Here is a XSS Exploiter sample report:
Demonstrate to your client how easy it is to exploit the XSS vulnerability that you have found in his web application. Quickly create a Proof-of-Concept simulating a real-life attack.
Distribute the payload to the target audience and gather data from multiple users. Measure the security awareness of the organization and find privileged accounts (ex. administrators) to extract data from.
This tool can also be used during web security training in order to better understand XSS and its risk in real life attacks.
|Label||The label which is used to identify your handler. Choose something meaningful for you, such as the name of the web application, of the organization, a testing scenario, etc.|
|Get cookies||Have the script fetch the user's cookies. A common field that is stored here is the session cookie. Stealing this can be used to impersonate the user and do actions on their behalf. In order to do this, you only need to replace your own session cookie when accessing the application with the one stolen from the user.|
|Get HTML Content||Have the script fetch the HTML content of the page the user is on. This includes any modifications caused by user interaction, such as automatic completion of forms or sensitive user data displayed inside an Account Details page.|
|Get page screenshot||Have the script fetch a screenshot of the generated page. This is useful when presenting the Proof-of-Concept to non-technical users, as definite visual proof that the private session of another user can been accessed.|
|Get keystrokes||Have the script intercept and record user keyboard input. A keylogger is especially useful on pages where sensitive user input is requested, such as login pages. It can retrieve usernames, passwords, specific search terms used, or other sensitive user-inputted data, that is not available at the end of the page load.|