Predefined Post Authentication Session ID (proof of concept)



Instructions: 

For a social engineering scenario:

1. Open the page http://www.iosec.org/iosec_login_vulnerable.php
2. Type "javascript:alert(document.cookie)" into the address bar and copy all of the information shown, including the Session ID.
3. Do not close the browser window. You may close tabs, but you must not close the browser window.
4. Wait for a victim to log in at http://www.iosec.org/iosec_login_vulnerable.php (user: gokhan, password: muharremoglu).
5. After he/she logs in, use your copied Session ID to log in as him/her. A cookie editor can do this job.

You can use the Username field for an alternative XSS attack scenario; it is intentionally left vulnerable, which makes a remote version of the attack possible.
You can steal the PHPSESSID before authentication because of the predefined post-authentication session ID: the session ID issued on the login page is kept unchanged after login.
You cannot steal it after authentication because of the httpOnly flag.
The httpOnly flag is added to the PHPSESSID cookie only after the login process.

There is no same-origin restriction on this page. Where such a restriction exists, some of them can be bypassed with known techniques.

A scenario taken from real life:

There are kiosk/terminal machines at bank branches from which customers can reach the regular Internet banking application.
These machines are restricted by policies: you cannot view any other web site or close the browser page.
But you can type into the address bar. All you can do is enter the bank's Internet banking application.

1. Type "javascript:alert(document.cookie)" into the address bar and copy all of the information, or just the Session ID, onto a piece of paper.
2. Wait for a victim to log in at the kiosk.
3. After he/she logs in, use your copied Session ID to log in as him/her.

In this scenario:
There was no same-origin restriction,
There was no httpOnly cookie flag.
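Both scenarios above rest on the same server-side defect: the session ID issued before authentication stays valid after login. The following is an added example, not the iosec.org demo's code, showing a minimal PHP login handler with that defect beside its fix; the credential store and the HTTPS assumption are constructed for the example.

```php
<?php
// Added example, not the iosec.org demo's code: a minimal PHP login handler
// showing the session-fixation defect described above beside its fix.

// Cookie flags must be set BEFORE session_start(). The demo adds httpOnly only
// after login, so the pre-auth PHPSESSID is still readable via document.cookie.
session_set_cookie_params([
    'httponly' => true,  // script can no longer read PHPSESSID
    'secure'   => true,  // assumption: the site is served over HTTPS
    'samesite' => 'Lax',
]);
session_start();

// Constructed credential store; a real app would load a stored password_hash().
function check_credentials(string $user, string $pass): bool
{
    $users = ['demo' => password_hash('demo-password', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

// Vulnerable: keeps the session ID that was issued before authentication,
// so whoever learned it on the login page now owns the authenticated session.
function login_vulnerable(string $user, string $pass): bool
{
    if (!check_credentials($user, $pass)) {
        return false;
    }
    $_SESSION['user'] = $user;
    return true;
}

// Fixed: issue a fresh ID at the privilege change and delete the old session
// data server-side, so a pre-auth ID is worthless after login.
function login_fixed(string $user, string $pass): bool
{
    if (!check_credentials($user, $pass)) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['auth_time'] = time();
    return true;
}
```

To check an application for this defect, record the PHPSESSID value served on the login page, authenticate, and confirm that the value issued after login differs; an unchanged value means the pre-authentication ID is still valid.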


You can find an article about this issue here (in Turkish).