3

I've stumbled upon the following example of XSS attacks on OWASP:

Other damaging attacks include the disclosure of end user files, installation of Trojan horse programs...

As far as I know, a classic XSS attack that uses JS has very restrictive access (if at all) to user end files and the OS itself because of the browser's sandbox. So I would like to know how it is even possible, or maybe I am missing something? And does anyone have a scenario for such an attack?

Anders
Evgeny
  • Something you should look up is BeEF. The browser-exploitation framework is a framework with which you can take control over the user's browser, and even his computer if you mix it with e.g. Metasploit. The only thing the victim needs to do is visit a website which has the hook; that hook can be either coded into the site, or injected by XSS. http://beefproject.com/ – O'Niel Jul 04 '16 at 14:05
  • @O'Niel Sounds cool, I'll check that out. – Evgeny Jul 04 '16 at 14:08

2 Answers

6

An XSS attack could replace a legitimate download link on the site to one that contains a trojan. The user clicks the link, downloads the executable and runs it thinking it was the genuine program they were intending to install. The attacker could even backdoor the original executable so the user doesn't suspect that anything is wrong.

As for user files, it is not clear from the article but I'm assuming it is files uploaded to the system in question, not the user's file system.

So while an XSS attack doesn't allow actioning these things directly, should the user be unaware that an attacker has access to the client-side of their session, then the specific attacks mentioned could be accomplished.

SilverlightFox
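One way a site owner can detect the link-replacement scenario described in this answer is to compare the download links in a snapshot of the rendered page against an allow-list of hosts that legitimately serve the installers. This is an added example, not code from the answer or from OWASP; it assumes the HTML snapshot was captured from a real browser session (so that DOM rewrites made by injected script are present), and the hostnames, the `.test` domains and the `find_rogue_download_links` function are all constructed for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a vendor page where an injected script has added a second
# "mirror" link pointing the installer at an attacker-controlled host.
# All hostnames are hypothetical (.test TLD).
SAMPLE_HTML = """
<html><body>
<h1>Download</h1>
<a class="download" href="https://cdn.example-vendor.test/setup-1.2.exe">Get installer</a>
<a href="https://mirror.attacker.test/setup-1.2.exe" download>Fast mirror</a>
<a href="/docs/install.html">Install guide</a>
</body></html>
"""

BINARY_SUFFIXES = (".exe", ".msi", ".dmg", ".pkg", ".zip")


class LinkCollector(HTMLParser):
    """Collect the href value of every <a> tag in the document."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def find_rogue_download_links(html, allowed_hosts):
    """Return links to installer-like files whose host is not allow-listed.

    Relative URLs are treated as same-origin and therefore trusted; the
    check only cares about absolute URLs to binaries on foreign hosts.
    """
    collector = LinkCollector()
    collector.feed(html)
    rogue = []
    for href in collector.hrefs:
        parsed = urlparse(href)
        if not parsed.netloc:  # relative URL: same origin, skip
            continue
        if parsed.path.lower().endswith(BINARY_SUFFIXES) and parsed.hostname not in allowed_hosts:
            rogue.append(href)
    return rogue


if __name__ == "__main__":
    print(find_rogue_download_links(SAMPLE_HTML, {"cdn.example-vendor.test"}))
```

Running the same check from a monitoring job against periodic browser-rendered snapshots gives an alert when a legitimate download link has been redirected, which is the symptom a user would otherwise never notice.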
1

As already suggested, a BeEF hook into the XSS vector can be very dangerous in this case. Apart from the traditional Metasploit integration into the BeEF hook, there are some other scenarios which need to be kept in mind.

The WebRTC JavaScript API, including MediaStream, RTCPeerConnection and RTCDataChannel, enables direct communication between browsers using TURN servers.

There is a very nice presentation about this from DEF CON 23. I encourage you to have a look at it.

tdkm