How to Hunt for XSS Vulnerabilities

When hunting for XSS, the first step is to identify every input the application sends back to the browser: URL parameters, form fields, cookies, request headers and so on. The data may come back immediately, in the response to the request that carried it (reflected XSS), or later, when another page queries the stored value (stored XSS). Here are some common places where XSS is found:

Search fields : The search term is reflected in the response, for example in a message such as "The name was not found".

Contact forms : This is where most XSS is found. When a field fails validation, such as a malformed e-mail address or date, the application usually re-renders the form with every submitted value pre-filled, so that the user only has to correct the offending field. An attacker takes advantage of this by deliberately entering an invalid e-mail address while placing the payload in another field; the payload is then reflected when the form is redrawn in the browser.

Error messages : Many XSS bugs have been found in error pages generated by web servers and frameworks such as Apache, .NET, Java, PHP and Perl. This usually happens when a malformed URI, an invalid filename or data in the wrong format is submitted and echoed back in the error message.

HTML links : The data entered in the input fields is used to build dynamic links in the response, so the payload lands inside an href or another attribute value rather than in the page text. Which characters must survive encoding then depends on how the attribute is quoted.

Injection in JavaScript blocks : This occurs when the application builds JavaScript code from user data, for instance to show a pop-up describing the action just performed, to fill HTML elements dynamically, or to create DOM elements such as a list of states for the selected country. A reflection inside a script block is attractive because no new HTML tag is needed: a quote that closes the string, or a </script> that closes the block, is enough to run code, so filters (server-side or in the browser) that only look for injected tags can be bypassed.
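The scenarios above all come down to the same routine: submit a unique canary plus the metacharacters a payload needs in every input, find where the canary comes back, and check, per reflection, which characters survived and whether they are the ones that break out of that context. The following Python is an added example written for this article, not code from the original page. It runs offline against a constructed response: a contact form redrawn after the e-mail address was rejected, with the probe from the "name" field echoed in page text, in an attribute value and in a JavaScript string. The canary, the escape table and the context heuristics are the example's own choices; in practice you would feed it the body fetched with whatever HTTP client you use.

```python
"""Locate reflections of a probe string in an HTML response and work out, per
reflection, the output context and which metacharacters came back unencoded.
Added example for this article; the sample response below is constructed,
not captured from a real application."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

CANARY = "zq7xk"                          # unique alphanumeric token, easy to grep
META = ['<', '>', '"', "'", '`', '/']     # characters an XSS payload needs
PROBE = CANARY + "".join(META)            # what we would submit in every input

# Encodings an application might apply to each metacharacter (assumed set).
# The bare character means "came back unchanged"; anything else means stripped.
ESCAPES = {
    "<": ["&lt;", "\\x3c", "\\u003c"],
    ">": ["&gt;", "\\x3e", "\\u003e"],
    '"': ["&quot;", "&#34;", "&#x22;", '\\"', "\\x22", "\\u0022"],
    "'": ["&#39;", "&#x27;", "&apos;", "\\'", "\\x27", "\\u0027"],
    "`": ["&#96;", "&#x60;", "\\`", "\\x60", "\\u0060"],
    "/": ["&#47;", "&#x2f;", "&#x2F;", "\\/"],
}
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script", re.I | re.S)

# Constructed response: the contact form re-rendered after the e-mail address was
# rejected. The "name" field held PROBE and is echoed in three different contexts.
SAMPLE_RESPONSE = """<html><body>
<p>Sorry zq7xk&lt;&gt;"'`/, the e-mail address you entered is not valid.</p>
<form method="post" action="/contact">
  <input type="text" name="name" value="zq7xk&lt;&gt;&quot;'`/">
  <input type="text" name="email" value="not-an-email">
</form>
<script>
  var lastAction = "zq7xk<>\\"'`/";
  showPopup(lastAction);
</script>
</body></html>
"""


@dataclass
class Reflection:
    offset: int
    context: str            # "html_text", "attribute" or "script"
    quote: str | None       # delimiter of the attribute value / JS string, if any
    survived: list = field(default_factory=list)   # came back raw
    escaped: list = field(default_factory=list)    # came back encoded
    stripped: list = field(default_factory=list)   # did not come back at all
    exploitable: bool = False


def _context(body: str, idx: int):
    """Heuristic context detection for the canary found at body[idx]."""
    for m in SCRIPT_RE.finditer(body):
        if m.start(1) <= idx < m.end(1):
            # inside <script>: nearest unclosed JS string delimiter on this line
            seg = body[body.rfind("\n", 0, idx) + 1:idx]
            q = re.search(r"""(["'`])[^"'`]*$""", seg)
            return "script", (q.group(1) if q else None)
    tag_open, tag_close = body.rfind("<", 0, idx), body.rfind(">", 0, idx)
    if tag_open > tag_close:
        # inside a tag: find the quote that opened the attribute value (None = unquoted)
        q = re.search(r"""=\s*(["'])[^"']*$""", body[tag_open:idx])
        return "attribute", (q.group(1) if q else None)
    return "html_text", None


def _walk(tail: str):
    """Consume the reflected tail one metacharacter at a time, in probe order."""
    survived, escaped, stripped, pos = [], [], [], 0
    for ch in META:
        if tail.startswith(ch, pos):
            survived.append(ch)
            pos += 1
            continue
        enc = next((e for e in ESCAPES[ch] if tail.startswith(e, pos)), None)
        if enc:
            escaped.append(ch)
            pos += len(enc)
        else:
            stripped.append(ch)
    return survived, escaped, stripped


def _breakout(context: str, quote: str | None, survived: list) -> bool:
    """Did the characters needed to leave this context come back raw?"""
    if context == "html_text":
        return "<" in survived                        # can open a new tag
    if context == "attribute":
        return quote is None or quote in survived     # unquoted value ends at a space
    if quote is None:
        return True                                   # landed straight in JS code
    return quote in survived or ("<" in survived and "/" in survived)  # </script>


def find_reflections(body: str, canary: str = CANARY) -> list[Reflection]:
    found = []
    for m in re.finditer(re.escape(canary), body):
        ctx, quote = _context(body, m.start())
        tail = body[m.end():m.end() + 8 * len(META)]
        s, e, st = _walk(tail)
        found.append(Reflection(m.start(), ctx, quote, s, e, st, _breakout(ctx, quote, s)))
    return found


if __name__ == "__main__":
    for r in find_reflections(SAMPLE_RESPONSE):
        print(f"@{r.offset:4d} {r.context:9s} quote={r.quote!r:4} "
              f"raw={''.join(r.survived)!r:9} encoded={''.join(r.escaped)!r:6} "
              f"breakout={r.exploitable}")
```

On the sample, the page-text and attribute reflections are reported as not exploitable (the angle brackets, and the double quote that delimits the attribute, come back encoded), while the script reflection is flagged: the application backslash-escapes the quote, but < and / survive, so a </script> in the name field closes the block. That is exactly the contact-form trick from the text: the bad e-mail address forces the redraw, the payload rides in another field. Two caveats: the context detection is a line-based heuristic, so confirm a hit by hand, and when an application strips characters instead of encoding them, the walk can mistake the markup following the canary for a surviving character; re-probe one metacharacter at a time in that case.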

Articles related to XSS :

What is Cross Site Scripting (XSS)
Reflected XSS
Stored XSS
Web for pentester VM XSS Examples Walk-through
XSS Payloads Collection and Important Links