--- name: testing-for-xss-vulnerabilities description: > Tests web applications for Cross-Site Scripting (XSS) vulnerabilities by injecting JavaScript payloads into reflected, stored, and DOM-based contexts to demonstrate client-side code execution, session hijacking, and user impersonation. The tester identifies all injection points and output contexts, crafts context-appropriate payloads, and bypasses sanitization and CSP protections. Activates for requests involving XSS testing, cross-site scripting assessment, client-side injection testing, or JavaScript injection vulnerability testing. domain: cybersecurity subdomain: penetration-testing tags: [XSS, cross-site-scripting, client-side-security, OWASP-A03, JavaScript-injection] version: 1.0.0 author: mahipal license: MIT --- # Testing for XSS Vulnerabilities ## When to Use - Testing web applications for client-side injection vulnerabilities as part of OWASP WSTG testing - Evaluating the effectiveness of input sanitization and output encoding across all application features - Assessing the protection provided by Content Security Policy (CSP) headers against XSS exploitation - Demonstrating the impact of XSS through session hijacking, credential theft, or phishing overlay to stakeholders - Testing single-page applications (React, Angular, Vue) for DOM-based XSS in client-side routing and rendering **Do not use** against applications without written authorization, for deploying persistent XSS payloads that affect real users, or for exfiltrating actual user session tokens from production environments. ## Prerequisites - Authorized scope defining the target web application and acceptable testing activities - Burp Suite Professional with XSS-focused extensions (XSS Validator, Reflector, Active Scan++) - Browser with developer tools and XSS testing extensions (HackBar, XSS Hunter) - XSS Hunter or Burp Collaborator for out-of-band payload verification - SecLists XSS payload lists and custom payloads for WAF bypass scenarios ## Workflow ### Step 1: Input and Output Mapping Map every location where user input enters and is rendered by the application: - **Reflected inputs**: Test every URL parameter, search field, error message, and HTTP header value that is reflected in the response - **Stored inputs**: Identify features where input is saved and displayed later: user profiles, comments, forum posts, file names, support tickets, and chat messages - **DOM inputs**: Identify client-side JavaScript that reads from `location.hash`, `location.search`, `document.referrer`, `window.name`, `postMessage`, or `localStorage` and writes to the DOM - **Output context identification**: For each reflected input, determine the rendering context: - HTML body: `