
Blast from the Past: Cross Site Scripting on the AWS Console - wendythehacker
https://embracethered.com/blog/posts/2020/aws-xss-cross-site-scripting-vulnerability/
======
tylerd22
xss is surprisingly hard to prevent because user input must be escaped
differently depending on context (html, css, js, json).

User input also shows up in surprising locations such as dns records and whois
info.

Luckily, an effective xss attack e.g. targeting the admin of a target
website, often requires a large amount of effort and social engineering.
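
An added illustration of the point above about context-dependent escaping (not part of the original comment): the same untrusted value needs a different encoding for each place it is written. Function names and the sample value are constructed for this example.

```javascript
// Added example; names and the sample value are constructed for illustration.
const hex4 = (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0');

// HTML text / quoted attribute value: entity-encode markup metacharacters.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Inside a quoted JavaScript string literal: \uXXXX for everything that is not
// alphanumeric, so neither a quote nor "</script>" survives.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, hex4);
}

// JSON placed in a <script> element: still valid JSON, but with the characters
// the HTML parser reacts to written as \uXXXX.
function encodeJsonForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, hex4);
}

// Inside a quoted CSS string: backslash-hex escape terminated by a space.
function encodeCssString(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu,
    (c) => '\\' + c.codePointAt(0).toString(16) + ' ');
}

// One untrusted value, encoded for each sink it might reach.
function encodeForAllContexts(untrusted) {
  return {
    html: encodeHtml(untrusted),
    js: encodeJsString(untrusted),
    json: encodeJsonForScript(untrusted),
    css: encodeCssString(untrusted),
    url: encodeURIComponent(untrusted), // URL query-parameter value
  };
}

const SAMPLE = `"'></script><x>&`; // constructed input
console.log(encodeForAllContexts(SAMPLE));
```

All five outputs differ, and each one is safe only in its own context.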

~~~
kerng
This is especially true for reflected attacks, besides doing targeted spear
phishing via email or messenger apps it won't be successful.

For persistent attacks, it's mostly just sit and wait for an attacker - they
don't really control when/if a user visits the compromised page.

