How to Upgrade Your XSS Bugs from Medium to Critical

Luke Stephens (@hakluke)
5 min readMay 21, 2019
Photo by Paul Esch-Laurent on Unsplash

TL;DR: Before you report an XSS, look for ways it can be leveraged to increase severity. Here’s my repo containing weaponised JavaScript payloads for popular platforms like Wordpress and Drupal. More will be added in the coming weeks.

It feels like every day that I see another under-leveraged XSS writeup hit my Twitter feed. I saw another one today, I don’t want to name and shame, so let’s call the author “Jim”. The write-up went something like this.

  • Jim found some user input that was reflected, unsanitised
  • Jim put <script> alert(1)</script> into the input and an alert box popped up
  • Triaged as P3/Medium Severity
  • Rewarded $300
  • The end

The target was a very large company, and this XSS was on their most prominent domain which hosts a customer login portal and performs a number of highly-sensitive actions. What Jim didn’t know is that with a bit of extra effort, this bug could have been upgraded to a one-click account takeover and would likely have paid $5000. Don’t be like Jim.

This problem isn’t unique to Jim. Many penetration testers and bug bounty hunters never put in the effort to build out fully weaponised XSS payloads because it’s time consuming, or too difficult, or they don’t know what’s possible. By the end of this article, you will be armed with the knowledge of how to weaponise your XSS findings, and you’ll also have some XSS payloads I’ve crafted that allow an attacker to take full administrative control of some popular content management systems, namely Wordpress and Drupal.

Before we continue on the XSS train, we need to talk about Cross-Site Request Forgery (CSRF). CSRF occurs where the attacker is able to perform sensitive actions in the context of the victim’s session by convincing them to click a link in their own browser. As an example, let’s say the following URL is used in a web application to update the password of the user who navigates to it.

Firstly it’s bad practice to put the password in a GET request, but let’s ignore that for a second. If there are no CSRF mitigations in place, an…