The Exploit Blog

Raxis Cybersecurity Insights From The Frontlines

Cross-Site Scripting (XSS): Cookie Theft - Advanced Payloads

Exploits | How To | Web Apps

Cross-Site Scripting (XSS): Cookie Theft – Advanced Payloads

ByRaxis Research Team December 18, 2025November 21, 2025

We reached into our vaults to bring you the final video in our cross-site scripting (XSS) series. If you missed the first two videos in the series, take a look at the full playlist on YouTube.

After discussing the basics of XSS and two evasion techniques that hackers use to get past remediation efforts, in this video we show more advanced stored XSS attacks that move beyond pentester proof of concepts to three real-world attacks that can cause harm to websites.

Cookie theft to update a webpage for all visitors
Website defacement such as changing the website background to a photo of the attacker’s choosing or even redirecting users to the attacker’s website of choice
Cross-Site Request Forgery (CSRF) that forces a user to send HTTP requests, such as deleting or updating data, each time they visit the webpage

With injection listed as #5 on the new 2025 OWASP Top 10 list, these attacks are still very relevant today. Learn how the attacks work and how to remediate your web application to keep it secure from XSS exploits.

Raxis Research Team

The Raxis Research Team is dedicated to staying ahead of the threat landscape. Our experts dig into emerging exploits, uncover hidden vulnerabilities, and develop resources that power our penetration testing engagements. By combining curiosity with technical precision, the team equips Raxis testers with cutting-edge intelligence to simulate real-world attacks and strengthen client defenses.

How To | Red Team | Social Engineering

PSE & Red Team Series: The Power of Grip to Enhance the Under-Door Tool
ByBrad Herring August 12, 2025May 29, 2025

In this next post in our PSE and Red Team Series, Brad Herring explains how to use gaffer’s tape or heat-shrink tubing to make an under-door tool easier to use.

Read More PSE & Red Team Series: The Power of Grip to Enhance the Under-Door Tool
How To | Security Recommendations

Remediating Account Enumeration Vulnerabilities From Your Penetration Test
ByRaxis Research Team April 9, 2021June 16, 2025

Account enumeration reveals whether usernames are valid for use in other attacks. Lead Penetration Tester Matt Dunn explains how it works and how to prevent it.

Read More Remediating Account Enumeration Vulnerabilities From Your Penetration Test
Exploits | Penetration Testing | Red Team

Raspberry Pi Planted in Failed ATM Heist
ByBrian Tant August 14, 2025September 2, 2025

Raxis Chief Penetration Tester Brian Tant discusses the Raspberry Pi used in a recent ATM heist and how Raxis uses the same type of device in our pentesting.

Read More Raspberry Pi Planted in Failed ATM Heist
Exploits | How To

LDAP Passback and Why We Harp on Passwords
ByRaxis Research Team April 30, 2021June 6, 2025

LDAP passback exploits are easy when companies fail to change default passwords on network devices or fail to assign a password at all. If you connect it, you must protect it.

Read More LDAP Passback and Why We Harp on Passwords
Exploits

RAXIS THREAT ALERT: VULNERABILITY IN OPENSSL v3.0.x
ByBrad Herring October 31, 2022

In the cyberworld, news of a critical vulnerability affecting OpenSSL versions 3.0 – 3.0.6 will likely be the scariest part of Halloween ’22.

Read More RAXIS THREAT ALERT: VULNERABILITY IN OPENSSL v3.0.x
How To | Networks

Goodies for Hoodies: TCP Timestamps
ByBrian Tant June 4, 2018June 2, 2025

Does your penetration test always return a low-risk finding about TCP Timestamps? Why worry about it? Because it gives hackers info to use in other attacks.

Read More Goodies for Hoodies: TCP Timestamps