XSS: The basics

Julio Sergio
2 min readJan 5, 2023

--

What is XSS

When you are learning about cybersecurity, you learn that there are a lot of vulnerability types, and there is one that is very common to find and easy to learn: XSS.

XSS stands for Cross-Site Scripting, and is a vulnerability that allows an attacker to run scripts inside a user’s browser, potentially having the power to steal information and do actions as the victim.

This happens when the attacker sends data with his script to an application, and it without filtering the data sends it to a user and run the attacker’s script in his browser.

Types of XSS

There are three types of XSS:

  • Reflected XSS is when the attacker’s script comes in an HTTP request, like for an example the following URL: http://website.com/example?comment=<script> * hacker’s script here * </script>
  • Stored XSS is when the script, as the name implies, can be stored in the application’s database, in a comment or username for example
  • DOM-based XSS is when the script comes in a client-side Javascript, for example in a function that changes the HTML of the page

Testing for XSS vulnerabilities

To test for Reflected and Stored XSS, submit simple inputs into every place that you can in an application, identify where the inputs are returned in the HTTP responses, and test if you can execute Javascript in these locations.

To test for DOM-based XSS, if the vulnerability comes from URL parameters, place simple inputs as parameters, using developer tools to search in the DOM for the input, and test for each location to check if you can execute Javascript in it.

If the vulnerability doesn’t come from URL parameters, you have to review the Javascript code of the application.

alert( )

Usually if you inject a simple script, and it runs in your browser, you can confirm a XSS vulnerability. One of the easiest and most popular ways to do this is using the alert( ) function, that shows an alert popup with what is between the parenthesis.

Although this is for sure an easy way to test, there is a problem to do it. Since July 20, 2021, Google Chrome disabled the alert function to cross-domain iframes.

So, what’s the best option, that also works on Chrome? As this article explains, it’s the print( ) function! It’s simple, setup-free and highly visible. For more details, go checkout the article.

XSS Cheat Sheet

There are many places that can have XSS with many ways to explore it and, luckily for us, there is a free cheat sheet from PortSwigger with most (if not all) of then, that can be accessed here.

If you like it, read my other post about Broken Access Control here.

--

--

Julio Sergio
Julio Sergio

Written by Julio Sergio

I'm a web developer who posts about the things I learn.

No responses yet