Sunday, May 28, 2017

XSS Cookie Monster (Stealing Session ID/Cookie)

This is how you can use XSS to steal a user's cookies/session ID. I'm using the HTTP POST method rather than HTTP GET in this example. : ) Enjoy…

The demonstration uses one of the reported XSS vulnerabilities in Netsweeper's WebAdmin Portal to hijack an authenticated user's cookie, then uses that cookie to bypass authentication with an already authenticated session.

# Exploit Title: Netsweeper WebAdmin Portal CSRF, Reflective XSS, and “The later”
# Date: Discovered and reported CSRF and XSS reported 4/2012 and “The later” reported 7/2012
# Author: Jacob Holcomb/Gimppy042
# Software Link: Netsweeper Inc. – Netsweeper Internet Filter (www.netsweeper.com)
# CVE : CVE-2012-2446 for the XSS issues, CVE-2012-2447 for the CSRF, and CVE-2012-3859 for the “The later”

About FastFlux

Owner of ZeroSecurity, interested in programming, malware analysis and penetration testing. If you would like to write for the ZeroSecurity team, please use the contact form above.
