@caike
Last active October 2, 2022 14:37
XSS attack demo with innerHTML

Tested with Chrome, Firefox and Safari.

The following code will not trigger an alert, because `<script>` elements inserted through `innerHTML` are not executed:

```javascript
target.innerHTML = "<script> alert('XSS Attack'); </script>";
```

The following code will trigger an alert, because the image fails to load and its `onerror` handler runs:

```javascript
target.innerHTML = "<img src=x onerror=\"alert('XSS Attack')\" >";
```
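
Since the second payload runs without any `<script>` element, removing script tags does not make an `innerHTML` sink safe. The added example below (not part of the original gist) runs both strings from above through a script-tag filter and through HTML escaping; `stripScriptTags`, `escapeHtml`, `containsMarkup` and `compareDefences` are hypothetical helper names.

```javascript
// Added example: compares two defences for untrusted text headed to innerHTML.
// Sample inputs are the two strings shown in the gist above.
const payloads = [
  "<script> alert('XSS Attack'); </script>",
  "<img src=x onerror=\"alert('XSS Attack')\" >",
];

// Weak defence (hypothetical): remove <script>...</script> elements only.
function stripScriptTags(input) {
  return input.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "");
}

// Escape the characters that are significant in HTML text and attribute values,
// so the browser renders the input as text instead of parsing it as markup.
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// True if the string still contains something an HTML parser treats as a tag start.
function containsMarkup(s) {
  return /<[a-zA-Z\/!?]/.test(s);
}

// Run both defences over each input and report whether markup survives.
function compareDefences(inputs) {
  return inputs.map((input) => {
    const stripped = stripScriptTags(input);
    const escaped = escapeHtml(input);
    return {
      input,
      stripped,
      strippedStillMarkup: containsMarkup(stripped),
      escaped,
      escapedStillMarkup: containsMarkup(escaped),
    };
  });
}

for (const row of compareDefences(payloads)) {
  console.log(row);
}

// In the browser, the simplest fix is to avoid the HTML parser entirely:
//   target.textContent = untrusted;
```

The `<img>` string passes through `stripScriptTags` unchanged, while `escapeHtml` leaves no parseable tag in either string.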

@YahyaRechaki

The second code won't work, because the src value inside the code `target.innerHTML = "<img src=x onerror=\"alert('XSS Attack')\" >";` should be inside quotes ('').
