One of these days I'm gonna have to learn why cross-site scripting even matters, especially with modern browsers restricting a script's access to anything local

The attacker can do anything using your session.

The "Hello world" examples always show using it to steal your cookies, which obviously doesn't work now when nearly every site uses the "httpOnly" flag which makes the cookie inaccessible to JavaScript, but really, stealing your session isn't necessary. They just have to make the XSS payload run the necessary JavaScript.

Once the JavaScript is running on the page, all bets are off. They can do ANYTHING that the page can do, because now they can make HTTP requests on your behalf. SOP no longer applies. CSRF no longer protects you. The attacker has full control of your account, and all the requests will appear to come from YOUR browser.

If I can run my own code but in your context, I can pull in malicious scripts.

With those (all these are "possible" but not always, as usual, it depends, and random off the top of my head):

- I can redirect you to sites I control where I may be able to capture your login credentials.

- May be able to prompt and get you to download malware or virus payloads and run them locally.

- Can deface the site you are on, either leading to reputational harm for that brand, or leading you to think you're doing one thing when you're actually doing another.

- I may be able to exfiltrate your cookies and auth tokens for that site and potentially act as you.

- I might be able to pivot to other connected sites that use that site's authentication.

- I can prompt, as the site, for escalated access, and you may grant it because you trust that site, thereby potentially gaining access to your machine (it's not that the browsers fully restrict local access, they just require permission).

- Other social engineering attacks, trying to trick you into doing something that grants me more access, information, etc.

It's a good question and one mature orgs ask themselves all the time. As you can see from most of the replies here, XSS captures the fancy of the bug bounty crowd because there are tonnes of hypothetical impacts so everyone is free to let their imagination run wild when arguing with triagers. It's also the exploit nonpareil for nerdsnipers because sanitisation is always changing and people get to spend their days coming up with increasingly ridiculous payloads to bypass them. In reality, find me one active threat actor who has compromised a business lately with an XSS. It's not an irrelevant risk, but the attention it gets is wildly disproportionate to its real-world impact.

You log in to goodsite.com

goodsite.com loads a script from user-generated-content-size.com/evil.js

evil.js reads and writes all your goodsite.com account data.