This page collects reflected XSS test cases from an array of sources into various sinks.
The sinks are distributed to cover the HTML contexts, while the sources try to
cover as many of the real data sources as possible.
Unless otherwise specified, no escaping is performed on the payload.
HTML Contexts
This class of XSS simply takes a value from the parameter and echoes it
back in an HTML page in a specific HTML context.
Error status codes:
Simple body-based reflected XSS served with an error HTTP status code.
Tags with special semantics:
Tags that ignore content in between the closing and the opening tag
- Parameter - iFrame Attribute Value - The parameter is used as an attribute value, i.e.
<iframe attribute=%q>
- Parameter - iFrame srcdoc - The parameter is used as an attribute value, i.e.
<iframe srcdoc=%q>
The srcdoc attribute is supposed to be used together with the sandbox and seamless attributes.
If a srcdoc attribute is present within an iframe it will override content specified by the
src attribute. Thereby it accepts arbitrary HTML code which will be rendered inside the iframe.
- Parameter - Textarea - The parameter is echoed in a TEXTAREA tag's CDATA. In this case, no
parsing of the payload is performed unless the TEXTAREA tag is closed.
- Parameter - Textarea Attribute Value - The parameter is used as an attribute value, i.e.
<textarea attribute=%q>
- Parameter - NoScript - The parameter is echoed in a NOSCRIPT tag's CDATA. In this case, no
parsing of the payload is performed unless the NOSCRIPT tag is closed.
- Parameter - Style Attribute Value - The parameter is used as an attribute value, i.e.
<style attribute=%q>
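The srcdoc, textarea and noscript sinks above each need a different output encoding, which is why a single escaping rule is not enough. The following is an added illustration (not Firing Range's own code) with constructed templates standing in for the sinks; it shows the encoding that neutralises each context and, for srcdoc, what the iframe actually parses after attribute decoding.

```python
import html

# Constructed templates standing in for the page's sinks (not Firing Range code).
TEMPLATES = {
    "body": "<p>{}</p>",
    "attr": '<iframe name="{}"></iframe>',   # quoted, unlike <iframe attribute=%q>
    "srcdoc": '<iframe srcdoc="{}"></iframe>',
    "textarea": "<textarea>{}</textarea>",
    "noscript": "<noscript>{}</noscript>",
}

def escape_for_context(value: str, context: str) -> str:
    """Encode a reflected parameter for the HTML context it lands in."""
    if context in ("body", "attr"):
        # Escaping makes '<' and quotes inert; an attribute value must also be
        # quoted by the template, otherwise a space still ends the value.
        return html.escape(value, quote=True)
    if context == "srcdoc":
        # The browser decodes the attribute, then parses the result as a whole
        # HTML document. Encode once for that document, then again for the
        # attribute, so what the iframe sees is text rather than markup.
        return html.escape(html.escape(value, quote=True), quote=True)
    if context in ("textarea", "noscript"):
        # Raw-text/RCDATA element: only a closing tag ends it, so encoding '<'
        # removes the one way out. quote=False keeps quotes readable.
        return html.escape(value, quote=False)
    raise ValueError(f"unknown context {context!r}")

def render(context: str, value: str, escape: bool = True) -> str:
    """Render the sink with or without context-aware encoding."""
    v = escape_for_context(value, context) if escape else value
    return TEMPLATES[context].format(v)

def srcdoc_document(rendered_iframe: str) -> str:
    """What the iframe parses: the srcdoc attribute after entity decoding."""
    start = rendered_iframe.index('srcdoc="') + len('srcdoc="')
    end = rendered_iframe.index('"', start)
    return html.unescape(rendered_iframe[start:end])

if __name__ == "__main__":
    probe = "</textarea><em>x</em>"   # constructed: closes the raw-text element
    print(render("textarea", probe, escape=False))   # two closing tags
    print(render("textarea", probe))                 # one closing tag
    print(srcdoc_document(render("srcdoc", "<em>x</em>", escape=False)))  # markup
    print(srcdoc_document(render("srcdoc", "<em>x</em>")))                # text
```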
CSS context
XSS that can occur inside a STYLE block or inside a style="" attribute.
- Parameter - CSS - The parameter is echoed as the only content of a STYLE tag positioned
into the HEAD.
- Parameter - CSS Value - The parameter is echoed as a color value in a STYLE tag positioned into
the HEAD.
- Parameter - CSS Font Name - The parameter is echoed as a font value in a STYLE tag positioned into
the HEAD. Font name is particularly interesting because many sanitizers
do not behave correctly when parsing it.
HTML event handler JS context
XSS that can occur inside an event handler attribute of an HTML element.
Note that these payloads are escaped so that they break out of the handler.
JS context
XSS that can occur inside a SCRIPT block.
URLs
XSS that can occur due to unsanitized URLs in various contexts.
- Parameter - Script SRC double quoted - Assigns the parameter to a SCRIPT src between quotes.
- URL - HREF - Assigns the parameter to an HREF property of an A tag. Requires clicking to trigger.
- URL - CSS - Assigns the parameter to the SRC property of a STYLE tag in the HEAD.
- URL - Script SRC - Assigns the parameter to the SRC property of a SCRIPT tag. The parameter must contain
a parseable URL.
- URL - Object DATA - Assigns the parameter to the DATA property of an OBJECT tag. The parameter must contain
a parseable URL.
- URL - Param SRC - Assigns the parameter to the SRC property of an OBJECT's PARAM tag. The parameter
must contain a parseable URL.
Content sniffing
These XSS can only be triggered on (and affect) content sniffing browsers.
- Parameter - JSON - Inserts the parameter inside a JSON object. Returns an HTML content type.
Note that this XSS does not actually require MIME content sniffing.
- ContentSniffing - Inserts the parameter inside a JSON object. Returns a JSON content type.
- ContentSniffing - Inserts the parameter in a text/plain page.
- ContentSniffing - Callback - Uses a hidden callback parameter as a JSONP callback. The interesting bit
here is that the callback parameter is not in this link, so the scanner
has to guess its presence.
Escaping and filtering
XSS requiring escaping or filtering certain types of requests.