Reflected XSS attacks exploit vulnerabilities where user input is included in the response without proper sanitization. Below are some common approaches.
An extensive mind map detailing approaches to reflected XSS can be found here: Reflected XSS Mindmap by @A9HORA.
- Install the Reflection and Sentinel plugins for Burp Suite.
- Walk and spider the target site.
- Inspect the reflected parameters tab in Burp.
- Send parameters to Sentinel for automated analysis or verify manually.
- Use Gau or WaybackURLs to collect URLs.
- Filter parameters using `grep "="` or GF patterns and store them in a file.
- Run Gxss or Bxss on the file.
- Manually inspect reflected parameters or use Dalfox.
- Use the Google dork `site:target.com`.
- Find links with parameters using dorks such as:
  - `site:target.com inurl:".php?"`
  - `site:target.com filetype:php`
- More dorks: Top 100 XSS Dorks
- Check if parameters are reflected in HTML.
- Inject XSS payloads or test with automated tools.
1.4 Finding Hidden Variables in Source Code
- Inspect JavaScript and HTML source files for hidden parameters.
- Search manually in the page source for:
  - `var=`
  - `=""`
  - `=''`
- Append discovered parameters to URLs, e.g., `https://example.com?hiddenvariablename=xss`
- Use Methods 1 or 2 to gather URLs.
- Identify the firewall using WhatWaf.
- Find WAF bypass payloads:
  - Twitter search
  - Awesome WAF Bypass
- Use Arjun to discover hidden parameters.
- Examine error pages (404, 403, etc.) for reflected values.
- Trigger a 403 error by requesting the `.htaccess` file.
- Test all reflected parameters for XSS.
Stored XSS occurs when malicious scripts are permanently stored on the target website.
- Enumerate the firewall and identify WAF rules.
- Test payloads in fields such as:
  - Username
  - Address
- Inject payloads in profile picture filenames and metadata.
- Attempt injections in comments, reviews, and feedback sections.
- Try every input field that reflects data to other users.
- Register an account with an XSS payload in the name field.
- Test entity injection with: `<a href=#>test</a>`
- If any payload is executed, refine and escalate the attack.
Blind XSS occurs when the payload does not immediately reflect, but executes later in backend systems or admin panels.
- Inject payloads that call back to a listener on your server.
- Use:
  - XSS Hunter
  - Burp Collaborator
  - Ngrok for receiving callbacks.
- Test injection points such as:
  - Contact forms
  - Admin dashboards
  - User input logs
  - E-commerce checkout fields
  - Review and feedback forms
  - Address fields in e-commerce sites
  - User-Agent headers
  - Log viewers
  - Chat applications
  - Moderation panels
DOM XSS occurs when JavaScript dynamically manipulates the page without sanitizing user input.
- Manual detection is difficult; use tools like:
  - Burp Suite PRO
  - RA2 DOM XSS Scanner
- Replace `<` and `>` with HTML entities in payloads such as `<script>alert(1)</script>`
- Use XSS polyglots: `javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>`
- Bypass lowercase filtering: `<scRipT>alert(1)</scRipT>`
- Break firewall regex using new lines: `<script>%0alert(1)</script>`
- Double encoding: `%2522`
- Recursive filter bypass: `<src<script>ipt>alert(1);</scr</script>ipt>`
- Injecting anchor tags without whitespace: `<a/href="j	a	v	asc	ri	pt:alert(1)">`
- Bypassing whitespace filtering using a bullet (`•`): `<svg•onload=alert(1)>`
- Changing request methods: `GET /?q=xss` versus `POST /` with body `q=xss`
- Injecting CRLF characters for HTTP response splitting: `GET /%0A%0DValue=%20Virus`
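The bypass list above reads, from the defender's side, as a list of reasons why blacklist filters fail. The following added example (not part of the HowToHunt page; the filter, helper names and sample inputs are constructed) feeds the page's own mixed-case, bullet-whitespace, double-encoded and tab-in-scheme inputs through a typical single-pass blacklist and through the mitigation that actually holds: full decoding followed by context-specific output encoding and scheme checking.

```python
import html
import re
from urllib.parse import unquote

# Constructed inputs that mirror the bypass techniques listed on this page.
MIXED_CASE = "<scRipT>alert(1)</scRipT>"
BULLET_WS = "<svg\u2022onload=alert(1)>"
DOUBLE_ENC_QUOTE = "%2522"                     # double-encoded double quote
TAB_SCHEME = "j\ta\tv\tasc\tri\tpt:alert(1)"   # javascript: URL with tabs


def naive_blacklist(value: str) -> str:
    """The kind of filter the bypasses above defeat: one pass, case-sensitive,
    no decoding, and it only recognises the literal lowercase script tag."""
    return value.replace("<script>", "").replace("</script>", "")


def decode_fully(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the value stops changing, so %2522 becomes a quote.
    The bounded loop keeps a hostile input from decoding forever."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def encode_for_html_body(value: str) -> str:
    """Mitigation for an HTML text or attribute context: encode every
    metacharacter instead of trying to recognise bad tags (case, bullets
    and odd whitespace no longer matter because '<' never reaches the page)."""
    return html.escape(decode_fully(value), quote=True)


_BAD_SCHEME = re.compile(r"^(javascript|data|vbscript):", re.IGNORECASE)


def is_safe_href(value: str) -> bool:
    """Mitigation for a URL attribute context: browsers ignore tabs, newlines
    and other control characters inside a scheme, so strip them before the
    scheme check; only then is an allow/deny decision on the scheme meaningful."""
    cleaned = re.sub(r"[\x00-\x20]", "", decode_fully(value))
    return _BAD_SCHEME.match(cleaned) is None
```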
Enhanced and reformatted for the HowToHunt repository by remonsec