Make an XSS Payload to Read a Cookie from a Vulnerable Website

InstructorMike Sherov

Share this video with your friends

Send Tweet

In this lesson, we'll learn how to exploit an XSS vulnerability to read the contents of a cookie from our vulnerable website. We'll also make an endpoint on our attacker website to receive and log the cookie we've stolen. This payload will be used and modified in the following lessons to validate vulnerabilities and to verify their mitigation.

Justyn Nelson
Justyn Nelson
~ 9 months ago

I don’t understand this example, cant you just look at the session cookie through the browser just as easily?

Mike Sherov
Mike Sherov(instructor)
~ 9 months ago

Hi Justyn2,

Yes, you as the user can look at their own session cookie through the browser, which allows them to authenticate themselves. However, when an attacker performs an xss attack, it allows them to see other people's session cookies, which allows the attacker to authenticate themselves as other people! The XSS is persisted so that when other people log into the site, they execute the attackers code, sending their own session cookie to the attackers servers.

Hope this helps!