I mean, with "document.cookies" the browser shows only the cookie(s) that belong to that website. (Or doesn't it?) So, could an XSS attack steal all stored cookies in the device/browser? Thanks.
3 Answers
The document.cookie object retrieves the cookies from the current document. The document refers to the webpage from where the JavaScript invoking the document object is running. So JavaScript won't be able to access cookies from other websites, and that obviously includes an XSS attack.
with "document.cookies" the browser shows only the cookie(s) that belong to that website.
This statement is not entirely true. The document.cookie object allows JavaScript to access cookies from the current document, but only those that don't have the HTTPOnly flag. This flag is used to prevent JavaScript from accessing those cookies and is a policy enforced by the browser. It's recommended to turn on that flag on session cookies to protect them from being stolen through XSS.
This is the most complete answer. One detail that's kind of glossed over is that sometimes there are domain-scoped cookies issued by other sub domains on the same domain. This particular scenario could be interpreted as stealing cookies from other websites. – user18519 Jul 15 '17 at 22:50
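The scoping rules described in the answer and comment above, as an added example that is not part of the original posts: a simplified model of which cookies script on a given page can read through document.cookie. The cookie jar and the example.test / other.test host names are constructed sample data, and the Path, Secure and SameSite attributes are deliberately ignored.

```javascript
// Added example: simplified model of cookie visibility to page script.
// Constructed sample jar. domain === null means a host-only cookie (no Domain attribute).
const jar = [
  { name: "sid",   value: "s1",   host: "shop.example.test", domain: null,           httpOnly: true  },
  { name: "theme", value: "dark", host: "shop.example.test", domain: null,           httpOnly: false },
  { name: "track", value: "t9",   host: "blog.example.test", domain: "example.test", httpOnly: false },
  { name: "auth",  value: "a7",   host: "blog.example.test", domain: "example.test", httpOnly: true  },
  { name: "other", value: "o3",   host: "bank.other.test",   domain: null,           httpOnly: false },
];

// RFC 6265 style domain-match: identical host, or host ends with "." + cookie domain.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// Cookies in scope for a host: host-only cookies need an exact host match,
// Domain-scoped cookies match the domain and all of its subdomains.
function cookiesForHost(cookies, host) {
  return cookies.filter(c =>
    c.domain === null ? c.host === host.toLowerCase() : domainMatch(host, c.domain));
}

// What document.cookie would return to script on pageUrl: in-scope cookies
// minus everything flagged HttpOnly.
function scriptVisible(cookies, pageUrl) {
  const host = new URL(pageUrl).hostname;
  return cookiesForHost(cookies, host)
    .filter(c => !c.httpOnly)
    .map(c => `${c.name}=${c.value}`)
    .join("; ");
}

// Defensive audit: list every script-readable cookie and how far its scope reaches.
function audit(cookies) {
  return cookies.filter(c => !c.httpOnly).map(c =>
    c.domain === null
      ? `${c.name}: readable by script on ${c.host} only`
      : `${c.name}: readable by script on ${c.domain} and every subdomain`);
}

console.log(scriptVisible(jar, "https://shop.example.test/cart"));
console.log(audit(jar).join("\n"));
```

Script on shop.example.test sees its own non-HttpOnly cookie plus the Domain-scoped one set by blog.example.test, which is the subdomain case the comment raises, and nothing from bank.other.test.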
That depends on the type of XSS. An XSS vuln in a web site can only be used to steal non-HTTPOnly cookies on the domain in question (and possibly subdomains if they have set domain to the root domain in any of their cookies). If however you manage to exploit an XSS in a Chrome extension (or some other type of universal XSS), you may be able to steal cookies for all pages including HTTPOnly cookies.
When you use a browser, the website where you are can only access its own cookies. It can't access the cookies of other websites.
So with an XSS, you are able to steal all stored cookies from the website which is vulnerable. This is not a restriction of document.cookie but a restriction of your browser. You can find a more detailed answer in this: can a webpage read another pages cookies