Execute JavaScript for XSS without script tags

Another one was mentioned at: https://stackoverflow.com/a/53430230/895245

<a href="javascript:alert(1)">asdf</a>

Works on Chromium 81.

More important perhaps is the question of how to sanitize against it, see e.g.:

  • How to prevent XSS with HTML/PHP?
  • How to sanitize HTML code in Java to prevent XSS attacks?
  • Is using jquery parseHTML to remove script tags enough to prevent XSS attacks?

  1. Try putting in different types of strings with special characters and look if any of these get encoded or outputed. (I personaly use '';!--"<XSS>=&{()})
  2. Now you have three options:
    1. Inside a HTML Tag: The <> won't matter, because you are already inside a HTML Tag. You can look if this Tag supports Events and use some kind of onload=alert(1) or other event. If <> is allowed, you can break out and create your own tag '><img src=0 onerror=alert(1)>
    2. Outside of HTML Tag: the <> are important. With these you can open a new Tag and the whole world is below your feet (or so...)
    3. Inside Javascript: Well...if you can break out of a string with '", then you can basically write ';alert(1)
  3. Craft your XSS accordingly to your encoded characters and the surrounding of where the string get's outputed

<XSS> disappears entirely: the application uses some kind of strip_tags . If you are outside of a HTML Tag and no HTML Tags are whitelisted, I unfortunatly don't know any method to achieve an XSS.

Crafting your own payload

There are various methods to achieve this and too much to name them all. Look on these two sites, which have a lot of the methods and concept to construct your own. It comes down to: What the page allows to go through.

  1. https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#XSS_Locator_.28short.29
  2. https://html5sec.org/

You can use the onclick attribute that is presented in HTML elements so you can create something like this:

"The search term" <p> <a href="" onclick="alert('I excuted JavaScript!');">Click me to see the JavaScript work!</a> </p> "returned no results"

Now when clicking on the element the JavaScript will be executed.