Cross-site scripting cookie theft

ID SAINT:C149D9B601C09A26F3118D1BDCE4B38A
Type saint
Reporter SAINT Corporation
Modified 2010-03-09T00:00:00


Added: 03/09/2010


Many web sites include scripts, which are lists of commands which, when executed in sequence, provide some enhancement to a web page. Web browsers are able to recognize scripts in web pages by the **<SCRIPT>** tag and handle them accordingly.


By sending an HTTP request containing **<SCRIPT>** tags to the web program, it is possible to cause the web server to return a page which contains arbitrary script. This condition allows an attacker to trick a user into executing the script in his or her browser in the security context of the vulnerable site. The script sends the user's cookies back to the attacker. If the cookies contain session IDs, the attacker can then use the cookies to hijack the user's session and gain unauthorized access to the web application.


Modify the vulnerable web program such that the response content does not contain user-supplied parameters without first checking the user-supplied parameters for invalid characters.




This exploit starts an exploit server if a cross-site scripting vulnerability is detected. A user must then click on a crafted link in order for the exploit to succeed. The Send E-Mail icon beside the exploit server can be used to send this link to users.

If the cross-site scripting vulnerability is non-persistent, then the vulnerable parameter must be a GET parameter in order for the e-mailed link to trigger the exploit.

In order for the exploit to succeed, the user's default browser cannot be Internet Explorer 8 or higher due to the cross-site scripting filter.

If the exploit succeeds, a virtual connection is created which allows hijacking of the user's web session. If the user's session ID has an expiration time, session hijacking is only possible before this expiration time.

In order for a cross-site scripting vulnerability to be detected during an automated penetration test, the vulnerable parameter must be present in an HTML form which is accessible by following links from the home page of a web site.

If using the https protocol, the exploit requires the IO-Socket-SSL PERL module to be installed on the scanning host. This module is available from <>.