Maybe it's a weird question, but I'll try to explain it as well as I can. Currently I'm pentesting a website for XSS (cross-site scripting).
First I just tried
<script>alert(1)</script>
and it resulted in
[removed]alert(1)[removed]
I also tried
<scr<script>
and those kinds of things, and I tried much more.
Now I finally got a working one:
<input onfocus=alert("test") autofocus>
and yes, it really spits out 'test', but when I type alert(document.cookie)
it doesn't spit anything out anymore. Also,
<input onfocus=alert("test lol") autofocus>
doesn't spit anything out anymore either. So how can I get the cookie now? And why is it spitting out test, or ahihawiejawije, but not ahjiahwe jijaja or test test, just one word? Also, integers work.
Also, all the HTML code I try to put in does work, like <div>
or <iframes>
so how can I get document.cookie spit out on the page?
This is where I enter the XSS code: https://gyazo.com/d260e065a305941e92a414a321501134
And when I save it I can view it on this page: https://gyazo.com/723c1bff1d6fb7f3341a5b19cadcd264
But since the document.cookie one isn't working, it'll just show an input bar. When I replace document.cookie with just "lol", it gives me this: "lol" (I can't put more than 2 links because of reputation), so it is working with lol.
So how is it possible that one word, or one big word like AAAAAAAAA, works, but not 2 words like aaa aaa, or document.cookie?