XSS and Cookie Theft: A Real-World Before/After Case Study

A few years ago, I helped clean up a customer support dashboard that had a “small” XSS bug nobody took seriously. The team’s first reaction was predictable: “So what? Our session cookie is SameSite=Lax. We’re fine.” They weren’t fine. The attacker didn’t need anything fancy. They found a stored XSS bug in an internal comments feature, dropped in a payload, and every support agent who viewed that ticket executed attacker-controlled JavaScript in their browser. The original fear was cookie theft, but the real damage was bigger: account actions, data extraction, and session abuse. Cookie theft was just the easiest thing to explain to the team. ...
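To make the "stored XSS in a comments feature" concrete from the defender's side, here is an added example (not code from the original post or the dashboard it describes) in plain JavaScript. It shows a comment renderer in its vulnerable form and its escaped form, a check a test suite can run over rendered output, and a Set-Cookie builder that makes the point about SameSite versus HttpOnly. The comment data, the function names and the allowed-tag list are all constructed for illustration.

```javascript
// Added example, not from the original post. All data below is constructed.

// Constructed ticket comments: one benign, one carrying markup an agent's
// browser would execute if it were inserted into the page unescaped.
const comments = [
  { author: 'alice', body: 'Customer asked for a refund.' },
  { author: 'mallory', body: '<img src=x onerror="alert(1)">' },
];

// Vulnerable renderer: interpolates attacker-controlled text straight into HTML.
// Every agent who views the ticket gets the second comment's markup parsed as code.
function renderCommentsUnsafe(list) {
  return list.map(c => `<li><b>${c.author}</b>: ${c.body}</li>`).join('');
}

// Escape the characters that let text break out of HTML text or attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, ch => map[ch]);
}

// Hardened renderer: same template, but untrusted fields are escaped on output.
function renderCommentsSafe(list) {
  return list
    .map(c => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join('');
}

// Crude regression check: any tag other than the ones the template itself emits
// means untrusted markup reached the page. The allowed list is an assumption
// matching the template above; adjust it to the real template.
function containsUnexpectedTags(html, allowed = ['li', 'b']) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9-]*)/g)]
    .map(m => m[1].toLowerCase());
  return tags.some(t => !allowed.includes(t));
}

// Session cookie attributes. SameSite limits which cross-site *requests* carry
// the cookie; it does nothing once attacker script is already running on the
// dashboard's own origin. HttpOnly keeps document.cookie from exposing the
// value to that script, and Secure keeps it off plaintext connections. Note
// that none of these stop the script from making same-origin requests on the
// agent's behalf, which is why fixing the XSS itself is the actual remediation.
function sessionCookieHeader(name, value, opts = {}) {
  const { httpOnly = true, secure = true, sameSite = 'Lax', path = '/' } = opts;
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`];
  if (httpOnly) parts.push('HttpOnly');
  if (secure) parts.push('Secure');
  parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

console.log('unsafe render leaks markup:', containsUnexpectedTags(renderCommentsUnsafe(comments)));
console.log('safe render leaks markup:  ', containsUnexpectedTags(renderCommentsSafe(comments)));
console.log(sessionCookieHeader('sid', 'constructed-session-id'));
```

Run it with Node and compare the two renderers on the same input: the unsafe one emits the `<img>` tag verbatim, the safe one emits `&lt;img ...&gt;` which the browser shows as text. The `containsUnexpectedTags` check is the kind of assertion worth adding to the rendering tests so a future template change cannot quietly reintroduce the bug.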

May 8, 2026 · 6 min · headertest.com