Today we will show how easy it is to get the cookies of an authenticated (logged-in) user of a particular website,
who could be your friend or relative, using the Self-XSS hacking tool. Self-XSS relies on social engineering, and
with it a hacker can gain control of the victim's Instagram account.
ENVIRONMENT
• OS: Kali Linux 2019.3 64 bit
• Kernel version: 5.2.0
INSTALLATION STEPS
• Use this command to clone the project.
• git clone https://github.com/thelinuxchoice/self-xss
root@kali:/home/iicybersecurity# cd self-xss/
root@kali:/home/iicybersecurity/self-xss#
• Now, use this command to launch the tool: bash self-xss.sh
• After launching the tool, first we have to enter the name of the website whose account we want to hack. In our
case, it will be https://instagram.com
• Next, enter the email and password details.
• Then the tool will download the Ngrok server automatically and start the PHP server and the Ngrok server.
• Then it will give a malicious URL, as we can see in the above picture.
• Now, send this malicious code to the victim using social engineering tricks and ask the victim to open this
link in the same Instagram browser tab.
Self-XSS – Malicious code Injected
• The malicious code will capture the Instagram cookies and IP address details of the victim and send them back
to the hacker.
• Now go to the hacker machine where Self-XSS is running.
• Go to the tool directory: cd /home/iicybersecurity/self-xss
• To verify, use the cat command to view the details of the cookies.
o cat cookies.backup
mid=XsYGMQALAAFTsuFdOqBKpj1oAJs6; csrftoken=2Z8ovGnPCnaRccQ7Og2GlPLWBIAj4zFD;
ds_user_id=29687340949
IP: 112.196.159.115
Here, we successfully got the victim's IP address with machine details and the victim's Instagram cookies.
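Script running in a page can read only cookies that were set without the HttpOnly attribute. As an added example (not part of the original write-up or of the self-xss tool), the following JavaScript audits Set-Cookie headers for the attributes that decide this; the sample headers, their attributes and the cookie name "session" are constructed for illustration.

```javascript
// Constructed sample response headers (not captured from any real site).
// "mid", "csrftoken" and "ds_user_id" are the names seen in the output above;
// "session", all values and all attributes are placeholders for illustration.
const SAMPLE_SET_COOKIE = [
  "mid=PLACEHOLDER; Path=/; Secure",
  "csrftoken=PLACEHOLDER; Path=/; Secure; SameSite=Lax",
  "ds_user_id=PLACEHOLDER; Path=/; Secure",
  "session=PLACEHOLDER; Path=/; Secure; HttpOnly; SameSite=Lax",
];

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const first = parts.shift() || "";
  const eq = first.indexOf("=");
  if (eq < 1) return null; // no cookie name: ignore the malformed header
  const attrs = {};
  for (const p of parts) {
    const i = p.indexOf("=");
    const key = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : p.slice(i + 1).trim();
  }
  return { name: first.slice(0, eq), value: first.slice(eq + 1), attrs };
}

// Report the attributes that decide whether script in the page can read the
// cookie and whether the cookie travels on cross-site requests.
function auditCookies(headers) {
  return headers.map(parseSetCookie).filter(Boolean).map((c) => {
    const sameSite = String(c.attrs.samesite || "").toLowerCase();
    const issues = [];
    if (!c.attrs.httponly) issues.push("readable via document.cookie (no HttpOnly)");
    if (!c.attrs.secure) issues.push("sent over plain HTTP (no Secure)");
    if (sameSite === "none") issues.push("sent on all cross-site requests (SameSite=None)");
    if (sameSite === "") issues.push("SameSite not set (browser default applies)");
    return { name: c.name, scriptReadable: !c.attrs.httponly, issues };
  });
}

// Names of the cookies that script injected into the page could read.
function scriptReadableNames(headers) {
  return auditCookies(headers).filter((c) => c.scriptReadable).map((c) => c.name);
}

console.log(auditCookies(SAMPLE_SET_COOKIE));
```

A cookie that has to be read by the site's own script (a CSRF token used in a request header, for instance) cannot be HttpOnly, so the audit is most useful for confirming that session identifiers never appear in the script-readable list.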
CONCLUSION
We have now seen how to find the cookie details of the victim using self-XSS in combination with social
engineering. So it is always recommended never to click on any suspicious link, especially when you are
logged into any social networking website or any other website.