Most frequently, cross-site scripting vulnerabilities are used by an attacker to obtain information, such as a cookie or session ID, which is available via the Document Object Model. However, some cross-site scripting vulnerabilities might allow execution of arbitrary code on the victim’s machine, especially when the vulnerability is in a trusted site or Web-driven client application, or is combined with an unsafe ActiveX control.
Cross-site scripting can also be used to:
Manipulate the Document Object Model. If scripts can be executed, any of the functions available through the browser’s Document Object Model can be called, including functions that read and write files (usually blocked in “unsafe” domains, but cross-site scripting bugs are not confined to these), pop up windows, or manipulate cookies and history.
“Poison” cookies by modifying them to suit an attacker’s purpose. Chapter 20 describes cookie poisoning in more detail.
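The exposure described above, where a cookie or session ID is available to script through the Document Object Model, can be checked from a site's responses. The following is an added example, not from the original text: it lists which cookies in a set of Set-Cookie headers lack the HttpOnly attribute and are therefore readable through document.cookie. The header values and function names are constructed for illustration.

```javascript
// Added example (not from the original text): find cookies that page script,
// including injected script, can read through document.cookie.

// Constructed sample Set-Cookie header values.
const SAMPLE_HEADERS = [
  "SESSIONID=abc123; Path=/; Secure",
  "prefs=dark; HttpOnly; Path=/",
  "auth=tok; httponly; SameSite=Lax",
  "tracking=1; Path=/; HTTPONLY=",
  "cart=42",
  "malformed",
];

// Parse one Set-Cookie value into { name, attrs }, or null if it has no name=value pair.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const pair = parts.shift();
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // RFC 6265: no "=" or an empty name means the header is ignored
  const attrs = new Map();
  for (const part of parts) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs.set(key, i === -1 ? "" : part.slice(i + 1).trim());
  }
  return { name: pair.slice(0, eq).trim(), attrs };
}

// Names of cookies set without HttpOnly. Attribute names are case-insensitive and
// any value after "HttpOnly" is ignored, so presence alone is what counts.
function scriptReadableCookies(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => c !== null && !c.attrs.has("httponly"))
    .map((c) => c.name);
}

console.log(scriptReadableCookies(SAMPLE_HEADERS));
```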