You're overthinking it. it's demonstrated with an alert because when the alert is shown, it means the attacker was able to insert javascript code into your page and that code was executed as if you had put it there yourself. ... so from the perspective of the client (visitor) this code is coming from you, and they don't know anything about the attacker - which is what the attacker wants.
Answer from Ярослав Рахматуллин on Stack OverflowInvicti
invicti.com › learn › cross-site-scripting-xss
Cross-Site Scripting (XSS) Vulnerability Guide
A user might open that page using a link where the name parameter value includes an XSS payload: ... The script is injected directly into the DOM and executed in the user’s browser to pop up an alert box.
Bright Security
brightsec.com › blog › cross-site-scripting-xss
The Ultimate Beginners Guide to XSS Vulnerability - Bright Security
August 10, 2025 - Payload is broken_site/xss/3?id= ... And this worked, the site just checks once if the payload contains the script tags and removes them, once it removes them we get another set of script tags that we wrapped around the removed ones and we get the successful alert prompt.
Videos
28:56
What Is an XSS Attack: How to Fix + Prevent Cross-Site Scripting ...
08:41
❌ XSS Attacks Explained – How HACKERS steal data with one line ...
14:43
Cross-Site Scripting (XSS) Explained! // How to Bug Bounty - YouTube
08:28
How to Find XSS | Cross-site scripting - YouTube
03:31
🚨 Detecting and Alerting on XSS Attacks Real Time XSS Protection ...
34:52
Website Hacking Demos using Cross-Site Scripting (XSS) - it's just ...
What is the difference between XSS and CSRF?
XSS injects malicious JavaScript into a trusted web page, causing the user’s browser to execute attacker-controlled code. CSRF tricks a user’s browser into sending unauthorized HTTP requests. While XSS runs malicious code in the browser, CSRF abuses authenticated requests. Attackers may combine both types of attacks.
invicti.com
invicti.com › learn › cross-site-scripting-xss
Cross-Site Scripting (XSS) Vulnerability Guide
How can you avoid cross-site scripting vulnerabilities?
Effective XSS prevention requires strict input validation, context-aware output encoding, secure framework usage, modern security measures such as Trusted Types and Content Security Policy headers, and continuous web application security testing.
invicti.com
invicti.com › learn › cross-site-scripting-xss
Cross-Site Scripting (XSS) Vulnerability Guide
Is cross-site scripting still dangerous?
Yes. Cross-site scripting remains one of the most common web application security vulnerabilities. It can lead to account takeover, session hijacking, phishing, and exposure of sensitive data.
invicti.com
invicti.com › learn › cross-site-scripting-xss
Cross-Site Scripting (XSS) Vulnerability Guide
PortSwigger
portswigger.net › web-security › cross-site-scripting › contexts
Cross-site scripting contexts | Web Security Academy
The end result is that the alert() function is called with 1 as an argument. onerror=alert;throw 1 · There are multiple ways of using this technique to call functions without parentheses. The next lab demonstrates a website that filters certain characters. You'll have to use similar techniques to those described above in order to solve it. When the XSS context is some existing JavaScript within a quoted tag attribute, such as an event handler, it is possible to make use of HTML-encoding to work around some input filters.
Hackviser
hackviser.com › cross-site scripting (xss)
Cross-Site Scripting (XSS) Attack Guide | Hackviser
XSS occurs when a web application includes untrusted data in a web page without proper validation or escaping. For example, when a website reflects user input: <div>Hello, <?php echo $_GET['name']; ?></div> An attacker might input: ...
OWASP Cheat Sheet Series
cheatsheetseries.owasp.org › cheatsheets › XSS_Filter_Evasion_Cheat_Sheet.html
XSS Filter Evasion - OWASP Cheat Sheet Series
This is more useful against web application firewall (WAF) XSS evasion than it is server side filter evasion. Apache Tomcat is the only known server that by default still transmits in US-ASCII encoding. ... The odd thing about meta refresh is that it doesn't send a referrer in the header - so it can be used for certain types of attacks where you need to get rid of referring URLs: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
Mozilla
developer.mozilla.org › en-US › docs › Web › Security › Attacks › XSS
Cross-site scripting (XSS) - Security - MDN Web Docs
Hello, <img src=x onerror=alert('XSS!')>!
Software Testing Help
softwaretestinghelp.com › home › security testing › cross-site scripting (xss) testing: xss alert example
Cross-Site Scripting (XSS) Testing: XSS Alert Example
May 9, 2025 - In order to perform stored XSS attack, the malicious script should be sent through the vulnerable input form (For Example, the comment field or review field). This way the appropriate script will be saved in the database and executed on the page load or appropriate function calling. Consider having a page where the latest user opinion is being loaded. Therefore, in the opinion or comment field it would be typed with the script as shown below. <script>alert(document.cookie)</script> This will be saved in the database and executed on the page load, as the latest user opinion will be displayed on the page.
Top answer 1 of 3
1
You're overthinking it. it's demonstrated with an alert because when the alert is shown, it means the attacker was able to insert javascript code into your page and that code was executed as if you had put it there yourself. ... so from the perspective of the client (visitor) this code is coming from you, and they don't know anything about the attacker - which is what the attacker wants.
2 of 3
1
It's just like a "hello world" program but from the XSS world. It's easy to check, minimalistic, checking that you can at least execute some javascript function (alert). While you're looking for an XSS, the payload itself is not as important as the "can I actually inject some javascript here?" question.
Basically, it's a 2 steps approach.
- Find a vulnerable parameter. (using alert or any other simple function)
- Now let's have some fun with it.
If I am not mistaken XSS means that the attacker should be able to establish two-way communication between infected client and attacker's server.
Not always. Sometimes, 1-way communication is enough:
- Just send data to your server, no response required. It's very useful for the stored XSS case (when let's say you can put random javascript code into a comment visible to other users)
- You can inject some HTML asking the user to open another website and do whatever you want. (XSS + social engineering)
To summarise: alert is a simple function sufficient to check if you can inject javascript, like "hello world" to check that your setup is working. If you're successful -> it's time to make it more complicated.
Edit: in a real attack, people usually check more options, because the "alert" keyword is blocked by most security filters. It doesn't mean that the XSS is not there ;) But "alert" is a very convenient example for tutorials, so you'll see it everywhere.
IBM
ibm.com › think › news › cisa-fbi-release-secure-by-design-on-cross-site-scripting
CISA and FBI release secure by design alert on cross-site scripting | IBM
November 19, 2025 - Conjointly, the agencies recently released a new Secure by Design alert aimed at eliminating cross-site Scripting (XSS) vulnerabilities, which have long been exploited to compromise both data ...
Nuharborsecurity
nuharborsecurity.com › blog › alertxss-pwn3d-real-dangers-cross-site-scripting
alert('XSS – Pwn3d!'): The Real Dangers of Cross-Site ...
XSS is a prime ingredient in any sophisticated attack and can be leveraged to perform cookie stealing and session hijacking, automated cross site request forgery (CSRF), same-origin policy bypass, X-CSRF tokens bypass, and even complete browser exploitation and operating system remote code execution. If alert(‘Pwn3d!’) doesn’t strike fear into you, it should.
PortSwigger
portswigger.net › web-security › cross-site-scripting › cheat-sheet
Cross-Site Scripting (XSS) Cheat Sheet - 2026 Edition | Web Security Academy
xmp <xss onfocus=alert(1) autofocus tabindex=1> Copy Link · Compatibility: onfocusin · Fires when the element has focus · a · a2 · abbr · acronym · address · applet · area · article · aside · audio · audio2 · b · bdi · bdo · ...
Pentest-Tools.com
pentest-tools.com › home
10 Practical scenarios for XSS attacks | Pentest-Tools.com Blog
localhost:81/vulnerabilities/xss_d/?default=<script>alert(“DOM-based XSS”)</script>
Cobalt
cobalt.io › blog › a-pentesters-guide-to-cross-site-scripting-xss
A Pentester’s Guide to Cross-Site Scripting (XSS) | Cobalt
December 1, 2022 - -------------------------------------------------------------------- Unclosed Tags: <svg onload=alert(1)// -------------------------------------------------------------------- DOM XSS: “><svg onload=alert(1)> <img src=1 onerror=alert(1)> javascript:alert(document.cookie) \“-alert(1)}// <><img src=1 onerror=alert(1)> -------------------------------------------------------------------- Another case: param=abc`;return+false});});alert`xss`;</script> abc`; Finish the string return+false}); Finish the jQuery click function }); Finish the jQuery ready function alert`xss`; Here we can execute our
Black Hills Information Security
blackhillsinfosec.com › home › blog › canary in the code: alert()-ing on xss exploits
Canary in the Code: Alert()-ing on XSS Exploits - Black Hills Information Security, Inc.
August 12, 2025 - This is because the alert() function provides a clear and unmistakable indication of exploitation, halting the execution of the webpage and allowing hackers to quickly identify and verify the presence of an XSS vulnerability.
LiveOverflow
liveoverflow.com › do-not-use-alert-1-in-xss
Do NOT use alert(1) in XSS
July 31, 2021 - This injection is designed to affect other users of the website. Injecting an XSS payload containing alert(1) allows a window to pop-up as a result of the payload being executed. The window popping up is evidence that the payload was run.
Medium
medium.com › @sumayasomow › cross-site-scripting-xss-vulnerabilities-f7c8e63b2f10
Cross-Site Scripting (XSS) Vulnerabilities | by Sumayasomow | Medium
January 11, 2025 - We successfully bypassed the filter and exploited the Reflected XSS vulnerability in DVWA at High level security. Review the text that you input into the web form. How did it work? It forced an error to occur by attempting to load a non-existent image. The error was detected with onerror and the alert response was triggered to display the alert box.
GitHub
github.com › swisskyrepo › PayloadsAllTheThings › blob › master › XSS Injection › README.md
PayloadsAllTheThings/XSS Injection/README.md at master · swisskyrepo/PayloadsAllTheThings
While alert() is nice for reflected XSS it can quickly become a burden for stored XSS because it requires to close the popup for each execution, so console.log() can be used instead to display a message in the console of the developer console (doesn't require any interaction).
Author swisskyrepo
Scribd
scribd.com › document › 844264626 › XSSalertTest
XSS Alert Script Examples | PDF
<ScRiPt>AlErT('XSS')</ScRiPt> "><script>alert('XSS')</script> "><ScRiPt>AlErT('XSS')</ScRiPt> =><><script>alert('XSS')</script> =><><ScRiPt>AlErT('XSS')</ScRiPt> ="><script>alert('XSS')</script> ="><ScRiPt>AlErT('XSS')</ScRiPt> ='><script>alert('XSS')</script> ='><ScRiPt>AlErT('XSS')</ScRiPt> ="><<script>alert('XSS')</script> ="><<ScRiPt>AlErT('XSS')</ScRiPt> ='><<script>alert('XSS')</script> ='><<ScRiPt>AlErT('XSS')</ScRiPt> <script>alert([Link](88, 83, 83)</script> <ScRiPt>AlErT([Link](88, 83, 83)</ScRiPt> "><script>alert([Link](88, 83, 83)</script> "><ScRiPt>AlErT([Link](88, 83, 83)</ScRiPt
Medium
medium.com › @sasi112002kumar › dont-use-alert-1-c34de3df1825
Don’t use alert(1)- XSS. Cross Site Scripting( XSS ) XSS is a… | by Sasi Kumar | Medium
November 2, 2024 - XSS Check XSS happens when the input from user is not encoded . So If you want to check whether a site’s input field is XSS secured or not the most used script is “<img src=x onerror=alert(window.origin)>” .
HackerOne
hackerone.com › knowledge-center › how-xss-payloads-work-code-examples-and-how-prevent-them
How XSS Payloads Work with Code Examples, and How to Prevent Them | HackerOne
A simple payload that displays a pop-up message to the user. This can be used to test for XSS vulnerabilities or as a proof of concept for more advanced attacks. Code example: <script>alert("XSS")</script> A payload that redirects the user to ...