Skip to main content

Exploiting cross-site scripting vulnerabilities

The traditional way to prove that you've found a cross-site scripting vulnerability is to create a popup using the alert() function. This isn't because XSS has anything to do with popups; it's simply a way to prove that you can execute arbitrary JavaScript on a given domain. You might notice some people using alert(document.domain). This is a way of making it explicit which domain the JavaScript is executing on.

Sometimes you'll want to go further and prove that an XSS vulnerability is a real threat by providing a full exploit. In this section, we'll explore three of the most popular and powerful ways to exploit an XSS vulnerability.

Exploiting cross-site scripting to steal cookies​

Stealing cookies is a traditional way to exploit XSS. Most web applications use cookies for session handling. You can exploit cross-site scripting vulnerabilities to send the victim's cookies to your own domain, then manually inject the cookies into your browser and impersonate the victim.

In practice, this approach has some significant limitations:

  • The victim might not be logged in.
  • Many applications hide their cookies from JavaScript using the HttpOnly flag.
  • Sessions might be locked to additional factors like the user's IP address.
  • The session might time out before you're able to hijack it.