So, I have just made a web-app that uses some cross-site scripting: https://flatassembler.github.io/PicoBlaze/PicoBlaze.html
Any idea what is going on here? How does it protect against cross-site scripting being used for tracking, if it allows this? I thought the whole point of using TOR Browser over TOR instead of using Firefox over TOR or Chrome over TOR was that TOR Browser doesn't allow scripts to do things damaging to your anonymity, such as cross-site scripting. But apparently TOR Browser allows that.
Interested to see just how different firms do things regarding XSS vulnerability detection during a web app penetration test. So there can be many entry points where XSS could be possible in a web application. Do you guys fuzz all input fields (if within scope) using an XSS payload list? Or do you just try a few payloads manually on input fields that you think are likely to be vulnerable? What's your general methodology to make sure you are giving as thorough a test as possible of XSS during an engagement?
In this video walkthrough, we demonstrated how to get the user's cookies using reflective cross-site scripting. We demonstrated the scenario with a TryHackMe machine. This video is part of the COMPTIA Pentest+ Pathway.
video is here