If my site will only ever allow users to see their own submitted data, and never ever data another user has submitted (i.e. no general ‘posts’ etc) – then is there actually a XSS risk on my site?
I’m still going to work towards XSS solutions (like htmlspecialchars() etc) – but I’m curious if an attacker can gain anything by looking at their own XSS attack?
An attacker cannot gain anything by using cross-site scripting techniques on themselves. The intent of cross-site scripting is to manipulate page elements displayed to the user in a malicious way, be it phishing or reading a cookie. In other words, the attack can only affect client-side entities.
However, it is important to keep in mind what “user only ever looking at their own data” means.
Suppose I have a website where users can have a private profile, viewable only to themselves. There is a text input element on the page that allows users to enter their website URL. Now suppose the form to update a user’s profile uses GET.
A page update submission might look like this:
http://www.example.com/privateprofile.pl?action=update&userwebpage=http://www.example.net
An attacker might exploit this by tricking the user into loading the URL:
http://www.example.com/privateprofile.pl?action=update&userwebpage=[malicious_js_code_here]
This is a fairly trivial example, of course, but hopefully it demonstrates the general concept. The concern is that there is the possibility that they may be able to trick the user into entering the XSS themselves. Of course, the viability of an XSS attack like this depends on your specific implementation.
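To make the answer's scenario concrete, here is an added example that is not code from the question or the answer: a toy in-memory model of the privateprofile.pl update flow, with the GET-based vulnerable version beside a hardened one (POST plus a per-session CSRF token, validation of the stored URL, and HTML escaping on output, the JavaScript equivalent of PHP's htmlspecialchars()). Every name in it (profiles, sessions, handleVulnerable, handleHardened, renderUnsafe, renderSafe, isHttpUrl, the token value) is an assumption for illustration, and the attacker link is constructed from the answer's URL.

```javascript
// Added example, not from the original question or answer. Models the
// privateprofile.pl flow described above; all names are assumptions.

const profiles = new Map();   // userId -> { userwebpage }
const sessions = new Map();   // userId -> { csrfToken }

// Equivalent of PHP's htmlspecialchars() with ENT_QUOTES.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The field is a website URL, so only accept http(s). A stored
// "javascript:" URL would still run from an href even after escaping,
// so escaping alone is not sufficient for this particular field.
function isHttpUrl(s) {
  try {
    const u = new URL(String(s));
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch {
    return false;
  }
}

// Vulnerable renderer: stored value goes straight into the page.
function renderUnsafe(profile) {
  const v = profile.userwebpage ?? '';
  return `<p>Your site: <a href="${v}">${v}</a></p>`;
}

// Hardened renderer: value is escaped on output.
function renderSafe(profile) {
  const v = escapeHtml(profile.userwebpage ?? '');
  return `<p>Your site: <a href="${v}">${v}</a></p>`;
}

// Vulnerable flow from the answer: a GET request changes state, so a link
// the logged-in victim is tricked into opening overwrites the victim's own
// profile with the attacker's value, which the page then echoes unescaped.
function handleVulnerable({ method, url, userId }) {
  const params = new URL(url).searchParams;
  if (params.get('action') === 'update') {
    profiles.set(userId, { userwebpage: params.get('userwebpage') });
  }
  return { status: 200, body: renderUnsafe(profiles.get(userId) ?? {}) };
}

// Hardened flow: state changes require POST and a per-session CSRF token,
// the value is validated before storage, and output is escaped.
function handleHardened({ method, url, userId, body = {} }) {
  const params = new URL(url).searchParams;
  if (params.get('action') === 'update') {
    const session = sessions.get(userId);
    if (method !== 'POST' || !session || body.csrf !== session.csrfToken) {
      return { status: 403, body: 'forbidden' };
    }
    if (!isHttpUrl(body.userwebpage)) {
      return { status: 400, body: 'bad url' };
    }
    profiles.set(userId, { userwebpage: body.userwebpage });
  }
  return { status: 200, body: renderSafe(profiles.get(userId) ?? {}) };
}

// Constructed attacker link, built from the answer's example URL.
const payload = '"><script>alert(document.cookie)</script>';
const attackerLink =
  'http://www.example.com/privateprofile.pl?action=update&userwebpage=' +
  encodeURIComponent(payload);

// Runs the three cases and returns the responses for inspection.
function demo() {
  profiles.clear();
  sessions.clear();
  // Victim (user 42) is logged in and opens the attacker's link.
  const vuln = handleVulnerable({ method: 'GET', url: attackerLink, userId: 42 });
  // Same link against the hardened handler: the GET update is refused.
  profiles.clear();
  const hard = handleHardened({ method: 'GET', url: attackerLink, userId: 42 });
  // A legitimate POST carrying the session's CSRF token still works,
  // and angle brackets in the stored value come back escaped.
  sessions.set(42, { csrfToken: 'tok-constructed' });
  const ok = handleHardened({
    method: 'POST',
    url: 'http://www.example.com/privateprofile.pl?action=update',
    userId: 42,
    body: { csrf: 'tok-constructed', userwebpage: 'http://www.example.net/<x>' },
  });
  return { vuln, hard, ok };
}
```

The point to take from `demo()` is that the "victim" and the "attacker" are the same account: the script runs in the victim's session because the victim's own browser performed the update. Making the update a POST with a CSRF token removes the trick-a-link vector, and escaping on output plus scheme validation removes the injection itself, so the fix is independent of whether anyone else can ever see the data.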