Dancer in the Dark: Synthesizing and Evaluating Polyglots for Blind Cross-Site Scripting

Published: 2025-02-12
Venue: USENIX Security Symposium
Citations: 1 (influential: 0)

AI Summary
This paper addresses the fundamental challenge in blind cross-site scripting (BXSS) detection: the absence of external feedback channels renders conventional XSS detection techniques ineffective. To overcome this, we propose a novel blind code execution verification method based on polyglot payloads—multi-language, context-agnostic injection strings designed to trigger observable side effects regardless of execution context. We present the first systematic study of BXSS, introducing a lightweight, context-independent polyglot payload design, coupled with context-aware injection modeling and a blind execution verification mechanism that enables definitive vulnerability confirmation without any client- or server-side feedback. Empirical evaluation across the Tranco Top 100,000 websites identified 20 BXSS vulnerabilities across 18 backend systems, achieving detection accuracy comparable to state-of-the-art taint-tracking approaches. Our core contribution is the construction of the first verifiable, BXSS-specific polyglot payload framework—breaking the long-standing technical bottleneck in confirming XSS vulnerabilities under fully blind conditions.

Abstract
Cross-Site Scripting (XSS) is a prevalent and well-known security problem in web applications. Numerous methods to automatically analyze and detect these vulnerabilities exist. However, all of these methods require that either code or feedback from the application is available to guide the detection process. In larger web applications, inputs can propagate from a frontend to an internal backend that provides no feedback to the outside. None of the previous approaches are applicable in this scenario, known as blind XSS (BXSS). In this paper, we address this problem and present the first comprehensive study on BXSS. As no feedback channel exists, we verify the presence of vulnerabilities through blind code execution. For this purpose, we develop a method for synthesizing polyglots, small XSS payloads that execute in all common injection contexts. Seven of these polyglots are already sufficient to cover a state-of-the-art XSS testbed. In a validation on real-world client-side vulnerabilities, we show that their XSS detection rate is on par with existing taint tracking approaches. Based on these polyglots, we conduct a study of BXSS vulnerabilities on the Tranco Top 100,000 websites. We discover 20 vulnerabilities in 18 web-based backend systems. These findings demonstrate the efficacy of our detection approach and point at a largely unexplored attack surface in web security.
Problem

Research questions and friction points this paper is trying to address.

Addressing blind Cross-Site Scripting (BXSS) vulnerabilities
Synthesizing polyglots for blind code execution
Evaluating BXSS detection on top websites
Innovation

Methods, ideas, or system contributions that make the work stand out.

Synthesizes polyglots for XSS
Blind code execution verification
Detects vulnerabilities without feedback