Is XSS input a threat if ONLY the same user will see it?

What exactly can a malicious user gain if the XSS input he enters will be viewed only by him? Is there anything he can gain?

I understand how XSS is a problem when the malicious user input will be viewed by all site users. But if each user views only his own input, his malicious input will be viewed only by him, so my questions are:

  • can this affect other users indirectly in some way?
  • what can he gain from this?
sameold asked Dec 13 '22 12:12



2 Answers

What an attacker can gain with viewing that the xss attack vector he found works, is just that :-) But! Then he can use that attack vector, and there are several ways to do that.

If it's a non-persistent XSS vulnerability (aka reflected), then probably by sending a link (most probably obfuscated via a URL shortener) to potential victims. If it's a persistent XSS vulnerability (i.e. stored as a comment like the one I'm writing now), then he would just make his post and wait.

Now, what he can gain is a big talk. Just think what you could do if you could inject a script tag into a web page. You could then load a whole javascript file from your server.

The malicious code would then steal some cookies perhaps (if those are not set HttpOnly) and immediately post them via AJAX to a backend application... which would probably notify the attacker, and who knows... those cookies might be enough to log in to that website as the victim.

Well... there are many things an attacker can do... so please eliminate all XSS vulnerabilities you might have.

XSS vulnerabilities mainly take advantage of the trust people have in other websites. Don't underestimate the XSRF vulnerabilities, which depend on the trust a website has in your browser (another big talk), and SQL injection attacks.

A few tips (I'm sure you know all about it, but for the sake of completeness):

  • set httponly in cookies you use to authenticate users
  • use htmlentities when printing user input back to your output
  • use mysql_real_escape_string before storing user input into your db
  • do not perform critical actions (i.e. save/delete/modify articles) using GET requests; use POST for those (XSRF).

Good luck!

UPDATE:

A few tools that can help:

  • Chrome plugin : Websecurify
  • Firefox Plugin: xss-me
  • Windows App: NetSparker Community Edition (free)
  • X-platform: SkipFish, wapiti
  • Nessus

(I recommend SkipFish)

dimi answered Dec 28 '22 03:12

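As an added example (not the answer's own code; it assumes PHP and uses function names of my choosing), here is the raw echo that makes the stored payload run beside the hardened form of each of the four tips. Prepared statements stand in for mysql_real_escape_string, since the mysql_* extension no longer exists in PHP 7 and later.

```php
<?php
// Added example, not from the answer above. Function names are hypothetical.

// BEFORE: user input echoed raw. A stored "<script>" payload executes for
// whoever views the page, including the user who submitted it.
function render_comment_unsafe(string $comment): string {
    return '<p class="comment">' . $comment . '</p>';
}

// AFTER: encode for the HTML context it is printed into. ENT_QUOTES also
// covers attribute contexts; always pass the charset explicitly.
function render_comment_safe(string $comment): string {
    return '<p class="comment">'
        . htmlentities($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</p>';
}

// Session cookie flags (array form, PHP >= 7.3). HttpOnly hides the cookie
// from document.cookie, so a script that does run cannot simply read it.
function start_hardened_session(): void {
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,   // send only over HTTPS
        'samesite' => 'Lax',  // limits cross-site POSTs (the XSRF tip)
    ]);
    session_start();
}

// Store with a bound parameter instead of escaping by hand.
function store_comment(PDO $db, int $userId, string $comment): void {
    $stmt = $db->prepare('INSERT INTO comments (user_id, body) VALUES (?, ?)');
    $stmt->execute([$userId, $comment]);
}

// State-changing actions: require POST plus a per-session CSRF token.
function require_post_with_token(): void {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || !isset($_POST['csrf'], $_SESSION['csrf'])
        || !hash_equals($_SESSION['csrf'], $_POST['csrf'])) {
        http_response_code(403);
        exit('rejected');
    }
}

// Constructed sample payload, run from the CLI to see the difference.
$sample = '<script>alert(document.cookie)</script>';
echo render_comment_unsafe($sample), "\n"; // script tag survives intact
echo render_comment_safe($sample), "\n";   // &lt;script&gt;... inert text
```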


I guess not, but this isn't an A/B thing. Who knows WHAT the "script" part of that "XSS" does. Maybe the attacker found a vulnerability in your AJAX/javascript, and he is using an XSS-type attack to get a toolkit on your host. Again, we can speculate about what harm can befall from injection-type attacks all day, the bottom line is that if you can secure against it, do so. Every trick we can think of here is going to be one trick short of the list that an attacker is using.

Prepare for what you can predict, defend against the known.

Chris Baker answered Dec 28 '22 02:12
