0x01 - XSS via Custom Named Tags

Did you know you can trigger an XSS using the <potato> tag?

Or the <hacker> one?

Even <yourname> tag can be used.

The "magic" here is done by the onfocus event handler and the autofocus attribute, which work on pretty much any tag, existing or non-existing.


Best part about this payload?

  1. Bypass the WAF - many WAF solutions check for known tags such as script or img, which are commonly used in XSS attacks. Some WAFs take it a step further and check against all existing HTML tags. But since this payload can be used with tags that are not valid HTML at all, it may fly under the defensive radar.

  2. No quotes needed - one of the common defenses that developers and WAFs implement is blocking (or encoding) single and double quotes, which are prevalent in most XSS payloads. The lack of quotes, combined with the custom tag option, makes this payload useful in such situations.

  3. No user interaction - the autofocus part ensures that the payload is triggered without user interaction. This can make a huge difference in bug bounty programs, where 0-click exploits can pay 5-10 times more than exploits that require user interaction.
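As an added example (not from the original post or PortSwigger's material), the script below contrasts the tag-name blocklist the post describes with a check keyed on the attributes that actually make the payload fire, and shows an allowlist sanitizer on the output side; all sample inputs are constructed.

```javascript
// Added example, not from the original post: why a tag-name blocklist misses
// custom-tag payloads, and what attribute-based detection and allowlist
// sanitisation look like. Regex tokenising is a demo simplification;
// production code should rely on a real HTML sanitizer.

// Tags a naive filter might block; anything else, including made-up tags, passes.
const BLOCKED_TAGS = new Set(["script", "img", "svg", "iframe", "object", "embed"]);

// Allowlist used by the sanitizer: unknown tags such as <potato> are dropped.
const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "p", "br"]);

// Matches an opening or closing tag, capturing the tag name and raw attributes.
const TAG_RE = /<\s*\/?\s*([a-z][\w-]*)([^>]*)>/gi;

// Flags event-handler attributes (onfocus, onload, ...) and autofocus,
// quoted or unquoted, since the post's payload needs no quotes at all.
// Heuristic: a value such as title="x onward" would be a false positive.
const DANGEROUS_ATTR_RE = /(?:^|\s)(?:on[a-z]+|autofocus)\b/i;

// 1. Naive WAF rule: look only at tag names.
function blockedByTagName(html) {
  return [...html.matchAll(TAG_RE)].some(m => BLOCKED_TAGS.has(m[1].toLowerCase()));
}

// 2. Attribute-based rule: the tag name is irrelevant; any tag carrying an
//    on* handler or autofocus is flagged.
function hasDangerousAttribute(html) {
  return [...html.matchAll(TAG_RE)].some(m => DANGEROUS_ATTR_RE.test(m[2]));
}

// 3. Output-side defence: keep only allowlisted tags and drop every attribute,
//    so a custom-tag payload is neutralised regardless of what the WAF missed.
function sanitize(html) {
  return html.replace(TAG_RE, (whole, name) => {
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return "";        // <potato ...> vanishes
    const closing = /^<\s*\//.test(whole) ? "/" : "";
    return `<${closing}${tag}>`;                  // attributes stripped
  });
}

// Constructed sample inputs for the demo.
const CLASSIC = "<img src=x onerror=alert(1)>";
const CUSTOM_TAG = "<potato onfocus=alert(1) autofocus>";

console.log(blockedByTagName(CLASSIC), blockedByTagName(CUSTOM_TAG)); // true false
console.log(hasDangerousAttribute(CUSTOM_TAG));                       // true
console.log(sanitize("<b>hi</b>" + CUSTOM_TAG));                      // <b>hi</b>
```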

Credit to the PortSwigger team for their amazing research and resources
