I found a stored XSS vulnerability on a client's site, but they don't seem to think it's a big deal since it's "just an alert box." How can I create a more impactful Proof of Concept (PoC) that shows the real-world danger of this bug without actually damaging their production environment?
3 answers
You need to move beyond alert(1). To show real impact, demonstrate session hijacking. Create a script that steals the document.cookie and sends it to a server you control (like a RequestBin). Show the client that by stealing that cookie, you can take over an administrator's session without a password. Another great PoC is a "Virtual Defacement" where you use JavaScript to change the login form's action URL to point to a phishing page you've set up. When they see their own website asking for credentials and sending them to a third party, they will realize the severity of the vulnerability immediately.
When you show a cookie-stealing PoC, how do you address the client's argument if they have the HttpOnly flag enabled on their session cookies, which prevents JavaScript from accessing them?
I always try to find a way to redirect the user to a malicious site. It clearly illustrates how XSS can be used in a larger phishing campaign.
Simple and effective, Joseph. A forced redirect is hard for a client to ignore because it shows how their trusted domain can be used to harm their own customers.
Great question, Paul. If HttpOnly is on, I shift to showing an "External Service Interaction." I'll use the XSS to force the victim's browser to perform an action on their behalf, like changing their account email address or posting a comment. This demonstrates that even if I can't steal the session, I can still "act" as the user, which is a massive security failure.