XSS

General methodology

1. Identify Reflected Values

  • Check if any value you control is reflected in the HTML or used by JavaScript.

  • The values you can control include:

    • URL parameters

    • Path variables

    • Headers (if applicable)

    • Cookies

2. Determine the Context of Reflection

  • Locate where your input is being reflected or used:

    • Raw HTML

    • Inside an HTML tag

    • Inside JavaScript code

    • Inside a JavaScript function


3. Exploitation Based on Context

A. If Reflected in Raw HTML

  • Can you create new HTML tags?

  • Can you inject JavaScript execution using events or attributes (onerror, onmouseover, etc.)?

  • Can you bypass protection mechanisms (e.g., WAF, filtering)?

  • If a JavaScript framework (e.g., AngularJS, VueJS, Mavo) is in use, check for Client-Side Template Injection (CSTI).

  • If JavaScript execution is blocked, consider Dangling Markup Injection (HTML scriptless injection).

B. If Reflected Inside an HTML Tag

  • Can you escape the attribute and inject raw HTML?

  • Can you add new events/attributes that allow JavaScript execution?

  • Does the attribute where you are trapped support JavaScript execution (href="javascript:alert(1)")?

  • Can you bypass existing security protections?

C. If Reflected Inside JavaScript Code

  • Can you escape the <script> tag and inject custom JavaScript?

  • Can you break out of strings (", ', `) and execute arbitrary JavaScript?

  • Are you inside template literals (` `) where expressions (${}) can be evaluated?

  • Can you bypass security protections?

D. If Used in a JavaScript Function

  • Is the application calling a function where you can control parameters?

  • Can you exploit a DOM XSS?

  • Check if your input reaches a sink (e.g., innerHTML, eval(), document.write()).

  • Can you control a function name (e.g., ?callback=alert(1)) to execute arbitrary JavaScript?
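A defender-side counterpart to the reflection contexts listed above (raw HTML, inside an attribute, inside a JavaScript string), added here as an example that is not part of the original page: one output encoder per context, plus the scheme check that context B needs because encoding alone cannot make an `href` with a `javascript:` value safe. Function names, the profile widget and all sample inputs are my own constructions.

```javascript
// Added example (not from the original page): one output encoder per
// reflection context from the methodology, plus the URL-scheme check that
// context B needs because encoding cannot make href="javascript:..." safe.

// Context A, raw HTML: neutralise every character that can open a tag,
// close one, or start an attribute, so input can only ever be text.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                       '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
function encodeForHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => HTML_ESCAPES[c]);
}

// Context B, inside a quoted attribute: hex-entity everything that is not
// alphanumeric, so the value can neither close the quote nor add an event.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (c) => '&#x' + c.charCodeAt(0).toString(16).toUpperCase() + ';');
}

// Context C, inside a JS string literal: \xHH / \uHHHH escapes mean the
// input can neither close the string nor emit a literal </script>.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100 ? '\\x' + code.toString(16).padStart(2, '0')
                        : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Context B, URL-bearing attributes: only an allow-listed scheme (or a
// relative URL) may be used; browsers ignore control/whitespace bytes
// inside a scheme, so strip them before checking.
function isSafeUrl(value) {
  const v = String(value).replace(/[\x00-\x20]/g, '').toLowerCase();
  const m = v.match(/^([a-z][a-z0-9+.-]*):/);
  return m ? ['http', 'https', 'mailto'].includes(m[1]) : true;
}

// Constructed sample: the same untrusted value placed into all three
// contexts of a small profile widget (hypothetical, for illustration).
function renderProfile(name, homepage) {
  const safeUrl = isSafeUrl(homepage) ? homepage : '#';
  return '<p>' + encodeForHtml(name) + '</p>\n' +
    '<a href="' + encodeForHtmlAttribute(safeUrl) + '" ' +
    'title="' + encodeForHtmlAttribute(name) + '">home</a>\n' +
    '<script>var user = "' + encodeForJsString(name) + '";</script>';
}
```

The point the encoders make is that the context decides the encoder: HTML-entity encoding is correct for context A but does nothing for a value already inside a JavaScript string, and no encoder fixes an attacker-chosen URL scheme.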
