Introduction:
Reflected Cross-Site Scripting (XSS) remains one of the most pervasive and dangerous web application vulnerabilities, allowing attackers to execute malicious scripts in a victim’s browser. The recent ethical disclosure by Muhammad Fikri Adhirajasa, recognized by UNESCO, underscores the critical importance of proactive security testing. This article deconstructs the technical mastery behind such a discovery, providing the tools and methodologies to identify and mitigate XSS flaws.
Learning Objectives:
- Understand the mechanics and real-world impact of Reflected XSS vulnerabilities.
- Master the use of industry-standard tools for manual and automated XSS discovery.
- Implement robust mitigation techniques to harden web applications against XSS attacks.
You Should Know:
1. Manual XSS Probe Crafting with cURL
`curl -G "https://target-site.com/search" --data-urlencode "query="`
This command tests a `GET` parameter (`query`) for basic XSS filtering. The `-G` flag ensures the data is appended to the URL as a query-string parameter, and `--data-urlencode` properly encodes the payload to avoid issues with special characters. Analyze the response HTML for unescaped output of your payload.
2. Automated Scanning with OWASP ZAP CLI
`zap-baseline.py -t https://target-site.com -r baseline_report.html`
The OWASP ZAP baseline scan performs passive security testing against the target URL. It spiders the site and analyzes responses for common vulnerabilities, including XSS indicators. The `-r` flag generates an HTML report summarizing findings.
3. Crafting Advanced Polyglot XSS Payloads
`jaVasCript:/-/`/\`/'/"//(/ /oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3e`
This polyglot payload is designed to bypass naive input filters by being valid in multiple contexts (JavaScript, HTML, URL, CSS). Test this against various injection points where standard payloads fail.
4. Testing for DOM-based XSS with Browser Console
`javascript:eval(decodeURIComponent(location.hash.slice(1)));alert(document.domain)`
Paste this in the address bar to test for client-side script evaluation from the URL fragment. DOM XSS occurs when client-side JavaScript unsafely handles user-controllable data like location.hash.
5. Bypassing Basic XSS Filters with Encoding
`
`
This payload uses HTML hexadecimal character references to encode the `alert('XSS')` string, which browsers decode before execution. This can bypass blacklist filters that look for literal JavaScript function names.
6. HTTP Header Injection for XSS
`curl -H "User-Agent: " https://target-site.com`
Some applications reflect HTTP headers like `User-Agent` or `Referer` into the page HTML without proper encoding. This tests if any header values can trigger XSS.
7. Identifying XSS Sinks with Code Analysis
`grep -r "innerHTML\|document\.write\|eval(" /path/to/webapp/source/`
This Linux command searches an application’s source code for common JavaScript functions that unsafely output data (XSS sinks). Review any located instances to ensure proper context-aware output encoding.
8. Testing for Stored XSS with SQLite
`sqlite3 webapp.db "INSERT INTO comments (text) VALUES ('');"`
For testing stored XSS during development, directly inject a payload into the database. This simulates an attack where malicious input is persisted and rendered to other users.
9. Content Security Policy (CSP) Bypass Testing
`curl -I https://target-site.com | grep -i "content-security-policy"`
Check if a CSP header is present. If it allows `unsafe-inline` or uses a permissive `script-src` directive (like 'self'), it may be vulnerable to bypass. A strong CSP is a primary XSS mitigation.
10. Mitigation: HTML Context Output Encoding
`const encodedValue = originalValue.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;').replace(/'/g, '&#x27;');`
In your Node.js backend, apply this encoding to user-controlled data before outputting it into an HTML context. Note that `&` must be replaced first, otherwise the `&` of the entities produced by the later replacements would be encoded a second time. This neutralizes the payloads by turning them into inert text.
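As an added example (not code from the original post), the HTML-context encoding from this item and the JavaScript-context encoding from the next item are combined into one Node.js module; `encodeForHtml`, `encodeForJsString` and `renderSearchPage` are names chosen here, and the sample input is constructed.

```javascript
// Context-aware output encoding for a Node.js backend (added example).

// HTML context: the five characters that can change HTML structure.
// Safe for element bodies and for quoted attribute values.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// JavaScript context: JSON.stringify quotes and escapes the string, but the
// output may still contain "</script>", which the HTML parser acts on before
// the JavaScript parser ever sees the string literal, and U+2028/U+2029, which
// older engines treat as line terminators inside a literal. Escape those too
// so the string stays inside the <script> block it was written into.
function encodeForJsString(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Renders a search-results page where the same untrusted query lands in an
// HTML element body and in an inline script, each with the matching encoder.
function renderSearchPage(query) {
  return [
    '<p>Results for: ' + encodeForHtml(query) + '</p>',
    '<script>var q = ' + encodeForJsString(query) + ';</script>',
  ].join('\n');
}

// Constructed input: a query that would close the script block and inject
// markup if it were reflected without encoding.
const sampleQuery = '</script><b>hello</b> & "quotes" \'apostrophe\'';
console.log(renderSearchPage(sampleQuery));
```

Both encoders are idempotent only in their own context; never reuse `encodeForHtml` output inside a script block or vice versa.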
11. Mitigation: JavaScript Context Output Encoding
`const safeValue = JSON.stringify(originalValue);`
When outputting user data into a JavaScript context (e.g., inside a `