XSS
My notes on XSS
Some facts about XSS
One of the most common types of vulnerability found in web applications (part of the OWASP Top 10).
Rarely has an impact server-side.
Caused by flaws in user input sanitization.
Facilitates the exploitation of a wide range of other vulnerabilities.
Tips
To effectively check how user inputs are processed, we can press CTRL+U (View Source).
When an XSS is found, execute window.origin or document.domain to determine which specific origin is affected by the vulnerability. For example, an XSS may not affect the main application, but rather an IFrame.
A web application can also be inside a sandbox environment. In these cases, the XSS won't have any impact.
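The origin check and the sandbox case from the tips above, as an added example that is not part of the original notes: a helper that reads window.origin and document.domain and classifies the execution context when triaging a finding. The function name, the makeWindow helper and the .example hosts are assumptions made for illustration; in a browser console, pass the real window object instead.

```javascript
// Added example (not from the original notes). Classifies the context a
// script runs in, using the values the tips say to read.
// `win` is any window-like object: pass `window` in a browser console.
function describeExecutionContext(win) {
  const origin = String(win.origin);
  const domain = win.document ? win.document.domain : "";
  // An opaque origin (e.g. a sandboxed frame without allow-same-origin)
  // serializes window.origin as "null" and leaves document.domain empty.
  const opaqueOrigin = origin === "null";
  // window.top is readable across origins, so this comparison is safe.
  const framed = win.top !== win.self;

  let scope;
  if (opaqueOrigin) {
    scope = "opaque-origin"; // isolated from the embedding site's origin
  } else if (framed) {
    scope = "iframe";        // affects the frame's origin, not the parent's
  } else {
    scope = "top-level";     // affects the origin shown in the address bar
  }
  return { origin, domain, framed, opaqueOrigin, scope };
}

// Constructed sample contexts (hypothetical hosts) so the block runs offline.
function makeWindow(origin, domain, top) {
  const win = { origin, document: { domain } };
  win.self = win;
  win.top = top || win;
  return win;
}

const mainApp = makeWindow("https://app.example", "app.example");
const widgetFrame = makeWindow("https://widgets.example", "widgets.example", mainApp);
const sandboxedFrame = makeWindow("null", "", mainApp);

for (const w of [mainApp, widgetFrame, sandboxedFrame]) {
  console.log(describeExecutionContext(w));
}
```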
Payloads
Some alternatives to alert(1), which is likely to get blocked by a WAF:
| Pop up the browser print | |
Evasion resources