Hidden XSS? No User Interaction!

Discover the dangerous world of zero-interaction XSS: how payloads in filenames, image metadata and API-submitted profile fields can fire in an admin's browser without a single click on an attacker's link.

ibrahimsql

We usually picture XSS as "send the victim a link, the victim clicks it". That is reflected XSS. The more dangerous variant is stored XSS delivered through data the victim never thinks of as a link: the payload is saved on the server and fires as soon as any page that renders it is loaded. The victim still opens a page, but it is their own application, during their normal work, not an attacker-supplied URL.

Vectors for Hidden XSS

1. Filename XSS

Upload a file whose name is "><img src=x onerror=alert(1)>.jpg. The filename is just a parameter in the multipart Content-Disposition header of the upload request, so an attacker who sends the request with curl or through a proxy is not limited by what their own operating system allows in a filename. The leading "> is there to break out of an attribute: file lists usually render the name both inside a link (href="/files/...") and as the link text. If the application prints that name into an admin panel without escaping it for each of those contexts, the payload runs in the admin's browser the moment they view the file list.

2. Metadata XSS (EXIF)

Inject the payload into an EXIF tag of an image, for example Model, Artist or ImageDescription; exiftool will write arbitrary strings into them, and the file remains a valid image that passes content-type and size checks. When the application later reads the metadata and shows it, on a photo details page or in a moderation queue for instance, the payload fires in whoever views it. The upload was "just a photo"; the HTML arrived inside it.

3. API-Based XSS

The attacker updates their own profile through the API, PUT /api/user with a body such as { "name": "<script>...</script>" }. The mobile app that normally writes this field shows it as plain text, so nothing looks wrong there, and any client-side validation in the app is simply bypassed by calling the API directly. The web-based admin dashboard renders the same field as HTML, for example through innerHTML or a template with escaping disabled. The same stored value is harmless in one client and executable in another: the safe treatment depends on the output context, not on the client that wrote the data.
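The three vectors differ only in how the payload reaches storage; the rendering step that turns them into script execution is the same. The following is an added example, not code from the original post, that renders one file record through a vulnerable admin-dashboard template and through a hardened one, with a start-tag scan standing in for the browser's parser. The record (which carries all three payloads at once), the /files/ URL layout and the table columns are constructed assumptions; the code runs under Node.js with no browser.

```javascript
// Added example, not code from the original post: one stored record rendered by a
// vulnerable admin-dashboard template and by a hardened one. Runs under Node.js with
// no browser; the browser's parser is approximated by scanning the output for start tags.

// Constructed record (not real data) combining the post's three vectors:
//   name        - filename taken from the upload's multipart Content-Disposition header
//   cameraModel - EXIF Model tag read out of the uploaded image
//   uploader    - display name the attacker set on their own profile via PUT /api/user
const SAMPLE_FILE = {
  name: '"><img src=x onerror=alert(1)>.jpg',         // leading "> breaks out of href="..."
  cameraModel: "<svg onload=alert(document.domain)>",
  uploader: "<script>alert(document.domain)</script>",
};

// Vulnerable: values are concatenated straight into markup, in an attribute
// context (href) as well as in element content.
function renderFileRowUnsafe(file) {
  return (
    "<tr>" +
    `<td><a href="/files/${file.name}">${file.name}</a></td>` +
    `<td>${file.cameraModel}</td>` +
    `<td>${file.uploader}</td>` +
    "</tr>"
  );
}

// Minimal HTML escaper, sufficient for element text and double-quoted attribute values.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened: encode for each output context. The filename becomes a percent-encoded
// URL path segment first, then every value is HTML-escaped before it enters markup.
function renderFileRowSafe(file) {
  const href = "/files/" + encodeURIComponent(file.name);
  return (
    "<tr>" +
    `<td><a href="${escapeHtml(href)}">${escapeHtml(file.name)}</a></td>` +
    `<td>${escapeHtml(file.cameraModel)}</td>` +
    `<td>${escapeHtml(file.uploader)}</td>` +
    "</tr>"
  );
}

// Stand-in for the browser: list the element start tags in the rendered string.
// The template itself contributes exactly tr, td, a, td, td; any other start tag
// was smuggled in by data.
const TEMPLATE_TAGS = ["tr", "td", "a"];
function openTagNames(html) {
  return [...html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
}
function injectedTags(html) {
  return openTagNames(html).filter((tag) => !TEMPLATE_TAGS.includes(tag));
}

// Same hardening for a dashboard that builds the table in the DOM: set text with
// textContent and the URL through the href property, never with innerHTML.
function appendFileRowToDom(tbody, file) {
  const doc = tbody.ownerDocument;
  const row = tbody.insertRow();
  const link = doc.createElement("a");
  link.href = "/files/" + encodeURIComponent(file.name);
  link.textContent = file.name;                 // rendered as text, not parsed as HTML
  row.insertCell().appendChild(link);
  row.insertCell().textContent = file.cameraModel;
  row.insertCell().textContent = file.uploader;
  return row;
}

console.log("unsafe row injects:", injectedTags(renderFileRowUnsafe(SAMPLE_FILE)));
console.log("safe row injects:  ", injectedTags(renderFileRowSafe(SAMPLE_FILE)));
console.log(renderFileRowSafe(SAMPLE_FILE));
```

The unsafe row yields four extra start tags (img twice, because the filename appears in both the href and the link text, plus svg and script); the hardened row yields exactly the five the template wrote, with the payloads visible as literal text in the table, which is also what lets an admin notice them.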

Why It's Dangerous

These attacks target high-privilege users (admins, moderators, support staff) in interfaces they trust: dashboards, moderation queues, log viewers. The victim does not click a suspicious link; they just do their job, and the payload runs with their session and privileges, free to call the dashboard's own API as the admin. Phishing awareness does not help, because nothing the victim did looked like a decision.

Prevention

  • Encode on output, for the context: Never trust input, even when it comes from your own database. Filenames, metadata and profile fields are attacker-controlled no matter how they arrived. Escape each value for the HTML context it is rendered into (element text, attribute value, URL, JavaScript string); in a DOM, assign it with textContent, never innerHTML. Input sanitization alone is not enough, because the data may be written by one client and rendered by another.
  • Content Security Policy (CSP): A strict CSP (nonce- or hash-based script-src, no 'unsafe-inline') blocks the inline event handlers and script blocks these payloads rely on even when the injection succeeds. It is a second layer, not a substitute: the markup still lands in the page, and a policy that allows 'unsafe-inline' or broad host sources does not help.
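To make the CSP point concrete, here is an added example, not from the original post, that puts a weak policy next to a strict one and runs a small heuristic checker over the script-src directive. The policies, the nonce value and the dashboard they are meant for are constructed assumptions; the checker encodes the CSP rules that 'unsafe-inline' is ignored once a nonce, hash or 'strict-dynamic' source is present and that host and scheme sources are ignored under 'strict-dynamic'. It is not a complete CSP implementation.

```javascript
// Added example, not code from the original post: a weak and a strict CSP for the
// admin dashboard, plus a small checker answering the question that matters for the
// payloads above: does this policy let an inline event handler (onerror=, onload=),
// an injected inline <script>, or a script pulled from an attacker's host execute?
// Heuristic over the script-src directive only; not a complete CSP implementation.

// Typical "we have a CSP" policy that stops none of the vectors on this page.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:; img-src *";

// Strict policy: per-response nonce (the value here is a constructed placeholder; a real
// server generates a fresh random one per response), 'strict-dynamic' so scripts loaded by
// nonced scripts still run, no 'unsafe-inline' and no host or scheme allowlists.
const STRICT_CSP =
  "default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic'; object-src 'none'; " +
  "base-uri 'none'; img-src 'self'; style-src 'self'";

// Parse "name src src; name src" into a Map. The first occurrence of a directive wins,
// as in browsers.
function parseCsp(policy) {
  const directives = new Map();
  for (const segment of policy.split(";")) {
    const tokens = segment.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script-src governs scripts; if it is absent, default-src applies; if both are
// absent, scripts are unrestricted.
function effectiveScriptSources(directives) {
  if (directives.has("script-src")) return directives.get("script-src");
  if (directives.has("default-src")) return directives.get("default-src");
  return null;
}

function evaluateScriptPolicy(policy) {
  const sources = effectiveScriptSources(parseCsp(policy));
  const findings = [];
  if (sources === null) {
    findings.push("no script-src or default-src: scripts are unrestricted");
    return { inlineAllowed: true, remoteScriptAllowed: true, findings };
  }
  const lower = sources.map((s) => s.toLowerCase());
  const has = (token) => lower.includes(token);
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));

  // Inline event handlers and inline <script> blocks need 'unsafe-inline', and browsers
  // ignore 'unsafe-inline' once a nonce, a hash or 'strict-dynamic' is present.
  const inlineAllowed = has("'unsafe-inline'") && !hasNonceOrHash && !has("'strict-dynamic'");
  if (inlineAllowed) {
    findings.push("'unsafe-inline' is effective: injected onerror=/onload= handlers and <script> blocks run");
  }
  if (has("'unsafe-hashes'")) {
    findings.push("'unsafe-hashes': event handlers whose hash is listed still run");
  }

  // Wildcard or scheme-wide sources let an injected <script src="https://attacker..."> load.
  // Under 'strict-dynamic' host and scheme sources are ignored, so they do no harm there.
  const broad = lower.filter((s) => s === "*" || /^(https?|data|blob):$/.test(s));
  const remoteScriptAllowed = broad.length > 0 && !has("'strict-dynamic'");
  if (remoteScriptAllowed) {
    findings.push(`broad script source(s) ${broad.join(" ")}: attacker-hosted scripts can load`);
  }

  return { inlineAllowed, remoteScriptAllowed, findings };
}

console.log("weak:  ", evaluateScriptPolicy(WEAK_CSP));
console.log("strict:", evaluateScriptPolicy(STRICT_CSP));
```

Run it against the header your dashboard actually sends; if inlineAllowed comes back true, the filename, EXIF and profile-name payloads above all execute regardless of the rest of the policy, and the fix is to move to a nonce-based script-src rather than to add more host entries.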