Collaborate Disseminate
there is this javascript file that a can inject code after throw new Error("error string") line. But it seems that after the throw statement, no code can be executed.
throw new Error("error string");
<my xss code her… Continue reading xss: is it possible to continue javascript code execution after a "throw new Error()" line?
I’m testing a website, which is vulnerable to XSS.
<input type="hidden" id="referer" name="referer" value="INJECTION_POINT">
<script>
document.referer = referer.value
</script>
… Continue reading How is a XSS attack possible in this context?
How could someone execute javascript in here?
Is this vulnerable?
<input type="hidden" id="referer" name="referer" value="$INJECTION_POINT">
<script>
document.referer = referer.value
&l… Continue reading Is this vulnerable to XSS? [closed]
any way to bypass this
Any lead is appreciated.
Continue reading Bypass XSS filters when tags are interpreted as text [closed]
After many attempts I managed to bypass the filters with this payload: <script>alert(5)</script>
I got this response
As you can see, the payload is correctly written but it doesn’t execute.
What can I do to make it … Continue reading My XSS payload is not executing [closed]
After many attempts I managed to bypass the filters with this payload: <script>alert(5)</script>
I got this response
As you can see, the payload is correctly written but it doesn’t execute.
What can I do to make it … Continue reading My XSS payload is not executing [closed]
I am testing a cross-site scripting attack on a website, as we all know the Request.Form function validates the input so the user couldn’t insert a <script> inside the input.
My focus in this question isn’t how to bypass the Request…. Continue reading force XSS after bypassing Request.Form using URL Encoding
Backend: Django / Django Rest Framework, would be hosted at GCP k8s
Frontend: Angular, would be hosted at some CDN e.g Vercel
Authentication: JWT (https://github.com/jazzband/djangorestframework-simplejwt)
The frontend and backend would … Continue reading Is storing access token in private data, refresh token in http-only cookie safe?
If you use inspect in the developer tools for Chrome the values for the two input boxes below will look the same.
<input name="test1" type="text" value="<script>alert(‘a’)</script>"/>
<inp… Continue reading Understanding browser text input value rendering for combatting XSS
The application allows user to enter a 30 character long username.
I tried the following XSS payload and it worked, but the triager is asking if I can alert cookie. But script tags and src keyword is blocked.
"><iframe/onload=al… Continue reading How to alert cookie in 30 character XSS payload?