Manual Testing Fundamentals
Manual testing remains irreplaceable for finding complex XSS vulnerabilities that automated tools might miss. The process begins with understanding the application's data flow – identifying every point where user input enters the system and tracking how it's processed, stored, and displayed. This reconnaissance phase involves mapping all input vectors including URL parameters, form fields, headers, cookies, file uploads, and API endpoints. Modern applications often have hidden input vectors in WebSocket communications, postMessage handlers, or client-side storage mechanisms that require careful investigation.
The basic manual testing approach involves injecting various payloads and observing how the application handles them. Start with simple payloads like <script>alert(1)</script> to test for completely unfiltered inputs. When this fails, progressively test more sophisticated payloads that might bypass specific filters. Event handler injections like <img src=x onerror=alert(1)> often succeed where script tags fail. Testing should cover the different contexts where input might be reflected: within HTML tags, inside attribute values, within JavaScript code, in CSS contexts, or even in HTTP headers that might be reflected in the page.
Context is crucial in manual testing. A payload that works in HTML context might fail in JavaScript context and vice versa. For example, if user input is reflected inside a JavaScript string like var name = 'USER_INPUT';, the appropriate payload would be '; alert(1); // to break out of the string context. Similarly, input reflected in HTML attributes requires different payloads depending on whether it's within single quotes, double quotes, or unquoted attributes. Successful manual testing requires understanding these contexts and crafting appropriate payloads for each.