Cross-Site Scripting (XSS) and the 5WE Program

Jul 16, 2024

Introduction to XSS

  • XSS is one of the most common vulnerabilities reported on bug bounty platforms.
  • It allows JavaScript to be inserted into a website, which can lead to account takeover, API key hijacking, etc.
  • It can be stored (the data is saved and shown back) or reflected (in the URL).

5WE Program Explanation

  • New 5-week program to help participants find their first vulnerability.
  • One participant will join a pentest with the instructor and get paid.
  • Aim is to find new talent and offer real-world experience.

Understanding Cross-Site Scripting

  • XSS allows injecting malicious JavaScript code to control browser behavior on the target site.
  • Example Impact: Account takeover on sites like Amazon.

Basic Steps to Identify XSS

  1. Initial HTML Injection
    • Start by injecting simple HTML payloads like <h1>test123</h1>.
    • Check if it renders on the page to identify potential vulnerabilities.
  2. Introduce Event Handlers
    • Use events like `onmouseover=
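
Step 1 seen from the application side, as an added example that is not from the original page: a reflected and a stored output sink (the two types named in the introduction) rendered with and without output encoding, then checked with the same `<h1>test123</h1>` probe. The function names, the `shop.example` URL and the `test"123` value are assumptions constructed for illustration.

```javascript
// Added example; all function names are hypothetical, sample inputs are constructed.

const PROBE = '<h1>test123</h1>'; // the harmless HTML probe from step 1

// Encode the characters that let text alter HTML structure
// (valid for element content and quoted attribute values).
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Reflected sink: the value comes from the request URL and is echoed at once.
function renderSearch(url, encode) {
  const q = new URL(url).searchParams.get('q') || '';
  return `<p>Results for ${encode(q)}</p><input name="q" value="${encode(q)}">`;
}

// Stored sink: the value is saved first and shown back to later visitors.
function renderComments(stored, encode) {
  return '<ul>' + stored.map((c) => `<li>${encode(c)}</li>`).join('') + '</ul>';
}

const raw = (v) => String(v); // the vulnerable "no encoding" behaviour

// Step 1 check: did the probe come back with its tags intact?
function probeRendered(html) {
  return html.includes(PROBE);
}

// Quoted-attribute check: where does the markup say the value of q ends?
function attributeValue(html) {
  const m = html.match(/value="([^"]*)"/);
  return m ? m[1] : null;
}

function demo() {
  const url = 'https://shop.example/search?q=' + encodeURIComponent(PROBE);
  const quoted = 'https://shop.example/search?q=' + encodeURIComponent('test"123');
  return {
    reflectedRaw: probeRendered(renderSearch(url, raw)),
    reflectedEncoded: probeRendered(renderSearch(url, escapeHtml)),
    storedRaw: probeRendered(renderComments([PROBE], raw)),
    storedEncoded: probeRendered(renderComments([PROBE], escapeHtml)),
    attrRaw: attributeValue(renderSearch(quoted, raw)),
    attrEncoded: attributeValue(renderSearch(quoted, escapeHtml)),
  };
}

console.log(demo());
```

With `raw`, the probe survives as markup in both sinks and the quote in `test"123` ends the attribute early; with `escapeHtml`, the same inputs come back as inert text.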