Hi, I'm a web developer transitioning into AppSec.

I managed to solve most of the level 1 XSS challenges without looking at the solutions, but struggled with level 2. I wasn’t even in the right direction when I checked the solution, and I find DOM exploits particularly tough. Should I explore the other labs in the pinned post or continue with the current ones? Also, what do experienced bounty hunters recommend for beginners facing similar challenges?

Hello, I am really a big beginner but I would like to know how to know if a site is vulnerable when you enter <script>alert(1)</script> in the search bar.

Hello,

I found a reflection inside an input tag as following

<input type="text" value="{{PAYLOAD}}">

I am able to:

• Use the following symbols :"'();
• Not use <>=

I tried to use the payload " onfocus=alert(1)" unfortunately the equal symbol is removed and the result is:

<input type="text" value="" onfocusalert(1)"">

I tried already to encode and double encode in a number of ways.

Some idea?

Thank you

Hello,

I have been confronted with an xss attack. Now I would like to download and investigate the payload. Is this possible and how would I do this?

When I inject xss payloads in a search bar, how can this cause harm for users? Because that way the users would have to search for that payload by themselves and nobody would do this. Or am I missing something?

I understand how it might steal cookies when sent through something like a chat promt to other users. Or what might happen if you can post the xss payload on a public post that other users visit. But not in the search bar?

I am testing the efficiency of OWASP CRS with a fuzz based testing tool GotestWAF where it fuzzes the payload by encoding and it places it in different placeholder such as URLpath , URL param, HTMLform and HTMLmultipart form . However I am having a doubt if xss in URLpath is valid .

I am attempting to create a reflected XSS payload to bypass a filter. The filter replaces spaces with "+".

so a payload like <svg onload=alert(0)&test2> becomes <svg+onload=alert(0)&test2>.

To include an ending ">" to close the tag, I use &test2>, as the filter does not escape ">" when & precedes it but does escape ">" when it follows =.

This seems to be because the filter only escapes URL parameter values, such as

?notescaped=(escaped)&notescaped=(escaped).

This payload works correctly in an HTML file as:

<svg onload=alert(0)&test2>

Additionally, the / character is also escaped, preventing the use of a payload like:

<svg/onload=xxxx&test2>
or
<script>alert(0)</script>

I am looking for a way to bypass this filter. Specifically, I am seeking a character that can function like a space or / in this context.

Hi

How to go about solving this challenge - https://xss.challenge.training.hacq.me/challenges/baby03.php

I am not able to figure it out. Any advise is welcome. Thanks

Can someone suggest me some of the bug bounty platforms. I have a lot of websites which I found vul to different attacks. But they are either govt owned or govt affiliated. Now I want to participate in any better bug bounty pogramm, suggest some.

I need some info about, is there any way we can save xss payload on the server via search field xss vul. Every time I run any payload it reflects changes only on my web browser and server side remains unchanged.

so while testing for xss, if the value is reflected with special characters like double quotes encoded, which encodings to try among the following? are all of the following encodings to be tried one by one?? are some of them testing equals waste of time?

 HTML entities:

 Hexadecimal &#x22;

 Decimal &#34;

 Named Entity &quot;

 Js or JSON Escape sequences:

 Javascript escape \"

 Octal Js Escape \042

 Hexadecimal Js Escape \x22

 URL encoding:

 Hexadecimal %22

 Unicode encoding:

 UTF-16 Hexadecimal \u0022

 UTF-8 Hexadecimal 0x22

 HTML Hexadecimal &#x0022;

 ASCII encoding:

 Hexadecimal 0x22

 Decimal 34

 Binary 00100010

full code on my website would it be possible to use a XSS attack as long as i don't run anything with it on clients side?

document.addEventListener("DOMContentLoaded", function () {

const urlParams = new URLSearchParams(window.location.search);

const affiliateCode = urlParams.get("aff");

if (affiliateCode) {

localStorage.setItem("affiliate_code", affiliateCode);

}

});

whenever I replace redirect url with javascript:alert(1) , browser convert it to unsafe:javascript:alert(1)

How I can bypass?

just came across xss, watched some introductory videos on yt about it, i get the concept and i want to continue pursuing it

like all beginners, it's overwhelming for me and don't know what to do

any lead would help, thanks

I've recently been practicing on portswigger's gin and juice shop test site, https://ginandjuice.shop/ , they have a list of all the vulnerabilities and the paths to them here, https://ginandjuice.shop/vulnerabilities, it says there's a reflected XSS at /catalog/subscribe. I'm assuming this is where on the home page, if you scroll down you can enter a email to subscribe, it then reflects this email on the home page. I can't figure out how to trigger this XSS so if anyone has done it please can you help me out.

What I've tried : I first tried a basic input with <>@gmail.com on the page, but it has basic filtering so that the email input field has to be a real email, no grammar apart from @ and . To bypass this, I intercepted the request of a valid email, e.g. asd@gmail.com, in burpsuite and edited it there to <img src="x" onerror="alert(1)">, this got past the basic filtering and was displayed to the screen but no XSS. After looking through the js I saw that it used .textContent to set it, as to why the XSS didn't trigger but looked correct in the source code. This is as far as I got and I'd appreciate any help.

i'm testing a web application where the = sign is filtered, meaning when i type it in the payload the app url encodes it, if i tried to encode it twice nothing happens except that the app returns the double encoding that i did, same thing for triple encoding. In the case of HTML encoding and i guess any other encoding really what happens is that the app returns the = sign url encoded once also, any ideas of how to bypass this ?, or how can i write a payload that is empty of = signs ?

Hello friends. while working in a vdp program, I realized that I can write an xss code in the username section. However, I cannot run xss codes exactly because there is a max length setting. Is there a chance to bypass the max length and run the xss code? If you have information, I would appreciate it if you share it.

Hey guys I am kinda new to XSS and want to get more into it as i am using it for my thesis.
I know there are labs out there like the ones from BurpSuite, but are there any better ones out there?
For example i would like to show an example of how stealing of session cookie is done and so on.
My approach would have been to setup multiple websites, that are equipped with different security measures, but maybe there is already something out there, that i can use?
I would gladly appreciate in the sharing of your knowledge!

Hi,

I am trying for xss on a website..my payload gets reflected inside "<div title="my\_payload">"..<> are not filtered means not getting convert into "&lt;" and "&gt;"..but double quotes are getting convert into "&quot;"..so my question is xss is possible there? for getting xss popup i need double quotes to work..without them i can't close the "<div>" tag.

Thanks

I found this payload to be reflected in a form field. the website is protected bu sucuri firewall.

<a%20x%20href=javascript%26%2358%3Bprompt(1)>a</a>

but i can't make the prompt to work. can somebody explain me this ?

thank you.

I'm a beginner trying to learn ethical hacking.

Can someone help me on this?

if i manually enter the payloads into search box able to trigger the xss however , if i pass the payload in parameter like /?s="mypayload" it is getting encoded so unable trigger. Can you suggest how to bypass it ?

if i use CSRF POC and form enctype="text/plain" - my parameter is not searching in target after submitting the button.

javascript:/*--></title></style></textarea></script></xmp>
<svg/onload='+/"`/+/onmouseover=1/+/[*/[]/+alert(42);//'>

Thanks

We covered brief introduction to both types of cross site scripting vulnerability (XSS), reflected & stored xss, and demonstrated a practical scenario showcasing intercepting HTTP requests and modifying request headers and other form parameters to include XSS payloads that when injected and stored in the target website database will lead to the transfer of the user's cookies to the attacker everytime the user visits the vulnerable page.

Video

Writeup

How does one go about doing these exercises.?

I can see my input is going into a div tag what next steps do take?>

Hi,

I am new to bug hunting and very much noob in xss too. I was trying for stored xss in comment section of a website..later i got to know its using markdown. then i tried some payloads..check below i have write payload with its response on website:-

![a](onerror=confirm(1)) -----> <img alt="a" src="onerror=confirm(1)">

![a](x"onerror=confirm(1)) -----> <img alt="a" src="x&quot;onerror=confirm(1)">

the i used   for space..it worked.

![aa](x" onerror=confirm(1)) -----> <img alt="a" src="x&quot; onerror=confirm(1)">

then i tried " for double quotes..it didn't worked.

![aa](x" onerror="confirm(1)) -----> <img alt="aa" src="x&quot; onerror=&quot;confirm(1)">

i need only x" and onerror="'s double quotes to work..it quite surpise for me (i am totally noob) that for space   worked and for double quotes " didn' worked.

any help? how to trigger xss popup here? i tried such payloads <img src=x onerror=confirm(1)> but <> are converting into < > but double quotes are not..also <img src=x onerror=confirm(1)> creates seperate <span> tag on website..response is something like this <span>&lt;img src=x onerror=confirm(1)&gt;</span>.

URL encoding doesn't work.

also i can get ip address of any user using this payload ![a](https://webhook.site/aa) i will report it if i didn't get xss. if you guys have any other suggestion for any other bug please comment.

once again i am saying i am totally noob so please don't troll.

thanks