Notice how the input tag is closed first, so the script tag you inject after it works.
See if you can bypass the protective filters and generate an alert pop-up.
Tags are blocked, but our data is going inside an input tag:
Just like SQLi, we can close the already existing " and add our own HTML to the input tag.
If we enter the payload abcd" onload="alert('xssed') this is how it would appear:
This makes the value abcd, and the moment the iframe loads, you will get the popup.
See if you can use the input field to cause harm to the user of this website.
As our input is simply appended into the <h1> tags, we can pass our own HTML in the user_name parameter, and that HTML/JS will get appended to the output.
See if you can use your knowledge of JavaScript to cause harm to the user of this website.
XSS isn't always in a text field; it can be directly in the URL.
Exploitation doesn't need <script> tags; JS can also be executed through JS event handlers such as onclick, onload, onmouseover, etc.
<img src="" onerror=alert(0)>
<svg onload=alert(0)>
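The defensive side of the cases above, as an added example that is not part of the original labs: a filter that only strips tags still lets the quote-based payload add an onload attribute, while HTML-encoding the value on output keeps it inside the attribute. The function names and the input/h1 templates are assumptions modelled on the lab descriptions.

```javascript
// Added example, not from the labs. Templates and function names are assumed.

// Weak filter of the kind the labs describe: removes <...> tags only.
function stripTags(input) {
  return String(input).replace(/<[^>]*>/g, "");
}

// Output encoding: neutralise the characters that can change HTML context.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Attribute context (the input-tag lab), filtered vs. encoded.
function renderInputFiltered(value) {
  return `<input type="text" value="${stripTags(value)}">`;
}
function renderInputEncoded(value) {
  return `<input type="text" value="${escapeHtml(value)}">`;
}

// Element-body context (the user_name lab), encoded.
function renderHeadingEncoded(userName) {
  return `<h1>${escapeHtml(userName)}</h1>`;
}

// Demo-only check: list the double-quoted attributes a browser would see.
function attributeNames(html) {
  return [...html.matchAll(/([a-zA-Z-]+)="[^"]*"/g)].map((m) => m[1]);
}

// Payloads quoted on this page.
const attrPayload = `abcd" onload="alert('xssed')`;
const tagPayload = `<svg onload=alert(0)>`;

console.log(attributeNames(renderInputFiltered(attrPayload)));
console.log(attributeNames(renderInputEncoded(attrPayload)));
console.log(renderHeadingEncoded(tagPayload));
```

The encoding only holds when the attribute value is quoted in the template; an unquoted value can be ended with a space.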
See if you can execute JavaScript and generate an alert pop-up in the 'Products' page.
Step 1: Go to the hacking challenge (the URL will be different for each user). http://13.232.74.70/Cross-Site-Scripting/Permanent-XSS-Variant-3/
Step 2: Click on the 'Login as A Seller' button.
Step 3: Enter the payload "> in the 'Seller Address' input field.
Step 4: Click on save changes.
Step 5: Now click on the 'Show Products' button to view the XSS pop-up.
Now anybody who browses the products will be affected by the payload; hence the 'Seller Address' field is vulnerable to permanent XSS.