System administrator / DevOps / Ethical Penetration tester
Exploiting cross-site scripting vulnerabilities
The traditional way to prove that you’ve found a cross-site scripting vulnerability is to create a popup using the
Sometimes you’ll want to go further and prove that an XSS vulnerability is a real threat by providing a full exploit. In this section, we’ll explore three of the most popular and powerful ways to exploit an XSS vulnerability.
Exploiting cross-site scripting to steal cookies
In practice, this approach has some significant limitations:
- The victim might not be logged in.
- Sessions might be locked to additional factors like the user’s IP address.
- The session might time out before you’re able to hijack it.
Exploiting cross-site scripting to capture passwords
These days, many users have password managers that auto-fill their passwords. You can take advantage of this by creating a password input, reading out the auto-filled password, and sending it to your own domain. This technique avoids most of the problems associated with stealing cookies and can even gain access to every other account where the victim has reused the same password.
The primary disadvantage of this technique is that it only works on users who have a password manager that performs password auto-fill. (Of course, if a user doesn’t have a password saved you can still attempt to obtain their password through an on-site phishing attack, but it’s not quite the same.)
Exploiting cross-site scripting to perform CSRF
Anything a legitimate user can do on a website, you can probably do too with XSS. Depending on the site you’re targeting, you might be able to make a victim send a message, accept a friend request, commit a backdoor to a source code repository, or transfer some Bitcoin.
Some websites allow logged-in users to change their email addresses without re-entering their passwords. If you’ve found an XSS vulnerability, you can make it trigger this functionality to change the victim’s email address to one that you control, and then trigger a password reset to gain access to the account.
This type of exploit is typically referred to as cross-site request forgery (CSRF), which is slightly confusing because CSRF can also occur as a standalone vulnerability. When CSRF occurs as a standalone vulnerability, it can be patched using strategies like anti-CSRF tokens. However, these strategies do not provide any protection if an XSS vulnerability is also present.