Everyone knows what XSS is, right? Good, I'll spare you the definition. A common use for XSS is stealing cookies to hijack sessions and gain access to restricted web content. Cookie stealing is typically done by forcing a target's browser to issue some sort of GET request to a server controlled by the attacker, which accepts the target's cookie as a parameter and processes it in some way. In most cases, when a cookie stealing XSS attack is successful, it generates a visual clue which can tip off the target. While it is too late for the target to prevent the theft at this point, stealth has been compromised, and that could be the difference between the user keeping the session active and clicking 'log out', rendering your stolen cookie invalid.
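The exfiltration pattern described above (a browser fetching an external URL with the cookie string stuffed into a query parameter) is something a defender can hunt for in egress proxy logs. The following detector is an added example written for this post, not code from the original author; the log format, the session cookie names and the trusted host list are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed: names of the session cookies your applications issue.
SESSION_COOKIE_NAMES = {"PHPSESSID", "JSESSIONID", "ASP.NET_SessionId"}
# Assumed: hosts that are allowed to see those cookies at all.
TRUSTED_HOSTS = {"app.example.com"}

# A document.cookie dump looks like "name=value; name2=value2", so we look
# for name=value pairs inside any decoded query value or path segment.
COOKIE_PAIR = re.compile(r"([A-Za-z0-9_.\-]+)=([^;&\s]+)")


def leaked_cookie_names(url):
    """Return the session cookie names found inside a request to an untrusted host."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host in TRUSTED_HOSTS:
        return []
    candidates = [unquote(parts.path)]
    # parse_qsl already percent-decodes; unquote again covers double encoding.
    candidates += [unquote(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    found = []
    for text in candidates:
        for name, _ in COOKIE_PAIR.findall(text):
            if name in SESSION_COOKIE_NAMES and name not in found:
                found.append(name)
    return found


def scan_log(lines):
    """Constructed log format: '<client> <method> <url> <status>' per line."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line, skip rather than crash
        names = leaked_cookie_names(fields[2])
        if names:
            hits.append((urlsplit(fields[2]).hostname, names))
    return hits


# Constructed sample proxy log: one benign app request, one cookie exfiltration
# to an external host (documentation address), one ordinary CDN fetch.
SAMPLE_LOG = [
    "10.0.0.5 GET http://app.example.com/profile?id=7 200",
    "10.0.0.5 GET http://203.0.113.9/c.gif?c=PHPSESSID%3Dabc123%3B%20theme%3Ddark 200",
    "10.0.0.6 GET http://cdn.example.net/lib.js 200",
]

if __name__ == "__main__":
    for host, names in scan_log(SAMPLE_LOG):
        print(f"possible session cookie exfiltration to {host}: {names}")
```

Matching on cookie names rather than values keeps the detector useful even though the proxy never sees the real session tokens.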
About a year ago, I came up with a stealth technique for executing cookie stealing XSS attacks that I assumed was common knowledge. But after talking about the technique with several top web app security professionals, I realize that the technique may be more unique than I initially thought. Below is an example of the technique.
So you see, this is very sneaky and full of potential. Here, I use this technique in creating a web-based keystroke logger.
If you feel I have missed something or would like to contribute to this post, please email me by clicking the button that looks like a "@" on the left hand side of the page. I'm always open to improving my skill set and I'd be happy to add some additional details so that others benefit as well. Thanks for reading!
Want to learn more about conducting penetration tests against web applications? Join me for Assessing and Exploiting Web Apps with SamuraiWTF at Black Hat 2013, and for SANS SEC542: Web App Penetration Testing and Ethical Hacking at SANS Capital City 2013! Washington, DC | Tue Sep 3 - Sun Sep 8, 2013