Last active
May 18, 2020 04:23
-
-
Save Rhynorater/d628f34e25e06ec37b0aa086b13781f5 to your computer and use it in GitHub Desktop.
XSS Discovery Bookmarklet
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| javascript:(function()%7Bvar j %3D document.getElementsByTagName("input")%3Bif (document.location.href.indexOf("%3F")>-1)%7Bvar l %3D "%26"%3B%7Delse%7Bvar l %3D "%3F"%3B%7Dfor (i%3D0%3Bi<j.length%3Bi%2B%2B)%7Bl%2B%3Dj%5Bi%5D.getAttribute("name")%2B'%3D"><test1234>%26'%7Ddocument.location %3D document.location%2Bl%7D)() |
There is also this one by @fransr:
javascript:(function()%7Bvar str='';var attack=prompt('Attack','');if(!attack)return false;function getallelems(v)%7Bvar ii=document.getElementsByTagName(v);for(var i=0;i<ii.length;i++)%7Bif(!ii%5Bi%5D.name)continue;str+=(str?'&':'')+ii%5Bi%5D.name+'='+attack;%7D%7Dgetallelems('input');getallelems('textarea');getallelems('select');str=document.location.search+(document.location.search.indexOf('?')==-1?'?':'&')+str;alert(str);document.location.search=str;%7D)();
Hi Justin, could you explain it in simple steps via images.
i meant how to add the script to the location of a book mark.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this script to the location of a bookmark and it will reload the page with all the inputs in the page assigned to "> for testing purposes. Then you can just look at the source and see if any of the inputs got echo'ed in without sanitization.