Lab: Exploiting cross-site scripting to steal cookies
This lab contains a stored XSS vulnerability in the blog comments function. To solve the lab, exploit the vulnerability to steal the session cookie of someone who views the blog post comments. Then use the cookie to impersonate the victim.
The online lab simulates another user who views blog comments after they are posted. You should exfiltrate this user's session cookie via the public Burp Collaborator server (
Instead of using Burp Collaborator, you could adapt the attack to make the victim post their cookie within a blog comment by exploiting the XSS to perform CSRF. However, this would expose the cookie value publicly and would also disclose evidence that the attack was performed.
Click "Copy to clipboard" to copy a unique Burp Collaborator payload to your clipboard. Leave the Burp Collaborator client window open.
Submit the following payload in a blog comment, inserting your Burp Collaborator subdomain where indicated:
This script will make anyone who views the comment issue a POST request to burpcollaborator.net containing their cookie.
Go back to the Burp Collaborator client window, and click "Poll now". If you don't see any interactions listed, wait a few seconds and try again.
You should see an HTTP interaction. Take a note of the value of the victim's cookie in the POST body.
Then reload the main blog page, using Burp Proxy or Burp Repeater to replace your own cookie with the captured value. You should see a "Hello, admin" message within the response, demonstrating that you have successfully hijacked the admin user's session.
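Two server-side controls break the chain this lab walks through: encoding the stored comment when it is rendered, and marking the session cookie HttpOnly so script cannot read it. The following is an added example, not part of the original lab or the lab application's code; the function names, the cookie name `session` and the sample comment are assumptions made for illustration.

```javascript
// Added example: server-side defences against the stored XSS cookie theft
// described above. All names here are hypothetical, not taken from the lab.

// Encode the five HTML-significant characters so a stored comment is
// rendered as text and never parsed as markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render one comment into the blog page with every user-controlled
// field encoded at output time.
function renderComment(comment) {
  return '<section class="comment">' +
    '<p class="author">' + escapeHtml(comment.author) + '</p>' +
    '<p class="body">' + escapeHtml(comment.body) + '</p>' +
    '</section>';
}

// Build the Set-Cookie header value for the session. HttpOnly hides the
// cookie from document.cookie; Secure and SameSite limit where it is sent.
function sessionCookieHeader(sessionId) {
  if (!/^[A-Za-z0-9_-]+$/.test(sessionId)) {
    throw new Error('unexpected characters in session id');
  }
  return 'session=' + sessionId + '; Path=/; HttpOnly; Secure; SameSite=Strict';
}

// Audit helper: given a Set-Cookie header value, list the protective
// attributes it is missing.
function missingCookieFlags(setCookie) {
  const attrs = setCookie.split(';').slice(1).map((a) => a.trim().toLowerCase());
  const missing = [];
  if (!attrs.includes('httponly')) missing.push('HttpOnly');
  if (!attrs.includes('secure')) missing.push('Secure');
  if (!attrs.some((a) => a.startsWith('samesite='))) missing.push('SameSite');
  return missing;
}

// Constructed sample input: a comment body containing markup.
const sample = { author: 'visitor', body: '<script>alert(1)</script> & "quotes"' };
console.log(renderComment(sample));
console.log(missingCookieFlags('session=abc123; Path=/'));
console.log(missingCookieFlags(sessionCookieHeader('abc123')));
```

HttpOnly only stops script from reading the cookie; injected script could still act within the victim's session, so output encoding remains the primary fix.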