Web Development

XSS Cheat Sheet (Cross Site Scripting Cheat Sheet)

Last Updated: 26th February, 2025

Jay Abhani

Senior Web Development Instructor at almaBetter

A complete XSS cheat sheet for web developers, covering common attack vectors and security tips. Master prevention techniques with quick, easy-to-follow guides

Cross-Site Scripting (XSS) is one of the most prevalent and dangerous vulnerabilities in web applications. It allows attackers to inject malicious scripts into trusted websites, which then execute in the victim’s browser. This XSS cheat sheet provides a comprehensive guide covering concepts, payloads, prevention strategies, and tools to understand and defend against XSS attacks effectively.

What is Cross-Site Scripting (XSS)?

XSS is a vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. These scripts can steal cookies, perform actions on behalf of users, or redirect them to malicious sites. XSS attacks typically exploit improper validation or escaping of user inputs.

Why is XSS Dangerous?

XSS can lead to severe consequences, including:

Stealing Sensitive Information: Cookies, tokens, and session data.
Identity Theft: Hijacking user sessions.
Phishing: Redirecting users to malicious websites.
Defacement: Modifying content on the web page.

Types of XSS Attacks

Reflected XSS

Description: The injected script is reflected in the server's response and executed in the victim's browser.
Example Scenario: A search query that returns user input directly without sanitization.

Stored XSS

Description: Malicious scripts are stored on the server (e.g., in a database) and executed when the content is retrieved.
Example Scenario: User-generated content fields like comments or chat messages.

DOM-Based XSS

Description: Vulnerabilities exist in the client-side code where user input directly manipulates the DOM.
Example Scenario: JavaScript dynamically modifying the page content using untrusted data.

XSS Payloads Cheat Sheet

Basic Payloads

Advanced Payloads

Steal Cookies:

Redirect Victim:

Event-Based Payloads

On Error:

On Mouse Over:

<div onmouseover="alert('XSS')">Hover over me</div>

Obfuscated Payloads

Using Hex Encoding:

Breaking Strings:

<scr<script>ipt>alert('XSS')</scr<script>ipt>

XSS Attack Workflow

Identify Input Points:
Locate input fields or URL parameters that accept user data.
Test for Vulnerability:
Inject harmless payloads like <script>alert(1)</script> to check execution.
Craft Malicious Payloads:
Use payloads to steal cookies, redirect users, or execute JavaScript.
Deliver Payload:
Embed payloads in links, forms, or stored inputs.
Execute Attack:
Payloads execute when victims interact with the vulnerable application.

Reflected XSS Cheat Sheet

How it Works:
User input is reflected immediately in the HTTP response.

Example Vulnerability:

http://example.com/?q=<script>alert('XSS')</script>

Mitigation:

Encode output data.
Use parameterized queries.

Stored XSS Cheat Sheet

How it Works:
Malicious scripts are stored persistently on the server.

Example:

<textarea>Write a comment...</textarea>

Malicious payloads like <script>alert('XSS')</script> are stored in the database.
Mitigation:
- Sanitize input on server side.
- Validate and encode output.

DOM XSS Cheat Sheet

How it Works:
Vulnerabilities exist in JavaScript, manipulating the DOM without sanitization.

Example Code:

document.getElementById('output').innerHTML = location.hash.substring(1);

Mitigation:

Use textContent or innerText instead of innerHTML.
Avoid using eval() and similar unsafe APIs.

OWASP XSS Prevention Cheat Sheet

The OWASP XSS Prevention Cheat Sheet provides effective steps to mitigate XSS vulnerabilities.

Key Recommendations:

Input Validation: Allow only valid and expected inputs using whitelists.
Output Encoding: Encode data based on its context (HTML, JavaScript, or URL).
Content Security Policy (CSP): Restrict the execution of scripts to trusted sources.
Sanitization: Use libraries like DOMPurify to sanitize HTML content.

XSS Prevention Techniques

Escape Output: Escape characters like <, >, &, and ' when displaying data.
Avoid Dangerous APIs: Avoid eval(), document.write(), and innerHTML.
Validate Input: Ensure inputs conform to expected patterns.
Enable Security Headers:
- Content Security Policy (CSP)
- X-XSS-Protection

XSS Script Cheat Sheet

Commonly Used Scripts:

Simple Alert:

Redirect:

Keylogger:

WAF Bypass XSS Cheat Sheet

Encoding Tricks:
Use hexadecimal or Unicode encoding to bypass filters.

String Concatenation:

Break payloads into parts to evade detection.

<scr<script>ipt>alert('XSS')</scr<script>ipt>

Polyglot Payloads:
Use payloads compatible in multiple contexts (HTML, JavaScript).

Event Handlers:

Tools for Detecting XSS

Burp Suite: Automated vulnerability scanning.
OWASP ZAP: Open-source penetration testing tool.
XSS Me: Firefox plugin for XSS testing.
DOMPurify: Library for sanitizing HTML inputs.

Best Practices to Protect Against XSS

Use a Framework: Frameworks like React and Angular escape output by default.
Adopt Secure Coding Standards: Train developers on secure coding practices.
Monitor Web Traffic: Use intrusion detection systems to spot unusual activity.
Perform Regular Audits: Test applications for vulnerabilities regularly.

Conclusion

This XSS Cheat Sheet provides a comprehensive guide to understanding, detecting, and mitigating XSS vulnerabilities. By using secure coding practices, applying the OWASP XSS prevention cheat sheet, and adopting advanced tools, developers can protect their applications from one of the most dangerous web application vulnerabilities. Stay vigilant, and ensure security is a priority in every stage of your development process.

More Cheat Sheets and Top Picks