0x01 - XSS via Custom Named Tags
Did you know you can trigger an XSS using the <potato> tag? Or the <hacker> one? Even a <yourname> tag can be used.
The "magic" here is done by the onfocus event-handler attribute combined with the autofocus attribute (both HTML attributes, not JavaScript events), which the browser honours on pretty much any tag, existing or not: an unknown tag is parsed as an HTMLUnknownElement and still receives the global attributes. One caveat: an element that is not focusable by default (which includes every unknown tag) needs a tabindex attribute before autofocus can move focus to it, so the minimal working form is <potato autofocus tabindex=1 onfocus=alert(1)>.
Best part about this payload?
Bypass the WAF - many WAF solutions check for known tags such as script or img, which are commonly used in XSS attacks. Some WAFs take it to the next level and check for every existing HTML tag. But since this payload works with non-valid HTML tags, it may fly under the defensive radar (a generic rule that flags any "<" followed by a letter still catches it, so this is a blocklist bypass, not a parser bypass).
No quotes needed - one of the common defenses that developers and WAFs implement is blocking (or encoding) single/double quotes, which are prevalent in most XSS payloads. The lack of quotes combined with the custom tag makes this payload useful in those situations.
No user interaction - the autofocus part ensures the payload fires without user interaction. This can make a huge difference in bug bounty programs, where 0-click exploits can pay 5-10 times more than exploits that require user interaction. Caveat: a document honours autofocus only once, for the first autofocus element in tree order, and only at page load, so the injection must land before any autofocus element the page already has.
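The three points above, as an added example that is not part of the original post or of PortSwigger's material: a deliberately naive blocklist filter of the kind described (a constructed stand-in, not any real WAF product's rules), the stricter "any tag-looking angle bracket" rule beside it, and the output encoding that actually closes the hole. The custom-tag payload carries tabindex=1 so the unknown element is focusable; that, the payload strings and the helper names are assumptions made for this example.

```javascript
// Added example, not code from the original post.
// Naive WAF-style filter: blocks a handful of well-known tags plus quotes.
// Constructed stand-in for blocklist logic, not any real product's ruleset.
const BLOCKED_TAGS = ["script", "img", "svg", "iframe", "body", "object", "embed"];
const TAG_RE = new RegExp(`<\\s*/?\\s*(${BLOCKED_TAGS.join("|")})\\b`, "i");
const QUOTE_RE = /["']/;

function naiveWafBlocks(input) {
  return TAG_RE.test(input) || QUOTE_RE.test(input);
}

// Stricter rule some filters use: any "<" followed by a letter looks like a tag.
// This catches custom tags too, which is why the bypass only beats blocklists.
function anyTagBlocks(input) {
  return /<\s*\/?[a-z]/i.test(input);
}

// Output encoding: the real fix. Encodes the characters that can switch
// HTML context, so the browser renders text instead of markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// A vulnerable template (no encoding) next to its fixed form.
function renderVulnerable(name) { return `<p>Hello ${name}</p>`; }
function renderFixed(name) { return `<p>Hello ${escapeHtml(name)}</p>`; }

// Constructed payloads. The custom-tag one needs tabindex so an otherwise
// unfocusable unknown element can receive focus (assumption about the
// minimal working form; the post does not spell this out).
const payloads = {
  classic: "<script>alert(1)</script>",
  imgQuoted: '<img src="x" onerror="alert(1)">',
  customTag: "<potato autofocus tabindex=1 onfocus=alert(1)>",
};

// Run every payload through both filters and report the verdicts.
function wafVerdicts() {
  const out = {};
  for (const [name, p] of Object.entries(payloads)) {
    out[name] = { naive: naiveWafBlocks(p), anyTag: anyTagBlocks(p) };
  }
  return out;
}

// Structural check on the user-controlled part after rendering: a live tag
// survives only if an unencoded "<" followed by a letter is still present.
function userInputStillLive(renderFn, payload) {
  const rendered = renderFn(payload);
  const userPart = rendered.slice("<p>Hello ".length, -"</p>".length);
  return /<[a-z]/i.test(userPart);
}

console.log(wafVerdicts());
console.log(renderVulnerable(payloads.customTag));
console.log(renderFixed(payloads.customTag));
```

Running it shows the custom-tag payload passing the tag/quote blocklist while both `<script>` and the quoted `<img>` payload are blocked; the generic angle-bracket rule stops all three, and encoding the output neutralises the custom tag regardless of what the filter thinks.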
Credit to the PortSwigger team for their amazing research and resources