In the following I want to introduce several so-called “XSS polyglots”. An XSS polyglot is an XSS attack vector that is able to execute in various contexts. Thus, one can inject fewer attack vectors, cover a lot of attack surface and analyze the behavior of the application using fewer requests. Furthermore, as it covers several attack vectors in one, the probability of developing a successful attack vector increases. Another reason to use an XSS polyglot is to bypass the Content-Security-Policy (CSP), an added security layer for XSS detection and mitigation provided by the browser.

Saving time and reducing the number of requests required to perform a successful attack is crucial in security topics like research, pentesting and hardening. So these might come in handy. Let's start.

The first one is authored by 0xSobky:

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e

It has a total length of 144 characters and contains the following features:

  1. jaVasCript: is either a label or a URI scheme
  2. /*-/*`/*\`/*'/*"/**/ is either a multi-line comment or a literal-breaker sequence
  3. (/* */oNcliCk=alert() ) is trying to actually execute JavaScript using an event handler
  4. //%0D%0A%0d%0a// is either a single-line comment or a double-CRLF in HTTP response headers
  5. </stYle/</titLe/</teXtarEa/</scRipt/--!> is a sequence trying to break out of HTML tags
  6. \x3csVg/<sVg/oNloAd=alert()//>\x3e is an svg tag trying to execute JavaScript using an event handler

Next, I want to introduce a very interesting polyglot authored by Gareth Heyes, who in my view is a true expert when it comes to XSS.

javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>

Yes, these polyglots are weird and syntactically completely out of this world. But they have a right to exist, for a good reason. This payload has a total length of 112 characters and is thus slightly shorter than the first one. But what is it doing?

  1. javascript: is again either a label or a URI scheme
  2. /*--> begins a multi-line comment.
  3. </title></style></textarea></script></xmp> closes several tags and can and should be modified or extended at will
  4. <svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'> is an svg element with an event handler trying to execute JavaScript (note: a mouseover event). Personally, I prefer event handlers like onclick, to be honest. Did you notice the closing of the multi-line comment from step 2?
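Both breakdowns above show the same two evasion ideas: mixed case plus percent- and \x-encoding to slip past naive filters, and a mix of comment, quote and tag closers so that the payload survives whichever context it lands in. The following is an added example, not code from the original post or from either author, written from the defender's side: it shows why a keyword filter misses these payloads, a normalise-then-match detector for logging, and the context-aware output encoding that neutralises both polyglots. The two payload strings are the ones quoted above, embedded as constructed test input; all function and signature names are this example's own.

```javascript
// Added example, not from the original post: a small defensive toolkit
// showing (a) why a naive keyword filter misses these polyglots,
// (b) a normalise-then-match detector suitable for logging/alerting, and
// (c) context-aware output encoding that neutralises both payloads.
// The two polyglots are the ones quoted in the post, used here as
// constructed test input; every function name is this example's own.

const POLYGLOT_SOBKY =
  'jaVasCript:/*-/*`/*\\`/*\'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//' +
  '</stYle/</titLe/</teXtarEa/</scRipt/--!>\\x3csVg/<sVg/oNloAd=alert()//>\\x3e';

const POLYGLOT_HEYES =
  "javascript:/*--></title></style></textarea></script></xmp>" +
  "<svg/onload='+/\"/+/onmouseover=1/+/[*/[]/+alert(1)//'>";

// (a) A case-sensitive keyword filter with no decoding. The mixed case and
// the %0D / \x3c encodings in the first polyglot exist to get past exactly
// this kind of check.
function naiveFilter(input) {
  return /onclick=|<script|javascript:/.test(input);
}

// (b) Normalise the way downstream parsers would (URL-decode, JS-decode,
// case-fold) *before* matching, then match on structural features rather
// than on exact keywords.
function normalize(input) {
  return input
    .replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\x([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .toLowerCase();
}

const SIGNATURES = [
  { name: "javascript-scheme", re: /javascript\s*:/ },
  { name: "inline-event-handler", re: /\bon[a-z]+\s*=/ },
  { name: "raw-text-element-close", re: /<\/(script|style|title|textarea|xmp)\b/ },
  { name: "svg-element", re: /<svg\b/ },
  { name: "comment-breakout", re: /\/\*|--!?>/ },
];

// Returns the names of all signatures that fire on the normalised input.
// This is a heuristic for logging and alerting, not a blocking control:
// an innocent "button=" would also trip the event-handler pattern.
function detect(input) {
  const n = normalize(input);
  return SIGNATURES.filter(s => s.re.test(n)).map(s => s.name);
}

// (c) Output encoding, the actual fix. For an HTML text node or a quoted
// attribute value, entity-encode every character that can open or close
// markup; the payload then renders as inert text.
function encodeForHtml(input) {
  return input.replace(/[&<>"'`\/]/g, c => "&#" + c.charCodeAt(0) + ";");
}

function containsMarkupDelimiters(s) {
  return /[<>"'`]/.test(s);
}

// For a JavaScript string-literal context, \u-escape every character that
// is not alphanumeric, so neither quotes nor comment/tag sequences survive.
function encodeForJsString(input) {
  return input.replace(/[^A-Za-z0-9]/g, c =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Round-trip check: embed the encoded payload in a single-quoted literal,
// evaluate that literal, and confirm the original string comes back with
// nothing executed (a breakout would call alert(), which Node does not have).
function jsLiteralRoundTrip(input) {
  const literal = "'" + encodeForJsString(input) + "'";
  return new Function("return " + literal)();
}

for (const p of [POLYGLOT_SOBKY, POLYGLOT_HEYES]) {
  console.log("naive filter fires:", naiveFilter(p), "| detect:", detect(p));
  console.log("html-encoded is inert:", !containsMarkupDelimiters(encodeForHtml(p)));
  console.log("js-literal round-trip ok:", jsLiteralRoundTrip(p) === p);
}
```

The point of the round-trip check is that an encoder is only trustworthy when the encoded form, placed in its intended context, decodes back to exactly the original data and nothing else; the detector, by contrast, is deliberately loose and belongs in a log pipeline, not in front of the application as a substitute for encoding.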

-EOF-