

Claiming the top spot, and for good reason, is the entry we most wanted to highlight. It’s from @ladecruze, and uses the location object, base64 decoding, and tagged template strings to execute the payload. It’s a nice way to conceal a payload, and it should bypass a WAF that doesn’t detect backticks:

If backticks are detected, then you could probably bypass a dumb WAF using the grave entity:

View this entry on the XSS cheat sheet

Mini challenge

We couldn’t resist finding variants on @ladecruze’s submission, using unescape/decodeURI/decodeURIComponent/String.fromCharCode/String.fromCodePoint. Can you find any more? Share them with us on @PortSwiggerRes if you do…

Got a contribution of your own?

We hope you liked the submissions from the XSS community. If you think you’ve got a vector worthy of adding to the XSS cheat sheet, you can submit a pull request and if it’s good enough, we’ll add it with credit.
