Loading video...

Video Failed to Load

Go Home

Do not use the script tag when testing for XSS

gregxsunday's profile picture

Bug Bounty Reports Explained

54,188 subscribers

41,260 views • 2 years ago •via X (Twitter)

News & PoliticsScience & TechnologyEducation
LIVE

Anya Rossi• Live Now

Private livecam show

7 Comments

Tib3rius's profile picture
Tib3rius2 years ago

Better advice would be to not use exploit payloads for XSS detection in the first place, IMO. I personally like @cinzinga_'s goto payload of <s>asdf since it's small, easily searchable, and the strike-through text is more noticeable.

Anton's profile picture
Anton2 years ago

In case your sink is innerHTML, but you still need to load <script> use this: <iframe srcdoc="<script src=''></script>"></iframe> Last time I saw this trick in @bbuerhaus article

Bug Bounty Reports Explained's profile picture
Bug Bounty Reports Explained2 years ago

@bbuerhaus Yes, I've used for actually exploiting the innerHTML XSS but not for detecting it.

Olajeedae Jr 🇳🇬's profile picture
Olajeedae Jr 🇳🇬2 years ago

Learnt this the hard way on hacker101 CTF

Mr. Robot.txt's profile picture
Mr. Robot.txt2 years ago

That brings me to the question that has been bugging me for a while now (Noob here) When you payload is being encoded, is that the end of the road? Cause usually i get stuck at this point

Bug Bounty Reports Explained's profile picture
Bug Bounty Reports Explained2 years ago

yes, encoding is a proper defence against xss and there's nothing you can do

Bug Bounty Reports Explained's profile picture
Bug Bounty Reports Explained2 years ago

Event handlers use need the same ''unsafe-inline' directive as inline scripts so what you say doesn't make sense.

Related Videos

What do drivers do at testing when they’re not testing? 🤔
0:37

What do drivers do at testing when they’re not testing? 🤔

Mercedes-AMG PETRONAS F1 Team

44,096 views • 3 months ago

My name's Patty. I'll be testing you. When you do good, I use the green pen. When you do bad, I use the red pen. Any questions?
0:20

My name's Patty. I'll be testing you. When you do good, I use the green pen. When you do bad, I use the red pen. Any questions?

Simpsons Daily Glavins

39,070 views • 23 days ago

introducing Live Previews for YOUR website in tweakcn customize your shadcn site's theme in real-time by simply adding a script tag. no need to go back and forth when testing themes!
0:23

introducing Live Previews for YOUR website in tweakcn customize your shadcn site's theme in real-time by simply adding a script tag. no need to go back and forth when testing themes!

Sahaj

91,057 views • 8 months ago

I said I'm going to publish a technical article on how to test newsletter subscription functionality for BAC/XSS, I'll just drop it here instead; before we jump into testing these "newsletter subscription" features, we need to find them; here's a dork I use to find them [ site: ("subscribe"|"newsletter"|"unsubscribe") ]... most hackers don't look into these features, so this is a good opportunity; you can find vulnerabilities like XSS, IDOR/BAC, and even SQLi. In some cases the form only asks for your email, no name, country, etc. That doesn't stop you from testing XSS, but it can make IDOR testing harder to spot... if the email you enter is reflected back on the page, that's a great vector to test for XSS.
4:07

I said I'm going to publish a technical article on how to test newsletter subscription functionality for BAC/XSS, I'll just drop it here instead; before we jump into testing these "newsletter subscription" features, we need to find them; here's a dork I use to find them [ site: ("subscribe"|"newsletter"|"unsubscribe") ]... most hackers don't look into these features, so this is a good opportunity; you can find vulnerabilities like XSS, IDOR/BAC, and even SQLi. In some cases the form only asks for your email, no name, country, etc. That doesn't stop you from testing XSS, but it can make IDOR testing harder to spot... if the email you enter is reflected back on the page, that's a great vector to test for XSS.

Gospel

12,567 views • 7 months ago

They use the same tired, tried-and-tested script… WHY DO THE AMERICAN PUBLIC FALL FOR IT AGAIN. AND AGAIN. AND AGAIN‼️
0:39

They use the same tired, tried-and-tested script… WHY DO THE AMERICAN PUBLIC FALL FOR IT AGAIN. AND AGAIN. AND AGAIN‼️

Earth Hippy 🌎🕊️💚

33,016 views • 5 months ago

When learning Japanese do NOT use Duolingo!🚫
1:56

When learning Japanese do NOT use Duolingo!🚫

SephirothSword57 🇯🇵

16,698,920 views • 11 months ago

Why do we not use the proper name for other countries?
0:44

Why do we not use the proper name for other countries?

Geoff Norcott

14,806 views • 5 months ago

AI voice acting. AI script writing. How do you feel when you know AI is being use in huge parts of the game you are playing? Vtuber: Yomi Quinnley
0:44

AI voice acting. AI script writing. How do you feel when you know AI is being use in huge parts of the game you are playing? Vtuber: Yomi Quinnley

Hiokleo 💀🎟️🌸 Horror Vtuber

21,849 views • 1 year ago

Do not use extensions for this please!
0:59

Do not use extensions for this please!

Aproko Doctor Global

953,292 views • 8 months ago

- "Use GD Script!!!" - "Godot can't do 3D" - "Godot's Physics system is terrible" oh...
0:22

- "Use GD Script!!!" - "Godot can't do 3D" - "Godot's Physics system is terrible" oh...

Barji

54,965 views • 2 years ago

do not turn up the volume do not use headphones 😭
0:48

Sensitive content

do not turn up the volume do not use headphones 😭

sim

163,942 views • 9 months ago

PentestGPT can now find XSS vulnerabilities for you!
0:30

PentestGPT can now find XSS vulnerabilities for you!

HackerAI

69,087 views • 1 year ago

#BiologicallyDefeated use the same script as #DickPoliceUnit & #BlackMenDefenseForce “Good for me but not for you & we’ll pretend like it’s not happening until caught, then there are valid reasons why” Did they plan this together?!
0:44

Sensitive content

#BiologicallyDefeated use the same script as #DickPoliceUnit & #BlackMenDefenseForce “Good for me but not for you & we’ll pretend like it’s not happening until caught, then there are valid reasons why” Did they plan this together?!

‎ Anos Voldigoad V

168,383 views • 1 month ago

Wow, this is crazy. 40% of those being tested for paternity at these DNA testing centers, the man ends up not being the father of the child. How large do you think that number is when you factor in people not getting tested?
0:56

Wow, this is crazy. 40% of those being tested for paternity at these DNA testing centers, the man ends up not being the father of the child. How large do you think that number is when you factor in people not getting tested?

Women Being Awful

680,892 views • 1 year ago

The 4th of July fireworks show in Long Beach celebrating 250 years of independence has been CANCELLED by Gavin Newsom’s California Coastal Commission Newsom’s commission says fireworks pollute the water, despite the organizer showing 10 YEARS of testing proving this false Despite the testing, the Coastal Commission said the fireworks show is too environmentally unfriendly “We do not pollute the water. We do not affect wildlife. We've done testing for 10 years.” “Kids are gonna be devastated when I go home and tell them this news.”
1:55

The 4th of July fireworks show in Long Beach celebrating 250 years of independence has been CANCELLED by Gavin Newsom’s California Coastal Commission Newsom’s commission says fireworks pollute the water, despite the organizer showing 10 YEARS of testing proving this false Despite the testing, the Coastal Commission said the fireworks show is too environmentally unfriendly “We do not pollute the water. We do not affect wildlife. We've done testing for 10 years.” “Kids are gonna be devastated when I go home and tell them this news.”

Wall Street Apes

343,895 views • 1 month ago

Myles Lewis-Skelly: "We just want to embrace 'title favourites' (tag), use it for us, not against us!" [TNT]
3:05

Myles Lewis-Skelly: "We just want to embrace 'title favourites' (tag), use it for us, not against us!" [TNT]

AfcVIP⁴⁹

305,398 views • 4 months ago

🚨$100 GIVEAWAY 🚨 Bro said “do $2K Super buy for the Content” 🔥 Generated straight cinema and gave away over $2K 😎 Drop your username + tag 3 friends Not registered? Use code LittleKid W Shuffle.com
2:38

🚨$100 GIVEAWAY 🚨 Bro said “do $2K Super buy for the Content” 🔥 Generated straight cinema and gave away over $2K 😎 Drop your username + tag 3 friends Not registered? Use code LittleKid W Shuffle.com

LittleKid

15,800 views • 2 months ago

Yeeeeah you could manually figure out a payload for DOM XSS... or you could just ask Burp AI to do it for you.
0:55

Yeeeeah you could manually figure out a payload for DOM XSS... or you could just ask Burp AI to do it for you.

Burp Suite

19,365 views • 7 months ago

Nikol Pashinyan: "When we are upset that some people use the term 'Western Azerbaijan,' but when we use 'Western Armenia,' do we not think that it might irritate some people? We are irritated when they use 'Western Azerbaijan,' just as they are irritated when we use 'Western Armenia.'"
0:26

Nikol Pashinyan: "When we are upset that some people use the term 'Western Azerbaijan,' but when we use 'Western Armenia,' do we not think that it might irritate some people? We are irritated when they use 'Western Azerbaijan,' just as they are irritated when we use 'Western Armenia.'"

Prince du Karabaque

31,847 views • 1 year ago