Photograph via snooOG

Everything about Cross-Site Scripting (XSS)

Cross-Site Scripting vulnerabilities and discussion

Keep your postings legal!

Please properly report your vulnerabilities to the appropriate owner.

Related Subs:


11,025 Subscribers


My mothers Messenger got hacked

My well loved mother’s Messenger got hacked. I need urgent help from someone that is willing to help get it back. She wants it back as it is her most important social media of them all as she has had it for 7 years and have got so many memories on there. She has lost her email, phone number and password to the account, but she knows the new email linked to it. She has many important friends on there and I really want to do whatever I can. The way they took her account was by impersonating another friend of hers with 100+ mutual friends etc, so to her it seemed legit. I had no idea of this going on until it’s already been hacked which is where I am now. Can somebody guide me or help, it would mean a lot to her and me. Please!

21:13 UTC


Stealing cookies (help)

I was trying on my own website to steal my cookies of another website but I don't really know how to...

Any help? I mean, once you get into my website a script appears and steal my cookies from a specific domain, is that possible?

Thank you in advance

10:29 UTC


Got some code flagged during a security test and I don't understand why.

A part of the page we add a bunch of hidden inputs into which we write string values, primarily for changing language strings. The values are loaded from a database table

<input id="lang\_welcome" type="hidden" value="<$ requestScope.lang\_welcome $>" /> <h1 id="head\_title"></h1>

In the javascript we might do something like

var welcome = $('#lang_welcome').val();

This is a bit of a contrived example but is a simplified version of what we are doing. As none of the values are user entered data or taken from queries or param I would have thought this is safe but the argument is that someone could change the value of the input to be something malicious which would then been written to the dom. I'd have thought that if someone has access to change the input value then they've got enough access to write to the dom anyway.

Can someone explain what the security issue is here as my understanding was you always escape untrusted data but it appears that I have to sanitise every change to the dom regardless of the source.

02:09 UTC


xss payload for a ctf that only allows these characters: ~._-

first char: ~ second char: . third char: _ fourth char: - and of course all alphabets are allowed

15:04 UTC


Can this simple web page be exploited?

<body> <a href="">LINK</a> <script> document.querySelector("a").href = location.search; </script> </body>

Although it seems very vulnerable, I can't seem to find an XSS that works on chrome ( haven't tried other browsers )

Here is a link to play around with:

17:17 UTC


Hello senior hunters a totally noob here!

Tried googling but didn't find any way! I found a directory of domain where images are broken and page is messed up any ways i can inject xss ? I tried it on inspection it goes self attack

12:45 UTC


Is this a valid XSS or auto XSS?

Hello hackers, I would like to know if my find is a valid XSS or just an auto XSS. Well, I was browsing through the platform of an online course that I'm taking, so I decided to intercept some requests in a questionnaire that I was answering. When sending one of the requests to Burp's repeater, the site returned me with an error page, saying that something was wrong, and with a "try again" button, when I clicked on the button I intercepted a somewhat interesting response. Soon I decided to add a payload as shown in the following figure:


When sending the edited response to the server, nothing happened, but when I clicked the "submit all and finish" button, I received an alert in my browser, as shown in the following figures:




In short: I already logged out of the account, I closed and reopened the browser and the payload continues on the button. That is, it is a stored XSS. In addition, the payload is found in buttons on other forms that have the name "submit all and finish".

So I would like to know if this is just a self XSS, and if so is there any way to escalate this to something reportable?

1 Comment
03:03 UTC


Xss with input length limit

I'm trying to solve an XSS CTF challenge on a website and have found the XSS entry point via <img src=x onerror=alert(1)>. However, the url parameter I'm injecting this payload in is limited to 40 characters, which is checked by a global JavaScript function via m.length. But I need the actual executed code (instead of alert(1)) to be a fetch command with an url etc... Which obviously exceeds 40 characters. Now I'm stuck at this point. Any clues on this?

18:37 UTC



I'm testing for xss on a certain website inside search field.

As far as I have understood the website has some special characters blacklisted such as " and <> except for =

When I enter any of the blacklisted characters as plain text or url encoded it reflects in the source as HTML encoded. For example I entered " or %22, it reflects as " but on the webpage it reflects in plain text that is " .

If I enter html encoded character it seems like the website has completely ignored it and the value parameter of the search field appears empty in source code.

The code seems something like this when I put " or %22: <input placeholder="search" value=""" ....>

It seems like this when I put = or %3D:

<input placeholder="search" value="=" ....>

Any idea about how can I escape the quotes of the value parameter.

Thanks in advance.

1 Comment
18:40 UTC


Help with postMessage DOM XSS Portswigger Lab

I'm doing this lab on portswigger - https://portswigger.net/web-security/dom-based/controlling-the-web-message-source/lab-dom-xss-using-web-messages

I have looked at the solution, but I can't figure out why my solution won't work. Here is my solution:

window.pwned=window.open('https://[LAB_ID].web-security-academy.net/');           window.pwned.postMessage('<img src=x onerror=print()>', '*'); 

Why is this not working? It is sending postMessage to vulnerable website and executing print().

1 Comment
09:54 UTC


has anyone purchased XSS-rat udemy course?

It is called XSS Survival Guide, by Wesley Thijs, is it worth it?

01:00 UTC


I can't execute XSS

My XSS doesn't execute for some reason, i bypassed sanitization, CSP and SRI, but browser just ignores the script like it doesn't even exist, also there aren't any errors mentioning this in the console, when i tried this payload on other sites it works without a problem.


11:38 UTC


Anyone using ESAPI?

Been working on a WASM interopt layer for accessing DOM, and considering scenarios where data is being interpolated with user content and how to sanitize. Some of the edge cases like attribute execution I did not reallize until now were possible with things like jQuery.parseHtml. Reading through https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html I'm seeing that it's very context sensitive as to where the potentially unsafe content appears in the structure and what sanitization is necesary.

They use ESAPI for the different types of sanitization.

I'm wondering if anyone has familiarity with this library? Is it still a good tool for the job?

00:28 UTC


Does XSS exists in framework like React, Vue and Angular?


Recently I learned React and read a post about XSS best practices.

I'm curios, if a website was built in React, is it vulnerable to cross site scripting?

12:29 UTC


How to get a flag using xss

Hey guys, so I found a place on a website where there's xss exploit .i.e. I used <script>alert(1)</script> and it's popping the alert. Now I was told there's a flag in this, any idea on how to get this flag ?

02:10 UTC


(Lab Environment) Help - Pass a cookie from vuln website to malicious db.

I need to dump the cookie from the vuln website to the malicious db in a URL.
vuln website: http://x.x.x.x:7800/details/1
malicious db: http://x.x.x.x:7777/

I can grab the cookie with this:

http://x.x.x.x:7800/details/1<img src=1 onerror=alert(document.cookie)>

but I am not sure how to pass it to the db.
Javascript is disabled


00:22 UTC


can't even do level 2

I found this nice website to learn xss: xsslabs.com. But I can't even do level 2. The input is reflected into the page, but it is encoded into html entities ('<' becomes '&lt;') Can someone help me?

14:40 UTC


i was scanning sites for XSS vulns while doing bug bounties I found these are these worth reporting

Total vulnerabilities: 3

[!] Summary: Autocomplete cross-site scripting vulnerability

[!] Severity: high

[!] CVE: CVE-2012-6662

[!] Summary: Title cross-site scripting vulnerability

[!] Severity: medium

[!] CVE: CVE-2010-5312

[!] Summary: XSS Vulnerability on closeText option

[!] Severity: high

[!] CVE: CVE-2016-7103

I never really saw theses ones I was wondering if its anything the site owner should be worried about

05:42 UTC


Is parseHTML() executes scripts in event handlers (CVE-2015-9251) a vulnerability or no?

I was scanning websites while doing bug bounty’s and I found this while I was scanning is this something worth reporting?

17:23 UTC


CSP Confusion

Here is the code:

<!DOCTYPE html>
<html lang="en">
    <title>SAML POST Binding in progress...</title>
    <script type="text/javascript" nonce="584PC">
        function submitForm() {
        window.addEventListener("load", submitForm);

<form name="autosubmit" id="autosubmit" action="https://example.com" method="post">
    <input type="hidden" name="RelayState"  value="-KM9SD-shelled"/><img/src/onerror=alert(1)>" />
    <input type="hidden" name="SAMLRequest" value=""/>

This is the CSP

Content-Security-Policy: default-src 'self'; script-src 'nonce-584PC';

I have injected <img/src/onerror=alert(1)>" /> but, I get the following error:

Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'nonce-584PC'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.

Why is my payload being blocked? The CSP is script-src, so it should only be blocking script tags. Why is it blocking my img tag?

1 Comment
20:40 UTC


Payload question

Hello I had a came across a XSS payload on one of portswiggers labs that I didn’t really understand. It was the “stored xss into onclick event with angle brackets and double quotes html encoded and single quotes and backslash escaped”

The payload is '-alert()-'

What I don’t understand is the significance of the - character. I tried removing it and replacing it with other chars but I couldn’t get it to work without it. I looked around online too with no results. Any help/ knowledge would be really appreciated!!!!

23:48 UTC


XSS in Modern Frameworks

I'm confused how people are finding XSS vulnerabilities on websites using React, Vue, Angular, Rails, ASP.NET, Django, etc. All of these frameworks automatically encode characters needed for XSS unless the developer implicitly tells the input not to be encoded by using functions such as dangerouslySetInnerHTML ,v-html, @Html.Raw(), etc.

The only other way I am familiar with is if your input is being reflected into an href tag.

<a href=XSS>click</a>

I'm also familiar with using Vue or Angular as a templating engine to trigger XSS through CSTI.

I'm curious if I'm missing some knowledge on this. Are there other way that XSS can trigger on modern frameworks? How are people finding XSS bugs on ads.tiktok.com when Wappalyzer says they are using React and Vue.

20:27 UTC

Back To Top