Hacking Tutorials XSS

Reflected XSS on JSON, AJAX, XML based web apps

Welcome back my fellow XSSers. Today we will perform XSS on JSON, AJAX and XML based applications. But before we start injecting payloads lets take a quick view of XML, JSON and AJAX.


eXtensible Markup Language (XML) is used to keep data in some other file (.xml file) instead the HTML webpage itself.


JavaScript Object Notation (JSON) is used to organize input submitted by a user and to transmit data between a server and a web application.


Asynchronous JavaScript And XML (AJAX) is basically a technology which allows a webpage to send and receive data without reloading the page.

Cross Site Scripting in JSON

json xss preventation

This is a webpage which uses JSON. How do I know? Well its source code clearly says that:

XSS on JSON payload
So HTML takes input from the search box and then a JSON scripts gets executed which processes the input.
This line of code is our area of interest because this line fetches input from the HTML.

var JSONResponseString = '{"movies":[{"response":"HINT: our master really loves Marvel movies "}]}';

Take a look at the red characters I have marked. They represent arrays which are used to arrange data.
Our input goes straight to these arrays. Moreover, all this process is happening inside a <script> tag.

So there can be 3 (or more) different payloads:

"}]}';</script><script>alert('You got XSSed')</script>

It closes the arrays using “}]}’; and closes the <script> using </script>. After that it executes our script.

</script><script>alert('You got XSSed')</script>

it just closes the <script> tag and executes our script.

"}]}';alert('You got XSSed')</script>

This one really cool. It just closes the arrays and injects our script without using any <script> tag to start the script because we are already inside a <script> so we don’t need to start it 😉
All these three payloads will give the same result
json based xss payload
So we just played with arrays and closed tags to get our desired result.

Cross Site Scripting in AJAX

Well web pages that use AJAX are a little different because they will show the search results as you type your query in the search box without reloading the page.

reflected xss on ajax

As you can see, I entered the word “input” and it got reflected i.e. displayed. AJAX is being used in here so the results are displayed without reloading the page. Well the quickest way to check for XSS in AJAX based web apps is to try to render the content with tags like <s> strike through, <b> bold, <i> italic etc. So I will be doing the same.

Damn! It worked! Now lets the following string

<s>This</s> <b>is</b> <i>vulnerable<i> <u>to</u> <font color=red>XSS</font>

xss payload for ajax
Huh? we can render the output in any way we want to.
Now I will <b> bold tag to generate a link that points to teamultimate.in as follows

<b href=teamultimate.in>Click here to win prizes</b>

cross site scripting ajax

And we got the desired input. Similarly we can run our other malicious scripts too.

Cross Site Scripting in XML

Now we have another page which uses XML instead of JSON. Take a look at the output of our innocent query

xml xss payload

It shows some kind of error. Its because XML can’t parse characters like < or ” directly. We have to use HTML escape characters or HTML Special Entities. I have summed up the most important ones here

" can be written as &quot;
< can be written as &lt;
> can be written as &gt;

/ ‘ = \ are rendered as they are.
I will be using this script against this form:

<img src=# onerror=alert(1)>

<img> tag is used to add a image to a webpage but we have used # as the source of the image which will give an error. Then I have added onerror=alert(1), which speaks itself that it will raise an error box if an error is found.

Now lets use our HTML’s special characters instead of the regular ones (< ” >) so that the XML can parse our script.

&lt;img src=# onerror=alert(1)&gt;

I haven’t changed anything much, just changed > < and ” with their HTML special entity. Now the XML should be able to parse script and hence the webpage might execute.

xml xss payload bypass

It worked perfectly.

That’s all folks. Keep learning Keep XSSing.

Also Read: Persistent, Reflected, DOM-based and Self XSS attacks


About the author


I am Somdev Sangwan also known as D3V. I am n00b and I love computers and hacking. I am a python freak and your friendly neighborhood hacker.


Click here to post a comment

  • Hello I have a search page of a website. The scenario is when i try to search anything the request goes in json format and when the application returns some result the response is also in json format. Do you have any idea to break it? simple breaking wont work here 🙂

    • Check HTTP headers, if the Content-Type header has a value of application/json then its perfect otherwise it may be vulnerable. Try injecting special characters if the header is absent.

Subscribe Now

Subscribe for free and get latest articles delivered right into your inbox.

Thank you for subscribing.

Something went wrong.