This is a shop with robust security

(You can tell because it has a padlock)


Imagine this site is an online store. What you probably didn't know when you clicked a link to this site was that the link carried an XSS payload (have a look at the address bar now). This "secure" site takes that payload and renders it into the page's HTML without output encoding it for the JavaScript context it lands in. This means an attacker can give you a link which executes his code in your browser; this site lets that happen.

This site also doesn't flag all cookies as "HTTP only", which means the attacker can read them with his XSS payload. Cookies on this site include personal information and other data which could allow an attacker to hijack your session. If he hijacks your session, he has access to all your other personal data stored on the site: your address, your phone number and portions of your credit card information. If you followed the link to this site with the XSS payload while you were logged in to the store, all this information was sent to the attacker. You didn't even know it happened because the information was sent asynchronously. Click here if you'd like to (not) see it happen again or cannot see the XSS payload in the address bar.
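The two defences described above, shown as an added example that is not the ShopWithRobustSecurity code: an encoder for values placed inside a JavaScript string literal (alongside the unencoded rendering that reproduces the bug), and a Set-Cookie builder with and without the HttpOnly flag. The search-term rendering and the cookie names are assumptions for illustration.

```javascript
// Added example, not the ShopWithRobustSecurity code: the two defences the page
// says this store lacks, output encoding for a JavaScript context and HttpOnly.

// Encode a value for use inside a quoted JavaScript string literal. Every UTF-16
// code unit outside [A-Za-z0-9] becomes \xHH or \uHHHH, so the value can never
// close the quote, close the <script> element, or inject a line terminator.
function encodeForJsString(value) {
  let out = '';
  const s = String(value);
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    const cu = s.charCodeAt(i);
    if (/^[A-Za-z0-9]$/.test(ch)) out += ch;
    else if (cu <= 0xff) out += '\\x' + cu.toString(16).padStart(2, '0');
    else out += '\\u' + cu.toString(16).padStart(4, '0');
  }
  return out;
}

// Render a search term into an inline script the way a store page might.
// encoder === null reproduces the page's bug: the raw query lands in JS source.
function renderSearchScript(term, encoder) {
  const value = encoder ? encoder(term) : term;
  return `<script>var searchTerm = '${value}';</script>`;
}

// Build a Set-Cookie header value. Without HttpOnly, document.cookie (and so an
// XSS payload) can read the session cookie; with it, the browser withholds it.
function sessionCookie(name, value, { httpOnly = true, secure = true } = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`, 'Path=/', 'SameSite=Lax'];
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// True when a Set-Cookie header leaves the cookie readable from script.
function cookieReadableByScript(setCookie) {
  return !/(^|;)\s*HttpOnly\s*(;|$)/i.test(setCookie);
}

// Constructed input: an ordinary-looking term that closes the string and the script.
const sampleTerm = "men's shoes</script>";
console.log(renderSearchScript(sampleTerm, null));               // breaks out of the literal
console.log(renderSearchScript(sampleTerm, encodeForJsString));  // stays inside the literal
console.log(sessionCookie('session', 'abc 123', { httpOnly: false })); // readable by script
console.log(sessionCookie('session', 'abc 123'));                      // HttpOnly set
```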

XSS can also be used to completely change the behaviour of the site. How about we place a logon form on this page and tempt you to hand over your credentials? The same practice can be used to redirect links, change page contents or even serve you malware.

Of course this is not a real store and you have no personal information here for an attacker to harvest. However, if you do have an account at an online store that follows the practices above, one little click on one little link is all it might take for an attacker to start harvesting your personal data. Different browsers implement different levels of defence against XSS, so you may or may not see the full experience. Further information on the context of this site will soon be up on

If you'd like to see the source code for this site, it's up on GitHub under ShopWithRobustSecurity.