Paste a payload and see step-by-step how it works — from injection to execution to impact. Educational breakdowns for XSS, SQLi, and SSRF.
The attacker crafts a malicious payload and submits it to the application.
<script>alert(document.cookie)</script>
The payload contains a <script> tag. If the application reflects input without sanitization, the browser interprets it as executable code.
<html>
<body>
<p>Welcome, <script>alert(document.cookie)</script></p>
</body>
</html>
The browser's HTML parser encounters the <script> tag and executes the JavaScript within it. That script runs in the page's own origin, with the same privileges as the site's legitimate scripts.
alert(document.cookie)
With JavaScript execution, the attacker can steal session cookies, redirect the user, modify page content, capture keystrokes, or perform actions as the victim.
document.cookie → sent to attacker → session hijacked → account compromised
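The "Welcome, ..." page from the breakdown rendered two ways, once reflecting the input raw and once HTML-encoding it first, so the fix is visible on the page's own payload. This is an added example, not code from the original page; the escapeHtml, renderWelcome* and containsScriptTag helper names are this example's own.

```javascript
// Minimal HTML entity encoding for text placed between tags. These five
// characters are the ones that let input change the parser's state.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: user input is concatenated straight into the markup, which is
// exactly the reflection shown in the breakdown above.
function renderWelcomeVulnerable(name) {
  return `<p>Welcome, ${name}</p>`;
}

// Hardened: the same template, but the input is encoded for the HTML text
// context before insertion. The browser now displays the payload as text.
function renderWelcomeSafe(name) {
  return `<p>Welcome, ${escapeHtml(name)}</p>`;
}

// Check a test suite can run over rendered output: did a script element
// survive into the markup? (A reviewer-side sanity check, not a full parser.)
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input: the exact payload used in the breakdown.
const PAYLOAD = "<script>alert(document.cookie)</script>";

console.log("vulnerable:", renderWelcomeVulnerable(PAYLOAD));
console.log("hardened:  ", renderWelcomeSafe(PAYLOAD));
```

Output encoding is the fix for this text context; marking the session cookie HttpOnly is a separate, layered control that keeps document.cookie out of script's reach if another reflection point is missed.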