What can an XSS attacker do?
Feb 12, 2021
Generally speaking, if an attacker manages to perform an XSS attack, he could do one or more of the following:
- Ad-Jacking — Inject his own ads into the page to make money.
- Click-Jacking — Create a hidden overlay on a page to hijack the victim’s clicks and perform malicious actions.
- Session Hijacking — HTTP cookies can be accessed by JavaScript if the HttpOnly flag is not set on the cookie.
- Content Spoofing — JavaScript has full access to the client-side code of a web app, so he could use it to show or modify whatever content he wants.
- Credential Harvesting — He could use a fancy popup to harvest credentials, e.g. “WiFi firmware has been updated, re-enter your credentials to authenticate.”
- Forced Downloads — So the victim isn’t downloading his malicious Flash Player from good-domain.com? No problem: he could just try to force a download from the trusted website the victim is visiting.
- Crypto Mining — He could use the victim’s CPU to mine some Bitcoin (or an altcoin).
- Bypassing CSRF protection — He could read CSRF tokens from the page and submit them to perform POST operations elsewhere on the site.
- Keylogging — Self-explanatory.
- Recording Audio, Taking Pictures, Geolocation — Thanks to HTML5 and JavaScript, he could access the victim’s camera, microphone, and location, although this requires authorization from the user.
- Stealing HTML5 web storage data — A website can store data in the browser for later use and, of course, JavaScript can read that storage via window.localStorage and window.sessionStorage (the Web Storage API).
- Fingerprinting — It is very easy to find the victim’s browser name, version, installed plugins and their versions, operating system, architecture, system time, language, and screen resolution.
- Network Scanning — The victim’s browser can be abused to scan ports and hosts with JavaScript.
- Crashing Browsers — Why not?! :-)
- Stealing Information — Grab information from the web page and send it to his malicious server.
- Redirecting — Self-explanatory.
- Tabnabbing — A fancier version of redirection: when no keyboard or mouse events have been received for more than a minute, the user is probably AFK and he can sneakily replace the current web page with a fake one.
- Capturing Screenshots — Thanks to HTML5 again, you can now take a screenshot of a web page. Blind XSS detection tools have been doing this since before it was cool.
- Perform Actions — He is controlling the browser.
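The session hijacking and CSRF items above both come down to cookie attributes: HttpOnly keeps a cookie out of document.cookie, Secure keeps it off plaintext HTTP, and SameSite limits when it is sent on cross-site requests. The following Node.js script is an added example, not code from the original post; it parses Set-Cookie headers and flags the attributes whose absence widens what an injected script can do. The cookie names and header values are constructed for the example.

```javascript
// Added example (not from the original post): audit Set-Cookie headers for
// the attributes that limit the blast radius of an XSS payload.
//   HttpOnly  - cookie is not exposed to document.cookie
//   Secure    - cookie is only sent over HTTPS
//   SameSite  - Lax/Strict stops the cookie riding on cross-site requests (CSRF)

// Split one Set-Cookie header into the cookie name and a map of its attributes.
// Attribute keys are lower-cased; flag-style attributes (HttpOnly, Secure) map to true.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const attributes = {};
  for (const attr of attrs) {
    if (attr === '') continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, attributes };
}

// Return the cookie name plus a list of findings (empty list = nothing to report).
function auditSetCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const findings = [];
  if (!('httponly' in attributes)) {
    findings.push('missing HttpOnly: readable via document.cookie by any injected script');
  }
  if (!('secure' in attributes)) {
    findings.push('missing Secure: sent over plaintext HTTP');
  }
  const sameSite = typeof attributes.samesite === 'string'
    ? attributes.samesite.toLowerCase()
    : undefined;
  if (sameSite === undefined || sameSite === 'none') {
    findings.push('SameSite absent or None: sent on cross-site requests');
  }
  return { name, findings };
}

function auditAll(headers) {
  return headers.map(auditSetCookie);
}

// Constructed sample headers: one weak session cookie, one hardened one,
// and a non-session cookie that is deliberately cross-site.
const SAMPLE_HEADERS = [
  'sessionid=abc123; Path=/',
  'sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'prefs=dark; Path=/; Secure; SameSite=None',
];

for (const result of auditAll(SAMPLE_HEADERS)) {
  const status = result.findings.length === 0 ? 'ok' : result.findings.join('; ');
  console.log(`${result.name}: ${status}`);
}

module.exports = { parseSetCookie, auditSetCookie, auditAll, SAMPLE_HEADERS };
```

Run it with `node audit-cookies.js`; in practice you would feed it the Set-Cookie headers captured from a login response. Note that HttpOnly only stops the cookie from being read; an injected script can still make authenticated requests from inside the victim’s browser, which is the “Perform Actions” item above, so the attribute narrows the damage rather than removing it.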