Web - Client

Tuesday 20 February 2018, 09:05  #1
XSS - Stored 1
afullstopdot
  • 2 posts

Hi There,

I have attempted to steal the cookie but I have failed; whether or not I failed because of my logic is what I want to clear up.
I attempted to inject a script that redirected to a domain with the cookie in the URL; upon reading the payload, the cookie was not found.
Both as part of the URL (?cookie=) or the header payload.

Does this have to do with HttpOnly cookies (thus the challenge is broken), or am I just stupid?

Thanks

Wednesday 21 February 2018, 10:03  #2
XSS - Stored 1
Aster
  • 5 posts

Hello, I did the challenge yesterday.
Everything is working alright.

Make sure that all the parts work well one by one and then group them.

Saturday 24 February 2018, 00:50  #3
XSS - Stored 1
jam
  • 99 posts

Hi all,

After injecting a JS-crypted payload I got a user-session cookie. I suppose this cookie is mine. This one was not enough to validate the challenge. I have still not been able to get the administrator session cookie so far. It is written that he or she should have read the message, but where is the cookie, then? Hmmm... I redirected the session in stealth to my web server, where the cookies should have been saved.

Saturday 24 February 2018, 08:47  #4
XSS - Stored 1
jam
  • 99 posts

Hi all,

Got it :)

If the given conditions are well done, then the focus will be filtering. Where the injection code is nested will be a good idea...

Monday 18 March 2019, 15:10  #5
XSS - Stored 1

Spoil is returning me a blank string. Help

Friday 18 October 2019, 10:45  #6
XSS - Stored 1
Neo
  • 1 posts

I am not able to get the admin session with my payload. However, I am always getting the UID cookie.

GET /?c=uid=wKgbZF2perBuvVSqA2fMAg== HTTP/1.1

What is the possible reason for this?

Please advise.