I have a toy web application that can be described roughly as a per-user key-value store. After logging in, the user can view and modify her set of key-value pairs. The keys and values are stored in a database on the server. The keys or values are not shared among users in any way.
I just discovered that JavaScript code included in the keys or values was not properly escaped. So if a user added a key foo with a value of bar <script>alert(1)</script>, the script would execute in the user's browser.
Of course, I fixed this as soon as I noticed it. But I was left wondering: Can this be exploited to do anything harmful? Remember that the key-value pairs are ONLY ever shown to the user who created them.
(The only scenario I could think of is rather far-fetched: An attacker convinces the user to navigate to my web application and then to click on a rogue bookmarklet. The bookmarklet saves a key-value pair with a script that steals the user's key-value pairs. Because this is persisted to the database, the key-value pairs will be sent to the attacker every time the user loads the page. But with a rogue bookmarklet you can do almost anything anyway...)
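The unescaped rendering described in the question next to the output-encoding fix, as an added example that is not part of the original question; the sample pair is constructed from the question's own example and the function names are assumptions of mine:

```javascript
// Added example (not from the original question). Renders a user's
// key-value pairs into table rows, first the unescaped way that caused the
// bug described above, then with HTML output encoding applied.

// Constructed sample matching the question's example pair.
const pairs = [{ key: "foo", value: "bar <script>alert(1)</script>" }];

// Vulnerable: key and value are concatenated straight into markup, so any
// HTML inside them (including a <script> element) becomes part of the page.
function renderUnescaped(rows) {
  return rows
    .map((r) => `<tr><td>${r.key}</td><td>${r.value}</td></tr>`)
    .join("");
}

// Fix: encode the characters that have meaning in an HTML text context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  })[c]);
}

// Hardened: every untrusted field goes through escapeHtml before insertion.
function renderEscaped(rows) {
  return rows
    .map((r) => `<tr><td>${escapeHtml(r.key)}</td><td>${escapeHtml(r.value)}</td></tr>`)
    .join("");
}

// Simple check for a regression test: does a raw <script tag survive rendering?
function containsScriptTag(html) {
  return /<script/i.test(html);
}

console.log(renderEscaped(pairs));
```

Building the rows with DOM APIs (`textContent`, `createElement`) instead of string concatenation achieves the same result without a hand-written escaper.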