diff --git a/pentesting-web/file-upload/README.md b/pentesting-web/file-upload/README.md index 4dd9e00f..2411def2 100644 --- a/pentesting-web/file-upload/README.md +++ b/pentesting-web/file-upload/README.md @@ -132,7 +132,7 @@ Note that **another option** you may be thinking of to bypass this check is to m * Set **filename** to `../../../tmp/lol.png` and try to achieve a **path traversal** * Set **filename** to `sleep(10)-- -.jpg` and you may be able to achieve a **SQL injection** -* Set **filename** to `` to achieve a XSS +* Set **filename** to `` to achieve a XSS * Set **filename** to `; sleep 10;` to test some command injection (more [command injections tricks here](../command-injection.md)) * [**XSS** in image (svg) file upload](../xss-cross-site-scripting/#xss-uploading-files-svg) * **JS** file **upload** + **XSS** = [**Service Workers** exploitation](../xss-cross-site-scripting/#xss-abusing-service-workers)
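Review bot: The changed bullet `Set **filename** to `` to achieve a XSS` shows an empty code span in both the removed and the added line, so as displayed the two versions are identical and a reader cannot tell what filename value the bullet refers to or what the commit changed. If the intent is to fix how the value renders, please check that it survives the Markdown build: a value containing markup characters needs to be escaped inside the code span, otherwise it is dropped from the page as it is here. While the line is being touched, "a XSS" should read "an XSS". The neighbouring bullets hedge with "try to achieve" or "you may be able to"; matching that wording would keep the list consistent.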