InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/

Visualizing XSS With Unusual Payloads

By Pampuna, published in InfoSec Write-ups, Mar 4, 2025 (8 min read)

Typically, demonstrating Cross-Site Scripting (XSS) vulnerabilities involves one of two approaches:

  • Look, I made your site display an alert.
  • I’ve exfiltrated your cookies, credit card information and cat.

What if there were a third approach: a more visual and perhaps less malicious method that would still demonstrate the potential impact of an XSS vulnerability? In this post I’m diving into some visual payloads that aim to do just that. Have fun reading, and don’t take this one too seriously!

Visualizing repainting a web site using XSS

A quick heads-up before you start: while it’s technically possible to combine some of the payloads described below, I don’t recommend doing this. You’ll get sick.

Spoilers: If you make it all the way to the end, you’ll be rewarded with a Matrix-like payload!

This article is written for educational purposes and is intended only for legal penetration testing and red teaming activities, where explicit permission has been granted. The code examples serve the purpose of demonstrating the potential impact of an XSS attack. If you wish to test any of the scripts provided, please refer to the disclaimer at the end of this post.

Horrible Server

In a previous post I set up a pretty terrible Python server to demonstrate XSS. I’ve made it a bit worse and upgraded its name to Horrible Server. The server is still vulnerable to a few variants of reflected XSS, but it now also has a working search function.

Before showing the entire script, let’s zoom in on the vulnerable line:

<input id="q" name="q" type="text" class="form-control me-2" placeholder="Search..." value=\"""" + query + """\">

The user input (query) is inserted directly into the HTML string, with no encoding; the surrounding double quotes only give a false sense of security.

Imagine searching for ?q=color" style="color:red;. Because the input contains a double quote and is injected unencoded, it closes the value attribute and breaks out of it, resulting in the following:

<input id="q" name="q" type="text" class="form-control me-2" placeholder="Search..." value="color"
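The attribute breakout above, reproduced beside its fix, as an added example (not code from the post's Horrible Server, whose full template the page does not show): the vulnerable rendering concatenates the raw query, the hardened rendering HTML-encodes it (quotes included) before insertion, and a small parser checks whether the reflected query has turned into a separate attribute.

```python
import html
from html.parser import HTMLParser

# Constructed excerpt of the search box, mirroring the page's vulnerable line.
TEMPLATE = ('<input id="q" name="q" type="text" class="form-control me-2" '
            'placeholder="Search..." value="{value}">')

# The page's example input: a quote to close value, then a new attribute.
PAYLOAD = 'color" style="color:red;'


def render_vulnerable(query: str) -> str:
    """Reproduce the bug: the raw query lands inside the value attribute."""
    return TEMPLATE.format(value=query)


def render_fixed(query: str) -> str:
    """Defence: encode for the attribute context so quotes cannot close it."""
    return TEMPLATE.format(value=html.escape(query, quote=True))


class _InputAttrs(HTMLParser):
    """Collect the attributes the browser would see on the <input> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)  # values arrive already HTML-decoded


def input_attrs(rendered: str) -> dict:
    """Parse the rendered tag; a breakout shows up as an extra attribute."""
    parser = _InputAttrs()
    parser.feed(rendered)
    return parser.attrs


if __name__ == "__main__":
    # Vulnerable: 'style' becomes its own attribute. Fixed: it stays text.
    print(input_attrs(render_vulnerable(PAYLOAD)).get("style"))  # color:red;
    print(input_attrs(render_fixed(PAYLOAD)).get("style"))       # None
```

The same check can be pointed at any parameter the server reflects; an attribute that the template never declared is the signal to look for.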

Written by Pampuna

Ethical Hacker & Security Researcher. Crafting offensive tools with Python & PowerShell, emphasizing defensive strategies. Passionate about digital security.
