search
Personal BlogTwitterGitHubContact

Cross-Site Scripting (XSS)

hashtag
Description

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

LogoCross Site Scripting (XSS) | OWASP Foundationowasp.orgchevron-right

hashtag
Going Beyond 'Document.Cookie'

While using document.cookie is great to demonstrate the exploitability of a Cross-Site Scripting vulnerability, to further demonstrate the risk we can leverage the following resources:

LogoStored XSS to Account Takeover : Going beyond document.cookie (Dumping IndexedDB)Mediumchevron-right
LogoTricks for Weaponizing XSSTrustedSecchevron-right

hashtag
Why HttpOnly Isn't Enough

There are multiple articles on the Internet stating that the HttpOnly flag provides a false sense of security as an attacker is unlikely to wait several hours for a user to trigger the payload and obtain a session token. Rather, an attacker can leverage a more sophiscated attack to hook the user or perform immediate malicious actions.

Why HttpOnly Won't Protect Youwww.gnucitizen.orgchevron-right
LogoCookie without HttpOnly flag setportswigger.netchevron-right

hashtag
Testing / Payload Creation

LogoCross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security AcademyWebSecAcademychevron-right
LogoJSFiddle - Code Playgroundjsfiddle.netchevron-right
LogoJSFuck - Write any JavaScript with 6 Characters: []()!+www.jsfuck.comchevron-right
https://ppn.snovvcrash.rocks/pentest/web/xssppn.snovvcrash.rockschevron-right
https://xssor.ioxssor.iochevron-right
PreviousInjection VulnerabilitiesNextBlind Cross-Site Scripting

Last updated