You’ve discovered an XSS vulnerability on a page. What next?

Submit a confidential report.

Below are a few simple snippets of JavaScript that can be used for evil.

Of course, you need to be familiar with JavaScript first…

https://jsfiddle.net/ is a convenient way to execute JavaScript in your web browser.

Client Payloads

// this is a comment. 

/*
 * BTW, there's no difference between using single quotes (')
 * or double quotes (") for strings in JavaScript.
 *
 * Semicolons are optional.
 */
// usage: setTimeout(function, milliseconds);
setTimeout(function() {
  alert("Have a wonderful day! ^_^");
}, 5000);

// usage: setInterval(function, milliseconds);
setInterval(function() {
  alert("Don't forget to be awesome.");
}, 5000);

document.getElementsByTagName('h1')[0].innerText = 'Just wanted to say hello :)';


// these functions will DoS your site!
location.reload();
// replace() is a method of window.location, not of window
window.location.replace('http://www.staggeringbeauty.com/');

Some exploits require more setup. For example, you can inject window.location.replace to send users to a spoofed login page. https://tools.kali.org/information-gathering/set
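From the defender's side, the snippets above only run when a page writes untrusted input into its markup without encoding it. The following is an added example, not code from the original page: it puts a vulnerable template next to its output-encoded form, using one of the snippets above as constructed sample input. The function names and the `name` parameter are hypothetical.

```javascript
// Added example (not from the original page). Runs in Node or a browser console.
// renderGreetingUnsafe / renderGreetingSafe and "name" are hypothetical names.

// Characters that can break out of HTML text or a quoted attribute value.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: untrusted input is concatenated straight into markup.
function renderGreetingUnsafe(name) {
  return "<h1>Hello, " + name + "</h1>";
}

// Hardened: the same template with output encoding applied at the sink.
function renderGreetingSafe(name) {
  return "<h1>Hello, " + escapeHtml(name) + "</h1>";
}

// Rough comparison check, not a sanitizer: does the markup contain a script
// element or an inline event handler?
function containsActiveMarkup(html) {
  return /<script\b/i.test(html) || /<[^>]+\son\w+\s*=/i.test(html);
}

// Constructed sample input: the setTimeout snippet from this page in a script tag.
const SAMPLE_INPUT =
  '<script>setTimeout(function() { alert("Have a wonderful day! ^_^"); }, 5000);</script>';

function demo() {
  const unsafe = renderGreetingUnsafe(SAMPLE_INPUT);
  const safe = renderGreetingSafe(SAMPLE_INPUT);
  return {
    unsafe, unsafeIsActive: containsActiveMarkup(unsafe),
    safe, safeIsActive: containsActiveMarkup(safe),
  };
}

console.log(demo());
```

In browser code the equivalent fix is to assign untrusted values with `textContent` rather than `innerHTML`.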