Raphael Silva Justin Gardner hakluke That’s basically it. But those are also the two attack scenarios for XSS
Raphael Silva Justin Gardner hakluke Of course you’re right, XSS can be much more easily weaponized. But I would argue that XSS without further escalation is only useful for phishing, and an open redirect would do a similar job
Arham Khan Something like <script src='//15.rs' ?
That's about 21 characters, so you still have space in there for a slightly bigger domain if you need. You don't need the scheme or the last '>' most of the time.
Raphael Silva Yeah, I think the blocker here is the lack of being able to supply our own DTD.
Raphael Silva xssdoctor hakluke Yeah, I mean 'being a part of an exploit chain' is SUPER broad, so putting that aside there isn't anything, but as for chains:
* OR => XSS (if it is client-side OR and JS scheme is available)
* OR + CSPT => XSS or CSRF
* SSRF + OR => Bypassed Host Restrictions
* OAuth + OR => ATO