I am confused about the attack surface made possible by an XSS vulnerability. Suppose I have a simple web application that does not involve authentication (perhaps a “word of the day” kind of thing). If it is naively written and allows injection by crafting a malicious link, what kind of damage can the injection do?
To make things concrete, here’s a PHP script (what else) that is wide open to attack, since it will send back any nonsense added to the request URL.
<html><body> <p> <?php echo 'Access denied:' . $ _SERVER["PHP_SELF"] ; ?> </p> </body></html>
How bad would it be to have this problem on my server? What can happen exactly? My script does not collect or store any data, so there is no chance of a persistent injection on my server.
If the user clicking on the malicious link trusts my domain, they could be tricked into doing or accepting things that they wouldn’t otherwise. But if my domain enjoys no special trust, is there still danger? The attacker has already had access to the user/victim to trick them into visiting me through the doctored link, so is my website really posing an additional danger?
Since the reflected code appears to originate on my domain, could the attacker gain access to my intranet? I suppose in this case no trickery is needed: the attacker can run the malicious requests directly on my server, right?
I must be missing something here, please help me understand what that is.