Introduction
Exactly how does a cookie stealer work, anyway? There are two components in a
cookie stealer: the sender and the receiver.
The sender can take many forms. In essence, it's just a link to the receiver with the
cookie somehow attached. It can sometimes be difficult to find a way to implement
the sender.
The receiver, as the name suggests, is whatever receives the cookie from the
sender. It can also take several forms, but the most common is a PHP
script, usually residing on some obscure webserver.
Coding a receiver is the part with which most newbies struggle. Only two things are
needed to make a receiver: a webhost which supports PHP, and Notepad (see the end
of the text for a link to some free PHP hosts).
As I said in the introduction, the receiver's job is to receive the cookie from the
sender. The easiest way to send information to a PHP document is by using the HTTP
GET method, which appends information to the end of the URL as a parameter (for
example, "page.php?arg1=value"). PHP can access GET information by accessing
$HTTP_GET_VARS[x], where x is a string containing the name of the argument.
Once the receiver has the cookie, it needs a way to get that cookie to you. The two
most common ways of doing this are sending it in an email, and storing it in a log.
We'll look at both.
First, let's look at sending it in an email. Here is what such a beast would look like
(functioning code):
Next, we'll look at my preferred method, which is storing the cookie in a logfile.
(functioning code)
The hardest part (usually) of making a cookie stealer is finding a way to use the
sender. The simplest method requires use of HTML and JavaScript, so you have to be
sure that your environment supports those two. Here is an example of a sender.
/ Line 3
Line 1 tells the browser that the following chunk of code is to be interpreted as
JavaScript.
Line 2 adds document.cookie to the end of the URL, which is then stored in
document.location. Whenever document.location is changed, the browser is redirected
to that URL.
Line 3 tells the browser to stop reading the code as JavaScript (return to HTML).
You can plant your sender where the victim will view it as an HTML document with
his browser. In order to do that, you have to find some way to actually post the code
somewhere on the site.
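Because the sender described above always ends up as a GET request whose query string carries the contents of document.cookie, a defender can spot such requests in web server or proxy access logs. The following is an added example, not code from the original text; it assumes logs in the Apache/nginx "combined" format and runs over constructed sample lines.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Cookie names that have no business appearing inside a URL query value.
SESSION_COOKIE_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid",
                        "sessionid", "sessid", "sid", "token"}

# One or more "name=value" pairs separated by ";" is the shape of document.cookie.
COOKIE_SHAPE = re.compile(r"^[\w.\-]+=[^;]*(?:;\s*[\w.\-]+=[^;]*)*$")

# Apache/nginx "combined" access log format (assumption: logs use this format).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$')

def looks_like_cookie(raw_value):
    """True when a decoded query value looks like a whole cookie string or a session cookie."""
    value = unquote_plus(raw_value)
    if not COOKIE_SHAPE.match(value):
        return False
    names = {pair.split("=", 1)[0].strip().lower() for pair in value.split(";")}
    # A multi-pair string is document.cookie almost by definition; a single
    # pair only counts when its name is a well-known session cookie.
    return ";" in value or bool(names & SESSION_COOKIE_NAMES)

def find_cookie_exfil(log_lines):
    """Return one dict per request whose query string carries a cookie-shaped value."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed or non-combined line, skip it
        for param in urlsplit(m["path"]).query.split("&"):
            name, _, raw_value = param.partition("=")
            if raw_value and looks_like_cookie(raw_value):
                hits.append({"ip": m["ip"], "param": name,
                             "referer": m["referer"], "path": m["path"]})
                break
    return hits

# Constructed sample lines: one normal request, one whose query value decodes
# to "PHPSESSID=9f2a1c; user=bob", and one benign single "name=value" parameter.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /r.php?c=PHPSESSID=9f2a1c;%20user=bob HTTP/1.1" 200 0 "http://forum.example/thread?id=42" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:57:12 +0000] "GET /go.php?next=page=home HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_cookie_exfil(SAMPLE_LOG):
        print(hit)
```

The referer of a hit is worth keeping: it usually names the page on which the sender was planted, which is where the cleanup has to happen. Marking session cookies HttpOnly removes them from document.cookie altogether and so defeats this class of sender.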