( Original text by @filedescriptor )
alert() in more than one context.
What is an XSS Polyglot?
An XSS payload which runs in multiple contexts. For example,
'--><svg onload=alert()>
can pop alerts in
<div class=''--><svg onload=alert()>'></div>
and
<!--'--><svg onload=alert()>-->
. It is useful in testing XSS because it minimizes manual effort and increases the success rate of blind XSS.
Rules
- You will be given 20 common contexts in a black-box setting
- No DOM sinks or external libraries are involved
- Plain HTML injection with minimum filtering
- A headless Chrome will try your payload
- Your payload should run alert() in 2+ contexts
- Payloads exceeding 1024 characters will always fail
- Network is disabled
Contexts
Filters applied to the payload before it is inserted are written as original → replacement; an empty replacement means the matched text is removed.
- <div class="{{payload}}"></div>
- <div class='{{payload}}'></div>
- <title>{{payload}}</title>
- <textarea>{{payload}}</textarea>
- <style>{{payload}}</style>
- <noscript>{{payload}}</noscript>
- <noembed>{{payload}}</noembed>
- <template>{{payload}}</template>
- <frameset>{{payload}}</frameset>
- <select><option>{{payload}}</option></select>
- <script type="text/template">{{payload}}</script>
- <!--{{payload}}-->
- <iframe src="{{payload}}"></iframe> (filter: " → removed)
- <iframe srcdoc="{{payload}}"></iframe> (filters: " → removed, < → removed)
- <script>"{{payload}}"</script> (filter: </script → <\/script)
- <script>'{{payload}}'</script> (filter: </script → <\/script)
- <script>`{{payload}}`</script> (filter: </script → <\/script)
- <script>//{{payload}}</script> (filter: </script → <\/script)
- <script>/*{{payload}}*/</script> (filter: </script → <\/script)
- <script>"{{payload}}"</script> (filters: </script → <\/script, " → \")
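As an added example (not part of the challenge page or its checker), the 20 contexts and their filters written down as data, with a small harness that renders a payload into each context offline so the effect of every filter can be inspected before a browser is involved. It assumes each filter is a literal, case-sensitive, single-pass replacement applied before substitution, which the page does not state.

```python
# Added example, not part of the challenge page: the 20 contexts and their
# filters as data, so a payload can be rendered into each one offline.
from typing import Dict, List, Tuple

Filters = List[Tuple[str, str]]  # (old, new) pairs; an empty `new` strips `old`
SCRIPT: Filters = [("</script", "<\\/script")]  # shared by the <script> contexts
# (template, filters) for each context, in the order listed on the page.
CONTEXTS: List[Tuple[str, Filters]] = [
    ('<div class="{{payload}}"></div>', []),
    ("<div class='{{payload}}'></div>", []),
    ("<title>{{payload}}</title>", []),
    ("<textarea>{{payload}}</textarea>", []),
    ("<style>{{payload}}</style>", []),
    ("<noscript>{{payload}}</noscript>", []),
    ("<noembed>{{payload}}</noembed>", []),
    ("<template>{{payload}}</template>", []),
    ("<frameset>{{payload}}</frameset>", []),
    ("<select><option>{{payload}}</option></select>", []),
    ('<script type="text/template">{{payload}}</script>', []),
    ("<!--{{payload}}-->", []),
    ('<iframe src="{{payload}}"></iframe>', [('"', "")]),
    ('<iframe srcdoc="{{payload}}"></iframe>', [('"', ""), ("<", "")]),
    ('<script>"{{payload}}"</script>', SCRIPT),
    ("<script>'{{payload}}'</script>", SCRIPT),
    ("<script>`{{payload}}`</script>", SCRIPT),
    ("<script>//{{payload}}</script>", SCRIPT),
    ("<script>/*{{payload}}*/</script>", SCRIPT),
    ('<script>"{{payload}}"</script>', SCRIPT + [('"', '\\"')]),
]

def apply_filters(payload: str, filters: Filters) -> str:
    """Apply the context's replacements in order, each as a plain str.replace."""
    for old, new in filters:
        payload = payload.replace(old, new)
    return payload

def render(index: int, payload: str) -> str:
    """Render `payload` into context `index` (1-based, as listed on the page)."""
    template, filters = CONTEXTS[index - 1]
    return template.replace("{{payload}}", apply_filters(payload, filters))

def render_all(payload: str) -> Dict[int, str]:
    """Every context rendered with the payload, keyed by context number."""
    if len(payload) > 1024:  # the challenge rejects longer payloads outright
        raise ValueError("payload exceeds 1024 characters")
    return {i: render(i, payload) for i in range(1, len(CONTEXTS) + 1)}

if __name__ == "__main__":  # the page's example polyglot in contexts 2, 12 and 13
    for i in (2, 12, 13):
        print(i, render(i, "'--><svg onload=alert()>"))
```

Running it shows the page's example landing intact in the single-quoted attribute and the comment, while the iframe src filter strips the quote it depends on.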