Document Properties Scheme
location.protocol
protocol://domain/path/page?p= text1 <tag handler=code> text2 # text3
location.hostname
protocol://domain/path/page?p= text1 <tag handler=code> text2 # text3
location.pathname
protocol://domain/path/page?p= text1 <tag handler=code> text2 # text3
location.search
protocol://domain/path/page?p= text1 <tag handler=code> text2 # text3
previousSibling.nodeValue, document.body.textContent*
protocol://domain/path/page?p= text1 <tag handler=code> text2 # text3
tagName, nodeName
protocol://domain/path/page?p= text1 <tag handler=code> text2 # text3
outerHTML
protocol://domain/path/page?p= text1 <tag handler=code> text2 # text3
innerHTML**, textContent**, nextSibling.nodeValue**, firstChild.nodeValue**, lastChild.nodeValue**
protocol://domain/path/page?p= text1 <tag handler=code> text2 # text3
location.hash
protocol://domain/path/page?p= text1 <tag handler=code> text2 # text3
URL, documentURI
protocol://domain/path/page?p= text1 <tag handler=code> text2 # text3
—– x —–
To make it easy to replace one property by another in case of blacklist or something, here we have them grouped by position:
Before
previousSibling.nodeValue, document.body.textContent*
Itself
location.search, tagName, nodeName, outerHTML
After**
textContent, nextSibling.nodeValue, firstChild.nodeValue, lastChild.nodeValue, innerHTML
Hash
location.hash
* comes with source content (body)
** may need to close the injected tag
So when building a location based payload using document properties to avoid filtered chars and/or in filtered sequences (like after on*=), this may help to choose the right ones for the injection.
#hack2learn