cross site scripting aka XSS is when you put code into a user input and that code then executes. the most common way is when something like a search query allows input and reflects what you type back at you into the html. if nothing is in place to stop it from putting scripts in there (in some way, shape or form) then when somebody goes to the link you get from that query, your code will execute. if this vulnerability was on facebook they could steal your facebook session cookie and own your account without even needing a password.
the other kind is even more deadly. it is when you input something that is stored on the site, like a comment or topic in a forum. you can make that input code and again if nothing is in place to stop it you can do the same thing without even needing to send a link to anyone. if you managed to do this on someones facebook news feed it would hack all of your friends. however dont try it. you probably cant and you will get banned. also if you attempt and fail youll have a stored XSS attempt, which just makes you look like a goof.
the last kind is XSS within the javascript of the page itself. this involves finding javascript variables that are assigned as user input and figuring out how they would work in an execution context. if you can find something like that and you can either craft a link to emulate that input or have that xss get stored then you achieve xss without it even touching the server.
how to test for these?
for the first kind you could just experiment with how your inputs show up in the HTML and try to find a way to finagle it into executable script given where in the html it is. note that if the site has something like CLOUDFLARE (SC does.) to detect it then you could get ip banned from this. if you want to try to find a way to bypass cloudflare you should use tor so you can keep trying after it bans your ip address(es).
for stored xss dont even try experimenting with the inputs, you will be banned very quickly. instead make posts that appear innocent and make sure to "slip in" whatever you want to experiment with. better yet just analyze the html of other users' content to save yourself effort. if you spot a vulnerability that you are CERTAIN will work you can try it out. if not dont, your pathetic stored xss ATTEMPT will be a pathetic stain on your anomymous e rep.
for the javascript variable/document oriented xss strain, you're gonna have to get down and dirty with the javascript for the page until you find a way to slip your xss in there that will be executed. this requires actual understanding of the javascript language and is therefore the most involved (and in my opinion the most fun) but i digress, you should learn javascript anyway because it will help with all 3 of these xss methods.
happy hacking.
