XSS, or Cross-Site Scripting, is a client-side vulnerability that allows an attacker to run malicious JavaScript on the victim website. When we think of XSS we often think of an alert box, but what are the real implications of an XSS? One classic attack is to steal the victim's cookies by sending a request to a malicious server. Even if you can't access the cookies, you are still running code in the context of the website, so you can do almost anything the real user can do. There are four ways to run JavaScript on a web page:

  • a <script></script> tag
  • a JavaScript event handler, like <img onload="">
  • visiting a javascript: URL
  • using eval or a similar function


Imagine the following PHP code for a welcome page.

The GET variable is added to the web page without any cleaning, so this can be exploited.
Try modifying the name parameter to see what happens.

Now let's look at what happened when we tried to inject some script.
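Since the page's PHP source is not reproduced here, the following is an added example (not the original page's code) that models the same welcome page in Node.js: the GET parameter written straight into the HTML, beside a hardened renderer that encodes each value for the context it lands in. The function names, the probe strings and the URL allowlist are assumptions for illustration; the example also covers the event-handler and javascript: URL vectors from the list above, which escaping for the text context alone does not fix.

```javascript
// Added example: a Node.js model of the welcome page described in the text.
// The unsafe renderer reproduces the bug; the safe one encodes per context.

// Escape the five characters that can break out of HTML text or a quoted
// attribute. This mirrors PHP's htmlspecialchars() with ENT_QUOTES.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// URL context: only http(s) survives. Escaping alone would leave a
// javascript: link clickable, so an allowlist on the parsed scheme is used.
// Relative links resolve against a constructed base just to get a scheme.
function safeHref(url) {
  try {
    const u = new URL(String(url), 'https://example.invalid/');
    if (u.protocol === 'http:' || u.protocol === 'https:') return escapeHtml(url);
  } catch (_) {
    // unparsable input falls through to the neutral value
  }
  return '#';
}

// Vulnerable: the GET parameter is concatenated straight into the page,
// in text, attribute and href contexts.
function renderWelcomeUnsafe(name, homepage) {
  return `<h1>Welcome ${name}</h1>\n` +
         `<input name="name" value="${name}">\n` +
         `<a href="${homepage}">your site</a>`;
}

// Hardened: the same template, each value encoded for where it is written.
function renderWelcomeSafe(name, homepage) {
  return `<h1>Welcome ${escapeHtml(name)}</h1>\n` +
         `<input name="name" value="${escapeHtml(name)}">\n` +
         `<a href="${safeHref(homepage)}">your site</a>`;
}

// Constructed probe inputs: a script tag, an attribute breakout with an
// event handler, and a javascript: URL (three of the four vectors above).
const PROBE_NAME = '<script>alert(1)</script>" onfocus="alert(2)';
const PROBE_URL = 'javascript:alert(3)';

console.log(renderWelcomeUnsafe(PROBE_NAME, PROBE_URL));
console.log('---');
console.log(renderWelcomeSafe(PROBE_NAME, PROBE_URL));
```

The unsafe output contains the probe verbatim in all three places; in the safe output the tag and the quote breakout are inert text and the link is neutralised, while legitimate relative or https links pass through unchanged.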

Beyond alert(1)

Running alert(1) is a nice way to expose an XSS, but you can do better. The best way to show an XSS is to prove you can run arbitrary code. To do so you can use a "loader", a small JavaScript snippet that loads another arbitrary payload.
There are many ways to do that, for example:

Now that you have code execution, what can you do?
  • You can submit forms on behalf of the user.

  • You can look for secrets on the page and exfiltrate them to your server.

  • You can modify how a website behaves.

The only limit is your imagination, and maybe your JavaScript skills.

If you want to learn more about XSS and how to defeat protections you can take a look at our >.