XSS — A Practical Guide

Curated and synthesized by . Last updated 2026-06-29. Synthesized from 471 curated resources.

Problem Framing: The Enduring Threat of XSS

Cross-Site Scripting (XSS) remains a pervasive and potent threat in web application security. Despite decades of research and mitigation efforts, vulnerabilities persist across a wide spectrum of applications, from legacy systems to modern frameworks.

At its core, XSS is an injection vulnerability that allows an attacker to inject malicious client-side scripts, typically JavaScript, into web pages viewed by other users. This injection occurs when an application fails to properly validate, sanitize, or encode user-supplied data that is subsequently rendered in a web page without adequate security controls. The consequence is that the malicious script executes in the context of the victim's browser session, inheriting their privileges and access to sensitive data within that session.

The impact of XSS goes well beyond a proof-of-concept alert box. Outcomes documented in the sources cited here include theft of cookies and session tokens [2], account takeover [1][10], persistent access to a victim's session after the original page is closed [11], and, when the script runs in an administrative or desktop context, escalation to remote code execution [14][17][18].

The enduring prevalence of XSS is partly due to its multifaceted nature, the complexities of modern web development, and the evolving tactics used by attackers to bypass security controls [20][21]. Despite advancements in browser security and WAFs, new vulnerabilities continue to be discovered in popular software and frameworks [22][23][24][25].

Core Mechanics: How XSS Works

XSS vulnerabilities manifest when an application fails to distinguish between trusted executable code and untrusted user input. The fundamental process involves an attacker injecting a script into a web application, which is then delivered to a victim's browser and executed as if it were legitimate code from the trusted origin. This execution occurs within the browser's security context for that origin, granting the script access to the origin's data and functionality.

There are three primary categories of XSS vulnerabilities:

Reflected XSS

Reflected XSS is the most commonly reported type. The injected script is part of the attacker's request (a URL parameter, a POST body field, a header the application echoes) and is returned by the server in the immediate response without proper output encoding. The victim has to be induced to send that request, typically by following a crafted link or submitting a pre-filled form, after which the script runs in their browser.

Example: A search function that displays the search term directly on the results page.

GET /search?query=<script>alert('XSS')</script> HTTP/1.1
Host: vulnerable-website.com

If the server renders the query parameter unsanitized:

<p>Search results for: <b><script>alert('XSS')</script></b></p>

This type of XSS is often delivered via phishing emails or malicious links shared on social media [26][27].

Stored XSS (Persistent XSS)

Stored XSS occurs when an application stores the attacker's injected script persistently on the target server. This could be in a database, a message board, a comment field, a user profile, or any other form of persistent storage. When any user (including administrators) views the page containing the stored malicious script, it is executed in their browser.

Common storage points are comments and forum posts, user profile fields, file names and uploaded content such as SVG images, and administrative logs or dashboards that render user-controlled data. Stored XSS is particularly dangerous because a single injection fires for every user who views the affected page, administrators included, so one payload can compromise an entire tenant. Reported examples include GitLab, Jira and Zimbra [22][4][8][19].

DOM-based XSS (Client-Side XSS)

DOM-based XSS, also known as client-side XSS, happens when the vulnerability lies entirely within client-side JavaScript code. The malicious script is not directly injected into the HTML response from the server. Instead, the application's client-side scripts process untrusted data (from sources like window.location.hash, document.referrer, window.name, or URL parameters) and use it in a way that manipulates the Document Object Model (DOM) unsafely, leading to script execution.

Key characteristics: the payload can live in a part of the URL the browser never sends to the server (the fragment after #), so server-side logging, input filtering and WAFs may never see it; the flaw is found by tracing client-side data flows from untrusted sources to dangerous sinks (innerHTML, document.write, eval, location assignment) rather than by inspecting server responses [29][31].

Example: A single-page application (SPA) that uses window.location.hash to update content.

// Vulnerable client-side JavaScript
const hash = window.location.hash.substring(1);
document.getElementById('content').innerHTML = decodeURIComponent(hash);

An attacker could craft a URL like https://example.com/page#<img src=x onerror=alert(1)> which, when visited by a victim, would cause the script to execute.

DOM-based XSS is prevalent in modern JavaScript-heavy applications and SPAs [30][31].

Notable Techniques and Attack Vectors

Attackers continuously refine their methods to inject malicious scripts, often employing sophisticated techniques to bypass filters, exploit obscure browser behaviors, and chain vulnerabilities. Some notable techniques include:

Mutation XSS (mXSS)

Mutation XSS (mXSS) exploits the gap between what a sanitizer sees and what the browser finally renders. A sanitizer parses the input, removes what it considers dangerous and serializes the result; when the browser re-parses that serialized markup differently, for instance because of foreign content (SVG, MathML) and namespace switches, comment or CDATA handling, or inconsistencies between the sanitizer's parser and the browser's, elements that were inert at sanitization time become executable. DOMPurify has had several such bypasses on its default configuration [32][36], and SVG and MathML parsing differences are a recurring source [33].

DOM Clobbering

DOM Clobbering injects plain markup, no script required, whose id or name attributes create named properties on window or document that shadow variables or properties the page's scripts expect to be undefined or to hold their own values (for example an anchor with id="config" satisfying a check such as "if (window.config)"). This redirects program logic rather than executing code directly, and has been used to defeat sanitizer configurations and to reach script-loading gadgets [34][35][36].

SVG-based XSS

Scalable Vector Graphics (SVG) documents can contain script elements and event handler attributes, and SVG animation elements (animate, set) can change attributes of other elements after a sanitizer has already run; SVG animation was the vector in the Angular reports [33][37]. Vulnerabilities arise when uploaded SVGs are served inline or rendered as markup rather than as an image, or when an HTML sanitizer treats SVG content as inert. Payloads are often Base64-encoded or otherwise obfuscated to pass upload filters.

Attribute Injection

This technique involves injecting malicious code into HTML attributes, particularly event handlers (onerror, onload, onfocus, etc.). Even attributes not typically associated with script execution can become vectors if sanitization is incomplete. For instance, injecting into attributes within SVG or MathML elements can lead to execution [34][33].

Log Injection

If an application logs user input verbatim and an administrative UI renders those logs as HTML, the log viewer becomes a stored XSS sink: a payload that was harmless where it was submitted executes when an administrator opens the log page [24]. Terminal-based viewers have an analogous problem with injected control sequences.

Prototype Pollution

Prototype pollution occurs when attacker-controlled keys such as __proto__ or constructor.prototype reach a recursive merge, deep-clone or property-set routine, letting the attacker add properties to Object.prototype that every object then inherits. On its own this is not XSS; it becomes XSS through a gadget: client-side code that reads an option it expects to be absent (a template string, a tag name, an event handler) now receives the attacker's value and passes it to a DOM sink.

CSP Bypass Techniques

Content Security Policy (CSP) is a crucial defense mechanism, but attackers actively look for ways around it. Techniques include abusing JSONP endpoints or old framework copies (script gadgets) on hosts that the script-src allowlist trusts, exploiting gadgets in libraries the page already loads, reusing nonces that are static or predictable, and relying on fallback behaviour where directives are missing from the policy, such as no object-src or base-uri [7][30][38]. Some bypasses leverage browser parsing quirks. A policy deployed only in Report-Only mode reports violations but blocks nothing, so a report-uri or report-to configuration is not itself a defense.

Encoding and Obfuscation Evasion

Attackers use various encoding schemes (URL encoding, HTML entities, Base64, hex encoding, Unicode escaping) and obfuscation techniques (string concatenation, character code manipulation, case variation) to disguise malicious payloads and evade signature-based detection by WAFs and security scanners [21][39][40][41][16].

Polyglot Attacks

Polyglot payloads are designed to execute as valid code in multiple contexts simultaneously. For instance, a single payload might work as HTML, JavaScript, or even within different file types like images (if parsed incorrectly by the application). This broad applicability makes them effective against varied filtering mechanisms [42].

Prompt Injection Attacks

With the rise of AI agents and conversational UIs, prompt injection attacks aim to manipulate AI models into executing unintended actions or revealing sensitive information. In some cases, these injections can leverage XSS-like mechanisms or result in similar outcomes, such as unauthorized data access or code execution within the AI's environment [18][19].

Chaining XSS with Other Vulnerabilities

The real power of XSS is often realized when it's combined with other weaknesses. For example, an attacker might chain an XSS vulnerability with a CSRF flaw to perform state-changing actions on behalf of the user [34][43]. Similarly, XSS can be combined with SSRF, command injection, or authorization bypasses to escalate privileges or achieve RCE [17][44]. Authentication bypasses can lead to stored XSS in administrative interfaces [45].

Exploiting Modern Frameworks and Libraries

Frameworks like React, Vue, and Angular, while offering built-in security features, are not immune. Vulnerabilities can arise from insecure use of APIs like dangerouslySetInnerHTML in React, v-html in Vue, or template injection issues in AngularJS [30][46][20][37][47][48]. Supply chain attacks targeting dependencies (e.g., compromised npm packages) can also introduce XSS flaws [20].

Detection and Prevention Strategies

Effective XSS defense requires a multi-layered approach, combining secure coding practices, robust input validation and output encoding, modern security features, and vigilant monitoring.

Input Validation and Sanitization

The first line of defense is validating all user-supplied input at the trust boundary. This means accepting only values that match an allowlist of expected type, length, character set and format (an integer ID, an email address, an enumerated option); rejecting unexpected input outright rather than trying to strip dangerous fragments from it; canonicalizing encodings before checks so that %3C or &#60; are not waved through as harmless; and, where rich HTML must be accepted, sanitizing it with a maintained parser-based library such as DOMPurify and keeping that library current, since sanitizer bypasses are found regularly [32][36]. Validation shrinks the attack surface but cannot be the only control, because the same value is often rendered in several different contexts.

Output Encoding

Perhaps the most critical defense is proper output encoding: when user-supplied data is written into a page it must be encoded so that the browser treats it as literal data rather than markup or code. The encoding depends on where the data lands. In HTML body text, encode &, <, >, " and ' as entities. In HTML attribute values, entity-encode everything except alphanumerics and always quote the attribute. In JavaScript string literals, use \xHH or \uHHHH escapes rather than HTML entities, which the script engine does not decode. In URL components, percent-encode with a URL encoder and never let untrusted data choose the scheme, since javascript: survives every encoder. Avoid placing untrusted data in CSS contexts at all where possible. Nested contexts, such as an inline event handler attribute, require the encoders to be applied in order, JavaScript encoding first and HTML attribute encoding second, because the HTML parser decodes entities before the script engine runs [49].

Many frameworks provide context-aware encoding functions that should be used consistently [49][50].

Content Security Policy (CSP)

CSP is a powerful browser-level defense mechanism that allows developers to define approved sources of content (scripts, styles, images, etc.) that the browser should allow. By restricting where scripts can be loaded from and executed, CSP can significantly mitigate XSS risks, even if an injection vulnerability exists [38]. However, CSP configurations must be carefully implemented to avoid bypasses [38].

Trusted Types

Trusted Types is a newer browser API designed to prevent DOM-based XSS by enforcing that plain strings cannot be passed to HTML or script sinks such as innerHTML, eval, or script.src. Developers must pass these values through a named policy that returns a Trusted Type object, which forces every string-to-sink flow through one reviewable place and blocks the common DOM XSS vectors outright. Enforcement is switched on per page with the CSP directive require-trusted-types-for 'script', optionally restricted to named policies with the trusted-types directive, so a single default policy can route every string through a sanitizer [51][52][53].

Browser-Based Defenses

The reflective XSS filters that browsers once shipped (Chrome's XSS Auditor, Internet Explorer's XSS Filter) have been removed: they were routinely bypassed and could themselves be abused to leak information from pages. What browsers offer now is structural: CSP, Trusted Types and, most recently, the Sanitizer API, a native HTML sanitizer that Firefox 148 shipped so that applications can clean markup without a third-party library [51][52][53]. These remain a last line of defense behind correct encoding in the application.

Web Application Firewalls (WAFs)

WAFs can detect and block known XSS attack patterns. They are an important layer of defense but should not be relied upon as the sole protection, as attackers constantly find ways to evade WAF signatures [21][54].

Tooling for XSS Detection and Prevention

A robust ecosystem of tools aids developers and security professionals in identifying, preventing, and exploiting XSS vulnerabilities.

Vulnerability Scanners

Dynamic scanners fuzz parameters with context-aware payloads and confirm execution rather than merely spotting a reflected string: XSStrike [55], the commercial xss0r tool [56], and Nuclei templates for XSS detection [57].

Code Analysis and Linters

Static checks that flag the DOM and framework sinks named in this guide (innerHTML, document.write, eval, dangerouslySetInnerHTML, v-html) so that every use is reviewed, complemented by Trusted Types enforcement, which turns the same review into a runtime guarantee.

Specialized Tools

DOM Invader, the browser extension that instruments sources and sinks to find DOM XSS [58], and blind XSS platforms such as XSSHunter Express and bxsshunter, which host a callback payload and report when it fires in a back-office page the tester cannot see [59][60][61].

Developer Libraries

DOMPurify for client-side HTML sanitization, kept up to date because bypasses are found regularly [32][36]; the context-aware encoders referenced in the OWASP prevention cheat sheet [49]; and the browser-native Sanitizer API where it is available [51].

Recent Developments and Emerging Trends

The landscape of XSS vulnerabilities is constantly evolving, driven by new technologies, frameworks, and attacker methodologies.

AI in Security and XSS

Artificial intelligence and machine learning are being applied to both the discovery and defense against XSS. AI-powered scanners can analyze code and network traffic for novel vulnerability patterns, while AI agents themselves can become targets for prompt injection attacks that exhibit XSS-like behaviors [14][18][62][19]. Conversely, AI can also aid in generating more sophisticated XSS payloads and developing automated defense mechanisms.

Supply Chain Risks

The increasing reliance on third-party libraries and open-source components has amplified supply chain risks. A vulnerability in a widely used library can impact thousands or even millions of applications. XSS vulnerabilities discovered in popular frameworks or development tools can have a broad reach [30][20].

XSS in Development Tools and Platforms

Vulnerabilities are increasingly being found in tools used by developers themselves, such as IDE extensions, preview servers, and collaboration platforms. Compromising these tools can have significant implications, potentially affecting multiple projects or developer credentials [5][63][64][65].

Advanced Filter Evasion and Polyglot Attacks

Attackers continue to develop specialized techniques to bypass Web Application Firewalls (WAFs) and browser-side filters. These include exploiting subtle parser inconsistencies, HTTP parameter pollution, where repeated parameters are joined by the backend but inspected individually by the WAF [66], charset-validation gaps in rule sets such as the OWASP CRS [77], polyglot file uploads such as PolyShell in Magento and Adobe Commerce [67][68], and polyglot payloads that work across diverse contexts [69].

Electron Application Security

Electron applications bundle web content with Node.js and native capabilities, so an XSS in the renderer is not confined to the browser sandbox: if nodeIntegration is enabled, contextIsolation is off, or a privileged IPC channel accepts attacker-controlled messages, injected script can reach the file system and spawn processes. The DeepChat case chained a Mermaid-diagram XSS with Electron IPC to reach remote code execution [18].

Zero-Day Exploitation

The discovery and exploitation of zero-day XSS vulnerabilities remain a significant concern, often highlighted by their active use in targeted attacks or by sophisticated threat actors [7][15][71].

Where to Go Deeper

For those seeking to deepen their understanding and practical skills, the library includes hands-on labs such as the PortSwigger Web Security Academy reflected and DOM XSS exercises [72], the PortSwigger XSS cheat sheet [73] and the OWASP prevention cheat sheet [49], payload collections ranging from minimal payloads [80] and parenthesis-free variants [41] to weaponised payloads that turn an alert into real impact [84], and the detailed write-ups cited throughout this guide.

Continuous learning and hands-on practice are essential for staying ahead of the evolving XSS threat landscape.

Sources cited in this guide

  1. How a Cross-Site Scripting Vulnerability Led to Account Takeover | HackerOne — hackerone.com
  2. Sniping Insecure Cookies with XSS — breakdev.org
  3. Sniping Insecure Cookies with XSS — breakdev.org
  4. Over 10000 Zimbra servers vulnerable to ongoing XSS attacks — bleepingcomputer.com
  5. XSS in Live Preview Microsoft VS Code Extension with 11M Downloads — ox.security
  6. JS-Tap: Weaponizing JavaScript for Red Teams — trustedsec.com
  7. Zero-Click pretalx XSS Flaw Lets Hackers Hijack Conference Organizer Accounts — hackread.com
  8. Stored XSS Bug in Jira Work Management Could Lead to Full Organization Takeover — cybersecuritynews.com
  9. Claude Extension Flaw Enabled Zero-Click XSS Prompt Injection via Any Website — thehackernews.com
  10. Critical XSS Vulnerabilities in Meta Conversion API Enable Zero-Click Account Takeover — gbhackers.com
  11. Paulos Yibelo - Blog: THE BIG BAD WOLF - XSS AND MAINTAINING ACCESS — paulosyibelo.com
  12. CVE-2025-26244: Stored XSS in DeimosC2 Leading to Privilege Escalation — jarm222.github.io
  13. Exploiting Auth0 Defaults in XSS Attacks - elttam — elttam.com
  14. MeshCentral: From XSS to RCE — techanarchy.net
  15. CISA Adds Actively Exploited XSS Bug CVE-2021-26829 in OpenPLC ScadaBR to KEV — thehackernews.com
  16. Top 500 Most Important XSS Cheat Sheet for Web Application Pentesting — gbhackers.com
  17. From XSS to RCE (dompdf 0day) — positive.security
  18. DeepChat AI agent XSS-to-RCE via Mermaid and Electron IPC — securityboulevard.com
  19. Multiple GitLab Vulnerabilities Let Attackers Inject Malicious Prompts to Steal Sensitive Data — cybersecuritynews.com
  20. Why React Didn't Kill XSS: The New JavaScript Injection Playbook — thehackernews.com
  21. XSS Filter Evasion: How Attackers Bypass XSS Filters — acunetix.com
  22. CVE-2026-10086: High-Severity XSS Vulnerability in GitLab Enterprise Edition Analytics Dashboard Analysis Impact and Mitigation Steps — rescana.com
  23. Understanding and mitigating the Jinja2 XSS vulnerability (CVE-2024-22195) — snyk.io
  24. Multiple Cross-Site Scripting (XSS) Vulnerabilities in Mailcow — aikido.dev
  25. Angular XSS Vulnerability Exposes Thousands of web Applications to XSS Attacks — cybersecuritynews.com
  26. XSS Attacks & Exploitation: The Ultimate Guide | YesWeHack — yeswehack.com
  27. Cross Site Scripting (XSS) | OWASP Foundation — owasp.org
  28. DOM-based Cross-Site Scripting Attack in Depth - GeeksforGeeks — geeksforgeeks.org
  29. What is DOM-based XSS (cross-site scripting)? Tutorial & Examples | Web Security Academy — portswigger.net
  30. Frontend Security in 2025: Protecting Client-Side Code in React, Vue & More — evrone.com
  31. Demonstrating Reflected versus DOM Based XSS — littlemaninmyhead.wordpress.com
  32. CVE-2025-26791: DOMPurify Regular Expression Bug for mXSS — cve.news
  33. CVE-2025-66412: Angular Stored XSS via SVG Animation and MathML Attributes — github.com
  34. Chaining Stored XSS and CSRF in Typemill CMS: A Deep Dive into Attribute Injection — infosecwriteups.com
  35. A Bunch of Web and XSS Challenges — blog.huli.tw
  36. GreHack 2024 | Playing with HTML parsing to bypass DOMPurify on default configuration — slides.com
  37. Angular Platform Vulnerability Allows Malicious Code Execution Via Weaponized SVG Animation Files — cybersecuritynews.com
  38. Content Security Policy (CSP) explained including common bypasses — blog.detectify.com
  39. Collection of Cross-Site Scripting (XSS) Payloads ~ SmeegeSec — smeegesec.com
  40. https://labs.nettitude.com/blog/cross-site-scripting-xss-payload-generator/ — labs.nettitude.com
  41. https://github.com/RenwaX23/XSS-Payloads/blob/master/Without-Parentheses.md — github.com
  42. Finding DOM Polyglot XSS in PayPal the Easy Way — portswigger.net
  43. Uber Bug Bounty: Turning Self-XSS into Good-XSS – Jack Whitton — whitton.io
  44. When HttpOnly Isnt Enough: Chaining XSS and GhostScript for Full RCE Compromise — securityboulevard.com
  45. Critical Ivanti EPM Vulnerability Allows Admin Session Hijacking via Stored XSS — cybersecuritynews.com
  46. Cross-site Scripting (XSS) in vue-i18n (CVE-2025-53892) — security.snyk.io
  47. How I Stole Plunker Session Tokens With Angular Expressions — royaljay.com
  48. PortSwigger Web Security Blog: Adapting AngularJS Payloads to Exploit Real — blog.portswigger.net
  49. XSS (Cross Site Scripting) Prevention Cheat Sheet - OWASP — owasp.org
  50. XSS (Cross Site Scripting) Prevention Cheat Sheet - OWASP — owasp.org
  51. Mozilla Releases Firefox 148 With New Sanitizer API to Block XSS Attacks — cyberpress.org
  52. Firefox 148 Released With Sanitizer API to Disable XSS Attack — cybersecuritynews.com
  53. Firefox 148 Unveils New Sanitizer API to Mitigate XSS Attacks in Web Applications — gbhackers.com
  54. Paris The Thinker and why your WAF should block XSS by default — securityboulevard.com
  55. s0md3v/XSStrike: Most advanced XSS scanner. — github.com
  56. XSS Penetration Testing Tool | Advanced Web Security for Pen Testers — store.xss0r.com
  57. Simplifying XSS Detection with Nuclei - A New Approach — blog.projectdiscovery.io
  58. Introducing DOM Invader: DOM XSS just got a whole lot easier to find — portswigger.net
  59. Mass Hunting Blind XSS Using XSSHunter Express Part 1 — ott3rly.com
  60. Hacker Tools: How to set up XSSHunter — blog.intigriti.com
  61. The XSS hunter's secret weapon — bxsshunter.com
  62. NDSS 2025 - EvoCrawl: Exploring Web Application Code And State Using Evolutionary Search — securityboulevard.com
  63. Persistent XSS/RCE using WebSockets in Storybooks dev server — aikido.dev
  64. XSS Bug in VS Code Extension Exposed Local Files — esecurityplanet.com
  65. Microsoft VS Code Extension with 11M Downloads Expose Developers to One-Click XSS Attacks — cybersecuritynews.com
  66. Bypassing WAFs for Fun and JS Injection with Parameter Pollution — blog.ethiack.com
  67. PolyShell flaw exposes Magento and Adobe Commerce to file upload attacks — securityaffairs.com
  68. Magento PolyShell Flaw Enables Unauthenticated Uploads RCE and Account Takeover — thehackernews.com
  69. Unleashing an Ultimate XSS Polyglot · 0xSobky/HackVault Wiki — github.com
  70. GitLab Patches Multiple Vulnerabilities That Enables DoS and Cross-site Scripting Attacks — cybersecuritynews.com
  71. Zimbra ZCS Flaw CVE-2025-27915 Actively Exploited — thecyberexpress.com
  72. Lab: Reflected DOM XSS | Web Security Academy — portswigger.net
  73. Cross-Site Scripting (XSS) Cheat Sheet - 2023 Edition | Web Security Academ — portswigger.net
  74. Russian APT Exploits Zimbra XSS In GhostMail Attacks On Ukrainian Government — cyberpress.org
  75. FortiSandbox XSS Vulnerability Let Attackers Run Arbitrary Commands — cybersecuritynews.com
  76. Critical XSS Vulnerability in StealC Malware Admin Panel Allows Researchers to Infiltrate and Monitor Threat Actor Operations — rescana.com
  77. OWASP CRS Vulnerability Enables Charset Validation Bypass — gbhackers.com
  78. Cross-Site Scripting Vulnerability Discovered in Citrix NetScaler ADC and Gateway — cyberpress.org
  79. Respect XSS — respectxss.blogspot.com
  80. https://github.com/terjanq/Tiny-XSS-Payloads — github.com
  81. GitHub - Cybersecurity-Ethical-Hacker/xssdynagen: 🪄 XSSDynaGen is a tool designed to analyze URLs with parameters, identify the characters allowed by the server, and generate advanced XSS payloads based on the analysis results. — github.com
  82. GitHub - theinfosecguy/QuickXSS: Automating XSS using Bash — github.com
  83. RenwaX23/XSSTRON: Electron JS Browser To Find XSS Vulnerabilities Automatic — github.com
  84. GitHub - hakluke/weaponised-XSS-payloads: XSS payloads designed to turn alert(1) into P1 — github.com