Session HiJacking With Stored XSS And Cookie Stealers

Hello Friends, I’m going to show you how hackers can steal your cookie and gain access to your account.

The Cookie Stealer?

This is a very simple cookie stealing script by the way.


Deploying The Script

To Deploy the script go to.


This will be your fake website so,

Create an account with them, choose what you want your website to be called, then go to the control panel.


Then go to online file manager.

Then click on htdocs,


and finally, we upload the cookie stealer.


All the cookies that have been hijacked will be in the htdocs directory.

How The Attack Works

Once you have found a vulnerable web server, you can execute this command in a submission form or wherever the vulnerability exists.

Once this injection is successful everyone who views the website will get their cookie hijacked and it will pretty much start a worm.

Why Are Websites Vulnerable?

When a company has thought of a product to release they can sometimes try and get it out there as soon as possible before someone else takes the idea. They usually have time constraints and with these constraints gives them less time to work on programming the code. Sometimes the programmers have not been taught or qualified to look out for security flaws in their code, leaving the product or web app vulnerable.

There is a lot of information on the internet and this is what attracts hackers.

Why Do Black Hat’s Do This?

Black hats are after information, this information can be

  • bank account details
  • social security numbers
  • usernames and passwords
  • confidential files


Okay, so this is probably the most important of them all when you view a website make sure you view a site that has HTTPS this means that it’s secure.

also, make sure you have the NoScript plugin for Firefox because this will filter out cross-site-scripting attacks.

And make sure that the cookies are secure and HTTPOnly is disabled.

Watch this video for a demonstration of a stored XSS attack.

please comment if you have any thoughts.

Do not use this for illegal activities, I’m not to blame for any trouble you get into.

Leave a Reply