0

I'm making a web penetration test, so I trying to exploit a XSS, I've looked that if I use a payload like the following:

<script>alert(document.domain)</script>

The output in the page will be

&lt;script&gt;alert(document.domain)&lt;/script&gt;

So I'm looking for alternatives payloads or valid encoding, already I tryied these encoding:

http://evuln.com/tools/xss-encoder/

Anyone have an idea about exploiting this XSS or is it possible exploiting an xss without using </> ?

schroeder
  • 129,372
  • 55
  • 299
  • 340
BeginnerDon'tExpert
  • 1
  • Does this answer your question? XSS payload without using < and > – nobody Aug 10 '21 at 18:48
  • Yes but the payloads adviced in that question don't work on the web app that I'm testing – BeginnerDon'tExpert Aug 10 '21 at 18:57
  • 1
    Maybe you missed the line "If your input isn't being reflected anywhere else, and < and > are always encoded, then you can't exploit the page via XSS."? Not every web page that allows you to inject text is vulnerable to XSS. (If thigs were always so easy, then all social media sites, and stackexchange itself would be vulnerable to XSS :).) – nobody Aug 10 '21 at 19:02

0 Answers0