Jul 31, 2025
Escalating XSS 🕵♀️
During a recent pentest, I found an unauthenticated XSS on the login page. Because the page redirects authenticated users to the dashboard, the usual post-exploitation vectors (session hijacking, performing actions in the victim's session) were not available: a logged-in victim never renders the login page, so the payload only ever executes for users who are not yet authenticated.
However, because this is the login page, the finding can still be escalated. It always surprises me when I see bug bounty reports for XSS that stop at an alert(). Escalating findings makes sense in a pentest too, but in a bug bounty you are literally throwing money out the window by reporting XSS that way. I'd argue that with a bit of creativity you can always find a way to escalate an XSS to at least a High CVSS score, whereas a plain alert() would probably land at Medium.
Okay, back to my pentest 😃. So what happens on a login page? People enter their credentials.
So I wrote an XSS payload that injects a keylogger and, as a PoC, logs the victim's credentials to the browser console (in a real attack, the payload would of course send them to an attacker-controlled server).
Below you'll find (heavily redacted) screenshots showing the injected keylogger and the exploitation scenario. LinkedIn compressed them quite a lot, but I think they are still readable (anyone have an idea how to avoid that? 😃).