XSS & CSRF Testing Basics
Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) are two of the most prevalent client-side security vulnerabilities. XSS allows attackers to inject and execute malicious scripts in other users' browsers. CSRF tricks authenticated users into making unintended requests. Both can be tested systematically by testers without advanced hacking skills.
XSS and CSRF Test Cases
# ══════════════════════════════════════════════════════════════
# XSS (CROSS-SITE SCRIPTING) TESTING
# ══════════════════════════════════════════════════════════════
# XSS TEST PAYLOADS: enter these in any text field that displays content
xss_payloads = [
    # Basic script injection:
    "<script>alert('XSS')</script>",
    # Event handler injection:
    "<img src=x onerror=alert('XSS')>",
    # SVG injection:
    "<svg onload=alert('XSS')>",
    # URL-encoded:
    "%3Cscript%3Ealert('XSS')%3C/script%3E",
    # JavaScript URI:
    "javascript:alert('XSS')",
]

# WHERE TO TEST:
xss_input_points = [
    "User profile name field (reflected on profile page)",
    "Comment/forum posting fields (stored XSS — persists for other users)",
    "Search field (reflected in URL and displayed results)",
    "Error messages that include user input",
    "URL parameters that get rendered into the page",
]

# HOW TO DETECT VULNERABILITY:
# ✅ SECURE: input is displayed literally as <script>alert('XSS')</script>
#    (the page source contains HTML entities such as &lt;script&gt;)
# 🔴 VULNERABLE: a browser dialog appears OR a raw <script> tag appears in the page source

# AUTOMATED XSS TEST (Selenium):
def test_xss_in_search_field(driver, base_url):
    payload = "<script>document.title='XSS'</script>"
    driver.get(f"{base_url}/search")
    search_box = driver.find_element("id", "search-input")
    search_box.send_keys(payload)
    search_box.submit()
    # If the XSS worked, the injected script changed the page title
    assert driver.title != "XSS", "XSS vulnerability: payload executed and changed page title"
    # Verify the payload is reflected encoded (as &lt;script&gt;), not as a raw tag
    assert payload not in driver.page_source, "Raw payload found in page source — potential XSS"

# ══════════════════════════════════════════════════════════════
# CSRF (CROSS-SITE REQUEST FORGERY) TESTING
# ══════════════════════════════════════════════════════════════
# WHAT IS CSRF: an attacker's page submits a form to your app
# using the victim's logged-in session (cookies are sent automatically)

# HOW TO TEST CSRF PROTECTION:
# Test 1: state-changing requests require a CSRF token
# Send POST /api/user/password without a CSRF token:
import requests

session = requests.Session()
# Login first
session.post("https://staging.myapp.com/api/auth/login",
             json={"email": "alice@test.com", "password": "Test@1234"})
# Try the password change WITHOUT a CSRF token (simulates a cross-site request)
response = session.post("https://staging.myapp.com/api/user/password", json={
    "newPassword": "Hacked@1234"
})
# EXPECTED: 403 Forbidden (CSRF token missing)
# VULNERABLE: 200 OK (password changed without CSRF validation)
assert response.status_code == 403, "CSRF token validation missing!"

# Test 2: the CSRF token is tied to the session (not reusable)
# Get the CSRF token for session A, use it in session B — the request should fail

# Test 3: SameSite cookie attribute
# Verify auth cookies have SameSite=Strict or SameSite=Lax
Common Mistakes
- Testing XSS only in text inputs — XSS can be injected in URLs, HTTP headers, JSON values, file metadata; test all user-controlled data
- Using an alert() payload and assuming no alert = not vulnerable — a Content Security Policy may block the inline script so no dialog ever appears; use document.title manipulation or onerror detection instead
- Not testing Stored XSS — stored XSS (persists in database, shown to other users) is more dangerous than reflected; test comment fields, profiles, and any stored content
- Testing CSRF only via the UI — CSRF protection is a server-side validation; test it directly with requests (bypassing the UI) to confirm the validation exists on the server
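As an added example (not code from the original page), here is an offline check for Test 3 in the CSRF section above: it parses Set-Cookie header values the way a tester would read them from response.headers and flags auth cookies that lack SameSite=Strict or SameSite=Lax, checking Secure and HttpOnly alongside. The header strings are constructed samples, and the cookie name "session" is an assumption.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class CookieCheck:
    name: str
    samesite: Optional[str]   # "Strict", "Lax", "None", or None when absent
    secure: bool
    httponly: bool
    findings: List[str] = field(default_factory=list)

def parse_set_cookie(header: str) -> CookieCheck:
    """Split one Set-Cookie header value into its name and the attributes checked here."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")   # "Secure" -> ("Secure", "", "")
        attrs[key.strip().lower()] = value.strip()
    samesite = attrs.get("samesite")
    if samesite is not None:
        samesite = samesite.capitalize()      # normalise "lax" -> "Lax"
    return CookieCheck(name, samesite, "secure" in attrs, "httponly" in attrs)

def check_auth_cookie(header: str) -> CookieCheck:
    """Test 3: an auth cookie must carry SameSite=Strict or SameSite=Lax.
    An absent attribute is reported too, because the application should not
    rely on whatever default the browser applies. Secure and HttpOnly are
    checked alongside since a session cookie without them is a related weakness."""
    c = parse_set_cookie(header)
    if c.samesite not in ("Strict", "Lax"):
        c.findings.append(f"{c.name}: SameSite={c.samesite or 'missing'} "
                          "does not stop the cross-site POST from Test 1")
    if not c.secure:
        c.findings.append(f"{c.name}: missing Secure")
    if not c.httponly:
        c.findings.append(f"{c.name}: missing HttpOnly")
    return c

# Constructed sample headers (not captured from a real app): one hardened, two weak.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly; Secure; SameSite=Strict",
    "session=abc123; Path=/; Secure; SameSite=None",
    "session=abc123; Path=/",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        result = check_auth_cookie(h)
        print("PASS" if not result.findings else "FAIL", h, result.findings)
```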
Tip
Practice XSS and CSRF testing in small, isolated examples before integrating it into larger projects. Breaking the concepts into small experiments builds genuine understanding faster than reading alone.
Practice Task
(1) Write a working XSS and CSRF test from scratch without looking at notes. (2) Modify it to handle an edge case (empty input, null value, or error state). (3) Share your solution in the Priygop community for feedback.
Common Mistake
A common mistake in XSS and CSRF testing is skipping edge cases: empty inputs, null values, and unexpected data types. Always validate boundary conditions to write robust, production-ready test code.
Key Takeaways
- Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) are two of the most prevalent client-side security vulnerabilities.