Hacker News

llmslave2 yesterday at 2:23 AM

How is XSS not remote code execution? You can do anything, from send fetch requests to the server with full credentials to logging keystrokes or even open a tunnel and eval payloads...

Anything the user can do, you can do via an XSS attack.



rainonmoon yesterday at 2:35 AM

Show me where you can "open a tunnel" using the XSS in this post.

> Anything the user can do, you can do via an XSS attack.

I just explained why this isn't a reasonable assumption. You seem to have multiple fundamental misunderstandings about web application security so I don't think it's constructive for either of us to continue this conversation.

collinmanderson yesterday at 2:48 PM

Generally code execution within browser/client-side JavaScript sandbox is just "XSS".

RCE usually implies server-side code execution (or breaking out of browser sandbox).
