Forum Thread: About JavaScript document.cookies for XSS ???

Hello everyone.
I am trying to test a web application that is vulnerable to XSS locally (localhost).

But my problem is that I would like to know in which part of the application to inject JavaScript code to collect user cookies, for this kind of application that only has a username and password form?

1 - Should I put the JavaScript code "document.cookie" (to steal cookies on a web application vulnerable to XSS) in the Username and Password form fields?

2 - Or do I insert the JavaScript "document.cookie" (to steal cookies on a web application vulnerable to XSS) in the browser's URL bar, right after 10.0.0.2/xss/index.php?

Please let me know, thank you.

2 Responses

I'm not sure you understand how XSS works. The objective is to inject JavaScript code into a page, so that when the browser of another client encounters it, it will be executed by the client.

Inserting JavaScript in the URL won't lead to anything.
Inserting JavaScript in the password won't lead to anything either, as other clients will never see it.
Using an XSS in the username makes more sense, if the application displays the list of users somewhere.

Google "drapstv xss tutorial". He just put up a very basic XSS tutorial on YouTube which may help you out.
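The first response points at a username shown in a user list as the place where injected script reaches other clients. The following is an added example, not code from the thread or from the application being tested, showing the two controls that close that path: encoding usernames on output, and marking the session cookie `HttpOnly` so that `document.cookie` does not expose it. The function names, the `PHPSESSID` cookie name (PHP's default, assumed because the page is `index.php`) and all sample values are assumptions constructed for illustration.

```javascript
// Added example (not from the thread). All names and sample values are constructed.

// Encode the characters that let text break out of HTML element or attribute context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable rendering: usernames are concatenated into markup as-is.
function renderUserListUnsafe(usernames) {
  return '<ul>' + usernames.map((u) => '<li>' + u + '</li>').join('') + '</ul>';
}

// Hardened rendering: every username is encoded on output.
function renderUserListSafe(usernames) {
  return '<ul>' + usernames.map((u) => '<li>' + escapeHtml(u) + '</li>').join('') + '</ul>';
}

// Build a Set-Cookie header value for the session cookie.
function sessionCookieHeader(name, value, { httpOnly }) {
  const attrs = [`${name}=${value}`, 'Path=/', 'SameSite=Lax'];
  if (httpOnly) attrs.push('HttpOnly');
  return attrs.join('; ');
}

// Model of what page script can read through document.cookie:
// browsers omit cookies that were set with the HttpOnly attribute.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .filter((h) => !h.split(';').slice(1).some((a) => a.trim().toLowerCase() === 'httponly'))
    .map((h) => h.split(';')[0].trim())
    .join('; ');
}

// Constructed sample data.
const users = ['alice', '<script>alert(1)</script>'];
const weak = [sessionCookieHeader('PHPSESSID', 'constructed-id', { httpOnly: false })];
const hardened = [sessionCookieHeader('PHPSESSID', 'constructed-id', { httpOnly: true })];

console.log(renderUserListUnsafe(users)); // markup contains a live <script> element
console.log(renderUserListSafe(users));   // the same username is rendered as inert text
console.log(JSON.stringify(scriptVisibleCookies(weak)));     // session cookie readable by script
console.log(JSON.stringify(scriptVisibleCookies(hardened))); // session cookie hidden from script
```

Output encoding is the primary fix; `HttpOnly` only limits what an injected script can read if the encoding is ever missed.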
