- a beautiful place

XSS Cheat Sheet: non repeating payloads

January 26, 2009 at 12:40 pm - Filed under Hacks, Language EN - 206 words, reading time ~0 minutes - Permalink - Comments

We always try to add something on topics discussed in old articles, if you liked XSS Cheat Sheet: the PLAINTEXT tag and XSS Cheat Sheet: two stage payloads perhaps you'll like this one. This article contains a more complete list of ways to avoid multiple execution of your payloads, it's a fast reading!

Plaintext tag (used chars [a-z<>]):


Hidden plaintext tag (used chars [a-z <>":;], the semicolon can be avoided):

payload<plaintext style="display:none;">

Local scope JS check (used chars [a-z <>:;!=(){}]):

if(a!=1){var a=1;payload();}

Global scope JS check (used chars [a-z <>':;!=(){}[]]):

if(window['a']!=1){var window['a']=1;payload();}

Global scope JS anonymous function with return (used chars [a-z<>"/*:;!=()[]]):


Note: if spaces are an issue comments can be useful (/**/, <--#-->).


Reed's Alert! Got something burning? Tell USH team.
THP USH Wisec DigitalBullets