I can't run an xss attack-CodePudding

I'm learning a bit about cybersecurity and I'm trying to do an xss attack on the following html

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Document</title>
</head>
<body>
    <form action="">
        <textarea cols="30" rows="10"></textarea>
        <input type="text">
    <input type="submit">
    </form>
</body>
</html>

But every time I try to write code in some input like: alert("Hello") inside a script tag and send it, it doesn't work, I already tried it with a server in xampp and without a server. Aid

CodePudding user response：

You need to display your input somewhere as html to make xss work..

Here is simple code for your practice

<input id="inp">
<button onclick="show()">click</button>
<div id="out"></div>

<script type="text/javascript">
function show() {
document.getElementById('out').innerHTML = document.getElementById('inp').value
}
</script>

Payload:

<image/src/onerror=prompt(8)>

CodePudding user response：

You can use the following HTML code segment for webpage,

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Document</title>
</head>
<body>
 <form action="" method="GET">
  <input id="query" name="query" value="Enter query here..." onfocus="this.value=''">
  <input id="button" type="submit" value="Search">
 </form>
</body>
</html>

For the payload, a user enters a very simple script as shown below:,

<script>alert(‘XSS’)</script>

or, For Example: On a mouse hover,

<b onm ouseover=alert(‘XSS testing!‘)></b>

I hope it will be helpful.