XSS Exploits: Cross Site Scripting Exploits and Defense

Up to this point, we have been discussing cross-site scripting as a hands-on attacker-led method for taking over a browser. As we have illustrated, there are many ways to do this and numerous actions we can perform against a victim, from stealing a cookie to hijacking the entire browser session. While these types of attacks provide a good representation of how XSS is currently being used on the Internet, things can get a lot worse.
In this chapter, we examine the future of XSS attacks and illustrate the potential for this class of vulnerabilities.
One of the questions regularly asked by people new to cross-site scripting is, "What is the worst thing you can do with XSS?" Many of the individual attacks that don't require human interaction with the exploit (e.g., intranet port scanning, hacking routers [drive-by pharming], cross-site request forgeries, stealing sensitive information, and so on) are all bad individually. But what if we chained those attacks together? Or worse yet, what if we chained them together across a number of sites? What if a single XSS could traverse multiple domains and attack many different sites instead of just one? This is the concept behind Exponential XSS.
Let's assume an attacker finds a single XSS vulnerability on a Web page and gets a user to click on it. That single XSS vector begins a series of events, including attempting to add itself to other sites, hacking the user's intranet, sending cookies of any authenticated sessions...