Cross Site Scripting (XSS)

  1. XSS Attack Classification
    1. Stored XSS
      1. Attack Mechanism
        1. Data Persistence Layer
        2. Storage Locations
        3. Retrieval Triggers
        4. Multi-User Impact
      2. Common Vulnerable Components
        1. Comment Systems
        2. User Profile Fields
        3. Forum Platforms
        4. Content Management Systems
        5. Message Boards
        6. Product Review Systems
        7. File Upload Metadata
      3. Attack Scenarios
        1. Administrative Panel Targeting
        2. Mass User Exploitation
        3. Privilege Escalation Chains
    2. Reflected XSS
      1. Attack Mechanism
        1. Request-Response Cycle
        2. Parameter Reflection
        3. Social Engineering Requirements
        4. Single-Use Nature
      2. Common Vulnerable Components
        1. Search Functionality
        2. Error Page Generation
        3. URL Parameter Processing
        4. Form Validation Messages
        5. Redirect Mechanisms
      3. Attack Scenarios
        1. Phishing Campaign Integration
        2. Credential Harvesting
        3. Session Token Theft
    3. DOM-Based XSS
      1. Attack Mechanism
        1. Client-Side Processing
        2. DOM Manipulation
        3. JavaScript Execution Flow
        4. Browser-Only Exploitation
      2. Source Analysis
        1. URL Components
          1. document.URL
          2. location.hash
          3. location.search
        2. Browser Objects
          1. document.referrer
          2. window.name
        3. Storage Mechanisms
          1. localStorage
          2. sessionStorage
          3. IndexedDB
      3. Sink Analysis
        1. Direct DOM Manipulation
          1. innerHTML Property
          2. outerHTML Property
          3. document.write Method
        2. JavaScript Execution
          1. eval Function
          2. Function Constructor
          3. setTimeout with String
          4. setInterval with String
    4. Specialized XSS Types
      1. Self-XSS
        1. Social Engineering Tactics
        2. User Manipulation Techniques
        3. Corporate Environment Risks
      2. Blind XSS
        1. Out-of-Band Detection
        2. Administrative Interface Targeting
        3. Log File Exploitation
      3. Mutation XSS
        1. Browser Parsing Inconsistencies
        2. DOM Mutation Events
        3. Filter Bypass Techniques