theqamiqaze/Crossfire
Crossfire

Intentionally insecure, for your inconvenience.

Running the app

  1. Extract files from the .zip to a directory of your choice.

  2. Open PowerShell and cd into the project folder.

  3. Create a virtual environment and activate it:

     # create venv named .venv
     py -m venv .venv
     # activate
     .\.venv\Scripts\Activate.ps1

  4. Install Python dependencies:

     python -m pip install -r requirements.txt

  5. Create a .env file next to app.py and add a SECRET_KEY (single line):

     SECRET_KEY=your_generated_secret_here

  6. Start the app:

     python app.py

  7. Open your browser to: http://127.0.0.1:5000.

Example XSS commands for testing

Copy and paste these in your blog post to test them.

  1. The Classic Pop-up

Uses a <script> tag to execute JavaScript that creates a simple alert box.

Payload:

<script>alert('This blog has been HACKED!');</script>
  2. Image & Event Handler

These payloads use HTML tags like <img> and their event handlers to execute code.

The Rickroll Image - A simple HTML injection that embeds an animated GIF.

<img src="https://i.giphy.com/media/v1.Y2lkPTc5MGI3NjExbDB1M2FiaWNzOG9wNThjN2Nudnd0aXRucmE3ejdnZWVrYXZtY2FkYiZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw/lgcUUCXgC8mEo/giphy.gif" alt="Never Gonna Give You Up" width="500">

The Broken Image Alert - A more common XSS vector that uses the onerror event handler of an image tag.

<img src="x" onerror="alert('Oops, the image is broken... and so is this website\'s security!');">

  3. CSS & Style

Injecting a <style> tag can alter the appearance of the entire page, demonstrating control over the Document Object Model (DOM).

Make Everything Spin - This CSS payload makes the entire page rotate endlessly.

<style>
  body {
    animation: spin 2s linear infinite;
  }
  @keyframes spin {
    100% {
      transform: rotate(360deg);
    }
  }
</style>
<h2>If you're reading this, I hope you're not dizzy!</h2>

  4. Interactive Mouse examples

These examples use mouse events like onmouseover to trigger actions when a user interacts with an element.

The Surprise Message - Creates an alert when a user hovers their mouse over a link.

<a href="#" onmouseover="alert('I lied!');">Hover over me for free money!</a>

The Page Takeover - Replaces the entire page's content when a user hovers over a heading.

<h1 onmouseover="document.body.innerHTML = '<h1>This page has been taken over!</h1>';">
    Hover here!
</h1>
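As an added example (not code from the Crossfire repository), the following standard-library Python flags the active content in the payloads listed above (script and style tags, on* event handlers, javascript: URLs) when run over a submitted post body, and places the raw rendering the app performs beside the escaped form that neutralises it. The sample posts are constructed from the list above; render_unsafe is a stand-in for how the app outputs posts, not its actual code.

```python
import html
from html.parser import HTMLParser

# Constructed sample posts: the payloads listed above plus one benign post.
SAMPLE_POSTS = [
    "<script>alert('This blog has been HACKED!');</script>",
    "<img src=\"x\" onerror=\"alert('Oops, the image is broken');\">",
    "<style> body { animation: spin 2s linear infinite; } </style>",
    "<a href=\"#\" onmouseover=\"alert('I lied!');\">Hover over me</a>",
    "<h1 onmouseover=\"document.body.innerHTML = 'taken over';\">Hover here!</h1>",
    "A normal post with <b>bold</b> text, and 2 < 3 is true.",
]

class ActiveContentFinder(HTMLParser):
    """Records tags and attributes that can run script or restyle the page."""

    ACTIVE_TAGS = {"script", "style", "iframe", "object", "embed"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in self.ACTIVE_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            # Every on* attribute (onerror, onmouseover, ...) is an event handler.
            if name.startswith("on"):
                self.findings.append(f"attr:{tag}@{name}")
            # javascript: URLs in href/src run script too (not among the payloads above).
            elif name in ("href", "src") and (value or "").strip().lower().startswith("javascript:"):
                self.findings.append(f"url:{tag}@{name}")

def find_active_content(post):
    """Return the findings for one post body; an empty list means nothing active."""
    parser = ActiveContentFinder()
    parser.feed(post)
    parser.close()
    return parser.findings

def render_unsafe(post):
    # Stand-in for the app's behaviour: the raw body is placed into the page as markup.
    return f"<div class='post'>{post}</div>"

def render_safe(post):
    # Hardened form: escaping makes the browser treat the body as text, not markup.
    return f"<div class='post'>{html.escape(post)}</div>"
```

The finder is a review aid for stored content, not a sanitizer; the escaping in render_safe (or Jinja2's autoescape left enabled) is what actually stops these payloads from executing.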
