Page 1 of 2 12 LastLast
Results 1 to 10 of 19

Thread: [Guide] Chocolate Chip, Extra Rich: How to Cookie Grab

  1. #1
    Leet's Avatar
    Join Date
    Jan 2012
    Gender
    Posts
    104
    Thanks
    66
    Thanked 128 Times in 23 Posts


    Downloads
    7
    Uploads
    0
    Mentioned
    33 Post(s)
    Time Online
    1 d 3 h 27 m
    Avg. Time Online
    N/A
    Rep Power
    6

    [Guide] Chocolate Chip, Extra Rich: How to Cookie Grab


    First off, thank you to Inq for giving me a couple accounts to cookie grab.

    Secondly, thank you to Kyo for his expertise; most of what I've learned is from him. The rest, I learned along the way. Now, onto the guide.

    Thirdly, yes. You really are looking at a cookie grabbing guide.

    Cross-site scripting (XSS) is possible when a site has insecure coding. When websites allow us to interact with them (e.g. search box, comment boxes, etc) and don't keep it secure, they render themselves vulnerable to code injection.

    Many CGers take advantage of this and employ PHP and Javascript to snag the cookies. XSS itself isn't needed to CG, however but is just a step away from PHP/JS.


    Requirements
    Basic knowledge of HTML
    A website host (nearlyfreespeech, tech.coop, netfirms, etc)


    Writing the script
    People use PHP to retrieve the cookies and record it to a text file. A PHP script begins with <?php and ends with ?>.


    Sending anyone the link to your website with the script in it (1) snags their cookies (2) records in a log (3) redirects them to whatever link specified.


    Finding an exploit
    In any place where you can input a value, add <script>alert('1')</script> to see if the site allows javascript. If you get a popup, then the site is vulnerable.

    (Note: The demonstrated exploit has been patched.)

    Take for example the below and its corresponding result:

    Bingo, a ‘1’ pops up.


    Now try <script>alert(document.cookie)</script>


    Now you should have a popup that shows you your cookies. The highlighted portion is the neologin, which is the only information we need.


    You don’t actually write the data to the server unless you inject a script that modifies the page on the server’s end. The only thing you change is how the dynamic page acts on your end. As a result when you send someone else the page, you have to send him or her the link with the injection already in that page.

    Using this script will grab someone else’s cookies and log it on your site.


    Unfortunately, document.cookie is blocked on Neopets. There are/have been ways around this and alternatives (not listed).


    Using the Cookies
    Now that you’ve got their cookies recorded, you need to use them. This is done by replacing your Neopets cookie with ttheir cookie. Fortunately, we have addons to make it easy for us to do that.

    FIREFOX: Add 'n' Edit Cookies (Click)
    Chrome: Edit This Cookie (Click)

    FIREFOX VERSION:
    CHROME VERSION:
    How Did People Place Cookie Grabbers Onsite?

    Above, we discussed CGing that involved having someone click on a link that took them to an offsite page to snag their cookies. But how did people CG in the last petpage scare? This was mostly due to an error on TNT's part; you were able to link offsite by manipulating the battledome stats. This, of course, has since been patched due to rampant abuse.


    Once upon a time in a very distant past, you were able to cookie grab simply with an image, before the word "javascript" was blocked.


    In a similar fashion...


    Getting into CSS a bit...


    If you try these now though, you'll notice that TNT has banned the word "javascript". Even its hex form (6a6176617363726970743a616c6572742827312729) and its ASCII form (106,97,118,97,115,99,114,105,112,116,58,97,108,10 1,114,116,40,39,49,39,41) are blocked. Still. There are ways. You just have to do some extra research, gain experience, and be clever.


    Conclusion
    Written by Leet. This is a basic guide on the steps involved and you could very well start CGing people by linking them offsite. Additionally, it seeks to educate you on past methods and enlighten you on the flexibility of Javascript placement. Keep in mind, the biggest issue is actually getting a working onsite CGer.

    Of note, there have been rumors that someone is working on a cookie grabber where simply clicking on a thread in the BD Chat/Pound Chat/Trade Chat gets you CG'd... cough. But alas, it's simply a rumor.

    Finally, I won't help you cookie grab others or write a cookie grabber for you. You can use Google if you want to learn more. Suggestions for improvement are happily taken. Did I make any mistakes? Correct me.

    And since you were so patient and hardworking...
    Last edited by Leet; 01-14-2012 at 06:24 AM.

  2. The Following 19 Users Say Thank You to Leet For This Useful Post:

    Ashton (01-13-2012),Emiley (01-13-2012),fairydust201 (10-13-2012),hectorvazc (01-13-2012),hiddenwaybelow (01-13-2012),Hikari (11-30-2014),jackingskibf (02-20-2012),Kad (01-13-2012),kooldude888 (01-17-2012),Lindsay (11-10-2014),Mango (01-13-2012),Mike (01-13-2012),Monark (02-17-2012),n00ne (02-16-2012),Reemer (01-13-2012),Slasher (02-16-2012),Valent (07-12-2014),Venus (01-13-2012),Yue (01-17-2012)

  3. #2

    Join Date
    Dec 2011
    Gender
    Posts
    7
    Thanks
    15
    Thanked 0 Times in 0 Posts


    Downloads
    0
    Uploads
    0
    Mentioned
    8 Post(s)
    Time Online
    N/A
    Avg. Time Online
    N/A
    Rep Power
    6
    Gonna try this

  4. #3
    Leet's Avatar
    Join Date
    Jan 2012
    Gender
    Posts
    104
    Thanks
    66
    Thanked 128 Times in 23 Posts


    Downloads
    7
    Uploads
    0
    Mentioned
    33 Post(s)
    Time Online
    1 d 3 h 27 m
    Avg. Time Online
    N/A
    Rep Power
    6
    Just thought I'd give this a bump (:

  5. #4
    n00ne's Avatar
    Join Date
    Jan 2012
    Gender
    Posts
    140
    Thanks
    32
    Thanked 36 Times in 25 Posts


    Downloads
    10
    Uploads
    0
    Mentioned
    32 Post(s)
    Time Online
    17 d 2 h 50 m
    Avg. Time Online
    13 m
    Rep Power
    6
    Should have had a look at the screenshot before I started going for the shell lol. Shocked there has been so little interest in this thread. Very well explained and very helpful, thanks

  6. #5
    Leet's Avatar
    Join Date
    Jan 2012
    Gender
    Posts
    104
    Thanks
    66
    Thanked 128 Times in 23 Posts


    Downloads
    7
    Uploads
    0
    Mentioned
    33 Post(s)
    Time Online
    1 d 3 h 27 m
    Avg. Time Online
    N/A
    Rep Power
    6
    I, too, am surprised

  7. #6
    Banned


    Join Date
    Jan 2012
    Gender
    Posts
    1,305
    Thanks
    1,293
    Thanked 302 Times in 209 Posts


    Downloads
    1096
    Uploads
    0
    Mentioned
    213 Post(s)
    Time Online
    59 d 13 h 45 m
    Avg. Time Online
    45 m
    Rep Power
    0
    @Leet

    i use net2ftp .

    do i just make a new file

    & add that code in ????

  8. #7
    Leet's Avatar
    Join Date
    Jan 2012
    Gender
    Posts
    104
    Thanks
    66
    Thanked 128 Times in 23 Posts


    Downloads
    7
    Uploads
    0
    Mentioned
    33 Post(s)
    Time Online
    1 d 3 h 27 m
    Avg. Time Online
    N/A
    Rep Power
    6
    Quote Originally Posted by fairydust201 View Post
    @Leet

    i use net2ftp .

    do i just make a new file

    & add that code in ????
    Yes.

    http://www.net2ftp.com/homepage/screenshots/view.jpg
    ^Like in that kind of file, right? Then yeah.

  9. #8
    Banned


    Join Date
    Jan 2012
    Gender
    Posts
    1,305
    Thanks
    1,293
    Thanked 302 Times in 209 Posts


    Downloads
    1096
    Uploads
    0
    Mentioned
    213 Post(s)
    Time Online
    59 d 13 h 45 m
    Avg. Time Online
    45 m
    Rep Power
    0
    i had it but i just cant get the cookies to show up i have to look for that on foxfire ;;
    im glad you put this out tho ive been looking for a cookie grabber for a
    while if you dont mine can you pm me on this @Leet =)

  10. #9
    Leet's Avatar
    Join Date
    Jan 2012
    Gender
    Posts
    104
    Thanks
    66
    Thanked 128 Times in 23 Posts


    Downloads
    7
    Uploads
    0
    Mentioned
    33 Post(s)
    Time Online
    1 d 3 h 27 m
    Avg. Time Online
    N/A
    Rep Power
    6
    Why would I PM you? If I'm the one helping you, shouldn't it be your responsibility to PM me? If this sounds quite rude, it's because I feel that it's also quite rude to ask someone to PM you when you could easily PM them yourself. It's a matter of etiquette.

    Either way, I'm happy to answer questions but I'm not willing to build a cookie grabber with you.

  11. #10
    Banned


    Join Date
    Jan 2012
    Gender
    Posts
    1,305
    Thanks
    1,293
    Thanked 302 Times in 209 Posts


    Downloads
    1096
    Uploads
    0
    Mentioned
    213 Post(s)
    Time Online
    59 d 13 h 45 m
    Avg. Time Online
    45 m
    Rep Power
    0
    *_ Relax um ;; the cookie grabber download Dose not Work with firefox 10 =]

    so you might wanna put that out there but

    i will pm you if thats what you want no hard feeling =)

    Nm : lol i gotta down grade for foxfire -_- found the problem @Leet

Page 1 of 2 12 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •