24 Dec 2025
Merry XSSMas
XSS - Web app vulnerability that allows attackers to inject malicious code (usually JavaScript) through input fields whose content is shown to other users (e.g., a form or a comment on a blog). If the app doesn't properly validate or escape user input, the browser can process that input as code instead of text.
Reflected XSS occurs when the injected input is immediately reflected back in the response. For instance, an attacker turns a URL containing a search term into a URL carrying a payload and sends it to someone; as soon as the link is clicked, the payload executes in the victim's browser.
Stored XSS occurs when a malicious script is saved on the server and then loaded for every user who views the affected page. Reflected XSS targets individual victims; stored XSS targets anyone and everyone who visits the page.
Example: a simple blog with a comment area at the bottom of each post.
POST /post/comment HTTP/1.1
Host: sub.domain.tld
postId=3
name=Tony Spamone
email=tony@email.tld
comment=This comment is normal.
POST /post/comment HTTP/1.1
Host: sub.domain.tld
postId=3
name=Tony Spamone
email=tony@email.tld
comment=<script>alert(atob("VEhNe0V2aWxfU3RvcmVkX0VnZ30="))</script>This comment is normal.
If the app doesn't filter or sanitize inputs, an attacker can submit JavaScript that gets stored in the database. Every time the post and its comments are loaded, the payload triggers in the viewer's browser. This allows stealing session cookies, triggering fake login popups, and defacing the page.
Each service is different, but key practices include:
innerHTML injects any string directly into the page as HTML markup. Consider textContent instead, which treats the value as plain text and never parses it as HTML.
Use test payloads to check whether an app runs injected code. Enter the recommended code for testing reflected XSS in the search box:
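As an added example that is not part of the original post: a constructed rendering of the stored comment from the request above, first with the raw value concatenated into the page and then with output encoding, alongside the client-side innerHTML versus textContent choice. The function names, the escape routine and the sample comment records are assumptions made for this illustration; the blog's real server code is not shown on the page.

```javascript
// Added example, not the blog's own code. Shows why the stored comment
// becomes executable markup and what output encoding changes.

// Escape the five characters that let text break out of an HTML text node
// or a double-quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable rendering: the stored comment is concatenated into the page
// as-is, so a comment containing <script> is parsed as a script element.
function renderCommentUnsafe(comment) {
  return `<div class="comment"><b>${comment.name}</b>: ${comment.comment}</div>`;
}

// Hardened rendering: every user-controlled field is encoded before it is
// placed in the HTML, so the browser displays the payload as literal text.
function renderCommentSafe(comment) {
  return `<div class="comment"><b>${escapeHtml(comment.name)}</b>: ${escapeHtml(comment.comment)}</div>`;
}

// Client-side equivalent of the same choice: innerHTML parses the string as
// markup, textContent stores it as a text node and never parses it.
function showCommentUnsafe(el, text) { el.innerHTML = text; }
function showCommentSafe(el, text) { el.textContent = text; }

// Regression check a test suite can run over rendered output: true if a raw
// <script ...> tag survived encoding. Encoded "&lt;script" does not match.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample records mirroring the two requests above.
const normalComment = { name: 'Tony Spamone', comment: 'This comment is normal.' };
const storedPayload = {
  name: 'Tony Spamone',
  comment: '<script>alert(atob("VEhNe0V2aWxfU3RvcmVkX0VnZ30="))</script>This comment is normal.',
};

console.log(renderCommentUnsafe(storedPayload)); // <script> lands in the page as markup
console.log(renderCommentSafe(storedPayload));   // &lt;script&gt;... rendered as text
```

Encoding belongs at the point where data is written into HTML, not only on input: the same stored value may later be placed into an attribute, a URL or a script block, each of which needs its own encoding, and a comment that passed an input filter is still dangerous if it is later emitted with innerHTML.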
<script>alert('Reflected meow meow')</script>
Enter the recommended code for testing stored XSS in the send-message box:
<script>alert('Stored Meow Meow')</script>
Check whether the messaging site is vulnerable to XSS.
Intro to Cross-site Scripting.