
Cookie Stealing for phun and profit
Anonymous
[root@Athleone] ~$ cat cookiestealing.txt

Cookie Stealing
Written by Athleone (or D4T4_L33CH)
===============================================

######################################################
0x10 Introduction

XSS (cross-site scripting) is usually criticized. It is said that XSS can do nothing, actually. All it can do is make a nice little alert box on your screen, telling you your cookies. That is a wrong assumption. Although it may be slightly difficult, you can use XSS to steal a user's cookies. Cookies are used to store valuable information such as Username, Password, IP address and much more. This tutorial aims at teaching you Cookie Stealing, and by the end of this text file, you should be able to independently steal other people's cookies.

DISCLAIMER:
This text is for educational purposes only. The author will not be held liable for any damages that result from a reader following this text or even learning from it.

######################################################
0x20 Finding the vulnerability

First, you have to find the XSS vulnerability. This may prove to be a bit of a challenge, but for sites with lower security, this is actually quite easy. For example, have you ever seen one of those guestbooks? Some of them are not properly configured to filter the text you type in. What does this mean? It means that you can manipulate the HTML of the page, and inject JavaScript code!

Alright, let's start off with something simple. Type this into the guestbook:

Okay, now that's done, click enter. If the guestbook does not properly check its input, then you should be able to see your cookie pop up! Of course, if you type that in and it doesn't work, it's probably gonna be a bit embarrassing, especially when the site admin taunts you.

Anyway, to test whether a guestbook properly filters its input, type something like "You guys suck." and see if the "suck" comes up in bold text. If it does, the guestbook is probably not configured to filter input.

However, XSS is not limited to guestbooks. Places where you can change the HTML, such as a page that uses a URL parameter to display an image or text, can be injected with a healthy dose of XSS. For example, the URL is this:

site/bla.php?whatever=lol.gif

Now, imagine what the HTML for the image would be like...

so they add a "> at the back, which means we can do this:

(start URL here)site/bla.php?whatever=lol.gif">
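
The two injection points described above (guestbook text, and the `whatever` URL parameter placed inside an image tag), seen from the server side. This is an added example, not part of the original text: it shows output encoding, an allow-list for the image name, and an HttpOnly session cookie. All function names, the `/images/` path and the cookie name `sid` are assumptions made for illustration.

```javascript
// Added example (not from the original text): server-side handling for the
// two injection points the tutorial describes. All names are hypothetical.

// Encode the five characters that let text break out of HTML body text or a
// quoted attribute value.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Guestbook entry: visitor text is encoded, so markup is displayed, not parsed.
function renderGuestbookEntry(author, message) {
  return `<p><strong>${escapeHtml(author)}</strong>: ${escapeHtml(message)}</p>`;
}

// Image parameter (the `whatever` value in bla.php?whatever=lol.gif):
// accept only a plain image file name, then still encode it on output.
const IMAGE_NAME = /^[A-Za-z0-9_-]{1,64}\.(gif|png|jpe?g)$/;

function renderImage(param) {
  if (typeof param !== 'string' || !IMAGE_NAME.test(param)) {
    return null; // caller answers 400 instead of echoing the value
  }
  return `<img src="/images/${escapeHtml(param)}" alt="">`; // assumed image path
}

// Session cookie header: HttpOnly keeps the value out of document.cookie,
// so script running in the page cannot read it.
function sessionCookieHeader(sessionId) {
  if (!/^[A-Za-z0-9]+$/.test(sessionId)) throw new Error('bad session id');
  return `sid=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample inputs.
console.log(renderGuestbookEntry('visitor', 'You guys <b>suck</b>.'));
console.log(renderImage('lol.gif'));
console.log(renderImage('lol.gif">'));
console.log(sessionCookieHeader('abc123'));
```

With encoding in place, the bold-text test from the guestbook section shows the literal tags instead of bold text, and the `">` suffix on the image parameter is rejected before it reaches the page.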
