I want to test a CSRF vulnerability against a website, targetsite.com. On changing the personal info of an account, an HTTP request is sent like this:
REQUEST HEADER

```http
http://www.targetsite.com/?area=EditPersonalInfo&force_wap=1
POST/HTTP/1.1
Host : www.targetsite.com
User-Agent : Mozilla/Firefox
Accept : text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language : en-US,en;q=0.5
Accept-Encoding : gzip, deflate
Referer : http://www.targetsite.com/?area=EditPersonalInfo&force_wap=1
Cookie : return_token=XXXXXXXXXXXXXXXX; mmbsid=XXXXXXXXXXXXX; s_post=XXXXXXXXXXXXXXX; mmbTracker=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx; mmbTrackerTarget=.targetsite.com; LOGIN=XXXXXXXXX; start_with_auth_form=1; mmbUID=XXXXXXXXXX; UID=XXXXXXXXX; mmbSECRET=XXXXXXXXXX; SECRET=XXXXXXX; LEVEL=Low; registered_once=1; mmbsid=XXXXXXXXXXXXXXXXX; unauth_lang=3
```

POST DATA

```
s_post=xxxxxxxxxxxxxx&personal_name=Rogers&submitted=Save&force_wap=1
```
If one can get the value of "s_post" present in the POST DATA, then he can easily perform a CSRF attack against the website. And the main thing is that the value of "s_post" is present in a cookie (the name of the cookie is also s_post & IT'S NOT an HttpOnly cookie) which is given to the user at the time of their login. So if one can get the value of the cookie named "s_post" (which is present in the user's browser) by using any script, then he can perform CSRF easily (by inserting the value of the cookie in the place of the value of the POST data: "s_post=COOKIE VALUE GOES HERE&personal_name=DESIRED NAME HERE&submitted=Save&force_wap=1")... I want a script that will steal the value of the cookie named "s_post", stored in the victim's browser...
The details of the cookie are given below:
Name : s_post
Value : XXXXXXXXXXXXXXXXXXXXX
Host : .www.targetsite.com
Path : /
Expires At : At End Of Session
Secure : No
HTTP Only : No
Here's the form which I will use to perform CSRF:

```html
<form name="csrf_form" method="POST" action="http://m.targetsite.com/?area=EditPersonalInfo&force_wap=1">
<input type="text" id="s_post" name="s_post" value="HERE I WANT THE VALUE OF A COOKIE NAMED s_post">
<input type="text" id="personal_name" name="personal_name" value="Steve">
<input type="text" id="submitted" name="submitted" value="Save">
<input type="text" id="force_wap" name="force_wap" value="1">
</form>
```
Please help me guys... & please comment below if there's a script that can steal the value of the cookie & automatically put its value in the HTML form... OR please give me a script that will only steal the cookie's value...
Thanks in advance :)
There is no generic means to steal cookie data. It requires either:
The Synchronizer Token approach to blocking CSRF attacks (which is what you are trying to bypass) would be useless if stealing cookies was commonly possible.
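As an added, defender-side illustration of the Synchronizer Token pattern the answer refers to (example code written for this page, not targetsite.com's implementation): the server binds a random token to the login session (assumed here to be keyed by the mmbsid cookie) and accepts the EditPersonalInfo POST only when the s_post field matches that token. A page on another origin cannot read the victim's cookies or the token, so a forged form like the one in the question is rejected.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed in-memory session store: session id -> anti-CSRF token.
# Assumed design for this example, not how targetsite.com actually works.
SESSIONS = {}

def start_session():
    """Log a user in: create a session id and bind a fresh random token to it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid, SESSIONS[sid]

def parse_cookies(header):
    """Minimal parser for a Cookie header such as 'mmbsid=abc; LEVEL=Low'."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies

def handle_edit_personal_info(headers, body):
    """Server side of POST ?area=EditPersonalInfo. Returns (status, message)."""
    sid = parse_cookies(headers.get("Cookie", "")).get("mmbsid")
    if sid not in SESSIONS:
        return 401, "not logged in"
    form = {k: v[0] for k, v in parse_qs(body).items()}
    submitted = form.get("s_post", "")
    # Constant-time comparison against the token bound to this session.
    if not hmac.compare_digest(submitted.encode(), SESSIONS[sid].encode()):
        return 403, "CSRF token missing or invalid"
    return 200, "personal_name set to " + form.get("personal_name", "")

def demo():
    """Legitimate request vs. the forged form from the question; returns both status codes."""
    sid, token = start_session()
    cookie = "mmbsid=%s; LEVEL=Low" % sid  # constructed; the real header carries more cookies
    # The site's own page knows the token and puts it in the body.
    legit = handle_edit_personal_info(
        {"Cookie": cookie},
        "s_post=%s&personal_name=Rogers&submitted=Save&force_wap=1" % token)
    # The attacker's page: the browser still attaches the cookie, but the page
    # cannot read it, so the s_post field can only hold a guess.
    forged = handle_edit_personal_info(
        {"Cookie": cookie},
        "s_post=GUESS&personal_name=Steve&submitted=Save&force_wap=1")
    return legit[0], forged[0]
```

Running demo() returns (200, 403): the same browser cookie is attached to both requests, and only the request that carries the session's token is accepted.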