From 4ef6aae880afacf7ed810de346004c90617076a2 Mon Sep 17 00:00:00 2001
From: Max Yaremchuk <38838852+w9w@users.noreply.github.com>
Date: Fri, 28 Feb 2025 02:10:50 -0800
Subject: [PATCH] Update xss.py

99% of WAFs will block the requests with default payloads. I suggest checking for to detect a basic HTML injection and then act accordingly if found.
---
 xss.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/xss.py b/xss.py
index 0fedc8c..a47daa6 100755
--- a/xss.py
+++ b/xss.py
@@ -305,6 +305,7 @@ def realDoTest( t_params ):
 # source: https://twitter.com/brutelogic/status/1138805808328839170
 if not n_payloads:
 t_payloads = [
+ '',
 '\'"-->.',
 '\'"-->',
 '\'"-->',
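Review bot: The new first entry of `t_payloads` has no comment of its own and sits directly under the existing `# source:` attribution, which credits the original payload set rather than this addition. A line such as `# benign markup probe, tried first to confirm plain HTML injection` above the entry would record why it leads the list and where it came from. As rendered on this page the literal is an empty string, probably because markup was stripped in extraction; if the committed value really is `''`, the entry cannot confirm anything and should be checked before merging. The hunk only adds the list entry, so the "act accordingly if found" step from the description is not visible here, and `realDoTest` starts and ends outside the hunk.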