What Is a Cross-Site Scripting (XSS) Attack

Cross-site scripting (XSS) is a web security vulnerability that lets an attacker compromise the users of a vulnerable application. In an XSS attack the attacker delivers malicious JavaScript to the victim; once it runs in the victim's browser the attacker can manipulate the page, steal cookies, take over the account, or hijack the session.

The main types are:

Reflected XSS
Stored XSS
Blind XSS
DOM XSS


We need to learn how to create an XSS payload. For that, here is a link to a free and easy-to-use lab where you can learn and practice: https://prompt.ml/0

What is reflected XSS

Reflected XSS is a client-side attack in which the attacker injects a malicious script into a request and the web application reflects that payload back in its response. The script then executes in the victim's browser, so the attacker controls what runs there. The payload can be injected anywhere input is reflected, such as a URL parameter or a search box.

Impacts of reflected XSS:

– Hackers can steal the user's credentials
– Hackers can perform account takeover
– Hackers can steal cookies and hijack sessions
– Hackers can extract the user's sensitive data


The most common payloads are:

- <script>alert(1)</script>
- <img src=x onerror=prompt(1)>
- <svg/onload=alert(1)>


What is stored XSS

In stored XSS the attacker's payload is saved on the server and served back later to whoever views that data. The payload is stored in a persisted field such as a chat message, a name, or an address.

The difference between reflected XSS and stored XSS is simple: in reflected XSS the attacker targets the client side directly, while in stored XSS the payload goes through the server side.


Stored XSS VS Reflected XSS

Reflected XSS -> reflected straight back (nothing stored)
Stored XSS -> DATABASE -> reflected back


The most common payloads are:

- <h1> Hacked By Me <script>alert(document.cookie)</script></h1>
- <script>alert(document.domain)</script>
- <script>alert(document.cookie)</script>
- <img src=x onerror=prompt(document.cookie)>
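The same defect underlies both the reflected and the stored cases above: user-controlled text reaches the HTML response unencoded. This added example (not from the original post) renders a search-results fragment with a vulnerable function beside a hardened one, using the payloads listed above as constructed sample input; the function names are assumptions.

```javascript
// Added example. A search-results fragment rendered two ways. Whether the
// value arrives in the URL (reflected) or from the database (stored), the
// defect is the same: user text is concatenated into HTML unencoded.

// Encode the five characters that matter for text placed between tags.
// '&' goes first so the entities produced by later replacements are not
// themselves re-encoded. Attribute and JavaScript contexts need their own
// context-specific encoding; this helper is for HTML text content only.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable: whatever the user typed becomes part of the markup.
function renderSearchVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Hardened: the same value is encoded at output time, so a payload is
// displayed as literal text instead of being parsed as a tag.
function renderSearchSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Defender's quick check: does the rendered fragment contain any tag
// other than the <h1> wrapper the template itself emits?
function hasInjectedTag(html) {
  const inner = html.slice("<h1>".length, -"</h1>".length);
  return /<[a-z!\/]/i.test(inner);
}

// Constructed sample input: the payloads listed in the sections above.
const SAMPLE_PAYLOADS = [
  "<script>alert(1)</script>",
  "<img src=x onerror=prompt(1)>",
  "<svg/onload=alert(1)>",
];

for (const p of SAMPLE_PAYLOADS) {
  console.log(
    JSON.stringify(p),
    "vulnerable:", hasInjectedTag(renderSearchVulnerable(p)),
    "safe:", hasInjectedTag(renderSearchSafe(p)),
  );
}
```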


Impacts:

Hackers can deface the website
Hackers can steal the user's credentials
Hackers can hijack users' sessions
Hackers can take over user accounts and gain access to the victim's computer


Blind XSS

Blind XSS is similar to stored XSS, with one catch: the attacker cannot see where or when the payload fires, so he crafts a payload that reports back to a server he controls. For example:

- The attacker targets a website.

- He injects a malicious script designed to steal user information.

- He has to wait for victims to visit the website and for the malicious script to be triggered.

- When it fires, the victims' information is sent to the attacker's server; this can take anywhere from a while to days before he finally gets access.

Impacts :

Hackers can hijack the user's current session
Hackers can perform phishing attacks
Hackers can perform man-in-the-middle attacks
