What Is an XSS Attack and How It Works

What It Is

XSS (cross-site scripting) is an input validation issue that lets attackers run scripting code in your browser within the trusted context of a site that you’re visiting. Browser scripting code can do quite a bit, including sending your authentication cookies to a malicious site so they can be used to impersonate you.

How It Works

XSS occurs when a site reflects code that it’s given, i.e. fails to identify it as something that can be run in a browser and then gives it back to the sender, instead of sanitizing it properly (filtering it for possible dangerous elements). So a site that’s vulnerable to XSS can be sent something like the following (within script tags) via an HTTP GET or POST.

alert('Uh oh -- XSS!')

If you get back a popup window that says, “Uh oh — XSS” — the site is vulnerable. One of the most common places to have these issues is in the search forms that most sites have. The key here is that the code is client-side code being “bounced back” to you by the server, which you then run.
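The reflection described above, shown next to its fix. This is an added example, not code from the original page: the function names, the /search path and the shop.example host are assumptions, and the sample link is constructed around the page's own alert test string.

```javascript
// Added example: a search page that echoes the query, unsafe and hardened.
// All names here (escapeHtml, renderSearchUnsafe, renderSearchSafe,
// queryFromUrl, containsScriptTag) are hypothetical, chosen for illustration.

// Encode the characters that let text break out of an HTML text or
// quoted-attribute context, so the browser displays them instead of parsing them.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the query is concatenated into the response untouched,
// so any markup in it becomes markup in the page the victim receives.
function renderSearchUnsafe(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Hardened: the same page, with the query encoded at the point of output.
function renderSearchSafe(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// What the server sees: the q parameter after URL decoding.
function queryFromUrl(url) {
  return new URL(url).searchParams.get('q') ?? '';
}

// Crude check used only to compare the two responses below.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample link carrying the page's test string in script tags.
const TEST_STRING = "<script>alert('Uh oh -- XSS!')</script>";
const sampleUrl = 'https://shop.example/search?q=' + encodeURIComponent(TEST_STRING);

const query = queryFromUrl(sampleUrl);
console.log('unsafe:', renderSearchUnsafe(query));
console.log('safe:  ', renderSearchSafe(query));
```

Encoding at output time is what keeps the reflected text inert; the hardened page still shows the visitor exactly what they searched for.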

The Attack

Ok, so XSS works by sending something to a site (often through their search form) with scripting code in it and having it bounced back, right? So why is that a problem? How is someone going to make a victim send this potentially dangerous garbage to a site?

They send you a link.

Links can be very long and elaborate — including having a good amount of code in them. So what they do is pick a target site that’s vulnerable to XSS, say acmebank.com, and then build a query into a link that includes the malicious code. They then send these links all over the place and wait for people to click on them.

Remember that cookies can only be read by the domain that the cookies belong to. That’s why the attacker has to get THE VICTIM to send their malicious code to the website by clicking the links.

Summary

So here are the steps:

  1. Attackers send out links with the poisoned queries in them directed at a specific vulnerable site.
  2. The malicious code within the query string is reflected back to the victim by the vulnerable server.
  3. The victim’s browser sees the code is coming from a trusted site, so it runs the code and/or gives it access to its cookies from that same domain.
