HTML tags that can clobber the credentials part of the URL
2
This vector shows which which html tags can clobber the credentials part of the URL, based on: https://portswigger.net/research/concealing-payloads-in-url-credentials
Created by: 0x999-x
Created on: Monday, November 4, 2024 at 8:01:37 AM
Updated on: Wednesday, November 6, 2024 at 7:05:13 PM
Vector type: XSS
Vector charset: UTF-8
Template used:
<$[data1] id="xx" $[data2]="https://x:x@x.com">
Code used after fuzz:
if(xx.username==="x"){log('$[data1]:$[data2]')}
Your browser was detected as:
Detecting... Detecting... Detecting... Detecting...
Sample payloads
<a:href id="xx" ="https://x:x@x.com">
<area:href id="xx" ="https://x:x@x.com">
Fuzz results
Chrome 130.0.0.0 desktop Windows NT 10.0
Updated
Mon Nov 04 2024
Found 2 results
Loading...