Reflected XSS Cookie Grabbing for Internal application


I’m able to execute reflected XSS on an internal application which does not have internet access. The developer is asking me to exploit the issue. He also assures that the session ID is mapped to IP and userid, so it is not exploitable. I want to validate the statement by actually trying to grab a cookie from another user. Can someone help me with the steps and how to set up a server to grab cookies?

I submitted a payload in the URL parameter, which was echoed back in the response, and the cookie popped up.
