Saturday, December 29, 2012

XSS for Stealing Cookies and Mozzila for Using Them: article 201207

Takeaway: Using stored cross site scripting, XSS, a user's cookie can be stolen and used to bypass authentication to a website.  You need a vulnerable website, a script to steal the cookie, a server to write to, a script to write the cookie to a log, and an appendable log file.  Once you have the cookie you can utilize a Mozilla add on to use it.

My primary resource of information for this blog can be found at this YouTube video.

I have played with stored XSS before using the script message box to create a pop up:


and to read my own cookie:

but I decided today to take the opportunity to simulate actually stealing another users cookie. has posted a decent set of videos on YouTube from which I used as my guide to simulate this attack.

The first thing I needed was a vulnerable site.  I chose to use  Damn Vulnerable Web App.  Here is a link to a video showing how to install DVWA with XAMPP.  XAMPP can be downloaded here.

I changed the security setting of  DVWA to "Low".

The target of DVWA of course was XSS stored.  An issue I ran into was that the Messages text box only allowed for a maximum of 50 characters; too few to pull this simulation off.

To resolves this I navigated to:


and modified the index.php script, in my case line 49, from

    maxlength=\"50\" to maxlength=\"500\"

Next, two files needed to be created.  First a blank file named cookielogs.txt and a second file named stealer.php that receives the cookie and appends it to the cookielogs.txt file.  The code for stealer.php is:

I uploaded these two files to a personal website.

A third piece to this is the malicious script to post to the guest book; it is seen here:

Next it was time to post my script to the DVWA vulnerable guest book:

The next user that came along and clicked on the XSS stored link

Would have the cookie stolen and shipped off to my cookielogs.txt text file:

We have a cookie!  Now what?  Consume that cookie!

There is an add-on for the Mozilla browser titled cookie editor.  It is a tool that will let you view your cookies and, as the name says; edit them.

Once the editor is installed it can be found under the Tools menu of the browser.

Now as the attacker I browsed to the cookielogs.txt file and selected the cookie I wanted to try.  In the case the one at the bottom of the list.

I then browsed to the DVWA login page.

I opened the cookie editor

Notice in the above pic the IP address of the site I am visiting and next to each IP are the cookie names "PHPSESSID" and "security".  Notice back on the cookielogs.txt file that each of those are defined. So I edited these to match the cookie I had captured.  First the PHPSESSID.  Highlight then select edit.

Then replace the "Content" string with the string captured:

Click save and then repeat for the "security" cookie:

Here I changed it from "high" to "low", just as I had captured.  I then clicked "Save"

I clicked "Close"

Now back the web page I removed the "login.php" from the URL address:

I hit my keyboards "Enter" key and "Boom goes the dynamite". 

I was able to get to the log in screen without credentials.

As always I hope this helps others.  Please provide any feedback and I will be happy to answer any pertinent questions that I can.


Wednesday, December 5, 2012

Screen Scraper in Python: article 201206

As part of the SecurityTube Python Scripting Expert course the below is a simple script written to scrape the Top X suspect IP addresses from SANS Internet Storm Center.

Written in Python 2.7.2, Beautiful Soup 4, and LXML parser


import urllib
import re
import sys
from bs4 import BeautifulSoup
print "\n\n"
print "++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"
print """
        The following list of IP's is pulled from
        the SANS Internet Storm Center.  It shows
        a list of up to the top 100 IP's from which
        suspected malicous traffic was seen. It is
        not recommended to use this as a black list.
print "\n++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"

topX = int(raw_input("Enter the Top X amount, btw 1 & 100, of flagged IP's you want to see: "))

while ((topX < 1) or (topX > 100)):
        print "The ammount must be a number btw 1 & 100\n"
        topX = int(raw_input("Enter the Top X amount, btw 1 & 100, of flagged IP's you want to see: "))

print "\nPlease be patient\n"
print "Retrieving the top ", topX , " IPs\n"

iscPage = urllib.urlopen("")

#print iscPage.code

iscSoup = BeautifulSoup(, "lxml")

allAtag = iscSoup.find_all('a')

counter = 0

for item in allAtag:
        if ('ipinfo', str(item)) and (counter < topX)):
                        print item.string
                        counter = counter + 1
print "\n"