- Zero-Day Wire
- Posts
- Break the Web (Week 5): Cross-Site Scripting (XSS)
Break the Web (Week 5): Cross-Site Scripting (XSS)
XSS Exploitation: Step-by-Step Tutorial with XSStrike, BeEF, Browser Hijacking & Payload Crafting
In partnership with
π― Week 5: Cross-Site Scripting (XSS)
Break the Web: Part 5 of 8
Welcome back to Offensive Tuesday.
Hey π
Last week you injected SQL and commands directly into servers. You bypassed logins, dumped databases, and executed system commands. If you missed it, catch up here π
This week? We're hijacking browsers.
Here's what most people don't understand β the browser trusts the website completely. If you can inject JavaScript into a page, you own every user who visits it.
Their cookies? Yours.
Their keystrokes? Captured.
Their session? Hijacked.
Their bank account? One click away.
You're not attacking the server anymore. You're attacking everyone who uses it.
This is Cross-Site Scripting (XSS) β the vulnerability behind some of the biggest data breaches in history. MySpace worm that infected a million users in 24 hours? XSS. British Airways breach that stole 380,000 credit cards? XSS. Countless session hijackings and account takeovers? You guessed it.
Today you're learning how to turn innocent web pages into attack platforms.
Let's weaponize some JavaScript. β‘
β‘Starting a business in 2026? Only AI is not enoughβ¦
The Future of Shopping? AI + Actual Humans.
AI has changed how consumers shop by speeding up research. But one thing hasnβt changed: shoppers still trust people more than AI.
Levantaβs new Affiliate 3.0 Consumer Report reveals a major shift in how shoppers blend AI tools with human influence. Consumers use AI to explore options, but when it comes time to buy, they still turn to creators, communities, and real experiences to validate their decisions.
The data shows:
Only 10% of shoppers buy through AI-recommended links
87% discover products through creators, blogs, or communities they trust
Human sources like reviews and creators rank higher in trust than AI recommendations
The most effective brands are combining AI discovery with authentic human influence to drive measurable conversions.
Affiliate marketing isnβt being replaced by AI, itβs being amplified by it.
π§ What is XSS?
XSS happens when an attacker injects malicious scripts into web pages viewed by other users.
Here's the flow:
You find where the website displays user input (search box, comment, profile)
You inject JavaScript code instead of normal text
Website doesn't sanitize it
Website serves your malicious script to other users
Their browsers execute your code
You steal their data, hijack sessions, or take over accounts
The key difference from SQL injection: You're not attacking the server. You're attacking the users.
Every victim's browser becomes your puppet.
π The Three Types of XSS
Reflected XSS β Instant Attack
Your payload is in the URL. Victim clicks your link. Script executes immediately.
Think of it like this: You send someone a link to search for "laptops" but you sneak JavaScript into the search term. They click. The website reflects your search back to them. Your code runs in their browser.
Example URL:
http://shop.com/search?q=<script>alert('XSS')</script>
Real example: Victim gets an email saying "Check out these deals!" with a link. Link contains hidden JavaScript. They click. Session stolen.
Use case: Phishing emails, malicious links, social engineering attacks
Stored XSS β Time Bomb
Your payload gets saved in the database. Every user who views that page gets attacked automatically.
You post a comment with hidden JavaScript. The site stores it. Now everyone who reads that comment section executes your code. You don't need to send links anymore. The website does your work for you.
Real example: You leave a "product review" on an e-commerce site. Hidden in your review is code that steals cookies. Every shopper who reads reviews? Compromised.
Use case: Forum posts, user profiles, comment sections, reviews, guestbooks
Why it's the most dangerous: One injection = unlimited victims. Set it and forget it.
DOM-Based XSS β Client-Side Chaos
The vulnerability exists in JavaScript itself, not the server code.
The page's own JavaScript reads something (like the URL) and unsafely inserts it into the page. The server never sees your payload. Web Application Firewalls can't block it.
Real example: A single-page app reads the URL fragment (everything after the #) and displays it on the page without checking what's in it. You craft a malicious URL. Victim clicks. Their own browser executes your code.
Use case: Single-page apps, JavaScript-heavy sites, modern frameworks like React/Angular/Vue
π§ The XSS Attack Process
Step 1: Find Input Points
Look everywhere users can submit data:
β
Search boxes
β
Comment sections
β
Contact forms
β
URL parameters
β
User profiles (name, bio, location)
β
File upload names
β
HTTP headers (User-Agent, Referer)
β
Chat features
β
Review sections
β
Error messages β
Markdown editors
Your mantra: If it displays user input, test it.
Pro tip: The weirdest places often have the weakest protections. File upload filename? Test it. "Report a bug" form? Test it. Password reset error message? Test it.
Step 2: Test for Vulnerabilities
Start dead simple. Type this into every input field you find:
<script>alert('XSS')</script>
Does a popup appear? Congrats, you found XSS.
But modern sites usually block script tags. So you need alternatives.
Try these payloads instead (full list at PayloadsAllTheThings and PortSwigger's XSS cheat sheet):
Image tags with error events
SVG tags with onload events
Body tags with onload
Input tags with autofocus
The goal is simple: get JavaScript to execute. If you see alert() pop up, you've proven the vulnerability.
Pro tip: Use alert() for testing only. In real attacks, you're not showing popups β you're stealing cookies and sessions silently.
Step 3: Bypass Filters
Sites try to block XSS. Here's how attackers get around them:
Mix uppercase and lowercase β Filters looking for <script> might miss <ScRiPt>
Use encoding β Turn characters into HTML entities or URL encoding
Try different tags β If <script> is blocked, try <img>, <svg>, <iframe>, <body>, <input>
Use event handlers β onerror, onload, onfocus, onmouseover
Double encoding β Encode your payload twice
JavaScript protocol β javascript:alert(1) in href attributes
Template literals and backticks β Bypasses some WAFs
Don't memorize these. Use the cheat sheets: PayloadsAllTheThings bypass section and PortSwigger's filter evasion guide. There are literally thousands of bypass techniques documented.
The game is simple: keep trying variations until something works.
Step 4: Weaponize Your Payload
alert() proves it works. But real attackers aren't showing popups. They're doing this:
Cookie theft β Send the victim's cookies to your server (full payloads here)
Session hijacking β Steal their authentication tokens (examples here)
Keylogging β Record every keystroke on that page (payload examples)
Phishing β Inject a fake login form over the real page (techniques here)
Credential harvesting β Create a convincing "Your session expired, please log in again" prompt
BeEF framework β Hook the victim's browser for complete remote control (setup guide) - screenshots, keylogging, webcam access, network pivoting
Cryptocurrency miners β Use their CPU to mine coins
Defacement β Change the page content
Admin actions β If the victim is logged in as admin, perform admin actions silently
The scariest part? All of this happens invisibly. The victim sees a normal webpage. Behind the scenes, you're owning their session.
Check out PayloadsAllTheThings and PortSwigger's resources above for full working examples. Don't reinvent the wheel β use battle-tested payloads.
Step 5: Deliver the Attack
For Reflected XSS:
Craft your malicious URL. Shorten it with bit.ly so it doesn't look suspicious. Then:
Send via email ("Check out this cool feature!")
Post on Discord, Slack, Reddit
Send in SMS/WhatsApp messages
Post in forums with "Check this bug I found"
Use in phishing campaigns
Social engineering is key. Make people want to click.
For Stored XSS:
Inject once. Walk away. Every visitor gets attacked automatically.
Post your payload as:
A forum comment
A product review
A profile bio
A chat message
A support ticket
The website becomes your distribution network.
For DOM XSS:
Target JavaScript-heavy apps. Your payload never touches the server, so WAFs can't see it. Perfect for bypassing security.
π― Real-World XSS Hunting
Where XSS hides in 2025:
π Modern JavaScript frameworks β React, Vue, Angular apps with dangerous functions
π User-generated content platforms β Social networks, forums, review sites
π Search functionality β Query parameters reflected in results
π Error messages β "No results found for [your input here]"
π Rich text editors β Markdown, WYSIWYG editors
π Email clients β Webmail rendering HTML emails
π Admin panels β Lower security, higher privileges = bigger payout
π File upload features β Filename gets displayed without sanitization π URL shorteners β Original URL displayed on preview page π Translation features β Translated text rendered without encoding
Bug bounty pro tip: Look for XSS in features developers just launched. New code = less testing = more bugs. Check the changelog, then hunt those fresh endpoints.
π‘οΈ Why XSS is So Dangerous
Here's the brutal truth about XSS:
It bypasses basically everything:
β Same-Origin Policy? Doesn't matter. Your script runs in the victim's origin.
β HTTPS? Doesn't matter. The malicious script is served over the same secure connection.
β Strong passwords? Doesn't matter. You're stealing the session after they log in.
β 2FA? Doesn't matter. You hijack the authenticated session.
β CORS protections? Doesn't matter. You're already inside their origin.
XSS turns the website itself into your attack tool. The victim trusts the website. The website executes your code. Game over.
π οΈ Essential XSS Tools
Testing & Exploitation:
XSStrike β Automated XSS scanner with smart payload generation β Get it here
Burp Suite β Industry standard for manual XSS testing β Download
OWASP ZAP β Free alternative to Burp β Download
dalfox β Fast, powerful XSS scanner β Get it here
XSSer β Automatic XSS testing framework β Get it here
Browser Developer Tools β Built-in, inspect how the page handles your input
Payload Generation & Exploitation:
BeEF (Browser Exploitation Framework) β Hook browsers and control them remotely β Official site
XSS Polyglots β One payload that works in multiple contexts β Get them here
Payload Collections:
PayloadsAllTheThings - XSS Section β Massive collection of XSS payloads and bypasses β Browse here
PortSwigger XSS Cheat Sheet β Comprehensive payload reference with interactive examples β View here
XSS Payload List β Curated collection of working payloads β Get it here
Awesome XSS β Curated list of XSS resources β Check it out
π Learning Resources
Interactive Labs:
PortSwigger XSS Labs β Free hands-on practice with progressive difficulty β Start here
OWASP WebGoat β Practice XSS in a safe environment β Try it
HackTheBox β Real vulnerable machines with XSS challenges β Join here
TryHackMe XSS Room β Guided XSS learning path β Start learning
Google XSS Game β Learn XSS by exploiting intentionally vulnerable pages β Play here
Deep Dives:
OWASP XSS Guide β Complete reference documentation β Read here
PortSwigger XSS Guide β Comprehensive tutorial series β Learn here
Excess XSS β In-depth XSS tutorial β Read it
The Tangled Web β Book by Michal Zalewski, Chapter on browser security
HackerOne XSS Reports β Learn from actual disclosed bugs β Browse reports
That's Week 5. β‘
Tomorrow (Wednesday): How to defend against XSS and write secure frontend code.
Next Tuesday (Week 6): File Uploads & Remote Code Execution β we're uploading shells and taking over servers.
See you then.
Your Feedback MattersDid You Enjoy This Weekβs Offensive Tutorial? |
P.S. Got questions? Reply to this email. I read everything.
Reply