Persistent XSS Leading To Financial Lost (Hypothetical Scenario)

Before I continue, I want to first declare that this is a hypothetical scenario and that I did not actually exploit this on the internet. (I do not want my reader to think I am click-baiting)

Recently I got into online marketing and it was certainly eye-opening to learn how people make a living out of online business.

They could be making money literally anywhere in the world and have the ability to generate truly passive income even when they are asleep.

Anyway, one of the more important take-ups aways is that Facebook has this little snippet of the script called a Facebook pixel.

Think about it as Google Analytics but for Facebook.

It allows an online business to retarget using Facebook ads.

After inserting Facebook pixel, marketers usually have 2 phases.

The first phase is to drive traffic to their website in hope of converting the leads to sales.

And in the second phase, they have two options.

  1. Retarget customers that have purchased an item or
  2. Retarget customers that have added an item to the cart but did not checkout.

Information Security Is Hard

I am into web application security and am always thinking of ways to explain a security flaw to someone non-technical.

Usually, the explanation of XSS vulnerability consists of cookie stealing or defacement.

All of these ideas are pretty abstract and do not resonate well with a non-technical person.

So here goes another attempt in getting them to understand the severity of a persistent XSS.


As a business owner imagine someone were to inject their own Facebook pixel into your website.

An attacker is then able to retarget all of your audience that was converting to their own.

Remember in the beginning I mentioned the first phase – to drive traffic?

Unless you are already ranking on Google, it is not cheap to drive traffic. So no business owner in the world is willing to let someone else retarget their customers.

Back to the mindset of an attacker.

Why would an attacker do this right?

If they could gain administrative access and deface a competitor’s site, why all this trouble?

The reason is simple. It’s hard to detect.

How often do business owners check the elements of their websites?

Even if they do, they would probably overlook the fact that there is an extra Facebook pixel that should not be there.

Position of Security Consultants

I think the role of a security consultant is unique.

Business people need to think in the shoes of their customers.

The C-level executive needs to think in the shoes of their employees.

But as a security consultant, you need to put yourself in the shoes of both a developer and the website owner.

It is your job to not only find the vulnerability but also make it meaningful so that the receiving end understands the severity of the vulnerability.