Follow the flow

Sending a test string such as <script>alert(1)</script> is not the only way to detect XSS bugs. It is important to understand how the application shows the submitted information in its response, in order to know how an XSS can be exploited.

If we examine the response generated by the application, we can understand more about how the application and the bug work.
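As an added example (not from the book), the script below parses a constructed response and reports each context in which a harmless marker is reflected, along with the output encoding that context requires. The marker value, the sample response and the names `ReflectionFinder` and `find_reflections` are assumptions made for illustration.

```python
from html.parser import HTMLParser

MARKER = "zqx7marker"  # constructed, harmless value submitted in the form

# Output encoding the developer must apply for each reflection context.
ENCODING = {
    "html_text": "HTML-entity encode the value",
    "attribute": "attribute-encode the value and keep it quoted",
    "script": "JavaScript-string encode, or move the data out of the script",
}

class ReflectionFinder(HTMLParser):
    """Records each context in which MARKER appears in a response body."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_script = False
        self.contexts = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and MARKER in value:
                self.contexts.append(("attribute", f"{tag}[{name}]"))
        if tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if MARKER in data:
            kind = "script" if self.in_script else "html_text"
            self.contexts.append((kind, data.strip()[:40]))

def find_reflections(body):
    finder = ReflectionFinder()
    finder.feed(body)
    finder.close()
    return finder.contexts

# Constructed response for a comment form that echoes the submitted value.
SAMPLE = f"""<html><body>
<p>Your comment: {MARKER}</p>
<input type="text" name="comment" value="{MARKER}">
<script>var last = "{MARKER}";</script>
</body></html>"""

if __name__ == "__main__":
    for kind, where in find_reflections(SAMPLE):
        print(f"{kind:10} {where:40} -> {ENCODING[kind]}")
```

A value that lands in more than one context needs the encoding for each of them; encoding that is correct for HTML text does not protect the same value inside a script block.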

Let's check the exploited example again. Here, we have a form to submit comments to a website:

If we use the application as it is supposed to be used:

You will ...
