--- name: xss description: XSS testing covering reflected, stored, and DOM-based vectors with CSP bypass techniques --- # XSS Cross-site scripting persists because context, parser, and framework edges are complex. Treat every user-influenced string as untrusted until it is strictly encoded for the exact sink and guarded by runtime policy (CSP/Trusted Types). ## Attack Surface **Types** - Reflected, stored, and DOM-based XSS across web/mobile/desktop shells **Contexts** - HTML, attribute, URL, JS, CSS, SVG/MathML, Markdown, PDF **Frameworks** - React/Vue/Angular/Svelte sinks, template engines, SSR/ISR **Defenses to Bypass** - CSP/Trusted Types, DOMPurify, framework auto-escaping ## Injection Points **Server Render** - Templates (Jinja/EJS/Handlebars), SSR frameworks, email/PDF renderers **Client Render** - `innerHTML`/`outerHTML`/`insertAdjacentHTML`, template literals - `dangerouslySetInnerHTML`, `v-html`, `$sce.trustAsHtml`, Svelte `{@html}` **URL/DOM** - `location.hash`/`search`, `document.referrer`, base href, `data-*` attributes **Events/Handlers** - `onerror`/`onload`/`onfocus`/`onclick` and `javascript:` URL handlers **Cross-Context** - postMessage payloads, WebSocket messages, local/sessionStorage, IndexedDB **File/Metadata** - Image/SVG/XML names and EXIF, office documents processed server/client ## Context Encoding Rules - **HTML text**: encode `< > & " '` - **Attribute value**: encode `" ' < > &` and ensure attribute quoted; avoid unquoted attributes - **URL/JS URL**: encode and validate scheme (allowlist https/mailto/tel); disallow javascript/data - **JS string**: escape quotes, backslashes, newlines; prefer `JSON.stringify` - **CSS**: avoid injecting into style; sanitize property names/values; beware `url()` and `expression()` - **SVG/MathML**: treat as active content; many tags execute via onload or animation events ## Key Vulnerabilities ### DOM XSS **Sources** - `location.*` (hash/search), `document.referrer`, postMessage, storage, service worker messages **Sinks** - `innerHTML`/`outerHTML`/`insertAdjacentHTML`, `document.write` - `setAttribute`, `setTimeout`/`setInterval` with strings - `eval`/`Function`, `new Worker` with blob URLs **Vulnerable Pattern** ```javascript const q = new URLSearchParams(location.search).get('q'); results.innerHTML = `