Hello all, today I am starting to write up solutions for the tasks (challenges) of the Javascript for Pentester course at Pentester Academy. I am going to provide a quick solution to each task provided at Pentester Academy. You can view solutions to the other tasks here.
Task 1: Modify HTML with Javascript | Task Link
The task is pretty simple: we have to change the text “Modify me” to “Modified you” and the text “Find me” to “Found you” dynamically, using an XSS vulnerability that we will find on the site.
Solution:
First of all, we have to find the injection point for the XSS payload in the site. After some inspection you will find that the injection point is the url parameter, or the input field itself. Then we have to figure out which tags hold the text we need to replace. By inspecting the source code, you will find that the first <h1> tag and the third <h2> tag (heading tags) are the ones we have to target.
<script>
document.getElementsByTagName('H1')[0].innerHTML="Found You";
document.getElementsByTagName('H2')[2].innerHTML="Modified You";
</script>
Then just copy the source code above and paste it into the input field of the target web page. The first line of code picks the first h1 tag (heading 1) and replaces its content with our custom text “Found You”. The second line gets the 3rd h2 tag (heading 2) and changes its content to our custom text “Modified You”.
Remember, if you are putting the XSS payload into the URL after the url parameter, then you have to URL-encode it first and then put it into the URL after the url parameter.
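Why the payload runs, and what stops it, shown as an added example that is not code from the task page or from Pentester Academy. The page template and the functions renderVulnerable, renderHardened, readUrlParam and buildQuery are assumptions made for illustration; only the url parameter and the payload come from this post.

```javascript
// Added example: a constructed page that reflects the `url` parameter.
// The template and all function names below are hypothetical.
const PAYLOAD =
  "<script>" +
  "document.getElementsByTagName('H1')[0].innerHTML=\"Found You\";" +
  "document.getElementsByTagName('H2')[2].innerHTML=\"Modified You\";" +
  "</script>";

// The query string as it arrives once the value has been URL-encoded.
function buildQuery(value) {
  return "url=" + encodeURIComponent(value);
}

// Server side: the framework URL-decodes the parameter before the app sees it.
function readUrlParam(query) {
  return new URLSearchParams(query).get("url") ?? "";
}

// HTML-encode the characters that can change the parsing context.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Weak form: the decoded value is concatenated into the markup,
// so the browser parses <script> as a real element and runs it.
function renderVulnerable(query) {
  return "<h1>Find me</h1><p>You entered: " + readUrlParam(query) + "</p>";
}

// Hardened form: same template, value encoded for the HTML body context,
// so the browser displays the payload as text instead of executing it.
function renderHardened(query) {
  return "<h1>Find me</h1><p>You entered: " + escapeHtml(readUrlParam(query)) + "</p>";
}

const query = buildQuery(PAYLOAD);
console.log(renderVulnerable(query).includes("<script>")); // true
console.log(renderHardened(query).includes("<script>"));   // false
```

The encoding shown covers values placed in the HTML body; a value reflected into an attribute, a URL or a script block needs the encoding for that context.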
That’s all. Refer to this post as a quick solution for the Javascript for Pentester tasks. For an in-depth video tutorial, please refer to the video solutions provided on the Pentester Academy website.