Task 1 of 5

From Alert Box to Admin Access

Every security team has seen a report that says: "XSS found. Proof: alert(1) fired."

That is not a critical finding. An alert box proves execution — it does not prove impact. The question every triage engineer asks is: what can you actually do with this?

The answer is almost always: steal the session and take over the account.

Here is the escalation chain:

  1. Find XSS: reflected, stored, or DOM-based
  2. Steal the session cookie: read document.cookie and send it to a server you control (only cookies set without the HttpOnly flag are readable from script; if the session cookie is HttpOnly, fall back to riding the session by issuing authenticated requests from inside the victim's browser)
  3. Inject the cookie into your browser (devtools, or a Cookie header on your requests): you are now authenticated as the victim
  4. Do whatever the victim can do: change the email, extract data, access admin panels

In 2021, a stored XSS in a fintech company's transaction notes field allowed an attacker to steal session cookies from bank staff. The attacker gained access to internal admin tools with visibility into all customer accounts. The bug was initially triaged as Low. After the researcher demonstrated account takeover, it was upgraded to Critical with a $15,000 bounty.

Learning to escalate XSS to account takeover is what separates hobbyists from professionals.