Cookie Stealing and Tracking Using Cross Site Scripting

Posted By : Mayank Jain | 27-Jun-2018

Online shopping and banking sessions involve sensitive data, and a site keeps track of the logged-in user with a session cookie stored in the browser. An attacker can grab the session token with malicious code running on the client side. If an attacker gets hold of your session cookie through a script, that person can hijack the user's session. This generally happens when the site has a vulnerability that allows cross-site scripting (XSS). If an attacker sends the victim a modified link carrying malicious JavaScript, the JavaScript runs when the victim clicks the link and grabs the sensitive information.
 


Example - if we write code in the comment section, the site treats it as if it were markup from the server, and the browser runs it (it is actually a script).

 <script>document.write();</script> 

 

The browser runs the code as JavaScript because it arrives inside SCRIPT tags served by the site, just like the site's own scripts. When a user visits the site and looks at the comment section, he/she sees a link to an image, which is actually the result of the script running.
When the user clicks this link, not knowing it actually points to a PHP file, an image appears in the comment section. Meanwhile the script silently executes and grabs their cookie.
The cookie holds important information such as the user's session ID; this is saved to the attacker's database, and the attacker can then hijack that user's session on the site.


There are some simple techniques that can be used to prevent this attack.

  • Input filtering is important against XSS.
  • Confirmation is required for any sensitive action.
  • Cookies used for sensitive actions should have only a short lifetime.
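
As an added example (not code from the original post), the snippet below shows the defensive side of the comment-section scenario: untrusted comment text is HTML-encoded before it is written into the page so a submitted SCRIPT tag renders as text, the session cookie is issued with HttpOnly, Secure, SameSite and a short Max-Age so a script cannot read it and a leaked token expires quickly, and a small audit function reports which of those attributes an existing Set-Cookie header lacks. All function names and the sample values are hypothetical.

```javascript
// Added example: output encoding for stored comments plus session cookie hardening.
// Hypothetical helper names; sample inputs below are constructed for illustration.

// Map every HTML-significant character to its entity so user text is rendered as text
// and never parsed as markup. Safe for both text-node and attribute-value contexts.
function escapeHtml(untrusted) {
  const entities = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
  };
  return String(untrusted).replace(/[&<>"'`]/g, (ch) => entities[ch]);
}

// Render one stored comment as an HTML fragment. The author name lands inside an
// attribute and the body inside a text node; both pass through escapeHtml first.
function renderComment(author, body) {
  return `<li data-author="${escapeHtml(author)}">${escapeHtml(body)}</li>`;
}

// Build the Set-Cookie header for a session id. HttpOnly keeps document.cookie from
// exposing it to injected scripts, Secure keeps it off plain HTTP, SameSite=Strict stops
// cross-site requests from carrying it, and a short Max-Age limits how long a leaked
// token stays useful (15 minutes here; adjust to the application's risk).
function sessionCookieHeader(sessionId, maxAgeSeconds = 15 * 60) {
  if (!/^[A-Za-z0-9_-]+$/.test(sessionId)) throw new Error('unexpected session id format');
  return `sid=${sessionId}; Path=/; Max-Age=${maxAgeSeconds}; HttpOnly; Secure; SameSite=Strict`;
}

// Audit an existing Set-Cookie header value and list the protective attributes it is
// missing, so session cookies that a script could still read are easy to spot.
function missingCookieAttributes(setCookieHeader) {
  const attrs = setCookieHeader.split(';').slice(1).map((a) => a.trim().toLowerCase());
  const missing = [];
  if (!attrs.includes('httponly')) missing.push('HttpOnly');
  if (!attrs.includes('secure')) missing.push('Secure');
  if (!attrs.some((a) => a.startsWith('samesite='))) missing.push('SameSite');
  if (!attrs.some((a) => a.startsWith('max-age=') || a.startsWith('expires='))) missing.push('Max-Age');
  return missing;
}

// Constructed sample: the SCRIPT tag from the post, submitted as a comment body, and a
// bare session cookie with no protective attributes.
console.log(renderComment('visitor', '<script>document.write();</script>'));
console.log(missingCookieAttributes('sid=abc123; Path=/'));
console.log(sessionCookieHeader('abc123'));
```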
     

About Author

Mayank Jain

Mayank is responsible for implementing the visual elements that users see and interact with in a web application. His skillset includes JavaScript, HTML, CSS, AngularJS and Bootstrap.
