Resource for Cross site scripting [closed]
Having issues in finding cross site scripting in web application. I would like to know in depth about XSS.
I need some best resource for learning cross site scripting (XSS).
I was doing a VAPT assessment in which I see some JSON body in the request which has orgid deviceid
So is there any possibility to get XSS in a JSON body?
Continue reading Is it possible to get xss in json body request?
I need to send a plain text email with user-specified input.
For example, if a user is an attacker a plain text email can contain
<script>alert(1)</script>
It looks like mail clients should treat it just as plain text and it s… Continue reading Can a plain text email contain XSS injection?
I found a HTML injection vulnerability but there is an issue.
The following request returns the following:
curl "https://redacted.com/xss/para?meter="><h1>Test\</h1>"<meta name="url:url" content=&… Continue reading Parameter vulnerable for HTML injection but cannot exploit because of URL encoding
How does putting the alert function '-alert(1)-' into a search field, where it ends up inside a script tag actually break out of the script string?
Wouldn’t this just be interpreted as an empty string before and after the alert? And how do… Continue reading How does this script break out of a javascript tag?
I was doing the following PortSwigger Lab on cross site scripting (XSS).
The following payload works perfectly.
http://foo?'-alert(1)-'
Which is input into the following section of the webpage.
<img src="/resourc… Continue reading How does this PortSwigger lab’s XSS work?
In my MalTrail log I found this:
192.168.1.100/nextcloud/remote.php/dav/files/admin/backup/leo/informatica/app/linux/dex2jar-2.x/dex-translator/src/test/java/res/i55
Under the category of "potential iot-malware download (suspicious)&… Continue reading Someone tried to execute one of my apps through a private IP [closed]
Is it possible to run the tool called BeEF to do penetration testing on real domains like example.com? As far as I know, BeEF can only be used within localhost.
I can only test my site for XSS on the real domain because of the database run… Continue reading Can BeEF also work in public?
I am trying to do this jQuery XSS challenge here by PortSwigger.
They have a good walkthrough for XSS attacks, however I could not find anything on jQuery, which is also a programming language I have no experience in.
The description of th… Continue reading XSS against jQuery PortSwigger challenge
I’m trying to get the hang of SQLi and XSS, and I am starting to get the hang of it.
However: in my lab I made this:
ignore'"; UPDATE users SET name=<script>alert('Malicious activity')</script> WHERE name="John";… Continue reading Is this SQLi or XSS? (or both/neither)