Do-it-yourself XSS

We receive a steady stream of reports from users who manually altered the HTML documents returned by our services (for example, with Firebug, Zed Attack Proxy, Burp Proxy, or Chrome Developer Tools) and used this to inject alert(1) or equivalent JavaScript statements.

Perhaps unsurprisingly, we do not consider this to be a security bug: if an attacker can convince the victim to manually paste JavaScript code into Chrome Developer Tools, there is nothing that a web application could do to prevent the attack. As usual, when in doubt, try to think about a realistic attack scenario: list the steps that an evildoer would need to complete in order to gain access to the data of another user.