Part 2: XSS Code Analysis and Exploitation

July 24, 2016 | Views: 5672


Hello Cybrarians, once again,

In this article, we continue our code analysis and exploitation of XSS from Part 1. If you haven’t already read it, please do.


Let’s begin…

Example 6:


As we see, our code is now completely different from the previous examples. In this one, our input ends up running inside JavaScript, so in our payload we don’t have to specify the language using script tags (<script>, javascript:, etc.). We also see no sanitization in place.

Our payload will look like:




Example 7:


So here, it starts getting a little bit more serious, as we see HTML encoding in place and we cannot use double quotes (" ").

Our payload will look like:




Example 8:


The HTML encoding is still in place, and the application also uses PHP_SELF, which trusts the user input and lets us execute our code. But we must first close the one that is already running.

Our payload will look like:




Example 9:


Here, we have DOM-based XSS, and what actually happens is that on every request the page looks for the hash.substring (#).

Our payload will look like:
# <script>alert('ex9')</script>
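
The data flow behind Example 9, as an added example that is not part of the original article: it traces the fragment from the URL to an HTML sink and shows the vulnerable markup beside the encoded form. It assumes the page hands location.hash.substring(1) to a sink such as document.write (the page's code is not shown here); the host lab.example, the file name and the "Section:" wrapper are constructed.

```javascript
// Added example, not the article's code. Assumption: the Example 9 page
// passes location.hash.substring(1) to an HTML sink such as document.write.
const ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can change the HTML parsing context.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ESC[c]);
}

// What hash.substring(1) yields under the WHATWG URL parser:
// '<', '>', '"' and spaces in the fragment come back percent-encoded.
function rawFragment(url) {
  return new URL(url).hash.substring(1);
}

// Pages often decode the fragment before use, which restores the markup.
function decodedFragment(url) {
  const raw = rawFragment(url);
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return raw; // malformed percent sequence: keep the raw text
  }
}

// Vulnerable pattern: the decoded fragment becomes markup unchanged.
function markupVulnerable(url) {
  return '<p>Section: ' + decodedFragment(url) + '</p>';
}

// Hardened pattern: the fragment is encoded for the HTML context first.
// In a browser, assigning to element.textContent gives the same result.
function markupHardened(url) {
  return '<p>Section: ' + escapeHtml(decodedFragment(url)) + '</p>';
}

// Constructed sample URL carrying the payload shown above.
const SAMPLE = "http://lab.example/example9.php#<script>alert('ex9')</script>";

console.log(rawFragment(SAMPLE));
console.log(markupVulnerable(SAMPLE));
console.log(markupHardened(SAMPLE));
```

The raw fragment alone contains no angle brackets, so the risk sits in the decode step combined with an HTML sink; encoding at the sink removes it whether or not the fragment was decoded.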


That’s it for now. Use the form below for questions and comments.

  1. Well done thanks

  2. Well appreciated.

  3. Thanks…
