XSS Methodology

Discovery and Mapping:

Enumerate all endpoints, parameters, and user inputs.

Identify entry points such as query parameters, request bodies, and HTTP headers.

Generate Test Inputs:

Use a unique value for each entry point.

Inject these values to observe if and how they're reflected or stored.

Submit and Observe:

Submit the test inputs to all identified entry points.

Monitor both the immediate and subsequent HTTP responses for reflection or persistence of the input data.

Context Analysis:

Analyse where and how the input is reflected or stored in the application.

Pay attention to the surrounding HTML, JavaScript, or attribute context to craft effective payloads.

Crafting XSS Payloads:

Create payloads suitable for the identified contexts.

Alternatively, use a pre-made payload list.

Payload Testing:

Fuzz with the crafted payloads.

For reflected XSS, test if the payload is reflected in the immediate response.

For stored XSS, check if the payload persists in storage and is executed in subsequent responses.

For DOM-based XSS, examine the client-side JavaScript source, trace the flow from sources (such as location.hash or document.referrer) to sinks in the DOM, then test payloads that interact with those sinks.

Browser Execution:

Execute the payloads in a browser to verify script execution.

Use simple JavaScript like prompt(document.domain) to test for execution.

Document Reflections and Payload Execution:

Document the precise location and context of each reflected, stored, or DOM-based input.

Take note of successful payloads and their outcomes.

Exploit Refinement:

If the initial payloads are blocked or sanitized, refine them by using different encodings or obfuscation techniques.

Consider all possible filter bypass techniques based on the application's behavior.

Automated Scanning:

Use automated scanning tools to identify potential XSS vulnerabilities. However, manual confirmation is necessary, as automated tools can generate false positives and negatives.

Test for Browser Quirks:

Test how different browsers interpret the payloads. Some browsers may encode or decode inputs differently, affecting payload delivery.

Confirm Persistent Storage (Stored XSS):

Verify that the payload is stored and executed across sessions or different user accounts, confirming a stored XSS vulnerability.

Check for Execution Context (DOM-based XSS):

For DOM-based XSS, use browser developer tools to check how the payload is handled by the browser's JavaScript engine.
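The Context Analysis and Exploit Refinement steps above both hinge on knowing exactly where a unique marker lands in the response. The following Node.js script is an added example (not code from the original page): it locates a constructed marker in sample response bodies, reports the lexical context it landed in, and shows the context-specific output encoding that neutralises that context, which is the check a developer uses to confirm a fix. The marker value, the sample responses and the function names are all constructed for this example.

```javascript
// Added example, not from the original page: find a unique test marker in an
// HTML response, report the context it landed in, and apply the output
// encoding that neutralises that context (the fix a developer would ship).
// The marker and the sample responses below are constructed, not real targets.

const MARKER = "zxq7canary"; // constructed unique value for one entry point

// Returns the lexical context in which `marker` first appears in `html`.
function classifyContext(html, marker) {
  const idx = html.indexOf(marker);
  if (idx === -1) return "not reflected";
  const before = html.slice(0, idx).toLowerCase();
  // An unclosed <script> before the marker means a JavaScript context.
  if (before.lastIndexOf("<script") > before.lastIndexOf("</script")) return "javascript";
  // An unclosed <!-- means the marker sits inside an HTML comment.
  if (before.lastIndexOf("<!--") > before.lastIndexOf("-->")) return "comment";
  // A '<' after the last '>' means we are still inside a tag.
  const lastLt = before.lastIndexOf("<");
  if (lastLt > before.lastIndexOf(">")) {
    const tagPart = before.slice(lastLt);
    const dq = (tagPart.match(/"/g) || []).length;
    const sq = (tagPart.match(/'/g) || []).length;
    if (dq % 2 === 1) return "attribute (double-quoted)";
    if (sq % 2 === 1) return "attribute (single-quoted)";
    return "attribute (unquoted)";
  }
  return "html text";
}

// Context-specific output encoding: the same value must be encoded differently
// depending on where it is emitted, which is why context analysis matters.
function encodeFor(context, value) {
  // Encoding alone cannot secure unquoted attributes or comments: change the template.
  if (context === "attribute (unquoted)" || context === "comment") return null;
  if (context === "javascript") {
    // Inside a JS string literal: \uXXXX-escape everything but alphanumerics.
    return value.replace(/[^A-Za-z0-9]/g,
      c => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
  }
  // HTML text and quoted attributes: numeric entity for every special character.
  return value.replace(/[&<>"'\/]/g, c => "&#" + c.charCodeAt(0) + ";");
}

// Constructed sample responses, one per context the methodology names.
const SAMPLES = {
  text:   `<p>No results for ${MARKER}</p>`,
  attr:   `<input type="text" value="${MARKER}">`,
  script: `<script>var q = "${MARKER}";</script>`,
  none:   `<p>No results</p>`,
};

// Maps each sample response to its reflection context (the Context Analysis step).
function mapReflections(samples, marker) {
  const out = {};
  for (const [name, body] of Object.entries(samples)) out[name] = classifyContext(body, marker);
  return out;
}

console.log(mapReflections(SAMPLES, MARKER));
console.log(encodeFor("javascript", "</script>")); // \u003c\u002fscript\u003e
```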

Last updated 11 months ago