TL;DR
Your XSS payload isn’t working because of input validation, output encoding, Content Security Policy (CSP), browser security features, or incorrect placement. This guide helps you systematically identify and fix the issue.
Troubleshooting Steps
- Understand Input Validation:
  - Check if the application filters characters like `<`, `>`, `"`, `'`, or `/`.
  - Look for server-side validation that might be stripping potentially harmful code before it even reaches your browser. Common techniques include whitelisting allowed characters and blacklisting dangerous ones.
- Inspect Output Encoding:
  - The application likely encodes special characters to prevent them from being interpreted as HTML. Common encodings are:
    - HTML Entity Encoding: Converts `<` to `&lt;`, etc.
    - JavaScript Encoding: Escapes characters like quotes and backslashes.
    - URL Encoding: Replaces spaces with `%20`, etc.
  - Use your browser’s developer tools (usually by pressing F12) to inspect the HTML source code where your payload is displayed. See if it’s encoded.
- Check for Content Security Policy (CSP):
  - CSP tells the browser which sources it is allowed to load resources from. If inline scripts aren’t permitted, your XSS payload won’t execute. The policy can also be delivered in the page itself, for example: `<meta http-equiv="Content-Security-Policy" content="default-src 'self'">`
  - Inspect the `Content-Security-Policy` header in your browser’s developer tools (Network tab, response headers). If it restricts `script-src` to specific domains or uses `'nonce-'` or `'sha256-'` hashes, you need to bypass these restrictions.
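As an added example (not part of the original guide), the following JavaScript classifies a Content-Security-Policy header value the way the CSP step above describes, so you can tell from the response header whether inline script is permitted at all before assuming the payload itself is at fault. The helper names parseCsp and inlineScriptStatus are my own; the logic covers the script-src to default-src fallback and the rule that a nonce or hash makes browsers ignore 'unsafe-inline'.

```javascript
// Added example, not from the original guide: classify a CSP header value.
// parseCsp / inlineScriptStatus are hypothetical helper names.

// Split a header value into a directive -> source-list map.
function parseCsp(headerValue) {
  const policy = {};
  for (const part of headerValue.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers honour only the first occurrence of a repeated directive.
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// Report whether inline <script> blocks and event-handler attributes may run.
function inlineScriptStatus(headerValue) {
  const policy = parseCsp(headerValue);
  // script-src governs scripts; default-src is the fallback when it is absent.
  let directive = null;
  if ("script-src" in policy) directive = "script-src";
  else if ("default-src" in policy) directive = "default-src";

  if (directive === null) {
    return { directive, inlineAllowed: true, hasNonce: false, hasHash: false, sources: [],
             reason: "no script-src or default-src: the policy does not restrict scripts" };
  }
  const sources = policy[directive];
  const hasNonce = sources.some((s) => /^'nonce-[^']+'$/.test(s));
  const hasHash = sources.some((s) => /^'sha(256|384|512)-[^']+'$/.test(s));
  const hasUnsafeInline = sources.includes("'unsafe-inline'");
  // A nonce or hash in the list makes CSP Level 2+ browsers ignore 'unsafe-inline'.
  const inlineAllowed = hasUnsafeInline && !hasNonce && !hasHash;
  let reason;
  if (inlineAllowed) reason = `${directive} contains 'unsafe-inline'`;
  else if (hasNonce || hasHash) reason = `${directive} requires a matching nonce or hash`;
  else reason = `${directive} lists only sources, so inline script is blocked`;
  return { directive, inlineAllowed, hasNonce, hasHash, sources, reason };
}

// Constructed sample headers; the first is the policy quoted in the CSP step above.
const SAMPLE_HEADERS = [
  "default-src 'self'",
  "script-src 'self' 'nonce-abc123'",
  "script-src 'unsafe-inline' https://cdn.example.com",
];
for (const h of SAMPLE_HEADERS) console.log(h, "->", inlineScriptStatus(h).reason);
```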
- Browser Security Features:
  - XSS Filters: Some browsers have built-in XSS filters that might block your payload even if it’s not perfectly encoded.
  - Same-Origin Policy: If you’re trying to access cookies or other data from a different domain, the Same-Origin Policy may prevent it.
- Payload Placement and Context:
  - Ensure your payload is placed in a context where JavaScript code can be executed:
    - HTML Attributes: `<img src="x" onerror=alert(1)>`
    - URL Parameters: Sometimes possible, but often encoded.
    - JavaScript Code: Injecting directly into a JavaScript variable is ideal.
  - Test different payloads to see if any work. Simple payloads like `<script>alert(1)</script>` are good starting points.
- Debugging with Developer Tools:
  - Use the browser’s JavaScript console to check for errors. This can help you identify issues in your payload or the application’s code.
  - Set breakpoints in your payload to see how it’s being processed by the browser.
- Try Different Encoding Techniques:
  - If basic encoding is blocking your payload, try more advanced techniques like:
    - Double Encoding: Encode characters multiple times.
    - Unicode Encoding: Use Unicode character representations.