Cookies are information which a website requests or maintains regarding specific users which visit the page. These cookies contain information about how in addition to also when they visit, as well as authentication information for the site such as usernames in addition to also passwords. As these cookies must be in use whenever a visitor is usually active on a given website, an attacker who can intercept them can steal This particular information in addition to also use the idea to impersonate or catalog information about specific users.
While we don’t advocate stealing anyone’s passwords, This particular guide is usually a must-know topic for any pentester or the idea security professional to understand. If you don’t know how black hat hackers do things, you’ll never be able to catch them.
Don’t Miss: How to Hack Web Browsers with BeEF
Step 1: Creating an HTML Test Page
We can move into This particular directory with cd command, as in This particular example.
Once we’re in This particular folder, we can create our index file with touch by typing the following into a terminal window.
Next, we’ll edit This particular index file too. First, open the file in nano.
We can save This particular file by pressing Ctrl+O in nano. At This particular point, if opened in a web browser, our page will be blank. We can add a title element or some basic HTML content, or even add our scripting elements to any web page we’ve created, although for testing purposes, This particular will be sufficient.
Don’t Miss: How to Conduct a Simple Man-in-the-Middle Attack
Step 2: Creating a Cookie
We can create a basic parameter inserted within a cookie by using only 1 string. This particular cookie will only exist within This particular page, in addition to also similarly, the technique used to dump cookies later will apply to any cookie being stored within the page on which the script is usually run or injected.
This particular script should be inserted within the “body” section of the HTML file, as seen below.
If the webpage with This particular script is usually opened, a cookie will be set, although nothing will be visible inside browser. We can dump the cookie directly into the page itself using the “document.write” function. This particular won’t be of any use for exporting the cookies without a potential user’s knowledge, although the idea can help us understand the format in which the cookie writing technique works. We can add the following line to our script to test This particular.
Our script should right now look similar to the example below.
document.cookie = “username=Null Byte”;
When opened in a browser, the idea should look similar to the image below.
We’ve right now successfully set “username=Null Byte” as a cookie with This particular page. We can right now remove the “document.write(document.cookie);” function of the script, as we are instead going to forward the cookies retrieved through the targeted user’s page to an independent, offsite page on which they can be written in addition to also stored by us.
In This particular example, the PHP file is usually located on the local machine, or localhost, at 127.0.0.1. In an actual deployment of This particular technique, the idea should point towards a file hosted on a web server which can be resolved to outside of the local network or local machine.
If one was targeting a social media website, the script could be injected within of which site, in addition to also the cookies which are stolen could be sent to an IP or URL of a server controlled by the hacker.
Don’t Miss: How Null Byte Injections Work
For testing purposes, we will be able to host the file locally using PHP’s test server module.
The HTML page code should right now look similar to the image below.
Step 4: Processing Cookies with PHP
This particular is usually sufficient for a test deployment, although in a real-world scenario the PHP file could be better served using a less obvious name in addition to also located at an external IP or URL.
First, create a completely new PHP file inside same directory as the index.html file. You can do so by typing the following command.
After adding PHP opening in addition to also closing brackets, the first element we’ll want to define is usually redirect location, as seen in This particular example.
We define This particular as the “Location” following the “header,” in This particular case “https://google.com.” the idea can be set to whatever you choose, so long as the idea’s an address which can be handled by a web browser. To limit the risk of a user becoming aware of an attack, the idea could be best to redirect them to a relevant page on the same domain, such of which they are not alarmed, or become stuck in an infinite loop of the script running over in addition to also over.
With the user redirection established, we can add additional code to process the cookie. First, we’ll assign the cookie as carried by the URL to a variable.
$cookies = $_GET”c”;
Next, we’ll define the file to which the cookies will be saved to on the server which we control. inside example below, the file is usually named “log.txt.”
$file = fopen(‘log.txt’, ‘a’);
Lastly, we’ll combine the variables defined inside above two strings in order to write the variable’s content, the cookie, to our log file.
fwrite($file, $cookies . “nn”);
Our code should right now appear similar to the image below.
With This particular file saved, we’re ready to prepare a test environment for the PHP code.
Step 5: Testing the Cookie Stealer
The type of PHP available on most Linux distributions in addition to also Unix-like operating systems includes a test server. This particular server module is usually modest, limited, in addition to also not suitable for live deployments, although is usually very lightweight in addition to also effective for testing PHP code.
through within the same directory as our index.html in addition to also cookiestealer.php files, we can launch a PHP test server through the command line by typing the following.
php -S 127.0.0.1:80
This particular test server right now allows us to test our page by simply opening “127.0.0.1” within a web browser on the same machine.
After opening This particular page, our browser will most likely almost immediately resolve to the website we defined as a redirect, in This particular case Google.
If we take a look at our PHP server log, we’ll notice of which an argument was passed to our PHP file in addition to also our PHP code was executed.
Finally, we’ll be able to retrieve the cookies by checking the “log.txt” file which right now exists in our site directory. We can view This particular by using cat inside command line.
Step 6: Deploying the Attack
This particular attack is usually extremely valuable for doing damage in addition to also gaining user credentials in any scenario where you’re able to inject code on a site where users may be using cookies. Cookies often contain important user information in plaintext, in addition to also many times contain private keys which can be used to impersonate or log on as the user.
This particular attack could be injected anywhere which an HTML script tag could be inserted. A common test method to test web forms for XSS vulnerability is usually using a simple “alert” string such as the one below.
This particular script will simply attempt to open an alert box such as the example below. If the idea opens, the website is usually vulnerable to XSS.
In a live attack, a hacker could be careful with the way in which the PHP script is usually hosted. If done improperly, the origin of the PHP file could be easily traced back to the hacker. If a tactic such as This particular is usually detected, in order to identify an attacker, the idea could be useful to attempt to seek information on where stolen cookies are being sent in addition to also stored.
I wish you enjoyed This particular article on stealing cookies! If you have any questions or comments about the article, leave them below or reach me on Twitter @tahkion.