XSS
1. Reflected XSS Methods
Reflected XSS attacks exploit vulnerabilities where user input is included in the response without proper sanitization. Below are some common approaches.
Mind Map for Reflected XSS
An extensive mind map detailing approaches to reflected XSS can be found here: Reflected XSS Mindmap by @A9HORA.
1.1 Using Burp Suite
Install the Reflection and Sentinel plugins for Burp Suite.
Walk and spider the target site.
Inspect the reflected parameters tab in Burp.
Send parameters to Sentinel for automated analysis or verify manually.
1.2 Using WaybackURLs and Similar Tools
Use Gau or WaybackURLs to collect URLs.
Filter parameters using
grep "="or GF patterns and store them in a file.Manually inspect reflected parameters or use Dalfox.
1.3 Using Google Dorks
Use Google Dork:
site:target.comFind links with parameters using dorks such as:
site:target.com inurl:".php?"site:target.com filetype:phpMore dorks: Top 100 XSS Dorks
Check if parameters are reflected in HTML.
Inject XSS payloads or test with automated tools.
1.4 Finding Hidden Variables in Source Code
Inspect JavaScript and HTML source files for hidden parameters.
Search manually in Page Source for:
var==""=''
Append discovered parameters to URLs, e.g.,
https://example.com?hiddenvariablename=xss
1.5 Other Techniques
Use Methods 1 or 2 to gather URLs.
Identify the firewall using WhatWaf.
Find WAF bypass payloads:
Twitter search
Use Arjun to discover hidden parameters.
Additional Tips
Examine error pages (404, 403, etc.) for reflected values.
Trigger a 403 error by requesting the
.htaccessfile.Test all reflected parameters for XSS.
Video References
2. Stored XSS Methods
Stored XSS occurs when malicious scripts are permanently stored on the target website.
Steps for Detecting Stored XSS
Enumerate the firewall and identify WAF rules.
Test payloads in fields such as:
Username
Address
Email
Inject payloads in profile picture filenames and metadata.
Attempt injections in comments, reviews, and feedback sections.
Try every input field that reflects data to other users.
Register an account with an XSS payload in the name field.
Additional Tips
Test entity injection with:
<a href=#>test</a>If any payload is executed, refine and escalate the attack.
Write-Up Reference
3. Blind XSS
Blind XSS occurs when the payload does not immediately reflect, but executes later in backend systems or admin panels.
Detection Techniques
Inject payloads that call back to a listener on your server.
Use:
Burp Collaborator
Ngrok for receiving callbacks.
Test injection points such as:
Contact forms
Admin dashboards
User input logs
E-commerce checkout fields
Common Injection Points
Review and feedback forms
Address fields in e-commerce sites
User-Agent headers
Log viewers
Chat applications
Moderation panels
Video References
4. DOM-Based XSS
DOM XSS occurs when JavaScript dynamically manipulates the page without sanitizing user input.
Tips
Manual detection is difficult; use tools like:
Burp Suite PRO
Video References
5. XSS Filter Evasion Techniques
General Bypass Techniques
Replace
<and>with HTML entities:<script>alert(1)</script>Use XSS polyglots:
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
XSS Firewall Bypass
Bypass lowercase filtering:
<scRipT>alert(1)</scRipT>Break firewall regex using new lines:
<script>%0alert(1)</script>Double Encoding:
%2522Recursive filters bypass:
<src<script>ipt>alert(1);</scr</script>ipt>Injecting anchor tags without whitespace:
<a/href="j	a	v	asc	ri	pt:alert(1)">Bypassing whitespace filtering using a bullet (
•):<svg•onload=alert(1)>Changing request methods:
GET /?q=xss POST / q=xssInjecting CRLF characters for HTTP response splitting:
GET /%0A%0DValue=%20Virus
Acknowledgments and References
Special Thanks
References
Authors
Enhanced and reformatted for HowToHunt repository by remonsec
Last updated