Cross-Site Scripting (XSS) is a web security vulnerability that enables attackers to inject malicious scripts into web pages viewed by other users. When unsuspecting users visit the infected page, the script executes within their browser, allowing attackers to access cookies, session tokens, or even modify page content. XSS vulnerabilities can severely compromise user security and application integrity. Ethical hackers and penetration testers use XSS testing to identify these vulnerabilities, helping organizations secure their applications.
Types of XSS Attacks
- Stored (Persistent) XSS: Malicious scripts are permanently stored on the server (e.g., in a database or a forum post). When other users load the affected page, the script executes, posing a threat to multiple users.
- Reflected (Non-Persistent) XSS: This occurs when user-supplied data is reflected in a web page without proper validation. Attackers craft URLs with malicious scripts that execute when unsuspecting users click the link.
- DOM-Based XSS: This type of XSS occurs within the browser’s Document Object Model (DOM). The vulnerability is due to client-side code modifying the DOM based on user inputs, often bypassing traditional XSS protections on the server.
Common XSS Payloads and Techniques
A basic test payload to check if the application properly sanitizes inputs:
<script>alert('XSS')</script>
Injected into attributes or tags, such as <img src> or <a href>:
"><script>alert('XSS')</script>
Used in URLs or event attributes to execute JavaScript directly:
javascript:alert('XSS')
Exploits the onerror event to execute code when an image fails to load:
<img src=x onerror=alert('XSS')>
An alternative for injecting XSS using SVG tags, as they are often overlooked in sanitization:
<svg/onload=alert('XSS')>
Tools and Commands for XSS Testing
Several tools automate XSS detection and testing. Here are some popular ones with example commands and usage:
XSStrike
XSStrike is a powerful XSS detection tool designed to identify and exploit XSS vulnerabilities.
Common XSStrike Commands:
Scans a URL for potential XSS vulnerabilities:
> python3 xsstrike.py -u <URL>
Crawls the target URL and checks for XSS on all discovered pages:
> python3 xsstrike.py -u <URL> --crawl
XSS Payloads for Manual Testing
Ethical hackers often craft manual payloads for XSS testing when automated tools don’t detect the vulnerability. Below are common payloads used in different contexts:
Basic Script Injection:
This payload checks if the application is vulnerable to basic script injection:
<script>alert('XSS')</script>
Attribute Injection:
This payload tests for injection points within tag attributes, triggering onerror when the image fails to load:
<img src=x onerror=alert('XSS')>
Event-Based Injection:
This payload is used to check for injection vulnerabilities within event handlers like onclick and onmouseover:
<button onclick="alert('XSS')">Click me</button>
URL-Based Injection:
In applications that allow custom URLs, this payload checks for vulnerabilities when loading links:
javascript:alert('XSS')
DOM-Based XSS Payloads:
This payload is inserted into dynamic content to see if the page's JavaScript code interacts with it in an unsafe way:
<input type="text" onfocus="alert('XSS')">
Detecting XSS in Input Fields
Manually enter payloads in form fields and check for JavaScript alert pop-ups or any other unusual behavior, for example with:
"><script>alert('XSS')</script>
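From the defender's side, the same payload families can be spotted after the fact in web-server access logs. The following is an added example, not part of the original article: a detection rule in JavaScript that URL-decodes the request target of each combined-log-format line and flags the indicator families listed on this page. The log lines, the indicator names and the function names (decodeQuery, findXssIndicators, scanLog) are constructed for this example.

```javascript
// Added example (not from the original article): scan access-log lines for
// the XSS payload families listed on this page. Log lines, indicator names
// and function names are constructed for this example.

// One regex per payload family from the page; tested against the decoded request target.
const INDICATORS = [
  { name: "script-tag",     re: /<\s*script\b/i },   // <script>alert('XSS')</script>
  { name: "event-handler",  re: /\bon[a-z]+\s*=/i }, // onerror=, onload=, onclick=
  { name: "javascript-uri", re: /javascript\s*:/i }, // javascript:alert('XSS')
  { name: "svg-tag",        re: /<\s*svg\b/i },      // <svg/onload=alert('XSS')>
];

// URL-decode the target. Decode twice so double-encoded payloads are caught;
// stop on a malformed escape rather than throwing.
function decodeQuery(target) {
  let s = target.replace(/\+/g, " ");
  for (let i = 0; i < 2; i++) {
    try {
      s = decodeURIComponent(s);
    } catch (e) {
      break;
    }
  }
  return s;
}

// Returns the names of the indicator families present in one log line.
function findXssIndicators(logLine) {
  // Combined log format carries the request as "METHOD /target HTTP/x.y".
  const m = logLine.match(/"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS) ([^ "]+) HTTP\/[0-9.]+"/);
  if (!m) return [];
  const target = decodeQuery(m[1]);
  return INDICATORS.filter((i) => i.re.test(target)).map((i) => i.name);
}

// Returns only the lines that produced at least one hit, with their hits.
function scanLog(lines) {
  return lines
    .map((line) => ({ line, hits: findXssIndicators(line) }))
    .filter((r) => r.hits.length > 0);
}

// Constructed sample log: one benign request, then one request per payload family.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /search?query=shoes HTTP/1.1" 200 512',
  '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /search?query=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E HTTP/1.1" 200 612',
  '198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /profile?site=javascript%3Aalert(%27XSS%27) HTTP/1.1" 302 0',
  '198.51.100.9 - - [10/Oct/2023:13:56:05 +0000] "GET /search?query=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E HTTP/1.1" 200 601',
  '192.0.2.4 - - [10/Oct/2023:13:57:12 +0000] "GET /search?query=%253Csvg%2Fonload%3Dalert(1)%253E HTTP/1.1" 200 598',
];

for (const r of scanLog(SAMPLE_LOG)) {
  console.log(r.hits.join(","), "<-", r.line);
}
```

The event-handler pattern will also match benign parameter names such as onsale=, so treat hits as triage candidates to correlate with the response code and with the application's own input validation, not as confirmed attacks. The second decode pass is what catches the double-encoded SVG payload in the last sample line; a single pass would leave it as %3Csvg and miss it.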
Using XSStrike for XSS Detection
To check a vulnerable endpoint with XSStrike:
> python3 xsstrike.py -u "http://example.com/search?query=test"
This command tests the query parameter of the search endpoint for XSS, attempting various payloads.
Full Exploitation Example
To check for persistent XSS, add a payload in a form or comment section. Once saved, visit the page where the script is rendered to test for execution on subsequent page loads.
<script>alert('Stored XSS')</script>