Smart XSS Fuzzing With Polyglots

An XSS polyglot is a universal payload that helps penetration testers and bug bounty hunters identify XSS vulnerabilities in a variety of HTML and JavaScript injection points with one shot.
Introduction

Cross Site Scripting (XSS) has been around longer than I’ve been alive, yet it remains one of the most widespread vulnerabilities in web applications today. Despite years of mitigation efforts from input sanitization to Content Security Policies, XSS continues to slip through the cracks across countless websites. It’s often one of the first vulnerabilities web hackers learn and consistently ranks among the most reported issues in the bug bounty hunting world. One advanced technique used to uncover XSS in various contexts is an XSS polyglot. A polyglot is a single payload crafted to trigger across multiple injection points, making testing faster and more efficient.

XSS Scenarios

One of my favorite things to do when testing for XSS is to blindly spray payloads into every input field I see. You would be surprised how often this has worked out for me! However, depending on the payload you are using, you could be missing injection points where that particular payload simply doesn't trigger. I'm not going to explain XSS itself, but I do want to show you some simple examples so you get the point.

Looking at the code above, we can clearly see there is an XSS vulnerability in the <input> field because user input is inserted into it directly. To trigger it you would need a payload like the following:

  • " autofocus onfocus=alert(1)

You might also run into code that looks like the image above. If you were to use the same " autofocus onfocus=alert(1) payload as before, your XSS payload won't trigger. For this example you need something like this:

  • ";alert(1);//

The image above shows HTML code that differs from the other two examples. Like the others it is vulnerable to XSS, but it requires yet another payload.

  • <script>alert(1)</script>

So if you were spraying XSS payloads across a web application, you would need to cover all of these payloads. That's just a few examples; there are many more scenarios you would need to cover to make sure you catch every possible case. Instead of sending a separate XSS payload for each scenario, we can use a single XSS polyglot that covers all of them, which makes spraying for XSS a lot easier.
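As an added example (not code from the original post), the three contexts from the screenshots above are rendered both the vulnerable way and with context-aware output encoding, followed by a structural check that shows why each of the page's payloads breaks out of the naive template but not the encoded one. The template shapes (an `input value`, a `var q` string literal, a `div`) are assumed stand-ins for the screenshots, which are not reproduced here.

```javascript
// Added example, not code from the original post: the three injection contexts
// shown above, rendered with the naive concatenation the payloads exploit and
// with a context-aware encoder that keeps the markup structurally intact.
// Template shapes (input value, var q, div) are assumed for illustration.

// Attribute context: encode anything that could close the quoted value or
// introduce a new attribute, so  " autofocus onfocus=alert(1)  stays data.
function encodeHtmlAttr(s) {
  return String(s).replace(/[&<>"'`=\/]/g, c => `&#${c.charCodeAt(0)};`);
}
// JavaScript string context: \uXXXX-escape everything but [A-Za-z0-9 ], so
// ";alert(1);//  can neither end the literal nor the <script> element.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9 ]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}
// HTML text context: entity-encode so <script>alert(1)</script> is inert text.
function encodeHtmlText(s) {
  return String(s).replace(/[&<>"']/g, c => `&#${c.charCodeAt(0)};`);
}

// Templates in the shape of the post's three examples. With no encoders they
// are the vulnerable versions; with SAFE applied each context stays intact.
const IDENTITY = s => s;
function render(input, enc = {}) {
  const e = ctx => (enc[ctx] || IDENTITY)(input);
  return {
    attr: `<input value="${e('attr')}">`,
    js:   `<script>var q = "${e('js')}";</script>`,
    body: `<div>${e('body')}</div>`,
  };
}
const SAFE = { attr: encodeHtmlAttr, js: encodeJsString, body: encodeHtmlText };
// Payloads quoted in the post, one per context, plus the polyglot.
const PAYLOADS = {
  attr: '" autofocus onfocus=alert(1)',
  js:   '";alert(1);//',
  body: '<script>alert(1)</script>',
};
const POLYGLOT = 'jaVasCript:/*-/*`/*\\`/*\'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\\x3csVg/<sVg/oNloAd=alert()//>\\x3e';
// Structural check: does the rendered fragment still have exactly the shape the
// template intended (one quoted value, one string literal, one text node)?
const INTACT = {
  attr: /^<input value="[^"<>]*">$/,
  js:   /^<script>var q = "[^"<>\r\n]*";<\/script>$/,
  body: /^<div>[^<>]*<\/div>$/,
};
function breaksOut(input, ctx, enc = {}) {
  return !INTACT[ctx].test(render(input, enc)[ctx]);
}
```

Each context-specific payload only breaks out of the unencoded template for its own context, while the polyglot breaks out of all three, which is exactly the property the post relies on when spraying; with the matching encoder applied none of them do.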

XSS Polyglot

An XSS polyglot is a single, specially-crafted payload that works across multiple injection contexts in a web application to trigger Cross-Site Scripting (XSS). Just like a human polyglot can speak multiple languages, an XSS polyglot is understood (executed) in multiple places:

  • Inside HTML attributes (quoted/unquoted)
  • Inside JavaScript code (strings, comments)
  • Inside HTML elements (<div>, <style>, <textarea>)
  • Inside event handlers (onclick, onload)
  • Even inside HTTP headers or SQL error messages

Lucky for us, we don't have to spend any time coming up with one, as people have already done this for us. I would look at the following GitHub repo, as it has the best XSS polyglot and a bunch of demos of it triggering in various situations.

The polyglot used is the following:

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e

If you want a single payload to trigger all XSS scenarios, this is it. As mentioned earlier, my favorite technique is to take this payload and spray it across all input fields within an application. Because you're using an XSS polyglot, this single payload is all you need.

Conclusion

XSS is still one of the most popular web vulnerabilities, and you should always be looking for it. When you're fuzzing or blindly spraying for XSS, make sure you're using an XSS polyglot. If you don't, you will most likely miss some vulnerabilities because your payload doesn't trigger in a specific scenario.
