[Tutorial] How To Steal Admin's Cookies With XSS



Hi guys,
Today I'm going to show you how to steal cookies with an XSS vulnerability, in a legal scenario.






Scenario:
A company hired you to do a web pentest on their new website. The website is very simple: an index page that presents the company, with a comment box at the bottom.
You tried some basic SQL injections in the comment box, and you also tried to find their admin page to test the login, but it's well hidden. Then you have the bright idea to try some XSS in the comment box.

A basic way to find XSS vulnerabilities is to submit the following string to every input that ends up reflected in the page (URL parameters, search, User-Agent, forms, etc.) and see which characters come back encoded:


Code:

Code 1 @ http://pastebin.com/5yYTSmbQ (I use this method because of the firewall)
On the page it may look like:

Code:

Code 2 @ http://pastebin.com/5yYTSmbQ

and you may think that only

Code:

Code 3 @ http://pastebin.com/5yYTSmbQ

is escaped. But you are wrong!

Let's look at the page source (right-click -> View Page Source, not Inspect Element) for the comment we just posted in the comment box:


Code:

Code 4 @ http://pastebin.com/5yYTSmbQ
Hmm... very interesting.
They tried to protect the website from XSS by HTML-entity-encoding some, but not all, of the characters that JavaScript syntax needs.
More info here: https://en.wikipedia.org/wiki/Character_...gs_in_HTML

So we need a way to write JavaScript into the page without using any of those characters:


Code:

Code 5 @ http://pastebin.com/5yYTSmbQ

That's a challenge!

To solve this challenge you have to know the different ways JavaScript can be added to a web page.
The way I'm going to use is to tell the page to load the script from somewhere else. On one of my domains I hosted a script.js with this code:


Code:

Code 6 @ http://pastebin.com/5yYTSmbQ
The comment looks like this:


Code:

Code 7 @ http://pastebin.com/5yYTSmbQ

Once someone (including you) visits the page that contains the comment, their cookies are sent to the attacker.

Here's the server-side code that receives the cookie and saves it:


Code:

Code 8 @ http://pastebin.com/5yYTSmbQ

End:
Now all you have to do is contact the administrator and report the vulnerability you found during your engagement. (You'll find the cookie in the logs.txt file.)
He'll be very happy! DO NOT USE THIS METHOD ILLEGALLY
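What the administrator should change once you report this, as an added example that is not part of the tutorial or the target site's code: the comment box must encode all of `& < > " '` (a partial list is exactly the gap exploited above), the session cookie must be `HttpOnly` so injected script cannot read it, and a Content-Security-Policy should refuse `<script src=...>` from other domains. The comment template, the header values and the cookie name `session` below are assumptions I constructed for the example.

```python
"""Defensive counterpart to the comment-box scenario (added example, not the
tutorial's code). Three controls, each breaking one link of the chain:

  1. escape_comment / render_comment   - encode ALL of & < > " ' so no
                                         injected markup survives.
  2. build_session_cookie /
     cookie_readable_by_script         - HttpOnly keeps the cookie out of
                                         document.cookie even if script runs.
  3. csp_permits_external_script       - a script-src limited to 'self',
                                         nonces or hashes blocks loading a
                                         script from another domain.

The comment template, header values and the cookie name are assumptions.
"""
import html


def escape_comment(text: str) -> str:
    """HTML-encode every character that can close a text or attribute
    context. html.escape(quote=True) covers & < > " and '; encoding only
    some of them leaves the break-out the tutorial relies on."""
    return html.escape(text, quote=True)


def render_comment(author: str, body: str) -> str:
    """Render one comment into the (assumed) page template with both
    untrusted fields escaped."""
    return (
        f'<li class="comment"><b>{escape_comment(author)}</b>: '
        f"{escape_comment(body)}</li>"
    )


def build_session_cookie(name: str, value: str) -> str:
    """Set-Cookie value for a session cookie that script cannot read
    (HttpOnly), is never sent over plain HTTP (Secure) and is not attached
    to cross-site top-level POSTs (SameSite=Lax)."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


def cookie_readable_by_script(set_cookie_value: str) -> bool:
    """True when a Set-Cookie value lacks HttpOnly, i.e. any script
    running in the page could read the cookie through document.cookie."""
    attrs = {part.strip().lower() for part in set_cookie_value.split(";")[1:]}
    return "httponly" not in attrs


def csp_permits_external_script(csp: str) -> bool:
    """Parse a Content-Security-Policy header and report whether its
    effective script-src (falling back to default-src) allows a script
    from any origin other than the page's own. Returns True when there is
    no script restriction at all."""
    directives = {}
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True
    # Keyword sources that name no other host. 'unsafe-inline' is a
    # weakness of its own, but it does not permit an external script load.
    no_host_keywords = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'"}
    hash_or_nonce = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
    for src in sources:
        if src in no_host_keywords or src.startswith(hash_or_nonce):
            continue
        return True  # a scheme, host or wildcard source: external load allowed
    return False


if __name__ == "__main__":
    # Constructed sample: a comment containing markup, rendered safely.
    print(render_comment("Vo <Uu>", '"hello" & <b>world</b>'))
    weak = "session=abc123; Path=/"
    print("weak cookie readable by script:", cookie_readable_by_script(weak))
    hardened = build_session_cookie("session", "abc123")
    print("hardened cookie readable by script:", cookie_readable_by_script(hardened))
    policy = "default-src 'self'; script-src 'self' https://cdn.example.com"
    print("CSP allows script from another host:", csp_permits_external_script(policy))
```

`cookie_readable_by_script` and `csp_permits_external_script` are the two checks to run against the site's real response headers after the fix is deployed; if either returns True, the cookie-theft path in this tutorial is still open.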

About Vo Uu

The author specializes in researching hacking, security and marketing techniques, has an unusual perspective, digs deep into problems, and gives frank feedback. If you use posts from this blog, please credit the author as the source!!! The author very much hopes for contributions and discussion from the community so that Vietnam's cybersecurity becomes ever safer!!
