Manual XSS Attacks

What is Manual XSS?

Cross-Site Scripting (XSS) is a type of security vulnerability typically found in web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. Manual XSS testing, unlike automated XSS scanning with tools such as Burp Suite, means directly probing input fields by hand to see whether an injected script is reflected or stored without encoding.


Manual XSS Techniques

There are several techniques used in manual XSS attacks, including:


Preventing Manual XSS

Preventing XSS involves input validation, output encoding, and setting the HttpOnly flag on cookies. Input validation checks user input against a set of rules (a whitelist) and rejects any input that does not meet them. Output encoding converts user input into a safe form at the point where it is displayed to users, so that the browser renders it as text rather than as markup. Setting the HttpOnly flag on cookies prevents client-side scripts from reading them, which protects session cookies from theft by an injected script.
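The three controls above as plain Node.js functions, added here as an example and not taken from the original page: an HTML body-context encoder shown beside the unencoded "before" template, an allowlist validator for a username field, and a Set-Cookie value with HttpOnly. The function names, the username rule and the sample input are assumptions made for the example.

```javascript
// Added example (not from the original page). Function names, the username
// allowlist and the sample input are assumptions chosen for illustration.

// 1. Output encoding for the HTML body context: the five characters that can
//    change HTML structure are mapped to entities, so untrusted text is
//    displayed rather than parsed as markup.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": user input is concatenated straight into the page. Any tag in
// `name` becomes part of the DOM.
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// "After": the same template with the input encoded where it is displayed.
function renderGreeting(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// 2. Input validation against a whitelist: accept only the characters a
//    username may contain and reject everything else (no attempt to "strip
//    tags", which is easy to get wrong).
const USERNAME_RE = /^[A-Za-z0-9_]{3,32}$/;
function isValidUsername(name) {
  return USERNAME_RE.test(name);
}

// 3. Cookie flags: HttpOnly stops document.cookie from exposing the session
//    id to scripts. Secure and SameSite are standard flags commonly set
//    alongside it (added here beyond what the paragraph lists).
function sessionCookie(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample input: a display name that contains a script tag.
const SAMPLE_NAME = "<script>alert(1)</script>";

console.log("unsafe :", renderGreetingUnsafe(SAMPLE_NAME));
console.log("encoded:", renderGreeting(SAMPLE_NAME));
console.log("valid? :", isValidUsername(SAMPLE_NAME)); // false
console.log("cookie :", sessionCookie("abc 123"));
```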