Science & Tech News

How to steal cookies using XSS

Posted by Ahmad Alhasan on

What is XSS?

XSS is a way of inserting the malicious javascript code in your page in the form of the input therfore every time the page loads the script gets loaded in the webpage, since that the new code got inserted in the website, XSS is a short for “cross site scripting”.

Today’s tutorial is about how to do Cookie Stealing via Cross Site Scripting Vulnerability with persistent type. This kind of vulnerability is much more dangerous than the non-persistent one, because it will affect the whole user of the website that has this kind of persistent Cross Site Scripting Vulnerability. This type of vulnerability can give you access to other user account and even to administrator that maintain the website.

To understand much more about this tutorial, I have already created a simple forum using PHP and also a database using MySQL. I know this forum was not user friendly and even sucks but the important thing here is the logic about how this attack can happen in real world.

Okay let me introduce this simple forum first. This simple forum has 3 type of users, there is Admin, Registered User, and also Guest (admin, user, and guest). All of these users will have the same board where they can reply one with another to make some conversation, every conversation is saved on a database; that’s why every user can see their posting history.

Let’s start the preparation for our tutorial.

Simple Forum HTML

Step by Step :

I have already hosted this simple forum to a free web hosting. Because I only use 1 computer, I will separate the access between user and admin. Administrator will log in using Google Chrome browser and user will log in using Mozilla Firefox.

giphy

And then user also logs in to the simple forum and start the conversation.

Admin logs in again and then replies to the user

This user already knows that this simple forum website has an XSS hole where he can input some html tags in it. Now he wants to collect the cookie available over that message board.

The malicious user also has other free hosting out there with address attacker.loveslife.biz where he host the other PHP script to record all of the cookie he got from the simple forum.

If you see the picture above, the malicious user put some javascript that refer to his hosting at attacker.loveslife.biz/trap.php.

When the administrator logs in to that simple forum, he won’t notice anything strange.

Soon after admin logs in,  the malicious user opens his log file that located on there.

Now he tries to refresh the page to check whether it works or not….

Take your time to comment on this article.