XSS Methodology

  1. Discovery and Mapping:

    • Enumerate all endpoints, parameters, and user inputs.

    • Identify entry points such as query parameters, request bodies, and HTTP headers.

  2. Generate Test Inputs:

    • Use a unique, easily searchable value for each entry point so that every reflection can be traced back to the parameter that produced it.

    • Inject these values and observe whether, where, and how they are reflected or stored.

  3. Submit and Observe:

    • Submit the test inputs to all identified entry points.

    • Monitor both the immediate and subsequent HTTP responses for reflection or persistence of the input data.

  4. Context Analysis:

    • Analyse where and how the input is reflected or stored in the application.

    • Pay attention to the surrounding HTML, JavaScript, or attribute context to craft effective payloads.
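
The canary-and-context procedure of steps 1 to 4, as an added example that is not part of the original page: a Python helper that builds a unique marker per entry point, finds every reflection of it in a response body, classifies the surrounding HTML context, and reports which of the characters `"'<>` a second probe got back unencoded. The response it analyses is constructed inline; the `cx` prefix, the function names and the probe string are assumptions of this example, not something the page prescribes.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Characters appended to each canary on a second pass, to learn which of
# them the application returns unencoded (probe string chosen for this example).
PROBE = "\"'<>"


@dataclass
class Reflection:
    param: str                        # entry point whose canary was found
    offset: int                       # position in the response body
    context: str                      # html_text, comment, script, attr_double, attr_single, attr_unquoted, tag
    attribute: Optional[str] = None   # attribute name when inside an attribute value


def make_canary(param: str, token: Optional[str] = None) -> str:
    """Unique, alphanumeric marker for one entry point. The random suffix makes
    each canary searchable and unambiguous; a fixed token is accepted for tests."""
    token = token if token is not None else secrets.token_hex(4)
    return "cx" + re.sub(r"[^a-z0-9]", "", param.lower()) + token


_SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
_COMMENT = re.compile(r"<!--(.*?)-->", re.S)
# An unfinished attribute value at the end of a tag fragment: name="...  name='...  name=...
_ATTR = re.compile(r"""([\w:-]+)\s*=\s*(?:"([^"]*)|'([^']*)|([^\s"'>]*))$""")
_ENTITY = re.compile(r"&(#x?[0-9a-fA-F]+|\w+);")


def classify(body: str, offset: int) -> Tuple[str, Optional[str]]:
    """Decide the HTML context of the character at `offset` (regex heuristic, not a parser)."""
    for m in _SCRIPT.finditer(body):
        if m.start(1) <= offset < m.end(1):
            return "script", None
    for m in _COMMENT.finditer(body):
        if m.start(1) <= offset < m.end(1):
            return "comment", None
    lt, gt = body.rfind("<", 0, offset), body.rfind(">", 0, offset)
    if lt > gt:                        # an opening '<' with no closing '>' yet: inside a tag
        am = _ATTR.search(body[lt:offset])
        if am:
            if am.group(2) is not None:
                return "attr_double", am.group(1)
            if am.group(3) is not None:
                return "attr_single", am.group(1)
            return "attr_unquoted", am.group(1)
        return "tag", None             # tag-name or attribute-name position
    return "html_text", None


def find_reflections(body: str, canaries: Dict[str, str]) -> List[Reflection]:
    """Locate every canary in a response and record its context."""
    found = []
    for param, canary in canaries.items():
        for m in re.finditer(re.escape(canary), body):
            ctx, attr = classify(body, m.start())
            found.append(Reflection(param, m.start(), ctx, attr))
    return found


def surviving_chars(body: str, canary: str) -> List[str]:
    """For each reflection of a canary that was submitted as canary + PROBE, return
    the probe characters that came back raw. An entity where a probe character was
    expected counts as neutralised; anything else counts as stripped or rewritten."""
    results = []
    for m in re.finditer(re.escape(canary), body):
        pos, raw = m.end(), ""
        for expected in PROBE:
            ent = _ENTITY.match(body, pos)
            if ent:
                pos = ent.end()
            elif body[pos:pos + 1] == expected:
                raw += expected
                pos += 1
        results.append(raw)
    return results


def build_sample(canaries: Dict[str, str]) -> str:
    """Constructed response: a template that encodes q in most places but not in a
    debug comment or a script block, plus an unquoted attribute carrying user."""
    q, u = canaries["q"], canaries["user"]
    enc = q + "&quot;&#x27;&lt;&gt;"   # what an HTML-encoding template emits for q + PROBE
    raw = q + PROBE                     # what a template without encoding emits
    return (
        f"<html><head><title>Search: {enc}</title></head><body>\n"
        f"<!-- debug: q={raw} -->\n"
        f'<input type="text" name="q" value="{enc}">\n'
        f"<div data-user={u}>hi</div>\n"
        f'<script>var term = "{raw}";</script>\n'
        "</body></html>"
    )


if __name__ == "__main__":
    canaries = {"q": make_canary("q"), "user": make_canary("user")}
    body = build_sample(canaries)
    for r in find_reflections(body, canaries):
        print(f"{r.param:5} @{r.offset:4} {r.context:14} {r.attribute or ''}")
    print("raw probe chars per q reflection:", surviving_chars(body, canaries["q"]))
```

Run against a real response, the context column is what step 4 asks for and the surviving-character column tells you immediately which reflections the template encodes and which it does not; the comment and script reflections in the sample are the ones a reviewer would flag, since the encoding that protects the title and the attribute is absent there.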

  5. Crafting XSS Payloads:

    • Create payloads suitable for the identified contexts.

    • Alternatively use a pre-made list.

  6. Payload Testing:

    • Fuzz with the crafted payloads.

    • For reflected XSS, test if the payload is reflected in the immediate response.

    • For stored XSS, check if the payload persists in storage and is executed in subsequent responses.

    • For DOM-based XSS, examine the source and trace the flow to any sinks in the DOM, then test payloads that interact with these sinks.

  7. Browser Execution:

    • Execute the payloads in a browser to verify script execution.

    • Use simple JavaScript like prompt(document.domain) to test for execution.

  8. Document Reflections and Payload Execution:

    • Document the precise location and context of each reflected, stored, or DOM-based input.

    • Take note of successful payloads and their outcomes.

  9. Exploit Refinement:

    • If the initial payloads are blocked or sanitized, refine them by using different encodings or obfuscation techniques.

    • Consider all possible filter bypass techniques based on the application's behavior.
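
Why steps 4 and 9 both turn on context, seen from the defender's side, as an added example that is not part of the original page: one encoder per placement and a cross-check showing that a value encoded for one context can still carry a breakout character for another, for instance text encoding inside a quoted attribute, or quoted-attribute encoding inside an unquoted one. The context names, the encoders and the breakout character sets are assumptions of this example.

```python
import html
from urllib.parse import quote


def _js_escape(c: str) -> str:
    """\\uXXXX form of one character; code points outside the BMP need a surrogate pair."""
    cp = ord(c)
    if cp > 0xFFFF:
        cp -= 0x10000
        return f"\\u{0xD800 + (cp >> 10):04x}\\u{0xDC00 + (cp & 0x3FF):04x}"
    return f"\\u{cp:04x}"


def _is_plain(c: str) -> bool:
    return c.isascii() and c.isalnum()


# One encoder per placement (assumed names). Everything that is not ASCII
# alphanumeric is escaped in the stricter contexts.
ENCODERS = {
    "html_text":     lambda v: html.escape(v, quote=False),   # & < > only
    "attr_double":   lambda v: html.escape(v, quote=True),    # also " and '
    "attr_single":   lambda v: html.escape(v, quote=True),
    "attr_unquoted": lambda v: "".join(c if _is_plain(c) else f"&#x{ord(c):x};" for c in v),
    "js_string":     lambda v: "".join(c if _is_plain(c) else _js_escape(c) for c in v),
    "url_param":     lambda v: quote(v, safe=""),
}

# Characters that, left raw, end the enclosing construct in each placement.
BREAKOUT = {
    "html_text":     "<>",
    "attr_double":   '"<',
    "attr_single":   "'<",
    "attr_unquoted": " \t\n\r\"'<>=`",
    "js_string":     "\"'<>\n\r\u2028\u2029",
    "url_param":     " &=#?/",
}


def encode_for_context(value: str, context: str) -> str:
    return ENCODERS[context](value)


def safe_for(encoded: str, context: str) -> bool:
    """True when no breakout character of `context` survives in `encoded`."""
    return not any(c in encoded for c in BREAKOUT[context])


def cross_check(value: str):
    """Encode `value` with every encoder, then test the result against every
    placement. Off-diagonal False entries are encoder/context mismatches."""
    return {(e, p): safe_for(ENCODERS[e](value), p) for e in ENCODERS for p in BREAKOUT}


if __name__ == "__main__":
    sample = 'a b"<c'
    for ctx in ENCODERS:
        print(f"{ctx:14} {encode_for_context(sample, ctx)}")
    bad = [pair for pair, ok in cross_check(sample).items() if not ok]
    print("encoder/placement pairs that leave a breakout character:", bad)
```

Reading the cross-check: the diagonal is always True, and every False off the diagonal is a place where "we already escape the input" is not an answer. That is the mitigation counterpart of step 9: a payload that is blocked in one reflection may be accepted in another precisely because the encoder there was written for a different context.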

  10. Automated Scanning:

    • Use automated scanning tools to identify potential XSS vulnerabilities. However, manual confirmation is necessary, as automated tools can generate false positives and negatives.

  11. Test for Browser Quirks:

    • Test how different browsers interpret the payloads. Some browsers may encode or decode inputs differently, affecting payload delivery.

  12. Confirm Persistent Storage (Stored XSS):

    • Verify that the payload is stored and executed across sessions or different user accounts, confirming a stored XSS vulnerability.

  13. Check for Execution Context (DOM-based XSS):

    • For DOM-based XSS, use browser developer tools to check how the payload is handled by the browser's JavaScript engine.
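
Steps 6 and 13 trace DOM input from sources to sinks. As an added example that is not from the page, a Python script that performs a crude line-by-line taint trace over a constructed page script, reporting each sink reached by data derived from a DOM source together with the chain of variables in between. The source and sink lists, the sample script and the propagation rules are assumptions of this example; it is a triage aid rather than a parser, so its findings are the starting points to confirm in the browser's debugger, as step 13 describes.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Attacker-influenced DOM sources and dangerous sinks (heuristic lists for this example).
SOURCES = ["location.hash", "location.search", "location.href", "document.URL",
           "document.referrer", "window.name", "document.cookie", "event.data"]
SINKS = {
    "innerHTML":              r"\.innerHTML\s*=(?!=)",
    "outerHTML":              r"\.outerHTML\s*=(?!=)",
    "insertAdjacentHTML":     r"\.insertAdjacentHTML\s*\(",
    "document.write":         r"\bdocument\.write(?:ln)?\s*\(",
    "eval":                   r"\beval\s*\(",
    "setTimeout/setInterval": r"\bset(?:Timeout|Interval)\s*\(",
    "Function":               r"\bFunction\s*\(",
    "location":               r"\blocation(?:\.href)?\s*=(?!=)",
    "jQuery .html()":         r"\.html\s*\(",
}
_ASSIGN = re.compile(r"^\s*(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=(?!=)\s*(.*)$")


@dataclass
class Finding:
    line: int
    sink: str
    chain: List[str]   # identifier reaching the sink, back to the source it came from


def _word(s: str):
    return re.compile(r"(?<![\w$])" + re.escape(s) + r"(?![\w$])")


def _origin(expr: str, taint: Dict[str, str]) -> Optional[str]:
    """First DOM source or tainted identifier used in `expr`, if any."""
    for candidate in list(SOURCES) + list(taint):
        if _word(candidate).search(expr):
            return candidate
    return None


def _chain(ident: str, taint: Dict[str, str]) -> List[str]:
    out = [ident]
    while out[-1] in taint and taint[out[-1]] not in out:
        out.append(taint[out[-1]])
    return out


def trace_dom_flows(js: str) -> List[Finding]:
    """Line-by-line taint propagation: a variable assigned from a source (or from a
    tainted variable) becomes tainted; a sink fed a tainted value is reported.
    No real parser: string literals, scopes and function calls are not modelled."""
    taint: Dict[str, str] = {}
    findings: List[Finding] = []
    for no, line in enumerate(js.splitlines(), 1):
        code = line.split("//", 1)[0]       # drop line comments (also clips "http://" inside strings)
        for name, pattern in SINKS.items():
            m = re.search(pattern, code)
            if m:
                origin = _origin(code[m.end():], taint)
                if origin:
                    findings.append(Finding(no, name, _chain(origin, taint)))
        am = _ASSIGN.match(code)
        if am:
            var, expr = am.group(1), am.group(2)
            origin = _origin(expr, taint)
            if origin:
                taint[var] = origin
            else:
                taint.pop(var, None)        # reassigned from clean data
    return findings


# Constructed page script: two tainted flows reach HTML sinks, one sink gets only constants.
SAMPLE_JS = "\n".join([
    'var params = new URLSearchParams(location.search);',
    'var name = params.get("name");',
    'var greeting = "Hello, " + name;',
    'document.getElementById("out").innerHTML = greeting;  // HTML sink',
    'document.getElementById("safe").textContent = greeting;  // text node, not a sink',
    'var theme = localStorage.getItem("theme");',
    'document.body.className = theme;',
    'var frag = decodeURIComponent(location.hash.slice(1));',
    'document.write("<p>" + frag + "</p>");',
    'eval("var x = 1");  // sink, but no attacker-controlled input reaches it',
])

if __name__ == "__main__":
    for f in trace_dom_flows(SAMPLE_JS):
        print(f"line {f.line}: {f.sink} <- " + " <- ".join(f.chain))
```

The chain printed for each finding (for example `greeting <- name <- params <- location.search`) is the path to set breakpoints on in the developer tools; the `textContent` assignment on the same data is deliberately not reported, which is the fix you would recommend for the `innerHTML` line.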
