XSS-Proxy is an advanced Cross-Site-Scripting (XSS) attack tool. The
documents, tools and other content on this site assume you have a basic
understanding of XSS
issues and existing exploitation methods. If you are not famliar with
XSS, then I recommend you check out the primer links/docs below to get
a better of idea of what XSS is and how to detect it, fix it, and
Some Common Misconceptions about XSS
- “A user has to click a link to be impacted by XSS.” No – if you visit a page that has stuff_to_run
your browser will run it regardless of you clicking a link. I carefully
crafted this example so it would not be run by your browser, but I
could have put real script tags/commands here and made you run then
- “XSS only matters with bulliten boards, blogs, and other sites where an attacker can upload script content.”
That is one way the attack can happen, but an attacker can also
leverage sites that allow HTML/SCRIPT tags to be reflected back to the
same user (like a search form that repeats what it was told to look for
in the response). These flaws are commonly combined with public site
redirects or emails to attack a second site.
- “Don’t XSS attacks just create popup windows, alerts and other pesky things?”
No – They are commonly used to reveal your cookies or form based login
info to attackers. After havesting this info, the attacker uses it to
log into the same site as you.
- “I understand XSS, but I don’t think it’s a huge issue“. I
think you’ll change your mind once you understand this advanced attack.
Read the advanced stuff below and play with XSS-Proxy to see how evil
XSS really can be.
You can download XSS-Proxy here: