XSS attacks can be perform in two different ways, non-persistent and persistent. Non-persistent attacks require a user to visit a specially crafted link laced with malicious code. Upon visiting the link, the code embedded in the URL will be echoed and executed within the user’s web browser. Persistent attacks occur when the malicious code is submitted to a web site where it’s stored for a period of time. Examples of an attacker’s favorite targets often include message board posts, web mail messages, and web chat software. The unsuspecting user is not required to click on any link, just simply view the web page containing the code.
Cookie Stealing Code Snippet:
Most web portals offer a personalized view of a web site and greet a logged in user with “Welcome, “. Sometimes the data referencing a logged in user are stored within the query string of a URL and echoed to the screen.
Portal URL example:
URL Encoded example of Cookie Stealing URL:
Decoded example of Cookie Stealing URL: