XSS Methodology

1. Discovery and Mapping:

   • Enumerate all endpoints, parameters, and user inputs.

   • Identify entry points such as query parameters, request bodies, and HTTP headers.

2. Generate Test Inputs:

   • Use a unique value for each entry point.

   • Inject these values to observe if and how they're reflected or stored.

3. Submit and Observe:

   • Submit the test inputs to all identified entry points.

   • Monitor both the immediate and subsequent HTTP responses for reflection or persistence of the input data.

4. Context Analysis:

   • Analyse where and how the input is reflected or stored in the application.

   • Pay attention to the surrounding HTML, JavaScript, or attribute context to craft effective payloads.

5. Crafting XSS Payloads:

   • Create payloads suitable for the identified contexts.

   • Alternatively use a pre-made list.

6. Payload Testing:

   • Fuzz with the crafted payloads.

   • For reflected XSS, test if the payload is reflected in the immediate response.

   • For stored XSS, check if the payload persists in storage and is executed in subsequent responses.

   • For DOM-based XSS, examine the source and trace the flow to any sinks in the DOM, then test payloads that interact with these sinks.

7. Browser Execution:

   • Execute the payloads in a browser to verify script execution.

   • Use simple JavaScript like prompt(document.domain) to test for execution.

8. Document Reflections and Payload Execution:

   • Document the precise location and context of each reflected, stored, or DOM-based input.

   • Take note of successful payloads and their outcomes.

9. Exploit Refinement:

   • If the initial payloads are blocked or sanitized, refine them by using different encodings or obfuscation techniques.

   • Consider all possible filter bypass techniques based on the application's behavior.

10. Automated Scanning:

    • Use automated scanning tools to identify potential XSS vulnerabilities. However, manual confirmation is necessary, as automated tools can generate false positives and negatives.

11. Test for Browser Quirks:

    • Test how different browsers interpret the payloads. Some browsers may encode or decode inputs differently, affecting payload delivery.

12. Confirm Persistent Storage (Stored XSS):

    • Verify that the payload is stored and executed across sessions or different user accounts, confirming a stored XSS vulnerability.

13. Check for Execution Context (DOM-based XSS):

    • For DOM-based XSS, use browser developer tools to check how the payload is handled by the browser's JavaScript engine.