I am learning about XSS (for ethical purposes), and I was wondering how to execute some JavaScript code without using <script> tags. This is within the HTML tag:
"The search term" <p> *JavaScript here* </p> "returned no results"
For some reason, the script tags are not working.
'';!--"<XSS>=&{()}
)<> won't matter, because you are already inside a HTML Tag. You can look if this Tag supports Events and use some kind of onload=alert(1) or other event. If <> is allowed, you can break out and create your own tag '><img src=0 onerror=alert(1)>
<> are important. With these you can open a new Tag and the whole world is below your feet (or so...)
'", then you can basically write ';alert(1)
<XSS> disappears entirely: the application uses some kind of strip_tags. If you are outside of a HTML Tag and no HTML Tags are whitelisted, I unfortunately don't know any method to achieve an XSS.
There are various methods to achieve this, too many to name them all. Look at these two sites, which have a lot of the methods and concepts to construct your own. It comes down to: what the page allows to go through.
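
Seen from the defending side, the contexts this answer distinguishes map to one encoder per output context. The following is an added example, not code from the question or the answer; the function names are hypothetical and the input strings are the ones quoted in the thread.

```javascript
// Added illustration. Function names are hypothetical; the probe string is the
// one quoted in the thread, used here only as encoder test input.
const PROBE = `'';!--"<XSS>=&{()}`;

// Tag stripping in the style of strip_tags: removes <...> runs, nothing else.
function stripTags(s) {
  return String(s).replace(/<[^>]*>/g, '');
}

// HTML text and quoted-attribute contexts: encode the five significant characters.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function encodeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => HTML_ENTITIES[c]);
}

// JavaScript string-literal context: \uXXXX-escape every UTF-16 unit that is not
// alphanumeric or a space, so quotes, backslashes, "<" and "/" cannot end the
// literal or the enclosing script block.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9 ]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Which of < > " ' are still present unencoded in a value about to be written out.
function rawMetachars(s) {
  return [...new Set(String(s).match(/[<>"']/g) || [])].sort().join('');
}

// One reflected value, three sinks, each with the encoder for its own context.
function renderSearch(term) {
  return {
    text: `<p>The search term ${encodeHtml(term)} returned no results</p>`,
    attr: `<input name="q" value="${encodeHtml(term)}">`,
    js: `<script>var term = '${encodeJsString(term)}';</script>`,
  };
}

console.log('after stripTags :', stripTags(PROBE), '-> raw:', rawMetachars(stripTags(PROBE)));
console.log('after encodeHtml:', encodeHtml(PROBE), '-> raw:', rawMetachars(encodeHtml(PROBE)));
console.log(renderSearch(PROBE));
```

Stripping tags leaves both quote characters raw, which is why the attribute and script sinks need their own encoding rather than relying on tag removal.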